PERSONAL DATA PROCESSING POLICY OF BELLİS DELUXE HOTEL
INTRODUCTION
This Personal Data Processing Policy aims to define the methods and principles to be observed by Çalışkan Kardeşler Turizm İşletmeleri A.Ş. Bellis Deluxe Hotel A.Ş. (“COMPANY” in short) as the data controller in processing the personal data that the COMPANY maintains pursuant to the Personal Data Protection Act no 6698 and the other legislation.
SCOPE
The personal data of our employees, candidate employees, visitors and all natural persons whose personal data is being kept by the COMPANY for any reason whatsoever is managed according to the laws within the framework of this Personal Data Processing Policy.
DEFINITIONS
Law/KVKK: Personal Data Protection Law no 6698, dated 24/3/2016.
Board/Agency: Personal Data Protection Board/Personal Data Protection Agency.
Personal Data: All kinds of data in relation to a natural person with specific or specifiable identity.
Related Person: The person whose personal data is being processed.
Express Consent: Informed consent given with free will for a certain subject.
Anonymization: Rendering personal data such that it becomes impossible to relate it to a natural person with a specific or specifiable identity in any way even if by way of matching with other data.
Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and non-reusable in any way by the users.
Destruction of Personal Data: Making personal data inaccessible, non-retrievable and non-reusable in any way by any person.
Processing of Personal Data: All kinds of processing performed on personal data such as obtaining personal data by partly or entirely automatic means or by non-automatic means which has to be part of a data recording system, recording, storing, protecting, changing, reorganizing, clarifying, transferring, taking over, rendering accessible, classifying or preventing personal data from use.
Data processor: Natural or legal person who processes personal data on behalf of a data controller on the basis of the authorization given by the latter.
Data controller: Natural or legal person who defines the purposes and means of personal data processing and is responsible for establishing and managing the data recording system.
Sensitive Personal Data: Data about people’s race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, appearance, membership of societies, foundations or unions, health, sexual life, criminal conviction and security measures and biometric and genetic data.
Clarification Obligation: During the collection of personal data, the data controller or its authorized representative gives information to the related people about the identity of the data controller or its authorized representative, the purpose of processing personal data, the reason why and the persons to whom the processed data may be transferred, the method and the legal basis of collecting personal data, other rights as listed in article 11 of the Law.
SEDNA: The Front office, accounting and purchasing Automation System where the information about visitors is saved.
Destruction Policy: The policy on which data controllers base themselves when determining the maximum period for the purpose-related processing of personal data and for deleting, destroying and anonymizing such data.
Recording Environment: All kinds of electronic environment for saving personal data which is obtained by partly or entirely automatic means or by non-automatic means which has to be part of a data recording system.
Netahsilat: Online payment system.
Company: Çalışkan Kardeşler Turizm İşletmeleri A.Ş. Bellis Deluxe Hotel A.Ş.
PRINCIPLES OF PROCESSING PERSONAL DATA
Conformance to the laws and the rules of integrity: The COMPANY protects the individual rights of the related people when processing personal data. Personal data is collected and processed fairly in accordance with the laws.
Processing for definite, clear and legitimate (transparent) purposes and being related to the purpose of processing, limited and restrained: The COMPANY clearly sets forth the purpose of processing the personal data before actually starting the activity of personal data processing. The COMPANY processes personal data only for the purpose of improving the service given to the related people. During the collection of personal data; the related person is informed about the identity of the data controller and its authorized representative, if any, the purpose of processing personal data, the reason why and the persons to whom the processed data may be transferred, the method and the legal basis of collecting personal data, and the rights of the related person.
Storing for a period of time as suggested in the related legislation or as required for the purpose of processing: The COMPANY maintains personal data only for the period of time as stated in the related legislation or as required for the purpose of processing. The COMPANY and its subsidiaries shall continue to process and retain personal data in line with the purposes stated in this policy during the period of time required for the purposes of processing personal data and stipulated by the regulatory authorities and/or the related laws and regulations.
Accuracy of information and currency of data: The COMPANY maintains processed personal data in a correct, complete and, if necessary, updated format. When necessary; incorrect or incomplete information is deleted, corrected, completed or updated.
Confidentiality and data security: Personal data is subject to confidentiality of information. It is considered confidential at personal level and the necessary technical and administrative measures are taken to provide the proper level of security in relation to unauthorized access, illegal processing or distribution, prevention of loss, alteration and destruction and ensuring the protection of personal data.
DATA PROCESSING SCOPE
Personal data processing is performed in two different ways.
