PERSONAL DATA PROCESSING AND PROTECTION POLICY
According to Article 20th, paragraph 3 of the Constitution of the Republic of Turkey, "Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning the person, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may be processed only in cases stipulated by law or with the explicit consent of the person..."
The right to protection of personal data as a fundamental human right is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
Article 4 of the Personal Data Protection Law (PDPL) lists the basic principles that must be observed for the processing of personal data. These principles are taken into consideration and meticulously applied within the scope of all personal data processing activities carried out by AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ (COMPANY). The basic principles followed by the COMPANY in data processing processes are as follows-
Processing in Compliance with the Law and the Rule of Honesty: The COMPANY acts in accordance with the general principles of law and the rule of honesty while fulfilling its obligation to process and protect personal data.
Accurate and Up-to-date Processing of Personal Data: The COMPANY is aware that providing accurate and up-to-date information about individuals is of great importance for the protection of individuals' rights. It takes the utmost care to ensure that the personal data being processed is accurate and up-to-date.
Personal Data Processing for Specific, Explicit and Legitimate Purposes: PDPL requires data processing activities to be processed for specific, explicit and legitimate purposes. Within the framework of this principle, the COMPANY carries out personal data processing activities for specific, explicit and legitimate purposes required by its activities.
Processing in Connection, Limited and Proportionate to the Purpose for which they are Processed: The COMPANY processes personal data within the limits sufficient to fulfill the purposes determined within the scope of its activities. The COMPANY acts in accordance with the principle of limitation and proportionality by refraining from processing personal data that is not needed.
Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which it is Processed: Personal data processed by the COMPANY are retained for the period until the personal data processing conditions are eliminated. When such purposes cease to exist, the COMPANY will terminate the retention of the relevant personal data. The COMPANY transparently informs all relevant parties about all data processing processes with the necessary documents.
INTRODUCTION
Law No. 6698 on the Protection of Personal Data was published in the Official Gazette dated 7 April 2016 in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to regulate the obligations of real and legal persons who process personal data and the procedures and principles to be followed.
- Purpose
The Policy on Processing and Protection of Personal Data (Policy) has been prepared by AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ (COMPANY) with the aim of disciplining the processing of personal data to be processed during the activities carried out in accordance with the legislation and protecting the fundamental rights and freedoms, especially the privacy of private life stipulated in the Constitution.
While preparing this Policy, it has been determined as a basic principle to determine which data and why the working units within the COMPANY organization collect and why they transfer this data to third parties and to understand the COMPANY's personal data processing procedure. In addition, this Policy aims to determine the administrative and technical measures to be taken to protect data confidentiality within and outside the organization of the COMPANY, to explain these measures and to inform and enlighten the individuals whose data are processed.
- Scope
This Policy covers all natural persons whose data are processed directly or indirectly due to the activities of the COMPANY.
Within the scope of this Policy, customized information about the data processed within the framework of the transactions and activities within the organization of the COMPANY, data categorization, data recipient groups, legal reason and method of data collection, third party groups to which data is transferred, data processing periods, data destruction periods are included.
3. Definitions
Company: located at 'Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA' AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN A.Ş.
Explicit Consent: It refers to the consent regarding a specific subject, based on information and expressed with free will.
Cookie: These are small files saved on users' computers or mobile devices that help store preferences and other information about the web pages they visit.
Related User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.
Destruction: Deletion, destruction or anonymization of personal data.
Contact Person: The real person notified by the data controller at the time of registration to the Registry for communication with the Authority regarding the obligations of legal persons resident in Turkey and non-resident legal person data controller representative within the scope of PDPL and secondary regulations to be issued based on this PDPL.
(The contact person is not authorized to represent the Data Controller. As the name suggests, it is only the person assigned to ensure the communication "liaison" between the data controller and the relevant persons and the Authority).
PDPL: Personal Data Protection Law dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.
