Privacy Policy

  1. Data Protection Retention And Destruction Policy

 

The main purpose of this policy is to make statements about the personal data processing activity carried out by our COMPANY in accordance with the law and the systems adopted for the protection of personal data, in this context, our guests, employees, employee candidates, company shareholders, company officials, visitors, institutions we cooperate with . to ensure transparency by informing the persons whose personal data are processed by our COMPANY , especially its employees, shareholders and officials, and third parties .

 

  1. Data Protection Retention And Disposal Policy

 

2.1 Regarding the processing and protection of personal data , both national laws and procedures according to into effect ̧ international agreements will find application area first. In case of inconsistency between the current legislation and this policy, the COMPANY accepts that the current legislation will find an area of application.

2.2 This policy applies to all personal data of our guests, employees, employee candidates, COMPANY shareholders, COMPANY officials, visitors, employees, shareholders, officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically, provided that they are part of any data recording system . is related.

2.3 The scope of application of this policy regarding the personal data owners in the above-mentioned groups may be the entire policy (for example, our employee candidates who are also visitors); There may also be only some provisions (for example, our visitors only).

2.4 Personal data that has been anonymized for statistical evaluations or studies, personal data of unidentified source, and data relating to legal entities are not considered personal data and are not subject to this policy.

2.5 This policy may be updated from time to time. Therefore, we ask you to visit www.papillon.com.tr regularly to access the most up-to-date version of the policy.

 

  1. Definitions

 

Law/KVKK: Law on Protection of Personal Data dated 24/3/2016 and numbered 6698.

Board/Institution: Personal Data Protection Board/Personal Data Protection Authority.

Personal Data: Any information relating to an identified or identifiable natural person.

Relevant Person: The person whose personal data is processed.

Explicit Consent: Consent about a specific subject, based on information and obtained with free will.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.

Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and unusable for Relevant Users in any way.

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.

Data processor: Processes personal data on behalf of the data controller based on the authority given to him. real or legal person .

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Special Qualified Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric data . and genetic data.

Obligation to Disclose: During the acquisition of personal data, the data controller or the person authorized by it, to the relevant persons; Giving information about the identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, other rights listed in Article 11 of the Law.

      Sedna : Front office , accounting and purchasing automation system with customer data .

Destruction Policy: The policy on which data controllers base the process of determining the maximum time required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.

Recording Media: Any electronic media containing personal data that is fully or partially automated or processed non-automatically, provided that it is a part of any data recording system.

      Netahsilat : Online payment system.

Company: Muna Turizm İnşaat Taahhüt Ticaret ve Sanayi A.Ş.- Simtan Turizm Ticaret ve Sanayi A.Ş.

 

  1. Principles Regarding the Processing of Personal Data

 

4.1 Compliance with the law and the rules of honesty: The COMPANY protects the individual rights of the persons concerned during the processing of personal data. Personal data is collected and processed in accordance with the law and fairly.

4.2 Processing for specific, clear and legitimate (transparency) purposes and being limited and measured in relation to the purpose for which they are processed: The purpose for which personal data will be processed by the COMPANY is determined before the personal data processing activity begins. The COMPANY processes personal data only in order to provide better service to the persons concerned. During the acquisition of personal data; The data subject is informed about the identity of the data controller and its representative, if any, the purpose of processing personal data, to whom and for what purposes personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the person concerned.

4.3 Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed : The COMPANY retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. As long as the personal data is deemed necessary for the purposes for which they are processed and required by regulatory authorities and/or relevant laws and regulations, the COMPANY and its affiliates under its control will continue to process and maintain personal data in accordance with the purposes set forth by this policy.

  • Accuracy of information, up-to-dateness of data : The COMPANY keeps the processed personal data accurate, complete and up-to-date if necessary. Where necessary; Inaccurate or incomplete data is deleted, corrected, completed or updated.
  • Privacy and data security: Personal data is subject to data privacy. It is considered confidential at the personal level and necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as to prevent accidental loss, alteration or destruction, and to ensure the preservation of personal data.

 

  1. Data Processing Scope

 

Personal data processing is carried out in two different ways.

Automatic processing of data in whole or in part; Receiving, collecting, recording, photographing, sound recording, video recording, organizing, storing data from the relevant person or third parties specified in this policy for the purposes of transfer, dissemination or presentation, grouping or combining, blocking, deletion or destruction. change, reinstatement, withdrawal or disclosure.

Processing/obtaining data by non-automatic means; It covers recording, storing, preserving, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making available, classifying or preventing use, provided that it is part of any recording system.

