POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA

ISTANBUL KERVANSARAY HOTEL AND TOURISM INC.
POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA

General Remarks
As KERVANSARAY HOTEL, we give utmost importance to the legal processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”). Therefore, in order to provide a better service to you in terms of customer safety, we act in accordance with the Personal Data Processing and Protection Policy, which is set out below, for the protection, storage, processing, use, destruction, commercial electronic communications and other matters of personal data (information). In this context, we hereby submit this Personal Data Processing and Protection Policy (“Policy”) to your information, both in order to fulfil the obligation of clarification under Article 10 and to notify all administrative and technical measures we have taken in the processing and protection of personal data.

Purpose and Scope of Policy
The main purpose of this Policy is to provide information on systems for the processing and protection of personal data in accordance with the law and the purpose of the Law and to provide information on all personal data processed automatically or processed in non-automatic ways provided that it is part of any data recording system by KERVANSARAY HOTEL in this context.

Personal Data Owner / Concerned Person
It refers to our employees, hotel customers, potential customers, business partners, visitors and third parties, whose personal data are processed.

Personal Data Definition
Below is the list of data processed by KERVANSARAY HOTEL and considered as personal data in accordance with the Law. Unless expressly stated otherwise, the term “personal data” under the terms and conditions provided under this policy shall include the following information:
1) Personal Data You Share With Us: Name-surname, date of birth, Turkish ID number, telephone number, e-mail address, photographs and video recordings forwarded within the scope of surveys and contests other all types of personal data you share via channels mentioned above.
2) Other Information Including Personal Data Collected via Automatic Methods: Other Information Including Personal Data Collected via Automatic Methods: Automatically collected information via automatic search machines, video and audio recording devices and entering our website; this includes the number of visits, the average time spent on the site, and the page information displayed.
3) Personal Data From Other Sources and Other Information : Social media vehicles, your personal data such as updated address information account information, purchase, page view information, search term and search results that our business partners and other third parties share with us with prior permission obtained from you.

Sensitive Personal Data
Data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise, association, foundation or union membership, health, criminal convictions and security measures and biometric and genetic data. In the event that the processed data is of a sensitive personal data as defined in the GDP Law; If the personal data owner does not have explicit consent, the personal data can only be processed provided that adequate measures defined by GDP Board are taken.

Data Responsible
The data officer refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Legal persons are themselves “data officers” within the scope of their activities regarding the processing of personal data and the legal responsibility specified in the relevant regulations shall arise in the person of the legal entity. There is no difference in this regard in terms of public legal entities and private legal entities.
According to the law, the person responsible for data is the person who determines the purpose and method of processing of the personal data. In other words, it is the person who will answer the “why” and “how“ of the processing activity. In this context, İSTANBUL KERVANSARAY HOTEL AND TOURISM INC. (“KERVANSARAY HOTEL”) acts as the data responsible.

Liabilities of the Data Responsible
a) Liability of Clarification
The law provides the persons concerned with the right to obtain information about whom, for what purposes and for what legal reasons this data can be processed and to whom it may be transmitted and for which purposes the data officer is responsible for disclosure. Accordingly KERVANSARAY HOTEL is required to provide the following information to the concerned person through itself or the person which it authorized during obtaining the personal data in accordance with Article 10 of the Law:
♣         The identity of the data officer and the representative, if any,
♣         The purpose for which personal data will be processed,
♣         To whom and for what purpose personal data may be transmitted,
♣         Method and legal reason of personal data collection,
♣         Other rights defined in Article 11 of Law.

Other rights listed in Article 11 of the Law;
• To learn whether personal data is processed or not,
• To demand information if personal data has been processed,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data is transferred at home or abroad,
• To request correction of personal data in case of incomplete or incorrect processing,
• To request deletion or destruction of personal data within the principles laid down in GDPR,
• To request to notify third parties in case the data have been incorrectly transferred, deleted or destroyed
• To object to a conclusion against her/himself by analysing the processed data exclusively through automated systems,
• To demand damages in case of damage due to unlawful processing of personal data,

