PERSONAL DATA PROTECTION POLICY
- Legal Basis: Taking as its primary legal basis Article 20 of the Constitution, which provides that everyone has the right to request the protection of personal data concerning themselves, that this right includes being informed about personal data relating to oneself, accessing such data, requesting their correction or deletion and learning whether they are being used in accordance with their purposes, and that personal data may only be processed in cases provided for by law or with the explicit consent of the individual; we attach the utmost importance to the lawful protection and processing of personal data in accordance with Law No. 6698 on the Protection of Personal Data (KVKK) and act with this care in all our planning and activities. As a Company, we take all administrative and technical measures for the protection and processing of personal data, which are the foundation of the privacy of private life, and we inform and warn our personnel about the legal sanctions regulated under Article 135 et seq. of the Turkish Criminal Code (TCK) No. 5237.
- Purpose: Law No. 6698 on the Protection of Personal Data regulates the protection of the fundamental rights and freedoms of individuals, particularly the privacy of private life, in the processing of personal data, and the obligations of natural and legal persons who process personal data as well as the procedures and principles they must follow. The purpose of our policy, prepared taking into account the said regulation, is to ensure compliance with the obligations regarding the protection of personal data, to evaluate matters relating to the processing, transfer and protection of the confidentiality of information obtained within the scope of the activities carried out by our Company with a risk-based approach, and to determine strategies, in-house controls and measures, operating rules and responsibilities, as well as to raise awareness of company employees on these matters. The policy also aims to ensure transparency by informing the individuals whose personal data is processed by our Company, primarily our customers, potential customers, employees, job applicants, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions/organisations with which we cooperate, and third parties.
- Scope: This policy covers all personal data of our customers, potential customers, employees, job applicants, Company shareholders, Company officials, visitors, employees, shareholders and officials of institutions with which we cooperate, and third parties, processed by wholly or partially automatic means or by non-automatic means provided they form part of a data recording system.
- Definitions
- Explicit Consent: Consent that is given freely based on information regarding a specific matter.
- Anonymisation: The modification of personal data in such a way that it loses its capacity to be associated with an identified or identifiable person and this cannot be reversed. Example: rendering personal data unassociated with a real person through techniques such as masking, aggregation, data distortion, etc.
- Employee: Persons working at the Company pursuant to an employment contract concluded with the Company.
- Job Applicant: Natural persons who have applied for a job through the Company by any means or who have made their CV and related information available for the Company's review.
- Natural Persons and Private Law Legal Entities: Natural persons are persons who are alive and fully born according to the Turkish Civil Code. Private law legal entities refer to commercial companies defined in the Turkish Commercial Code and associations and foundations defined in the Turkish Civil Code.
- Open to the Public: Refers to a group of people not defined by any particular characteristic, i.e. everyone.
- Shareholders: Natural or legal persons holding shares (stock) in the data controller Company.
- Business Partner: The parties with whom the data controller conducts commercial activities and is in a commercial relationship.
- Employees, Shareholders and Officials of Institutions with Which We Cooperate: Natural persons working in institutions with which the Company has any kind of business relationship (such as business partners, suppliers, but not limited to these), including shareholders and officials of those institutions.
- Subsidiaries and Affiliates: A subsidiary or affiliate is a company in whose capital the data controller holds a shareholding. If the Company holds more than 50% of the voting rights of the company it has a stake in, the relationship between the Company and that company is a subsidiary relationship; if the Company does not hold the majority, it is a simple affiliate relationship.
- Processing of Personal Data: Any operation performed on data by wholly or partially automatic means or by non-automatic means provided they form part of a data recording system, such as collection, recording, storage, preservation, alteration, re-organisation, disclosure, transfer, acquisition, making available, classification or prevention of use of personal data.
- Personal Data Subject: The natural person whose personal data is processed. For example: customers and employees.
- Personal Data: Any information relating to an identified or identifiable natural person. Processing of information relating to legal entities is not within the scope of the law. For example: name-surname, ID number, e-mail, address, date of birth, credit card number, etc.
