1. INTRODUCTION
1.1. Introduction
Since the protection of personal data is a fundamental human right, it is among the most important priorities of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." Company ("Company"). The company makes maximum efforts to comply with all applicable legislation in this regard in order to secure the right to the protection of personal data. Within the framework of this "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." Policy for the Protection and Processing of Personal Data ("Policy"), the principles adopted in the conduct of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations in the Law No. 6698 on the Protection of Personal Data ("Law") are explained, and thus, our Company provides the necessary transparency by informing the data subjects. Your personal data is processed and protected within the scope of this Policy with full awareness of our responsibility in this context.
1.2. Scope
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." ("COMPANY") Policy for the Processing and Protection of Personal Data ("Policy") has been prepared with the aim of disciplining the processing of personal data within the framework of the legislation on personal data and protecting the fundamental rights and freedoms, especially the privacy of private life, as stipulated in the Constitution.
While preparing the "Policy", it has been determined as the basic principle to determine which data is collected by the business units and why, and why they need to transfer these data to third parties within the organizational chart of the "COMPANY" and to understand the personal data processing method of the COMPANY. While transferring the requirements of the relevant legislation to the "Policy", it is adopted as a principle to explain in a simple and understandable manner what data the "COMPANY" provides and why, and why it processes these data by being privatized, within the framework of the requirement of protecting personal data. In addition, it is aimed to take the necessary administrative and technical precautions to protect data privacy within and outside the organization of the "COMPANY" and to inform and enlighten the individuals whose data are processed.
1.3. Implementation of the Policy and PDPL Legislation
Regarding the processing and protection of personal data, the relevant legal regulations in force shall be applied first. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation shall prevail. The Policy regulates the rules laid down by the relevant legislation by concretizing them within the scope of Company practices.
1.4. Enforcement of the Policy
The effective date of this Policy is 04.01.2023. This Policy is published on the website of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." [https://www.bestillhotel.com/]
2. ISSUES ON THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data
Our Company takes the necessary measures depending on the nature of the data to be protected in order to prevent the illegal disclosure, access and transfer of personal data or security deficiencies that may occur in other ways, in accordance with Article 12 of the Law. In this context, our Company takes administrative measures and conducts inspections, or has them conducted, in accordance with the guidelines published by the Personal Data Protection Board ("Board") to ensure the required security level.
2.2. Protection of Private Personal Data
Particular attention has been given to the use of some personal data by the Law due to the risk of victimization or discrimination of persons when they are processed illegally. These data are data with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." acts sensitively for the protection of private personal data determined by the Law as "private" and processed in accordance with the law. Within this context, the technical and administrative measures taken by "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." for the protection of personal data are carefully applied with respect to the private personal data and necessary controls are provided within "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S.".
2.3. Raising Awareness and Supervision of Business Units
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." organizes regular trainings in order to raise awareness to prevent unlawful processing of personal data, illegal access to personal data and to protect personal data. Necessary systems are established to create awareness among the employees of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." on the protection of personal data, and consultants are engaged when needed. In this regard, our Company participates, through its employees, in the relevant trainings, seminars and information sessions organized especially by the Personal Data Protection Authority, and renews its trainings in parallel with the updating of the relevant legislation.
3. ISSUES ON PROCESSING OF PERSONAL DATA
Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation
Processing in Accordance with the Law and Good Faith
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." acts in accordance with the principles enforced by legal regulations and the general rule for trust and good faith in the processing of personal data. In this context, personal data is processed to the extent required by and limited to the business activities of our Company.
Ensuring the Personal Data to Be Accurate and, When Necessary, Up-to-Date
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." takes the necessary measures to ensure that personal data are accurate and up-to-date during the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods.
Processing with Specific, Clear and Legitimate Purposes
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." clearly reveals the purposes of processing personal data and processes it within the scope of the purposes related to these activities in line with its business activities.
