The purpose of this clarification text: To inform you transparently on the collection, processing, processing methods and purpose, legal basis, to whom and for what purposes your personal data could be transferred and your rights under the relevant law, within the scope of the Law on Protection of Personal Data ("KVKK" or "Law") Nr. 6698, in particular Article 10 with the title "The Obligation of the Data Controller for Clarification" and Article 11 with the title "The Rights of the Relevant Person" of the Law.
Hapimag Turistik Yatırım ve Ticaret A.Ş. ("Company", "Our Company"), as the Data Controller, processes, records, transfers, shares and protects your personal data as described below and within the limits of the applicable legislation.
Our Company reserves the right to update this "Clarification Text on Processing Personal Data Of Customers Staying At The Hotel and Customer Candidates of Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi", within the scope of possible changes to be made in legal legislation.
1. Identity of the Data Controller
Pursuant to the Law on Protection of Personal Data Nr.6698, the data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Our company has the title of data controller in accordance with the Law in terms of the personal data processed.
Title of the company: Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi
Address: İnönü Cad. No.18 D.8 Gümüşsuyu Beyoğlu İstanbul
Phone number: 02523111280
E-mail address: financeofficetr@hapimag.com
Web site: https://www.hapimagseagarden.com/
2. Personal Data Processing Purposes
Our Company processes personal data of customers staying at the hotel and customer candidates for the following purposes:
-to ensure that accommodation services are provided in accordance with legal requirements,
-to receive, report and store the data required by legal conditions,
-to ensure that the most suitable options are offered to customers,
-to make accommodation contracts,
-to make and manage individual or group reservations,
-to authenticate customers to be accommodated and make notifications about them,
-to perform check-in and check-out procedures,
-to inform the units within the hotel so that they can provide quality service,
-to inform the customers in order for them to benefit from the services in the most appropriate way,
-to keep and invoice records regarding the use of hotel services,
-to work to increase the quality of service,
-to direct customers with / without reservation to solution partners in order to prevent mistreatment,
-to carry out financial and accounting affairs,
-to carry out emergency management processes,
-to carry out information security processes,
-to carry out activities in accordance with the legislation,
-to carry out and supervise business activities,
-to carry out occupational health / safety activities,
-to carry out communication activities,
-to carry out the procurement of goods and services,
-to carry out customer relationship management processes,
-to carry out marketing analysis studies,
-to carry out advertising / campaign / promotion processes,
-to follow requests / complaints,
-to carry out products and services marketing processes,
-to inform authorized persons / institutions / organizations.
Adequate measures determined by the Personal Data Protection Authority are also taken by our company in the processing of your health data, which is your sensitive personal data.
3. To whom and for which purpose the processed personal data may be transferred
Our company transfers the personal data of the customers staying at the hotel and customer candidates to the following person groups:
- To the independent auditing company that our company works with, to the financial consultancy company that our company works with and to the company lawyer for the purposes of auditing business activities, carrying out activities in accordance with the legislation, carrying out financial and accounting affairs, and carrying out risk management processes.
- To the banks that our company works with for the purposes of carrying out business activities and carrying out the procurement of goods and services,
- To Hapimag AG, a partner of our company, operating in Switzerland, for the execution and control of business activities.
Upon request, the personal data may be transferred to judicial authorities, law enforcement officers, authorized persons, institutions and organizations to resolve legal disputes within the framework of their legal powers, with a limited purpose and in accordance with the relevant legislation. Our company transfers the personal data of customers staying at the hotel and customer candidates based on the explicit consent legal reason stated in Article 8 of the Law on Protection of Personal Data.
Adequate measures determined by the Personal Data Protection Authority are also taken by our company for the transfer of your health data, which is your sensitive personal data.
4. Method and legal reason for collecting personal data
Our Company is permitted to process the personal data of customers staying at the hotel and customer candidates automatically or non-automatically through different channels, verbally, in writing or electronically, based on the statements of the customers staying at the hotel and customer candidates. Your personal data is stored by our Company in electronic and / or physical environment.
Our company processes the personal data of customers staying at the hotel and customer candidates based on the following legal reasons specified in Article 5 of the Law on Protection of Personal Data:
-it is clearly provided for by the laws.
-processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
-it is mandatory for the controller to be able to perform his legal obligations.
-the data concerned is made available to the public by the data subject himself.
-it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Our company processes the health data of the customers staying at the hotel, which is the sensitive personal data, based on the explicit consent legal reason stated in Article 6 of the Law on Protection of Personal Data.
5. Clarification Requirement In Case Personal Data Are Not Obtained From Our Customers Staying At The Hotel and Customer Candidates
In case personal data are not obtained from our customers staying at the hotel and customer candidates; our company will fulfil the clarification requirement;
- a) Within a reasonable time from the acquisition of personal data,
- b) During the first communication period if personal data will be used for communication with our customers staying at the hotel and customer candidates,
- c) At the first transfer time at the latest if personal data will be transferred.
