Sena Global Otelcilik Ticaret A.S.
PROTECTION AND TREATMENT OF PERSONAL DATA
POLICY SECTION 1 – INTRODUCTION
1.1. INTRODUCTION Protection of
personal data is among the most important priorities of Sena Global Otelcilik Ticaret A.Ş. (the “Company”) . This is Sena Global Otelcilik Ticaret A.Ş. The principles adopted in the conduct of personal data processing activities carried out by our Company within the framework of the Personal Data Protection and Processing Policy (“Policy”) and the basic principles adopted in terms of compliance of our Company’s data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“Law”) are explained, and Thus, our Company provides the necessary transparency by informing the personal data owners. With full awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.
The activities carried out by our Company regarding the protection of personal data of our employees are managed under the Policy on the Protection and Processing of Personal Data of BERRY HOTELS Employees, which was written in parallel with the principles in this Policy.
This Policy concerns all personal data of persons other than our Company ‘s employees , which are processed automatically or by non-automatic means, provided that they are part of any data recording system. It is possible to access detailed information about the personal data owners in question from the ANNEX 2 (“ Annex 2 – Personal Data Owners ”) document of this Policy.
1.3. IMPLEMENTATION OF POLICY AND RELEVANT LEGISLATION
Relevant legal regulations in force on the processing and protection of personal data will primarily find application. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will find an area of application. The policy regulates the rules set forth by the relevant legislation by embodying them within the scope of Company practices.
1.4. ENFORCEMENT OF THE POLICY
our company , is dated 01.04.2023. In case of renewal of all or certain articles of the Policy, the effective date of the Policy will be updated. The policy is published on the website of our Company (www.berryhotels.com.tr) and made available to the relevant persons upon the request of the personal data owners.
SECTION 2 – MATTERS REGARDING THE PROTECTION OF PERSONAL DATA
2.1. ENSURING THE SECURITY OF PERSONAL DATA
Our company takes the necessary measures according to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer or other security deficiencies of personal data in accordance with Article 12 of the Law . In this context, our Company takes administrative measures to ensure the required level of security in accordance with the guidelines published by the Personal Data Protection Board (“ Board ” ), and carries out inspections or have them done.
2.2. PROTECTION OF PRIVATE PERSONAL DATA
importance is attached to sensitive personal data within the scope of the Law due to the risk of causing suffering or discrimination when processed unlawfully . This “special quality” personal data; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of personal data of special nature and the necessary audits are provided within our Company .
Detailed information on the processing of special categories of personal data is provided in 3.3 of this Policy. included in the section.
2.3. RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our company ensures that the necessary trainings are organized for the business units in order to increase the awareness to prevent the illegal processing of personal data , illegal access to the data and to ensure the preservation of the data .
Our company establishes the necessary systems to raise the awareness of its current employees and newly recruited employees on the protection of personal data , and works with consultants if needed . In this direction, our Company evaluates the participation in the relevant trainings, seminars and information sessions, and organizes new trainings in parallel with the updating of the relevant legislation.
PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PROVIDED IN THE LEGISLATION
3.1.1. Processing in Compliance with Law and Integrity
Personal data are processed in accordance with the general rule of trust and honesty, without harming the fundamental rights and freedoms of individuals . In this framework, personal data is processed as and limited to the extent required by our Company ‘s business activities .
3.1.2. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
Our company takes the necessary measures to ensure that personal data is correct and up-to-date throughout the period it is processed, and establishes the necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods .
3.1.3. Processing for Specific, Explicit, and Legitimate Purposes
Our company clearly reveals the purposes of processing personal data and operates within the scope of purposes related to these activities in line with its business activities .
3.1.4. Being Related to the Purpose for which they are Processed, Limited and Measured
Our company collects personal data only in the quality and extent required by business activities and processes it limited to the determined purposes .
3.1.5. Retention for as Long as Required for the Purpose of Processing or Established in the Relevant Legislation
Our company preserves personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the relevant legal legislation . In this context, our company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed . At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and / or destruction and / or anonymization).
