PERSONAL DATA PROCESSING AND PROTECTION POLICY

 

According to Article 20th, paragraph 3 of the Constitution of the Republic of Turkey, "Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning the person, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may be processed only in cases stipulated by law or with the explicit consent of the person..." 

 

The right to protection of personal data as a fundamental human right is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union. 

 

Article 4 of the Personal Data Protection Law (PDPL) lists the basic principles that must be observed for the processing of personal data. These principles are taken into consideration and meticulously applied within the scope of all personal data processing activities carried out by

AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ (COMPANY). The basic principles followed by the

COMPANY in data processing processes are as follows- 

Processing in Compliance with the Law and the Rule of Honesty: The COMPANY acts in accordance with the general principles of law and the rule of honesty while fulfilling its obligation to process and protect personal data. 

Accurate and Up-to-date Processing of Personal Data: The COMPANY is aware that providing accurate and up-to-date information about individuals is of great importance for the protection of individuals' rights. It takes the utmost care to ensure that the personal data being processed is accurate and up-to-date. 

Personal Data Processing for Specific, Explicit and Legitimate Purposes: PDPL requires data processing activities to be processed for specific, explicit and legitimate purposes. Within the framework of this principle, the COMPANY carries out personal data processing activities for specific, explicit and legitimate purposes required by its activities. 

Processing in Connection, Limited and Proportionate to the Purpose for which they are Processed: The COMPANY processes personal data within the limits sufficient to fulfill the purposes determined within the scope of its activities. The COMPANY acts in accordance with the principle of limitation and proportionality by refraining from processing personal data that is not needed. 

Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which it is Processed: Personal data processed by the COMPANY are retained for the period until the personal data processing conditions are eliminated. When such purposes cease to exist, the COMPANY will terminate the retention of the relevant personal data. The COMPANY transparently informs all relevant parties about all data processing processes with the necessary documents.

 

INTRODUCTION 

Law No. 6698 on the Protection of Personal Data was published in the Official Gazette dated 7 April 2016 in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, and to regulate the obligations of real and legal persons who process personal data and the procedures and principles to be followed. 

1. Purpose

The Policy on Processing and Protection of Personal Data (Policy) has been prepared by AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ (COMPANY) with the aim of disciplining the processing of personal data to be processed during the activities carried out in accordance with the legislation and protecting the fundamental rights and freedoms, especially the privacy of private life stipulated in the Constitution.  

While preparing this Policy, it has been determined as a basic principle to determine which data and why the working units within the COMPANY organization collect and why they transfer this data to third parties and to understand the COMPANY's personal data processing procedure. In addition, this Policy aims to determine the administrative and technical measures to be taken to protect data confidentiality within and outside the organization of the COMPANY, to explain these measures and to inform and enlighten the individuals whose data are processed.  

 

2. Scope

This Policy covers all natural persons whose data are processed directly or indirectly due to the activities of the COMPANY. 

Within the scope of this Policy, customized information about the data processed within the framework of the transactions and activities within the organization of the COMPANY, data categorization, data recipient groups, legal reason and method of data collection, third party groups to which data is transferred, data processing periods, data destruction periods are included. 

 

3. Definitions

Company: located at 'Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA' AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN A.Ş.

Explicit Consent: It refers to the consent regarding a specific subject, based on information and expressed with free will.

Cookie: These are small files saved on users' computers or mobile devices that help store preferences and other information about the web pages they visit.

Related User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: Deletion, destruction or anonymization of personal data.

Contact Person: The real person notified by the data controller at the time of registration to the Registry for communication with the Authority regarding the obligations of legal persons resident in Turkey and non-resident legal person data controller representative within the scope of PDPL and secondary regulations to be issued based on this PDPL.

(The contact person is not authorized to represent the Data Controller. As the name suggests, it is only the person assigned to ensure the communication "liaison" between the data controller and the relevant persons and the Authority).

PDPL: Personal Data Protection Law dated March 24, 2016 and numbered 6698, published in the Official Gazette dated April 7, 2016 and numbered 29677.

Recording Medium: Any medium in which personal data processed by fully or partially automatic means or by non-automatic means, provided that it is part of any data recording system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data: Making personal data inaccessible and non-reusable in any way for the Relevant Users.

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Board: Personal Data Protection Board.