- Customer: Natural persons who use or have used the products and services offered by the Company, regardless of whether they have a contractual relationship with the Company.
- Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special categories of personal data.
- Potential Customer: Natural persons who have requested or shown an interest in using our products and services, or who have been assessed as potentially having such an interest in accordance with commercial customs and the rules of good faith.
- Intern: Natural persons who have applied for an internship at the Company by any means, with the aim of putting their theoretical knowledge into practice in the workplace.
- Company Shareholder: Natural persons who are shareholders of the Company.
- Company Official: Board members and other authorised natural persons of the Company.
- Supplier: Parties that are in a business relationship with the data controller based on a service agreement and/or a mandate agreement for the provision of services within the scope of the data controller's commercial activities.
- Group Companies: According to the definition in the Turkish Commercial Code: "Companies directly or indirectly affiliated with the parent company form a group of companies together with it."
- Third Party: Third-party natural persons related to the above-mentioned parties in order to ensure the security of commercial transactions between the Company and the said parties or to protect the rights and interests of those persons (e.g. family members and relatives).
- Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. For example: firms or companies holding the Company's data, etc.
- Data Controller: The person who determines the purposes and means of processing personal data, manages the place where the data is systematically kept (data recording system), and provides the data subject with the necessary information regarding their personal data and makes the relevant directions following the data subject's request/application.
- Authorised Public Institutions and Organisations: Public institutions and organisations that are authorised by the relevant legislation to request information and documents from the data controller and to which the data controller is required to transfer data in order to fulfil its legal obligations.
- Visitor: Natural persons who have entered the physical premises owned by the Company for various purposes or who visit our websites.
- Abbreviations
- KVKK: Law No. 6698 on the Protection of Personal Data dated 24 March 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677.
- Constitution: The Constitution of the Republic of Turkey, No. 2709, dated 7 November 1982, published in the Official Gazette dated 9 November 1982 and numbered 17863.
- KVK Board: Personal Data Protection Board
- KVK Authority: Personal Data Protection Authority
- Policy: Company Personal Data Protection and Processing Policy
- TBK: Turkish Code of Obligations No. 6098 dated 11 January 2011, published in the Official Gazette dated 4 February 2011 and numbered 27836.
- TCK: Turkish Criminal Code No. 5237 dated 26 September 2004, published in the Official Gazette dated 12 October 2004 and numbered 25611.
- TTK: Turkish Commercial Code No. 6102 dated 13 January 2011, published in the Official Gazette dated 14 February 2011 and numbered 27846.
- Data Categories: The Company may record, process or transfer data relating to the following data categories.
- Identity (such as name-surname, date of birth, marital status, national ID number)
- Contact (such as address, email address, correspondence address, telephone number)
- Location (location information of the place where the person is, etc.)
- Personnel (such as payroll information, disciplinary investigation, employment entry-exit document records, CV information, performance evaluation reports)
- Legal Transaction (such as information in correspondence with judicial authorities, information in case files)
- Customer Transaction (such as invoice, order information, request information)
- Physical Space Security (such as entry-exit records of employees and visitors, camera recordings)
- Transaction Security (such as IP address information, website entry-exit information)
- Risk Management (information processed for the management of commercial, technical, administrative risks)
- Finance (salary information)
- Professional Experience (such as diploma information, courses attended, in-service training information, certificates, transcript information)
- Marketing (cookie records)
- Visual and Audio Records (visual and audio records, etc.)
- Health Information (such as information on disability status, blood type, personal health information, information on devices and prosthetics used)
- Criminal Conviction and Security Measures (such as information relating to criminal convictions, information relating to security measures)
- Accommodation and Reservation Information (for hotel/residence guests)
- Investor and Partner Information (within the scope of real estate development activities)
- Personal Data Processing Purposes: The Company may record, process or transfer personal data for the following purposes.
