Helping you prepare for a new era in European privacy regulation
On May 25, 2018, the European Union (“EU”) General Data Protection Regulation (“GDPR”) will take effect and replace the existing EU Data Protection Directive 95/46/EC. Both the GDPR and the Directive exist as a regulatory framework designed to protect the personal data of consumers.
The GDPR imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where you are located.
Kigo Legacy GDPR support and migration to Kigo Marketplace
To benefit our clients we have been maintaining the Kigo legacy platform for years. Given the challenges of staying compliant across two platforms, we have now made the decision to focus our GDPR efforts on the Kigo Marketplace platform, already designed to support GDPR as well as other global compliance needs. We feel that all of our clients are best supported on their GDPR journey by migrating to the Kigo Marketplace platform during 2018.
Please contact sales and support for more information about Kigo Marketplace.
Key changes under GDPR
Under the GDPR, there are three entity classifications with respect to regulation of personal data collection and handling:
- Data Controllers: In simple terms, a Data Controller determines what, why, and how data is processed. Kigo clients serve as Data Controllers under the GDPR, as they have a direct relationship with travelers and control the processing of personal data related to the traveler.
- Data Processors: A Data Processor is a party that processes personal data on behalf of a Data Controller in accordance with the Data Controller’s instructions. Kigo serves as a Data Processor through our role as SaaS provider to the vacation rental industry. Our clients, as Data Controllers, contract with Kigo for purposes of leveraging our data processing services
- Sub-Processors are parties contracted by Kigo for purposes of outsourcing processing functions and are typically a third party vendor.
The GDPR includes new rights and expansion of existing rights that affects both controllers and processors. A few of the rights granted to consumer include:
- The Right to Rectification (a way to update or correct personal data),
- The Right to Portability (right to transfer personal data to another organization),
- The Right to Erasure (an expansion of the former ‘right to be forgotten’),
- The Right to Restriction of Processing and the Right to Object to certain processing activities (profiling) and to automated processing decisions,
The GDPR expands the current rule around personal data and can now include profiling such as web tracking, cookies, and behavioral data. Profiling is not explicitly prohibited, but as a form of data processing, is now subject to the general rules governing the processing of personal data.
The GDPR retains the concept of consent but now requires a “clear affirmative action” in order to be valid and also requires a way to withdraw consent. As an example, actively checking a box in a form.
Further GDPR Information
The European Commission
The UK Information commissioner’s Office (ICO)
The Spanish Agency for Data Protection (AEPD)
This content is provided for general informational purposes only, and may not reflect current legal developments. Any information contained herein should not be construed as legal advice and is not intended to be a substitute for legal counsel on any subject matter. No recipient of this content should act or refrain from acting on the basis of any content without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.