KVKK Policy (Personal Data Protection Policy)

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1- INTRODUCTION:

In accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698”), ÇİFTAY Turizm ve Otelcilik A.Ş. (00860057064000 17 and Başkent Tax Office 0860057064) (“ÇİFTAY A.Ş.”), as the data controller, processes the personal data of our employees, customers, potential customers, job applicants, visitors, third parties, and other individuals with whom we have a relationship under the fundamental principles outlined below. With this Policy, we aim to process and protect the personal data of our customers, potential customers, employees, job applicants, visitors, and third parties in a lawful manner, as reported to us and in its most up-to-date form.

2- DEFINITIONS

Explicit Consent: Consent that is freely given, specific, informed, and unambiguous.

Anonymization: The process of rendering personal data unidentifiable, such that it cannot be associated with any identified or identifiable natural person, even when combined with other data.

Application Form: The “Application Form for Applications to be Made by the Relevant Person (Personal Data Owner) to the Data Controller in accordance with the Personal Data Protection Law No. 6698” containing the application to be made by personal data owners to exercise their rights.

Job Applicant: Refers to individuals who have applied for a job at ÇİFTAY A.Ş. in any way or who have provided their resume and relevant information.

Employees, Shareholders, and Officials of Partner Organizations: Refers to individuals who work at organizations with which ÇİFTAY A.Ş. has any kind of business relationship, including the shareholders and officials of these organizations.

Business Partner: Parties with whom ÇİFTAY A.Ş. has established a business partnership for purposes such as carrying out various projects directly or through its affiliated companies and receiving services while conducting its commercial activities.

Law: Refers to the Personal Data Protection Law No. 6698.

Processing of Personal Data: Any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether fully or partially automated or non-automated, provided that it is part of a data recording system.

Data Subject: The natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person.

Board: Refers to the Personal Data Protection Board.

Customer: Refers to real persons who benefit from the products and services offered by the Company.

Special Category Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, denomination or other beliefs, attire, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Policy: Refers to the basic rules regarding the processing of personal data as stated in ÇİFTAY A.Ş.’s Personal Data Processing and Protection Policy.

Potential Customer: Refers to real persons who show interest in using the products and services offered by the Company and who have the potential to become customers.

Supplier: Parties that provide services to ÇİFTAY A.Ş. on a contractual basis while ÇİFTAY A.Ş. conducts its commercial activities.

Third Party: Natural persons whose personal data is processed within the scope of the Policy but who are not defined differently within the scope of the Policy.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically stored (data recording system). Within the scope of this policy, ÇİFTAY A.Ş. is the data controller.

Deletion of Data: The process of rendering personal data inaccessible and unusable for the relevant users.

Destruction of Data: The process of rendering personal data inaccessible, unrecoverable, and unusable by anyone.

Visitor: Natural persons who have entered the offices, hotels, and website owned by ÇİFTAY A.Ş. for various purposes.

3- PURPOSE OF THE POLICY

The primary purpose of this Policy is to:

Provide explanations regarding the principles adopted by ÇİFTAY A.Ş. concerning the lawful processing of personal data and the protection of personal data;

Inform our customers, employees, job applicants, visitors, shareholders and employees of institutions we collaborate with, and third parties whose personal data has been collected by our office, hotel, website, and company about topics such as personal data processing activities, measures taken, data subjects’ rights, and methods of exercising these rights.

4- SCOPE OF THE POLICY

This Policy covers our customers, employees, job applicants, visitors, employees of institutions we collaborate with, and third parties whose personal data is collected by our company through camera recording systems, email correspondence, training attendance records, forms, eyewitnesses, petitions, incident site information, authorized institutions, internet login and registration system, our websites and social media pages, mobile applications, and similar other channels, whether automatically or non-automatically, in written, verbal, or electronic form, and through similar technologies.