- Management of Emergency Processes
- Management of Information Security Processes
- Management of Job Applicant / Intern / Student Selection and Placement Processes
- Management of Job Applicant Application Processes
- Management of Employee Satisfaction and Engagement Processes
- Fulfilment of Obligations Arising from Employment Contracts and Legislation for Employees
- Management of Fringe Benefits and Advantages Processes for Employees
- Management of Audit / Ethics Activities
- Management of Training Activities
- Management of Access Authorisations
- Management of Activities in Compliance with Legislation
- Management of Finance and Accounting Operations
- Management of Company / Product / Service Loyalty Processes
- Ensuring Physical Space Security
- Management of Assignment Processes
- Follow-up and Management of Legal Affairs
- Management of Internal Audit / Investigation / Intelligence Activities
- Management of Communication Activities
- Planning of Human Resources Processes
- Management / Supervision of Business Activities
- Management of Occupational Health / Safety Activities
- Receiving and Evaluating Suggestions for Improving Business Processes
- Management of Business Continuity Activities
- Management of Logistics Activities
- Management of Goods / Service Procurement Processes
- Management of After-Sales Support Services for Goods / Services
- Management of Goods / Service Sales Processes
- Management of Goods / Service Production and Operation Processes
- Management of Customer Relations Management Processes
- Organisation and Event Management
- Management of Performance Evaluation Processes
- Management of Risk Management Processes
- Management of Storage and Archive Activities
- Management of Contract Processes
- Management of Strategic Planning Activities
- Ensuring Security of Movable Property and Resources
- Management of Supply Chain Management Processes
- Management of Remuneration Policy
- Management of Product / Service Marketing Processes
- Ensuring Security of Data Controller Operations
- Management of Investment Processes
- Management of Talent / Career Development Activities
- Providing Information to Authorised Persons, Institutions and Organisations
- Conduct of Management Activities
- Creation and Follow-up of Visitor Records
- Management of Activities Aimed at Customer Satisfaction
- Management of Marketing Analysis Studies
- Management of Advertising / Campaign / Promotion Processes
- Follow-up of Requests / Complaints
- Management of Corporate Social Responsibility and Civil Society Activities
- Management of Sponsorship Activities
- Legal Bases for Processing Personal Data: The legal bases for the processing of personal data are regulated under Article 5 of the KVKK. The Company acts in accordance with the applicable legislation in this regard.
- Personal data cannot be processed without the explicit consent of the data subject.
- However, provided that one of the following conditions exists, the Company may process personal data without seeking the explicit consent of the data subject:
- Being expressly provided for by law.
- Being mandatory for the protection of the life or physical integrity of the person or of another person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid.
- Being necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of a contract.
- Being mandatory for the data controller to fulfil its legal obligation.
- Having been made public by the data subject himself/herself.
- Being mandatory for the establishment, exercise or protection of a right.
- Being mandatory for the legitimate interests of the data controller, provided that this does not harm the fundamental rights and freedoms of the data subject.
- Legal Bases for Processing Special Categories of Personal Data: The legal bases for the processing of special categories of personal data are regulated under Article 6 of the KVKK. The Company acts in accordance with the applicable legislation in this regard.
- The processing of special categories of personal data is prohibited.
- However, provided that one of the following conditions exists, the Company may process special categories of personal data:
- The explicit consent of the data subject exists,
- Being expressly provided for by law,
- Being mandatory for the protection of the life or physical integrity of the person or of another person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid,
- Relating to personal data made public by the data subject and being in accordance with the will to make them public,
- Being mandatory for the establishment, exercise or protection of a right,
- Being necessary for the protection of public health, preventive medicine, medical diagnosis, provision of treatment and care services, and planning, management and financing of health services by persons under an obligation of secrecy or by authorised institutions and organisations,
- Being mandatory for the fulfilment of legal obligations in the areas of employment, occupational health and safety, social security, social services and social assistance,
- Being carried out by foundations, associations and other not-for-profit organisations or entities established for political, philosophical, religious or trade union purposes, in accordance with the legislation to which they are subject and their purposes, limited to their fields of activity and not to be disclosed to third parties, in relation to their current or former members and associates or persons in regular contact with these organisations and entities.
- Personal Data Transfer Recipient Groups: The Company may transfer personal data to the following Personal Data Transfer Recipient groups.
