POLICY
ON PRIVACY/THE PROTECTION OF PERSONAL DATA
The protection of
personal data is an important subject for D Otel Göcek Turizm Yatırımları ve
İşletmeciliği Ticaret ve A.Ş. [“D
Resort Göcek”]. D Resort Göcek adopts the principles laid down by the Law No.
6698 on the Protection of Personal Data [“KVK Law”] to ensure compliance with
the KVK Law, and performs its obligations regarding the processing, deletion,
destruction, anonymisation and transfer of personal data, as well as providing
the relevant person with information and ensuring data security. The Policy on
Privacy and the Protection of Personal Data issued for this purpose is
presented to real persons [the “Relevant Person”] for information, and our website,
our company headquarters or our stores may be visited also without having to
share any personal data. Personal data collected within the visitors’
knowledge, however, may be processed subject to the conditions set forth in
this policy in compliance with applicable legislation.
1.
The Scope and
Objective of the Policy on Privacy and the Protection of Personal Data
This Policy on Privacy and the Protection
of Personal Data explains:
a. D Resort Göcek’s methods and legal grounds for collecting personal data,
b. Groups of individuals whose personal data are processed ( Data Subject
Categorisation),
c. Category of personal data belonging to these groups of individuals which
are processed (Data Categories) and data type examples,
d. Business processes and purposes in/for which these personal data are
used,
e. The technical and administrative measures taken to ensure the security
of personal data,
f.
Parties and purposes to/for which personal
data may be transferred,
g. The durations of retaining personal data,
h. The rights of the Relevant Persons on their personal data, and how they
may exercise these rights,
i.
How the Relevant Persons may change their
affirmative or negative preferences regarding the receipt of electronic
commerce messages,
j.
The sharing of personal data with official
authorities.
a.
Methods and Legal Grounds for Collecting
Personal Data
D Resort Göcek collects personal data in
audio, electronic or written format, through printed forms, the Relevant
Persons themselves, Agreements, suppliers, electronic mail, the Company’s
common areas, the Company’s related departments, telephone calls, notices
served by administrative and judicial bodies, and other means of communication,
in keeping with the personal data processing conditions set forth in the KVK
Law, and in line with the legal grounds specified in this Policy on Privacy/the
Protection of Personal Data.
b.
Categorisation of Groups of Data Subjects
D Resort Göcek categorises the groups of
data subjects whose personal data are processed during personal data processing
procedures and in activities related to these processes, in the following
manner. However, in keeping with the personal data processing conditions specified
in Articles 5 and 6 of the KVK Law, and in line with the legal grounds
indicated in this Policy on Privacy/the Protection of Personal Data, personal
data belonging to other groups of individuals (suppliers, dealers, consultants)
may also be processed.
1. Customers of Stores,
2. Customers of Technical Service,
3. Individuals with regard to whom magazine work is carried out and to whom
magazines are sent,
4. Suppliers, or Suppliers’ Employees or Officials
c. Data Categories and Examples
of Data Types
1. |
Customer, · Identity Information: Name, surname, date of birth, gender, Turkish ID number · Contact Information: Mobile phone number, e-mail address, mailing address, postal code,
land line number · Financial Information: Tax office, invoice details · Customer / Member Information: Membership information, membership ID number · Personnel data: Title, details of profession, wedding anniversary · Private personal data: Signature on the form |
2. |
Customers of Technical Service, · Identity Information: Name, surname, date of birth, gender, Turkish ID number · Contact Information: Mobile phone number, e-mail address, mailing address, postal code,
land line number · Financial Information: Tax office, invoice details · Private Personal Data: Signature |
3. |
Individuals to whom magazines are sent;
Magazine Works; Interviews, · Identity Information: Name and Surname, · Location Information: Magazine’s delivery address · Contact Information: Mobile phone number, e-mail address, mailing address, postal code,
land line number |
4. |
Suppliers, or Suppliers’ Employees or
Officials · Identity Information: Turkish ID. No., name, surname · Contact Information: E-mail address, telephone number, KEP (Registered Electronic Mail)
address, mailing address, mobile phone number · Financial Information: Account No., Tax office, Tax Identification Number, tax plate, IBAN · Legal Procedures and Compliance Information: Signature circular, certificate of activity, · Private Personal Data/Information on Legal
Procedures: Signature · Visual Information: Photograph |
d.