5.1 The COMPANY shall have the right to process the personal information of the person concerned during the use of its services and after the end of the service relationship, by complying with the purposes specified in this policy.

5.2 Personal data processing by the COMPANY includes all kinds of actions taken for data using non-automatic means, provided that it is part of an automatic, semi-automatic or automated system, without any restrictions.

5.3 The COMPANY processes the data of the data subject or persons under the custody of the data subject.

5.4 Data processing also includes sharing the data provided with the express consent of the relevant person and/or third parties, when the COMPANY’s instructions and /or when the COMPANY acts in favor of and on the instructions of a third party where the COMPANY is the data processor.

5.5 Explicit consent of the person concerned, recording of the activities of the person concerned by the COMPANY while using various electronic channels (including but not limited to the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and receipt) and includes processing. (For example; determining the location of the relevant person when using the electronic channel , identifying and analyzing input data, product selection frequency and/or other statistical data)

 

  1. Fundamentals of Data Processing

 

6.1 The person concerned accepts that during the use of the COMPANY services and even if the contractual relationship is terminated, it is necessary for the COMPANY to process the information of the relevant person or of the third parties specified by the relevant person, within the scope of the following purposes.

  1. a) Providing and/or implementing a service for the person concerned ,
  2. b ) Data processing is mandatory in order to protect the legal rights of the COMPANY and/or third parties,
  3. c) Fulfilling the legal obligations of the COMPANY,
  4. d) It is necessary to process the personal data of the person concerned, provided that it is directly related to the establishment or performance of a contract between the data subject and the COMPANY,
  5. e) Data processing is mandatory for the establishment, exercise or protection of a right,
  6. f) Other matters to which the person concerned has expressly consented,
  7. g) Other matters clearly stipulated in the legislation .

6.2 The express consent given by the data subject shall mean that the person concerned accepts the policy and its provisions.

 

  1. Data Processing Purposes

 

Third parties that process personal data shared with the consent of the COMPANY and/or the persons concerned may process the personal data of the data subject or persons under the custody of the data subject for the following purposes.

  1. a) Realization of accommodation services as declared, better and reliable provision of the services provided to the guests, their execution,
  2. b) The COMPANY performs online payment and receipt of payments through the Netahsilat online system. In these transactions, the guest’s (Name and surname, date of birth, e-mail address, telephone number and credit card) information is used,
  3. c) To conduct information research and survey evaluations, to provide planning, statistics, archiving, storage services, to carry out customer satisfaction studies,
  4. d) It is necessary to check the accommodation history and/or behavioral patterns of the person concerned in order to optimize and develop the COMPANY services,
  5. e) The COMPANY’s ability to offer a new and/or additional service or out-of-service product ,
  6. f) Changing the current conditions of the service provided by the COMPANY ,
  7. g) The COMPANY’s analysis of statistical data, preparation and presentation of various reports, researches and/or presentations,

ı ) In addition to ensuring security; detecting and/or preventing abuse , other criminal activities,

  1. j) Meeting the complaints, questions and demands of the person concerned ,
  2. k) Verifying the identity information of the person concerned ,
  3. l) Carrying out promotional, marketing, promotion and campaign activities for accommodation services,
  4. m) Realization of other objectives stipulated in national and international laws and regulations.

 

  1. Processing, Transfer or Disclosure of Data

 

The COMPANY fulfills the obligations imposed by the relevant legislation and board policy decisions regarding the processing, transfer or disclosure of personal data. In accordance with the purposes determined by this policy, including, but not limited to, the personal data of the related person and third parties; For the processing, transfer and/or disclosure of all kinds of information, depending on the content and variety of the accommodation service offered by the COMPANY ; Name and surname of the person concerned, Personal identification number and/or unique feature on the identity card, Registered and/or resident address, Telephone/mobile number, E-mail address, Employer data, as well as information about employment conditions (place of work) , wages, working hours, etc.), while using various electronic channels and/or the internet (including but not limited to web cookies, etc.) and when using the above-mentioned channels, the activities of the person concerned and/or the third parties specified by the person concerned (this including but not limited to verification of channels, actions taken or transaction history),  It uses the data about the persons with whom the relevant person stays during the service procurement.

 

8.1 If the person concerned (including but not limited to personal data, sensitive personal data, etc.) to benefit from the services of the COMPANY gives personal data of third parties (Family members, employers, etc.) to the COMPANY ; The person who gives the data to the COMPANY will be responsible for obtaining the necessary consent for the processing of this personal data .

8.2 If the person concerned gives the said information to the COMPANY (or its authorized personnel), it is assumed that the person concerned has given the necessary explicit consent and the COMPANY’s obligation to obtain this explicit consent is no longer required.