Institution: Personal Data Protection Authority.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction: The process of deletion, destruction or anonymization to be performed ex officio at recurring intervals specified in Personal Data Storage and Destruction Policy in the event that all of the conditions required for the processing of personal data disappear. Policy: Personal Data Processing and Protection Policy created by the Data Controller. VERBIS: It is a registration system that natural and legal persons who process personal data must register before they start processing personal data and enter information on a categorical basis about the personal data they process. 

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Recording System: Recording system where personal data is structured and processed according to certain criteria.

Data Subject/Related Person: The natural person whose personal data is processed. Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.        

 

4. Responsibility

All units and employees of the COMPANY are responsible for actively supporting the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, by properly implementing the technical and administrative measures taken by the responsible units within the scope of this Policy, training and raising awareness of unit employees, monitoring and continuous auditing.

 

5. Policy Flow

5.1. COMPANY PDPL Structure

The data controller in terms of personal data processing activities covered by this Policy is AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ.  

Within the framework of the PDPL compliance program, our COMPANY has organized a separate organization for the protection of personal data processes in order to guarantee the continuity of compliance with the PDPL, and has carried out appropriate work and transactions and provided the necessary equipment. Within this framework, a "PDPL Commission" has been established within our COMPANY and a Liaison Person has been assigned. 

 

5.1.1. Personal Data Protection Law Commission

A PDPL Commission has been established within our COMPANY to demonstrate our commitment to ensure sustainable compliance with personal data protection legislation and to ensure the effectiveness of our personal data protection system. The PDPL Commission chairperson and PDPL Commission members are appointed by the Board of Directors and carry out their duties. 

 

5.1.2. Contact Person 

In order to fulfill the obligation to appoint a contact person stipulated by the legislation, a contact person who has received the necessary training and has the required competence in PDPL has been appointed. The main responsibility of the contact person is to ensure the communication of the data controller with the Board and the relevant persons as stipulated by the legislation, and the contact person does not have the authority to represent the data controller. The contact person will also work to ensure that the PDPL Commission fulfills its duties and responsibilities. The Contact Person is a natural member of the PDPL Commission within our organization and calls the PDPL Commission to a meeting when needed. 

 

5.2. Purposes of Processing Your Personal Data, Collection Methods and Legal

Reasons of Your Personal Data We Process 

 

5.2.1. Processing Purposes

Your personal data will be used in compliance with the limits stipulated in PDPL and to fulfill the purposes indicated in the legislation related to the COMPANY. 

The processing purposes are; 

1. Fulfilling the obligations regarding all activities and audits stipulated in the Personal Data Protection Law No. 6698, the Turkish Code of Obligations No. 6098, the Identity Reporting Law No. 1774, the Information Acquisition Law No. 4982, the Labor Law No. 4857 and similar laws,
2. Establishment of rights arising from all activities to be carried out within the scope of the above-mentioned legislation,   
3. Carrying out the necessary work by the relevant units for you to benefit from the services offered by our COMPANY,      
4. Contacting you for the purpose of promoting our COMPANY and its activities through your communication channels you have shared with us,   
5. Recruitment of personnel in the areas required by the COMPANY, fulfillment of rights and obligations within the scope of the legislation regulating business life, especially Labor Law No.

4857, Occupational Health and Safety Law No. 6331 and Social Security and General Health

       Insurance Law No. 5510,                                                 

1. Paying salaries, providing allowances, realizing revolving fund payments etc. activities related to the personnel, 
2. Correspondence within the COMPANY,   
3. Providing information-documents to authorized public, institutions and organizations and judicial authorities within the conditions specified in the laws,     
4. Ensuring the functionality of the organization and event (seminars, conferences, meetings, trainings, symposiums, etc.) management processes in the COMPANY and announcing them to the public, ensuring the continuity of the website and social media accounts with up-to-date data in order to ensure the public awareness of the COMPANY and to keep it up-to-date, managing the promotion and advertising processes, 
5. Keeping an archive in accordance with the procedures specified in the legislation in order to carry out storage and archive activities and to create annual unit activity reports, 
6. Creation and follow-up of visitor records,
7. Ensuring building, personnel and visitor security,   
8. The data can be anonymized and used in statistical activities for research purposes,
9. Receiving and responding to interested person applications to be made within the scope of PDPL.

