IZZ GÖCEK OTEL İŞLETMECİLİĞİ YÖNETİM HİZMETLERİ TURİZM VE TİCARET LİMİTED ŞİRKETİ
POLICY ON THE PROTECTION OF AND PROCESSING OF PERSONAL DATA
1.1 The Scope and The Purpose of the Policy
The Law on the Protection of Personal Data, No: 6698 (“Law” and/or “KVKK”) has entered into force on 07/04/2016; and, The Processing and Protection of Personal Data Policy (“Policy”) by Izz Göcek Otel İşletmeciliği Yönetim Hizmetleri Turizm Ve Ticaret Limited Şirketi (“Company”) and the protection and processing of personal data by the Company. It is aimed to determine the principles to be followed in fulfilling the related liabilities.
The Law on the Protection of Personal Data, No: 6698 (“Law” and/or “KVKK”) has entered into force on 07/04/2016; and Izz Göcek Otel İşletmeciliği Yönetim Hizmetleri Turizm Ve Ticaret Limited Şirketi (“Company”) is intended to determine the principles to be followed in ensuring compliance with the Policy on the Processing and the Protection of Personal Data (“Policy”) and in fulfilling the obligations regarding the protection and processing of personal data by the Company.
Collected personal data of yours shall be processed within the context of the conditions and purposes of the Articles 5 and 6 of Law, No:6698, for the purposes of: performing the necessary work by our business units in order to make yours use of the products and the services provided by our Company, in general sense; recommending services to yours that are customized according to your likes and usage habits; ensuring the legal and commercial security of our Company and those who have a business relationship with our Company; determining and implementing our Company’s commercial and business strategies
The policy determines the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities within the context of the Law, the subjects of all personal data processed by the Company and all personal data processed by the Company.
Definitions regarding the terms used in the policy are included in ANNEX-1.
1.2. Effectiveness and Amendmend
The Policy has been published and made public on the website by the Company. In case of dispute between the current legislation, especially the Law, and the regulations in this policy, the provisions of the legislation shall be applied. The company reserves the right to make amendmends in the policy in line with the legal regulations. The current version of the policy is available on the website of the Company.
1. DATA SUBJECTS, PURPOSES OF PROCESSING PERSONAL DATA AND DATA CATEGORIES OF OUR COMPANY WHILE PROCESSING PERSONAL DATA ACTIVITIES
2.1. Data Subjects
Within the scope of this Policy, Data Subjects are all of the natural persons other than Company employees whose personal data are processed by the Company. In this framework, the categories of data subjects are as follows: Employees whose personal data we process; Employee/ Candidate/ Intern,
- Our Suppliers,
- Our Business Partners,
- Hotel Guests,
- Potential Guests,
- The third person and / or the persons with whom we have relations within the scope of our company’s interests and legal responsibilities
Data subject categories are specified for general information sharing. The fact that the data subject does not fall under any of these categories does not eliminate the quality of the data subject as specified in the law.
2.2. Purposes of Processing Personal Data By the Company
Your personal data and personal data of special personal data might be processed by the Company in accordance with the personal data processing conditions specified in the law and related legislation for the following purposes.
|MAIN PURPOSES||SECONDARY PURPOSES|
|Performing the necessary works by our relevant business units in order to carry out the activities conducted by the Company, and and conducting business processes related to those||1. Planning and performance of business activities |
2. Event Management
3. Room Reservation
4. Check-in to the Hotel and Payment
5. Eating / drinking at the bar or the restaurant of the hotel bar during a stay
6. Planning and performance of corporate communication activities
7. Creation and management of information technologies infrastructure
8. Planning and execution of business continuity activities
9. Planning, inspecting and execution of information security processes
10. Planning and execution of business partners and suppliers’ access authorities to information
11. Monitoring financial and accounting affairs
12. Planning the activities / efficiency and effectiveness analysis of business activities
13. Planning and execution of corporate management activities
14. Planning, supporting and executing research and development activities
15. Planning and execution of company training activities
16. Management of relations with business partners and suppliers
17. Execution of strategic planning activities
18. Planning and execution of programs and trainings offered by the company in terms of scope and content
|Planning and Executing the Company’s Human Resources Policies and Processes||1. Planning of human resources processes|
2. Fulfillment of labour contractual and regulatory obligations for the personnel,
3. Monitoring and control of the work activities of the employees / candidates and interns
4. Planning and execution of the activities on the Organizations of Corporate communication, corporate social responsibility and non-governmental organizations with which the participate.