- Shareholders
- Business Partners
- Subsidiaries and Affiliates
- Supplier
- Group Companies
- Authorised Public Institutions and Organisations
- Persons Subject to Personal Data: The Company may record, process or transfer personal data relating to the following types of persons.
- Job Applicant
- Employee
- Intern
- Supplier Employee
- Supplier Official
- Person Receiving Product or Service
- Potential Product or Service Recipient
- Visitor
- Shareholder
- Personal Data Retention Periods: Personal data retention periods are regulated in detail in the Personal Data Retention and Disposal Policy.
- Deletion, Destruction or Anonymisation of Personal Data:
- In the event that the reasons necessitating the processing of personal data cease to exist, despite having been lawfully processed, these data shall be deleted, destroyed or anonymised by the data controller ex officio or upon the request of the data subject.
- The data controller shall delete, destroy or anonymise personal data in the first periodic disposal process following the date on which the obligation to delete, destroy or anonymise the personal data arises.
- The procedures to be followed regarding these matters are explained in detail in the Personal Data Retention and Disposal Policy.
- Transfer of Personal Data: Personal data obtained for processing within the framework of the general principles set out in the Law may be transferred to third parties with the explicit consent of the data subject.
- Domestic transfer: Details regarding the domestic transfer of personal data and special categories of personal data are regulated in the Personal Data Transfer Procedure.
- International transfer: Transfer of data abroad is possible where the appropriate safeguards specified in the Law are provided and the standard contracts published by the Authority or the binding corporate rules are completed. Where no appropriate safeguards exist, a one-time transfer may be made in exceptional circumstances on the basis of one of the transfer grounds enumerated in the Law. Details on this matter are regulated in the Personal Data Transfer Procedure.
- General (Fundamental) Principles in the Processing of Personal Data: Personal data shall be processed in accordance with the following fundamental principles as specified in detail in the Personal Data Processing Procedure. These fundamental principles are regulated under Article 4 of the Personal Data Protection Law.
- Compliance with the law and rules of good faith,
Compliance with the law and rules of good faith refers to the obligation to act in accordance with the principles introduced by laws and other legal regulations in the processing of personal data. The rule of good faith refers to acting in accordance with rules of trust and in the manner expected of a reasonable person when exercising one's rights.
- Being accurate and up to date when necessary,
It is necessary for the protection of the fundamental rights and freedoms of individuals that personal data is kept accurate and up to date. This principle protects the rights of the data subject and is also in the interests of the data controller.
- Being processed for specified, explicit and legitimate purposes,
This principle requires data controllers to determine the purpose of data processing clearly and precisely and for this purpose to be legitimate. For the purpose to be legitimate means that the data processed must be connected to and necessary for the work done or the service provided.
- Being relevant, limited and proportionate to the purposes for which they are processed,
The data processed must be suitable for achieving the specified purposes, and personal data that is not related to or not needed for achieving those purposes must not be processed. Furthermore, data processing should not be resorted to for the purpose of meeting needs that may arise in the future. The principle of proportionality means that a reasonable balance must be struck between data processing and the purpose sought to be achieved.
- Being retained for the period stipulated in the relevant legislation or for as long as necessary for the purpose for which they are processed.
As a requirement of the 'principle of purpose limitation', personal data must be retained for a period appropriate to the purpose for which they are processed. In the event that the periods stipulated by the legislation to which the data controller is subject by virtue of its legal obligations, as well as the retention periods it has itself determined, are exceeded, the personal data must be deleted, destroyed or anonymised.
- Explicit Consent: Consent given freely based on information regarding a specific matter. As specified in detail in the Explicit Consent Procedure, Explicit Consent must be in relation to a specific matter, the Consent must be based on information, and it must be given with free will.
- Obligation to inform: The Company informs the relevant persons at the time of obtaining their personal data. As regulated in detail in the Notification Procedure, this information includes at a minimum the following matters:
- The identity of the data controller and, if any, its representative,
- The purpose for which personal data will be processed,
- To whom and for what purpose personal data may be transferred,
- The method of collecting personal data and its legal basis,
- The other rights of the data subject listed in Article 11 of the Law.