In cases where the data processing activity is subject to the express consent of the person concerned or the activity is carried out under another condition in the Law, the data officer’s obligation to inform the relevant person continues. That is, the person concerned is clarified in every situation where his/her personal data is processed.
b) Liabilities Regarding Data Security
KERVANSARAY HOTEL, which is data responsible regarding data security according to Article 12, is obliged to:
♣         Prevent unlawful processing of personal data,
♣         Prevent unlawful access to personal data,
♣         Maintain personal data.
KERVANSARAY HOTEL, acting as a data officer, has to take all necessary technical and administrative measures to ensure the appropriate level of security in order to fulfil these obligations. It is among the powers and duties of the Board to carry out regulatory procedures in order to determine obligations related to data security. However, it may be possible to take additional measures based on the nature of the personal data processed on a sector basis, based on the minimum criteria to be determined by the Board.
KERVANSARAY HOTEL is jointly responsible for taking necessary measures in case personal data is processed by another real or legal person on its behalf. Therefore, data processors are also obliged to take measures to ensure data security. Accordingly, if, for example, the records of the data officer’s company are kept by an accounting company, the data officer KERVANSARAY HOTEL shall be jointly responsible with the accounting company for taking measures regarding the processing of the data.
The law also imposes an audit obligation on the data officer regarding data security. The data officer is obliged to perform or have the necessary audits carried out in his own institution or organization in order to ensure the implementation of the provisions of the Law. Therefore, the data supervisor can perform this inspection himself or by means of a third party. On the other hand, the data responsible and the persons who process the data cannot disclose the personal data they have learned in contradiction with the provisions of this Law and use it for any purpose other than processing. This obligation continues even after they leave the office.
Finally, if the personal data processed is obtained by others by unlawful means, the data officer shall inform the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or in any other way it deems appropriate.
Data security measures to be taken for each one of the data responsible for the structure, activities and be subject to the risks that must be appropriate. Therefore, a single model of data security cannot be foreseen. In determining the appropriate measures, the size or turnover of the company, as well as the nature of the work performed by the data officer and the personal data protected are important.

c) Obligation to reply to applications made by the persons concerned
Data responsible KERVANSARAYHOTEL, finalizes demands that are in writing or other methods to be determined by the Board about the application of the Law, according to their qualifications, as soon as possible and within 30 days at the latest, free of charge. However, in the event that the transaction requires additional cost, KERVANSARAY HOTEL may request the fees from the relevant person applying the tariff determined by the Board.
If KERVANSARAY HOTEL accepts the request or rejects it by explaining the reason, it informs the person in writing or electronically. In case the request in the application is accepted, the requirement of this request is fulfilled. If the application is due to the mistake of KERVANSARAY HOTEL, the fee will be returned to the person concerned.
In case of rejection of the application, inadequate response or failure to respond to the application in due time; the person concerned may lodge a complaint with the Board within thirty days from the date of receipt of the reply and in any event within sixty days from the date of application.

d) Obligation to Fulfil Board Decisions
If the Board detects the existence of a violation as a result of the investigation that it will carry out upon the complaint or if it learns the allegation of violation, it shall be resolved by KERVANSARAY HOTEL , the data officer responsible , and notified the decision to the related parties. KERVANSARAY HOTEL shall fulfil this decision without delay as of the date of notification and within thirty days at the latest.

 e) Obligation to register with the Data Responsible Register
KERVANSARAY HOTEL is obliged to register to the system called Data Responsible Registry (VERBİS) and declare the information about data processing activities.

Data Processing Person
In the case of data processing, it may be defined as real or legal persons outside the organization of the data officer who process personal data on behalf of the data officer based on the authorization of the data officer, and it is also possible to combine the data officer and data processing attributes into a single legal or natural person. KERVANSARAY HOTEL acts as a Data Processor at the same time and processes your personal data in accordance with the Law.

Processing of Personal Data
Processing of Personal Data is any kind of process where the data is obtained by means of fully or partially automatic or non-automated means provided that it is part of any data recording system, recorded, stored, saved, changed, rearranged, disclosed, transferred, taken over, made available or prevented from use.
The purpose of personal data processing by KERVANSARAY HOTEL is set forth before the beginning of personal data processing. In addition, personal data are processed by KERVANSARAY HOTEL in connection with the service it provides and as much as necessary for the service.

  Principles of Personal Data Processing
Provided that necessary measures are taken to protect your privacy and all legal principles regarding the processing of personal data are complied with, KERVANSARAY HOTEL processes personal data in accordance with the following principles for the purposes set out in this Personal Data Processing Policy:
• Compliance with the law and the rules of honesty,
• Being accurate and up-to-date when necessary,
• Processing for specific, clear and legitimate purposes,
• Being related with the purposes for which they are processed, being limited and moderate,
• Retention for the period required by the relevant legislation or for the purpose for which it was processed.

When can your personal data be processed?
If the personal data owner has explicit consent, if there is a clear regulation in the law that personal data will be transmitted, if it is necessary for the protection of the life or body integrity of the personal data holder or someone else, and if the personal data holder is unable to disclose his consent due to actual impossibility, or if his consent is not legally authorized, If it is necessary to transfer personal data of the parties to the contract provided that it is directly related to the establishment or performance of a contract, if the personal data is publicized by the personal data owner, and if the personal data transfer is compulsory for the establishment, use or protection of a right, the personal rights and freedoms of the personal data holder, personal data can be saved and transmitted without prejudice.

How Long Will Your Personal Data Be Preserved?
Your personal data processed in accordance with GDPR for the purposes specified in this Personal Data Processing and Protection Policy will be erased, destroyed or continue to be used by KERVANSARAY HOTEL when the objective requiring processing according to GDPR 7/f.1. is eliminated and/or the statute of limitations prescribed by legislation for processing personal data is timed out.

