Corparate

Personal Data Protection Law

PROTECTION OF PERSONAL DATA

AND 

PROCESSING POLICY

FIRST PART

Purpose, Scope and Definitions

 

  1. AIM

 

In Article 20 of the Constitution of the Republic of Turkey; It has been stated that everyone has the right to demand respect for their private and family life, and that the confidentiality of their private and family life cannot be violated. With the Personal Data Protection Law No. 6698 (KVKK), which was enacted to protect the privacy of private life guaranteed by the Constitution, the general framework has been drawn and the rights, powers and responsibilities have been determined.

Sehri Nuh Otelcilik San. And Trade. As AS company, the purpose of this policy is to ensure that personal and private information is secured by the Constitution and KVKK; To ensure information security of employees, partners, candidate employees, solution partner employees, customers, dealers, candidate dealers, visitors and real persons who share their information with our company in any way and to ensure that they are enlightened about using their rights.

1.2.SCOPE AND APPLICATION

 

Processing, storing, protecting, sharing, transferring, anonymizing, destroying and exercising the rights of personal data of real persons who work with our company, partners, candidate employees, solution partner employees, customers, dealers, candidate dealers, visitors and who share their information with our company in any way. All processes related to its use are within the scope of this policy. Sehri Nuh Otelcilik San. And Trade. If it wishes, AS may determine separate processes and policies for its own employees, provided that they adhere to the standards permitted by law.

In case of incompatibility between the current legislation provisions and the company policy, the legislative provisions will be applied first.

1.3.DEFINITIONS

Constitution: Constitution of the Republic of Turkey No. 2709,

KVKK: Personal Data Protection Law No. 6698,

Explicit consent: Consent regarding a specific subject, based on informed consent and expressed with free will.

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,

President: President of the Personal Data Protection Authority,

Personal data owner: The real person whose personal data is processed,

Personal data: Any information regarding an identified or identifiable natural person,

Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system,

Any operation performed on data such as acquiring, making available, classifying or preventing its use,

Board: Personal Data Protection Board,

Institution: Personal Data Protection Authority,

Data processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,

Data recording system: The recording system in which personal data is structured and processed according to certain criteria,

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system,

Seh-i Nuh Hotel: Sehri Nuh Otelcilik Sanayi ve Ticaret Anonim Sirketi,

Refers to legal entity.

SECOND PART

Processing of Personal Data

 

  1. PRINCIPLES TO BE APPLIED IN THE PROCESSING OF PERSONAL DATA

 

After stating that personal data can be processed in accordance with the procedures and principles set forth in this Law and other laws in Article 4 of the KVKK, it has made it mandatory to comply with the principles listed below. Our company shows utmost care and attention to comply with these principles.

2.1.1. Transaction in accordance with the Law and the Rules of Honesty,

 

In the processing of personal data and special personal data, it has been adopted as a basic principle by our company to act in accordance with the rules of accuracy and honesty within the framework of the rules determined by the legislation. In this context, all necessary precautions for the processing of data have been taken and continue to be taken.

2.1.2. Being Accurate and Up to Date When Necessary,

 

Personal data is generally provided with the information and documents provided by the personal data owner. For this reason, the information and documents provided by the data owner mostly reflect the truth. It is ensured that any of this information and documents that are clearly found to be erroneous or incorrect are corrected. In addition, the necessary information is obtained from the data owner to confirm the accuracy of personal data reaching the company through third parties and to keep it up to date.

2.1.3. Processing for Specific, Clear and Legitimate Purposes,

Our company processes personal data for lawful purposes determined by the legislation. The purpose of data processing is determined clearly and precisely in advance.

2.1.4. Being Concerned with the Purpose for which they are Processed, Being Nervous and Restrained,

Our company processes personal data in connection with and limited to its commercial activities, to the extent required by the interests of itself and the data owner.

2.1.5. Preservation for the Necessary Period,

Our company retains personal data for a limited period of time stipulated by the legislation. If any period of time is stipulated in the legislation for the preservation of personal data, this period is binding for our company and it is not kept for a longer period of time. If no period is stipulated in the legislation, they are stored for the period necessary for the purpose for which they are processed. Even if no period is specified for personal data, the data whose purpose of processing has ceased to exist is deleted by our company or anonymized as required by law.

 

3.1. CONDITIONS FOR PROCESSING PERSONAL DATA

 

The general framework of the processing conditions of personal data is drawn in Article 5 and Article 6 of KVKK No. 6698. Our company processes personal data in accordance with these terms and purposes.

  1. If it is clearly provided for in the law,
  2. It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility and whose consent is not legally valid,
  3. It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract,
  4. It is mandatory for the data controller to fulfill its legal obligations,
  5. Personal data has been made public by the relevant person,
  6. Data processing is mandatory for the establishment, exercise or protection of a right,
  7. It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person,
  8. Personal data other than health and sexual life may be processed without the consent of the relevant person in cases stipulated by law,
  9. Personal data regarding health and sexual life can only be used with the express consent of the person concerned or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and financing. It can be processed without any need.

 

 

 

4.1. PROCESSING OF SPECIAL PERSONAL DATA

 

According to Article 6 of KVKK No. 6698, special personal data; “data regarding people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.” It is defined as .

Since it is highly likely that the above-mentioned special personal data will cause victimization to individuals if processed unlawfully, the sensitivity shown by the legislator in processing these data is taken into consideration with great care by our company. For this reason, special personal data are processed in the following cases, provided that adequate measures determined by the KVK Board are taken.