Being in Line with, Limited to and Restrained with the Purpose They are Processed
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." collects personal data only in the nature and extent required by its business activities and processes it only for the specified purposes.
Keeping for the Time Envisaged in the Relevant Legislation or Required for the Purposes for Which It is Processed
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." stores personal data for the period required for the purpose for which it is processed and the minimum period stipulated in the legislation to which the relevant activity is subjected. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the application of the data owner and by means of the determined destruction methods (deletion and destruction and anonymization).
Requirements for Processing Personal Data
Except for the explicit consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions stated below, or more than one condition may be the basis of the same personal data processing activity. In case the processed data is private personal data, the conditions included in item 3.3 ("Processing of Private Personal Data") of this Policy shall be applied.
i. Presence of Explicit Consent of the Personal Data Owner
One of the conditions for the processing of personal data is the explicit consent of its owner. The explicit consent of the personal data owner must be explained on a specific matter, on an informed basis and with a free will.
ii. Explicit Prediction in Laws
If the personal data of the data owner is explicitly stipulated in the law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data, the existence of this data processing requirement may be mentioned.
iii. Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility
The personal data of the data owner may be processed in case it is compulsory to process personal data in order to protect the integrity of the life or body of the person himself/herself who cannot explain his/her consent or whose consent cannot be validated due to the actual impossibility, or of another person.
iv. Being Directly Related with the Establishment or Execution of the Contract
Provided that it is directly related to the establishment or performance of a contract to which the data owner is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
v. Company's Fulfillment of its Legal Obligation
The data owner's personal data may be processed if it is compulsory for our Company to fulfill its legal obligations.
viii. Compulsory Data Processing for the Legitimate Interest of our Company
The personal data of the data owner may be processed if the data processing is compulsory for the legitimate interests of our Company provided that the basic rights and liberties of the data owner are not damaged.
Processing of Private Personal Data
Private personal data are processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical precautions, including the methods to be determined by the Board, and in the presence of the following conditions:
- (i) Private personal data other than health and sexual life can be processed without requiring the explicit consent of the data owner, in case it is clearly stipulated in the laws, in other words, there is an explicit provision in the law regarding the processing of personal data. Otherwise, the explicit consent of the data owner shall be obtained in order to process such private personal data.
- (ii) Private personal data related to the health and sexual life can be processed by the persons or authorized institutions and organizations under the obligation of confidentiality without requiring the explicit consent, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing. Otherwise, the explicit consent of the data owner shall be obtained.
Enlightening Data Subjects
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." enlightens personal data owners in accordance with Article 10 of the Law and the secondary legislation. In this context, "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S.", as the data supervisor, informs the data subjects about who processes the personal data and for what purposes, for what purposes it is shared, with which methods it is collected, and its legal reason and the rights of the data owners within the scope of the processing of their personal data.
Transfer of Personal Data
Our company may transfer the personal data and private personal data of the personal data owner to the third persons (third party companies, public and private authorities, third party real persons) by taking necessary security measures in line with the legal personal data processing purposes. In this respect, our Company acts in compliance with the regulations set out in Article 8 of the Law.
Although the personal data owner has not given his/her explicit consent, personal data can be transferred by our Company with due care to third parties by taking all necessary security precautions, including the methods prescribed by the Board, in case one or more of the conditions stated below are present.
- If the relevant activities regarding the transfer of personal data are clearly stipulated in the laws
- If the transfer of personal data by the Company is directly related with and necessary for the establishment or performance of a contract
- If the transfer of personal data is mandatory for our Company to fulfill its legal obligation
- If the personal data is transferred by our Company in a limited way for the purpose of making it public, provided that it has been made public by the data owner
- If the transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data owner or third parties
- If it is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner
- If it is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid
Transfer of Private Personal Data
Private personal data can be transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical precautions, including the methods to be determined by the Board, and in the presence of the following conditions:
- (i) Private personal data other than health and sexual life can be processed without requiring the explicit consent of the data owner, in case it is clearly stipulated in the laws, in other words, there is an explicit provision in the law regarding the processing of personal data. Otherwise, the explicit consent of the data owner shall be obtained.