5. Planning and execution of benefits and vested benefits for the employees / candidates and interns
6. Execution of human resource procurement processes
7. Planning and monitoring performance evaluation processes
8. Planning and execution of personnel job quitting procedures
9. Planning and execution of the satisfaction and loyalty processes of the employees / candidates and interns
10. Planning and execution of the processes of receiving and evaluating the suggestions of the personnel for the improvement of the company processes
11. Planning and execution of Talent – Career development activities
12. Planning and execution of intraco orientation activities
13. Planning and execution of in-house appointment-promotion and turnover processes
14. Planning and execution of in-company training activities
15. Planning and execution of personnel / candidates and intern’s access to information
16. Planning of Salary increase
17. Improving the institutional processes of the staff
|Ensuring the legal, technical and commercial-occupational safety of the company and the persons in business relationship with the Company||1. Ensuring the security of the company’s campuses and facilities|
2. Creating and following up visitor records
3. Giving information to the authorized institutions arising from the legislation
4. Ensuring the security of company operations
5. Monitoring the legal affairs
6. Planning and execution of the operational activities required to ensure that company activities are carried out in accordance with institutional procedures and relevant legislation
7. Planning and execution of emergency management processes
8. Planning and execution of company audit activities
9. Planning and execution of occupational health and safety processes
10. Ensuring that the data are correct and up to date
11. Ensuring the security of company activities
12. Planning and execution of the company’s financial risk processes
13. Planning and execution of the company’s commercial risk processes
14. Ensuring the security of the company’s fixtures and resources
|Planning and execution of the activities required by the company to offer, recommend and promote her services to the people concerned.||1. Planning and executing company services|
2. Planning and execution of the processes of company marketing services
3. Planning and execution of marketing services research activities
4. Planning and execution of processes to establish and increase loyalty to the company
5. Planning and execution of company satisfaction activities
6. Planning and executing company programs and services
2.2. Personal Data Categories
Your personal data, categorized below by the Company, is processed in accordance with the personal data processing conditions contained in the law and related legislation:
|CATEGORIZATION OF PERSONAL DATA||EXPLANATION|
|Identity||All information regarding the identity of the person in documents, such as: driver’s license, identity card, residence, passport, attorneyship identity, date of birth, gender, marital status, education, insurance, occupation|
|Contact Information||Information that enables one to contact the data subject, such as: phone number, address, e-mail|
|Location Data||Data that are clearly identified or identifiable to a natural person and located within the data recording system, to determine the location of the data subject; boat / transportation / travel information|
|Information of Family Members and Relatives of the Data Subject||Information about the family members and relatives of the personal data subject whose identity is clearly or identifiably belongs to a real person and included in the data recording system, processed to protect the legal interests of the relevant Institution and the data subject.|
|Risk Management Information||Personal data that is clearly identified or identifiable to a natural person and included in the data recording system, processed to manage the Company’s commercial, technical and administrative risks|
|Physical Area Security Information||At the entrance to the physical space, records such as camera records, license plate information records taken during the stay in the physical area and personal data related to the documents|
|Transaction Security Information||Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our commercial activities|
|Financial Information||Information, accommodation and expenditure information, personal data processed on documents and records, showing all kinds of financial results created according to the type of legal relationship established between the data subject and our company.|
|Candidate Information||Personal data processed by individuals who have applied to be employees of our company or who are evaluated as candidates in line with our human resources needs or who are in a working relationship with our Company in accordance with commercial custom and good faith.|
|Legal Process and Compliance Information||Personal data processed within the scope of determination of legal receivables and rights, starting a legal proceeding and performance of our debts and compliance with our legal obligations and Company policies|
|Audit and Inspection Information||Personal data processed within the scope of our company’s legal obligations and compliance with Company policies|
|Data of Special Nature||Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are the personal data of special nature|
|Marketing Information||Social media accounts, shopping information, invoice information, consumption preferences, data that shall be used by the Company in marketing activities, which are clearly identifies by a certain or identifiable natural person and included in the data recording system.|
|Request/ Complaint Management Information||Personal data regarding the receiving and evaluation of any requests or complaints addressed to our company|
|Reputation Management Information||nformation collected for the purpose of protecting the commercial reputation of our company and information related to the evaluation reports and actions taken|
|Incident Management Information||Personal data processed in order to take necessary legal, technical and administrative measures against events that emerged to protect the commercial rights and interests of our company.|
|AudioVisual Data||Visual and auditory recordings that are clearly identified or identifiable to a natural person and are included in the data recording system and associated with the data subject.|
3. PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Principles of the Processing of Personal Data
The personal data is processed in accordance with the personal data processing principles in Article 4 of KVKK by Company
It is imperative to comply with these principles for each personal data processing activity.
- Lawfulness and conformity with rules of bona fides.
- Accuracy and being up to date, where necessary.
- Being processed for specific, explicit and legitimate purposes
- Being relevant with, limited to and proportionate to the purposes for which they are processed.
- Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.
