COMMODORE ELITE SUITES & SPA PERSONAL DATA PROCESSING POLICY
SAĞ-TUR SAĞLIK TURIZM SAN. and TIC. A. Ş. in short as Commodore Elite Suites Spa, is responsible for the processing of personal data in accordance with law 6698; the data processing guidelines are used to establish the procedures and principles necessary for this purpose.
The personal datas of our employees, prospective employees, guests and all real persons, who has connection with Commodore Elite Suites Spa for any reason, are being governed by law under this Personal Data Processing Policy.
*Law On The Protection Of Personal Data (KVKK) Date : 24/03/2016 – Number 6698.
*Board / Authority: Board for the protection of personal data, authority for the protection of personal data.
*Personal data: any information which is belonging to a real person, which was identified or may be identified.
* Related person : Person, whose personal datas are processed.
* Explicit consent : The voluntary consent, related with a topic based on previously received information.
*Anonymization : Personal data cannot, in any way, be assigned to real existing persons who have a specific or definable identity.
*Deletion of personal datas: Users do not have access to personal datas in any way or can not use them repeatedly.
*Removal of personal datas: Personal datas cannot be reached, reversed or reused by anyone in any way.
* The processing of personal datas: all kind of process for Obtaining, storing, recording, receiving, changing, editing, publishing, forwarding, transferring, making available, classifying or prevention of personal data, which is done with the help of an automatic, semi-automatic or non-automatic storage system.
* Data processing person: person or legal entity that processes personal data taking into account the powers granted by the responsible persons.
* Private personal datas: ancestry, ethnicity, political opinion, philosophical beliefs, Religion, other beliefs, clothing, foundation or union membership, health, sex life, criminal conviction, personal - biometric or genetic datas of related person.
* Information obligation: while receiving the personal datas, responsible or authorized persons must inform the related persons about identity of the responsible or authorized Person. and also information about the purpose for which the data is used, with whom or for what reasons personal data is shared, methods and legal reasons why personal data is taken and information about Article 11 of the Basic Law.
* Sedna: Automation system in which personal datas are included and with which the Front office, the accounting department, the human resources department and the purchasing department work.
*Gonca: the automation system for guest surveys and the A’la Carte reservations.
* Destruction policy: guidelines on the determination of the maximum period in which the personal data can be used and the subsequent deletion, destruction and anonymization of the data.
* Recording media: all types of automatically or semi-automatically electronic media in which personal datas are collected.
Company: SAĞ-TUR SAĞLIK TURIZM SAN. ve TIC. A. Ş.
4. Principles for the processing of personal data:
4.1. Compliance with the act and the rules of honesty: The individual rights must be taken into account during the processing of the personal data by the company. Personal data is collected and processed in accordance with the law and fairly.
4.2. Specific, open and transparent use of personal data / limited and restrained usage: Before using personal data, the company must determine the reasons and purposes for which this data is used. The company uses this data only in order to be able to offer the data subjects a better service. During the collection of personal data, the identification of the responsible person, the data controller and, if available, its deputy must be disclosed. It is also necessary to explain the reasons for using the personal data, the reasons for forwarding the personal data, the procedure for storing the data, legal reasons and the rights of the persons concerned.
4.3. Deadline for the preservation / storage of personal data in accordance with the relevant legal provisions: The company may only store the personal data for as long as the relevant legal provisions state or as long as it is required for the required processes. So far as it is deemed necessary for the purposes of processing personal data, the regulatory authorities process personal data in accordance with the purpose set out in this policy, and will continue to do so by the company and its controlled subsidiaries, unless this is required by applicable laws or regulations of the company.
4.4 Accuracy of informations, actuality of datas: The company must check the stored personal data for accuracy, completeness and timeliness. If necessary, inaccurate or incomplete data will be deleted, updated, supplemented or corrected.
4.5 Data protection and data security: personal data is under the data protection. The personal data will be treated confidentially at the personal level. the company will ensure security measures and the necessary technical and administrative measures against unauthorized access, unlawful processing or dissemination and accidental loss, modification or destruction for the purpose of providing and storing personal data.
