KVKK

POLICY ON PROCESSING OF PERSONAL DATA 

1. Introduction

This Policy on Processing of Personal Data KARALAR PETROL TAR. TUR. NAK. Ve TIC LTD. STI. SENSITIVE PREMIUM RESORT & SPA: in short (“COMPANY”) as the data responsible for the personal data we have in our possession, the Data Protection Law No. 6698 and other legislation in accordance with the processing of personal data has been prepared by the COMPANY to determine the procedures and principles to be applied.

     2. Scope

The personal data of our employees, employee candidates, guests and all real persons who have personal data with the COMPANY for any reason are managed in accordance with the laws of this Policy on Processing of Personal Data.

3. Definitions

Law/PDPL: Protection of Personal Data Law Law No. 6698 dated 24/3/2016.

      Council/Institution: Personal Data Protection Council/ Personal Data Protection Institution

      Personal Data: All information related to a real person whose identity is known or could be identified.

      Relevant Person (Data Owner): The person whose personal data is processed.

      Explicit consent : Consent that is related to a specific issue, based on information and expressed with free will.

      Anonymising personal data: To render data in such a way that it can no longer be associated with an identified or identifiable person, even when the personal data is matched with other data

      Deleting personal data: To delete personal data or to render data in such a way that the personal data is no longer accessible to or reusable for users.

      Destroying personal data: To render personal data in such a way that it is inaccessible, unrecoverable and not reusable by anyone.

      Processing personal data: Any kind of transaction performed on the data such as obtaining, saving, storing, protecting, modifying, editing, describing, transferring, receiving, making available, classifying or blocking the use of the data by way of the data becoming totally or partially included in an automatic recording system.

      Data Operator: A natural or legal person who processes personal data on her/his behalf based on the authorization of the data operator.

      Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

      Data of A Sensitive Nature: Shall mean data relating to race, ethnicity, political views, philosophical belief, religious denomination or other beliefs, clothing and attire, membership in associations, charities or trade unions, health, sex life, convictions, security measures, biometric and genetic data.

      Clarification Obligation: In the process of obtaining personal data, the person in charge of the data or the person authorized by him/herself shall inform the persons concerned; The identity of the data officer and the representative, if any, for which purpose the personal data will be processed, to whom and for what purpose the personal data may be processed, the method and legal reason for the collection of personal data, other rights listed in Article 11 of the Law.

      Sedna: An Automation System which includes Guest data from departments such as Front Office, Accounting, Purchasing, Guest Relations, Human Resources.

      Destruction Policy: The policy on which data operators establish the maximum amount of time required for the purpose for which personal data is processed, and the basis for deletion, destruction and anonymization.

      Recording media: Any medium containing personal data processed automatically, completely or in part, or non-automatically, provided it is a part of a data recording system.

      Company: KARALAR PETROL MAM. TAR. TUR. NAK. Ve TIC LTD. STI.

4. Principles of Processing of Personal Data

4.1 Processing in line with the law and honesty rules: The COMPANY protects the individual rights of the persons involved in the processing of personal data. Personal data is collected and processed in a fair and lawful manner.

4.2 Being processed for specific, explicit and legitimate purposes and being relevant with, limited to and proportionate to the purposes for which they are processed: The COMPANY clearly states the purpose for processing personal data before personal data processing begins. The COMPANY only processes personal data for the purpose of providing better service to the relevant persons. During the acquisition of personal data the relevant person is informed about the data operator and if available the representative of the data operator is also informed; the purpose of personal data processing, and to whom for what purposes the personal data may be transmitted, the method of legal data collection and the legal reason and the rights of the relevant person.

4.3 Storing for no longer than predetermined in the related legislation or the necessity for the purposes of processing: The COMPANY, stores personal data for as long as defined in the relevant legislation or necessary for its purpose. The COMPANY and its subsidiaries shall continue to process and maintain personal data in accordance with the purposes set forth in this policy, as long as personal data are deemed necessary for the purposes for which it is processed and required by regulatory authorities and/ or relevant laws and regulations.