- (ii) Private personal data related to the health and sexual life can be processed by the persons or authorized institutions and organizations under the obligation of confidentiality without requiring the explicit consent, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing. Otherwise, the explicit consent of the data owner shall be obtained.
4. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA
In our Company, the data subjects are informed pursuant to Article 10 of the Law and the secondary legislation, and in line with the purposes of our Company regarding the processing of personal data, personal data is processed based on and limited to at least one of the personal data processing conditions specified in Article 5 and Article 6 of the Law and in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law on the processing of personal data.
5. STORAGE AND DISPOSAL OF PERSONAL DATA
Our Company stores personal data for the period required for the purpose for which it is processed and the minimum period stipulated in the legislation to which the relevant activity is subjected. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the application of the data owner and by means of the determined destruction methods (deletion and destruction and anonymization).
6. RIGHTS OF DATA SUBJECT
6.1. Rights of Data Subject
- Learn whether your personal data is processed
- Request information on your Personal Data if it has been processed
- Learn the purpose of processing your Personal Data and whether they are used appropriately for this purpose
- Know the third parties to whom your Personal Data is transferred
- Request correction of your Personal Data if it is incomplete or improperly processed
- Request your Personal Data to be deleted or destroyed
- Request the transactions made to be notified to third parties
- Object to the appearance of a result against yourself
- Request the compensation of damages in case of loss
How Can You Exercise Your Rights?
You can fill in the "application form", which you can download using the link https://www.kvkk.gov.tr/, in line with your request/complaint, send this form to us via MAİL ADRESS, or you can fill the form physically and send it to "Ortahisar Beldesi Yeni Mah.Hisar Sk.Suzan Özbay Sitesi Best Cave Hotel Blok No 10 İç kapı no Z1 NEVŞEHİR" by courier/mail. If you submit your request to us using one of the methods indicated above, your request shall be evaluated within 30 days at the latest and you will be informed about the subject, pursuant to Article 13/2 of the PDPL. If your request is accepted, the necessary actions shall be carried out immediately by the data supervisor COMPANY. As a rule, requests are met free of charge, but if fulfilling the request requires costs, a fee can be charged by the COMPANY pursuant to the following provision stipulated in article 7 of the "Communiqué on the Procedures and Principles of Application to the Data Supervisor": "If the application of the data subject will be answered in writing, no fee is charged for up to 10 pages. A transaction fee of 1 TL shall be charged for each page after ten pages. If the answer is given to the application in a recording medium such as CD or flash memory, the fee that may be requested by the data supervisor shall not exceed the cost of the recording medium."
7. SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED
Personal Data Processing Activities Performed at the Entrances and Inside of Buildings and Facilities, and Website Visitors
In order to ensure security, "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." performs personal data processing activities in the buildings and facilities of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." by security cameras for monitoring the entrances and exits of the visitors.
Camera Monitoring Activities of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." at the Entrances and Inside of Buildings and Facilities
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." carries out camera monitoring activities in accordance with the Law on Private Security Services and the relevant legislation in order to ensure security in its buildings and facilities.
- "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law, in order to ensure security in its buildings and facilities.
- In accordance with Article 10 of the Law, "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." informs the personal data owner through more than one method regarding the camera monitoring activity. In addition, "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." processes personal data in line with, limited to and restrained with the purpose they are processed, in accordance with Article 4 of the Law.
- The purpose of maintaining the video camera monitoring activity by "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." is limited to the purposes listed in this Policy. In this regard, the monitoring areas of security cameras, their number and time of monitoring are implemented in a sufficient and limited way to achieve the security goal.
- Areas (for example, toilets) that may result in interference with the privacy of the person exceeding the security goals are not subject to monitoring.
