KVKK - BLUEWAVE HOTEL - ALANYA / ANTALYA

GDPR

General Data Protection Regulation
BLUE WAVE SUITE HOTEL PERSONAL DATA PROCESSING POLICY

INTRODUCTION

This policy of processing personal data Dorubey Tur. İşl İnş. Eml. Taah. Ve Tic. Ltd. Şti. In short ("Blue Wave Suite Hotel"), it has been prepared in order to determine the procedures and principles to be applied by Blue Wave Suite Hotel regarding the processing of personal data in accordance with the Personal Data Protection Law No.6698 and other legislation, which we hold as data controller.

SCOPE

The personal data of our employees, employee candidates, guests and all real persons who have personal data with Blue Wave Suite Hotel for any reason are managed in accordance with the laws within the framework of this Personal Data Processing Policy.

DEFINITIONS

Law / KVKK: Personal Data Protection Law dated 24/3/2016 and numbered 6698.

Board / Institution: Personal Data Protection Board / Personal Data Protection Authority.

Personal Data: All kinds of information regarding an identified or identifiable person.

Related Person: Person whose personal data is processed.

Explicit Consent: Consent based on information and free will regarding a specific subject.
Anonymous Rendering: Making personal data unrelated to an identified or identifiable natural person under any circumstances, even by matching with other data.

Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and unavailable in any way for Relevant Users.

Destruction of Personal Data: The process of making personal data inaccessible, retrieved and reusable by anyone.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, through fully or partially automatic means of personal data or non-automatic means provided that it is part of any data recording system, Any action taken on data, such as classification or prevention of use.

Data Processor: Real or legal person who processes personal data on behalf of the data controller based on the authority given by him.

Data Supervisor: Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Special Quality Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and association, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and their genetic data.

Obligation of Disclosure: During the acquisition of personal data, the data controller or the person authorized by the person concerned; Providing information about the identity of the data controller and, if any, of its representative, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, other rights listed in Article 11 of the Law.

Elektra Web: Front office, accounting and purchasing Automation System with guest data

Datasoft: Automation System with personnel data

Destruction Policy: The policy on which data controllers are the basis for the process of determining the maximum time required for the purpose for which personal data are processed and for deletion, destruction and anonymization.

Recording Media: Any electronic medium containing personal data that is fully or partially automated or processed by non-automatic means provided that it is a part of any data recording system.

Virtual POS Payment System: Online payment system.

Company: Dorubey Tur. İşl İnş. Eml. Taah. Ve Tic. Ltd. Şti

PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

Compliance with the law and honesty rules: The COMPANY protects the individual rights of the relevant persons during the processing of personal data. Personal data are collected and processed in a lawful and fair manner. Processing for specific, open and legitimate (transparency) purposes and being limited and proportionate in connection with the purpose for which they are processed: The purpose for which personal data will be processed by the COMPANY is revealed before the personal data processing activity begins. The COMPANY processes personal data only in order to provide better service to the relevant persons. During the acquisition of personal data; The relevant person is informed about the identity of the data controller and, if any, of his representative, the purpose of the personal data processing, to whom and for what purposes personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the relevant person. Doing: The COMPANY retains personal data only for the period specified in the relevant legislation or for the purpose for which they are processed. As long as personal data is deemed necessary for the purposes for which they are processed, and required by regulatory authorities and / or relevant laws and regulations, the COMPANY and its subsidiaries under its control will continue to process and maintain personal data in accordance with the purposes set forth by this policy. The COMPANY keeps the processed personal data accurate, complete and, if necessary, up to date. In necessary cases; Inaccurate or incomplete data are deleted, corrected, completed or updated. Privacy and data security: Personal data is subject to data privacy. It is considered confidential at the personal level, and necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as to prevent accidental loss, alteration or destruction, and to ensure the preservation of personal data.

DATA PROCESSING SCOPE

Personal data processing is carried out in two different ways.
Fully or partially automatic processing of data; data acquisition, collection, recording, photographing, audio recording, video recording, organizing, storing, for the purposes of transferring, disseminating or presenting in different ways, grouping or combining, blocking, deleting or destroying data from the specified person or third parties mentioned in this policy covers, changing, restoring, withdrawing or disclosing.
Data processing / acquisition by non-automatic means; It covers the recording, storage, preservation, modification, reorganization, disclosure, transfer, transfer abroad, taking over, making available, classifying or preventing its use, provided that it is a part of any recording system.