6. The Rights of Customers Staying at The Hotel and Customer Candidates of the Company According to Article 11 of the Law on Protection of Personal Data
Right of Petition
In accordance with Article 11 of the Law on Protection of Personal Data, our customers staying at the hotel and customer candidates may apply to our Company through Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi Personal Data Owner Application Form and make requests regarding the following issues:
- a) to learn whether his personal data are processed or not,
- b) to request information if his personal data are processed,
- c) to learn the purpose of his data processing and whether this data is used for intended purposes,
- d) to know the third parties to whom his personal data is transferred at home or abroad,
- e) to request the rectification of the incomplete or inaccurate data, if any, to request the erasure or destruction of his personal data under the conditions laid down in Article 7,
- f) to request notification of the operations carried out in compliance with subparagraph(e) to third parties to whom his personal data has been transferred,
- g) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavorable consequence for the data subject,
- h) to request compensation for the damage arising from the unlawful processing of his personal data.
In this context, our customers staying at the hotel and customer candidates are obliged to apply to our Company first in order to submit their requests and to exercise their rights regarding the implementation of the Law on Protection of Personal Data. In accordance with the Law on Protection of Personal Data, our customers staying at the hotel and customer candidates cannot file a complaint to the Board or cannot directly apply to the judicial remedy without applying to our Company. Customers staying at the hotel and customer candidates whose applications to our company are implicitly or explicitly rejected may file a complaint to the Personal Data Protection Authority or apply to judicial remedies directly.
Cases Outside the Scope of Right to Apply
In accordance with Article 28 of the Law on Protection of Personal Data, our customers staying at the hotel and customer candidates will not be able to claim their rights in the following cases:
- Processing of personal data by real persons within the scope of activities of themselves or related family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
Except the right to demand compensation in accordance with paragraph 2 of Article 28 of the Law on Protection of Personal Data, our customers staying at the hotel and customer candidates will not be able to claim their rights in the following cases:
- Processing of personal data is necessary for the prevention of crime or for a criminal investigation.
- Processing of personal data made available to the public by our customers staying at the hotel and customer candidates themselves.
- Processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized public institutions, organizations and public professional organisations, based on the authority granted by the law.
- Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.
Procedure of Responding
Our company has taken all necessary technical and administrative measures in order to conclude the applications made by our customers staying at the hotel and customer candidates effectively and in accordance with law and the rule of good faith. In accordance with Article 13 of the Law on Protection of Personal Data, our Company will conclude the application requests of our customers staying at the hotel and customer candidates free of charge as soon as possible depending on the content of the request and within 30 (thirty) days at the latest. Our company will accept the applications of our customers staying at the hotel and customer candidates or reject them by explaining the reason. Our company will respond to the requests of our customers staying at the hotel and customer candidates in writing or electronically. If the demands of our customers staying at the hotel and customer candidates are accepted, the matter of the requests will be fulfilled by our Company as soon as possible and our customers staying at the hotel and customer candidates will be informed. If the applications of our customers staying at the hotel and customer candidates are responded to in writing, no fee will be charged for up to ten pages. Each page exceeding ten pages may be charged a transaction fee of 1 Turkish Lira. The fee to be requested by our Company shall not exceed the cost of the recording medium if the response to the application is made on a recording medium such as a CD or flash memory. In case the application is caused by the fault of our Company, the fee collected will be refunded to our customers staying at the hotel and customer candidates.
Pursuant to Art.13/1 of KVKK, you may make your application concerning use of your rights stated above, to our Company in writing or through other methods determined by the Board of Protection of Personal Data. You may access Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi Personal Data Owner Application Form at https://www.hapimagseagarden.com/ for your requests. You may send the application forms with wet-ink signature or electronic signature to the Company's head office address specified in Article 1 of this Clarification Text, or you may send it via e-mail to the email address specified in Article 1 of this Clarification Text.
INDEX
PREAMBLE
1. PURPOSE
2. CONTENT
3. DEFINITIONS
4. ENSURING THE SECURITY AND PRIVACY OF PERSONAL DATA
4.1. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE LEGAL PROCESSING, SAFE STORAGE, UNLAWFUL ACCESS PREVENTION AND PROPER DESTRUCTION OF PERSONAL DATA
4.2. MEASURES TO BE TAKEN IN THE EVENT OF DISCLOSURE OF PERSONAL DATA BY UNLAWFUL WAYS
5. PURPOSES AND LEGAL REASONS REQUIRED FOR THE STORAGE OF PERSONAL DATA AND PERSONAL DATA RETENTION PERIOD
5.1. PURPOSES REQUIRED FOR THE PROTECTION, PROCESSING AND STORAGE OF PERSONAL DATA
5.2. LEGAL REASONS REQUIRED FOR THE STORAGE OF PERSONAL DATA
5.3. PERSONAL DATA RETENTION PERIOD
6. DESTRUCTION OF PERSONAL DATA
6.1. REASONS REQUIRING THE DESTRUCTION OF PERSONAL DATA
6.2. PERSONAL DATA DESTRUCTION METHODS APPLIED BY OUR COMPANY
7. STORAGE AND DESTRUCTION PERIODS OF PERSONAL DATA
7.1. PERIODIC DESTRUCTION TIME
7.2. PERSONS INVOLVED IN THE STORAGE AND DESTRUCTION PROCESSES OF PERSONAL DATA
7.3. RECORDING MEDIA OF PERSONAL DATA
8. CAMERA MONITORING WITHIN THE COMPANY
8.1. CHECK-IN AND EXIT RECORDS OF HOTEL VISITORS
9. PUBLISHING AND STORING THE POLICY
10. UPDATE PERIOD OF THE POLICY
11. ENFORCEMENT AND TERMINATION OF THE POLICY
Preamble
In accordance with Article 20 of the Constitution of the Republic of Turkey, every person is entitled to demand the protection of personal data concerning them. This right also includes being informed about personal data, accessing these data, requesting their correction or deletion and learning for what purposes it is used.