  1. The accuracy and up-to-date nature of personal data: The COMPANY keeps processed personal data accurate, complete and if necessary, up-to-date. When necessary; inaccurate or incomplete data is deleted, corrected, completed or updated.
  2. Privacy and data security: Personal data is subject to data privacy. It is considered confidential at the personal level and necessary technical and administrative measures are taken to ensure the proper level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as to prevent accidental loss, alteration or destruction, and to protect personal data.

5. Scope of Data Processing

Personal data processing is performed in two different ways.

Personal data processed automatically, completely or in part; It covers the following: With the aim of transferring, dissemination or other means of presentation, grouping or merging, blocking, deleting or destroying; the personal data will be obtained, collected, recorded, photographed, video recorded, organized, stored, modified, reinstated, revoked or disclosed from data owner and third parties specified in this policy.

Personal data processed/obtained non-automatically; this refers to any kind of operation carried out on the data such as classification, or prevention of its use; the acquisition by means of non-automated means, registry, storage, retention, modification, reorganization, disclosure, transfer, takeover and retrieval of the data or as part of any data recording system.

5.1 In accordance with the purposes set forth in this policy, during the period of use of the services provided and following the termination of the service relationship, the COMPANY shall be entitled to process the personal information of the data owner.

   5.2 Personal data processing by the COMPANY covers any action taken on the data using non-automated means, provided that it is part of a system that is automated, semi-automatic or automated and without any restrictions.

   5.3 The COMPANY processes the data of the relevant person or the persons under custody of the data owner.

5.4 Also data processing includes the data sharing given by the COMPANY's instructions and/or with the explicit consent of the relevant person and/or third parties and it includes processing of data by the COMPANY and acting on behalf the of relevant person and a third party.

5.5 The explicit consent of the data owner also includes the recording and processing of the activities by the COMPANY, while using various electronic channels (including, but not limited to, the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and purchase). (For example; when using an electronic channel, determining the location of the data owner, identifying and analyzing input data, frequency of product selection and/or other statistical data)

6. Principles of Data Processing

6.1 The data owner acknowledges, in case the contractual relationship is terminated even during the use of the COMPANY's services; the COMPANY is required to process for the following purposes: information of the data owner or information of third parties specified by the data owner.

a) Providing and/or implementing a service for the data owner,

b) Data processing is mandatory for the protection of the legal rights of the COMPANY and/ or third parties,

c) Fulfillment of legal obligations of the COMPANY, 

d) The processing of personal data of the data owner is required, provided that it is directly related to the establishment or performance of a contract between the data owner and the COMPANY,

e) Data processing is mandatory for the establishment, use or protection of a right,

f) Other issues to which the data owner explicitly gives consents,

g) Other issues clearly stipulated in the legislation.

6.2 The explicit consent of the data owner shall mean that the person has accepted the policy and its provisions.

7. Purpose of Data Processing

Third parties that process personal data shared with the consent of the COMPANY and/or the data owner, may process the personal data of data owner or the persons under their custody of the data owner for the following purposes.

a)  Realization of accommodation services as declared, as well as to conduct better and more reliable service to the guest, 

b) Conducting information research and survey evaluations, providing planning, statistics, archiving and custodian services, conducting customer satisfaction studies,

c) It is necessary to check the accommodation history and/or behavior patterns of the data owner in order to optimize and improve the COMPANY services,

d) The COMPANY may be able to offer a new and/or additional service or non-service product,

e) Change the existing conditions of the service provided by the COMPANY,

f) The COMPANY analyzes statistical data, prepares and presents various reports, researches and/ or presentations,

g) In addition to providing security; identifying and/or preventing abuse, other criminal activities,

h) Meeting the complaints, questions and requests of the data owner,

 i) Verification of the identity of the relevant person,

j) Promotion, marketing, special offers and campaign activities for accommodation services,

k) Realization of other purposes as stipulated in national and international laws and regulations.