Recording Medium: Any medium in which personal data processed by fully or partially automatic means or by non-automatic means, provided that it is part of any data recording system.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing of Personal Data: All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data: Making personal data inaccessible and non-reusable in any way for the Relevant Users.
Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.
Board: Personal Data Protection Board.
Institution: Personal Data Protection Authority.
Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction: The process of deletion, destruction or anonymization to be performed ex officio at recurring intervals specified in Personal Data Storage and Destruction Policy in the event that all of the conditions required for the processing of personal data disappear.
Policy: Personal Data Processing and Protection Policy created by the Data Controller.
VERBIS: It is a registration system that natural and legal persons who process personal data must register before they start processing personal data and enter information on a categorical basis about the personal data they process.
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Recording System: Recording system where personal data is structured and processed according to certain criteria.
Data Subject/Related Person: The natural person whose personal data is processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
4. Responsibility
All units and employees of the COMPANY are responsible for actively supporting the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, by properly implementing the technical and administrative measures taken by the responsible units within the scope of this Policy, training and raising awareness of unit employees, monitoring and continuous auditing.
- Policy Flow
- COMPANY PDPL Structure
The data controller in terms of personal data processing activities covered by this Policy is AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ.
Within the framework of the PDPL compliance program, our COMPANY has organized a separate organization for the protection of personal data processes in order to guarantee the continuity of compliance with the PDPL, and has carried out appropriate work and transactions and provided the necessary equipment. Within this framework, a "PDPL Commission" has been established within our COMPANY and a Liaison Person has been assigned.
-
-
- Personal Data Protection Law Commission
-
A PDPL Commission has been established within our COMPANY to demonstrate our commitment to ensure sustainable compliance with personal data protection legislation and to ensure the effectiveness of our personal data protection system. The PDPL Commission chairperson and PDPL Commission members are appointed by the Board of Directors and carry out their duties.
-
-
- Contact Person
-
In order to fulfill the obligation to appoint a contact person stipulated by the legislation, a contact person who has received the necessary training and has the required competence in PDPL has been appointed. The main responsibility of the contact person is to ensure the communication of the data controller with the Board and the relevant persons as stipulated by the legislation, and the contact person does not have the authority to represent the data controller. The contact person will also work to ensure that the PDPL Commission fulfills its duties and responsibilities. The Contact Person is a natural member of the PDPL Commission within our organization and calls the PDPL Commission to a meeting when needed.
-
- Purposes of Processing Your Personal Data, Collection Methods and Legal Reasons of Your Personal Data We Process
-
-
- Processing Purposes
-
Your personal data will be used in compliance with the limits stipulated in PDPL and to fulfill the purposes indicated in the legislation related to the COMPANY.
The processing purposes are;
- Fulfilling the obligations regarding all activities and audits stipulated in the Personal Data Protection Law No. 6698, the Turkish Code of Obligations No. 6098, the Identity Reporting Law No. 1774, the Information Acquisition Law No. 4982, the Labor Law No. 4857 and similar laws,
- Establishment of rights arising from all activities to be carried out within the scope of the above-mentioned legislation,
- Carrying out the necessary work by the relevant units for you to benefit from the services offered by our COMPANY,
- Contacting you for the purpose of promoting our COMPANY and its activities through your communication channels you have shared with us,
- Recruitment of personnel in the areas required by the COMPANY, fulfillment of rights and obligations within the scope of the legislation regulating business life, especially Labor Law No. 4857, Occupational Health and Safety Law No. 6331 and Social Security and General Health Insurance Law No. 5510,
- Paying salaries, providing allowances, realizing revolving fund payments etc. activities related to the personnel,
- Correspondence within the COMPANY,
- Providing information-documents to authorized public, institutions and organizations and judicial authorities within the conditions specified in the laws,
- Ensuring the functionality of the organization and event (seminars, conferences, meetings, trainings, symposiums, etc.) management processes in the COMPANY and announcing them to the public, ensuring the continuity of the website and social media accounts with up-to-date data in order to ensure the public awareness of the COMPANY and to keep it up-to-date, managing the promotion and advertising processes,
- Keeping an archive in accordance with the procedures specified in the legislation in order to carry out storage and archive activities and to create annual unit activity reports,
- Creation and follow-up of visitor records,
- Ensuring building, personnel and visitor security,
- The data can be anonymized and used in statistical activities for research purposes,
- Receiving and responding to interested person applications to be made within the scope of PDPL.