5. Content of data processing
The processing of personal data is beind done in two different ways.
a) Fully automatic or semi-automatic processing of personal data. It includes the purpose of transmitting, distributing or presenting data in various ways, grouping, combining, blocking or deleting data, data collecting, stored, photographed, recorded, organized, modified, restored or published by the responsible person or by third parties, according to the guidelines.
b) Data processing / collection by non-automatic ways. it includes, so far as it is part of a registration system, the protection and immobilization of storage, preservation, modification, disclosure, transfer, transfer abroad, acquisition, provision, classification or usage.
5.1. The company has the right to process the personal datas of the related persons during the period of usage of its services and after the termination of the service, in accordance with the laid down in this Directive purposes.
5.2. the processing of personal data which is done by the company, without any restriction, by using automatic, semi-automatic or non-automatic ways, for the purpose of executed actions and encompasses all measures that are required with.
5.3. The company processes the data of the related persons or other person who is under custody of the related person.
5.4. The data processing also includes the exchange of data provided by the company's instructions and / or the company's data processing, which may be carried out with the express consent of the Person concerned and / or third parties, if the company acts in favor of and under the instructions of a third party.
5.5. Includes the processing and recording of activities by the company with the express consent of the data subject when using the various electronic channels (web browser, Website, mobile applications, as well as technical methods and channels used for payment or money transfer or receiving and similar ways or other ways). For example, the identification of the location of the datas when using an electronic channel, the identification and analysis of input data, product selection frequency and / or other statistical data, etc.
6. Basics Of Data Processing
6.1. The related person agrees that the company must process information belonging to or related to third parties during the use of the company's services and also at the termination of the contractual relationship.
a. The provision and / or performance of a service for the related person,
b. The company and third parties are obliged to process data in order to protect their legal rights,
c. The legal obligations of the company,
d. The processing of personal data belonging to the related person is necessary, if they are directly related to the creation or execution of a contract between the person concerned and the company,
e. Data processing is mandatory for the establishment, usage or protection of a right,
f. Other matters with the explicit consent of the datas of related person,
g. Other matters clearly defined in the legislation,
6.2. The Explicit consent which was given by the related person means that the related Person has accepted the Directive and its provisions.
7. Purposes Of Data Processing.
The company or third parties, who process personal datas with the explicit consent of the datas of related person, may process the personal datas of the related person or people that under the custody of the related person for the following purposes.
a. the realization of accommodation services as indicated, the provision and execution of better and more reliable services for the guest,
b. in order to optimize and improve the performance of the company, it is necessary to review the review / course of the accommodation and/or behavior patterns of the data subject,
c. the company may offer a new and / or additional Service or non-Service product,
d. modification of the existing conditions of the service provided by the company,
e. analysis of statistical data, preparation and presentation of various reports, research and / or presentations,
f. in addition to ensuring security, detection and / or prevention of misconduct and other criminal activities,
g. handling of complaints, questions and claims of the data subject,
h. verification of the identity data of the data subject,
i. Promotion, Marketing and campaign activities for the accommodation service,
j. realization of goals in national and international laws and regulations.
8. Processing, disclosure or publication of data.
The company fulfill obligations with legal and supervisory board policy decisions regarding the processing, disclosure or publication of personal data. In accordance with the purposes set out in these policies, the personal data of that Person and of third parties, including, but not limited just with these, and the following; for the processing, transmission and / or disclosure of information by the company, depending on the content and variety of accommodation offers; Name and surname of the related Person, personal identification number and / or the original information on the ID card, registered residence address, telephone / mobile number, E-Mail address, employer-related data, as well as information on conditions of employment (place of work, wages, working hours, etc.), using various electronic channels and / or the Internet (Web cookies, etc. (including but not limited to ) when using the channels mentioned above, the data subject and / or by the proxy specified in connection with the activities of third parties (the verification of these channels is including but not limited just with these actions or transaction history). The data with which the data related is accommodated during the stay will also be used.
8.1. If the related person gives the personal datas of the 3rd person (personal datas, specific datas, included but not limited with these) to the Company in order to benefit from the services of the Company; The person giving the data to the Company will be responsible for obtaining the necessary consent to process this personal data.