The protection of fundamental rights and freedom of individuals in the processing of personal data, the obligations of natural and legal persons who process personal data, and the procedures and principles to be followed by these persons are regulated within the Law on the Protection of Personal Data No. 6698 (“Law”). The purpose of this Policy prepared in this direction is to determine the procedures and principles regarding the storage and destruction of personal data in line with the Law and other regulations.
1. Purpose
Policy on Storage and Destruction of Personal Data of Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi (the "Policy") is prepared to determine the principles and the procedures regarding the personal data storage and disposal operations and transactions carried out by Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi ("Company", "Our Company").
In line with the mission, vision and basic principles determined in the Strategic Plan; our Company has determined the processing of personal data of our company's employees, employee candidates, company partner employees, customers staying at the hotel, customer candidates, visitors, supplier employees and supplier officials in accordance with the Constitution of the Republic of Turkey, international conventions, the Law on the Protection of Personal Data No. 6698 and other relevant legislation, and ensuring that the relevant persons exercise their rights effectively as a priority.
The transactions regarding the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction.
2. Content
Data owners whose personal data are processed within the scope of this Policy are categorized as follows:
Employees | All company-dependent workers (employees) who work for a definite or indefinite period of time |
Employee Candidates | Real persons who make their CV (curriculum vitae) and related information accessible to the Company by applying for a job or by any other means. |
Company Partner Employees | Natural person Company partner employees whose personal data are obtained within the scope of relations conducted with the company partner Hapimag AG operating in Switzerland |
Customers Staying at the Hotel / Customer Candidates | Real persons whose personal data are obtained due to their accommodation in Our Company's hotel |
Visitors | Real persons who entered the company's facilities for various purposes |
Supplier Employees/ Supplier Officials | Real persons whose personal data are obtained due to business relations within the scope of the activities carried out by the Company, regardless of whether there is a contractual relationship or not. |
3. Definitions
The definitions used in this Policy are as follows:
Explicit consent | Consent on a specific subject, based on information and expressed with free will |
Presidency | The Presidency for the Protection of Personal Data |
Electronic Media | Media where personal data can be created, read, changed and written with electronic devices |
Anonymizing Personal Data | Making personal data unrelated to a certain or identifiable natural person under any circumstances, even by matching other data. |
Employees | All company-dependent workers (employees) who work for a definite or indefinite period of time |
Employee Candidates | Real persons who make their CV (curriculum vitae) and related information accessible to the Company by applying for a job or by any other means. |
Supplier | Real or legal persons providing products or services to the Company |
Personal Health Data | All kinds of health information regarding an identified or identifiable natural person |
Personal Data | All kinds of information regarding an identified or identifiable natural person |
Processing of Personal Data | Any action taken on the data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making it available, classifying or blocking the usage of personal data through fully or partially automatic means or non-automatic means provided that they are part of any data recording system. |
Deletion of Personal Data | Making personal data inaccessible and unavailable in any way for related users |
Extinguishment of Personal Data | Making personal data inaccessible, unrecoverable and non-reusable in any way by anyone |
Inventory of Personal Data | Personal data processing activities carried out by data controllers depending on the business processes; the inventory that they have created by associating with the personal data processing purposes, the data category, the recipient group transferred and the data subject group, and elaborating the maximum period required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security |
Policy on Storage and Destruction of Personal Data of Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi | This Policy, which sets out the procedures and principles to be fulfilled by the Company regarding the Storage and Destruction of Personal Data in accordance with the Law on the Protection of Personal Data and the relevant legislation. |
Destruction | Deletion, Extinguishment or anonymization of personal data |
Periodic Destruction | The deletion, extinguishment or anonymization process to be carried out ex officio at recurring intervals specified in the Policy on Storage and Destruction of Personal Data in the event that all the conditions for the processing of personal data included in the Law are eliminated. |
Recording Medium | Any media containing personal data that is processed by fully or partially automated or non-automatic means provided that it is a part of any data recording system |
The Law | The Law on the Protection of Personal Data No. 6698 |
Commission | Commission of the Protection of Personal Data |
Institution | Institution of the Protection of Personal Data |
Directive | Directive of Deletion, Extinguishment or Anonymization of Personal Data |
Sensitive Personal Data | Individuals' data regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and fashion, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data |
Registry | Data Controllers Registry kept by the Presidency |
Data Processor | The natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller |
Personal Data Owner | The real person whose personal data is processed, who is deemed to be the "relevant person" in the Law |
Personal Data Owner Application Form | The application form that personal data owners, whose personal data are processed within the company, will benefit from when using their applications regarding their rights described in Article 11 of the Law |
Data Controller | Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system (our Company) |
VERBİS | The information system to be used by the Data Controllers in the application to the Registry and in other related transactions related to the Registry, accessible on the internet, created and managed by the Presidency |
Visitor | Real persons who entered the company's facilities for various purposes |
4. ENSURING THE SECURITY AND PRIVACY OF PERSONAL DATA
In accordance with Article 12 of the Law, our company takes all necessary technical and administrative measures to prevent unlawful processing and access of the personal data processed by our Company, and to ensure the appropriate level of security in order to preserve personal data.