5- GENERAL PRINCIPLES FOR PROCESSING PERSONAL DATA

ÇİFTAY A.Ş. informs data subjects in accordance with Article 10 of the KVK Law and requests consent from data subjects when consent is required. It processes these personal data within the scope of the general principles listed in Article 4 of Law No. 6698: In accordance with the Law and the Rule of Fairness, ÇİFTAY A.Ş. processes personal data by keeping all communication channels open to ensure that personal data is accurate and, where necessary, up-to-date, by processing it for specific, clear, and legitimate purposes, by ensuring that it is relevant, limited, and proportionate to the purpose for which it is processed, and by retaining it for the period required by the relevant legislation or necessary for the purpose for which it is processed.

6- RULES ON THE PROTECTION OF PERSONAL DATA

ÇİFTAY A.Ş., in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, processes personal data in a manner that is lawful and fair, accurate and, where necessary, up-to-date, for specific, explicit, and legitimate purposes, and in a manner that is relevant, limited, and proportionate to the purpose. ÇİFTAY A.Ş. retains personal data for the period required by law or necessary for the purpose of processing personal data. ÇİFTAY A.Ş. collects and processes personal information belonging to its customers, job applicants, employees, visitors, supplier company employees, and third parties, including identity information (name, surname, Turkish ID number, gender, age, date of birth), contact information (email address, phone number, address information, IP address), professional data, visual and audio data, education data, family member data, and health data.

When processing this data, we act within the conditions and purposes of personal data processing specified in Articles 5 and 6 of Law No. 6698, the Identity Reporting Law No. 1774, the Consumer Protection Law No. 6502, the obligations arising from tax legislation, the regulations of supervisory and regulatory institutions and organizations, other mandatory cases imposed by authorized public authorities, the monitoring and execution of legal processes, and other legal provisions. Without being limited to these, and in addition to the above-mentioned obligations, we process your personal data in order to fulfill the requirements of the contracts we are a party to, to carry out sales, service, and organizational services and transactions, and to provide you with better service.

Verifying your identity and reservation before our sales, service, and organization services, contacting potential customers and thereby identifying potential consumers and informing consumers about campaigns, carrying out the offer preparation process, sharing the contract with you for the purpose of establishing the contract,

To create records in the system related to sales services, service operations, and organizational services, and to complete contract processes,

Post-purchase communication to measure product and service satisfaction, updating customer contact information, customizing, updating, marketing, and promoting the products and services offered by our company according to customer preferences, usage habits, and needs, informing you about any changes in our terms of service, addressing and following up on your requests and complaints, providing after-sales support services, including billing related to sales and services; conducting financial and monetary transactions, conducting risk management, conducting operations related to your safety and emergencies, informing you before the contract expiration date, and storing your data securely in a physical or electronic environment for an appropriate period of time for processing purposes.

7- ENSURING THE SECURITY OF PERSONAL DATA

ÇİFTAY A.Ş., in accordance with Article 12 of the Personal Data Protection Law, takes the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data it processes, prevent unlawful access to data, and ensure the preservation of data. Within this scope, it conducts or has conducted the necessary audits.

7.1. The technical measures taken in this context are listed below, without being limited to what is written here:

Personal data processing activities carried out within ÇİFTAY A.Ş. are monitored by the technical systems established.

Departments have been set up for technical matters, and specialized personnel are employed in this regard.

New technological developments are monitored, and technical measures are taken on systems, particularly in the field of cybersecurity. These measures are periodically updated and renewed.

Access and authorization technical solutions are implemented within ÇİFTAY A.Ş. in accordance with the legal compliance requirements determined for each department.

Access rights are restricted, and authorizations are regularly reviewed.

Access restrictions are applied to former employees, and accounts are closed.

Software and hardware, including virus protection systems, data breach security, and firewalls, are installed.

All information systems, including applications that collect personal data, are regularly subjected to external impact testing to detect security vulnerabilities, and any vulnerabilities found are closed based on the results of this testing.