Processing data by totally or partly automated means; Includes receiving, collecting and storing data, taking photographs, making sound and video records, organizing, storing, altering, restoring, recovering and clarifying data in relation to the related persons or third parties specified in this policy in order to transfer, distribute or present in different ways, group and combine, block, delete or destroy the data.
Processing/obtaining data by non-automatic means; Includes storing, saving, maintaining, altering, reorganizing, clarifying, transferring, transferring to abroad, taking over, making available, classifying or preventing the use of data on the condition of being a part of some kind of recording system.
The COMPANY shall be entitled to process the personal data of the related person during the period of time in which the provided services are being used and after the service relation has ended on the condition of achieving the purposes stated in this policy.
The personal data processing performed by the COMPANY covers all kinds of actions, with no restrictions, targeted towards data, where the means of processing is automatic, semi-automatic or non-automatic but part of an automated system.
The COMPANY processes the information belonging to the related people or to the persons who are under the guardianship of the related people.
Data processing also covers sharing data which are provided with the express consent of the related people and/or the third persons acting upon COMPANY instructions and/or upon the instructions and on behalf of a third Party when the COMPANY is the data controller.
Express consent of the related person also covers the case in which the COMPANY records and processes the actions that the related person does by means of various electronic channels (including but not limited to web browser, website, internet, mobile applications, payment transactions, technical methods and channels used for transferring and receiving money). (For example; locating the person while an electronic channel is being used, identifying and analyzing the entered data, product selection frequency and/or other statistical data)
Fundamentals of Data Processing
The related person accepts that the COMPANY needs to process, within the frame of the below listed purposes, the data belonging to the related person or to the third persons designated by the same during the period in which the COMPANY services are being used and even after the termination of the contractual relation.
Providing and/or implementing a service targeted at the related person,
Data processing being compulsory for purposes of protecting the lawful rights of the COMPANY and/or the third persons,
Fulfilling the legal responsibilities of the COMPANY,
Processing the personal data of the related person being necessary on the condition of having a direct relation with the establishment and execution of a contract between the related person and the COMPANY,
Data processing being compulsory for establishing, exercising and using a certain right,
Other considerations to which the related person gives express consent,
Other considerations expressly stated in the legislation.
The express consent given by the related person means the acceptance of the policy and its provisions by the same.
Purposes of Data Processing
Third parties that process the personal data shared upon the consent of the COMPANY and/or the related persons may process the personal data of the related person or of the persons under the guardianship of the related person for the below listed purposes.
Providing the accommodation services as declared, providing and performing better and more reliable services for the guests,
The COMPANY uses Netahsilat online system for receiving online payments and collecting money. Using guest information (name surname, date of birth, e-mail address, telephone number and credit card) for these transactions, doing information search and survey assessments, providing planning, statistics, archiving and storage services, doing guest satisfaction work,
The necessity of controlling the accommodation history and/or behavioral patterns of the related person for optimizing and improving COMPANY services,
The COMPANY’s ability to offer a new and/or additional service or non-service product,
Changing the current conditions of a service already being offered by the COMPANY,
Statistical data analysis performed by the COMPANY, preparing and presenting various reports, researches and/or presentations,
Ensuring security as well as identifying and/or preventing abuse and other criminal activities,
Responding to the complaints, questions and demands of the related person,
Verifying the credentials of the related person,
Performing promotion, marketing and campaign activities in relation to the accommodation service,
Fulfilling the other purposes suggested in the national and international laws and legislation.
Processing, Transferring and Clarifying the Data
The COMPANY has been fulfilling the liabilities imposed by the related legislation and board resolutions in association with the procedures of processing, transferring or clarifying of personal data. In line with the purposes defined in this policy, in order to process, transfer and/or clarify all kinds of information depending on the content and variety of the accommodation service provided by the COMPANY, personal data of the related person and of the persons accompanying the related person during the accommodation service purchase period, including but not limited to the below listed data, is being used: name and surname of the related person, personal identification number and/or the specific feature of the identity card, the registered address and/or residence address, telephone/mobile phone number, e-mail address, information about the employer, information about employment conditions (place of work, salary, working hours, etc.), activities of the related person or the third person designated by the same when using various electronic channels and/or the internet (including but not limited to web cookies etc.) and when using the above listed channels (including but not limited to the verification of these channels, performed transactions or the history of transactions).
If, for purposes of making use of COMPANY services, the related person provides the COMPANY the personal information (including but not limited to personal data, sensitive personal data of third persons etc.) of third persons (family members, employer, etc.) as well; the person who provides such data to the COMPANY shall be responsible for obtaining the consent for processing the data.
If the related person provides the said data to the COMPANY (or to its authorized representative), such person shall be assumed to have given the necessary express consent and the COMPANY shall be released from the obligation to obtain such express consent.