4.1. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE LEGAL PROCESSING, SAFE STORAGE, UNLAWFUL ACCESS PREVENTION AND PROPER DESTRUCTION OF PERSONAL DATA
The technical and administrative measures taken by our company for the legal processing, safe storage, unlawful access prevention and ensuring legal destruction of personal data are as follows:
- Network security and application security are provided.
- Closed system networks are used for personal data transfers via the network.
- Key management is implemented.
- Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
- There are disciplinary regulations that include data security provisions for employees.
- Training and awareness activities on data security are carried out periodically for employees.
- An authority matrix has been created for the employees.
- Access logs are kept regularly.
- Corporate policies on access, information security, usage, storage and destruction issues have been prepared and implemented.
- Data masking measures are applied when necessary.
- Confidentiality commitments are made.
- Powers of the employees who have a job change or leave their jobs are revoked.
- Current anti-virus systems are used.
- Firewalls are used.
- The signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred by paper and the relevant documents are sent in a confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security problems are reported quickly.
- Personal data security is monitored.
- Necessary security measures are taken for entering and exiting physical media containing personal data.
- Physical media containing personal data are secured against external risks (fire, flood, etc.).
- The security of media containing personal data is ensured.
- Personal data is reduced as much as possible.
- Personal data are backed up and the security of backed up personal data is also ensured.
- User account management and an authorization control system are applied and monitored.
- In-house periodic and / or random inspections are carried out.
- Log records are kept without user intervention.
- Current risks and threats have been identified.
- Protocols and procedures for sensitive personal data security have been determined and implemented.
- If sensitive personal data is to be sent via e-mail, it is always sent in encrypted form using KEP (registered email) or a corporate mail account.
- Secure encryption / cryptographic keys are used for sensitive personal data and managed by different units.
- Intrusion detection and prevention systems are used.
- Penetration test is applied.
- Cyber security measures have been taken and their implementation is constantly monitored.
- Encryption has been done.
- Sensitive personal data to be transferred in portable memory, CD, DVD media, is encrypted.
- Data processing service providers are regularly audited for data security.
- Awareness of service providers who process data on data security is ensured.
- Data loss prevention software is used.
4.2. MEASURES TO BE TAKEN IN THE EVENT OF DISCLOSURE OF PERSONAL DATA BY UNLAWFUL WAYS
If the processed personal data is obtained by others through illegal means, our Company will notify the relevant personal data owner and the Commission as soon as possible.
