1. Introduction
This personal data processing policy KARALAR PETROL TAR. TYPE. NAC. And TRADE LTD. STI. SENSITIVE PREMIUM RESORT & SPA: briefly (“COMPANY”) has been prepared for the purpose of determining the procedures and principles to be applied by the COMPANY regarding the processing of personal data in accordance with the Personal Data Protection Law No. 6698 and other legislation of the personal data we hold as data controller.
2. Scope
3. Definitions
Law/KVKK: The Law on Protection of Personal Data No. 6698, dated 24/3/2016.
Board/Agency: Personal Data Protection Board/Personal Data Protection Authority.
Personal Data: Any information relating to an identified or identifiable natural person.
Relevant Person: Person whose personal data is processed.
Explicit Consent: Consent on a particular subject, based on information and obtained with free will.
Anonymization: Making personal data cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.
Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and non-reusable for Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and reusable by anyone.
Processing of Personal Data: Acquiring, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over of personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system. Any operation performed on data, such as making it available, classifying or preventing its use.
Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given to him.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Sensitive Personal Data: The person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and data on security measures and biometric and genetic data.
Obligation to Disclose: During the acquisition of personal data, the data controller or the person authorized by it, to the relevant persons; The identity of the data controller and its representative, if any, For what purpose the personal data will be processed, To whom and for what purpose the processed personal data can be transferred, Method and legal reason for collecting personal data, Giving information about other rights listed in Article 11 of the Law.
Sedna: Front office, Accounting, Purchasing, Guest Relations, I.K. Automation System.
Destruction Policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.
Recording Media: Any kind of electronic media containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.
Company: KARALAR PETROL MAM. TAR. TYPE. NAC. And TRADE LTD. ŞTİ.
4. Principles Regarding the Processing of Personal Data
4.1 Compliance with the rules of law and good faith: The COMPANY protects the individual rights of the persons concerned during the processing of personal data. Personal data is collected and processed in accordance with the law and fairly.
4.2 Processing for specific, clear and legitimate (transparency) purposes and being limited and measured in relation to the purpose for which they are processed: The purpose for which personal data will be processed by the COMPANY It is revealed before the personal data processing activity begins. The COMPANY processes personal data only in order to provide better service to the persons concerned. During the acquisition of personal data; The data subject is informed about the identity of the data controller and its representative, if any, the purpose of processing personal data, to whom and for what purposes personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the person concerned.
4.3 Retaining the personal data for as long as required by the relevant legislation or for the purpose for which they are processed: The COMPANY can only keep personal data for the period specified in the relevant legislation or for the purpose for which they are processed. preserves it. As long as personal data is deemed necessary for the purposes for which they are processed and required by regulatory authorities and/or relevant laws and regulations, the COMPANY and its affiliates under its control will continue to process and maintain personal data in accordance with the purposes set forth by this policy.
5. Data Processing Scope
Personal data processing is carried out in two different ways.
Automatic processing of data in whole or in part; transfer, disseminate or otherwise present, group or combine, block, delete or destroy This policy covers collecting, recording, photographing, audio recording, video recording, organizing, storing, changing, restoring, retrieving or disclosing data from the specified person or third party for the purposes of this policy.
Processing/obtaining data by non-automatic means; recording, storing, preserving, changing, rearranging, provided that it is part of any recording system It covers disclosure, transfer, transfer abroad, takeover, making available, classifying or preventing its use.
5.1 The COMPANY has the right to process the personal information of the person concerned during the use of its services and after the end of the service relationship, by complying with the purposes specified in this policy.
5.2 The processing of personal data by the COMPANY, without any restrictions, provided that it is part of an automated, semi-automatic or automated system. It covers any action taken against data using non-automated means.
5.3 The COMPANY processes the data of the data subject or persons under the custody of the data subject.
5.4 Data processing also occurs on the instructions of the COMPANY and/or when the COMPANY acts on behalf of and on the instructions of a third party, where the COMPANY is the data processor It covers sharing the data given with the explicit consent of the relevant person and/or third parties.
5.5 Explicit consent of the person concerned, when using various electronic channels (web browser, website, internet, mobile applications, payment transactions, money including, but not limited to, the technical methods and channels used for the transfer and reception of the company) by the COMPANY. (For example; determining the location of the relevant person when using the electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data)
6. Fundamentals of Data Processing
6.1 The data subject belongs to the relevant person or by the relevant person, within the scope of the following purposes of the COMPANY, even if the contractual relationship is terminated during the use of the COMPANY services. accepts that it is necessary to process the information of the specified third parties.
a) Providing and/or implementing a service for the person concerned,
b) Data processing is mandatory in order to protect the legal rights of the COMPANY and/or third parties,
c) Fulfilling the COMPANY's legal obligations,
d) It is necessary to process the personal data of the person concerned, provided that it is directly related to the establishment or performance of a contract between the person concerned and the COMPANY,< /p>
e) Data processing is mandatory for the establishment, exercise or protection of a right,
f) Other matters to which the person concerned has expressly consented,
g) Other matters clearly stipulated in the legislation.