The COMPANY will have the right to process the personal information of the person concerned during the period of use of the services provided and after the termination of the service relationship, in accordance with the purposes stated in this policy.

The personal data processing performed by the COMPANY covers all actions taken against the data using non-automatic means, provided that it is part of an automatic, semi-automatic or automatic system without any restrictions.

The COMPANY processes the data of the person concerned or the persons under the custody of the person concerned.

Data processing also includes sharing the data given with the express consent of the data subject and / or third parties, when the COMPANY is the data processor and / or acts in favor of and on the instructions of a third party.

The explicit consent of the relevant person requires the recording and processing of the activities by the COMPANY while using various electronic channels (including but not limited to the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and purchase). also covers. (For example; determining the location of the relevant person while using the electronic channel, defining and analyzing input data, product selection frequency and / or other statistical data)

Basics of Data Processing

The relevant person accepts that it is necessary for the COMPANY to process the information belonging to the relevant person or of the third parties specified by the relevant person during the use of the services of the COMPANY and even if the contractual relationship is terminated.
Providing and / or applying a service for the relevant person,
Data processing is mandatory in order to protect the legal rights of the COMPANY and / or third parties,
Fulfilling the legal obligations of the COMPANY,
Provided that it is directly related to the establishment or execution of a contract between the data subject and the COMPANY, it is necessary to process the personal data of the relevant person,
Data processing is mandatory for the establishment, use or protection of a right,
Other issues with the explicit consent of the relevant person,
Other issues clearly stipulated in the legislation.
The explicit consent of the person concerned will mean that the person concerned accepts the policy and provisions.

Data Processing Purposes

Third parties who process the personal data shared with the consent of the COMPANY and / or the persons concerned may process the personal data of the person concerned or the persons under the custody of the relevant person for the following purposes.

Providing accommodation services as declared, providing better and more reliable services to the guests,

The COMPANY performs online payments and receiving payments with the Virtual POS Payment System. In these transactions, using the information of the guest (Name, surname, date of birth, e-mail address, telephone number and credit card), information research and survey evaluations, planning, statistics, archiving, custody services, customer satisfaction studies,

It is necessary to check the accommodation history and / or behavioral patterns of the relevant person in order to optimize and develop the COMPANY services,

The COMPANY can offer a new and / or additional service or non-service product,

Changing the current conditions of the service provided by the COMPANY,

The COMPANY analyzing the statistical data, preparing and presenting various reports, researches and / or presentations,

In addition to ensuring security; Detecting and / or preventing misconduct, other criminal activities,

Meeting the complaints, questions and demands of the relevant person,

Verification of the identity information of the relevant person,

Promotion, marketing, promotion and campaign activities for accommodation service,

Realization of other purposes stipulated in national and international laws and regulations.

Processing, Transferring or Disclosure of Data

The COMPANY fulfills the obligations imposed by the relevant legislation and board resolutions regarding the processing, transfer or disclosure of personal data. In accordance with the purposes set out by this policy, the relevant person and third parties, including but not limited to the following personal data; In order to process, transfer and / or explain all kinds of information depending on the content and variety of the accommodation service offered by the COMPANY; Name and surname of the relevant person, Personal identification number and / or unique feature on the identity card, Registered and / or resident address, Telephone / mobile phone number, E-mail address, Data about the employer, and information about employment conditions (place of work , wages, working hours, etc.), when using various electronic channels and / or the internet (including but not limited to web cookies, etc.) and when using the aforementioned channels, the activities of the data subject and / or third parties specified by the data subject (this It uses data about the persons with whom the relevant person stays during the service procurement period (including but not limited to the verification of channels, actions taken or transaction history).

In order to benefit from the services of the COMPANY, if the person concerned (including but not limited to personal data, special quality personal data, etc.) gives their personal data to the COMPANY from their third parties (family members, employers, etc.); The person who gives the data to the COMPANY will be responsible for obtaining the necessary consent for the processing of these personal data.