 

5.2.2. Personal Data We Process

You can access VERBIS, which contains the personal data we process on the basis of data categories; Data Controller Information Inquiry from VERBIS (kvkk.gov.tr).

Identity Information: Data that clearly belong to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; containing information about the identity of the person; documents such as driver's license, identity card and passport containing information such as name-surname, TR identity number, nationality information, mother's name-father's name, place of birth, date of birth, gender, and information such as tax number, SSI number, signature information, vehicle license plate etc.

Contact Information: Information such as telephone number, address, e-mail address, fax number, IP address, which clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system.

Location Data: Information that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; information that determines the location of the Personal Data Owner within the framework of the operations carried out by the business units of the COMPANY, during the use of the products and services of the group companies or while using the COMPANY vehicles of the employees of the institutions with which it cooperates; GPS location, travel data etc.

Personal Information: All kinds of personal data that clearly belong to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; processed to obtain information that will be the basis for the formation of the personal rights of natural persons who are in a working relationship with the COMPANY.

Legal Transaction Information: Data processed within the scope of the COMPANY's legal obligations with the determination and follow-up of its legal receivables and rights and the performance of its debts.

Customer Transaction Information: Call center records, invoice, promissory note, check information, information in box office receipts, order information, request information etc. Physical Space Security Information: Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of a data recording system; personal data relating to records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings and records taken at the security point etc.

Transaction Security Information: Personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the COMPANY while carrying out the activities of the COMPANY.

Risk Management: Information processed to manage commercial, technical, administrative risks etc. 

Financial Information: Personal data that clearly belongs to an identified or identifiable natural person; processed partially or completely automatically or non-automatically as part of the data recording system; personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the COMPANY with the Personal Data Owner and data such as bank account number, IBAN number, credit card information, financial profile, asset data, income information.

Vocational Experience Information: Diploma information, courses attended, vocational training information, certificates, transcript information etc.

Marketing Information: Shopping history information, survey, cookie records, information obtained through campaign work etc.

Visual/Audio-Visual Information: Data contained in documents that clearly belong to an identified or identifiable natural person; photographs and camera recordings (except for recordings within the scope of Physical Space Security Information), audio recordings and documents that are copies of documents containing personal data.

Information on Philosophical Belief, Religion, Sect and Other Beliefs: Information on other beliefs, information on religious affiliation, information on philosophical belief, information on sectarian affiliation etc.

Health Information: Information on disability status, blood type information, personal health information, device and prosthesis information etc.

Information on criminal convictions and security measures: Information on criminal convictions, information on security measures etc.

Request/Complaint Management Information: Personal data clearly belonging to an identified or identifiable natural person; processed partially or completely automatically or nonautomatically as part of the data recording system; personal data regarding the receipt and evaluation of any request or complaint addressed to the COMPANY. Other Information: Data types to be specified by the user etc

 

5.2.3. Methods of Collecting Your Personal Data

Your personal data, member registration form, registration/application forms filled out over the internet, receipt and expenditure documents, video and audio recording devices used in events, security camera records and the COMPANY's official e-mail addresses [email protected] and [email protected], any e-mail address of the COMPANY using the @aydinbeyhotels.com.tr extension, [email protected] KEP address or fax address 0332 248 09 68 are collected through the aforementioned communication channels.

Personal data is also collected by physically sending documents, physically filling in a document provided by the COMPANY, calling the telephone lines belonging to the company or other internal numbers belonging to the COMPANY.

Your personal data is also collected automatically through cookies used in www.aydinbeyhotels.com address and extensions, mobile hotel information applications. These cookies are only necessary for the visitor to use the site with full efficiency and are used to remember the visitor's preferences and do not provide any other personal data. Cookie Policy is available at www.aydinbeyhotels.com.

 

5.2.4 Legal Grounds for Personal Data Processing

PDPL lists the conditions for processing personal data in the 2nd paragraph of the 5th article. If the purposes of processing personal data by a data controller can be assessed within the framework of the personal data processing conditions listed in the PDPL, that data controller may process personal data lawfully. In this context, personal data processing activities are carried out by the COMPANY in cases where the COMPANY activity can be evaluated within the scope of the personal data processing conditions regulated in the PDPL. The COMPANY does not engage in any personal data processing activities that do not fall within the scope of personal data processing conditions. 

 

The personal data processing conditions in the PDPL are as follows; 

• Explicit consent of the person concerned, 
• That it is clearly stipulated in the laws, 
• It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, 
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the conclusion or performance of a contract, 
• It is mandatory for the data controller to fulfill its legal obligation, 
• It has been made public by the data subject himself/herself, 
• Data processing is mandatory for the establishment, exercise or protection of a right, 
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. 

 

The basic processing condition for Special categories of personal data is explicit consent and the COMPANY does not intend to process special categories of personal data. However, your sensitive personal data that we need to process due to our activities or that you have given your explicit consent are also processed in a measured manner within the scope of the legislation.

 

The conditions listed in PDPL for the processing of special categories of personal data are as follows;

• Explicit consent of the person to be concerned,
• It is clearly required by law,
• It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, himself/herself or someone else,
• It is related to the personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
• It is mandatory for the establishment, exercise or protection of a right,
• It is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation to keep secrets or authorized institutions and organizations,
• It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
• It is possible for foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that they comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; if they are intended for their current or former members and members or persons who are in regular contact with these organizations and formations.

 

There may be one or more personal data processing conditions that make a personal data processing activity lawful at the same time.

In order to realize our aforementioned purposes, it is necessary to process your data mentioned above. When transferring identity information to our Company, data that are not actually within our processing purposes may also be transferred to us. Within the scope of administrative and technical measures, we delete and/or anonymize such data at the end of the periods stipulated in the legislation.

 

5.3. Transfer of Personal Data

Domestic transfer: As it is known, pursuant to Article 8/2-a and b of PDPL, it is possible to transfer personal data domestically without obtaining explicit consent if the personal data is processed within the scope of Articles 5/2 and 6/3 of PDPL. Transfers are made by the COMPANY to third parties in accordance with the relevant provisions, and in the event that it is not within the scope of the said provisions, the explicit consent of the relevant persons is applied.  Transfer abroad: It is possible that the data and documents processed by the COMPANY are kept on computers located outside the COMPANY, e-mails are sent and records are accessed from such computers, the systems where these data are kept and transferred and/or the databases of e-mail providers are located abroad. In addition, it may be necessary to transfer personal data abroad, especially in international organizations, event arrangements, hotel accommodations, obtaining visas, obtaining airline tickets, conducting and planning events abroad. In this case, the transfer shall be made in accordance with the provisions of Article 9 of the PDPL. 

Your personal data is shared with authorized public institutions and organizations, judicial authorities, enforcement authorities, law enforcement authorities, law enforcement units and suppliers, business partners and shareholders from whom contracted products and or services are purchased for the purposes and by the means shown in this Policy. Below is the table showing the shared parties-

 

Persons to whom data can be transferred	Description	Purpose
Business Partner	Parties with whom the COMPANY establishes business partnerships while conducting its commercial activities	Sharing of personal data limited to the purpose of ensuring the fulfillment of the purposes for which the business partnership was established
Shareholders	Shareholders who are authorized to design the strategies and audit activities regarding the commercial activities of the COMPANY in accordance with the provisions of the relevant legislation	Sharing of personal data limited to the design of strategies regarding the commercial activities of the COMPANY and for audit purposes
COMPANY Authorities	Board members and other authorized persons	Sharing of personal data limited to the design of strategies regarding the commercial activities of the COMPANY, ensuring its management at the highest level and for audit purposes
Legally Authorized Private Law Persons	Private law persons legally authorized to obtain information and documents from the COMPANY	Sharing data limited to the purpose requested by the relevant private law persons within their legal authority
Legally Authorized Public Institutions and Organizations	Public institutions and organizations legally authorized to receive information and documents from the COMPANY	Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations

 

No data transfer is made that does not concern the purposes of the COMPANY. For example; even if we have obtained it with your consent, your IP address information or your vehicle license plate information is not shared with any 3rd party, including the persons and organizations shown above. The exception to this determination is when the transfer of the data in question is required by legislation, or is mandatory for a criminal investigation, or is requested by an official authority based on legislation and with justification.

 

5.4. Rights of the Relevant Person

You have the following rights under Article 11 titled "Rights of the data subject" of the Law No.

6698 on the Protection of Personal Data;

1. Learning whether your personal data are processed,
2. Request information if your personal data has been processed,
3. Learning the purpose of processing your personal data and whether they are used in accordance with their purpose,
4. To know the third parties to whom your personal data is transferred domestically or abroad,
5. To request correction of your personal data in case of incomplete or incorrect processing, to request the deletion or destruction of your personal data in accordance with the conditions set out in the Law No. 6698 on the Protection of Personal Data,
6. To request correction of your incomplete or incorrectly processed personal data and to request notification of the deletion or destruction of your personal data to third parties to whom personal data has been transferred,
7. To object to this result in case a result arises against you by analyzing your processed data exclusively through automated systems,
8. In case you suffer damage due to unlawful processing of your personal data, to demand the compensation of the damage

 

How Can You Exercise Your Rights?

Data owners may communicate their rights listed above to our COMPANY by filling out the Personal Data Owner Application Form published at www.aydinbeyhotels.com and using the following methods. 

In the application procedure, the COMPANY carries out its transactions within the scope of the Communiqué on the Procedures and Principles of Application to the Data Controller. In this context, the application must be made in accordance with Article 5 of the aforementioned communiqué.  

 

The form should be filled in completely and sent to us by following the steps below; 

• By submitting a wet signed copy of the fully completed Personal Data Owner Application Form together with a document that will ensure identification to AYDIN ÜNLÜER TURİZM

GIDA TİC VE SAN AŞ/Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA in person,

• By sending a wet signed copy of the fully completed Personal Data Owner Application Formtogether with a document to ensure identification to AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ/Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA via notary public,
• Personal Data Owner Application Form by signing with the "secure electronic signature" defined in the Electronic Signature PDPL numbered 5070 and sending it to [email protected],
• By filling in and signing the Personal Data Owner Application Form and scanning and uploading the wet signed form to the computer by sending an e-mail to [email protected]  address, 
• By sending via Registered Electronic Mail (REM) to [email protected] via KEP or using other methods to be determined by the Board  

The COMPANY shall finalize the requests of the relevant persons regarding their rights listed above in writing or by other methods to be determined by the Board as soon as possible and within thirty days at the latest after the date of transmission. 

Replies to applications made by the person concerned under the rights set out in Article 11 of the Law shall be provided free of charge. Although the basic principle is to provide the response free of charge, if the response to be given requires an additional cost, the fees shown in Article 7 of the Communiqué on the Procedures and Principles of Application to the Data Controller may be requested by the COMPANY from the relevant person. The relevant article reads as follows-

Wage

ARTICLE 7 - (1) If the relevant person's application is to be answered in writing, no fee is charged for up to ten pages. A transaction fee of 1 Turkish Lira may be charged for each page over ten pages.

(2) If the response to the application is given in a recording medium such as CD, flash memory, the fee that may be requested by the data controller cannot exceed the cost of the recording medium.

In order to respond to the applications made by the data owners, the COMPANY may request additional information and documents in order to verify the identity of the applicant, to prevent the unlawful transmission of another person's personal data to unrelated persons and to clarify the applicant's request. If such information and documents are not shared, the application of the data subject may not be answered. 

It is crucial to verify that the application has been submitted by the "identity holder" and/or authorized person. Likewise, while the purpose is to protect personal data, providing personal data to 3rd parties due to the inability to verify identity and taking action within the rights explained in Article 11 of the PDPL will damage the interest of the person concerned that needs to be protected. For this reason, we hope that you will understand our sensitivity in terms of identity verification procedures and that you will help our COMPANY. 

The COMPANY finalizes the requests as soon as possible and within 30 days at the latest. The result of the evaluation shall be notified to the relevant person in writing or electronically, and if the request is accepted, the requirements shall be fulfilled in accordance with the PDPL. 

In cases where the applications of the data subjects are rejected, the response is deemed inadequate or the application is not responded to in due time, the data subject may file a complaint to the Personal Data Protection Board within 30 days from the date of receipt of the response in accordance with Article 14 of the PDPL.

 

5.5. Legal Exceptions and Consent in the Processing of Personal Data and Sensitive Personal Data  

In principle, the COMPANY wishes to adopt the method of applying for the "explicit consent" of the persons concerned. Considering the purposes and conditions of processing specified in this Policy, it is not necessary to obtain the consent of the data subjects in terms of data processing conditions that fall within the scope of legal exceptions. 

However, under no circumstances should this situation be interpreted as the COMPANY will not benefit from the exemption provisions and/or will choose to obtain explicit consent in all cases. 

 

5.6. Information on the Processing of Personal Data 

5.6.1. Channels through which Personal Data is Obtained

Our COMPANY obtains personal data mainly through the following channels-   ➢ Organization, Event, Conference Participant-Invitee 

• Hotel Guest
• Employee Personnel File Documents, 
• Camera Recordings, 
• SMS/E-Mail, Telephone
• Website, Applications, Cookies and Similar Tracking Technologies,  ➢ Fax, 
• Mail, Cargo or Courier Services, 
• Location Tracker,
• Other Physical and Electronic Media. 

Depending on technological developments, new additions may be made by the COMPANY to the above-mentioned channels of obtaining personal data or the use of some of the existing channels may be abandoned. In such cases, in order to maintain transparency and accountability, it will be ensured that the channels used are accurately expressed by updating this Policy. 

 

5.6.2. Classification of Personal Data

Categorization of personal data is extremely important to ensure compliance with the legislation. Our legislation basically categorizes personal data under two categories: personal data and sensitive personal data.

 

5.6.3. Contact Person Classification 

The classification of the COMPANY's related parties is shown below- 

 

Personal Data Category	Data Subjects Related to Processed Personal Data
Identity Information	Candidate, Employee, Potential Product or Service Buyer, Intern, Product or Service Recipient, Parent / Guardian / Representative, Other-Brand Owner, Company Employee or Official, Other-Employee's Dependent or Child, OtherDoctor, Other-Public Employee, Other-Person Involved in the Incident, Other-Referenced Person, Other-Principal and Teacher of Interns, Other-All Internet Users, Shareholder/Partner, Supplier Employee, Supplier Official, Visitor, Hotel Guest, Other-Person to Call in Case of Emergency
Contact Information	Candidate, Employee, Potential Product or Service Buyer, Intern, Product or Service Recipient, Parent / Guardian / Representative, Other - Brand Owner Company Employee or Official, Other - Employee's Dependent or Child, Other - Doctor, Other-Public Employee, Other-Person Involved in the Incident, Other-Referenced Person, Other-Principal and Teacher of Interns, Other-All Internet Users, Shareholder/Partner, Supplier Employee, Supplier Official, Visitor, Hotel Guest, Other-Person to Call in Case of Emergency
Location Data	Employee, Other-Involved Person, Product or Service Recipient, Shareholder/Partner
Personal Information	Candidate,          Employee,          Employee,           Intern, Shareholder/Partner, Supplier Employee
Legal Action Information	Product or Service Recipient, Other-Involved Person, Employee, Shareholder/Partner, Intern, Supplier Official

Customer Transaction Information Purchaser of Product or Service, Other-Brand Owner

Company Employee or Official, Supplier Employee, Supplier Official, Hotel Guest

 

Physical Space Safety Information  Employee, Product or Service Recipient, Visitor, Other -

Brand Owner Company Employee or Official, Other -

Employee's Dependent or Child, Other - Doctor, Other - Public Employee, Other - Person Involved in the Incident, Other  - School Principal and Teacher of Interns, Other - Third Parties, Employee Candidate, Shareholder/Partner, Potential Product or Service Recipient, Intern, Supplier Employee, Supplier Official, Parent / Guardian / Representative

 

Transaction Security Information Employee, Product or Service Recipient, Other-All Internet Users, Shareholder/Partner, Intern, Supplier Official, Other3rd Persons

Risk Management	Other-Person involved in the incident, Employee, Intern, Supplier Employee, Supplier Official, Product or Service Recipient, Visitor
Financial Information	Employee, Intern, Product or Service Recipient, OtherInvolved Person, Shareholder/Partner, Supplier Employee, Supplier Official
Knowledge of Professional  Experience	Employee, Employee Candidate, Intern
Marketing Information	Other-3rd Persons
Audio/Visual Information	Prospective Employee, Employee, Potential Product or Service Recipient, Product or Service Recipient, Other - Employee or Official of the Brand Owner, Other - Employee's Dependent or Child, Other-Doctor, Other-Public Employee, Other-Person Involved in the Incident, OtherPrincipal and Teacher of Interns, Other-3rd Persons, Shareholder/Partner, Intern, Supplier Employee, Supplier Official, Parent/Guardian/Representative, Visitor, Hotel Guest

 

Philosophical Belief, Religion,          Employee, Other-Employee's Dependent

 

Sect And Other Beliefs Knowledge    Child, Shareholder/Partner       

           

Health Information               Employee, Intern, Product or Service Recipient, Visitor, Hotel Guest, Supplier Employee, Shareholder/Partner, Supplier Official, Other-Employee's Dependent or Child

 

Criminal Conviction and                     Employee, Product or Service Recipient, Intern, Supplier

 

Security Measures Information        Employee, Supplier Official, Shareholder/Partner, Other -  

Person Involved into Incident

 

Request/Complaint Management  Potential Product or Service Buyer, Product or Service 

Information	Recipient, COMPANY Stakeholders, COMPANY Authorities, COMPANY Business Partners, Employee Candidates, Visitors, COMPANY and Group COMPANY Customers, Potential Customers and Third Parties
Other Information	Potential Product or Service Recipient, Product or Service Recipient

 

5.7. Storage and Destruction of Personal Data 

The COMPANY stores the personal data of the data owners whose personal data it processes by taking the necessary technical and administrative security measures in electronic and physical environments.

The retention period of the COMPANY's personal data is calculated by taking into account the periods specified in the relevant legislation. 

Personal data will be destroyed by the COMPANY in the event that the personal data processing purposes that will eliminate the existence of the personal data processing conditions in the PDPL cease to exist. Such destruction operations are carried out ex officio in 6-month periods in accordance with the provisions of the relevant legislation or concluded if the requests from the data owners are found appropriate. Pursuant to the legislation, the COMPANY will fulfill the deletion and/or destruction requests of the relevant person within 30 days at the latest, unless another period is stipulated in the legislation, and will inform the relevant person.  

Minutes regarding the destruction of personal data will be kept by the COMPANY for 3 years . The periods stipulated in special legislation are reserved, and in case the periods herein are changed due to changes in PDPL and related legislation, the updated periods will be applied.

Destruction techniques of deletion, anonymization or destruction are used by the COMPANY.  The processes regarding destruction are carried out and decided by the PDPL Commission.

For more information, you can access Personal Data Retention and Destruction Policy at www.aydinbeyhotels.com.

 

5.8. Disclosure Obligation

Pursuant to Article 10 of the PDPL, the COMPANY shall fulfill the disclosure obligation mentioned in the PDPL by providing the following information to the relevant data subjects during the acquisition of personal data-

• Identity of the data controller and its representative, if any,
• The purpose for which personal data will be processed,
• To whom and for what purpose the processed personal data may be transferred, ➢ The method and legal grounds for collecting personal data, ➢ Other rights listed in Article 11th.

While carrying out its activities, the COMPANY prepares appropriate Disclosure Texts and presents them to the relevant persons in order to fulfill its disclosure obligation. 

For more information, you can access General Disclosure Text by using the link www.aydinbeyhotels.com.

 

5.9.  Measures Regarding the Security of Personal Data 

The COMPANY shows all reasonable care and diligence in ensuring the confidentiality and security of the personal data it processes, with the awareness of its responsibility as a well-established COMPANY. In addition to the requirements of the relevant legislation, the COMPANY reasonably takes the necessary technical and administrative measures to ensure data confidentiality and security within the framework of Article 12 of the PDPL. With these administrative and technical security measures, it is aimed to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to maintain personal data at an appropriate security level. In the event that personal data is processed by another natural or legal person (data processor) on its behalf, the COMPANY will take the necessary measures to ensure that the above-mentioned measures are also taken by the relevant data processors. 

In the event that personal data is unlawfully obtained by third parties, it will notify the data subjects, the Board and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation.

While taking measures regarding the security of personal data, the Personal Data Security Guide (Technical and Administrative Measures) published by the Board and the Board decisions are taken into consideration.

The COMPANY takes technical and administrative measures in data storage and destruction, taking into account Articles 7 and 12 of the law. The measures taken are as follows;

 

• Network security and application security are ensured.
• Closed system network is used for personal data transfers through the network.
• Key management is in place.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• There are disciplinary regulations for employees that include data security provisions.
• Training and awareness raising activities on data security are carried out for employees at regular intervals.
• Authorization matrix has been created for employees.
• Access logs are kept regularly.
• Corporate policies on access, information security, use, storage and disposal have been prepared and implemented.
• Data masking measures are applied when necessary.       
• Confidentiality commitments are made.
• Employees who are reassigned or leave their jobs are no longer authorized in this area.
• Up-to-date anti-virus systems are used.
• Firewalls are used.
• The signed contracts contain data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant document is sent in the format of a confidential document.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• Physical environments containing personal data are secured against external risks (fire, flood etc.).
• Security of environments containing personal data is ensured.
• Personal data is minimized as much as possible.
• Personal data is backed up and the security of backed up personal data is also ensured.
• User account management and authorization control system are implemented and monitored.
• Internal periodic and/or random audits are conducted and commissioned.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of sensitive personal data have been determined and implemented.
• If sensitive personal data is to be sent via electronic mail, it is sent encrypted and using a KEP or corporate mail account.
• Secure encryption/cryptographic keys are used for sensitive personal data and managed by different units.
• Intrusion detection and prevention systems are used.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is performed.
• Sensitive personal data transferred on portable memory sticks, CDs and DVDs are encrypted.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.
• Data loss prevention software is used.

 

5.10. Keeping Records Regarding the Internet Service Provided in the Common Area  

For the purposes of ensuring security by the COMPANY and for the purposes specified in this Policy; the COMPANY may provide internet access to visitors who request it during their stay at the COMPANY premises. In order to provide this access, date of birth and room number information is requested from visitors. In addition, log records regarding internet access are recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance with this Law; these records are processed only upon request by authorized public institutions and organizations or in order to fulfill the relevant legal obligation in the audit processes to be carried out within the COMPANY.

COMPANY employees who have access to the aforementioned records access these records only for use in requests or audit processes from authorized public institutions and organizations and transfer them to legally authorized persons. The disclosure obligation is fulfilled prior to the relevant processing activity.

 

5.11. Processing of Personal Data Collected through Cookies

Our COMPANY uses Cookies to improve the functioning and use of our websites or mobile applications and tries to make the time you spend on our digital platforms more efficient and enjoyable.

We also use some cookies to remember your preferences on our websites and mobile applications and thus provide you with an improved and personalized experience based on your preferences. Your personal data is processed and transferred through cookies on our digital platforms. Necessary technical and administrative measures are taken by our COMPANY to ensure the security of personal data collected through cookies in accordance with Article 12 of the PDPL.

For more information, you can access the Cookie Policy at www.aydinbeyhotels.com.

 

5.12. Training and Supervision of Employees and Data Processors on PDPL 

The COMPANY provides the necessary awareness trainings to its employees in order to fulfill the obligations stipulated by the legislation within the scope of personal data protection law and to protect the rights of the data subject. It is also ensured that new employees joining the COMPANY receive these trainings. Professional support is received in both internal and external training and audit processes. 

 

The COMPANY also carefully selects its data processors, makes it a condition of its business processes that data processors fulfill PDPL compliance, and periodically inquires about the PDPL compliance status of data processors. In this context, the COMPANY signs the necessary contracts and undertakings with the data processors and monitors their implementation, and terminates the contractual relationship with the data processors who do not meet the conditions.

            

5.13. Data Controller Identity 

Information regarding the identity of the data controller for all kinds of personal data processing activities within the scope of this Policy is given below.

 

Data Controller	AYDIN ÜNLÜER TURİZM GIDA TİC VE SAN AŞ
Address	Horozluhan OSB Mahallesi Cibi Sokak No-4/1 Selçuklu/KONYA
Telephone	0332 248 19 22
Fax	0332 248 09 68
E-mail	[email protected]
KEP	[email protected]
Website	www.aydinunluer.com.tr

 

5.14. Enforcement

This Policy issued by the COMPANY has entered into force on 19/02/2024 and has been made public. In case of conflict between the legislation in force, especially the Law, and the regulations contained in this Policy, the provisions of the legislation shall apply.

 

5.15. Update

Last Updated on: 01.06.2024

 

6.İlgili Dokümanlar

6.1. Personal Data Processing and Protection Policy              

6.2. Personal Data Retention and Destruction Policy              

6.3. Cookie Policy