6.2 Explicit consent given by the person concerned shall mean that the person concerned accepts the policy and its provisions.
7. Data Processing Purposes
Third parties that process personal data shared with the consent of the COMPANY and/or the relevant persons may process the personal data of the data subject or persons under the custody of the data subject for the following purposes.
a) Realization of accommodation services as declared, providing and executing the services provided to the guests in a better and reliable manner,
b) To conduct information research and survey evaluations, to provide planning, statistics, archiving, storage services, to carry out customer satisfaction studies,
c) In order to optimize and develop the COMPANY services, it is necessary to check the accommodation history and / or behavioral patterns of the person concerned,
d) The COMPANY's ability to offer a new and/or additional service or non-service product,
e) Changing the current conditions of the service provided by the COMPANY,
f) The COMPANY's analysis of statistical data, preparation and presentation of various reports, researches and/or presentations,
g) In addition to providing security; detecting and/or preventing abuse, other criminal activities,
h) Meeting the complaints, questions and demands of the relevant person,
ı) Verifying the identity information of the person concerned,
j) Carrying out promotional, marketing, promotion and campaign activities for accommodation services,
k) Realization of other objectives stipulated in national and international laws and regulations.
8. Processing, Transfer or Disclosure of Data
The COMPANY fulfills the obligations imposed by the relevant legislation and board policy decisions regarding the processing, transfer or disclosure of personal data. In accordance with the purposes determined by this policy, including, but not limited to, the personal data of the related person and third parties; For the processing, transfer and/or disclosure of all kinds of information, depending on the content and variety of accommodation service offered by the COMPANY; Name and surname of the person concerned, Personal identification number and/or unique feature on the identity card, Registered and/or resident address, Telephone/mobile number, E-mail address, Employer data, as well as information about employment conditions (place of work) , wages, working hours, etc.), while using various electronic channels and/or the internet (including but not limited to web cookies, etc.) and when using the above-mentioned channels, the activities of the person concerned and/or the third parties specified by the person concerned (this including but not limited to the verification of channels, actions taken or transaction history), Uses data about the persons with whom the relevant person stayed during the service purchase.
8.1 The person concerned with the purpose of benefiting from the services of the COMPANY (including but not limited to personal data, sensitive personal data, etc.) , if third parties (Family members, employer, etc.) give their personal data to the COMPANY; The person who gives the data to the COMPANY will be responsible for obtaining the necessary consent for the processing of this personal data.
8.2 If the person concerned gives the said information to the COMPANY (or its authorized personnel), it is assumed that the person concerned has given the necessary express consent and that the COMPANY this express consent The obligation to buy is eliminated.
8.3 In the event that personal and/or special quality personal data is processed without the explicit consent of the data subject and a loss arises as a result of this processing, the COMPANY shall bear this loss. is obliged to meet.
8.4 Explicit consent of the person concerned, when using various electronic channels (Web browser, website, internet, mobile applications, payment transactions, money including, but not limited to, the technical methods and channels used for the transfer and reception of the company) by the COMPANY. (For example; determining the location of the relevant person when using the electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data)
8.5 The COMPANY shall keep the telephone, mobile phone number, e-mail address and other contact information provided by the person concerned until it exercises the right of refusal of the person concerned. It has the right to send commercial electronic messages within the scope of the Law No. 6563 on the Regulation of Electronic Commerce, including sending SMS, sending voice and/or other kinds of marketing messages (direct marketing).
8.6 The person concerned, sharing personal data of the COMPANY with its subsidiaries and/or shareholders for the purpose of making various marketing offers gives the right.
8.7 Advertising/information messages (for example, advertising brochure, promotional images, verbal offers, etc.) in the service points of the COMPANY or the COMPANY' The content displayed during the use of electronic channels such as internet, mobile marketing, etc., by the Company (or its subsidiaries), cannot be qualified as direct marketing, and the person concerned will not have the right to request that the publication and/or display of such content be terminated.
9. Processing of Applicants' or Employees' Data
9.1 Processing of personal data for the purpose of concluding, performing, maintaining and terminating a service contract: Fulfillment of personal rights and their uninterrupted maintenance, occupational health and safety service to be provided to employees, fulfillment of work permit procedures, evaluation of personal job applications, conducting research and other recruitment processes, performance evaluation and follow-up, training activities, improvement of working conditions, personal development The COMPANY has the right to process the personal information disclosed by the person concerned due to the start of work, trial period and/or internship, for purposes such as the execution of human resources and training processes, such as the execution of the processes.
In the job application process, information about the applicant is collected from third parties within the framework of the provisions of the Law on Protection of Personal Data No. 6698.
Explicit consent of the applicant is required for the processing of personal data that is related to the business relationship but is not part of the performance of the employment contract in the first place.