The COMPANY is responsible for compensating any loss that is incurred by the related person if the personal and/or sensitive personal data is processed without obtaining express consent of the related person and such processing leads to some kind of loss on the part of the related person.
Express consent of the related person also covers the case in which the COMPANY records and processes the actions that the related person does by means of various electronic channels (including but not limited to web browser, website, internet, mobile applications, payment transactions, technical methods and channels used for transferring and receiving money). (For example; locating the person while an electronic channel is being used, identifying and analyzing the entered data, product selection frequency and/or other statistical data.)
The COMPANY has been entitled by the Law on the Regulation of Electronic Commerce no 6563 to use the contact information such as telephone number, mobile telephone number, e-mail address and other communication details given by the related person for sending commercial electronic mails including sending SMS, sending audio and/or other types of marketing messages (direct marketing) until the related person exercises the right to refuse.
The related person gives the COMPANY the right to share his/her personal data with the COMPANY subsidiaries and/or shareholders for the purpose of making various marketing offers.
The commercial/informative messages displayed at the service locations of the COMPANY (for example commercial brochures, promotional visuals, oral offers etc.) or the content displayed during the use of electronic channels of the COMPANY (or the COMPANY subsidiaries), such as internet, mobile marketing shall not be considered as direct marketing and the related person shall not have the right to demand the termination of the publication and/or display of such content.
Processing the Data of Applicants or the Employees
Processing personal data for purposes of executing, performing, maintaining and terminating service contract: The COMPANY has been entitled to process the personal data of the related person disclosed at the time of job application, probation and/or training period for the purposes of fulfilling such human resources and training processes as exercising and continuously maintaining the personal rights arising out of the service contract, performing the procedures in relation to the occupational health and safety and the working permits of the employees, evaluating personal job applications, executing investigation and other recruitment processes, performance assessment and follow up, training activities, improving working conditions, carrying out personal development processes.
In the job application process, collecting information from the third parties in relation to the applicant is done within the frame of the provisions in the Personal Data Protection Act no 6698.
Express consent of the applicant is required for processing the personal data which is related to the business relations but is not an integral part of the execution of the service contract.
Processing Sensitive Personal Data: Sensitive personal data may be processed only upon an express consent given by the related person allowing for the processing of such data. Sensitive personal data other than that in relation to health and sexual life may only be processed in situations stipulated by the laws, and the data in relation to health and sexual life may only be processed for purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and health care services, planning and managing health care services and finance and only by people or authorized institutions and organizations bound with a confidentiality obligation.
Transferring Data to/from and Sharing Data with Third Parties
This policy is transferred to/shared with the related person and/or the third parties designated by the related person within the frame of data processing in order for the COMPANY to give services to the related person. The related person grants the COMPANY the right to obtain, save, store, maintain, alter, reorganize, clarify, transfer, take over, make available, classify and use personal data by all departments, internet, call centers, public institutions and organizations and the parties and suppliers from whom services are purchased as the supplement or extension of COMPANY activities by using means that is totally or partly automatic or that is non-automatic but is part of some kind of recording system.
Responsibility of Data Controller and Data Processor
Pursuant to the provisions of this policy; the COMPANY may assume the role of a data processor when processing some types of personal data and act on behalf of the data controller including third parties. Data controller may be the data processor for third parties regarding some personal data. Accordingly, each of the parties in such a relationship (data controller as well as the data processor) acts in conformance to the Personal Data Protection Law. Therefore;
Personal data is being processed in accordance with the principles stipulated in the legislation.
Express consent is obtained from the related person, after having given information and made clarifications as necessary.
Data controller sends feedback to the related person as soon as possible and within 30 days at the latest if the related person makes a demand about the information related to his/her own personal data or a complaint or statement is received with respect to the conformance of the data controller to the legislative obligations.
