Host Privacy Standards
Handling Guest Personal Information
As a Host you will receive and use Guests’ personal information to manage your reservations and deliver your Host Service. Please remember that you are responsible for complying with applicable privacy laws when you handle and process personal information. You should only use personal information you receive through the Koh-Lanta.org Platform as necessary to manage your reservations, comply with applicable laws, and deliver your Host Service. You may not encourage or require Guests to: open an account, leave a review, or otherwise interact with a third-party website, application or service before, during or after a reservation, unless authorized by Koh-Lanta.org.
If, in the course of providing Host Services, (i) personal information is transferred to you from the European Economic Area, Switzerland or the UK (within the meaning of Article 44 of the General Data Protection Regulation “GDPR”) and (ii) the transfer does not benefit from an adequacy decision under Article 45 of the GDPR, then you agree to process the personal information you receive in accordance with the obligations of module 1 (transfer controller-to-controller) of the standard contractual clauses (“Clauses”) contained in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The Clauses are hereby incorporated into your agreement with us with the same force and effect as if they were fully set forth in that agreement.
Standard Contractual Clauses
The information to complete the Clauses is as follows:
- The option under clause 7 (docking clause) shall not apply.
- The option under clause 11 (redress) shall not apply.
- The governing law for the purposes of clause 17 (governing law) shall be the law of Ireland.
- The courts under clause 18 (choice of forum and jurisdiction) shall be the courts Ireland
The information to complete the Appendix to the Clauses is as follows:
For Annex I.A of the Clauses:
- You are the “data importer.”
- If you are hosting or booking a Listing in Japan, the “data exporter” is Koh-Lanta.org.
- If you are hosting somewhere other than Japan, the “data exporter” is Koh-Lanta.org.
- For data protection enquiries you may contact our data protection officer at the Contact Us section here and we may contact you by email to the address on your profile.
For Annex I.B of the Clauses:
- the data subjects are Guests;
- the purpose of the transfer is to enable you to provide the Host Service;
- the categories of data may include the Guest’s profile and full name, the full name of any additional Guests (if entered), the Guest’s cancellation history, Guest’s phone number, any other information the Guest chooses to share, and additional information to assist with coordinating the trip including messages exchanged with the Guest;
- the recipients of the data are any service providers you may choose to retain to assist you in providing the Host Services;
- no sensitive data is being transferred;
- the frequency of the transfer is subject to the frequency of reservations of your listing(s); and
- the data are retained for the period determined by you as necessary to manage your reservations, comply with applicable laws, and deliver your Host Service
For Annex I.C of the Clauses:
- The Irish Data Protection Commission is the competent supervisory authority in accordance with Clause 13.
For Annex II of the Clauses:
Have in place appropriate security measures to meet the requirement of Article 32 GDPR. In particular, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.