9.2 Processing of Special Categories of Personal Data
May be processed with his express consent. Special categories of personal data other than health and sexual life, only in cases stipulated by law, personal data on health and sexual life; however, it is complied with, that it is processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
10. Information Transfer/Sharing to/from Third Parties
This policy is transferred/shared with the data subject and/or the third parties specified by the data subject, within the scope of data processing, in order for the COMPANY to provide services to the data subject. The person concerned gives the COMPANY personal data; Obtaining and recording data completely or partially automatically or non-automatically provided that it is a part of any recording system, through all departments, internet, call centers, public institutions and organizations, and the parties from which they receive services that are complementary or extensions of the COMPANY's activities, their suppliers, gives the rights to be stored, preserved, modified, rearranged, disclosed, transferred, transferred abroad, taken over, made available, classified or used.
11. Obligation of Data Controller and Data Processor
11.1 Referring to the provisions of this policy; The COMPANY may act on behalf of the data controller, including third parties, who are data processors, while processing some types of personal data. The data controller may be a data processor for third parties in some personal data. Accordingly, each of the parties to such a relationship (data controller as well as the data processor) acts in accordance with the Law on the Protection of Personal Data. Therefore;
a) Personal data is processed in accordance with the principles in the legislation.
b) The explicit consent of the person concerned is obtained, necessary information and illuminations are made.
In case of the following: When a request is made by the data subject regarding information about his/her personal data, when a complaint or statement is submitted regarding the compliance of the data controller with the obligations imposed by the legislation, it notifies the person concerned as soon as possible and within 30 days at the latest.
In addition, if one of the parties represents the data processor and the other the data controller during the data processing, the data processor fulfills the following obligations. The data processor is obliged to:
12. Data Update, Processing, Retention Period and Data Disposal
Access authorization and control matrix system is used. For each personal data, the relevant users are identified, the authorizations and methods of the relevant users such as access, retrieval, reuse are determined, employment contract termination or change of position, etc. In such cases, the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data are updated, closed and eliminated.
Office files located on the central server are deleted with the delete command in the operating system of the file or the access rights of the relevant user on the file or the directory where the file is located are removed. Personal data in portable memories, if any, are stored encrypted and deleted with software suitable for these environments. Relevant lines containing personal data are deleted with database commands. While performing the operation, attention is paid to whether the relevant user is also a database administrator.
Destroying personal data is the process of making personal data inaccessible, unrecoverable and reusable by anyone in any way. The COMPANY, the Data Controller, takes all necessary technical and administrative measures regarding the destruction of personal data. In order to destroy personal data, all copies of the data are detected and the systems with the data are physically destroyed by melting, burning or pulverizing optical media and magnetic media. It is ensured that the data is not accessed by processes such as melting, incinerating, pulverizing or passing the optical or magnetic media through a metal grinder. With the command to delete network devices (switch, router, etc.), mobile phones (sim card and fixed memory areas); optical discs, by erasing command and physical destruction methods in fixed memory areas in portable smartphones; Data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, breaking into small pieces and melting. The destruction of personal data in devices that fail or are sent for maintenance is stored by removing the data storage medium, and other defective parts are sent to third institutions such as manufacturers, vendors and service providers. Employees coming from outside for maintenance and repair purposes are prevented from copying their personal data and taking them out of the institution, and necessary measures are taken.
Anonymization means removing or replacing all direct and/or indirect identifiers in a dataset, preventing the person concerned from being identified or being distinguishable within a group/crowd, a fact loss that cannot be associated with the person. The purpose of anonymization is to break the link between the data and the person identified by this data. The data is anonymized by choosing the one that is suitable for the relevant data among the methods such as automatic or non-automatic grouping, derivation, generalization, randomization applied to the records in the data recording system where personal data is kept.
13. Rights of the Relevant Person
Every contact; to learn whether personal data is processed, to request information if personal data has been processed, to learn the purpose of personal data and whether they are used in accordance with its purpose, to know the third parties in the country or abroad to whom personal data are transferred, to request correction of personal data in case of incomplete or incorrect processing, Requesting the deletion or destruction of personal data, requesting notification that personal data has been transferred to third parties in the country or abroad, Objecting to the emergence of a result against the person by analyzing the processed data only through automatic systems, incurring damage due to unlawful processing of personal data has the right to demand the compensation of the damage in case of damage.
14. Confidentiality of Data Processing
15. Data Processing Security
Personal data is protected against unauthorized access, illegal data processing or disclosure, and accidental loss, modification or destruction of data. Whether the data is processed electronically or on paper, it is within the scope of protection. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.
16. Data Protection Control
The issue of compliance with this Data Protection Policy and relevant data protection laws is regularly checked by authorized persons in the relevant units of the COMPANY. The personal data protection agency can personally audit the compliance of the COMPANY, its subsidiaries and subsidiaries with the provisions of this policy, as permitted by national laws.
When the person concerned submits his requests regarding the implementation of this policy and the Law on Protection of Personal Data to the Data Controller in writing, the Data Controller will do so as soon as possible and within 30 days at the latest, depending on the nature of the request in the application. finalizes the request free of charge. However, if the transaction requires an additional cost, the fees in the tariff determined by the Personal Data Protection Board are charged.