1.2. CONDITIONS FOR PERSONAL DATA RELEASE _ _ _ _ _ _ _ _ _ _ _ _
Except for the express consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions specified below, or the basis of the same personal data processing activity under more than one condition . can happen. In case the processed data is personal data of special nature , it is ̧ 3.3 of this Policy . The terms in the title (“Processing of Special Quality Personal Data”) will be applied .
(i) Explicit Consent of the Personal Data Owner
the conditions for the processing of personal data is the explicit consent of the data owner. The explicit consent of the personal data owner should be disclosed on a specific subject, based on information and free will.
In the presence of the personal data processing conditions listed below, personal data can be processed without the need for the explicit consent of the data owner .
(ii) Explicitly Provided in Laws
If the personal data of the data owner is clearly stipulated in the law, in other words , if there is a clear provision in the law regarding the processing of personal data, the existence of this data processing condition can be mentioned.
(iii) Failure to Obtain Explicit Consent of the Person Due to Actual Impossibility
data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to explain his or her consent due to actual impossibility or whose consent cannot be validated , in order to protect the life or bodily integrity of himself or another person .
(iv) Direct Concern with the Establishment or Performance of the Contract
directly related to the establishment or performance of a contract to which the data owner is a party , this condition may be deemed to have been fulfilled if the processing of personal data is necessary .
(v) Fulfilling the Company ‘s Legal Obligation
processing is necessary for our company to fulfill its legal obligations, the personal data of the data owner may be processed .
(vi) Publicizing the Personal Data of the Personal Data Owner
If the data owner has made his personal data public, the relevant personal data may be processed for the purpose of making it public on a limited basis .
(vii) Requirement of Data Processing for the Establishment or Protection of a Right
processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed .
( viii) Mandatory Data Processing for Our Company ‘s Legitimate Interest
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company .
1.3. PROCESSING OF SPECIAL QUALITY PERSONAL DATA
Special quality personal data is processed by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data owner, provided that it is expressly stipulated in the law, in other words, there is a clear provision in the relevant law regarding the processing of personal data . Otherwise, the explicit consent of the data owner will be obtained.
Special categories of personal data regarding health and sexual life , protection of public health , preventive medicine, medical diagnosis , execution of treatment and care services, planning and management of health services and financing, It can be processed by individuals or authorized institutions and organizations without seeking explicit consent. Otherwise, the explicit consent of the data owner will be obtained.
DISCLOSURE OF THE PERSONAL DATA OWNER
Our company , in accordance with Article 10 of the Law and secondary legislation, informs the owners of personal data by whom and for what purposes their personal data is processed, for what purposes they are shared, with what methods they are collected, and the legal reason and the business l l l e of the personal data of the data owners . informs them about the rights they have within the scope of the law .
1.5. TRANSFER OF PERSONAL DATA _ _ _ _ _ _ _
Our company can transfer the personal data and special quality personal data of the personal data owner to third parties ( public institutions , suppliers, etc.) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. . In this direction , our company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be found in the APPENDIX 4 (“ APPENDIX 4 – Third Parties to which Personal Data Transferred by Our Company and Purposes of Transfer ”) document of this Policy.
1.5.1. Transfer of Personal Data
Even without the explicit consent of the personal data owner, personal data may be transferred to third parties by taking all necessary security measures, including the methods envisaged by the Board, with due care and in case one or more of the conditions stated below are present .
In addition to the above, personal data may be transferred to foreign countries declared to have adequate protection by the Board (” Foreign Country with Sufficient Protection “) in case of any of the above conditions. In the absence of sufficient protection, it can be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing in line with the data transfer conditions stipulated in the legislation and where the Board has permission (“Foreign Country where the Data Controller Undertaking Adequate Protection is Available” ) .
1.5.2. Transfer of Private Personal Data
Special quality personal data may be transferred by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Board, and in the presence of the following conditions:
(i) Personal data of special nature, excluding health and sexual life, may be processed without the explicit consent of the data owner , provided that it is clearly stipulated in the law , in other words, there is a clear provision in the relevant law regarding the processing of personal data . Otherwise, the explicit consent of the data owner will be obtained.