- Only a limited number of employees of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." have access to the records saved and preserved on the digital media with vital camera images. A limited number of persons with access to the records declare that they will protect the confidentiality of the data they obtain through a confidentiality commitment.
Tracking of Entries and Exits of Visitors
"BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." performs personal data processing activities for monitoring the entrances and exits of the visitors to ensure security and for the purposes specified in this Policy.
While obtaining the names and surnames of the persons who come to the buildings of "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." as visitors, or through texts posted by "BESTILL TURIZM OTELCILIK SAN. VE TIC. A.S." or made available to the visitors in other ways, the personal data owners are informed in this context. The data obtained for the purpose of monitoring the entrances and exits of the visitors is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.
8. PRECAUTIONS FOR THE SECURITY OF PERSONAL DATA
With the awareness of the responsibility of being a well-established company, the "COMPANY" provides all reasonable attention and care to ensure the confidentiality and security of the personal data it processes.
In addition to the requirements of the relevant legislation, the "COMPANY" takes technical and administrative measures at a reasonable level to ensure data privacy and security within the framework of Article 12 of the PDPL.
With the aforementioned administrative and technical security precautions, it is aimed to prevent illegal processing of personal data, to prevent illegal access to personal data, and to keep personal data at an appropriate security level.
The "COMPANY" shall take the necessary measures to ensure that these precautions are also taken by the data operators in the event that personal data is processed by another natural or legal person (data operator) on its behalf.
In case personal data is illegally seized by third parties, it shall notify the data owners, the Board and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation.
The Personal Data Security Guide (Technical and Administrative Precautions) published by the Board is taken into account when taking precautions regarding the security of personal data.
Administrative Precautions
- Establishing and operating an information security management system within the Company
- Signing covenants and confidentiality agreements with Company staff and related parties
- Performing risk analyses on business processes
- Establishing personal data inventories
- Operating information security policies and procedures
- Organizing and evaluating trainings on information security and personal data processing activities
- Use of computers, etc. of the employees only by the authorized persons in order to prevent unauthorized access to these tools and equipment
- Reviewing the activities through internal or independent audits
- Creating records that will produce objective evidence for the transactions carried out
Technical Precautions
- The risks, threats, vulnerabilities and, if any, gaps in the Company's information systems are revealed with penetration tests and necessary precautions are taken
- As a result of real-time analyses performed with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored
- Access to information systems and authorization of users are performed through access and authorization matrix and security policies over the corporate active directory
- When software changes and/or updates will be made on the systems, tests are made in the test environment, security vulnerabilities, if any, are detected, necessary precautions are taken and the change to be made is finalized after these processes
- Necessary precautions are taken for the physical security of information systems equipment, software and data
- In order to protect the information security systems against environmental threats, hardware and software precautions are taken
- Risks to prevent illegal processing of personal data are identified, ensuring that technical precautions are taken for these risks, and technical controls are carried out regarding the precautions taken
- By establishing access procedures within the company, reporting and analysis studies regarding access to personal data are carried out
- The Company takes the necessary precautions to ensure that the deleted personal data is inaccessible and unavailable for the relevant users
- In case personal data is illegally obtained by others, preparations have been made to inform the relevant person and the Board about this situation
- Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date
- Strong passwords are used in electronic environments where personal data are processed
- Secure logging systems are used in electronic environments where personal data is processed
- Data backup programs that ensure the safe storage of personal data are used
- Access to personal data stored in electronic or non-electronic media is limited according to access principles
- Access to the company website is encrypted with SHA 256 Bit RSA algorithm using secure protocol (HTTPS)
- Private personal data security trainings have been provided for the employees involved in private personal data processing processes
- Electronic environments where private personal data is processed are preserved using cryptographic methods
- Adequate security measures are taken in physical environments where private personal data is processed
- If private personal data needs to be transferred via e-mail, it is transferred in encrypted form
- If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons