PERSONAL DATA PROCESSING POLICY

1. Introduction

This personal data processing policy KARALAR PETROL TAR. TYPE. NAC. And TRADE LTD. STI. SENSITIVE PREMIUM RESORT & SPA: briefly (“COMPANY”) has been prepared for the purpose of determining the procedures and principles to be applied by the COMPANY regarding the processing of personal data in accordance with the Personal Data Protection Law No. 6698 and other legislation of the personal data we hold as data controller.

2. Scope

3. Definitions

Law/KVKK: The Law on Protection of Personal Data No. 6698, dated 24/3/2016.

      Board/Agency: Personal Data Protection Board/Personal Data Protection Authority.

      Personal Data: Any information relating to an identified or identifiable natural person.

      Relevant Person: Person whose personal data is processed.

      Explicit Consent: Consent on a particular subject, based on information and obtained with free will.

      Anonymization: Making personal data cannot be associated with an identified or identifiable natural person in any way, even by matching with other data.

      Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and non-reusable for Relevant Users.

      Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and reusable by anyone.

      Processing of Personal Data: Acquiring, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over of personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system. Any operation performed on data, such as making it available, classifying or preventing its use.

      Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given to him.

      Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

      Sensitive Personal Data: The person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and data on security measures and biometric and genetic data.

      Obligation to Disclose: During the acquisition of personal data, the data controller or the person authorized by it, to the relevant persons;  The identity of the data controller and its representative, if any,   For what purpose the personal data will be processed, To whom and for what purpose the processed personal data can be transferred,  Method and legal reason for collecting personal data,  Giving information about other rights listed in Article 11 of the Law.

      Sedna: Front office, Accounting, Purchasing, Guest Relations, I.K. Automation System.

      Destruction Policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.

      Recording Media: Any kind of electronic media containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.

      Company: KARALAR PETROL MAM. TAR. TYPE. NAC. And TRADE LTD. ŞTİ.

4. Principles Regarding the Processing of Personal Data

4.1 Compliance with the rules of law and good faith: The COMPANY protects the individual rights of the persons concerned during the processing of personal data. Personal data is collected and processed in accordance with the law and fairly.

4.2 Processing for specific, clear and legitimate (transparency) purposes and being limited and measured in relation to the purpose for which they are processed: The purpose for which personal data will be processed by the COMPANY It is revealed before the personal data processing activity begins. The COMPANY processes personal data only in order to provide better service to the persons concerned. During the acquisition of personal data; The data subject is informed about the identity of the data controller and its representative, if any, the purpose of processing personal data, to whom and for what purposes personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the person concerned.

4.3 Retaining the personal data for as long as required by the relevant legislation or for the purpose for which they are processed: The COMPANY can only keep personal data for the period specified in the relevant legislation or for the purpose for which they are processed. preserves it. As long as personal data is deemed necessary for the purposes for which they are processed and required by regulatory authorities and/or relevant laws and regulations, the COMPANY and its affiliates under its control will continue to process and maintain personal data in accordance with the purposes set forth by this policy.

1. Accuracy of information, up-to-dateness of data: The COMPANY keeps the processed personal data accurate, complete and up-to-date if necessary. Where necessary; Inaccurate or incomplete data is deleted, corrected, completed or updated.
2. Privacy and data security: Personal data is subject to data privacy. It is considered confidential at the personal level and necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as to prevent accidental loss, alteration or destruction, and to ensure the preservation of personal data.

5. Data Processing Scope

Personal data processing is carried out in two different ways.

Automatic processing of data in whole or in part; transfer, disseminate or otherwise present, group or combine, block, delete or destroy This policy covers collecting, recording, photographing, audio recording, video recording, organizing, storing, changing, restoring, retrieving or disclosing data from the specified person or third party for the purposes of this policy.

Processing/obtaining data by non-automatic means; recording, storing, preserving, changing, rearranging, provided that it is part of any recording system It covers disclosure, transfer, transfer abroad, takeover, making available, classifying or preventing its use.

5.1 The COMPANY has the right to process the personal information of the person concerned during the use of its services and after the end of the service relationship, by complying with the purposes specified in this policy.

5.2 The processing of personal data by the COMPANY, without any restrictions, provided that it is part of an automated, semi-automatic or automated system. It covers any action taken against data using non-automated means.

5.3 The COMPANY processes the data of the data subject or persons under the custody of the data subject.

5.4 Data processing also occurs on the instructions of the COMPANY and/or when the COMPANY acts on behalf of and on the instructions of a third party, where the COMPANY is the data processor It covers sharing the data given with the explicit consent of the relevant person and/or third parties.

5.5 Explicit consent of the person concerned, when using various electronic channels (web browser, website, internet, mobile applications, payment transactions, money including, but not limited to, the technical methods and channels used for the transfer and reception of the company) by the COMPANY. (For example; determining the location of the relevant person when using the electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data)

    6. Fundamentals of Data Processing

6.1 The data subject belongs to the relevant person or by the relevant person, within the scope of the following purposes of the COMPANY, even if the contractual relationship is terminated during the use of the COMPANY services. accepts that it is necessary to process the information of the specified third parties.

      a) Providing and/or implementing a service for the person concerned,

b) Data processing is mandatory in order to protect the legal rights of the COMPANY and/or third parties,

c) Fulfilling the COMPANY's legal obligations,

d) It is necessary to process the personal data of the person concerned, provided that it is directly related to the establishment or performance of a contract between the person concerned and the COMPANY,< /p>

e) Data processing is mandatory for the establishment, exercise or protection of a right,

      f) Other matters to which the person concerned has expressly consented,

     g) Other matters clearly stipulated in the legislation.

6.2 Explicit consent given by the person concerned shall mean that the person concerned accepts the policy and its provisions. 

7. Data Processing Purposes

Third parties that process personal data shared with the consent of the COMPANY and/or the relevant persons may process the personal data of the data subject or persons under the custody of the data subject for the following purposes.

a) Realization of accommodation services as declared, providing and executing the services provided to the guests in a better and reliable manner, 

b) To conduct information research and survey evaluations, to provide planning, statistics, archiving, storage services, to carry out customer satisfaction studies,

c) In order to optimize and develop the COMPANY services, it is necessary to check the accommodation history and / or behavioral patterns of the person concerned,

          d) The COMPANY's ability to offer a new and/or additional service or non-service product,

          e) Changing the current conditions of the service provided by the COMPANY,

f) The COMPANY's analysis of statistical data, preparation and presentation of various reports, researches and/or presentations,

g) In addition to providing security; detecting and/or preventing abuse, other criminal activities,

          h) Meeting the complaints, questions and demands of the relevant person,

          ı) Verifying the identity information of the person concerned,

     j) Carrying out promotional, marketing, promotion and campaign activities for accommodation services,

     k) Realization of other objectives stipulated in national and international laws and regulations.

8. Processing, Transfer or Disclosure of Data

The COMPANY fulfills the obligations imposed by the relevant legislation and board policy decisions regarding the processing, transfer or disclosure of personal data. In accordance with the purposes determined by this policy, including, but not limited to, the personal data of the related person and third parties; For the processing, transfer and/or disclosure of all kinds of information, depending on the content and variety of accommodation service offered by the COMPANY; Name and surname of the person concerned, Personal identification number and/or unique feature on the identity card, Registered and/or resident address, Telephone/mobile number, E-mail address, Employer data, as well as information about employment conditions (place of work) , wages, working hours, etc.), while using various electronic channels and/or the internet (including but not limited to web cookies, etc.) and when using the above-mentioned channels, the activities of the person concerned and/or the third parties specified by the person concerned (this including but not limited to the verification of channels, actions taken or transaction history),  Uses data about the persons with whom the relevant person stayed during the service purchase.

8.1 The person concerned with the purpose of benefiting from the services of the COMPANY (including but not limited to personal data, sensitive personal data, etc.) , if third parties (Family members, employer, etc.) give their personal data to the COMPANY; The person who gives the data to the COMPANY will be responsible for obtaining the necessary consent for the processing of this personal data.

8.2 If the person concerned gives the said information to the COMPANY (or its authorized personnel), it is assumed that the person concerned has given the necessary express consent and that the COMPANY  this express consent  The obligation to buy is eliminated.

8.3 In the event that personal and/or special quality personal data is processed without the explicit consent of the data subject and a loss arises as a result of this processing, the COMPANY shall bear this loss. is obliged to meet.

8.4 Explicit consent of the person concerned, when using various electronic channels (Web browser, website, internet, mobile applications, payment transactions, money including, but not limited to, the technical methods and channels used for the transfer and reception of the company) by the COMPANY. (For example; determining the location of the relevant person when using the electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data)

8.5 The COMPANY shall keep the telephone, mobile phone number, e-mail address and other contact information provided by the person concerned until it exercises the right of refusal of the person concerned. It has the right to send commercial electronic messages within the scope of the Law No. 6563 on the Regulation of Electronic Commerce, including sending SMS, sending voice and/or other kinds of marketing messages (direct marketing).

8.6  The person concerned, sharing personal data of the COMPANY with its subsidiaries and/or shareholders for the purpose of making various marketing offers gives the right.

8.7 Advertising/information messages (for example, advertising brochure, promotional images, verbal offers, etc.) in the service points of the COMPANY or the COMPANY' The content displayed during the use of electronic channels such as internet, mobile marketing, etc., by the Company (or its subsidiaries), cannot be qualified as direct marketing, and the person concerned will not have the right to request that the publication and/or display of such content be terminated.

9. Processing of Applicants' or Employees' Data

9.1 Processing of personal data for the purpose of concluding, performing, maintaining and terminating a service contract: Fulfillment of personal rights and their uninterrupted maintenance, occupational health and safety service to be provided to employees, fulfillment of work permit procedures, evaluation of personal job applications, conducting research and other recruitment processes, performance evaluation and follow-up, training activities, improvement of working conditions, personal development The COMPANY has the right to process the personal information disclosed by the person concerned due to the start of work, trial period and/or internship, for purposes such as the execution of human resources and training processes, such as the execution of the processes.

In the job application process, information about the applicant is collected from third parties within the framework of the provisions of the Law on Protection of Personal Data No. 6698.

Explicit consent of the applicant is required for the processing of personal data that is related to the business relationship but is not part of the performance of the employment contract in the first place.

9.2 Processing of Special Categories of Personal Data

  May be processed with his express consent. Special categories of personal data other than health and sexual life, only in cases stipulated by law,  personal data on health and sexual life; however, it is complied with, that it is processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

 

10. Information Transfer/Sharing to/from Third Parties

This policy is transferred/shared with the data subject and/or the third parties specified by the data subject, within the scope of data processing, in order for the COMPANY to provide services to the data subject. The person concerned gives the COMPANY personal data; Obtaining and recording data completely or partially automatically or non-automatically provided that it is a part of any recording system, through all departments, internet, call centers, public institutions and organizations, and the parties from which they receive services that are complementary or extensions of the COMPANY's activities, their suppliers, gives the rights to be stored, preserved, modified, rearranged, disclosed, transferred, transferred abroad, taken over, made available, classified or used.

11. Obligation of Data Controller and Data Processor

11.1 Referring to the provisions of this policy; The COMPANY may act on behalf of the data controller, including third parties, who are data processors, while processing some types of personal data. The data controller may be a data processor for third parties in some personal data. Accordingly, each of the parties to such a relationship (data controller as well as the data processor) acts in accordance with the Law on the Protection of Personal Data. Therefore;

a) Personal data is processed in accordance with the principles in the legislation.

b) The explicit consent of the person concerned is obtained, necessary information and illuminations are made.

In case of the following: When a request is made by the data subject regarding information about his/her personal data, when a complaint or statement is submitted regarding the compliance of the data controller with the obligations imposed by the legislation, it notifies the person concerned as soon as possible and within 30 days at the latest.

In addition, if one of the parties represents the data processor and the other the data controller during the data processing, the data processor fulfills the following obligations. The data processor is obliged to:

1. Processes the data transmitted/explained by the other party, in accordance with the extent and scope permitted by the legislation and defined by the provisions of this policy, or upon the request of a regulatory authority,
2. In order to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data transmitted/disclosed by the data controller, all reasonable technical and administrative measures should be implemented and every necessary action should be taken, and the data controller should be informed of every measure taken within this scope.
3. The COMPANY supervises the measures and practices implemented by the data processor for data security through its authorized personnel,
4. Cooperates and supports in the examination of a complaint or statement submitted/explained by the COMPANY, including the following, by the Data Processor,
5. Provides the COMPANY with detailed information about the complaint and declaration status, including data about the data subject (including electronic data), transmitted/disclosed to the data processor by the data controller, within 7 working days from the date of request, 
6. Data processing (transfer) by the Data Processor to a country and/or international organization that is not part of the European Union Economic Area and is not on the list of countries that are at a sufficient level for the protection of personal data, or that the data subject or the Personal Data Protection Board does not allow the transfer. hinders its activity,
7.  Without the prior express written consent of the COMPANY; does not transfer/disclose the data to third parties,
8. Even where the COMPANY has express prior written consent; The data processor is obliged to transfer/disclose the data in accordance with a written contract. In the aforementioned written contract, the third party and its subcontractors are obliged to take all necessary technical and administrative measures to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data. 
9. Compensation of any damage/loss that the COMPANY incurs due to the data processor's failure to take or fully perform the necessary actions (in accordance with the Policy and legislation). All kinds of damages/losses (including but not limited to consequential damages) that the COMPANY may suffer as a result of the breach of the data processor, complaints, expenses (including but not limited to the expenses that the COMPANY will incur due to the use of its legal rights), legal processes The data processor gives express consent and agrees with the data controller to compensate for damages and other obligations. 
10. Unless otherwise specified in the contract between the COMPANY and the data processor, the data processor after the termination of the contractual relationship between the COMPANY and the data processor; Returning any data (including personal data) transferred/disclosed from the COMPANY. It is obliged to take all necessary security measures to prevent unauthorized access to data by third parties, to destroy personal data transferred/disclosed by the COMPANY and to notify the COMPANY to confirm that this action has been taken.

12. Data Update, Processing, Retention Period and Data Disposal

1.  It continues to operate for a period of time consistent with the purposes and interests of the company, the requests of supervisory / regulatory authorities and / or legislation for the purposes specified in this policy during and after the period of using the services of the Company.
2.  The processing of the data transferred during the use of the COMPANY electronic channels (web browser, website, internet, mobile applications and/or other electronic data transfer tools) continues after the data subject deletes the data from the relevant electronic channels.
3.  Upon the request of the person concerned, information is provided about the personal data held in the COMPANY, in accordance with the legislation.
4.  In case the data of the person concerned is incomplete or inaccurate, the missing and incorrect data are completed and corrected upon the written notification of the person concerned to the COMPANY.
5.  Personal data is retained for as long as required by the relevant legislation or for the purpose for which they are processed, and in any case for 15 years. Even though it has been processed in accordance with the provisions of the legislation, in the event that the reasons for its processing disappear and the storage period of the COMPANY expires, personal data is deleted, destroyed or anonymized by the data controller spontaneously or upon the request of the data subject.
6.  In determining the retention and destruction periods of personal data, the following criteria are used:
   1.  By determining which of the exceptions stipulated in Articles 5 and 6 of the Law, data storage can be evaluated within the scope of,

Access authorization and control matrix system is used. For each personal data, the relevant users are identified, the authorizations and methods of the relevant users such as access, retrieval, reuse are determined, employment contract termination or change of position, etc. In such cases, the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data are updated, closed and eliminated.

1.  In the event that the period envisaged in the legislation expires in relation to the storage of the said personal data or no period is stipulated in the relevant legislation for the storage of the said data, the data is deleted, destroyed or anonymized by the data controller in 10-year periods.
2.  In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law titled "General principles" and the measures to be taken within the scope of Article 12 titled "Obligations regarding data security", the provisions of the relevant legislation, We act in accordance with the decisions of the institution and this policy.
3.  All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the COMPANY. These records are kept for at least 10 years, excluding other legal obligations.
4.  Unless a decision to the contrary is taken by the Personal Data Protection Authority, the appropriate method of deleting, destroying or anonymizing personal data is chosen by the COMPANY. 
5. Personal data collected by the COMPANY is stored in various recording media. It is deleted by methods suitable for recording media. The data in the servers are deleted manually and/or by giving the deletion command, and the personal data in the paper environment is deleted using the blackout method. The blackening process is where the personal data on the relevant document is truncated where possible, and in cases where it is not possible, it is rendered invisible to the relevant users by using fixed ink, which cannot be recovered and read with technological solutions.

Office files located on the central server are deleted with the delete command in the operating system of the file or the access rights of the relevant user on the file or the directory where the file is located are removed. Personal data in portable memories, if any, are stored encrypted and deleted with software suitable for these environments. Relevant lines containing personal data are deleted with database commands. While performing the operation, attention is paid to whether the relevant user is also a database administrator.

Destroying personal data is the process of making personal data inaccessible, unrecoverable and reusable by anyone in any way. The COMPANY, the Data Controller, takes all necessary technical and administrative measures regarding the destruction of personal data. In order to destroy personal data, all copies of the data are detected and the systems with the data are physically destroyed by melting, burning or pulverizing optical media and magnetic media. It is ensured that the data is not accessed by processes such as melting, incinerating, pulverizing or passing the optical or magnetic media through a metal grinder. With the command to delete network devices (switch, router, etc.), mobile phones (sim card and fixed memory areas); optical discs, by erasing command and physical destruction methods in fixed memory areas in portable smartphones; Data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, breaking into small pieces and melting. The destruction of personal data in devices that fail or are sent for maintenance is stored by removing the data storage medium, and other defective parts are sent to third institutions such as manufacturers, vendors and service providers. Employees coming from outside for maintenance and repair purposes are prevented from copying their personal data and taking them out of the institution, and necessary measures are taken.

Anonymization means removing or replacing all direct and/or indirect identifiers in a dataset, preventing the person concerned from being identified or being distinguishable within a group/crowd, a fact loss that cannot be associated with the person. The purpose of anonymization is to break the link between the data and the person identified by this data. The data is anonymized by choosing the one that is suitable for the relevant data among the methods such as automatic or non-automatic grouping, derivation, generalization, randomization applied to the records in the data recording system where personal data is kept.

13. Rights of the Relevant Person 

Every contact; to learn whether personal data is processed, to request information if personal data has been processed, to learn the purpose of personal data and whether they are used in accordance with its purpose, to know the third parties in the country or abroad to whom personal data are transferred, to request correction of personal data in case of incomplete or incorrect processing, Requesting the deletion or destruction of personal data, requesting notification that personal data has been transferred to third parties in the country or abroad, Objecting to the emergence of a result against the person by analyzing the processed data only through automatic systems, incurring damage due to unlawful processing of personal data has the right to demand the compensation of the damage in case of damage.

14. Confidentiality of Data Processing

1.  Personal data is subject to data security. Any employee of the COMPANY, its subsidiaries and/or subsidiaries is prevented from accessing this data without authorization and unauthorized persons are strictly prohibited from processing or using this data. The processing of this data by any employee of the COMPANY, its subsidiaries and/or subsidiaries who are not authorized within the framework of the job description, means an unauthorized transaction. Employees of the COMPANY, its subsidiaries and/or subsidiaries can access personal data only if they are authorized to access personal data within their job description.
2.  The employees of the COMPANY, its subsidiaries and/or subsidiaries are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons, or making this data accessible by any other method. The data controller informs its employees about the obligation to protect data confidentiality at the beginning of the job, provides training to their employees and ensures that they receive training.
3.  For the security-protection of property and confidentiality, as well as the control and measurement of service quality, in accordance with the provisions of the Law on Protection of Personal Data No. 6698, kitchen and service background etc. video and audio recordings are made in the environment.
4.  Relevant person is informed that video recording and video inspection is being done by using appropriate tools at the relevant service points of the COMPANY and while communicating with the COMPANY. The person concerned accepts the importance of the video and audio recording and hereby gives express consent to the COMPANY to process its data in this regard. 

15. Data Processing Security

Personal data is protected against unauthorized access, illegal data processing or disclosure, and accidental loss, modification or destruction of data. Whether the data is processed electronically or on paper, it is within the scope of protection. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.

16. Data Protection Control 

The issue of compliance with this Data Protection Policy and relevant data protection laws is regularly checked by authorized persons in the relevant units of the COMPANY. The personal data protection agency can personally audit the compliance of the COMPANY, its subsidiaries and subsidiaries with the provisions of this policy, as permitted by national laws.

•  

When the person concerned submits his requests regarding the implementation of this policy and the Law on Protection of Personal Data to the Data Controller in writing, the Data Controller will do so as soon as possible and within 30 days at the latest, depending on the nature of the request in the application. finalizes the request free of charge. However, if the transaction requires an additional cost, the fees in the tariff determined by the Personal Data Protection Board are charged.