Personal Data Protection Law

1. Introduction

This personal data processing policy has been prepared by KARALAR PETROL TAR. TYPE. NAK. And TRADE LTD. ŞTİ. SENSITIVE PREMIUM RESORT & SPA (briefly, the “COMPANY”) to determine the procedures and principles to be applied by the COMPANY regarding the processing of personal data that we hold in our capacity as data controller in accordance with the Personal Data Protection Law No. 6698 and other legislation.

2. Scope

The personal data of our employees, prospective employees, guests and all natural persons who have personal data with the COMPANY for any reason are managed in accordance with the law within the framework of this Personal Data Processing Policy.

3. Definitions

Law/KVKK: Personal Data Protection Law No. 6698 dated 24/3/2016.

Board/Institution: Personal Data Protection Board/Personal Data Protection Authority.

Personal Data: Any information regarding an identified or identifiable natural person.

Relevant Person: The person whose personal data is processed.

Explicit Consent: Consent regarding a specific subject, based on information and obtained with free will.

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.

Deletion of Personal Data: Making personal data inaccessible and unusable in any way for Relevant Users.

Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and unusable by anyone.

Processing of Personal Data: Any action performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Data processor: Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

Personal Data of Special Qualification: Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric data and genetic data.

Disclosure Obligation: During the acquisition of personal data, the obligation of the data controller or the person authorized by him/her to inform the relevant persons about the identity of the data controller and his representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11 of the Law.

Sedna: The Front Office, Accounting, Purchasing, Guest Relations and HR automation system, which includes guest data.

Destruction Policy: The policy on which data controllers base the process of deleting, destroying and anonymizing personal data and determining the maximum period required for the purpose for which they are processed.

Recording Medium: Any electronic environment containing personal data processed by fully or partially automated means or by non-automatic means provided that it is part of any data recording system.

Company: KARALAR PETROL MAM. TAR. TYPE. NAK. And TRADE LTD. ŞTİ.

4. Principles Regarding the Processing of Personal Data

4.1 Compliance with the law and the rules of honesty: The COMPANY protects the individual rights of the persons concerned during the processing of personal data. Personal data is collected and processed lawfully and fairly.

4.2 Processing for specific, clear and legitimate (transparency) purposes and being limited and proportionate in relation to the purpose for which they are processed: The purposes for which personal data will be processed by the COMPANY are disclosed before the personal data processing activity begins. The COMPANY processes personal data only to provide better service to the relevant persons. During the acquisition of personal data, the relevant person is informed about the identity of the data controller and his representative, if any, the purpose of personal data processing, to whom and for what purposes personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the relevant person.

4.3 Storage for the period specified in the relevant legislation or necessary for the purpose for which they are processed: The COMPANY retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. As long as personal data is deemed necessary for the purposes for which they are processed and is required by regulatory authorities and/or relevant laws and regulations, the COMPANY and its subsidiaries under its control will continue to process and maintain personal data in accordance with the purposes set out by this policy.

Accuracy of information, timeliness of data: The COMPANY keeps the processed personal data accurate, complete and, if necessary, up-to-date. Where necessary, inaccurate or incomplete data is deleted, corrected, completed or updated.

Privacy and data security: Personal data is subject to data confidentiality. It is considered confidential at the personal level and necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as accidental loss, alteration or destruction, and to ensure the preservation of personal data.

5. Scope of Data Processing

Personal data processing is carried out in two different ways.

Fully or partially automated processing of data: Receiving, collecting, recording, photographing, sound recording, video recording, organizing and storing data from the relevant person or third parties specified in this policy for the purposes of transferring, disseminating or presenting in different ways, grouping or combining, blocking, deleting or destroying. It includes modification, restoration, withdrawal or disclosure.

Processing/obtaining data through non-automatic means: It includes recording, storing, preserving, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making available, classifying or preventing use, provided that it is a part of any recording system.

The COMPANY will have the right to process the personal information of the relevant person, in accordance with the purposes specified in this policy, during the use of its services and after the termination of the service relationship.
Personal data processing by the COMPANY includes, without any restrictions, any action taken against data using non-automatic means, provided that it is automatic, semi-automatic or part of an automatic system.
The COMPANY processes the data of the relevant person or persons under the custody of the relevant person.
Data processing also includes sharing data given on the instructions of the COMPANY and/or with the express consent of the relevant person and/or third parties, when the COMPANY is the data processor and acts on behalf of and on the instructions of a third party.
The express consent of the relevant person also includes the recording and processing by the COMPANY of the activities of the relevant person while using various electronic channels (including, but not limited to, web browser, website, internet, mobile applications, payment transactions, technical methods and channels used for money transfer and receipt). (For example: determining the location of the relevant person when using an electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data.)

