- Purpose of the Data Protection, Storage and Destruction Policy
To provide information on the lawful processing of personal data carried out by our COMPANY and its systems, and on the measures adopted for the protection of personal data. We aim to ensure transparency by informing the people whose personal data are processed by our COMPANY, in particular our guests, employees, candidates, shareholders, company authorities, visitors (employees, shareholders and authorities of the institutions we cooperate with), and third parties.
- Scope of the Data Protection, Storage and Destruction Policy
2.1 The national laws and international treaties in force apply to the processing and protection of personal data. In the event of any inconsistency between the applicable legislation and this policy, the COMPANY agrees that the applicable legislation shall prevail.
2.2 This policy is related to all personal data of our guests, employees, candidates, COMPANY shareholders, COMPANY authorities, visitors (employees, shareholders and authorities of the institutions that we cooperate with), and third parties, which are processed via automatic means, or through non-automatic means if the process is a part of any data registry system.
2.3 Our policy, which regards the personal data subjects described above, may be implemented to the fullest extent (for example, including employee candidates who are also our visitors), or only certain parts of its provisions may be implemented (for example, for only our visitors).
2.4 Personal data that has been anonymised for statistical evaluations or studies, unidentifiable personal data, and data related to legal persons are not considered to be personal data and are not subject to this policy.
2.5 This policy may be updated at any time. Therefore, in order to access the most updated version of the policy, please visit www.grandhotelderin.com
Law/PDPL: Law on Protection of Personal Data dated 24/3/2016 and numbered 6698.
Board/Authority: Personal Data Protection Board/ Personal Data Protection Authority.
Personal Data: all the information relating to an identified or identifiable natural person
Data Subject: the natural person, whose personal data is processed.
Explicit consent: freely given, specific, and informed consent.
Anonymising: rendering personal data impossible to link to an identified or identifiable natural person, even after matching them with other data.
Erasure of Personal Data: Erasure of Personal Data is the process by which information is rendered inaccessible and unusable for all relevant parties.
Destruction of Personal Data: Destruction of Personal Data is the process by which all physical means capable of information storage are rendered irretrievable and unusable for everyone.
Processing Personal Data: Any operation performed upon personal data, such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially via automatic means, or via non-automatic means provided that the process forms part of a data registry system.
Data Processor: The natural or legal person who processes personal data on behalf of the controller upon the controller's authorisation.
Data Controller: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
Personal Data of Special Nature: Personal data relating to the race, ethnic origin, political opinions, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, or biometric and genetic data.
Obligation of Controller to Enlighten: Whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects of the identity of the controller and their representatives, if any; the purpose of data processing; to whom and for what purposes the processed data may be transferred; the method and legal reason for collection of personal data; and other rights referred to in Article 11.
Elektra: Front Office, accounting and procurement automation system where the customer data are available.
Destruction Policy: Policy dependent on determining the maximum period of time required for the purpose of the processing of personal data, and erasure, destruction or anonymising of personal data.
Recording Media: Any electronic media where the personal data, processed fully or partially via automatic means or provided that the process is a part of any data registry system, through non-automatic means, are available.
Netahsilat: Online payment system.
Company: DERİN TURİZM YATIRIM VE OTEL İŞLETMECİLİĞİ LTD.ŞTİ.
- Principles Related to Processing Personal Data
4.1 Lawfulness and conformity with the rules of bona fides: The COMPANY protects the individual rights of the data subject(s) when processing personal data. Personal data must be collected in a fair manner and processed in accordance with the rules of bona fides.
4.2 Being processed for specific, explicit and legitimate purposes, and being relevant to, limited to and proportionate to the purposes for which they are processed: Personal data may be processed only for the purpose defined by the COMPANY before the data are collected. The COMPANY processes personal data only for the purpose of rendering a better service to the data subjects. During collection of personal data, the data subject is informed about the identity of the controller and of its representative, if any; the purpose of the processing; to whom and for what purposes the processed data may be transferred; the method and legal basis of the collection; and their other rights.
4.3 Being retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed: The COMPANY retains personal data only for the period stipulated by the relevant legislation or required for the purpose of the processing. As long as the personal data remain necessary for the purposes for which they are processed, or are required by regulatory authorities and/or the relevant laws and regulations, the COMPANY and the affiliates under its control continue to process and retain them in accordance with the purposes set out in this policy.
4.4 Accuracy and being up to date: The COMPANY must keep the personal data on file correct, complete and, where necessary, up to date. Inaccurate or incomplete data are deleted, corrected, completed or updated.
4.5 Confidentiality and data security: Personal data are subject to data secrecy. They are considered private and confidential, and the necessary technical and administrative measures must therefore be taken to prevent unauthorised access, unlawful processing or distribution, and accidental loss, modification or destruction, and to keep personal data securely.
- Scope of Processing Data
Personal data may be processed in two ways.
Processing personal data fully or partially via automatic means includes collecting, recording, photographing, voice recording, video recording, organising, storing, modifying, restoring, retrieving or disclosing data obtained from the data subject or from the third parties specified in this policy, and transferring, distributing or submitting them in various ways, grouping or merging, blocking, erasing or destroying them.
Processing/collecting personal data via non-automatic means includes recording, storage, retention, alteration, re-organisation, disclosure, transferring, transferring abroad, taking over, making retrievable, classification or preventing use, provided that the process forms part of a data registry system.
5.1 The COMPANY shall have the right to process the personal data of the data subject during the course of the services it offers, as well as following the end of its service relations by means of abiding the purposes set out in this policy.
5.2 Processing personal data by the COMPANY includes all actions performed on the data by using automatic or semi-automatic means, or provided that the process is a part of any data registry system, via non-automatic means, without any restriction.
5.3 The COMPANY processes the data of the data subject, or the persons who are under the custody of the data subject.
5.4 Processing personal data also includes sharing data delivered with the explicit consent of the data subject and/or of third parties, whether on the instructions of the COMPANY and/or where the COMPANY is the data controller, or in favour of a third party or under its instructions.
5.5 The consent of the data subject enables the COMPANY to record and process the data subject's activity while using various electronic channels (including, but not limited to, the technical methods and channels used for web browsing, websites, the internet, mobile applications, payment transactions, money transfers and retrieval); for example, locating the data subject, identifying and analysing entry data, product selection frequency and/or other statistical data while an electronic channel is used.
- Basics of Processing Data
6.1 The data subject agrees that data belonging to the data subject or third parties mentioned by the data subject are required to be processed by the COMPANY in accordance with the following purposes, in the course of using the COMPANY’s services, and even after the contractual relation ends.
- a) Rendering and/or applying a service for the data subject,
- b) Processing data is compulsory for protecting the legal rights of the COMPANY and/or the third parties,
- c) Fulfilment of legal obligations of the COMPANY,
- d) Processing personal data of the data subject is necessary for the establishment or performance of an agreement between the data subject and the COMPANY,
- e) Processing data is compulsory for establishing, using or protecting a right,
- f) Other matters where the data subject grants their explicit consent,
- g) Other matters explicitly stipulated by the legislation.
6.2 The explicit consent of the data subject shall mean that the data subject agrees to the policy and its provisions.
- Purposes of Processing Data
Third parties processing personal data shared with the consent of the COMPANY and/or the data subject, may process the personal data of the data subject or the persons who are under the custody of the data subject for the following purposes:
- Performing accommodation services as declared, providing and carrying out better and more reliable services to the guests,
- Collecting online payments through the Netahsilat online payment system; these transactions require the guest's name, surname, date of birth, email address, phone number and credit card information,
- Research and survey assessment, rendering planning, statistics, archiving, storage services, carrying out customer satisfaction studies,
- Reviewing the accommodation history and/or behaviour patterns of the data subject in order to optimise and develop COMPANY services,
- Offering a new and/or additional service or non-service product by the COMPANY,
- Changing the current conditions of the service offered by the COMPANY,
- Analysing the statistical data by the COMPANY, preparing and presenting various reports, research and/or presentations,
- Ensuring security, and identifying and/or preventing misuse or other activities constituting a crime,
- Meeting complaints, questions and requests of the data subject,
- Verifying the credentials of the data subject,
- Carrying out introduction, marketing, promotion and campaign activities for accommodation services,
- Performing other purposes stipulated by national and international laws and legislations.
- Processing, Transferring and Disclosing Data
In processing, transferring and disclosing personal data, the COMPANY fulfils the obligations imposed by the relevant legislation and Board resolutions. For the purposes specified in this policy, and depending on the content and variety of the accommodation service offered, the COMPANY processes, transfers and/or discloses personal data of the data subject and of the third parties mentioned below, including but not limited to: name and surname; personal identification number and/or the details of the ID card; registered and/or domicile address; telephone/mobile number; email address; data relating to the employer and to employment conditions (work place, wage, working hours, etc.); the activities of the data subject and/or of the third parties specified by the data subject while using various electronic channels and/or the internet (including but not limited to web cookies), including verification of those channels, actions and processing history; and data relating to the people with whom the data subject was staying while receiving the service.
8.1 If the data subject provides the personal data (Including but not limited to personal data, personal data of special nature, etc.) of the third persons (family members, employer, etc.) in order to benefit from the COMPANY’s services, the data subject who provides information to the COMPANY, shall be responsible for getting the necessary consent of those for processing those personal data.
8.2 If the data subject provides such information to the COMPANY (or to its official), it is assumed that the data subject grants the necessary explicit consent and the COMPANY shall be released from the obligation to get this explicit consent.
8.3 In the event of any damage to the data subject as a result of the processing of their personal data and/or personal data of special nature without their explicit consent, the COMPANY shall be obliged to compensate such damage.
8.4 The explicit consent of the data subject covers the recording and processing by the COMPANY of their activities while using various electronic channels (including, but not limited to, the technical methods and channels used for web browsing, websites, the internet, mobile applications, payment transactions, money transfers and retrieval); for example, locating the data subject, identifying and analysing entry data, product selection frequency and/or other statistical data while an electronic channel is used.
8.5 The COMPANY shall have the right to use telephone or mobile phone number, email address and other contact information, provided by the data subject, to send commercial electronic messages including sending SMS, voice and/or other marketing messages (direct marketing) within the scope of Law on Regulation of Electronic Commerce numbered 6563, until the data subject uses their right to refuse.
8.6 The data subject grants the COMPANY the right to share their personal data with the subsidiaries and/or shareholders of the company, for various marketing offers.
8.7 Advertisements and informative messages at the COMPANY's service points (for example, advertising brochures, promotional visuals, oral offers, etc.), and content displayed during the use of electronic channels such as the internet or the mobile marketing of the COMPANY (or its affiliates), shall not be considered direct marketing; the data subject shall not have the right to demand that the publication and/or display of such content be stopped.
- Processing Data of the Applicants and Employees
9.1 Processing data for concluding, executing, maintaining and terminating the employment agreement:
The COMPANY shall have the right to process the personal data of the data subject that was disclosed when starting a job, and during probation, and/or internship, for human resources and training proceedings such as the fulfilment of personal rights arising from the employment agreement, maintaining them uninterruptedly, occupational health and safety service provided to the employees, execution of working permit proceedings, evaluation of personal job applications, conducting research and other recruitment processes, performance evaluation and follow-up, training activities, improvement of working conditions, and managing personal development processes.
When applying to a job, the collection of information related to the applicant from third parties shall be performed within the framework of the provisions of Law on Protection of Personal Data numbered 6698.
The explicit consent of the applicant is required for the processing of personal data that is not a part of the initial employment agreement, but which is related to the business relationship.
9.2 Processing Personal Data of Special Nature
Personal data of special nature shall be processed only with the explicit consent of the data subject. Personal data of special nature other than those relating to health and sexual life may, however, be processed without explicit consent in the cases stipulated by law. Personal data relating to health and sexual life may be processed without explicit consent only by persons or authorised public institutions and organisations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services.
- Data Sharing/Transfer to/from Third Parties
Personal data are transferred to/shared with the data subject and/or the third parties specified by the data subject, within the scope of data processing, in order for the COMPANY to render services to the data subject. The data subject grants the COMPANY the right to collect, record, store, retain, alter, re-organise, disclose, transfer, transfer abroad, take over, make retrievable, classify or use their personal data, fully or partially, through automatic means or via non-automatic means provided that the process forms part of a data registry system, through all of its departments, the internet, call centres, public institutions and organisations, and the parties from which the COMPANY and its suppliers receive services in order to carry out and extend the activities of the COMPANY.
- Obligation of Data Controller and Processor
11.1 Under this policy, the COMPANY is the data processor for some types of personal data and may act on behalf of a data controller, including third parties; conversely, a data controller may act as data processor for third parties in respect of some personal data. Any party that may act as data processor as well as data controller must therefore act in accordance with the Law on Protection of Personal Data. Accordingly:
- a) Personal data has been processed in accordance with the principles set out in the legislation.
- b) The explicit consent of the data subject shall be obtained, and the information required by the obligation to inform shall be provided.
Where the data subject requests information on their own personal data, or a complaint or statement concerning the data controller's compliance with the obligations imposed by the legislation is communicated, the data controller must respond to the data subject as soon as possible and no later than 30 days.
Where, during data processing, one party acts as data processor and the other as data controller, the data processor shall fulfil the following obligations:
- By complying with the extent and scope defined by the provisions of this policy and permitted by the legislation, or upon the request of a regulatory authority, it processes the data communicated/disclosed by another party,
- In order to prevent unauthorised processing, loss, destruction, damage, unauthorised alteration or disclosure of data communicated/disclosed by data controller, it applies all reasonable technical and administrative measures and takes all necessary actions, and informs the data controller of each measure taken thereof,
- The COMPANY controls the applied measures and practices by the data processor for data security through its authorised personnel,
- It cooperates with and supports the examination of complaints or statements communicated to it by the COMPANY, and in particular:
- It provides detailed information to the COMPANY related to the complaints and statements communicated/disclosed by the data controller to data processor, including information on the data subject (including electronic data), within 7 working days from the date of request,
- It refrains from any data processing (transfer) activity to a country and/or international organisation that is not part of the European Economic Area, is not on the list of countries providing an adequate level of protection, or to which transfer has not been permitted by the data subject or the Personal Data Protection Board.
- It shall not transfer/disclose personal data to the third parties without explicit consent of the COMPANY beforehand.
- Even in cases where explicit consent of the COMPANY is available beforehand, the data processor shall be obliged to transfer/disclose the data in accordance with a written agreement. In the above-mentioned written agreement, third parties and their subcontractors shall be obliged to take all necessary technical and administrative measures to prevent unauthorised processing, loss, destruction, damage, unauthorised alteration or disclosure of data,
- If the data processor fails to take the necessary actions or to fulfil its obligations in full (in accordance with this policy and the legislation), it shall compensate any damage or loss suffered by the COMPANY. The data processor expressly agrees to indemnify the COMPANY for any damages or losses it incurs as a consequence of the data processor's violation, including but not limited to consequential damages, complaints, expenses (including, but not limited to, any costs incurred by the COMPANY in exercising its legal rights), legal proceedings and other liabilities, and agrees this with the data controller.
- Unless otherwise specified by the agreement between the COMPANY and the data processor; the data processor, after the termination of the contractual relationship between the COMPANY and the data processor, shall return any data (including personal data) communicated/disclosed by the COMPANY. It shall be obliged to take all necessary security measures to prevent unauthorised access to data by third parties, to destroy personal data transferred/disclosed by the COMPANY, and to notify the COMPANY confirming that this action has been taken.
- Updating, Processing, Retention Period and Destruction of Data
12.1 The COMPANY continues to process personal data during the course of using the Company’s services, and for the purposes specified in this policy after this period, for a period of time consistent with the purposes and interests of the company, and with the request of the supervisory/regulatory authorities and with the legislation.
12.2 The processing of personal data transmitted via the use of the company’s electronic channels (web browsing, web site, internet, mobile applications and/or other electronic data transmission tools) continues after erasing personal data from the related electronic channels.
12.3 Upon the request of the data subject and in compliance with the legislation; information on personal data retained by the COMPANY shall be provided.
12.4 In the event of any incomplete or inaccurate data from the data subject retained by the COMPANY, upon the written notification by the data subject, the incomplete or inaccurate data shall be completed and rectified.
12.5 Personal data shall be retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed, and in any case for 15 years. Even where they have been processed in accordance with the legislation, once the reasons requiring processing no longer exist or the COMPANY's retention period has expired, personal data shall be erased, destroyed or anonymised by the data controller, either of its own motion or upon the request of the data subject.
12.6 To determine retention and destruction periods of personal data, proceedings shall be carried out by addressing the following criterion:
- a) By identifying under which of the exceptions stipulated in Articles 5 and 6 of the Law the storage of the data will be evaluated;
An access authorisation and control matrix is maintained. For each category of personal data, the relevant users are identified, together with their authorisations and the methods of access, restoration and re-use. On termination of an employment agreement or a change of position, the access, restoration and re-use authorisations and methods of the relevant users are updated, closed and cancelled.
- b) As regards storage of such personal data: when the period stipulated by the legislation expires, or where the relevant legislation stipulates no storage period, the data shall be erased, destroyed or anonymised by the data controller after a period of 10 years.
12.7 For the erasure, destruction and anonymisation of personal data, the Company acts in accordance with measures taken within the scope of the principles in the article 4 of the Law, titled “General Principles” and the article 12 titles “Obligations Concerning Data Security”, the provisions of the relevant legislation, Board resolutions and this policy.
12.8 All operations made in relation to erasure, destruction and anonymisation of personal data, are recorded by the COMPANY. Such records are retained at least for a period of 10 years, excluding other legal obligations.
12.9 Unless otherwise decided by the Personal Data Protection Authority, the COMPANY selects one of the applicable methods of erasure, destruction or anonymisation of personal data.
12.10 Personal data collected by the COMPANY are stored in various recording media and are erased by the method appropriate to each medium. Data stored in cloud applications are erased by issuing a delete command and/or manually. Personal data in printed form are erased by darkening: the personal data are cut out of the relevant document or, where cutting is not practical, rendered irreversibly invisible with indelible ink.
Office files stored on central servers are erased by issuing a delete command on the operating system, or by revoking the access authorisation of the relevant user on the file or on the directory in which it is kept. Personal data stored on portable media are kept in encrypted form and are erased in the same way, using software suitable for the medium. Database rows that contain personal data are erased by issuing the appropriate database commands (DELETE etc.); the user carrying out this operation must not also be a database administrator. Erasure in these forms renders the data inaccessible to the relevant users; it is distinct from destruction, described next.
Destruction of personal data is the process of rendering the personal data strictly and conclusively inaccessible, non-retrievable and non-reusable by anyone. The COMPANY, as data controller, takes all technical and administrative measures necessary and appropriate for the destruction of personal data. For destruction, every copy holding the data is identified and the media holding it are destroyed physically: optical and magnetic media are melted, burned, powdered or shredded so that the data can no longer be accessed. Data on network devices (switch, router, etc.) are destroyed using the device's delete command; data on mobile phones (SIM card and fixed memory) are destroyed using the delete command for that memory and by physical destruction; optical media such as CDs and DVDs are destroyed by physical methods such as burning or breaking into small pieces. For devices that have broken down and are to be sent for maintenance, the data storage media are removed and retained, and only the remaining broken parts are sent to third parties such as manufacturers, sellers or repair services.
Necessary measures are thereby taken to prevent personnel outsourced for maintenance and repair from duplicating personal data or removing it from the organisation.
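As an added illustration of the database erasure and record-keeping steps described above (example code, not the COMPANY's own tooling; the table layout, the role names, the log salt and the guest records are constructed for the example, and an in-memory SQLite database stands in for whatever store Elektra or Netahsilat actually use), the following Python routine deletes one data subject's rows with the DELETE command, refuses to run under an administrator role, and writes an erasure record per table that identifies the subject only by a keyed digest, so that the log that must be kept for ten years does not itself retain the personal data it documents:

```python
"""Added example: erasing one data subject's rows with DELETE, refusing to run
as a database administrator, and logging the operation without re-storing the
personal data. Not the COMPANY's tooling; schema, roles and records are constructed."""
import hashlib
import sqlite3
from datetime import datetime, timezone

# Assumed role names that must not be used for erasure (the policy only says
# the user must not be a database administrator; these names are invented).
ADMIN_ROLES = {"dba", "admin"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory schema with two invented guests and their stays."""
    conn = sqlite3.connect(":memory:")
    # SQLite-specific: overwrite freed row content with zeros instead of leaving
    # it in free pages; without this, DELETE only unlinks the row.
    conn.execute("PRAGMA secure_delete = ON")
    conn.executescript("""
        CREATE TABLE guests (guest_id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
        CREATE TABLE stays  (stay_id  INTEGER PRIMARY KEY, guest_id INTEGER, check_in TEXT, check_out TEXT);
        CREATE TABLE erasure_log (
            id INTEGER PRIMARY KEY, at_utc TEXT, subject_ref TEXT, operator TEXT,
            table_name TEXT, rows_removed INTEGER, method TEXT);
    """)
    conn.executemany("INSERT INTO guests VALUES (?, ?, ?, ?)", [
        (1, "Ayse Yilmaz", "ayse@example.com", "+90 532 000 0001"),
        (2, "Mehmet Demir", "mehmet@example.com", "+90 532 000 0002"),
    ])
    conn.executemany("INSERT INTO stays VALUES (?, ?, ?, ?)", [
        (10, 1, "2023-07-01", "2023-07-04"),
        (11, 1, "2023-09-10", "2023-09-12"),
        (12, 2, "2023-07-02", "2023-07-06"),
    ])
    conn.commit()
    return conn


def subject_reference(guest_id: int, salt: bytes) -> str:
    """Keyed digest of the internal id: the log can show that an erasure took
    place for a given id (to whoever holds the salt) without storing name or email."""
    return hashlib.sha256(salt + str(guest_id).encode()).hexdigest()[:16]


def erase_data_subject(conn, guest_id, operator, role, log_salt=b"constructed-salt"):
    """Delete every row belonging to guest_id and log one record per table.
    Returns {table: rows_removed}. Raises if run under an administrator role."""
    if role.lower() in ADMIN_ROLES:
        raise PermissionError("erasure must not be run by a database administrator")
    ref = subject_reference(guest_id, log_salt)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    removed = {}
    # One transaction: either every table is cleaned and logged, or nothing changes.
    with conn:
        for table in ("stays", "guests"):  # fixed list, child rows first; never user input
            cur = conn.execute(f"DELETE FROM {table} WHERE guest_id = ?", (guest_id,))
            removed[table] = cur.rowcount
            conn.execute(
                "INSERT INTO erasure_log (at_utc, subject_ref, operator, table_name, rows_removed, method) "
                "VALUES (?, ?, ?, ?, ?, ?)",
                (now, ref, operator, table, cur.rowcount, "DELETE"),
            )
    return removed


if __name__ == "__main__":
    db = build_sample_db()
    print(erase_data_subject(db, 1, "ops-user", "operator"))
    print(db.execute("SELECT table_name, rows_removed FROM erasure_log").fetchall())
```

The `PRAGMA secure_delete` line is specific to SQLite: without it, deleted rows remain in the file's free pages until they happen to be overwritten, which satisfies erasure as the policy defines it (inaccessible to the relevant users) but not destruction. On a server database the role check would come from the privileges of the connecting account rather than from a parameter, and the log table should be writable but not deletable by the same account.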
The anonymisation of personal data is the action of preventing identification of the data subject by removing or modifying all direct and/or indirect identifying information in a data set, or by generalising it within a group in such a way that it can no longer be associated with a natural person, even when combined with other data. The purpose of anonymisation is to break the connection between the data and the person it identifies. Personal data are anonymised by selecting the disconnection process suitable for the data, using automatic or non-automatic methods such as grouping, masking, deriving, generalising or randomising applied to the records.
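As an added worked example (not part of the policy and not the COMPANY's code; the guest records, reference date and field names are constructed), the following Python script applies three of the methods named above to a small guest data set: masking removes the direct identifiers, generalisation replaces the date of birth and the check-in date with an age band and a month, and derivation replaces the exact stay dates with a length-of-stay band. It then checks the point the definition stresses, that the result cannot be linked back to a person by matching it with other data: any record whose combination of remaining attributes is unique is suppressed before release (a k-anonymity check, which goes a step beyond the policy text).

```python
"""Added example: anonymising a constructed guest data set by masking,
generalisation and derivation, then suppressing records that would still
single out one person. Not the COMPANY's code; all records are invented."""
from collections import Counter
from datetime import date

# Reference date used to compute ages (constructed for the example).
REFERENCE_DATE = date(2024, 1, 1)

# Constructed sample records; names, contact details and dates are invented.
SAMPLE_GUESTS = [
    {"name": "Ayse Yilmaz", "email": "ayse@example.com", "phone": "+90 532 000 0001",
     "dob": "1984-03-12", "city": "Istanbul", "check_in": "2023-07-01", "check_out": "2023-07-04"},
    {"name": "Mehmet Demir", "email": "mehmet@example.com", "phone": "+90 532 000 0002",
     "dob": "1981-11-30", "city": "Istanbul", "check_in": "2023-07-10", "check_out": "2023-07-13"},
    {"name": "Elif Kaya", "email": "elif@example.com", "phone": "+90 532 000 0003",
     "dob": "1986-08-05", "city": "Istanbul", "check_in": "2023-07-20", "check_out": "2023-07-23"},
    {"name": "Can Celik", "email": "can@example.com", "phone": "+90 532 000 0004",
     "dob": "1979-01-01", "city": "Istanbul", "check_in": "2023-07-02", "check_out": "2023-07-06"},
    {"name": "Fatma Arslan", "email": "fatma@example.com", "phone": "+90 532 000 0005",
     "dob": "1955-06-15", "city": "Ankara", "check_in": "2023-07-05", "check_out": "2023-07-15"},
]

DIRECT_IDENTIFIERS = ("name", "email", "phone")            # removed by masking
QUASI_IDENTIFIERS = ("age_band", "city", "stay", "month")  # what a linkage attack would match on


def age_band(dob: str, on: date) -> str:
    """Generalisation: exact date of birth -> ten-year age band."""
    born = date.fromisoformat(dob)
    age = on.year - born.year - ((on.month, on.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def stay_band(check_in: str, check_out: str) -> str:
    """Derivation: exact stay dates -> coarse length-of-stay category."""
    nights = (date.fromisoformat(check_out) - date.fromisoformat(check_in)).days
    if nights <= 2:
        return "1-2 nights"
    if nights <= 6:
        return "3-6 nights"
    return "7+ nights"


def anonymise(records, reference_date=REFERENCE_DATE):
    """Masking drops the direct identifiers; the remaining fields are generalised or derived."""
    out = []
    for r in records:
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({
            "age_band": age_band(kept["dob"], reference_date),
            "city": kept["city"],
            "stay": stay_band(kept["check_in"], kept["check_out"]),
            "month": kept["check_in"][:7],  # generalise the date to its month
        })
    return out


def min_group_size(records, keys=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest group sharing the same quasi-identifier values
    (1 means some record is unique and therefore still linkable)."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return min(counts.values()) if counts else 0


def anonymise_for_release(records, reference_date=REFERENCE_DATE, k=2, keys=QUASI_IDENTIFIERS):
    """Anonymise, then suppress any record whose quasi-identifier combination
    is shared by fewer than k records, so that no row can be matched to one person."""
    anon = anonymise(records, reference_date)
    counts = Counter(tuple(r[key] for key in keys) for r in anon)
    return [r for r in anon if counts[tuple(r[key] for key in keys)] >= k]


if __name__ == "__main__":
    print("smallest group before suppression:", min_group_size(anonymise(SAMPLE_GUESTS)))
    for row in anonymise_for_release(SAMPLE_GUESTS):
        print(row)
```

With the constructed records, masking and generalisation alone still leave the Ankara guest in a group of one, which is why the release step drops that record. A threshold of k = 2 is the minimum for a data set this small; a larger set would warrant a larger k, and attributes kept as-is (here the city) need to be reviewed against whatever external data a recipient could plausibly match on.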
- Rights of the Data Subject
Each data subject has the right to learn whether their personal data are processed; to request information if their personal data are processed; to learn the purpose of the processing and whether the data are used for that purpose; to know the third parties to whom their personal data are transferred, at home or abroad; to request the rectification of incomplete or inaccurate data, if any; to request the erasure or destruction of their personal data; to request that these operations be notified to the third parties to whom their personal data have been transferred; to object to a consequence unfavourable to them arising from the processing of their personal data exclusively by automatic means; and to request compensation for any damage arising from the unlawful processing of their personal data.
- Confidentiality of Processing Data
14.1 Personal data are subject to data secrecy. Unauthorised access to these data by any employee of the COMPANY, its affiliates and/or its subsidiaries is prevented, and processing or use of these data by unauthorised persons is strictly forbidden. Processing of these data by any employee of the COMPANY, its affiliates and/or its subsidiaries that is not authorised within the framework of their job description constitutes an unauthorised operation. Employees of the COMPANY, its affiliates and/or its subsidiaries may access personal data only where their job description grants that access authorisation.
14.2 Using personal data for private or commercial purposes, sharing these data with unauthorised persons or making these data accessible by other method by the employees of the COMPANY, its affiliates and/or its subsidiaries is forbidden. The data controller informs employees about the obligation to protect data confidentiality at the start of employment, and provides training to employees on this matter.
14.3 By regarding the provisions of Law on the Protection of Personal Data numbered 6698, video and voice recording are carried out in locations such as the surroundings and entrances of buildings and workplaces, and kitchen and service areas, for the purpose of security and protection of property and confidentiality, and also to control and measure service quality.
14.4 The data subject, while communicating with the COMPANY and at the relevant service points of the COMPANY, is informed in regards to video recording and inspection. The data subject agrees with the importance of video and voice recording, and grants their explicit consent to this, and to the COMPANY in terms of processing its data.
- Security of Data Processing
Personal data are protected against unauthorised access, unlawful data processing, disclosure, accidental loss of data, alteration, or destruction. Data is protected when it is processed both via electronic media and on paper. In terms of taking technical and administrative measures for protection of personal data, new and advanced data processing methods and information technologies systems are followed.
- Control of Data Protection
Compliance with this Data Protection Policy and the related data protection laws is ensured through the authorised persons appointed in the relevant units of the COMPANY. As permitted by national law, the Personal Data Protection Authority may itself carry out inspections and verify the compliance of the COMPANY, its subsidiaries and affiliates with the provisions of this policy.
When the data subject communicates in writing to the data controller a request relating to the implementation of this policy and of the Law on Protection of Personal Data, the data controller shall conclude the application free of charge and no later than 30 days, according to the nature of the request. However, if the underlying transaction entails a cost for the COMPANY, the fee in the tariff designated by the Personal Data Protection Board may be charged to the data subject.