8.2. If the related person or his authorised representative provides such information to the company, it is assumed that the contact person has given the necessary explicit consent and that the company's obligation to obtain such express consent ceases.
8.3. if there is no explicit consent, then the company is responsible for the damages due to this processing of personal and private datas.
8.4. The explicit consent of the data subject includes the processing and recording of activities by the company when using the various electronic channels (web browser, Website, mobile applications, as well as technical methods and channels used for payment or money transfer; all this is included but not limited just with these). It includes the recording and processing of activities by the company. (For Example, Identification of the location of the data subject when using an electronic channel, identification and analysis of input data, product selection frequency and / or other statistical data, etc.).
8.5. The company may use the telephone number, mobile number, e-mail address and other contact information provided by the related person, for sending SMS, Audio or other marketing messages (direct marketing) in accordance with law 6563 (law on the regulation of electronic commerce) until the related person asserts his or her right of refusal.
8.6. The related Person gives permsion to the company the right to share his personal datas with subsidiaries and /or shareholders of the company for the purposes of the preparation of various marketing offers.
8.7. Advertising / information messages (e.g., advertising brochure, advertising images, verbal offers, etc.) to the service points of the company the occurrence or content of the company / subsidiaries occurring during the usage of electronic channels such as Internet, Mobile Marketing or similar, are not considered to be direct marketing, and the Person concerned has not the right to request the termination of the publication and/or display of such content.
9. Processing of data of applicants or employees.
9.1. To conclude a service contract; processing of personal data for the purpose of execution, management and termination. - Fulfillment of personal rights from the service contract and maintenance of these rights, Occupational Safety and security for employees, execution of work permit procedures, evaluation of personal applications, execution of research and performance evaluation and monitoring, training measures, improvement of working conditions. The company has the right to process the personal data provided by the Person due to the work trial period and/or the beginning of the internship. During the application process, information about the applicant is collected from third parties in accordance with the provisions of Data Protection Act No. 6698. The explicit consent of the applicant is required for the processing of personal data in connection with the business relationship, but not initially part of the execution of the contract.
9.2. Processing Of Personal Data. - Private qualified personal data may only be processed with the explicit consent of the related person. Personal data relating to health and sex life can only be managed in cases prescribed by law or in cases concerning public health (preventive medicine, medicine, diagnosis, treatment and care, health services and financing for the purpose of planning and managing people in duty) by persons who are obliged to maintain its secrecy. (or by authorized institutions and organizations.)
10. Transfering and sharing of information to third parties.
In order for the company to provide services to the related person, data processing or data transfers may be carried out in the context of data processing and in accordance with this directive. The related person grants permission and the right to record, store, receive, modify, rearrange, disclose, transfer, transfer abroad, acquire, classify or usage personal data acquisition of data through its suppliers, that is passed on to the company through all departments the Internet, Call centers, public institutions / organizations or others. (either fully or partially automated or non-automated, provided that it is part of any recording system)
11. Obligations of the responsible person and the data processor
11.1. In accordance with the provisions of this Directive, the company is able to manage, on behalf of the data controller, including third parties, of certain types of personal data. The data controller may process certain personal data on behalf of third parties. Accordingly, each of the parties to such a relationship (the data processing Person and the data supervisor) in accordance with the data protection act. Therefore;
a) personal data shall be processed in accordance with the principles laid down in the legislation.
b) the explicit consent of the related person must be obtained and the necessary information and clarifications must be done.
If the related person submits a request for information about his or her personal data, the data controller should, in compliance with the legal provisions, provide a response to the related person no later than 30 days after the submission of a complaint or statement.