6. Fundamentals of Data Processing

6.1 The relevant person accepts that, during the use of the COMPANY services and even if the contractual relationship is terminated, it is necessary for the COMPANY to process the information of the relevant person or of third parties specified by the relevant person, within the scope of the following purposes.

Providing and/or implementing a service for the relevant person,
Data processing is mandatory in order to protect the legal rights of the COMPANY and/or third parties,
Fulfilling the COMPANY’s legal obligations,
It is necessary to process personal data of the relevant person, provided that it is directly related to the establishment or execution of a contract between the relevant person and the COMPANY,
Data processing is mandatory for the establishment, exercise or protection of a right,
Other matters to which the relevant person expressly consents,
Other matters expressly provided for in the legislation.
6.2 Explicit consent given by the relevant person will mean that the relevant person accepts the policy and its provisions.

7. Data Processing Purposes

Third parties that process personal data shared with the consent of the COMPANY and/or relevant persons may process the personal data of the relevant person or persons under the custody of the relevant person for the following purposes.

Accommodation services are carried out as declared, and the services are provided to the guest in a better and more reliable manner,
Conducting information research and survey evaluations, providing planning, statistics, archiving and storage services, and conducting customer satisfaction studies,
In order to optimize and improve the COMPANY services, it is necessary to check the accommodation history and/or behavioral patterns of the relevant person,
The COMPANY can offer a new and/or additional service or non-service product,
Changing the current conditions of the service offered by the COMPANY,
COMPANY’s analysis of statistical data, and preparation and presentation of various reports, research and/or presentations,
In addition to ensuring security; detecting and/or preventing abuse and other criminal activities,
Meeting the complaints, questions and requests of the relevant person,
Verifying the identity information of the relevant person,
Carrying out publicity, marketing, promotion and campaign activities for accommodation services,
Achieving other objectives stipulated in national and international laws and regulations.

8. Processing, Transfer or Disclosure of Data

The COMPANY fulfills the obligations imposed by the relevant legislation and board policy decisions regarding the processing, transfer or disclosure of personal data. In accordance with the purposes determined by this policy, and depending on the content and variety of accommodation services offered by the COMPANY, it uses all kinds of information for processing, transfer and/or disclosure, including but not limited to the following personal data of the relevant person and third parties: name and surname of the person concerned; personal identification number and/or unique feature on the ID card; registered and/or residential address; telephone/mobile phone number; e-mail address; data regarding the employer, as well as information regarding employment conditions (place of work, wages, working hours, etc.); the activities of the relevant person and/or third parties specified by the relevant person when using various electronic channels and/or the internet (including but not limited to web cookies, etc.), including, but not limited to, verification of channels, actions taken or transaction history; and data about the people the relevant person stayed with during the service procurement period.

8.1 If the relevant person gives the personal data of third parties (family members, employer, etc.), including but not limited to personal data, special personal data, etc., to the COMPANY for the purpose of benefiting from the COMPANY’s services, the relevant person who provides the data to the COMPANY will be responsible for obtaining the necessary consent for the processing of these personal data.

8.2 If the relevant person provides the information in question to the COMPANY (or its authorized personnel), it is assumed that the relevant person has given the necessary explicit consent and the COMPANY’s obligation to obtain this express consent is eliminated.

8.3 If personal and/or special personal data are processed without the express consent of the relevant person and if the relevant person suffers a loss as a result of this processing, the COMPANY is obliged to cover this damage.

8.4 The explicit consent of the relevant person also includes the recording and processing by the COMPANY of the activities of the relevant person while using various electronic channels (including, but not limited to, web browser, website, internet, mobile applications, payment transactions, technical methods and channels used for money transfer and receipt). (For example: determining the location of the relevant person when using an electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data.)

8.5 Until the relevant person exercises his/her right to refuse, the COMPANY has the right to use the telephone number, mobile phone number, e-mail address and other contact information given by the relevant person to send commercial electronic messages, including SMS, voice and/or other marketing messages (direct marketing), within the scope of the Law on the Regulation of Electronic Commerce No. 6563.

8.6 The relevant person grants the COMPANY the right to share his or her personal data with the COMPANY’s subsidiaries and/or shareholders for the purpose of making various marketing offers.

8.7 Advertising/information messages (e.g. advertising brochures, promotional visuals, verbal offers, etc.) at the COMPANY’s service points, or the contents shown during the use of electronic channels such as the internet and mobile marketing of the COMPANY (or the COMPANY’s subsidiaries), cannot be described as marketing, and the data subject will not have the right to request the termination of the publication and/or display of such content.