-
-
- Personal Data We Process
-
You can access VERBIS, which contains the personal data we process on the basis of data categories; Data Controller Information Inquiry from VERBIS (kvkk.gov.tr).
Identity Information: Data that clearly belong to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; containing information about the identity of the person; documents such as driver's license, identity card and passport containing information such as name-surname, TR identity number, nationality information, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, SSI number, signature information, vehicle license plate etc.
Contact Information: Information such as telephone number, address, e-mail address, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.
Location Data: Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; information that determines the location of the Personal Data Owner within the framework of the operations carried out by the business units of the COMPANY, during the use of the products and services of the group companies or while using the COMPANY vehicles of the employees of the institutions with which it cooperates; GPS location, travel data etc.
Personal Information: All kinds of personal data that clearly belong to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; processed to obtain information that will be the basis for the formation of the personal rights of natural persons who are in a working relationship with the COMPANY.
Legal Transaction Information: Data processed within the scope of the COMPANY's legal obligations with the determination and follow-up of its legal receivables and rights and the performance of its debts.
Customer Transaction Information: Call center records, invoice, promissory note, check information, information in box office receipts, order information, request information etc.
Physical Space Security Information: Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings and records taken at the security point etc.
Transaction Security Information: Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the COMPANY while carrying out the activities of the COMPANY.
Risk Management: Information processed to manage commercial, technical, administrative risks etc.
Financial Information: Personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the COMPANY with the Personal Data Owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information.
Vocational Experience Information: Diploma information, courses attended, vocational training information, certificates, transcript information etc.
Marketing Information: Shopping history information, survey, cookie records, information obtained through campaign work etc.
Visual/Audio-Visual Information: Data contained in documents that clearly belong to an identified or identifiable natural person; photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), audio recordings and documents that are copies of documents containing personal data.
Information on Philosophical Belief, Religion, Sect and Other Beliefs: Information on other beliefs, information on religious affiliation, information on philosophical belief, information on sectarian affiliation etc.
Health Information: Information on disability status, blood type information, personal health information, device and prosthesis information etc.
Information on criminal convictions and security measures: Information on criminal convictions, information on security measures etc.
Request/Complaint Management Information: Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data regarding the receipt and evaluation of any request or complaint addressed to the COMPANY.
Other Information: Data types to be specified by the user etc
-
-
- Methods of Collecting Your Personal Data
-
Your personal data, member registration form, registration/application forms filled out over the internet, receipt and expenditure documents, video and audio recording devices used in events, security camera records and the COMPANY's official e-mail addresses info@aydinbeyhotels.com.tr and sales@aydinbeyhotels.com.tr, any e-mail address of the COMPANY using the @aydinbeyhotels.com.tr extension, aydinunlueras@hs03.kep.tr KEP address or fax address 0332 248 09 68 are collected through the aforementioned communication channels.
Personal data is also collected by physically sending documents, physically filling in a document provided by the COMPANY, calling the telephone lines belonging to the company or other internal numbers belonging to the COMPANY.
Your personal data is also collected automatically through cookies used in www.aydinbeyhotels.com address and extensions, mobile hotel information applications. These cookies are only necessary for the visitor to use the site with full efficiency and are used to remember the visitor's preferences and do not provide any other personal data. Cookie Policy is available at www.aydinbeyhotels.com.