8.3 In the event that personal and/or special quality personal data is processed without the explicit consent of the data subject and a loss arises as a result of this processing, the COMPANY is obliged to cover this loss.

8.4 Explicit consent of the person concerned, recording of the activities of the person concerned by the COMPANY while using various electronic channels (including but not limited to the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and receipt), and includes processing. (For example; determining the location of the relevant person when using the electronic channel , identifying and analyzing input data, product selection frequency and/or other statistical data)

8.5 The COMPANY shall use the telephone number, mobile phone number, e-mail address and other contact information provided by the person concerned, to send SMS, voice and/or other kinds of marketing messages (direct marketing) until the person uses his/her right to refuse Electronic Commerce numbered 6563. It has the right to send commercial electronic messages within the scope of the Law on the Regulation.

8.6 The person concerned gives the COMPANY the right to share their personal data with the COMPANY’s subsidiaries and/or shareholders for the purpose of making various marketing offers.

8.7 The contents displayed during the use of advertising/information messages (for example, advertising brochures, promotional images, verbal offers, etc.) at the service points of the COMPANY or electronic channels such as the Internet, mobile marketing by the COMPANY (or its subsidiaries) directly It will not be considered as marketing and the person concerned will not have the right to demand that the publication and/or display of such content be terminated.

 

  1. Processing of Applicants’ or Employees’ Data

 

9.1 Processing of Personal Data for the Purpose of Concluding, Performing, Maintaining and Terminating a Service Contract

 

Fulfillment of personal rights arising from the service contract and their uninterrupted maintenance, occupational health and safety service to be provided to employees, fulfillment of work permit procedures, evaluation of personal job applications, execution of research and other recruitment processes, performance evaluation and follow-up, training activities, improvement of working conditions The COMPANY has the right to process the personal information disclosed by the person concerned due to employment, probationary period and/or start of internship, for purposes such as fulfillment of human resources and training processes such as carrying out personal development processes.

During the job application process, information about the applicant is collected from third parties within the framework of the provisions of the Law on Protection of Personal Data No. 6698.

The explicit consent of the applicant is required for the processing of personal data that is related to the business relationship but is not part of the performance of the employment contract in the first place.

 

9.2 Processing of Private Personal Data

 

Special Quality personal data can only be processed with the express consent of the person concerned for the processing of special quality personal data . Other than health and sexual life special categories of personal data, only as stipulated in the law. cases related to health and sexual life. personal data; however, it is complied with , that it is processed by persons or authorized institutions and organizations under the obligation of secrecy, for the purpose of protecting public health , conducting preventive medicine, medical diagnosis , treatment and care services , planning and managing health services and financing .

 

  1. Information Transfer/Sharing to/from Third Parties

 

the COMPANY to provide services to the data subject, this policy is transferred/shared with the data subject and/or the third parties specified by the relevant person within the scope of data processing. The person concerned gives the COMPANY personal data; Obtaining and recording data completely or partially automatically or non-automatically provided that it is a part of any recording system, through all departments, internet, call centers, public institutions and organizations, and the parties from which they receive services that are complementary or extensions of the COMPANY’s activities, their suppliers , gives the rights to be stored, preserved, modified, rearranged, disclosed, transferred, transferred abroad, taken over, made available, classified or used.

 

  1. Obligation of Data Controller and Data Processor

 

11.1 Based on the provisions of this policy; The COMPANY may act on behalf of the data controller, including third parties, who are data processors, while processing some types of personal data. The data controller may be a data processor for third parties in some personal data. Accordingly, each of the parties to such a relationship (data controller as well as the data processor) acts in accordance with the Law on the Protection of Personal Data. Because;

  1. a) Personal data is processed in accordance with the principles in the legislation.
  2. b) The explicit consent of the relevant person is obtained, necessary information and illuminations are made.

In the event that the data controller occurs; when a request is made by the data subject regarding information about his/her personal data, when a complaint or statement is submitted regarding the compliance of the data controller with the obligations imposed by the legislation, it notifies the data subject as soon as possible and within 30 days at the latest.