9. Processing of Applicants' or Employees' Data

9.1 Processing of personal data for the purpose of concluding, performing, maintaining and terminating a service contract: The COMPANY has the right to process the personal information disclosed by the relevant person due to starting a job, trial period and/or internship, for purposes such as fulfilling personal rights arising from the service contract and maintaining them uninterruptedly, occupational health and safety services to be provided to employees, fulfilling work permit procedures, evaluating personal job applications, research and carrying out other recruitment processes, performance evaluation and monitoring, training activities, improving working conditions, carrying out personal development processes, and other human resources and training processes.

During the job application process, information about the applicant is collected from third parties within the framework of the provisions of the Personal Data Protection Law No. 6698.

Explicit consent of the applicant is required for the processing of personal data that is related to the employment relationship but is not part of the initial performance of the employment contract.

9.2 Processing of Special Personal Data

Special personal data can only be processed with the explicit consent of the relevant person. Special categories of personal data other than health and sexual life can only be used in cases stipulated by law. For personal data related to health and sexual life, however, processing is permitted for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons or authorized institutions and organizations who are under the obligation of confidentiality.

10. Information Transfer/Sharing to/from Third Parties

In order for the COMPANY to provide service to the relevant person, this policy is transferred/shared with the relevant person and/or third parties specified by the relevant person within the scope of data processing. By providing his personal data to the COMPANY, the relevant person grants the rights to obtain, record, store, preserve, change, rearrange, disclose, transfer, transfer abroad, take over, make available, classify or use the data through fully or partially automatic or non-automatic means, provided that it is part of any recording system, through all departments, internet, call centers, public institutions and organizations, as well as parties and suppliers from whom they receive services that are a complement or extension of the COMPANY’s activities.

11. Liability of Data Controller and Data Processor

11.1 Based on the provisions of this policy, when processing some types of personal data, the COMPANY is a data processor and may act on behalf of the data controller, including third parties. The data controller may also process some personal data for third parties. Accordingly, each party to such a relationship (data processor as well as data controller) acts in accordance with the Personal Data Protection Law. Therefore:

Personal data is processed in accordance with the principles contained in the legislation.
Explicit consent of the person concerned is obtained, and necessary information and clarification is provided.
When the relevant person makes a request for information regarding his or her personal data, or when a complaint or statement regarding the data controller’s compliance with the obligations imposed by the legislation is submitted, the data controller notifies the relevant person as soon as possible and within 30 days at the latest.

In addition, if one of the parties represents the data processor and the other the data controller during the data processing, the data processor fulfills the following obligations. The data processor is obliged to do the following:

Processes the data transmitted/disclosed by the other party, in accordance with the extent and scope defined by the provisions of this policy and permitted by the legislation or upon the request of a regulatory authority,
In order to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data transmitted/disclosed by the data controller, all reasonable technical and administrative measures are implemented and every necessary action is taken, and the data controller is informed of all measures taken in this context,
The COMPANY, through its authorized personnel, controls the measures and practices implemented by the data processor for data security purposes,
Cooperates and supports the review of a complaint or statement submitted/declared by the COMPANY by the Data Processor, including the following,
Provides detailed information about the complaint and declaration status to the COMPANY within 7 business days from the date of request, including data about the relevant person (including electronic data), transmitted/disclosed by the data controller to the data processor,
It prevents data processing (transfer) by the Data Processor to a country and/or international organization that is not part of the European Union Economic Area and is not on the list of countries at an adequate level for the protection of personal data, or to which the data subject or the Personal Data Protection Board does not allow the transfer,
Without the prior written consent of the COMPANY, does not transfer/disclose data to third parties,
Even in cases where the COMPANY has given prior written consent, the data processor is obliged to transfer/disclose the data in accordance with a written contract. In the said written agreement, the third party and its subcontractors are obliged to take all necessary technical and administrative measures to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data.

Compensates any damage/loss that the COMPANY may suffer due to the data processor not taking the necessary actions (in accordance with the Policy and legislation) or not fully fulfilling them. The data processor gives explicit consent and agrees with the data controller to compensate for damages and provide compensation against any damage/loss that the COMPANY may incur as a result of the data processor’s violation (including, but not limited to, consequential damages), complaints, expenses (including, but not limited to, the expenses that the COMPANY will incur due to exercising its legal rights), legal processes and other liabilities.
Unless otherwise stated in the contract between the COMPANY and the data processor, after the termination of the contractual relationship between the COMPANY and the data processor, the data processor is obliged to return any data (including personal data) transferred/disclosed from the COMPANY, to take all necessary security measures to prevent unauthorized access to data by third parties, to destroy personal data transferred/disclosed by the COMPANY and to notify the COMPANY to confirm that this action has been taken.