3.2. Conditions of the Processing of Personal Data
Accordingly, the basis of the personal data processing activity might be only one of the conditions mentioned beloved, and more than one of these conditions might be the basis of the same personal data processing activity.
- Having the Explicit Consent of the Data Subject, The primary condition for processing of the personal data is the explicit consent of of the data subject. The explicit consent of the data subject has to be given freely, specific and informed consent.
- It Must Clearly Provided For By The Laws, Personal data of the data subject may be processed in accordance with the law without seeking the explicit consent of the data subject in cases where they are clearly provided for by the Laws.
- Where it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his / her consent or whose consent is not deemed legally valid, Personal Data of the data subject might be processed in cases where it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his / her consent or whose consent is not deemed legally valid.
- Direct relation with the conclusion or fulfilment of the contract, Personal Data of the data subject might be processed in cases where processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of contract
- Legal Obligation, Personal Data of the data subject might be processed in cases where it is mandatory for the controller to be able to perform our Company’s legal obligations
- Making the data available to the public by the data subject himself / herself, Within the boundaries of making the personal data available to the public, personal Data of the data subject might be processed in cases where the data concerned is made available to the public by the data subject himself
- Where data processing is mandatory for the establishment, exercise or protection of any right, Personal Data of the data subject might be processed in cases where data processing is mandatory for the establishment, exercise or protection of any right.
- Where data processing is mandatory for the legitimate interests of our Company, Personal Data of the data subject might be processed in cases where it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
3.3. CONDITIONS ON THE PROCESSING OF PERSONAL DATA OF SPECIAL NATURE
In the Article 6 of the KVKK, special personal datas are specified to be limited. They are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data of persons.
Company could process special personal data by providing additional measures determined by the Personal Data Protection Board in the following cases,
- The processing of special personal data, other than health and sexual life, can be processed if the data subject gives explicit consent or when clearly prescribed by law.
- Personal data related to health and sexual life, for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, the data owner is open by the persons who are under the obligation to keep secrets or authorized companies and organizations. can be processed without seeking consent.
4. TRANSFER OF PERSONAL DATA
Company may transfer personal data at home or abroad in case there are conditions for transferring personal data, in accordance with the Articles of 8 and 9 of KVKK and with the additional regulations determined by the Personal Data Protection Board
- Transfer of personal data to third persons at home, Your personal data, provided that at least one of the data processing conditions stated in Articles 5 and 6 of KVKK and specified under the Section.3 of this Policy exists and provided that they comply with the basic principles of data processing, might be transferred by Company.
- Transfer of personal data to third persons abroad, in the cases a person does not renders his/her explicit consent, your personal data, provided that at least one of the data processing conditions stated in Articles 5 and 6 of KVKK and specified under the Section.3 of this Policy exists and provided that they comply with the basic principles of data processing, might be transferred by Company.
In case the country to be transferred is not from the safe countries to be announced by the Personal Data Protection Board, upon undertaking adequate protection in writing in the relevant country by Company and the data controller, personal Data may be transferred abroad to third parties in case of at least one of the data processing conditions specified in article 5 and 6 of KVKK (see Policy Title 3), provided that the Board permits this process.
Within the scope of the general principles of KVKK and data processing conditions specified in Articles 8 and 9, Company may transfer data to the parties categorized in the table below:
|CATEGORIZATION OF TRANSFERRED PART||CONTEXT||PURPOSE OF TRANSFER|
|Business Partner||Parties with which the Company has established a business partnership while carrying out her commercial activities||Limited sharing of personal data to ensure the fulfillment of the business partnership’s objectives|
|Provider||Parties that provide services for the Company to proceed her commercial activities in accordance with the instructions received from the Company and based on the contract with the Company.||Limited transfer by receiving outsourced services from the supplier|
|Legally Authorized Public Authority||Public institutions and organizations legally authorized to receive information and documents from the Company||Limited personal data sharing of relevant public institutions and organizations to request information|
|Authorized Private Company||Private persons legally authorized to receive information and documents from the Company||Limited sharing of data for the purpose requested by the relevant private persons within their legal authority|
5. RIGHTS OF AND INFORMING THE DATA SUBJECTS
According to Article 10 of the Law, data subjects must be informed with regard to the processing of personal data before or while the processing of personal data at the latest. In accordance with the this article, the necessary structure within the Institution has been established to ensure that the data subject are informed in every situation where the personal data processing activity is carried out by the Company as the data controller. Within this context;
- For the purpose of processing your personal data, please See the section 2.2 of the Policy.
- Please See the section 4 of the Policy for the parties to which your personal data is transferred and for the purpose of the transfer.
