CASA HOHTO CUSTOMER REGISTER

Information Document on the Processing of Personal Data in A&K Investment Oy's Customer Register under the EU General Data Protection Regulation (GDPR)

1. Controller

Name: A&K Investment Oy / Casa Hohto
Address: Tasetie 8, 01510 Vantaa
Contact Information: Phone: +358 505565655, Email: info@casahohto.com
Last Updated: January 21, 2025

2. Contact Person for Register-Related Matters

For inquiries regarding the register and exercising data subject rights, please contact:
Name: Anne Lehtonen
Phone: +358 50 409 3969
Email: anne@bowlcircus.com

3. Register Name

Casa Hohto Customer Register

4. Legal Basis for Processing Personal Data

The processing of personal data in the customer register is based on the customer relationship between A&K Investment Oy (Casa Hohto) and its consumer or business customers. Data processing is also based on agreements between the controller and the data subject, specifically for handling reservations.

5. Purposes of Processing Personal Data

The purposes for processing customer data include:

• Customer communication and relationship management
• Managing customer accommodation reservations
• Processing payments, invoicing, and collections
• Marketing, sales, and delivery of Casa Hohto's accommodation services
• Planning and developing Casa Hohto's business operations and customer service

6. Categories of Personal Data Processed

Personal Data:

• First and last name, phone number, address, email address
• Payment details (specific details related to payment processing services can be found here:
  Stripe Privacy Policy & Lodgify Privacy Policy)

Business Contact Data:
For corporate customers, the following information may also be processed:

• Contact person’s name, email address, phone number

7. Sources of Personal Data

Personal data is primarily collected from the data subject during the reservation process. Additional data may be generated by the controller or obtained from third parties, such as other accommodation booking platforms.

8. Recipients or Categories of Recipients of Personal Data

Customer data may be disclosed to authorities based on legally justified requests. It may also be shared with third-party software service providers.

9. Data Transfers Outside the EU

Casa Hohto may use services provided by companies outside the EU for direct marketing purposes. These companies are required to comply with GDPR and EU Commission-approved standard contractual clauses.

10. Retention Period of Personal Data

The customer register is stored in an encrypted and secured database.

Personal data is processed only for as long as it is necessary to fulfill the defined purposes. Certain information may be retained longer to comply with accounting or other legal obligations.

11. Rights of the Data Subject

Personal data is processed based on the legitimate interest of the controller or the agreement between the controller and the data subject (GDPR Article 6(1)(e)). In this context, the data subject has the following rights:

Right of Access:
The data subject has the right to request access to their personal data to verify whether it is being processed.

Right to Rectification:
The data subject can request the correction of inaccurate or incorrect personal data without undue delay.

Right to Erasure:
The data subject has the right to have their personal data deleted without undue delay if one of the following applies:

• The data is no longer needed for the purposes for which it was collected
• The data subject objects to the processing, and there are no overriding legitimate grounds
• The data was processed unlawfully

Right to Object:
The data subject has the right to object to the processing of their personal data for reasons related to their specific situation. They can also object to the use of their data for direct marketing purposes.

Right to Restriction of Processing:
The data subject can request a restriction on the processing of their data in the following cases:

• If the accuracy of the data is contested
• If processing is unlawful and the data subject opposes deletion
• If the controller no longer needs the data, but the data subject requires it for legal claims

Right to Data Portability:
If the data processing is based on an agreement and carried out automatically, the data subject has the right to receive their data in a machine-readable format and transfer it to another controller.

Submitting a Request to Exercise Rights:
Requests must be submitted in writing to the contact person listed in section 2. The controller may verify the identity of the data subject using official identification or other necessary methods.

12. Right to Lodge a Complaint

The data subject has the right to lodge a complaint with the supervisory authority if they believe that the controller has violated applicable data protection regulations.

13. Submitting Requests Related to Data Subject Rights

Inquiries and requests regarding personal data processing and the exercise of rights should be directed to the contact person listed in section 2. Requests can be made in writing via email or post, or in person at the controller's office.

To ensure that personal data is only disclosed to the data subject, the controller may require written and signed requests, identity verification, or other necessary measures.