Security of Personal Data
KERVANSARAY HOTEL, in accordance with Article 12 of the GDP Law, takes appropriate measures to prevent unlawful processing of personal data, to prevent unlawful access to such data, and to prevent unlawful processing of personal data by third parties.
Responsibility
KERVANSARAY HOTEL has the responsibility on all kinds of transactions, applications and results of hotel customers, visitors and business partners, from www.hotelgoldenpark.net address or other linked sites, mobile applications, promotions and advertisements and all kinds of information and notifications made to them electronically communicated with the decisions taken within the scope of the information they receive.
Since the legal/actual driving license status of our customers and visitors could not be known by KERVANSARAY HOTEL, the responsibility for the use and transactions of children and other minors belongs to their legal representatives. They may also exercise their rights to personal data through their legal representatives.

Periodic Destruction and Legal Retention Periods
Physical and digital data that expires the statutory storage and disposal periods is periodically destroyed. KERVANSARAY HOTEL erases, destroys or anonymises personal data in the process following the date when the obligation to delete, destroy or anonymize personal data arises.
Deletion and Destruction Process if Data Holders Request
In the event that data owners request that their personal data be deleted or destroyed by applying to KERVANSARAY HOTEL, KERVANSARAY HOTEL checks the current status of the personal data processing conditions and takes related actions accordingly.
If all the conditions for processing personal data have been removed, the personal data subject to the request will be deleted, destroyed or made anonymous. KERVANSARAY HOTEL shall conclude the request of the person concerned within thirty days at the latest and inform the person concerned.
If all of the personal data processing conditions have been removed and the personal data subject to the request have been transferred to third parties, KERVANSARAY HOTEL shall notify this to the third party and ensure that the necessary actions are taken by the third party under the regulation.
If all the conditions for processing personal data have not been removed, KERVANSARAY HOTEL may deny the request by explaining the reason to the relevant data owner and notify the person concerned in writing or electronically within thirty days at the latest.

 Changes to Policy
Following any official changes to be made in the relevant legislation, KERVANSARAY HOTEL may make changes in this Policy in accordance with these changes.
Any changes that may be deemed necessary in the confidentiality by KERVANSARAY HOTEL, storing and destroying personal data, terms of use of the site, the products, services and activities offered to KERVANSARAY HOTEL customers will be effective as soon as they are announced via internet address or other appropriate communication means.
Changes to the Policy by KERVANSARAY HOTEL can be examined and all kinds of complaints and additional information about the changes can be made on www.hotelgoldenpark.net.

Effectiveness of Policy
This Data Processing Policy, which was issued by KERVANSARAY HOTEL and entered into force on the date of its publication, is published on www.hotelgoldenpark.net website and made available to the relevant persons upon request of Personal Data holders.
This Policy is regulated within the scope of the Obligation “Disclosure of the Data Officer” specified in Article 10 of the Law No. 6698 (Law).

ISTANBUL KERVANSARAY HOTEL AND TOURISM INC.
CLARIFICATION TEXT ON PROCESSING AND PROTECTION OF PERSONAL DATA

This Clarification text is written by ISTANBUL KERVANSARAY HOTEL AND TOURISM INC. (“KERVANSARAY HOTEL”), which acts as data responsible, in accordance with Personal Data Protection Law (“Law”) numbered 6698 to make an explanation and to inform about processing data of hotel customers, hotel employees, business partners, potential business partners that belong to KERVANSARAY HOTEL and third parties in relation to  KERVANSARAY HOTEL. For detailed information about the processing of your personal data that you share with KERVANSARAY HOTEL, you can access Kervansaray Hotel Personal Data Processing and Protection Policy (KVK Policy) at www.hotelgoldenpark.net.

What are personal data
In the context of KVKK (Law on Protection Of Personal Data), personal data is defined as any information that makes a real person specific or identifiable. Your personal data that may be processed by KERVANSARAY HOTEL, responsible for the data, including but not limited to:
• Name and Surname
• E-mail Address
• Turkish Identity or Passport Number
• Phone and Fax Number
• Date of Birth and Gender Information
• Camera and Audio Recordings
• Your Check-in Check-out Time
• Your Vehicle Information
• Your photos
• Your Bank Account Number and Billing Information
Purposes of Processing and Transferring of Personal Data
Personal Data are processed, in accordance with the law and the aim of the law, with the purposes as mentioned below, but not limited to;
• Correct planning, execution and management of human resources policies, business partnerships, management and communication activities and strategies
• To have the personal data holders benefit most from the products and services and to offer these services and products according to their demands, needs and desires
• Performing risk management and quality improvement activities
• Invoicing for our services
• Confirming your identity
• Monitoring and preventing unauthorized and unlawful transactions
• Satisfaction analysis
• Ensuring the highest level of data security
• Development of the services offered on the Internet site and elimination of errors on the site
• Contacting the Personal Data Owners who have forwarded their requests and complaints to KERVANSARAY HOTEL
• Giving information to the competent authorities from the legislation
• To ensure general security and to take the necessary measures at KERVANSARAY HOTEL and hotels those belong to KERVANSARAY HOTEL, to create and to monitor visitor registration.
Your direct consent is obtained by KERVANSARAY HOTEL regarding data processing course if the processing activity carried out for the mentioned purposes does not meet any of the conditions stipulated in the Law.