If the person concerned gives the said information to the COMPANY (or its authorized personnel), it is assumed that the person concerned has given the necessary explicit consent and the COMPANY's obligation to obtain this explicit consent is eliminated.

In the event that personal and / or special personal data is processed without the express consent of the relevant person and a loss occurs as a result of this processing, the COMPANY is liable to compensate this loss.

The COMPANY, the phone, mobile phone number, e-mail address and other contact information given by the person concerned, until the person uses the right to reject, sending SMS, voice and / or other kinds of marketing messages (Direct marketing), including the Regulation of Electronic Commerce No. 6563 It has the right to send commercial electronic messages under the Law on About.

The person concerned grants the COMPANY the right to share his / her personal data with the subsidiaries and / or shareholders of the COMPANY in order to make various marketing offers.
Advertising / information messages (such as advertisement brochure, promotional images, verbal offers, etc.) at the service points of the COMPANY or the contents shown during the use of the COMPANY's (or its affiliates), internet, mobile marketing, etc. and the person concerned will not have the right to request the termination of the publication and / or display of such content.

Processing Data of Applicants or Employees

Processing of personal data in order to conclude, execute, maintain and terminate service contracts: Fulfillment of personal rights arising from the service contract and their continuous maintenance, occupational health and safety service to be provided to employees, fulfillment of work permit procedures, evaluation of personal job applications, research and other The COMPANY has the right to process the personal information disclosed by the person concerned due to the job, trial period and / or starting an internship for purposes such as execution of recruitment processes, performance evaluation and follow-up, training activities, improvement of working conditions, execution of personal development processes, etc. .

During the job application process, the collection of information about the applicant from third parties is carried out within the framework of the provisions of the Personal Data Protection Law No. 6698.

The applicant's explicit consent is required for the processing of personal data that is related to the business relationship but is not part of the performance of the employment contract at first.

Processing Special Quality Personal Data; Special Quality personal data can only be processed with the explicit consent of the person concerned to process the personal data of special nature. Personal data of special nature other than health and sexual life, but in cases stipulated by law, personal data regarding health and sexual life; However, in order to protect public health, to carry out preventive medicine, medical diagnosis, treatment and care services, to plan and manage health services and their financing, the processing by persons or authorized institutions and organizations under the obligation of secrecy is complied with.

Information Transfer / Sharing to / from Third Parties

Within the scope of data processing, in order for the COMPANY to provide services to the relevant person, this policy is transferred / shared with the relevant person and / or third parties specified by the relevant person. The person concerned provides his personal data to the COMPANY; All departments, internet, call centers, public institutions and organizations and the parties from whom they receive services that are complementary to or extension of the activities of the COMPANY, through their suppliers, obtaining and recording the data through fully or partially automatic means or non-automatic means, provided that they are part of any recording system, It gives the rights of storage, preservation, modification, rearrangement, disclosure, transfer, transfer abroad, taking over, making available, classifying or using.

Obligation of Data Controller and Data Processor

Based on the provisions of this policy; While the COMPANY processes some types of personal data, it may act on behalf of the data controller, including the data processor and third parties. The data controller may be the data processor for third parties in some personal data. Accordingly, each of the parties to such a relationship (the data processor as well as the data controller) act in accordance with the Personal Data Protection Law. Therefore;

Personal data are processed in accordance with the principles in the legislation.

The explicit consent of the relevant person is obtained, necessary information and clarifications are made.

In the event of the data controller: When the data subject makes a request for information regarding his / her personal data, when a complaint or declaration regarding the compliance of the data controller with the requirements of the legislation is submitted, he / she notifies the relevant person as soon as possible and within 30 days at the latest.

In addition, if one of the parties represents the data processor and the other the data controller during the data processing, the data processor fulfills the following obligations. The data processor is obliged to;

Complying with the extent and scope defined by the provisions of this policy and permitted by the legislation; or, at the request of a regulatory authority, processing data transmitted / disclosed by the other party,

To prevent unauthorized processing, loss, destruction, damage, unauthorized alteration or disclosure of the data transmitted / disclosed by the data controller, the implementation of all reasonable technical and administrative measures and taking all necessary actions and informing the data controller of all measures taken within this scope,

The COMPANY supervises the measures and practices implemented by the data processor for data security purposes through its authorized personnel,

Cooperates and supports the examination of a complaint or statement conveyed / disclosed by the COMPANY, including the following by the Data Processor,

Provides to the COMPANY within 7 working days from the date of request, detailed information about the complaint and declaration status, including the data about the person concerned (including electronic data), which is transmitted / disclosed to the data processor by the data controller,

It prevents data processing (transfer) activity to a country and / or international organization that is not in the list of countries that are not part of the European Union Economic Area and that are at a sufficient level for the protection of personal data by the Data Processor or to a country and / or international organization that the person concerned or the Personal Data Protection Board does not allow.