  1. Personal data may be processed in cases where there is explicit consent of the owner.
  2. Even if there is no explicit consent of the personal data owner, special personal data may be processed in the following cases.

              a. Personal data other than health and sexual life, in cases stipulated by law,

              b. Personal data regarding health and sexual life can only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons or authorized institutions under the obligation of confidentiality, without seeking the express consent of the person concerned.

5.1. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA

 

  1. Deletion, Destruction and Anonymization Techniques of Personal Data

    In case the conditions for processing personal data specified in Articles 5 and 6 of the Law and processed by the company are eliminated, the company may, ex officio, based on its own decision or upon the request of the relevant person, Deletion of Personal Data, None. may delete or destroy personal data in accordance with the provisions of the Regulation on Deletion or Anonymization. Sehri Nuh Otelcilik San. And Trade. The deletion and destruction techniques applied by AS are generally as follows. Physical destruction: Personal data processed by the company is physically destroyed when the purpose is achieved or upon the request of the data owner. The destruction process is carried out by tearing and/or burning the printed documents in such a way that it is not clear to whom the data belongs. Electronic data (CD, DVD, USB, Floppy Disk, PC, etc.) are irreversibly deleted and destroyed on the system. If a technical expert is needed to destroy personal data, Sehri Nuh Otelcilik San. And Trade. AS may also delete personal data through an expert.

a. Destruction by mixing method: Personal data is destroyed by mixing it with other personal data of the same nature so that it cannot be determined who it belongs to.

b. Destruction by masking method: It is the removal of the distinctive elements of personal data from the information, making it impossible to understand who the personal data belongs to.

c. Destruction by derivation method: It is the making of personal data so that it is not possible to understand who it belongs to by adding new data.

 

6.1. TRANSFER OF PERSONAL DATA

 

In accordance with Article 8 of the Law, personal data cannot be transferred without the express consent of the relevant person. However, if one of the conditions specified in the second paragraph of Article 5 of the Law is met, provided that adequate measures are taken, and in the third paragraph of Article 6, it may be transferred without the consent of the relevant person. The provisions of other laws regarding the transfer of personal data are reserved.

6.1.1. Transfer of personal data abroad

 

In accordance with Article 9 of the Law, personal data cannot be transferred abroad without the express consent of the person concerned. Personal data is subject to the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 and in the foreign country to which the personal data will be transferred; It can be transferred abroad without seeking the express consent of the relevant person, provided that there is sufficient protection, or if there is not sufficient protection, the data controllers in Turkey and the relevant foreign country undertake to provide adequate protection in writing and the Authority has permission.

 

 

THIRD PART

RIGHTS AND OBLIGATIONS

 

  1. RIGHTS OF THE PERSONAL DATA OWNER AND OBLIGATIONS OF THE DATA CONTROLLER

 

Articles 10, 11 and 12 of KVKK No. 6998 list the rights of the personal data owner and the obligation of the data controller regarding information and data security.

7.1.1. Data controller's obligation to inform

 

Sehri Nuh Otelcilik San. And Trade. The following explanations will be made to the data owner through the person authorized by AS during the acquisition of personal data.

a. Identity of the data controller and his representative, if any,

b. For what purposes personal data will be processed,

c. To whom and for what purpose the processed personal data can be transferred,

D. Method and legal reason for collecting personal data,

D. Other rights listed in Article 11,

 

7.1.2. Rights of the data owner

 

In accordance with Article 11 of the Law, the rights of the data owner are listed below.

 

a. Learning whether personal data is being processed or not,

b. Requesting information regarding personal data if they have been processed,

c. Learning the purpose of processing personal data and whether they are used for their intended purpose,

D. Knowing the third parties to whom personal data is transferred domestically or abroad,

to. Requesting correction of personal data if they are incomplete or incorrectly processed,

f. Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,

g. To request that the transactions made in accordance with paragraphs (d) and (e) of the first paragraph of Article 11 be notified to third parties to whom personal data are transferred,

h. Objecting to the emergence of a result that is unfavorable to the individual by analyzing the processed data exclusively through automatic systems,

I. Requesting compensation for the damage in case of damage due to personal data being processed unlawfully,

7.1.3.Right to apply to the data controller

 

The data owner may submit his requests regarding the implementation of KVKK to our company in writing or by any method determined by the Board. After our company determines that the application is in accordance with the procedure, it finalizes it as soon as possible depending on the nature of the request, but in any case within thirty (30) days. If the transaction does not require any additional costs, it is completed free of charge. In case of a situation requiring a fee, a fee will be charged according to the tariff determined by the Board.

Our company may answer the request by accepting it or reject it by explaining the reason. Acceptance or rejection status is notified to the applicant in writing or electronically. In cases where a fee is charged, if it is understood that the application is due to our company's error, the fee collected will be refunded to the applicant.

7.1.4.The applicant's right to complain

 

If the application made to our company is rejected, the response given is not satisfactory, or the response cannot be given within the maximum time specified by the Law; The applicant may file a complaint with the Board within thirty (30) days from the date on which the data controller learns the answer or the maximum period expires, and in any case within sixty (60) days from the date of application.

8.1. OTHER MATTERS

 

If there is a conflict between the provisions of this data policy prepared by our company and the decisions to be taken by the KVKK and/or the Board, or if there is no provision in the data policy, the decisions of the KVKK and/or the Board will be applied first.

If any article of this data policy provisions is invalid, the other articles will remain valid.