12. Data Update, Processing, Retention Period and Data Destruction

Processing continues for the purposes specified in this policy during and after the period of using the COMPANY’s services, for a period of time consistent with the purposes and interests of the COMPANY, the requests of supervisory/regulatory authorities and/or legislation.
The processing of data transferred during the use of the COMPANY’s electronic channels (web browser, website, internet, mobile applications and/or other electronic data transfer tools) by the relevant person continues even after the relevant person deletes the data from the relevant electronic channels.
Upon the request of the relevant person, information is provided regarding the personal data held by the COMPANY, within the scope of the legislation.
If the relevant person’s data held by the COMPANY is incomplete or incorrect, the missing and incorrect data are completed and corrected upon the relevant person notifying the COMPANY in writing.
Personal data are retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, and in any case, for 15 years. Even though it has been processed in accordance with the provisions of the legislation, if the reasons requiring processing are eliminated and the COMPANY’s storage period expires, personal data is deleted, destroyed or anonymized by the data controller automatically or upon the request of the relevant person.
In determining the storage and destruction periods of personal data, the following criteria are used: By determining which of the exceptions stipulated in Articles 5 and 6 of the Law can be evaluated,
An access authorization and control matrix system is used. Relevant users are identified for each personal data, and the authorizations and methods of relevant users, such as access, retrieval and reuse, are determined. In cases such as employment contract termination or position change, the access, retrieval and reuse authorizations and methods of the relevant users within the scope of personal data are updated, closed and eliminated.

In case the period stipulated in the legislation for the storage of the personal data in question expires or if no period is stipulated in the relevant legislation for the storage of the data in question, the data is deleted, destroyed or anonymized by the data controller in 10-year periods.
In deleting, destroying and anonymizing personal data, the principles listed in Article 4 of the Law titled "General principles", the measures to be taken within the scope of Article 12 titled "Obligations regarding data security", the relevant legislative provisions, the Institution’s decisions and this policy are adhered to, and appropriate action is taken.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the COMPANY. These records are kept for at least 10 years, excluding other legal obligations.
Unless a contrary decision is taken by the Personal Data Protection Authority, the appropriate method of deleting, destroying or anonymizing personal data is chosen by the COMPANY.
Personal data collected by the COMPANY is stored in various recording environments. It is deleted using methods appropriate to the recording environment. Data on the servers is deleted by giving a delete command and/or manually, and personal data on paper is deleted using the blackout method. The blackening process means that the personal data on the relevant document is cut off where possible, and in cases where it is not possible, it is made invisible to the relevant users by using fixed ink in a way that is irreversible and unreadable with technological solutions.
Office files located on the central server are deleted with the delete command in the operating system of the file, or the access rights of the relevant user on the file or the directory where the file is located are removed. Personal data in portable memories, if any, are stored encrypted and deleted with software suitable for these environments. Relevant lines containing personal data are deleted with database commands. While performing the transaction, attention is paid to whether the relevant user is also the database administrator.

Destruction of personal data is the process of making personal data inaccessible, irretrievable and unusable by anyone. The COMPANY, as the data controller, takes all necessary technical and administrative measures regarding the destruction of personal data. To destroy personal data, all copies containing the data are identified and the systems containing the data are physically destroyed. Data is prevented from being accessed through processes such as melting, burning, pulverizing or passing optical or magnetic media through a metal grinder. Network devices (switch, router, etc.) are destroyed with the delete command; mobile phones (SIM card and fixed memory areas) and the fixed memory areas of portable smartphones with the delete command and physical destruction methods; and optical discs and data storage media such as CDs and DVDs by physical destruction methods such as burning, breaking into small pieces, and melting. For devices that are faulty or sent for maintenance, the data storage medium is removed and stored, and other defective parts are sent to third institutions such as manufacturers, sellers and service. Personnel coming from outside for maintenance and repair purposes are prevented from copying personal data and taking them out of the institution, and necessary precautions are taken.

Anonymization is the removal or modification of all direct and/or indirect identifiers in a data set, so that the relevant person can no longer be identified, or loses the feature of being distinguishable in a group/crowd, in a way that cannot be associated with a natural person. The purpose of anonymization is to break the connection between the data and the person identified by this data. The data is anonymized by selecting one of the disconnection processes that are carried out using methods such as automatic or non-automatic grouping, derivation, generalization and randomization applied to the records in the data recording system where personal data is kept.