Business processes and purposes in/for
which the personal data are used,
Personal data are used at stores and
technical service centres operated by D Resort Göcek for the purpose of
carrying out activities relating to processes such as:
· Products and/or Services Provision,
· Products and/or Services Procurement,
· Entering into contracts,
· Performance of contracts,
· Accounting and payment processes
· Ensuring information security.
e.
Technical and Administrative Measures
Taken to Ensure the Security of Personal Data
The technical and administrative measures
taken to ensure the security of personal data processed by D Resort Göcek are
as follows:
· Authorisations are managed on systems containing personal data in order
to ensure Data Security. Attempts of access to these systems over the network
are monitored.
· All systems hosting personal data are periodically checked for security
reasons.
· Processes and systems are designed to prevent personal data from being
unlawfully released to external sources outside of the corporation.
· Persons with access to personal data are trained in order to raise their
awareness, and rules to prevent cases of data breach are applied.
· Personal data are kept at the data centre and in the cloud after the
necessary security measures are taken.
· Conformity of software and other products, which are used in the
provision of services, with data security and the protection of personal data,
is sought.
· All systems hosting data are backed up to ensure protection and business
continuity in the case of a system crash and against cyber-attacks.
· Hash, encryption, logging, access management and physical security
measures are applied to ensure the protection of information systems hosting
personal data against unauthorised access and unlawful data processing.
· The network on which all the systems hosting personal data and the
website are operated is protected through the use of a firewall.
f.
Parties and purposes to/for which personal
data may be transferred
D Resort Göcek transfers personal data to
third persons only in line with the purposes specified in the Policy on Privacy
and the Protection of Personal Data, and in compliance with Articles 8 and 9 of
the KVK Law. Customer data processed within this scope are shared with the
relevant department, while in the case of magazine dispatches, information on
the individual to whom the magazine will be delivered is also shared with the
courier company.
Customer data are also shared with the
commercial electronic communication means service provider, for the purpose of
offering promotions and advertisements and benefits and opportunities to the
customers, in line with their shopping choices, likes and habits, in accordance
with the customers’ commercial electronic communication approvals.
Website user settings and navigation
history are shared with third parties from which cookie services are procured.
Anonymised data belonging to customers are
shared with companies performing market research for the purpose of increasing
customer satisfaction and loyalty.
Within the scope of reporting and
statistical research, data belonging to customers are shared with D Resort
Göcek’s shareholder Doğuş Holding A.Ş. and its affiliates.
Personal data subject to domestic and
overseas transfer as specified above are also protected legally through the
provisions included in our contracts, which are compatible with the KVK Law,
that take into consideration whether the counter-party of the legal
relationship is a data controller or data processor, as well as the technical
measures to ensure their security.
g.
The durations of retaining personal data
D Resort Göcek retains the personal data
it has processed, in compliance with the KVK Law, and for the durations
prescribed by the applicable legislation or required by the purpose of
processing. These durations are approximately as follows in our Personal Data
Retention and Destruction Policy:
Data belonging to customers |
Such data are retained as long as they
remain as our customers/suppliers. When they are no longer
customers/suppliers, their data are retained for as long as such data
preserves its quality of being accurate and up-to-date. |
Law No. 6098 |
All records relating to accounting and
financial transactions |
10 years |
Law No. 6102, Law No. 213 |
Cookies |
Please see our Cookie Policy |
|
Commercial electronic communication
approval records |
1 year following the date on which the
approval was withdrawn |
Law No. 6563 and applicable secondary
legislation |
Information and/or CVs collected due to
job applications |
Candidate employee data are reviewed
once a year and data belonging to candidates who were not employed are
deleted. |
|
Personal data belonging to suppliers |
Such data are retained as long as they
remain as our customers/suppliers. When they are no longer
customers/suppliers, their data are retained for as long as such data
preserves its quality of being accurate and up-to-date. |
Law No. 6102, Law No. 6098 and Law No.