5. PURPOSES AND LEGAL REASONS REQUIRED FOR THE STORAGE OF PERSONAL DATA AND PERSONAL DATA RETENTION PERIOD
5.1. PURPOSES REQUIRED FOR THE PROTECTION, PROCESSING AND STORAGE OF PERSONAL DATA
Personal data are processed by our Company for the following purposes:
- Ensuring that accommodation services are provided in accordance with legal requirements,
- Ensuring that the most suitable options are offered to the customers staying at the hotel,
- Concluding accommodation contracts, making and managing individual or group reservations, executing authentication and notifications of customers to be accommodated, performing check-in and check-out procedures,
- Informing the units within the hotel so that they can provide quality service, informing the customers in order for them to benefit from the services in the most appropriate way, keeping and billing records regarding the use of hotel services, working to increase the service quality, directing customers with / without reservation to solution partners so that they do not suffer,
- Execution of Emergency Management Processes
- Execution of Information Security Processes
- Execution of Employee Candidate / Intern / Student Selection and Placement Processes
- Execution of Employee Candidates Application Processes
- Execution of audit / ethical activities
- Execution of training activities
- Execution of access rights
- Carrying out activities in accordance with the legislation
- Execution of Finance and Accounting Affairs
- Execution of Adherence Processes to Company / Products / Services
- Ensuring Physical Location Security
- Execution of assignment processes
- Following and Execution of Legal Affairs
- Execution of Internal Audit / Investigation / Intelligence Activities
- Execution of Communication Activities
- Planning of Human Resources Processes
- Execution / Supervision of Business Activities
- Execution of Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for the Improvement of Business Processes
- Execution of Business Sustainability Activities
- Execution of Logistics Activities
- Execution of Goods / Service Purchase Processes
- Execution of Goods / Service After Sales Support Services
- Execution of Goods / Service Sales Processes
- Execution of Customer Relationship Management Processes
- Organization and Event Management
- Execution of Marketing Analysis Studies
- Execution of Performance Evaluation Processes
- Execution of Advertising / Campaign / Promotion Processes
- Execution of Risk Management Processes
- Execution of Social Responsibility and Civil Society Activities
- Execution of Supply Chain Management Processes
- Execution of Marketing Process of Products / Services
- Informing Authorized Persons, Institutions and Organizations
- Execution of Management Activities
- Creating and Tracking Visitor Records
5.2. LEGAL REASONS REQUIRED FOR THE STORAGE OF PERSONAL DATA
While determining whether a period is stipulated in the relevant legislation for the storage of personal data, our company checks the following legislation:
- Directive on Health and Safety Measures to be Taken in Workplace Building and Extensions
- Other secondary regulations in force under these laws
5.3. PERSONAL DATA RETENTION PERIOD
Our company determines whether a period of time is stipulated in the relevant legislation for the storage of personal data. If a period is stipulated in the relevant legislation, the Company abides by this period; if a period is not stipulated, the Company keeps the personal data for the period required for the purpose for which they were processed. If the purpose of processing personal data has expired and the storage periods determined by the relevant legislation and / or our Company have come to an end, they can only be stored for the purpose of providing evidence in possible legal disputes, asserting the right related to personal data or establishing a defence. Personal data are not stored if their purpose of processing by our company and the maximum retention periods determined by the relevant legislation and / or the Company have expired, and they are not intended for any other storage. Pursuant to Article 7 of the Directive of Deletion, Extinguishment or Anonymization of Personal Data ("Directive"), which was published in the Republic of Turkey Official Gazette and entered into force as of 01/01/2018, all procedures regarding the destruction of personal data are recorded and the said records are kept for at least three years, excluding other legal obligations.
6. DESTRUCTION OF PERSONAL DATA
Pursuant to Article 7 of the Law, although the personal data has been processed in accordance with the relevant legislation, if the reasons for its processing disappear, the personal data will be destroyed by our Company, either ex officio or upon the request of the personal data owner.
It is our Company's obligation to destroy personal data in cases where the reasons requiring its processing are eliminated. The application of the personal data owner is not required for this. However, the personal data owner has the right to request the destruction of their personal data.
The Directive aims to determine the procedures and principles regarding the destruction of personal data that are processed by fully or partially automated means, or by non-automatic means provided that they are part of any data recording system. Our Company, which has prepared this Policy within the framework of the Directive, destroys the personal data in the first periodic destruction process following the date on which the obligation to destroy the personal data arises. This period cannot exceed six months in any case.
Within the scope of the Directive, the following principles regarding the destruction of personal data are enforced:
- In the event that all the conditions for processing personal data stipulated in Articles 5 and 6 of the Law are eliminated, the personal data must be destroyed by our Company ex officio or upon the request of the person concerned.
- In the destruction of personal data, it is obligatory to act in accordance with the general principles in Article 4 of the Law and technical and administrative measures to be taken within the scope of Article 12, the provisions of the relevant legislation, the decisions of the Commission and this Policy.
- All transactions regarding the destruction of personal data are recorded and the said records are kept for at least three years, excluding other legal obligations.
- The Company is obliged to explain the methods applied for the destruction of personal data in this Policy and other procedures.
- Unless a contrary decision is taken by the Commission, the Company selects the appropriate method of ex officio destruction of personal data. Upon the request of the personal data owner, the Company selects the appropriate method by explaining its reason.
Pursuant to Article 12 of the Directive, when the personal data owner requests the destruction of their personal data by applying to our Company pursuant to Article 13 of the Law;
- a) If all the conditions for processing personal data have disappeared, our Company destroys the personal data subject to the request. Our Company concludes the request of the personal data owner within thirty days at the latest and informs the personal data owner.
- b) If all the conditions for processing personal data have disappeared and the personal data subject to the request is transferred to third parties, our Company notifies the third party and ensures that the necessary procedures are carried out within the scope of this Directive in care of the third party.
- c) If all the conditions for processing personal data are not eliminated, this request may be rejected by our Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law and the rejection response is notified to the personal data owner in writing or electronically within thirty days at the latest.