13. Rights of the Relevant Person

Each relevant person has the right: to learn whether personal data is processed; to request information if personal data has been processed; to learn the purpose of processing personal data and whether they are used in accordance with their purpose; to know the third parties to whom personal data are transferred domestically or abroad; to request correction of personal data if they are incomplete or incorrectly processed; to request the deletion or destruction of personal data; to request notification that personal data has been transferred to third parties at home or abroad; to object to the emergence of a result against the person by analyzing the processed data only through automatic systems; and to demand compensation for the damage if he/she suffers damage due to personal data being processed contrary to the Law.

14. Confidentiality of Data Processing

Personal data is subject to data security. Any employee of the COMPANY, its subsidiaries and/or subsidiaries is prevented from accessing these data without authorization and unauthorized persons are strictly prohibited from processing or using this data. Processing of this data by any employee who is not authorized within the scope of the job description of the COMPANY, its subsidiaries and/or subsidiaries constitutes unauthorized processing. Employees of the COMPANY, its subsidiaries and/or subsidiaries can only access personal data if they are authorized to access personal data within their job description.
The employees of the COMPANY, its subsidiaries and/or subsidiaries are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons or making this data accessible by any other method. The data controller informs his employees about the obligation to protect data privacy at the initial stage of employment, provides training to his employees and ensures that they receive training.
For the purpose of security-protection of property and privacy, as well as control and measurement of service quality, in accordance with the provisions of the Personal Data Protection Law No. 6698, video and audio recording is done around and at the entrances of buildings and workplaces, and in environments such as kitchen and service background areas.
While communicating with the COMPANY at relevant service points and setting up business with the COMPANY, the relevant person is informed that video recording and video supervision is being carried out using appropriate tools. The relevant person accepts the importance of video and audio recording and with this article gives explicit consent to the COMPANY to process his data in this regard.

15. Data Processing Security

Personal data is protected against unauthorized access, unlawful data processing or disclosure and accidental loss, alteration or destruction of data. Data is protected whether it is processed electronically or on paper. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.

16. Data Protection Control

Compliance with this Data Protection Policy and relevant data protection laws is regularly checked by authorized persons working in the relevant units of the COMPANY. The personal data protection authority may personally audit the compliance of the COMPANY, its subsidiaries and affiliates with the provisions of this policy, as permitted by national laws.

When the relevant person submits his requests regarding the implementation of this policy and the Personal Data Protection Law to the Data Controller in writing, the Data Controller finalizes the request free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request in the application. However, if the process requires an additional cost, the fees determined by the Personal Data Protection Board are charged.

Dear Sensitive Premium Resort & SPA Guest;

As Sensitive Premium Resort & SPA Hotel, we respect and attach importance to the privacy of our guests' private lives. For this reason, we would like to provide information about the Personal Data Protection Law No. 6698 (KVKK), which is in force to protect fundamental rights and freedoms in the use of personal data.

Our guests may share their personal data, special personal data and family and relative data (name, surname, date of birth, mobile phone number, e-mail, gender, address, profession, education, marital status, vehicle license plate, identification information, accommodation and expense information, billing information, health data, food allergy, photograph, name, surname and e-mail address of relatives who can be reached in case of emergency, guest product information, guest arrival and departure dates, agency/company information) through channels such as our hotel’s reception, website and call center; they can communicate it to us verbally, in writing or electronically.

We process the personal data you have shared with us in order to customize the products and services offered by our hotel according to your tastes, usage habits and needs, and to recommend them to you and to provide better service.

We always keep your data safely. By taking the necessary precautions, we transfer and share your data with our business partners, suppliers (officials or employees), officials of our company in business relations, our shareholders, and legally authorized public institutions and private individuals, for reservation, information processing, advertising, marketing, promotion, business development, security, campaign notification, survey and customer satisfaction research, and for the purpose of providing our services and fulfilling our legal obligations, and we do not share it with anyone else.

By contacting us whenever you want, you can learn the purpose of using your personal data, with which organizations it is shared and for what purpose.

You may request the correction of your incomplete or incorrectly recorded or used information and the deletion of your information if the conditions stipulated by law are met.

To benefit from your rights under the law, you can submit your request to our hotel in writing, and for detailed information, you can review the link www.sensitivepremium.com/tr/kvkk and the Personal Data Protection Law No. 6698.

Regards;

Sensitive Premium Resort & SPA

KARALAR PETROL MAM. TAR. TYPE. NAK. and TİC LTD. ŞTİ.

Tel: +90 (242) 731 07 00

Fax : +90 (242) 731 07 03

www.sensitivepremium.com