If one of the parties represents the data administrator and the other data administrator in the processing of the data, this Person must also fulfill the following obligations. The data processor is obliged:
i. in accordance with the provisions of this directive and to the extent permitted by law or at the request of a Regulatory Authority, data transmitted / passed on by the other party may be processed,
ii. all necessary and appropriate technical and administrative measures must be taken to avoid unauthorised processing, deletion, destruction, damage or description of the related persons datas,
iii. the Company shall supervise, through its authorized personnel, the measures and practices of data processing for the purpose of data security,
iv. the data controller cooperates and supports the investigation of a complaint or statement submitted/published by the company,
v. in the event of a complaint and statement request, including data about the data subject (electronic data), the data controller must provide the company with detailed information within 7 working days of the request being submitted,
vi. data processing (transfer) to a country and / or an international Organisation that is not part of the economic zone of the European Union and is not listed as sufficient for the protection of personal data must be prevented by the data controller,
vii. Data may not be forwarded or published to third parties without the express prior written consent of the company,
viii. The company is obliged to transfer and disclose the data in accordance with a written contract that processes data, even in cases where the company has explicit prior written consent. The third party mentioned in the written contract and its sub-contractors, the data from unauthorized processing, loss, destruction, damage, are obliged to take all necessary technical and administrative measures to prevent unauthorized modification or disclosure,
ix. Compensating any loss / loss suffered by the company because the data processor (in accordance with the policy and legislation) does not take the necessary actions or cannot perform it fully. Any damages / losses (including but not limited just with these) that the company may suffer as a result of a violation of the data processor, complaints, expenses (including but not limited to expenses incurred by the company using its legal rights), legal processes and explicitly consenting data to compensate for damages and compensation against other obligations. therefore should agree with the data controller,
x. Unless otherwise specified by contract between the company and the data processor, the data processor after the contractual relationship between the company and the data processor has ended; Returning any data (including personal data) transferred / disclosed from the company. It is obliged to take all necessary security measures to prevent unauthorized access of third parties to the data, to destroy personal data transferred / disclosed by the company and to notify the company to confirm that this action has been taken.
12. Update, processing, retention period and data destruction.
12.1. the Company shall operate its services for a period consistent with the objectives and interests of the company, the requirements of the supervisory authorities and/or legislation for the purposes set out in this directive during and after that period.
12.2. the processing of the data transmitted during the use of the company's electronic channels (web browser, Website, Internet, mobile applications and/or other electronic data transmission tools) continues even after the data has been deleted from the relevant electronic channels.
12.3. At the request of the Person concerned, information about the personal data will be provided in accordance with the legislation.
12.4. if the personal data of the related person is incomplete or incorrect, these datas will be filled in and corrected after written notification by the related person.
12.5. Personal data will be stored for 15 years in any situation. or as long as it sets out in the relevant legislation or for the purposes of the processing are required. Although the personal data are processed in accordance with the statutory provisions, they are either deleted, destroyed or anonymized by the data controller himself or at the request of the data subject, if the reasons for the processing have been removed and the retention period of the company ends.
12.6. The determination of the storage and Destruction periods for which personal data is carried out according to the following criteria.
a) Storage of data, article 5. and 6.. Determination of the in the articles of Association exceptions provided for in the framework of the usage of an access authorization and control Matrix system. - For all personal data, the relevant users are identified, their powers and methods such as access, retrieval, reuse, termination of the employment contract or change of Position are respected. In these cases, the access, retrieval, reuse powers and methods of the personal data of the affected users are updated, closed, and eliminated.
b) The data will be deleted, destroyed or anonymised by the data controller after period of 10 years if the period laid down in the legal provisions has expired or no period is laid down in the relevant legal provisions for the storage of such data.
12.7. for the deletion, destruction and anonymity of personal data, Article 4 of the law entitled "general principles" with the principles referred to in Article 12 entitled "data security obligations"; the measures shall be taken in accordance with the measures to be taken under the article, the provisions of the relevant legislation, the decisions of the institution and these guidelines.
12.8. All transactions in connection with the deletion, destruction, anonymity of personal data will be recorded by the company. These records will be stored for at least 10 years, with the exception of other legal obligations.
12.9. Unless the Data Protection Authority makes a decision to the contrary, the company chooses the appropriate method for the deletion, destruction or anonymization of personal data.