213 |
You may see our Cookie Policy on retention
terms of personal data obtained through the use of cookies.
h.
Rights of The Relevant Persons on Their
Personal Data, and How They May Exercise These Rights
The rights of the Relevant Persons on
their personal data processed by D Resort Göcek, pursuant to Article 11 of the
KVK Law, are listed below:
· To learn whether or not their personal data have been processed,
· To request information on the matter, if their personal data have been
processed,
· To learn the purpose for which their personal data are processed and
whether they are used according to their purpose,
· To obtain information on the third persons to whom their personal data
are transmitted domestically or abroad,
· To request the correction of their personal data that may have been
incompletely or inaccurately processed,
· To request the deletion or destruction of their personal data within the
framework of the provisions set forth in Article 7 of the KVK Law,
· To request that the third parties to whom their personal data were
transferred are informed of the procedures carried out pursuant to
sub-paragraphs (e) and (f),
· To object to any consequences that may arise against them as a result of
the analysis of the processed data exclusively by automatic systems,
· To request indemnification of their damages in the case that they
sustain damages as a result of unlawful processing of their personal data.
It is possible to exercise the rights on
personal data by filing an application by using the methods specified in the
“Application Form” created pursuant to Article 13 of the KVK Law, which may be
found on the website operated by D Resort Göcek.
i.
Sharing of Personal Data with Official
Authorities
D Resort Göcek may share the personal data
it processes with public authorities and institutions that are legally
authorised to request such data in order that D Resort Göcek may fulfil its
legal obligations [in cases where D Resort Göcek has a legal or administrative
obligation to provide legal notice or information including, but not limited
to, fighting crime, and any threat against the State and public security etc.].
j.
Use and Management of Cookies
Please see our Cookie Policy for detailed
information on the cookies used by D Resort Göcek, and cookie types and
purposes, durations of retention and cookie management.
2.
Conditions
Regarding Deletion, Destruction and Anonymisation of Personal Data
D Resort Göcek retains the personal data
it processes through its website, pursuant to Article 7 and 17 of the KVK Law
and Article 138 of the Turkish Criminal Code, for the durations stipulated by
applicable laws and/or for the durations required by their purpose of processing.
Following the expiration of such durations, personal data shall be deleted,
destroyed or anonymised pursuant to the provisions of the Regulation on
Deletion, Destruction or Anonymisation of Personal Data.
Deletion of personal data by D Resort Göcek
refers to the process of rendering personal data completely inaccessible and
non-reusable by the relevant users. To this end, D Resort Göcek forms and
implements an access authorisation and control matrix at user level. It takes
the necessary precautions to carry out the deletion procedure in the database.
Destruction of personal data by D Resort
Göcek refers to the process of rendering personal data completely inaccessible,
non-restorable and non-reusable by anybody.
Anonymisation of personal data by D Resort
Göcek refers to making it impossible for personal data to be associated in any
manner with an identified or identifiable real person, even if they match with
other data.
In its Policy on Retention and Destruction
of Personal Data which it has issued pursuant to the Regulation on Deletion,
Destruction or Anonymisation of Personal Data, D Resort Göcek explains in
detail the methods regarding, and the technical and administrative measures it
takes to ensure, deletion, destruction and anonymisation. This Policy also
stipulates the frequency of carrying out the periodical destruction procedure,
which is prescribed by the Regulation, as 6 months.
3.
Possible Changes
to the Policy on Privacy/the Protection of Personal Data
D Resort Göcek may introduce changes to
the Policy on Privacy/the Protection of Personal Data at any time without prior
notice. Such changes shall immediately take effect upon the publication of the
amended new Policy on Privacy/the Protection of Personal Data.