Method of Personal Data Collection and Legal Reason
Your personal data are collected via channels such as e-mail, related web sites and mobile applications by KERVANSARAY HOTEL, from automatic data processing devices used in public areas such as entrances and exits, car park and elevator within KERVANSARAY HOTEL and within hotels of KERVANSARAY HOTEL and from social media accounts that you allow KERVANSARAY HOTEL to access.
Your personal data may also be processed and shared under the terms and purposes of the personal data processing specified in Articles 5 and 6 of the Law.

What are the Requirements for Personal Data Processing?
The processing of personal data is possible if at least one of the cases listed in Article 5 of the Law is found. According to this;
♣         Existence of the express consent of the person concerned,
♣         Explicitly stipulated in the law,
♣         It is compulsory for the protection of the life or body integrity of the person who is unable to explain his or her consent due to the impossibility or whose consent is not legally granted,
♣         The processing of personal data of the parties to the contract is necessary provided that it is directly related to the establishment or execution of a contract,
♣         It is obligatory for the data officer to fulfill his legal obligation,
♣         Having been publicized by the person concerned,
♣         Data processing is mandatory for the establishment, use or protection of a right,
♣         Personal data may be processed if it is compulsory to process data for the legitimate interests of the data officer, provided that they do not harm the fundamental rights and freedoms of the person concerned.

The conditions for the processing of personal data, that is their compliance with the law, are specified in the Law in a limited number and these terms cannot be extended. If personal data processing is based on one of the provisions of the Law other than the express consent, then there is no need to obtain express consent from the person concerned. While it is possible to carry out data processing on a basis other than explicit consent, it will be deceptive and abuse of right if it is based on explicit consent. As a matter of fact, if the explicit consent given by the person concerned is revoked, KERVANSARAY HOTEL’s operation on the basis of one of the other personal data processing conditions shall mean that the transaction is contrary to law and honesty rules.

In this context, it should be evaluated whether the purpose of personal data processing activity performed by KERVANSARAY HOTEL, who is responsible for data, is based on one of the processing conditions other than explicit consent, if this purpose does not meet at least one of the conditions other than the explicit consent stated in the Law, then open Consent must be obtained from the concerned person in order to continue the activity of processing.

Consent in the Processing of Personal Data
In order for your personal data to be processed by KERVANSARAY HOTEL in accordance with the provisions of Law No. 6698 on the Protection of Personal Data, the EXPLICIT CONSENT of the data owner is required.
Explicit consent within the framework of the law means that the person gives consent to the processing of his/her data, either at his own request or on the request of the other party. Another importance of explicit consent is that it guides the data processor about the activity it will perform. In fact, the person expresses his/her decision regarding his/her legal value with the explicit consent statement.
The express consent shall enable the person to determine the limits, scope, manner and duration of the data that he or she allows to process. In this sense, express consent must include a declaration of positive will of the consenting person.  Written explicit consent is not required without prejudice to other legislation. Open consent can be obtained through electronic media and call centre and so on. The burden of proof rests with the data officer. Within the definition of open consent given in article 3 of the Law, open consent has 3 elements:
1) To be related to a specific subject
Open express consent, which is not limited to a specific subject and is not limited to the relevant transaction, is deemed to be invalid by law. In order to be valid, consent must be related to a specific issue. This means that an open-ended consent in the form of “I accept the processing of my data” will not be accepted alone as open consent in the context of the Law.
Consent should also be given in terms of different points of processing, in particular which data will be processed for what purposes. What is important here is the mutual reasonable expectations of the parties. As can be understood, consent is related to a specific issue and depends on the nature of the information.
As a rule, it is sufficient for the data officer to obtain the express consent of the person concerned, provided that the person concerned is likely to foresee for the different transactions to be performed. However, if the data officer subsequently wishes to process this data for different purposes (such as transfer to third parties), further consent will be required. The same applies if the purpose of processing the data changes.
2) Consent Being Based on Informing
Prior to the granting of the consent, the person concerned must be informed in a clear and understandable manner in all matters relating to processing. There are two main elements to inform the person concerned:
• Understandability: It is vital that information is carried out in a language that an average individual can understand. It should be noted that the limit of understandability will vary depending on the concrete situation and the target audience. In this context, it may be necessary to use simple language, to avoid professional or technical jargon and to use terms such as explaining if necessary.

• Accessibility: Information should be provided directly to the person concerned; to be accessible in some places is not enough. It is also important that the information is clearly visible (the font and size are effective in this).
3) Free Will
Consent is valid only if the person concerned can make a real choice. Deception, intimidation, exposure to pressure, or the absence of consent will result in significant negative consequences that will not be based on free will.

Rights of the Personal Data Owner in accordance with the KVK Law
As KERVANSARAY HOTEL, we inform our hotel customers, employees and business partners, whose personal data we process, on your rights arising from the Law in accordance with Article 11 of the KVKK, provide guidance on how to use these rights and perform all necessary internal procedures, administrative and technical regulations.
Data holders whose personal data are processed have below rights against KERVANSARAY HOTEL in accordance with article 11 of KVKK;
• To learn whether personal data is processed or not,
• To demand information if personal data has been processed,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data is transferred at home or abroad,
• To request correction of personal data in case of incomplete or incorrect processing,
• To request deletion or destruction of personal data within the principles laid down in KVKK,
• To request to notify third parties in case the data have been incorrectly transferred, deleted or destroyed
• To object to a conclusion against her/himself by analysing the processed data exclusively through automated systems,
• To demand damages in case of damage due to unlawful processing of personal data,

Personal Data Holders may submit their claims regarding their rights to KERVANSARAY HOTEL with the information and documents from which they can be identified together with the methods shown in the “Application Form for Data Officer” within the scope of KVKK” at www.hotelgoldenpark.net .
In order for third parties to request an application on behalf of personal data owners, a special power of attorney issued by a notary public on behalf of the person applying for the data owner must be present.

ISTANBUL KERVANSARAY HOTEL AND TOURISM INC.

CLOSED CAMERA RECORDING SYSTEMS CLARIFICATION TEXT

This is the clarification text is written for the purpose of clarifying the data owners about the procedures and principles regarding the processing of personal data collected by closed circuit camera system that is used in locations in which safety service is provided by  data responsible ISTANBUL KERVANSARAY HOTEL AND TOURISM INC. (“KERVANSARAY HOTEL”) in accordance with Law no 6698 on the Protection of Personal Data (“Law”).

1.  Purpose of Processing Personal Data 

Collected the personal data are processed within the purposes of ensuring legal, technical and commercial work safety of the related person and institutions that are in business relation with KERVANSARAY HOTEL and providing safety of locations that belong to KERVANSARAY HOTEL, within the scope of personal data processing conditions and purposes defined in the articles 5 and 6 of the Law.

2. Parties to whom Personal Data may be Transferred and Purpose of Transfer 

Personal data is collected through closed circuit camera systems located at the locations. Personal Data collected for the above-mentioned legal reasons can be processed and transmitted within the scope of the personal data processing conditions and purposes set forth in Articles 5 and 6 of Law No. 6698 articles 1 and 2 of this Clarification Text.

3.  Method of Personal Data Collection and Legal Reason 

Personal data is collected through closed circuit camera systems located at the locations. Personal Data collected aforementioned legal reasons, 6698 Law No. ‘ 5. v e 6 products covered by the personal data processing requirements and objectives set forth in business this Lighting text 1 and 2 m can be processed for the purposes mentioned in ADDENDUM and passed.

4. Rights of Data Owners and Use of These Rights 

In accordance with Article 11 of the Law, the owners of data have below rights;

• To learn whether personal data is processed or not,
• To demand information if personal data has been processed,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data is transferred at home or abroad,
• To request correction of personal data in case of incomplete or incorrect processing and to request that the transaction carried out in this context be notified to the third parties to whom the personal data has been transferred,
• To request the deletion or destruction of personal data in the event that the reasons requiring processing are eliminated and to notify the third parties to whom the personal data has been transferred, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws,
• To object to a conclusion against her/himself by analysing the processed data exclusively through automated systems,
• To demand damages in case of damage due to unlawful processing of personal data,

 

These rights will be evaluated and finalized within 30 days if they are forwarded to KERVANSARAY HOTEL by personal data owners. It is essential that no fee is charged for the requests, but KERVANSARAY HOTEL reserves the right to charge fees based on the tariff determined by the Personal Data Protection Board.

With our respect.

ISTANBUL KERVANSARAY HOTEL AND TOURISM INC. PERSONAL DATA STORAGE AND DISPOSAL POLICY

1. INTRODUCTION

1.1 Objective

The objective of this policy is to set forth the principles and procedures regarding the processing and protection of personal data as well as the deletion, disposal and anonymization of such processed personal data by ISTANBUL KERVANSARAY HOTEL VE TURİZM A.Ş (ERV KERVANSARAY HOTEL ”); according to the Law No. 6698 on the Protection of Personal Data (Law) published in the Official Gazette No. 30224 on 28.10.2017, the Regulation on the Deletion, Destruction or Anonymous Making of Personal Data (Regulation).

 

1.2 Scope

This policy , as specified in the Law or any data fully or partially automatic registration system located in the non-automated system for processing data path, provided that the part includes personal data. Unless otherwise specified in the policy, personal data and personally identifiable personal data will be collectively referred to as “Personal Data”.

 

1.3 Abbreviations and Definitions

Open Consent: Consent based on information about a specific subject and declared with free will.

Anonymous Rendering: Making personal data unmatched to any identifiable or identifiable natural person, even by pairing it with other data.

EDMS: Electronic Document Management System Electronic

Media: Environments where personal data can be created, read, modified and written with electronic devices.

Non-Electronic Environment: All electronic, printed, printed, visual, and so on. other environments.

Related Person: KERVANSARAY HOTEL , whose personal data is processed , refers to its employees, business partners, customers and third parties.