-
-
- Legal Grounds for Personal Data Processing
-
PDPL lists the conditions for processing personal data in the 2nd paragraph of the 5th article. If the purposes of processing personal data by a data controller can be assessed within the framework of the personal data processing conditions listed in the PDPL, that data controller may process personal data lawfully. In this context, personal data processing activities are carried out by the COMPANY in cases where the COMPANY activity can be evaluated within the scope of the personal data processing conditions regulated in the PDPL. The COMPANY does not engage in any personal data processing activities that do not fall within the scope of personal data processing conditions.
The personal data processing conditions in the PDPL are as follows;
- Explicit consent of the person concerned,
- That it is clearly stipulated in the laws,
- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
- It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the conclusion or performance of a contract,
- It is mandatory for the data controller to fulfill its legal obligation,
- It has been made public by the data subject himself/herself,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
The basic processing condition for Special categories of personal data is explicit consent and the COMPANY does not intend to process special categories of personal data. However, your sensitive personal data that we need to process due to our activities or that you have given your explicit consent are also processed in a measured manner within the scope of the legislation.
The conditions listed in PDPL for the processing of special categories of personal data are as follows;
- Explicit consent of the person to be concerned,
- It is clearly required by law,
- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, himself/herself or someone else,
- It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
- It is mandatory for the establishment, exercise or protection of a right,
- It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorized institutions and organizations,
- It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
- It is possible for foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; if they are intended for their current or former members and members or persons who are in regular contact with these organizations and formations.
There may be one or more personal data processing conditions that make a personal data processing activity lawful at the same time.
In order to realize our aforementioned purposes, it is necessary to process your data mentioned above. When transferring identity information to our Company, data that are not actually within our processing purposes may also be transferred to us. Within the scope of administrative and technical measures, we delete and/or anonymize such data at the end of the periods stipulated in the legislation.
-
- Transfer of Personal Data
Domestic transfer: As it is known, pursuant to Article 8/2-a and b of PDPL, it is possible to transfer personal data domestically without obtaining explicit consent if the personal data is processed within the scope of Articles 5/2 and 6/3 of PDPL. Transfers are made by the COMPANY to third parties in accordance with the relevant provisions, and in the event that it is not within the scope of the said provisions, the explicit consent of the relevant persons is applied.
Transfer abroad: It is possible that the data and documents processed by the COMPANY are kept on computers located outside the COMPANY, e-mails are sent and records are accessed from such computers, the systems where these data are kept and transferred and/or the databases of e-mail providers are located abroad. In addition, it may be necessary to transfer personal data abroad, especially in international organizations, event arrangements, hotel accommodations, obtaining visas, obtaining airline tickets, conducting and planning events abroad. In this case, the transfer shall be made in accordance with the provisions of Article 9 of the PDPL.
Your personal data is shared with authorized public institutions and organizations, judicial authorities, enforcement authorities, law enforcement authorities, law enforcement units and suppliers, business partners and shareholders from whom contracted products and or services are purchased for the purposes and by the means shown in this Policy. Below is the table showing the shared parties-
Persons to whom data can be transferred |
Description |
Purpose |
Business Partner |
Parties with whom the COMPANY establishes business partnerships while conducting its commercial activities |
Sharing of personal data limited to the purpose of ensuring the fulfillment of the purposes for which the business partnership was established |
Shareholders
|
Shareholders who are authorized to design the strategies and audit activities regarding the commercial activities of the COMPANY in accordance with the provisions of the relevant legislation |
Sharing of personal data limited to the design of strategies regarding the commercial activities of the COMPANY and for audit purposes |
COMPANY Authorities |
Board members and other authorized persons |
Sharing of personal data limited to the design of strategies regarding the commercial activities of the COMPANY, ensuring its management at the highest level and for audit purposes |
Legally Authorized Private Law Persons |
Private law persons legally authorized to obtain information and documents from the COMPANY |
Sharing data limited to the purpose requested by the relevant private law persons within their legal authority |
Legally Authorized Public Institutions and Organizations |
Public institutions and organizations legally authorized to receive information and documents from the COMPANY |
Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations |
No data transfer is made that does not concern the purposes of the COMPANY. For example; even if we have obtained it with your consent, your IP address information or your vehicle license plate information is not shared with any 3rd party, including the persons and organizations shown above. The exception to this determination is when the transfer of the data in question is required by legislation, or is mandatory for a criminal investigation, or is requested by an official authority based on legislation and with justification.
