INTRODUCTION, SCOPE AND DEFINITIONS
1.1. The Law on the Protection of Personal Data numbered 6698 ("KVKK") was enacted and published in the Official Gazette dated 07.04.2016, introducing a comprehensive legal framework for the protection of individuals’ personal data. In this context, the Personal Data Protection and Processing Policy ("Policy") serves as a guiding document for Urla Otelcilik Turizm Tic. A.Ş. ("Company/Our Company") regarding the concrete implementation of the rules laid down by KVKK and related regulations. The Company shall make the necessary internal arrangements to comply with the Policy and ensure its ongoing compliance through periodic internal audits.
1.2. Scope: This Policy covers all personal data that is processed by the Company through automated means or non-automated means provided that the processing is part of a data recording system, and applies to Employees, Former Employees, Employee Candidates, Interns, Group Employees, Relatives of Employees, Shareholders/Partners of the Company, Company Officials, Customers, Potential Customers, Visitors, Supplier Representatives, and Supplier Employees as defined in Article 1.3.
1.3. Definitions: Unless otherwise defined in this Policy, the terms used herein shall have the same meanings as defined in KVKK and secondary legislation.
Employee: Natural persons employed under an employment contract with the Company. Employee Candidate: Natural persons who have applied for a job with the Company or have submitted their resumes and related information for the Company’s consideration. Intern: Persons working at the Company to gain experience, learn job-related tasks, and improve professional skills. Former Employee: Natural persons whose employment relationship with the Company has ended for any reason. Shareholder/Partner: Natural persons who hold shares or a partnership interest in the Company. Company Officials: Members of the board of directors and other authorized persons within the Company. Supplier Employee: Employees of suppliers, business partners, or third parties providing services to the Company based on a contractual or non-contractual relationship. Supplier Representative: Authorized persons such as board members or general managers of the Company's suppliers or business partners. Customer: Real persons whose personal data is obtained in the course of business operations of the Company, regardless of whether they have a contractual relationship with the Company. Potential Customer: Persons to whom the Company’s products and services are promoted or marketed. Visitor: Individuals who enter the Company’s premises for various reasons or who visit its websites.
- PRINCIPLES FOR PROCESSING PERSONAL DATA
To comply with KVKK and related legislation and to maintain such compliance, the Company adopts the following core principles:
2.1. Lawfulness and Fairness: Personal data is processed in accordance with the Turkish Constitution and the principles of lawfulness and fairness.
2.2. Accuracy and Up-to-Date: The Company ensures the personal data it processes is accurate and kept up-to-date considering the rights of the data subject and its own legitimate interests.
2.3. Processing for Specific, Explicit, and Legitimate Purposes: The Company processes personal data only for legitimate and lawful purposes which are clearly defined.
2.4. Data Minimization: Personal data is processed in a way that is relevant, limited, and proportionate to the purpose.
2.5. Storage Limitation: The Company stores personal data for the period required by law or the purpose for which they are processed. Once this period expires, the data is deleted, destroyed, or anonymized.
- CONDITIONS FOR PROCESSING PERSONAL DATA
Personal data is processed based on one or more legal grounds outlined in Article 5 of KVKK. In cases where the data is of a special category, the conditions set forth in Article 5 of this Policy apply.
3.1. Explicit Consent: If personal data is processed based on explicit consent, it must be informed, freely given, and specific.
3.2. Legal Requirement: Processing is allowed if explicitly provided for by law.
3.3. Vital Interests: Personal data may be processed without consent if necessary to protect the life or bodily integrity of the data subject or another person who is incapable of giving consent.
3.4. Contractual Necessity: Data may be processed if required for the performance of a contract to which the data subject is party.
3.5. Legal Obligation: Processing is lawful when necessary for the Company to comply with legal obligations.
3.6. Public Disclosure: If personal data has been made public by the data subject, it may be processed for the purpose for which it was made public.
3.7. Legal Claims: Data may be processed if necessary for the establishment, exercise, or defense of legal claims.
3.8. Legitimate Interests: Personal data may be processed for the legitimate interests of the Company, provided it does not infringe on the fundamental rights and freedoms of the data subject.
- TRANSFER OF PERSONAL DATA
The Company, in accordance with legitimate and lawful purposes and ensuring the implementation of appropriate security and confidentiality measures, may transfer personal data and special categories of personal data within Turkey to: (i) Public institutions and organizations authorized by law, to the extent required by their legal authority; (ii) Shareholders/Partners for the fulfillment of Company operations and for audit purposes; (iii) Suppliers, for the purpose of receiving services necessary to conduct business operations; (iv) Authorized private legal persons, particularly banks under the Turkish Banking Association and the Company’s independent auditors, for activities within the scope of their legal authority and for benefits provided to employees.
- PROCESSING AND TRANSFER OF SPECIAL CATEGORIES OF PERSONAL DATA
The Company processes special categories of personal data by taking necessary administrative and technical measures, in accordance with the principles set forth in this Policy and the procedures to be determined by the Personal Data Protection Board: (i) Special category personal data excluding health and sexual life may be processed without explicit consent if expressly provided by law. Otherwise, explicit consent will be obtained. (ii) Personal data related to health and sexual life may be processed without explicit consent by persons under confidentiality obligations or authorized institutions and organizations, for the purposes of protecting public health, medical diagnosis, treatment, and care services, and the planning and management of healthcare services and their financing.