8. Process, Transfer and Announcement of Personal Data

The COMPANY fulfills the obligations imposed by the relevant legislation and board resolutions regarding the processing, transmission or disclosure of personal data. For the purposes set forth in this policy, including, but not limited to, the personal data of the data owner and third parties concerned; processing, transfer and/or disclose of any information provided by the COMPANY, depending on the content and variety of accommodation services; name and surname of the data owner, personal identification number and/or any original feature on the identity card, registered address and/or resident address, phone /mobile number, e-mail address, employer-related data,

also information on employment conditions (work place, wage, working hours, etc.), the activities of the data owner and/ or the third parties specified by the data owner while using various electronic channels as mentioned above and/or the Internet (including, but not limited to, cookies, etc.), (including, but not limited to, verification of these channels, actions taken, or transaction history), data about the person with whom the person is staying together during the service purchase is used.

8.1 If the data owner (including but not limited to personal data, sensitive personal data, etc.) for the purpose of making use of the services of the COMPANY provides personal data to the COMPANY in third parties (Family members, employers, etc.); the person giving the data to the COMPANY will be responsible for obtaining the consent to process such personal data.

8.2 If the data owner provides the COMPANY (or its authorized personnel) with such information, the data owner is deemed to have given the required explicit consent and the COMPANY is no longer required to obtain such explicit consent.

8.3 In the event that personal and/or sensitive personal data are processed without the explicit consent of the data owner and if a harm arises as a result of such transaction, the COMPANY is liable to cover such loss.

8.4 The explicit consent of the data owner also includes the recording and processing of the activities by the COMPANY while using various electronic channels (including, but not limited to, the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and purchase). (For example, when using an electronic channel, determining the location of the data owner, identifying and analyzing input data, frequency of product selection and/or other statistical data).

8.5 Under the Regulation of Electronic Commerce No. 6563, the COMPANY has the right to send SMS (until the contact has exercised his/her right to reject), voice and/or other marketing messages (direct marketing) to telephone, mobile number, e-mail address and other contact information provided by the data owner

8.6  The data owner, gives the COMPANY the right to share his/her personal data with the COMPANY's subsidiaries and/or shareholders in order to make various marketing offers.

8.7 The advertising/information messages  (e.g. advertising brochures, promotional images, verbal offers, etc.) displayed by the COMPANY’s service points or the contents shown by the COMPANY’s (or its subsidiaries) electronic channels such as the Internet, mobile marketing etc.  will not be concerned as direct marketing. Therefore, the data owner will not have the right to request the termination of the publication and/ or display of such content.

9. Data Processing of Applicants or Employees

9.1 Processing of personal data in order to draw up, execute, maintain and terminate a service contract: Fulfilling the personal rights arising from the service contract and maintaining them continuously, occupational health and safety service to be provided to employees, fulfillment of work permit procedures, evaluation of personal job applications, conducting research and other recruitment processes, performance evaluation and monitoring, for the purposes of training activities, improvement of working conditions, execution of personal development processes such as human resources and fulfillment of training processes, the COMPANY has the right to process the personal information announced by the data owner due to commencement of work, trial period and/or internship.

In the process of applying for employment, the collection of information about the applicant from third parties is carried out in accordance with the provisions of the Personal Data Protection Law No. 6698.

The applicant's explicit consent is required for the processing of personal data related to the business relationship but is not initially part of the performance of the employment contract.

9.2 Conditions for processing of personal data of special nature

Private Personal Data may only be processed with the explicit consent of the relevant person to process private Personal Data. Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorised public institutions and organizations that have confidentiality obligation; for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

10. Data Transfer/Share to/from Third Parties

In order for the COMPANY to provide services to the data owner, this policy is transferred/shared with the data owner and/or the third parties specified by the data owner within the scope of data processing. The data owner gives the COMPANY the rights for the usage of his/her personal data for the following:  All departments, internet, call centers, public institutions and organizations as well as through the parties and suppliers from whom the COMPANY receives services that are complementary or extension of the COMPANY's activities are authorized for the obtaining, storage, preservation, modification, reorganization, disclosure, transfer, transfer to abroad, takeover, making available, classification or use of data completely or partially; automatically or non-automatically provided that it is part of any recording system.