- Rights of the data subject and methods of seeking legal remedy: Data subjects have the right to apply to the Company and to request: to learn whether their personal data is being processed; to request information if it has been processed; to request the correction of incomplete or incorrect data and the deletion or destruction of data processed unlawfully; to request that these operations be notified to the third parties to whom the data has been disclosed; and to claim compensation for damages arising from personal data being processed contrary to the law. The data subject may exercise their application and complaint rights as specified in the Data Subject Rights Application Procedure.
- Application: Data subjects are obliged to apply to the data controller first in order to exercise their rights. It is not possible to go to the Board by way of complaint without exhausting this route.
- Complaint: In order for the data subject to apply by way of complaint, the application must have been rejected by the Company, the response given must have been found inadequate, or no response must have been given to the application within 30 days. It is not possible for data subjects to go directly to the Board by way of complaint without first applying to the Company.
- Obligation to Comply with Board Decisions: If the Board, upon complaint or upon learning of an allegation of violation, determines that a violation exists as a result of an investigation it conducts ex officio on matters within its area of duty, it shall decide that the Company remedies the unlawfulness and notify its decision to the relevant parties. As specified in detail in the Procedure for Compliance with Board Decisions, the Company shall fulfil this decision promptly and within at most thirty days from the date of notification.
- Obligation to Register with the Data Controllers Registry (VERBİS): The Company shall register with the Data Controllers Registry (VERBİS), the registration system in which data controllers are required to register and declare information regarding their data processing activities, as specified in the VERBİS Registration Procedure, and shall update these registrations.
- Personal Data Breach: In the event that personal data being processed is obtained by others through unlawful means, the Company shall notify the relevant person and the Board of this situation as soon as possible as specified in the Personal Data Breach Procedure. The Board may, where necessary, announce this situation on its own website or by another method it deems appropriate.
- Personal Data Security Measures: The Company takes the following technical and administrative measures at a level appropriate to the Company's structure to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data. In this regard:
- Network security and application security are ensured.
- Closed system networks are used for the transfer of personal data over networks.
- Key management is applied.
- Security measures within the scope of procurement, development and maintenance of information technology systems are taken.
- Disciplinary regulations containing data security provisions for employees are in place.
- Training and awareness activities on data security are carried out for employees at certain intervals.
- An authorisation matrix for employees has been established.
- Access logs are kept on a regular basis.
- Corporate policies on access, information security, use, storage and disposal have been prepared and put into practice.
- Confidentiality undertakings are made.
- The authorisations of employees who change positions or leave the Company are revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Signed contracts contain data security provisions.
- Extra security measures are taken for personal data transferred on paper and the relevant document is sent in classified document format.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported quickly.
- Personal data security is monitored.
- The necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
- The security of environments containing personal data is ensured.
- Personal data is minimised as much as possible.
- Personal data is backed up and the security of backed-up personal data is also ensured.
- A user account management and authorisation control system is in place and is monitored.
- Periodic and/or random in-house audits are conducted and commissioned.
- Log records are kept without user intervention.
- Existing risks and threats have been identified.
- Protocols and procedures for the security of special categories of personal data have been determined and are applied.
- Where special categories of personal data are to be sent by electronic mail, they are sent encrypted using KEP or corporate email accounts.
- Secure encryption / cryptographic keys are used for special categories of personal data and are managed by different units.
- Attack detection and prevention systems are used.
- Penetration testing is applied.
- Cyber security measures have been taken and their implementation is continuously monitored.
- Encryption is applied.
- Data processing service providers are audited on data security at certain intervals.
- Awareness of data processing service providers on data security is ensured.
- Data loss prevention software is used.
Data Controller Title: KK UNİVERSAL TURİZM KONAKLAMA GAYRİMENKUL VE GELİŞTİRME A.Ş.
MERSIS No: 0336132644000001
E-mail address: info@kkuniversalinc.com
KEP address:
Physical Postal Address: Halil Rıfat Paşa Mah. Yüzer Havuz Sk. Perpa Tic. Mer. A Blok No: 1 İç Kapı No: 1766 Şişli / İstanbul