Also if, during the data processing one of the parties represents the data processor and the other the data controller, data processor fulfils the following liabilities. The data processor is responsible for doing the following;
Processes the data sent/disclosed by the other party in accordance to the extent and scope as defined in the provisions of this policy and permitted by the legislation; or upon the demand of a regulatory authority,
Implements all reasonable technical and administrative measures and takes all necessary actions in order to prevent unauthorized processing of the data sent/disclosed by the data controller and the loss, destruction, damaging, unauthorized alteration and disclosure of the same and informs the data controller about all measures taken in this respect,
The COMPANY, working through its authorized personnel, inspects the data security measures and applications implemented by the data processor,
Makes cooperation and gives support in relation to the investigation of a complaint or statement sent/disclosed by the COMPANY including the following,
Provides the COMPANY, within 7 work days after the date of request, detailed information in relation to the complaint and statement involving the personal data (also electronic data) of the related person that was sent/disclosed by the data controller to the data processor,
Prevents any form of data transfer by the data processor to a country and/or an international organization which is not a part of the European Economic Area and not listed as one of the countries which are qualified for personal data protection or is not allowed by the related person or the Personal Data Protection Board for being transferred to,
Does not transfer/disclose data to third parties without having prior express consent of the COMPANY in writing,
Even in cases where the COMPANY has given prior express consent in writing; the data processor is liable for transferring/disclosing data pursuant to a written contract. In the said written contract, the third party and its subcontractors are responsible for taking all kinds of technical and administrative measures in order to prevent unauthorized processing of the data and the loss, destruction, damaging, unauthorized alteration and disclosure of the same.
Compensating all the loss/damage incurred by the COMPANY when the data processor fails to take or fully implement the required actions (as stipulated in the policy and the legislation). Data processor gives express consent and agrees with the data controller to indemnify the loss and compensate the damages when, as a result of any violation of the data processor, the COMPANY incurs some kind of loss/damage (including but not limited to consequential loss), receives complaints, pays costs (including but not limited to the costs incurred when the COMPANY exercises its legal rights), is subjected to legal actions and other liabilities.
Unless stated otherwise in the contract executed between the COMPANY and the data processor, and upon termination of the contractual relation between the COMPANY and the data processor, the data processor shall be responsible for returning all data (including personal data) transferred/disclosed by the COMPANY, taking all kinds of measures to prevent third parties having unauthorized access to the data, destroying the personal data transferred/disclosed by the COMPANY and giving feedback to the COMPANY confirming that such action has been taken.
Updating and Processing Data, Period of Retention and Data Destruction
Data continues to be processed during the period in which the Company services are made use of and during a period of time afterwards, pursuant to the purposes stated in this policy and consistent with the goals and benefits of the company, the demands of supervisory/regulatory authorities and/or the legislation.
Processing of the data that has been transferred during the time the related person has made use of the electronic channels of the COMPANY (web browser, website, internet, mobile applications and/or other electronic data transfer tools) continues even after the related person has deleted the data from the related electronic channels.
Upon request of the related person, information is given regarding the personal data retained by the COMPANY within the scope permitted by the legislation.
If the data about the related person retained by the COMPANY is incomplete or incorrect, such incomplete or incorrect data is completed and corrected upon the related person sending a written notice to the COMPANY.
Personal data is retained for a period of time as stipulated in the related legislation or as required by the purpose of processing but in all cases for a period of 15 years. Although having been processed in line with the legislative provisions, personal data is deleted, destroyed or anonymized automatically or by the data processor upon demand of the related person when the reasons for processing are no longer valid and the period of retention by the COMPANY has expired.
The criteria listed below are taken into consideration when calculating the period of time during which personal data shall be retained and destroyed:
The exemption(s) for data retention as stipulated in articles 5 and 6 of the Law have been determined for the data and accordingly,
A matrix system for authorization and control of access is in use. Related users for each piece of personal data are identified, authorization and methods of access, retrieval and reuse for the related users are defined, authorization and methods of access, retrieval and reuse for the related users are updated, cancelled or removed in cases such as service contract termination or change of position.
In cases when the period of time stipulated in the legislation for the retention of said personal data has expired or when no period of time has been stated in the legislation regarding the retention of said data, such data is deleted, destroyed or anonymized by the data controller every 10 years.
When deleting, destroying or anonymizing the personal data, action is taken according to the principles listed in article 4 “General Principles” of the Law, the measures stipulated in article 12 “Data security obligations”, the related legislative provisions, the Agency resolutions and this policy.
All operations related to the deletion, destruction and anonymization of personal data are recorded by the COMPANY. These records are maintained for a minimum period of 10 years, excluding any other legal obligations.
Unless decided otherwise by the Personal Data Protection Agency, a suitable method for deleting, destroying or anonymizing personal data is selected by the COMPANY.
The personal data collected by the COMPANY is saved in various recording environments. The data is deleted using proper methods for the recording environments. The data saved in digital environments is deleted manually and/or by giving delete command and the data saved on printed paper is deleted by blackout method. Blackout method is the process with which the personal data on the paper is cut out when possible or, in other cases, made irreversibly invisible to the related users by using permanent ink that renders the data non-readable even if technological solutions are used.
The office files saved in the central server are deleted by way of the delete command in the operating system of the file or users are denied the right of access to the file or to the directory of the file.