Without the prior written consent of the COMPANY; does not transfer / disclose data to third parties,
Even in cases where the COMPANY has prior written consent; is obliged to transfer / disclose data in accordance with a written contract that processes data. In the aforementioned written contract, the third party and its subcontractors are obliged to take all necessary technical and administrative measures to prevent unauthorized processing, loss, destruction, damage, unauthorized alteration or disclosure of data.
Compensation of any damage / loss to be incurred by the COMPANY due to the failure of the data processor (in accordance with the policy and legislation) to take the necessary actions or to fulfill them completely. Any damages / losses (including but not limited to consequential damages), complaints, expenses (including but not limited to expenses due to the COMPANY's use of its legal rights) as a result of the breach of the data processor, legal processes The data processor gives explicit consent and agrees with the data controller to correct damages and compensation against other liabilities.
Unless otherwise specified in the contract between the COMPANY and the data processor, after the termination of the contractual relationship between the COMPANY and the data processor; Returning any data (including personal data) transferred / disclosed from the COMPANY. It is obliged to take all kinds of security measures to prevent unauthorized access of third parties to data, to destroy the personal data transferred / disclosed by the COMPANY and to notify the COMPANY to confirm that this action has been taken.

Data Update, Processing, Retention Period and Data Destruction

It continues to operate for a period of time consistent with the aims and interests of the company, the demands of the supervisory / regulatory authorities and / or the legislation, for the purposes specified in this policy during and after the use of the services of the company.

The processing of the data transferred during the use of the relevant person's electronic channels (web browser, website, internet, mobile applications and / or other electronic data transfer tools) continues after the data subject deletes the data from the relevant electronic channels.

Upon the request of the relevant person, information regarding the personal data held in the COMPANY is provided in accordance with the legislation.

In case the data belonging to the person concerned is incomplete or inaccurate, the missing and incorrect data are completed and corrected upon the written notification of the person concerned to the COMPANY.

Personal data are kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and in any case for 15 years. Although it has been processed in accordance with the provisions of the legislation, in case the reasons for its processing disappear and the storage period of the COMPANY expires, the personal data are deleted, destroyed or anonymized by the data controller automatically or at the request of the person concerned.
In determining the storage and destruction periods of personal data, the following criteria are used:
Determining which of the exceptions stipulated in Articles 5 and 6 of the Law can be considered within the scope of the storage of data,

Access authorization and control matrix system is used. The relevant users are determined for each personal data, the authorizations and methods such as access, retrieval and reuse of the relevant users are determined, termination of employment or change of position, etc. In cases, the access, retrieval and reuse authorization and methods of the relevant users within the scope of personal data are updated, closed and eliminated.

Regarding the storage of the personal data in question, in the event that the period stipulated in the legislation expires or no period is stipulated in the relevant legislation for the storage of the data in question, the data is deleted, destroyed or anonymized by the data controller in 10-year periods.

In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 titled "General Principles" of the Law and the measures to be taken within the scope of Article 12 titled "Obligations regarding data security", relevant legislation provisions, Institution decisions and this policy appropriate action is taken.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the COMPANY. These records are kept for at least 10 years, excluding other legal obligations.

Unless a contrary decision is taken by the Personal Data Protection Authority, the appropriate method of deleting, destroying or anonymizing personal data is selected by the COMPANY.

Personal data collected by the COMPANY are stored in various recording media. It is deleted by methods suitable for recording media. The data in the digital media is deleted by giving a deletion command and / or manually, and the personal data in the paper environment is deleted by using the blackout method. The blackout process, where possible, the personal data on the relevant documents are cut off, and in cases where it is not possible, they are made invisible to the relevant users by using fixed ink in a way that is irreversible and cannot be read with technological solutions.