12.10 The personal data acquired by the company is stored in various recording media. The data is deleted using suitable methods for recording media. Data in digital media is deleted manually and/or with the Delete command, and personal data in paper media is deleted with the blackout method. In this process, the personal data will be cut in pieces, if possible. If this is not possible, the data will be processed with ink in such a way that it cannot be undone and reread with technological solutions.
Office files on the central Server are deleted by the Delete command on the operating system of the file or the user's access rights are removed in the file or directory.
The usage of portable storage is restricted by authorization. The database of personal data is protected by authorization levels and the deletion is subject to authorization. When performing the process, care is taken whether the user is also a database administrator.
The destruction of personal data is the process of making personal data inaccessible, non-recoverable and unusable by anyone in any way. The company and the data officer shall take all necessary technical and administrative measures in relation to the destruction of personal data. In order to destroy personal data, all copies of the data are recognized and the systems in which the data is located are physically destroyed for example melting, burning or pulverizing optical and magnetic media. This prevents re-access to this data.
Network devices are rendered unusable by deletion commands. Mobile phones, portable Smartphones, fixed memory areas are rendered unusable by deletion command and physical destruction. Optical Discs, CD, DVD storage media are rendered unusable by burning or breaking into small pieces, melting by physical destruction. If the personal data is stored in equipment that has failed or is sent to maintenance, the data carriers are dismantled and stored and other defective parts are sent to third parties institutions such as manufacturers, vendors, services. The staff who comes from outside for purposes such as maintenance and repair are prevented from copying personal data from the facility and necessary measures are taken to do so. Required confidentiality agreements are in place with the relevant companies.
Anonymization is the removal or modification of all direct and indirect identifications in a record, thereby providing the person concerned from being identified or the distinction from being lost within a group in a way that cannot be associated with a real Person. The purpose of anonymization is to break the link between the data and the Person who identifies it. In the data collection system in which personal data is stored, the data is anonymized by selecting one that is suitable for the relevant data from the Link-Breaking processes carried out by means of grouping, masking, derivation, generalization, randomization, which are either automatically or not applied to the data sets.
13. The rights of related person.
Every related person has the right to know whether the personal data is being processed, why the data is being used, whether the guidelines are being followed, whether the data is being passed on to third parties at home or abroad. Incomplete or incorrect data can be changed at the request of the data subject. The deletion or destruction of personal data, information about forwarding to third parties at home or abroad can be requested. By analyzing the processed data by automated systems, objections can be raised against a result that is directed against itself. In the event that personal data is damaged by unlawful processing, the data subject has the right to request that the damage be rectified. The contact whose data is processed can reach the application form of the data holder.
14. Data Protection Of Data Processing
14.1. Personal data is subject to the data security. Any employee of the company or its subsidiaries is prohibited from accessing this data without authorization. The processing of this data by employees of the company or its subsidiaries who are not authorized on behalf of the company constitutes an unauthorized process. Employees of the company or its subsidiaries can only access personal data if they are entitled to access personal data within the content of the mandate.
14.2. Employees of the company and its subsidiaries are prohibited from using personal data for private or commercial purposes, from sharing such data with unauthorized persons, or from making such data otherwise accessible. The data manager informs employees about the obligation to protect privacy during the start-up phase, trains their employees and offers them training.
14.3. For the security and protection of property and privacy, and also for the control and measurement of the quality of service, video and audio recordings are made in the territories like kitchen and `staff only` areas, taking into account the provisions of the personal data protection Article No. 6698.
14.4. The related person is informed by the company that video recordings and video checks are carried out by appropriate means at the respective service points of the company and in communication with the company. The Person acknowledges the importance of video and audio recording and hereby gives express consent for the processing of your data.
15. Data Processing Security
Personal data is protected against unauthorized access, illegal data processing or disclosure as well as accidental loss, modification or destruction of data. The digital or written data on paper are protected. New and advanced data processing methods and information technology systems are being pursued to take technical and administrative measures to protect personal data.
16. Privacy control
If a person deliver his or her application in writing to the data protection officer, the data protection officer should complete the request as free of charge as soon as possible and at the latest 30 days after the type of application. However, if the transaction requires additional costs, fees will be charged in the tariff set by the Data Protection Authority and will be paid by the applier.