7.2. The administrative measures taken are listed below, without limitation:

ÇİFTAY A.Ş. employees are informed and trained on personal data protection law and the lawful processing of personal data.

ÇİFTAY A.Ş. employees have been informed verbally and in writing that they must not use the personal data they learn in the course of their activities in violation of the provisions of the Personal Data Protection Law. In this context, service contracts and related documents between ÇİFTAY A.Ş. and its employees include records containing information about personal data and data security, and additional protocols are made to ensure that these obligations continue even after the employees leave their positions.

All personal data processing activities carried out by ÇİFTAY A.Ş. are conducted in accordance with the personal data inventory and its annexes, which have been created through a detailed analysis of all departments.

The personal data processing activities carried out by the relevant departments within ÇİFTAY A.Ş. are bound by written policies and procedures established by ÇİFTAY A.Ş. to ensure compliance with the personal data processing conditions required by the KVKK. Each department has been informed about this matter, and the issues that need to be considered in the activities they carry out have been determined.

ÇİFTAY A.Ş. enters into supplementary agreements and/or obtains written commitments with the recipients of personal data to ensure that they take the necessary security measures to protect personal data and ensure compliance with these measures within their own organizations.

In the event that processed personal data is obtained by others through unlawful means, ÇİFTAY A.Ş. will notify the relevant party and the Board as soon as possible.

8- PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

The KVK Law attaches special importance to certain personal data due to the risk of causing harm or discrimination to individuals if processed unlawfully. These data include race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. ÇİFTAY A.Ş. acts with sensitivity in protecting special category personal data determined as “special category” by the KVK Law and processed in accordance with the law. In this context, ÇİFTAY A.Ş. meticulously implements the technical and administrative measures taken within the scope of the Law and the principles of the Board for the protection of personal data, particularly with regard to special category personal data, and ensures that the necessary audits are carried out within ÇİFTAY A.Ş.

9- INFORMING AND NOTIFYING DATA SUBJECTS

In accordance with Article 10 of the Personal Data Protection Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, ÇİFTAY A.Ş. informs personal data subjects when their personal data is obtained. In this context, Information Texts have been placed in easily visible areas in our offices, hotel, and website for our customers, employees, job applicants, visitors, shareholders and employees of institutions we collaborate with, and third parties whose personal data has been collected by our company. The information text and application form have also been published at www.hicukurambar.com along with this policy.

10- TRANSFER OF PERSONAL DATA

ÇİFTAY A.Ş. may transfer the personal data and special category personal data of the data subject to third parties in accordance with the law, taking the necessary security measures and in compliance with the legislation. ÇİFTAY A.Ş. may transfer personal data to foreign countries declared by the KVK Board to have adequate protection or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country have committed in writing to provide adequate protection and where the KVK Board has given its consent. The reasons for the transfer are explained below:

If there is an explicit provision in the laws regarding the transfer of personal data,

If the transfer of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract,

If the transfer of personal data is mandatory for ÇİFTAY A.Ş. to fulfill its legal obligations,

If the transfer of personal data is mandatory for the establishment, exercise, or protection of a right,

Provided that it does not harm the fundamental rights and freedoms of the data subject, if the transfer of personal data is necessary for the legitimate interests of ÇİFTAY A.Ş.

11- RETENTION PERIODS FOR PERSONAL DATA

ÇİFTAY A.Ş. retains personal data for the period specified in the relevant laws and regulations, if such a period is stipulated therein. In this context, ÇİFTAY A.Ş. first determines whether the relevant legislation specifies a retention period for personal data. If a period is specified, it complies with that period. If no period is specified, it retains personal data for as long as necessary for the purpose for which it was processed. At the end of these periods, personal data is deleted, destroyed, or anonymized in accordance with the obligations under the Law, depending on the nature of the data and the purpose of its use. If the purpose of processing personal data has ended and the retention periods specified by the relevant legislation and ÇİFTAY A.Ş. have also expired, personal data may only be retained for the purpose of serving as evidence in possible legal disputes or asserting or establishing a defense related to the personal data. The periods mentioned here are established in accordance with the statute of limitations for asserting the aforementioned right and the statute of limitations for asserting the right despite the passage of the statute of limitations, as well as for matters previously addressed to ÇİFTAY A.Ş. on the same issues. Retention periods are determined based on examples in requests. In this case, personal data stored is not accessed for any other purpose and access to the relevant personal data is only provided when it is necessary for use in the relevant legal dispute. Here too, after the aforementioned period has ended, personal data is deleted, destroyed, or anonymized.