In addition, if one of the parties represents the data processor and the other the data controller during the data processing, the data processor fulfills the following obligations. The data processor is obliged to:

  1. By complying with the extent and scope as defined by the provisions of this policy and permitted by the legislation; or

processes the data transmitted/explained by the other party, upon the request of a regulatory authority,

  1. Unauthorized processing, loss, destruction, damage to the data transmitted/disclosed by the data controller,

take all reasonable technical and administrative measures to prevent unauthorized modification or disclosure.

implementation and taking every necessary action, and that the data controller is responsible for any measure taken within this scope.

informs ,

  • The COMPANY, through its authorized personnel, takes the measures implemented by the data processor for data security and

monitors applications

  1. complaint submitted/explained by the COMPANY, including the following, by the Data Processor or

cooperates and assists in the examination of the declaration ,

  1. Including data about the data subject transmitted/disclosed by the data controller to the data processor

( including electronic data), 7 working days from the date of request for detailed information on the status of complaints and declarations.

in It provides the COMPANY ,

  1. Personal data that are not part of the European Union Economic Area by the Data Processor

Personal Data of the person or person who is not in the list of countries that are at a sufficient level for the protection of

Data processing to a country and/or international organization that the Protection Board does not allow to be transferred

It prevents ( transfer ) activity,

  • Without the prior express written consent of the COMPANY ; does not transfer/disclose the data to third parties,
  • the COMPANY has express prior written consent; pursuant to a written contract with the data processor

responsible for transferring/disclosure of data . In the aforementioned written contract, the third party and its subordinates

processing , loss, destruction, damage, unauthorized modification or

is obliged to take all necessary technical and administrative measures to prevent disclosure .

  1. Failure of the data processor (in accordance with the policy and legislation) to take the necessary actions or not fully

Compensation for any damage/loss that the COMPANY will incur due to its failure to deliver . data processor

All kinds of damages/losses (including consequential damages) that the COMPANY may suffer as a result of violation of

but not limited to this), complaints, expenses (due to the COMPANY exercising its legal rights)

including, but not limited to, the expenses incurred by the

The data processor gives express consent and agrees with the data controller to remedy the damages and provide compensation.

remains .

  1. Unless otherwise stated in the contract between the COMPANY and the data processor, the relationship between the COMPANY and the data processor

data processor after the termination of the contractual relationship; All kinds of data transferred/disclosed from the COMPANY

( including personal data). To prevent unauthorized access to data by third parties

necessary security measures, personal data transferred/explained by the COMPANY

destroying the data and notifying the COMPANY to confirm that this action has been taken.

responsible .

 

  1. Data Update, Processing, Retention Period and Data Disposal

 

12.1 It continues to operate for a period of time consistent with the purposes and interests of the company, the requests of supervisory / regulatory authorities and / or legislation for the purposes specified in this policy during and after the period of using the services of the Company.

12.2 The processing of the data transferred during the use of the COMPANY electronic channels (web browser, website, internet, mobile applications and/or other electronic data transfer tools) continues after the data subject deletes the data from the relevant electronic channels.

12.3 Upon the request of the person concerned, information is provided regarding the personal data kept in the COMPANY , within the scope of the legislation.

12.4 If the data of the person concerned in the COMPANY are incomplete or inaccurate, the incomplete and incorrect data are completed and corrected upon the written notification of the person concerned to the COMPANY .

12.5 Personal data is kept for as long as required by the relevant legislation or for the purpose for which they are processed, and in any case for 15 years. Although it has been processed in accordance with the provisions of the legislation, in the event that the reasons for its processing disappear and the COMPANY’s storage period expires, the personal data is deleted, destroyed or anonymized by the data controller automatically or upon the request of the data subject.

12.6 In determining the retention and destruction periods of personal data, the following criteria are used:

  1. a) By determining which of the exceptions stipulated in Articles 5 and 6 of the Law, data storage can be evaluated within the scope of it,

Access authorization and control matrix system is used. For each personal data, the relevant users are identified, the authorizations and methods of the relevant users such as access, retrieval, reuse are determined, employment contract termination or change of position, etc. In such cases, the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data are updated, closed and eliminated.

  1. b) In the event that the period stipulated in the legislation expires in relation to the storage of the personal data in question or if no period is stipulated in the relevant legislation for the storage of the said data, the data is deleted, destroyed or anonymized by the data controller in 10-year periods .

12.7 In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law titled “General principles” and the measures to be taken within the scope of Article 12 titled “Obligations regarding data security”, the provisions of the relevant legislation, the decisions of the Institution and this policy is followed.

12.8 All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the COMPANY. These records are kept for at least 10 years, excluding other legal obligations.

12.9 Unless a contrary decision is taken by the Personal Data Protection Authority, the appropriate method of deleting, destroying or anonymizing personal data is chosen by the COMPANY.

12.10 Personal data collected by the COMPANY are stored in various recording media. It is deleted by methods suitable for recording media. In the cloud system, data is deleted manually and/or by giving a deletion command, and personal data in paper media is deleted using the blackout method. The blackening process is where the personal data on the relevant document is cut off when possible, and in cases where it is not possible, it is rendered invisible to the relevant users by using fixed ink, which cannot be read or returned with technological solutions.

