My OVHcloud services were affected by the Strasbourg fire, and as part of these services, I was processing personal data. What are my notification obligations?

The information below is provided by OVHcloud for informational purposes, in order to describe the roles and obligations set out in the regulations in force in France and in the European Union. These descriptions do not constitute legal advice. OVHcloud is therefore not responsible for your choices regarding your particular situation, or for the notification methods you choose to follow, depending on whether or not you choose to do so, in a particular situation. If you require legal advice, please contact a qualified legal professional with the necessary skills to assist you in the legal analysis of your situation.

Articles 33 and 34 of the General Data Protection Regulation 2016/679, which entered into force on 25th May 2018 (hereinafter referred to as the GDPR), require the “controller” to document “personal data breaches” and “notify” such breaches:

• to the competent data protection authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the natural persons concerned, and
• to the data subjects without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons.

If you are not the controller, you must inform the data controller of the situation which may constitute a breach as soon as possible, so that it can make the necessary notifications.