12- RIGHTS AND REQUESTS OF THE DATA SUBJECT

Pursuant to Article 11 of Law No. 6698, you have the following rights regarding your personal data by applying to ÇİFTAY A.Ş. in accordance with the prescribed procedure.

Find out whether your personal data has been processed

Request information if it has been processed

Find out the purpose of processing and whether it is being used for that purpose

Know the third parties to whom your personal data has been transferred within or outside the country

Request the correction of personal data if it has been processed incompletely or incorrectly

Request the deletion or destruction of personal data if the reasons for processing it no longer exist

Request notification of these actions to third parties to whom personal data has been transferred, in cases where correction is requested due to incomplete or incorrect processing of personal data, or where deletion or destruction is requested due to the disappearance of the reasons requiring the processing of personal data

Object to a result that is detrimental to you due to the analysis of processed data exclusively by automated systems

Request compensation for the damage if you suffer damage due to the unlawful processing of your personal data

Data subjects may submit requests regarding their rights under Article 11 of Law No. 6698, in accordance with the “Communication on the Procedures and Principles for Applications to the Data Controller,” in writing or via a registered electronic mail (KEP) address, secure electronic signature, mobile signature, the electronic mail address previously notified by the data subject to the data controller and registered in the data controller’s system, or by means of software or an application developed for the purpose of the request, attaching information and documents related to the subject matter.

The application must include the applicant’s first name, last name, and signature (if the application is in writing), Turkish Republic ID number for Turkish citizens, nationality, passport number or ID number (if available) for foreigners, residential or business address for notification purposes, email address for notification purposes (if available), telephone and fax numbers, and the subject of the request. Applications made by registered mail or through a notary public must be sent to the address “İşçi Blokları Mah. 1484. Sk., No. 3 (Konya yolu üzeri) Çukurambar, ÇANKAYA / ANKARA”. ÇİFTAY A.Ş. will process the requests included in the application as soon as possible and within a maximum of 30 (thirty) days, depending on the nature of the request and in accordance with the legislation. If the request of the relevant person is accepted, ÇİFTAY A.Ş. will fulfill the request as soon as possible and inform the relevant person.

13- CASES WHERE THE DATA SUBJECT CANNOT EXERCISE THEIR RIGHTS

Pursuant to Article 28 of the KVK Law, the following cases are excluded from the scope of the KVK Law:

a) The processing of personal data by natural persons solely for activities related to themselves or their family members living in the same household, provided that such data is not disclosed to third parties and obligations regarding data security are complied with.

b) The processing of personal data for purposes such as research, planning, and statistics by rendering it anonymous through official statistics.

c) Processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy, or personal rights, or constitute a crime.

ç) Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.

d) Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or enforcement proceedings.

14- DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

In accordance with the “Regulation on the Deletion, Destruction, and Anonymization of Personal Data” issued by the legislation and the Board, even if processed in accordance with the relevant provisions of the law, personal data shall be deleted, destroyed, or anonymized at the discretion of ÇİFTAY A.Ş. or upon the request of the personal data owner if the reasons for processing no longer exist.

This Policy has been prepared within the framework of the Personal Data Protection Law and the legislation in force and is published on our website (www.hicukurambar.com) for the access of the relevant persons. In case of any inconsistency between the legislation in force and the Policy, the provisions of the legislation shall prevail.

Best regards,