Office files located on the central server are deleted with the delete command in the operating system of the file, or the access rights of the relevant user on the file or the directory where the file is located are removed. Personal data in portable memories are stored encrypted and deleted with software suitable for these environments. Relevant lines containing personal data are deleted with database commands (DELETE etc.). While performing the transaction, attention is paid to whether the relevant user is also a database administrator.

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The COMPANY, the Data Controller, takes all necessary technical and administrative measures regarding the destruction of personal data. In order to destroy personal data, all copies of the data are detected and the systems with the data are physically destroyed by melting, burning or pulverizing optical media and magnetic media. It is ensured that the data is not accessed by processes such as melting, incinerating, pulverizing or passing the optical or magnetic media through a metal grinder. With the command to delete network devices ( switch , router , etc.) , mobile phones (sim card and fixed memory areas); optical discs, by erasing command and physical destruction methods in fixed memory areas in portable smartphones; Data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, breaking into small pieces and melting. The destruction of personal data in devices that fail or are sent for maintenance is stored by removing the data storage medium, and other defective parts are sent to third institutions such as manufacturers, vendors and service providers. Personnel coming from outside for maintenance and repair purposes are prevented from copying their personal data and taking them out of the institution, and necessary precautions are taken.

Anonymization is the removal or change of all direct and/or indirect identifiers in a data set, preventing the identification of the data subject from being identified, or losing its distinctiveness in a group/crowd so that it cannot be associated with a natural person. The purpose of anonymization is to break the link between the data and the person identified by this data. The data is anonymized by choosing the one suitable for the relevant data out of the methods such as automatic or non-automatic grouping, masking, derivation, generalization, randomization applied to the records in the data recording system where personal data is kept.

 

  1. Rights of the Relevant Person

 

Each relevant person; to learn whether personal data is processed, to request information if personal data has been processed, to learn the purpose of personal data and whether they are used in accordance with its purpose, to know the third parties in the country or abroad to whom personal data are transferred, to request correction of personal data in case of incomplete or incorrect processing, Requesting the deletion or destruction of personal data, requesting notification that personal data has been transferred to third parties in the country or abroad, Objecting to the emergence of a result against the person by analyzing the processed data only through automatic systems, incurring damage due to unlawful processing of personal data has the right to demand the compensation of the damage in case of damage.

 

  1. Confidentiality of Data Processing

 

14.1 Personal data is subject to data security. Any employee of the COMPANY , its affiliates and/or subsidiaries is prevented from accessing this data without authorization and unauthorized persons are strictly prohibited from processing or using this data. The processing of this data by any employee of the COMPANY , its subsidiaries and/or subsidiaries who are not authorized within the framework of the job description, means unauthorized operation. Employees of the COMPANY , its subsidiaries and/or subsidiaries can access personal data only if they are authorized to access personal data within their job description.

14.2 Employees of the COMPANY , its subsidiaries and/or subsidiaries are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons or making this data accessible by any other method. The data controller informs its employees about the obligation to protect data confidentiality at the beginning of the job, provides training to their employees and ensures that they receive training.

14.3 In order to protect the property and privacy, as well as to control and measure the service quality, the provisions of the Law on the Protection of Personal Data No. 6698 are taken into account, around and at the entrances of the buildings and workplaces, in the kitchen and service background, etc. video and audio recordings are made.

14.4 The person concerned is informed that video recording and video inspection are being made by using appropriate tools at the COMPANY’s relevant service points and while communicating with the COMPANY. The person concerned accepts the importance of video and audio recording and hereby gives express consent to the COMPANY to process its data in this regard .

 

  1. Data Processing Security

 

Personal data is protected against unauthorized access, illegal data processing or disclosure, and accidental loss, alteration or destruction of data. Whether the data is processed electronically or on paper, it is within the scope of protection. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.

 

  1. Data Protection Control

 

Compliance with this Data Protection Policy and relevant data protection laws is regularly checked by authorized persons in the relevant units of the COMPANY. Personal data protection agency can personally audit the compliance of the COMPANY , its subsidiaries and subsidiaries with the provisions of this policy , as permitted by national laws .

 

17.Contact

 

When the data subject submits his requests regarding the implementation of this policy and the Law on the Protection of Personal Data to the Data Controller in writing, the Data Controller concludes the request free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request in the application. However, if the transaction requires an additional cost, the fees in the tariff determined by the Personal Data Protection Board are charged.