- Please See the sections 3.2 and 3.3 of the Policy to review the conditions for processing your personal data, which can be collected through different channels in physical or digital media. As you are the Data Subject, we inform you that you have the following rights pursuant to the Article 11 of KVKK:
- to learn whether your personal data are processed or not,
- to request information if your personal data are processed,
- to learn the purpose of your data processing and whether this data is used for intended purposes
- to know the third parties to whom your personal data is transferred at home or abroad,
- to request the rectification of the incomplete or inaccurate data of your, if any, and to request notification of the operations carried out in compliance these to third parties to whom your personal data has been transferred,
- -Despite being processed in accordance with the provisions of KVKK and other relevant legislations- to request erasure or destruction of the personal data in the case that the purposes requiring their processing disappear; and also, to request notification of the operations carried out in compliance these to third parties to whom your personal data has been transferred.
- to object to the processing, exclusively by automatic means, of your personal data, which leads to an unfavourable consequence for the data subject,
- to request compensation for the damage arising from the unlawful processing of your personal data.
You can submit your applications regarding your rights specified above to our Company by filling out the Data Subject Application Form of our Company which you could provide it by accessing to the Website of the Company. Depending on the nature of your request, your applications shall be concluded free of charge as soon as possible and within thirty days at the latest; however, in case such act requires an additional cost, you may be charged for that according to the tariff to be determined by the Personal Data Protection Board.
During the evaluation of the applications, the Company, first, determines whether the person making the claim has a real right to do so. In addition to this, the Company may request detailed and additional information in order to understand the request in a better way, when it deems necessary.
Responses to data subject applications are reported to them in writing or electronically. If the application is refused, the reasons for rejection shall be explained to the data subject on by explaining the reasoning of the refusal as well.
If personal data are not collected directly from the data subject;
- Within a reasonable time from the acquisition of personal data,
- If the personal data will be used for data communication with the person, during the initial communication,
- If personal data is to be transferred, at the latest when personal data are to be transferred for the first time,
activities regarding the informing of data subjects shall be carried out by the company
6. ERASURE, DESTRUCTION, ANONYMIZATION OF THE PERSONAL DATA OF THE EMPLOYEES
According to the Article 7 of KVKK, despite being processed under the provisions of the Law, personal data shall be erased, destructed or anonymized by Company in accordance with the Guidances published by Company, ex officio or upon demand by the Employee, upon disappearance of reasons which require the process.
7. CONSTRAINTS REGARDING THE APPLICATION AND THE SCOPE OF THE LAW
The provisions of the Law shall not be applied in the following cases where:
- personal data is processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
- personal data is processed for the purpose of official statistics and for research, planning and statistical purposes after having been anonymized.
- personal data is processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or they are processed so as not to constitute a crime.
- personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned to maintain national defence, national security, public security, public order or economic security.
- personal data is processed by judicial authorities or execution authorities with regard to investigation, prosecution, criminal proceedings or execution proceedings.
In the cases listed below, the Company is not under the obligation to inform her Employees and the Employees, excluding their rights to demand compensation, shall not be able to exercise their rights regulated in the Law where personal data processing:
- is required for the prevention of a crime or crime investigation.
- is carried out on the data which is made public by the data subject himself.
- is required for inspection or regulatory duties and disciplinary investigation and prosecution to be carried out by the public institutions and organizations and by professional associations having the status of public institution, assigned and authorised for such actions, in accordance with the power conferred on them by the law.
- is required for protection of State’s economic and financial interests with regard to budgetary, tax-related and financial issues.
8. ANNEX-1: DEFINITIONS
|Explicit Consent||Freely given, specific and informed consent.|
|Anonymizing||Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.|
|Employee||Real Person that is the Employee of the Company|
|Candidate||Natural persons who are not the employees of the company, but who have the status of Candidates of the Company through various methods|
|Personal Medical Data||Any health information about an identified or identifiable natural person|
|Personal Data||All the information relating to an identified or identifiable natural person.|
|Data Subject||The natural person, whose personal data is processed.|
|Processing of Personal Data||Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.|
|Law||The Law on the Protection of Personal Data No: 6698, published in the Official Gazette, No: 28677 , on April 7, 2016|
|Personal Data of Special Nature||Race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.|
|Policy||Policy on the Processing and the Protection of Personal Data of the Company|
|Company / Company||Izz Göcek Otel İşletmeciliği Yönetim Hizmetleri Turizm Ve Ticaret Limited Şirketi|
|Business Partners||Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of her business activities.|
|Data Processor||The natural or legal person who processes personal data on behalf of the controller upon his authorization.|
|Data Controller||The natural person who determines the purpose and means of processing personal data and is responsible for managing the data registry system that the data are retained in a systematical way|
9. ANNEX-2: VERSION FOLLOW-UP CHART
|VERSION NO||DATE OF UPDATE||AMENDMEND|