-
- Rights of the Relevant Person
You have the following rights under Article 11 titled "Rights of the data subject" of the Law No. 6698 on the Protection of Personal Data;
- Learning whether your personal data are processed,
- Request information if your personal data has been processed,
- Learning the purpose of processing your personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom your personal data is transferred domestically or abroad,
- To request correction of your personal data in case of incomplete or incorrect processing, to request the deletion or destruction of your personal data in accordance with the conditions set out in the Law No. 6698 on the Protection of Personal Data,
- To request correction of your incomplete or incorrectly processed personal data and to request notification of the deletion or destruction of your personal data to third parties to whom personal data has been transferred,
- To object to this result in case a result arises against you by analyzing your processed data exclusively through automated systems,
- In case you suffer damage due to unlawful processing of your personal data, to demand the compensation of the damage
How Can You Exercise Your Rights?
Data owners may communicate their rights listed above to our COMPANY by filling out the Personal Data Owner Application Form published at www.aydinbeyhotels.com and using the following methods.
In the application procedure, the COMPANY carries out its transactions within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller. In this context, the application must be made in accordance with Article 5 of the aforementioned communiqué.
The form should be filled in completely and sent to us by following the steps below;
- By submitting a wet signed copy of the fully completed Personal Data Owner Application Form together with a document that will ensure identification to AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ/Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA in person,
- By sending a wet signed copy of the fully completed Personal Data Owner Application Formtogether with a document to ensure identification to AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ/Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA via notary public,
- Personal Data Owner Application Form by signing with the "secure electronic signature" defined in the Electronic Signature PDPL numbered 5070 and sending it to kvkk@aydinunluer.com.tr,
- By filling in and signing the Personal Data Owner Application Form and scanning and uploading the wet signed form to the computer by sending an e-mail to kvkk@aydinunluer.com.tr address,
- By sending via Registered Electronic Mail (REM) to aydinunlueras@hs03.kep.tr via KEP or using other methods to be determined by the Board
The COMPANY shall finalize the requests of the relevant persons regarding their rights listed above in writing or by other methods to be determined by the Board as soon as possible and within thirty days at the latest after the date of transmission.
Replies to applications made by the person concerned under the rights set out in Article 11 of the Law shall be provided free of charge. Although the basic principle is to provide the response free of charge, if the response to be given requires an additional cost, the fees shown in Article 7 of the Communiqué on the Procedures and Principles of Application to the Data Controller may be requested by the COMPANY from the relevant person. The relevant article reads as follows-
Wage
ARTICLE 7 - (1) If the relevant person's application is to be answered in writing, no fee is charged for up to ten pages. A transaction fee of 1 Turkish Lira may be charged for each page over ten pages.
(2) If the response to the application is given in a recording medium such as CD, flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.
In order to respond to the applications made by the data owners, the COMPANY may request additional information and documents in order to verify the identity of the applicant, to prevent the unlawful transmission of another person's personal data to unrelated persons and to clarify the applicant's request. If such information and documents are not shared, the application of the data subject may not be answered.
It is crucial to verify that the application has been submitted by the "identity holder" and/or authorized person. Likewise, while the purpose is to protect personal data, providing personal data to 3rd parties due to the inability to verify identity and taking action within the rights explained in Article 11 of the PDPL will damage the interest of the person concerned that needs to be protected. For this reason, we hope that you will understand our sensitivity in terms of identity verification procedures and that you will help our COMPANY.