Relevant User: Persons who process personal data within the organization of the data officer or with the authority and instruction received from the data officer, except the person or unit responsible for the technical storage, protection and backup of the data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Law No. 6698 on the Protection of Personal Data.

Recording Media: Any media containing personal data that is either fully or partially automated or processed by non-automated means provided that it is part of any data recording system.

Personal Data: Any information relating to an identifiable or identifiable natural person.

Personal Data Processing Inventory: The data processing activities of the data responsible according to the business processes; the inventory that they form by linking the personal data with the purposes of data processing, the data category, the group of recipients transferred, and the group of data subject, and detailing the maximum time required for the purposes for which the personal data were processed, the personal data envisaged to be transferred to foreign countries, and the measures taken for data security.

Processing of Personal Data : Any operation, which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.

Board: The Personal Data Protection Board.

Personal Data: Biometric data about the race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures. and genetic data.

Periodic Disposal:  The deletion, disposal or anonymization, which shall be conducted automatically on a periodical and recurrent basis as specified within the personal data storage and disposal policy in the cases, where all of the requirements for the processing of personal data as set forth within the Code cease to be satisfied.

Policy: Storing and Disposing of Personal Data

Data Processor:  Refers to KERVANSARAY HOTEL, which processes personal data .

Data Recording System: A recording system in which personal data is structured and processed according to certain criteria.

Data Responsible: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. ( KERVANSARAY HOTEL MANAGEMENT )

Data Officers Registry Information System: An information system created by the Presidency and managed by the Presidency, which will be used by the data responsible for the application to the Registry and other related transactions.

VERBIS: Data Responsible Registry Information System

Regulation: Regulation on the Deletion, Destruction or Anonymous Making of Personal Data published in the Official Gazette dated October 28, 2017 .

2. COMMITMENTS AND DECLARATIONS

Unless exempted by exception, KERVANSARAY HOTEL is a data officer responsible for registration. It accepts, declares and undertakes that it is obliged to prepare a Policy and to act in accordance with this Policy in order to store the personal data it holds in accordance with the Law and regulations and to delete, destroy or anonymize it when necessary.

The following principles apply to the storage and disposal of personal data:

1. a) KERVANSARAY HOTEL, in accordance with article 4 of the Law : It accepts, declares and undertakes that it shall comply with the principles of uygun compliance with the law and honesty rules, being accurate and up-to-date when necessary, processing personal data for certain, clear and legitimate purposes, processing personal data in a limited and measured manner, and preserving it for as long as necessary ”.
2. b) KERVANSARAY HOTEL accepts that the preparation of this Policy does not imply that personal data are deleted, destroyed or anonymized in accordance with the legislation.
3. c) When storing, deleting, destroying or anonymizing personal data, KERVANSARAY HOTEL shall comply with the security measures stated in Article 12 of the Law, the provisions of the relevant legislation , particularly the Regulation, and the decisions to be taken by the Personal Data Protection Board and the Policy. accept, declare and undertake that it will act appropriately.
4. d) KERVANSARAY HOTEL shall ensure compliance with the tools, programs and processes to be applied in accordance with this Policy and the Policy during the deletion, destruction or anonymization of the personal data which are fully or partially automated or processed by non-automatic means provided that it is part of any registration system undertakes.
5. RECORDING MEDIA

KERVANSARAY HOTEL agrees to include in the scope of this Policy the personal data in the following environments which contain personal data and in addition to the other media that may arise.

1. a) Computers and servers registered on behalf of KERVANSARAY HOTEL
2. b) Network devices
3. c) Shared / non-shared disk drives used for storing data on the network
4. d) Cloud systems
5. e) Mobile phones and all storage areas
6. f) Paper
7. g) Microfiche
8. h) Peripherals such as printer, fingerprint reader
9. i) Magnetic tapes
10. j) Optical discs
11. k) Flash memories
12. CONDITIONS REQUIRING STORAGE AND DISPOSAL OF PERSONAL DATA

KERVANSARAY HOTEL stores personal data with the express consent of the person concerned or without the express consent of the person concerned in the cases written in the Law, without prejudice to the storage periods stipulated in the legislation, in accordance with the principles specified in the Law for the period required for the purpose of processing the data.

As a rule, private personal data cannot be stored or processed in any other way without the express consent of the person concerned, but they are processed in the cases and processes specified in the Law .

In cases where we process personal data for more than one purpose, the data is deleted, destroyed or anonymized and stored at the request of the person concerned (in case there is no obstacle in the legislation). In terms of destruction, deletion or anonymization, the provisions of the legislation and decisions of the Board of the KVK shall be complied with.

5. CIRCUMSTANCES REQUIRING DISPOSAL OF PERSONAL DATA

KERVANSARAY HOTEL will initiate the necessary actions in case of a violation as stated below. KERVANSARAY HOTEL takes all kinds of technical and administrative measures for safe storage of personal data and preventing unlawful processing and access. The reasons for the destruction of personal data are as follows:

5.1. Unlawfulness

KERVANSARAY HOTEL undertakes that it will not store and / or process any personal data in contradiction with the manner specified in the Law, and will destroy the data that is illegal to store in accordance with the changing legislation, in accordance with the Law, Regulation, KVKK decisions and the provisions of this Policy.