11. Obligation of Data Operator and Data Controller

11.1 In accordance with the provisions of this policy; while the COMPANY processes certain types of personal data, it may act on behalf of the data officer, including the third parties that process the data. For some kind of personal data, the data controller may be processing data for third parties. Accordingly, each of the parties to such relationship (the data operator as well as the data controller) act in accordance with the Law on the Protection of Personal Data. For this reason;

a) Personal data is processed in accordance with the principles in the legislation.

b) The explicit consent is obtained by the data owner and necessary information is provided.

The data officer is obliged to: when the data owner makes a request for information about his or her personal data, and if a complaint or declaration regarding the compliance of the data controller with the requirements of the legislation is received, he/she notifies the data owner as soon as possible and within 30 days at the latest.

Furthermore, if one party represents the data operator and the other person responsible for the data processing, the data operator fulfills the following obligations. The data processor is obliged to;

  1. Processing the data transmitted/ announced by the other parties, in accordance with the extent and scope permitted by the legislation or at the request of a regulatory authority, as defined by the provisions of this policy,
  2. In order to prevent unauthorized processing, loss, destruction, damage of data transmitted/disclosed by the data operator, and to prevent unauthorized changes or disclosures, the data operator informs the technician about the implementation of all reasonable technical and administrative measures and taking all necessary actions.
  3. The COMPANY supervises the measures and practices, implemented by the data operator for the purpose of data security through its authorized personel,
  4. Including the below mentioned, the data operator collaborates and supports the review of a complaint or statement communicated/disclosed by the COMPANY,
  5. Provides to the COMPANY within 7 business days of the request date, detailed information about the complaint and declaration status, including data about the person (including electronic data), communicated/disclosed to the data controller by the data operator,
  6. The data operator prevents data transfer to a country and/or international organization that is not part of the European Economic Area and is not on the list of countries that are adequate for the protection of personal data, and where there is no consent of the person  and the permission of the Personal Data Protection Board.
  7.  Without the prior written consent of the COMPANY; the data operator does not transfer/ disclose data to third parties,
  8.  Even in cases where the COMPANY has explicit written consent in advance; the data processor is obliged to transfer/disclose the data in accordance with a written agreement. In such written agreement, the third party and its subcontractors are obliged to take all necessary technical and administrative measures to prevent unauthorized processing, loss, destruction, damage, unauthorized alteration or disclosure of the data.
  9. Take full action regarding the compensation of any loss or damage suffered by the COMPANY due to the failure of the data operator (in accordance with the policy and legislation); against any damages/losses (including but not limited to consequential damages) that may be incurred by the COMPANY as a result of the breach of the data operator, as well as complaints, expenses (including, but not limited to, the expenses incurred by the COMPANY using its legal rights), legal processes and for other obligations, the data operator gives explicit consent to the settlement of damages and compensation and comes to terms with the data controller.
  10.  Unless otherwise specified in the contract between the COMPANY and the data operator, after the termination of the contractual relationship between the COMPANY and the data operator, the data operator is obliged to return any data (including personal data) transferred/disclosed from the COMPANY.

 

12. Data Update, Data Processing, Retention Period and Data Destruction

12.1 Data processing continues to operate during and after the use of the COMPANY's services for the purposes set forth in this policy, in compliance with the COMPANY's objectives and interests, the demands of supervisory/regulatory authorities and/or legislation.

12.2 The processing of the data transmitted during the use of the person's electronic channels (web browser, web site, internet, mobile applications and/or other electronic data transfer tools) continues even after the person has deleted the data from the relevant electronic channels.

12.3 Upon the request of the data owner, information regarding personal data held in the COMPANY is provided within the scope of the legislation.

  1.  In case the person's own data held in the COMPANY is incomplete or incorrect; upon the written notification to the COMPANY, the missing and incorrect data is completed and corrected.

12.5 Personal data are kept for the period required for the purpose for which they are processed or foreseen in the relevant legislation and in any case for 15 years. In the event that the reasons that require processing are eliminated and the retention period of the COMPANY expires, although processed in accordance with the provisions of the legislation, the personal data are deleted, destroyed or anonymized by the data operator either spontaneously or upon the request of the data owner.