- REASONS REQUIRING THE DESTRUCTION OF PERSONAL DATA
Personal data;
- The amendment or abolition of the relevant legislation provisions that form the basis of its processing,
- The disappearance of the purpose requiring processing or storage,
- In cases where the processing of personal data is only based on express consent, the personal data owner withdraws their express consent,
- In accordance with Article 11 of the Law, the application for the deletion and extinguishment of personal data within the framework of the rights of the personal data owner is accepted by the Institution,
- In cases where the Institution rejects the personal data owner’s application for deletion, extinguishment or anonymization of the personal data, finds the answer inadequate or does not respond within the period stipulated in the Law; submitting a complaint to the Commission and approval of this request by the Commission,
- In cases where the maximum period that requires the storage of personal data has passed and there is no requirement to justify the storage of personal data for a longer period, it is destroyed by the Institution at the request of the personal data owner.
- PERSONAL DATA DESTRUCTION METHODS APPLIED BY OUR COMPANY
The following personal data extinguishment methods are used in the processes of destruction of personal data processed by our company:
-Physical extinguishment: It is the physical extinguishment process of optical media and magnetic media such as melting, burning or pulverizing. It is ensured that the data is inaccessible by processes such as melting, burning, pulverizing or passing the optical or magnetic media through a metal grinder. For solid state disks, if overwriting or de-magnetizing is not successful, this media is also physically destroyed.
-Network devices (switches, routers, etc.): The storage media inside these devices are fixed. Products often have a delete command but no extinguishment feature. It is destroyed using one or more of the appropriate methods mentioned above in local systems.
-Mobile phones (SIM card and fixed memory areas): Portable smartphones have a delete command in fixed memory areas, but most of them do not have an extinguishment command. It is destroyed using one or more of the appropriate methods mentioned above in local systems.
-Optical discs: These are data storage media such as CD and DVD. It must be destroyed by physical extinguishment methods such as burning, breaking into small pieces, melting.
-Peripherals such as printers, fingerprint door access systems with removable data recording media: It is verified that all data recording media have been removed and destroyed by using one or more of the appropriate methods specified in the above local systems according to their characteristics.
-Peripherals such as printers, fingerprint door access systems with fixed data recording media: Most of these systems have a delete command, but most of them do not have an extinguishment command. It is destroyed using one or more of the appropriate methods mentioned above in local systems.
-Paper and microfiche media
Since the personal data in the mentioned environments are permanently and physically written on the media, the main media is destroyed. While this process is being carried out, the media is cut by shredding or shearing machines, horizontally and vertically if possible, into pieces so small that they are incomprehensible and cannot be put back together.
Personal data transferred from the original paper format to the electronic environment by scanning are destroyed by using one or more of the appropriate methods specified in the above local systems, depending on the electronic environment in which they are located.
-Cloud environment
During the storage and use of personal data in these systems, they are encrypted with cryptographic methods and, where possible, individual encryption keys are used for personal data, especially for each cloud solution that is served. When the cloud service ends, all copies of the encryption keys required to make personal data available are destroyed.
In addition to the above environments, the processes for the extinguishment of personal data in devices that are malfunctioning or sent for maintenance are carried out as follows:
-It is ensured that the personal data contained in the relevant devices are destroyed by using one or more of the appropriate methods specified in the local systems before they are transferred to third institutions such as manufacturers, vendors and services for maintenance and repair.
-In cases where destruction is not possible or appropriate, the data storage medium is disassembled and stored, and other defective parts are sent to third parties such as manufacturers, vendors and services.
-Necessary measures are taken to prevent personnel coming from outside for maintenance and repair purposes from copying personal data and taking them out of the organization.
- STORAGE AND DESTRUCTION PERIODS OF PERSONAL DATA
Pursuant to Article 7 of the Directive, personal data are processed under the conditions specified in Articles 5 and 6 of the Law. In the event that all of these processing conditions are eliminated, the personal data in question is destroyed (deletion, extinguishment or anonymization) by the Company ex officio or upon the request of the personal data owner.
Regarding the personal data being processed by the company within the scope of its activities;
- Retention periods related to all personal data are included in the Personal Data Processing Inventory
- Retention periods based on data categories are included in VERBIS registration and in this Policy.
The table below shows the maximum period of storage and destruction according to personal data category.
Personal Data Category | Retention Period | Destruction Period |
Identity Data | 10 years | Within 6 months after the expiry of the retention period |
Communication Data | 10 years | Within 6 months after the expiry of the retention period |
Personnel Affair Data | 10 years | Within 6 months after the expiry of the retention period |
Legal Transaction Data | 10 years | Within 6 months after the expiry of the retention period |
Customer Operations Data | 10 years | Within 6 months after the expiry of the retention period |
Physical Location Security Data | 2 years | Within 6 months after the expiry of the retention period |
Risk Management Data | 10 years | Within 6 months after the expiry of the retention period |
Financial Data | 10 years | Within 6 months after the expiry of the retention period |
Occupational Experience Data | 10 years | Within 6 months after the expiry of the retention period |
Audio and Visual Records Data | 2 years | Within 6 months after the expiry of the retention period |
Health Data | 10 years | Within 6 months after the expiry of the retention period |
Criminal Conviction and Security Measures Data | 10 years | Within 6 months after the expiry of the retention period |
- PERIODIC DESTRUCTION TIME
In accordance with Article 11 of the Directive of Deletion, Extinguishment or Anonymization of Personal Data, our Company has determined the periodic destruction period as 6 months.