5 .2. Elimination of Data Processing Terms

KERVANSARAY HOTEL is responsible for the up-to-date data processing conditions and shares this responsibility with its employees. Employees cannot continue to process data if the data processing requirements are removed. KERVANSARAY HOTEL, as mentioned in the Regulation accepts the disappearance of cases, data processing conditions listed below:

1. a) Amendment or repeal of the provisions of the relevant legislation which constitute the basis for processing personal data,
2. b) The contract between the parties has never been established, the contract is invalid, the contract is terminated automatically, the contract is terminated or returned from the contract ,
3. c) Eliminating the purpose of processing personal data,
4. d) The processing of personal data is against the law or the code of honesty,
5. e) In case the processing of personal data occurs only with the express consent of the person concerned, the person concerned revokes his consent,
6. f) Acceptance of the application made by the person concerned to the data officer upon request of deletion or destruction of personal data following the elimination of situations requiring data processing activity,
7. g) Data charge of the , by the request for deletion or destruction of personal data by the person to reject the application made to it, his answer was found lacking or in case of non-response within the time limit specified in the Law; Complaining to the Board and approval of this request by the Board,
8. h) Although there has been a maximum period of time for the storage of personal data, there is no requirement to justify the storage of personal data for a longer period of time.
9. DISPOSAL OF PERSONAL DATA

The destruction of personal data can be achieved in three different ways. These are deletion, destruction or anonymization of data.

6.1 Deleting Personal Data

Deletion of personal data is the process of making personal data inaccessible and inaccessible to the users concerned. Although KERVANSARAY HOTEL has been processed in accordance with the provisions of the relevant law, in case the reasons that require processing are eliminated and the conditions set out in the Regulation arise, it deletes or destroys personal data according to its decision or upon the request of the personal data holder.

6.2 Destruction of Personal Data

Destruction of personal data is the process by which personal data cannot be accessed, retrieved or reused by anyone in any way.

Destruction will be carried out in cases where KERVANSARAY HOTEL processes data in physical recording environments. By destroying, this data is rendered impossible to recover. During this process, KERVANSARAY HOTEL employees and related departments are obliged to inform the KVKK Working Group about the data to be destroyed, and then KERVANSARAY HOTEL shall take all necessary technical and administrative measures.

6.3 Anonymization of Personal Data

The anonymisation process is where KERVANSARAY HOTEL processes personal data completely or automatically, making it unrelated to a certain or identifiable natural person even if it is matched with other data.

7. MEASURES FOR THE STORAGE AND DISPOSAL OF PERSONAL DATA
8. 1 Technical Measures Concerning the Storage of Personal Data

Security systems are established in accordance with technological developments regarding the storage of personal data. Only authorized employees have access to personal data. Personal data, which cannot be accessed even by authorized employees, is protected by key and password methods. KERVANSARAY HOTEL, storing the data from the 3rd person work demands commitments regarding the fulfilment of certain standards. However, KERVANSARAY HOTEL takes the necessary precautions to ensure that personal data is not lost and used illegally.

7.2 Administrative Measures Concerning the Storage of Personal Data

Additional technical data and create awareness about the preservation of administrative inform our employees about risks la together, the people of personal data is transferred, the necessary security measures to protect personal data transferred to and stored in a secure we take.

8. MEASURES RELATED TO DISPOSAL OF PERSONAL DATA

8.1 Technical Precautions Regarding the Destruction of Personal Data

The unit responsible for data processing and destruction determines the personal data that will be the subject of the deletion process and identifies the relevant users for each personal data. Authorities and methods of access, retrieval, re-use of personal users within the scope of personal data are closed and eliminated.

Data on cloud systems and central server are deleted by giving delete command. Database corresponding line of data in the database command l bees (Delete) and delete. All these operations are removed if the user is authorized to retrieve the deleted data. For erasing data stored in other recording media (blackout etc.) and disposal (no physical not, to de-magnetize overwriting) one or anonymization methods are preferred. All relevant media for the disposal method to be selected are determined and the type of system where the data is located is considered.

8. 2 Administrative Measures Concerning Destruction of Personal Data

Employees are informed about the protection and destruction of personal data within the legislation. In the workplace, especially necessary equipment for physical destruction is kept.

9. DISPOSAL METHODS AND PROCESS OF PERSONAL DATA

Destruction of personal data takes place in the following ways:

9.1 Delete Command

The data in the cloud system and databases is deleted by giving a delete command. It is noted that the said user is not authorized to retrieve deleted data on the cloud system or database while performing said operation. All copies of the encryption keys of personal data are also destroyed. Help is available from the cloud administrator if necessary.

9.2 Anonymization Methods

In the case of anonymization, the nature of the data, the size, the diversity, the nature of the presence in the physical environment, the frequency of processing, the reliability of the party to be transferred, the effort to make the data anonymous, and so on. the appropriate method is selected and anonymization is applied.

9.3 Overwriting

It is the process of making old data unreadable by writing random data consisting of 0 and 1 at least 8 times with software on magnetic media and rewritable optical media.

9.4 Magnetizing

It is the process of placing the magnetic media in a high value magnetic field in order to make the data on it unreadable.

9.5 Physical Destruction

It is the process of physically destroying optical or magnetic media by melting, pulverizing, grinding and the like. It can be applied in cases where magnetization or overwriting methods fail. Paper personal data on the media in the necessary paper will be destroyed with the destruction or crop machinery.

Printer, door entry tourniquet, network devices, mobile phones and so on. for the destruction of personal data contained in such environments. Such disposal must be carried out before the devices are subjected to backup, maintenance and similar operations.

10. STORAGE AND DISPOSAL TIMES
11. 1 Periodical Destruction and Legal Retention Times

Physical and digital data that expires the legal retention periods are periodically destroyed within the intervals stipulated by the legislation. Periodic destruction takes place at 6-month intervals for all personal data. Records of such transactions relating to deleted, destroyed and anonymized data shall be retained for at least 3 years free of other legal obligations.

10.2 Deletion and Elimination Process if Data Holders Request

Data holders KERVANSARAY HOTEL where requested the deletion of personal data belonging to itself by application or destruction KERVANSARAY HOTEL, checks the current status of the personal data processing conditions and is hence related actions. Deletes, destroys or anonymized the personal data subject to the request if all of the personal data processing requirements have been removed. KERVANSARAY HOTEL shall conclude the request of the person concerned within thirty days at the latest and inform the person concerned. KERVANSARAY HOTEL informs the third party if all of the personal data processing conditions have been removed and the personal data subject to the request has been transferred to third parties; ensures that the necessary actions are taken by the third party within the scope of the Regulation. If the disappearance of all personal data processing conditions, KERVANSARAY HOSPITALITY concerned may reject the request by explaining the rationale for rejection of data and notifies the appropriate person to answer later in writing or in electronic form within thirty days.

 

11. EFFECTIVE DATE OF POLICY AND UPDATES TO BE MADE IN POLICY
12. An update can be made to the Policy following the amendment to be made in the relevant legislation.
13. KERVANSARAY HOTEL will share its changes with the employees via e-mail in order to review the changes made to the Policy and make them available to the employees via corporate internet. This Policy entered into force as of … / … / … date.

ISTANBUL KERVANSARAY OTELCILIK VE TOURISM INC.
, APPLICATION TEXT FOR DATA RESPONSIBLE WITHIN LOPPD (LAW ON THE PROTECTION OF PERSONAL DATA)

The right to apply of the data owner to the data officer is regulated according to the Law no. 6698. In this context, the person concerned can apply to KERVANSARAY OTELCİLİK, the data officer, and request the fulfillment of the following rights in Article 11 of the Law:

• To find out if your personal data is being processed.
• To request information on the processed data, if personal data has been processed,
• To learn the purpose of processing the personal data and whether or not the personal data has been used in accordance with the declared purpose,
• To know about the third parties at home and abroad, to which the personal data has been transferred,
• To request for the correction of the personal data, if such data were processed incompletely or incorrectly,
• Within the context of the principles specified in the LOPPD, to request the deletion or destruction of personal data,
• In the event of incorrect transfer, deletion or destruction of data, to request that these situations be communicated to third parties to whom their data is transmitted.
• To object to any consequence that may arise against oneself through the analysis of the processed data exclusively by means of automated systems,
• To request to compensate the damages in the events that personal data is damaged due to unlawful processing,

In accordance with the provision of the first paragraph of Article 13 of the LOPPD Law:  “the person concerned, in writing or by other methods to be determined by the Board, requests for the application of this Law.,” according to the nature of the demand, Pursuant to paragraph 2 of Article 13 of the KVK Law, applications made in writing or by other methods determined by the Personal Data Protection Authority will be finalized as soon as possible and at the latest within thirty days from the date the application reaches KERVANSARAY OTELCİLİK.  

In the application to be made within this framework, it must exist the applicant’s following information:

1. Name, surname and signature if the application is written,
2. If the applicant is a citizen of the Republic of Turkey, T. C. identification number, nationality if foreign, passport number or identification number (if any),
3. Place of residence or place of work for notification,
4. Notification e-mail address (if any), telephone / fax number,
5. Request subject

In addition to that the applicants may be able to apply personally with a document proving their identity by coming to the address “Kocatepe Quarter, Lamartin Street, No: 22-24 Beyoğlu / İSTANBUL”, they may apply through a notary public, via Registered Electronic Mail (REM) signed by the Secure Electronic Signature defined in the Electronic Signature Law No. 5070, or by e-mail to info@hotelgoldenpark.net. Also, after the announcement of other methods to be determined by the Personal Data Protection Authority, KERVANSARAY OTELCİLİK will announce how the applications will be received through these methods. 

In order to reach the form, please Click