The use of memory sticks has been limited to authorized people. The database where personal data is saved is protected using degrees of authorization and deletion may only be made by authorized people. Execution of this operation depends on whether the related user is also a database administrator.
Deletion of personal data is the operation with which personal data is rendered inaccessible, irretrievable and non-reusable by anyone in any way whatsoever. The COMPANY as the data controller takes all kinds of necessary technical and administrative measures in relation to the destruction of personal data. For the purpose of destroying personal data, all copies containing the data are identified and the systems on which the data is located are physically destroyed by way of melting, burning or pulverizing the optical media and magnetic media. Data is rendered inaccessible by way of melting, burning or pulverizing the magnetic media or by passing it through a metal crusher.
Network devices (switch, router etc.) are deleted by delete command, mobile telephones (sim card and memory areas); permanent memory areas of portable smart phones are deleted by delete command or physical destruction methods, data storage media such as optic disks; CD, DVD are destroyed by physical destruction methods such as burning, breaking to pieces, and melting. As for the personal data saved in devices which have been broken down or sent for maintenance, the data storage media is removed and retained and the rest of the defective device is delivered to the third parties such as producer, seller or technical service. External personnel who are here to provide repair and maintenance services are prevented from copying personal data and taking it outside the agency by putting the necessary measures in place. Confidentiality agreements have been signed with the related maintenance companies.
Anonymization is the process with which all direct and/or indirect identifiers in a data set are deleted or modified, making it impossible to specify the identity of the related person or making the person lose the capacity to be distinguished in a group/crowd by becoming unassociatable to a natural person. The purpose of anonymization is to break the connection between the data and the person identified by such data. Data is anonymized by selecting a suitable method for the related data from among such disconnection operations as automatic or non-automatic grouping, masking, deriving, generalizing, randomizing, all of which are applicable to the records in the data recording system where the personal data is stored.
Rights of the Related Person
Every related person has the right to learn whether the personal data has been processed or not, request related information if the personal data has been processed, know about the purpose of the personal data and whether the data has been used for the intended purpose, know about the third persons within or outside the country to whom the personal data has been transferred, ask for the correction of any incomplete or incorrect processing of the personal data, ask for the deletion or destruction of the personal data, ask for notification as to whether the personal data has been transferred to third persons within or outside the country, raise objection to any results occurring against the person him/herself when the processed data is analysed only by means of automatic systems, ask for the compensation of any damage that the person might have incurred because of the illegal processing of personal data.
Confidentiality of Data Processing
Personal data is subject to data security. Unauthorized access to such data by any employee of the COMPANY, its partnerships and/or subsidiaries is prevented and it is strictly prohibited for unauthorized people to process or use such data. Processing of such data by an employee of the COMPANY, its partnerships and/or subsidiaries whose job description does not include an authorization to do so means performing an unauthorized operation. Employees of the COMPANY, its partnerships and/or subsidiaries may have access to personal data only if their job description includes an authorization to do so.
It is prohibited for the employees of the COMPANY, its partnerships and/or subsidiaries to use personal data for private or commercial purposes, to share them with unauthorized people or to make such data accessible by any other means. At the time of commencing to work, data controller gives information to its employees with respect to the obligation to protect the confidentiality of data, organizes training sessions for employees and makes sure that they have been duly trained.
In order to protect and ensure the security of ownership and confidentiality and to control and measure service quality, video and sound recording is taken around and at the entrance of buildings and workplaces and in places like kitchen and service background based on the provisions in the Personal Data Protection Law no 6698.
The related person is informed of the fact that video recordings and video inspections are made using suitable devices at the related service points and when establishing communication with the COMPANY. The related person accepts the importance of video and sound records and gives express consent in this article to the COMPANY to process the data in this respect.
Data Processing Security
Personal data is secured against unauthorized access, illegal data processing and disclosure and accidental loss, alteration or destruction of data. Data is under protection whether processed by electronic media or on paper. For the purpose of taking technical and administrative measures with regard to the protection of personal data, new and advanced data processing methods and information technology systems are being followed up.
Data Protection Control
Conformance to this Data Protection Policy and to the related data protection laws is regularly monitored by the authorized people employed in the related COMPANY departments. Personal data protection agency has been entitled to personally inspect the conformance of the COMPANY, its partnerships and/or subsidiaries to the provisions in this policy as permitted by the national laws.
Communication
When the related person submits a written request to the Data Controller in relation to the application of this policy and the Personal Data Protection Law, Data Controller responds to the request free of charge as soon as possible and within 30 days at the latest depending on the nature of the request in the application. However, if an additional cost is incurred due to the procedure, a fee is charged as stated in the tariff issued by the Personal Data Protection Agency.