- PERSONS INVOLVED IN THE STORAGE AND DESTRUCTION PROCESSES OF PERSONAL DATA
All units and employees of our Company actively support the responsible units in implementing the technical and administrative measures taken within the scope of the Policy, in increasing the training and awareness of the unit employees, in monitoring and continuous auditing, and in taking technical and administrative measures to ensure data security in all media where personal data are processed, in order to prevent the illegal processing of personal data, to prevent unlawful access to personal data and to ensure legal storage of personal data.
The information of the person(s) involved in the storage and destruction of personal data within the scope of the Directive is given in the table below.
Person involved in the storage and destruction of personal data | Title of the Person | Working Unit of the Person | Job Description of the Person |
Esma Ezgi Çetinel | Chief Financial Officer | Financial Affairs Department | Chief Financial Officer |
İlker Adaş | Hotel Operations and Guest Relations Manager | Hotel Operations | Hotel Operations and Guest Relations Manager |
Abdul Ahmet Uysal | Resort Operations Manager | Resort Operations | Resort Operations Manager |
Eyüp Elmacı | IT Manager | IT | IT Manager |
Gülşah Akgün Gülşen | Human Resources Manager | Human Resources Department | Human Resources Manager |
- RECORDING MEDIA OF PERSONAL DATA
Personal data of the Personal Data Owner are recorded through materials and media suitable for data storage such as documents, files, CD, floppy disk, hard disk, Company server, Micro ERP, Company CRM (LIAS, PIN, SAM3, BAAN, KODEG) applications by our Company.
The table below shows how / where types of personal data are recorded.
Personal Data Category | Recording Medium |
Identity Data | Sihot-SAP- Physical Environment |
Communication Data | Sihot-SAP- Physical Environment |
Personnel Affair Data | SAP- Physical Environment |
Legal Transaction Data | Server-Physical Environment |
Customer Operations Data | Sihot-SAP-Server-Physical Environment |
Physical Location Security Data | Server-Sihot-Physical Environment |
Risk Management Data | SAP-Server-Physical Environment |
Financial Data | SAP-Server-Physical Environment |
Occupational Experience Data | Server-Physical Environment |
Audio and Visual Data | Server-Physical Environment |
Health Data | SAP-Physical Environment-Server |
8. CAMERA MONITORING WITHIN THE COMPANY
Camera monitoring is carried out within our Company in order to ensure the safety of the company and its employees, to carry out emergency management processes, to ensure physical location security, to carry out occupational health / safety activities and to create visitor records.
In line with the regulations in the Law, this Policy is published on our website regarding the camera surveillance activity conducted by our Company and a notification letter is posted on the entrances of the areas where the monitoring is done.
There is no monitoring done in areas that may cause an intervention to the privacy of the person. Security camera recordings can only be accessed by a limited number of Company employees and, if required, security company employees who are in the position of a supplier. Those persons who have access to the records declare that they will protect the confidentiality of the data they access with the confidentiality commitment they have signed.
8.1. CHECK-IN AND EXIT RECORDS OF HOTEL VISITORS
The personal data of our guests visiting our Company are processed in order to ensure the safety of the company and its employees, to carry out emergency management processes, to ensure physical location security, to carry out occupational health / safety activities, and to create visitor records.
- PUBLISHING AND STORING THE POLICY
The policy is published in two different media, as original signed (printed paper) and electronically. The most up-to-date version of the policy is available on the Company's website https://www.hapimagseagarden.com/ and at the common areas within the company.
- UPDATE PERIOD OF THE POLICY
The policy is reviewed as needed and the required sections are updated.
- ENFORCEMENT AND TERMINATION OF THE POLICY
The policy is deemed to have entered into force after its publication on our Company's website. In case a decision is made for its annulment, old copies of the original signed Policy are cancelled and signed and kept by our Company for at least 5 years.
The purpose of this clarification text: To inform you transparently on the collection, processing, processing methods and purpose, legal basis, to whom and for what purposes your personal data could be transferred and your rights under the relevant law, within the scope of the Law on Protection of Personal Data ("KVKK" or "Law") Nr. 6698, in particular Article 10 with the title "The Obligation of the Data Controller for Clarification" and Article 11 with the title "The Rights of the Relevant Person" of the Law.
Hapimag Turistik Yatırım ve Ticaret A.Ş. ("Company", "Our Company") processes, records, transfers, shares and protects your personal data, as the Data Controller, as described below and within the borders of the legal legislation.
Our Company reserves the right to update this "Clarification Text About Security Cameras Located Inside of the Hotel Facility Owned by Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi", within the scope of possible changes to be made in legal legislation.
- Identity of the Data Controller
Pursuant to the Law on Protection of Personal Data Nr.6698, the data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Our company has the title of data controller in accordance with the Law in terms of the personal data processed.