Office files on the central server are deleted with the delete command in the operating system of the file or the access rights of the relevant user on the directory where the file or file is located are removed.

The use of portable memory is limited by the authorities. The database containing personal data is protected by authorization levels, and deletion is subject to authorization. While performing the transaction, it is taken into account whether the relevant user is also a database administrator.

The destruction of personal data is the process of making personal data inaccessible, retrieved and reusable in any way. The COMPANY, the Data Controller, takes all necessary technical and administrative measures regarding the destruction of personal data. In order to destroy personal data, all copies of the data are detected and the systems containing the data are physically destroyed, such as melting, burning or pulverizing optical media and magnetic media. It is ensured that data cannot be accessed by processes such as melting, burning, pulverizing or passing the optical or magnetic media through a metal grinder.

With the command to delete network devices (switches, routers, etc.), mobile phones (sim card and fixed memory areas); Optical disks, if any, by erasing command and physical destruction methods in fixed memory areas in portable smartphones; Data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, breaking into small pieces, melting. The destruction of personal data in devices that are defective or sent for maintenance is stored by removing the data storage medium, and other defective parts are sent to third institutions such as manufacturers, vendors and services. Personnel coming from outside for maintenance and repair purposes are prevented from copying personal data out of the organization and necessary measures are taken. Necessary confidentiality agreements are in place with the relevant maintenance companies.

Anonymization is the removal or modification of all direct and / or indirect identifiers in a data set, preventing the identity of the relevant person from being identified or losing its distinctiveness within a group / crowd in a way that cannot be associated with a real person. The purpose of anonymization is to break the link between the data and the person identified by this data. The data is anonymized by selecting one suitable for the relevant data among the methods such as automatic or non-automatic grouping, masking, derivation, generalization, randomization applied to the records in the data recording system where personal data are kept.

Rights of the Related Person

Each contact person; To learn whether personal data are processed, to request information if personal data have been processed, to learn the purpose of personal data and whether they are used for their purpose, to know the third parties to whom personal data are transferred in the country or abroad, to request correction of personal data in case of incomplete or incorrect processing, To request the deletion or destruction of personal data, to be notified that the personal data has been transferred to third parties in the country or abroad, to object to the occurrence of a result against the person by analyzing the processed data only through automated systems, if personal data is damaged due to the processing in violation of the Law has the right to demand the compensation of the damage.

Privacy of Data Processing

Personal data are subject to data security. Any employee of the COMPANY, its subsidiaries and / or affiliates is prevented from accessing this data without authorization, and it is strictly prohibited for unauthorized persons to process or use this data. The processing of this data by any employee of the COMPANY, its affiliates and / or its subsidiaries, who is not authorized within the framework of the job description, means unauthorized transaction. Employees of the COMPANY, its affiliates and / or subsidiaries can access personal data only if they have the authority to access personal data within their job description.

Employees of the COMPANY, its subsidiaries and / or affiliates are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons or making this data accessible by any other method. The data controller informs its employees about the obligation to protect data confidentiality at the beginning stage, provides training and training to its employees.
In order to protect and protect the property and privacy, as well as to control and measure the service quality, in accordance with the provisions of the Law on the Protection of Personal Data No. Video and sound are recorded in environments.

The relevant person is informed that video recording and video control are being carried out by using appropriate tools at the relevant service points of the COMPANY and while communicating with the COMPANY. The relevant person acknowledges the importance of video and audio recording and gives explicit consent to the COMPANY to process their data in this regard with this article.

Data Processing Security

Personal data is protected against unauthorized access, illegal data processing or disclosure, and accidental loss, alteration or destruction of data. Whether the data is processed electronically or on paper, it is under protection. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.

Data Protection Control

Compliance with this Data Protection Policy and relevant data protection laws is regularly checked by authorized persons in charge of the relevant units of the COMPANY. As permitted by national laws, the personal data protection agency can personally audit the compliance of the COMPANY, its subsidiaries and affiliates with the provisions of this policy.

Contact

When the relevant person submits their requests regarding the implementation of this policy of the Personal Data Protection Law to the Data Supervisor in writing, the Data Controller concludes the request free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fees in the tariff determined by the Personal Data Protection Board are collected.