  1.  The determination of the storage and destruction periods of personal data is carried out using the following criteria:

a) The determination of the exceptions which are stipulated in Articles 5 and 6 of the Law, can be evaluated within the scope of the data storage,

Access authorization and control matrix system is used.

For each personal data, data owners are identified; the authorization and methods of access, retrieval and reuse are determined. In case of termination of employment or change of position and similar situations, access, recovery, re-use authorization of personal data are updated, closed and eliminated.

  1.  In the event that the foreseen period in the legislation for the storage of such personal data expires or if no period is stipulated in the relevant legislation for the storage of such data, the data shall be deleted, destroyed or anonymized by the data operator in 10-year periods.
  2.  In the deletion, destruction and anonymization of personal data, the principles specified in Article 4 “General Principles”  of the Law and the measures to be taken within the scope of Article 12 “Obligations regarding data security”, are subject to the provisions of the relevant legislation; the decisions of the institution and this policy are followed.
  3.  All transactions regarding the deletion, destruction, anonymization of personal data are recorded by the COMPANY. These records are kept for at least 10 years except for other legal obligations.
  4.  Unless otherwise decided by the Personal Data Protection Authority, the appropriate method of deleting, destroying or anonymizing personal data is selected by the COMPANY.

12.10 The personal data collected by the COMPANY are stored in various recording media. The recorded media are deleted by appropriate methods. The data on the servers is deleted by the command to delete and/or manually, and the personal data on the media is deleted using the dimming method. The dimming method is used to cut off personal data on the relevant document, where possible; and to make it invisible to the data owners using marking ink, which is irreversible and impossible to read with technological solutions. The office files on the central server are deleted by the ‘delete’ command in the operating system of the file, or the access rights of the data owner are removed from the file or from the directory where the file is located. If available, the personal data stored in the memory stick is encrypted and deleted with the appropriate software. The relevant lines containing personal data are deleted by database commands. When the transaction is performed, attention is paid to whether the data owner is also the database administrator.

Destruction of personal data is the process by which personal data cannot be accessed, retrieved or reused by anyone in any way. The COMPANY and the data operator, takes all necessary technical and administrative measures to destroy personal data. For the destruction of personal data, all copies of the data are detected and the systems in which the data is located are physically destroyed, such as melting, incineration or pulverization of the optical media and magnetic media. Data is prevented from being accessed, through processes such as melting, incineration, pulverization or grinding a optical or magnetic media. Network devices (switches, routers, etc.) with the command to delete mobile phones (sim card and fixed memory areas); fixed memory areas in portable smartphones are destroyed by deletion command and physical destruction methods. Optical discs; data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, shredding and melting. The destruction of the personal data in the devices that are defective or sent for maintenance is kept by removing the data storage medium. Other defective parts are sent to the third institutions such as manufacturer, seller and service. Personnel coming from outside for maintenance and repair purposes are prevented from copying personal data outside the institution; necessary measures are taken.

The anonymisation is that by removing or changing all direct and/or indirect identifiers in a data set, the identity of the person concerned is prevented from being identified or loses its distinguishability in a group/crowd so that it cannot be associated with a real person. The purpose of anonymizing is to break the link between the data and the person whom this data identifies. The data is anonymized by selecting one of the tie breaks, performed by methods such as automatic or non-automatic grouping, derivation, generalization, randomization applied to the records in the data recording system where personal data is kept.

13. Rights of Data Owners

The owners of the personal data have the following rights; learning about whether the personal data is processed or not, requesting information regarding processing of the personal data if the personal data is processed, learning about the purpose of processing the personal data and whether the personal data is used in accordance to its purposes or not, learning about the third persons to whom the personal data is transferred domestically and internationally, requesting the correction of the personal data in the event that the personal data is processed incompletely or wrongly, requesting the notification of the procedure conducted in this scope to the third persons to whom the personal data is transferred, objecting to the emergence of an outcome which is against the individual by analyzing the processed data exclusively through the automated systems, requesting elimination of the losses in the event that losses are incurred due to processing of the personal data against the law.