Title of the company: Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi
Address: İnönü Cad. No.18 D.8 Gümüşsuyu Beyoğlu İstanbul
Phone number: 02523111280
E-mail address: financeofficetr@hapimag.com
Web site: https://www.hapimagseagarden.com/
- Personal Data Processing Purposes
Images are recorded through a total of 37 security cameras in our facility for the purposes of ensuring the safety of employees, hotel guests, visitors and facility, conducting emergency management processes and conducting internal audit activities. Recordings are audited by the Information Technologies department.
- To whom and for which purpose the processed personal data may be transferred
Upon request, the personal data may be transferred to judicial authorities, law enforcement officers, authorized persons, institutions and organizations to resolve legal disputes or upon request of the relevant legislation within the framework of their legal powers, with a limited purpose. Our company transfers the image data obtained through security cameras based on the explicit consent legal reason stated in Article 8 of the Law on Protection of Personal Data.
- Method and legal reason for collecting personal data
Our company processes the image data obtained through security cameras based on the following legal reasons specified in Article 5 of the Law on Protection of Personal Data:
-it is mandatory for the controller to be able to perform his legal obligations.
-it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
- The Rights of the People Whose Personal Data are Processed According to Article 11 of the Law on Protection of Personal Data
Right of Petition
In accordance with Article 11 of the Law on Protection of Personal Data, the people whose personal data are processed may apply to our Company through Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi Personal Data Owner Application Form and make requests regarding the following issues:
- a) to learn whether his personal data are processed or not,
- b) to request information if his personal data are processed,
- c) to learn the purpose of his data processing and whether this data is used for intended purposes,
- d) to know the third parties to whom his personal data is transferred at home or abroad,
- e) to request the rectification of the incomplete or inaccurate data, if any, to request the erasure or destruction of his personal data under the conditions laid down in Article 7,
- f) to request notification of the operations carried out in compliance with subparagraph (d) to third parties to whom his personal data has been transferred,
- g) to object to the processing, exclusively by automatic means, of his personal data, which leads to an unfavorable consequence for the data subject,
- h) to request compensation for the damage arising from the unlawful processing of his personal data.
In this context, the people whose personal data are processed are obliged to apply to our Company first in order to submit their requests and to exercise their rights regarding the implementation of the Law on Protection of Personal Data. In accordance with the Law on Protection of Personal Data, the people whose personal data are processed cannot file a complaint to the Board or cannot directly apply to the judicial remedy without applying to our Company. The relevant persons whose applications made to our company are implicitly or explicitly rejected may file a complaint to the Personal Data Protection Authority or apply to judicial remedies directly.
Cases Outside the Scope of Right to Apply
In accordance with Article 28 of the Law on Protection of Personal Data, the people whose personal data are processed will not be able to claim their rights in the following cases:
- Processing of personal data by real persons within the scope of activities of themselves or related family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
- Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
Except the right to demand compensation in accordance with paragraph 2 of Article 28 of the Law on Protection of Personal Data, the people whose personal data are processed will not be able to claim their rights in the following cases:
- Processing of personal data is necessary for the prevention of crime or for a criminal investigation.
- Processing of personal data made available to the public by our customers themselves.
- Processing of personal data is necessary for the execution of supervision or regulation duties and disciplinary investigation or prosecution by the authorized public institutions, organizations and public professional organizations, based on the authority granted by the law.
- Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial issues.
Procedure of Responding
Our company has taken all necessary technical and administrative measures in order to conclude the applications made by the people whose personal data are processed effectively and in accordance with law and the rule of good faith. In accordance with Article 13 of the Law on Protection of Personal Data, our Company will conclude the application requests of the people whose personal data are processed free of charge as soon as possible depending on the content of the request and within 30 (thirty) days at the latest. Our company will accept the applications of the people whose personal data are processed or reject them by explaining the reason. Our company will respond to the requests of the persons whose personal data are processed in writing or electronically. If the demands of the people whose personal data are processed are accepted, the matter of the requests will be fulfilled by our company as soon as possible and the people whose personal data are processed will be informed. If the applications are responded to in writing, no fee will be charged for responses of up to ten pages. For each page exceeding ten pages, a transaction fee of 1 Turkish Lira may be charged. The fee to be requested by our Company shall not exceed the cost of the recording medium if the response to the application is made in recording mediums such as CD or flash memory. In case the application is caused by the fault of our Company, the fee collected will be refunded to the people whose personal data are processed.
Pursuant to Art.13/1 of KVKK, you may make your applications concerning use of your rights stated above, to our Company in writing or through other methods determined by the Board of Protection of Personal Data. You may access Hapimag Turistik Yatırım ve Ticaret Anonim Şirketi Personal Data Owner Application Form at https://www.hapimagseagarden.com/ for your requests. You may send the application forms with wet-ink signature or electronic signature to the Company's head office address specified in Article 1 of this Clarification Text, or you may send it via e-mail to the email address specified in Article 1 of this Clarification Text.