14. Confidentiality of Data Processing

  1.  Personal data is subject to data security. Any employee of the COMPANY’s affiliations and/or its subsidiaries is prevented from accessing unauthorized data, and unauthorized persons are strictly prohibited from processing or using this data. Any unauthorized employee of the COMPANY’s affiliations  and/or its subsidiaries who is not authorized to process this data within the scope of the terms of reference, means it is an unauthorized processing of the data. Employees of the COMPANY’s affiliations  and/or its subsidiaries may have access to personal data only if they have access to personal data within the terms of reference.
  2.  Employees of the COMPANY’s affiliations and/or subsidiaries are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons, or making it accessible with other methods. The data controller informs the employees about the obligation to protect the data confidentiality during the start-up phase, gives education and provides training to his/her employees.
  3. For the protection of property and confidentiality of privacy, as well as the control and measurement of service quality, video and audio recordings are made around the buildings and workplaces and in the entrances, kitchen and service backgrounds and similar environments, in accordance with the provisions of Protection of Personal Data Law No. 6698.

14.4 The relevant person is informed that video recording and video inspection is carried out by using the appropriate tools at the COMPANY's relevant service points and when communicating with the COMPANY. The person acknowledges the importance of video and audio recording and hereby expressly gives the COMPANY explicit consent to the processing of its data in this respect.

15. Data Processing Security

Personal data is protected from unauthorized access, illegal data processing or disclosure, and accidental loss, modification or destruction of data. The data is protected, whether processed electronically or on paper. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.

16. Data Protection Control

In compliance with this Data Protection Policy and applicable data protection laws, data is regularly checked by authorized persons in the relevant departments of the COMPANY. The Personal Data Protection Institution may, as permitted by national law, personally monitor the compliance of the COMPANY, its subsidiaries and affiliations with the provisions of this policy.

17. Contact

When the relevant person submits his/her requests regarding the application of this policy and the Law on Protection of Personal Data to the Data Operator in writing, the Data Operator concludes the request free of charge as soon as possible and within 30 days at the latest according to the nature of the request. However, if the transaction requires additional costs, the fees in the tariff are charged, which is set by the Personal Data Protection Board.

GUEST CLARIFICATION TEXT

Dear Sensitive Premium Resort & SPA Guest;

As Sensitive Premium Resort & SPA Hotel; we respect and attach importance to the privacy of our guests' private lives. For this reason, in order to protect fundamental rights and freedoms in the use of personal data, we would like to give information about the current Personal Data Protection Law (PDPL) No. 6698.

Our guests provide us their personal data, sensitive personal data, family and relatives data (name, surname, date of birth, mobile phone number, e-mail, gender, address, occupation, education, marital status, license plate, identification information, accommodation, expenditure information, invoice information, health data, food allergy, photo; name, surname and e-mail address of relatives who can be reached in case of emergency, guest product information, guest arrival and departure dates, agency/ company information) over reception of our hotel, channels such as website and call center; in verbal, written, or electronic media.

In order to offer you the best service by customizing the products and services offered by our hotel according to your taste, usage habits and needs; we process your personal data that you have shared with us.

For the purposes of booking, computing, advertising, marketing, promotion, business development, security, special offers, campaign notification, surveys, customer satisfaction surveys, as well as business partners, suppliers (officials or employees), we  always keep your data secure; we use the transfer and sharing with our shareholders, publicly authorized institutions and private individuals by taking necessary measures for the purpose of providing our services and fulfilling our legal obligations. We do not share your data, other than the mentioned above.

You can learn the purpose of your personal data usage, with the related organizations and their purpose of sharing data, by contacting us at any time.

You may request the correction of your used information if it is incomplete or incorrectly recorded, provided that the stipulated conditions are met by the law.

In order to take advantage of your rights under the law, for detailed information you can send your request to our hotel in writing; also you can check the link www.sensitivepremium.com/en/kvkk and the Law on Protection of Personal Data No. 6698.

With Regards;

 

Sensitive Premium Resort & SPA

KARALAR PETROL MAM. TAR. TUR. NAK. ve TIC LTD. STI.

Tel  : +90 (242) 731 07 00

Fax : +90 (242) 731 07 03

www.sensitivepremium.com