(ii) Private personal data on health and sexual life , for the protection of public health , preventive medicine , medical diagnosis , execution of treatment and care services, planning and management of health services and financing may be processed by persons or authorized institutions and organizations under the obligation to keep secrets without seeking explicit consent. Otherwise, the explicit consent of the data owner will be obtained.
In addition to the above, personal data may be transferred to Foreign Countries with Sufficient Protection in the presence of any of the above conditions. In the absence of sufficient protection, it can be transferred to Foreign Countries where the Data Controller Undertaking Adequate Protection is in line with the data transfer conditions stipulated in the legislation.
personal data processing purposes of our company , the personal data specified in the 5th and 6th articles of the Law, by informing the relevant persons in accordance with the Article 10 of the Law and the secondary legislation . Based on at least one of the processing conditions and in a limited manner, in accordance with the general principles specified in the Law, primarily the principles specified in Article 4 of the Law on the processing of personal data . personal data is processed . Within the framework of the purposes and conditions specified in this Policy , the personal data categories processed and detailed information about the categories can be accessed in the APPENDIX 3 (“ ANNEX 3- Personal Data Categories ”) document of the Policy.
processing purposes in question is included in ANNEX 1 of the Policy (“ ANNEX 1- Personal Data Processing Purposes ” ).
Our company preserves personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the relevant legal legislation . In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined , it acts in accordance with this period. If there is no legal period, personal data are stored for the period necessary for the purpose for which they are processed . At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the data owner and with the determined destruction methods (deletion and/or destruction and/or anonymization ) .
Winter ̧ personal data (1) (2) (3)
Owners have the following rights :
To learn whether personal data is processed or not , If
personal data is processed , to request information
about it , To process personal data To learn the purpose and whether they are used in accordance with their purpose,
To know the third parties to whom personal data is transferred
in the country or abroad , To request correction of personal data in case of incomplete or incorrect processing and to request that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
Law and other relevant laws Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, even though it has been processed in accordance with the provisions of its provisions, and requesting the notification of the transaction made within this scope to the third parties to which the personal data has been transferred, Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated
systems . To request the compensation of the damage in case of loss due to unlawful processing of personal data .
6.2. USE OF RIGHTS OF A PERSONAL DATA OWNER _ _ _ _ _ _ _
Personal data owners will be able to submit their requests regarding their rights listed in section 6.1 (“ Rights of Personal Data Owner ”) to our Company through the methods determined by the Board .
6.3. S ̧ COMPANY ̇ MI Z ̇ N PRESS ̧ ANSWERING BATT _ _
Our company takes the necessary administrative and technical measures to finalize the applications to be made by the personal data owner in accordance with the Law and secondary legislation.
personal data owner submits his request regarding the rights in section 6.1 (“Rights of the Personal Data Owner”) to our Company in accordance with the procedure, our Company will do so as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request . will finalize the request free of charge. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
APPENDIX 1 – Purposes of Personal Data Processing
MAIN OBJECTIVES (PRIMARY)
Planning or executing processes related to receiving employee/intern candidate applications
Planning or executing our company’s human resources policies and processes
Planning or executing the processes of receiving and evaluating disabled employee candidate applications
Evaluation of the CV information of the employee or trainee candidate in terms of current or future positions within the company
evaluation of the employee /intern candidates whose applications are received and conducting the necessary interviews
Planning or execution of internal/external communication (reference check etc.) activities required for employee candidate or student/intern placement
the Company ‘s activities are carried out in accordance with Company procedures or relevant legislation
Planning or execution of activities to ensure the legal and technical security of our company and related persons who have business relations with our company
with company security policies and procedures
executing the activities of creating , auditing or following up personal records of subcontractor employees
Planning or execution of activities that should be carried out within the framework of occupational health and safety
Planning or executing emergency or incident management processes
Ensuring that the data is accurate , unique or up-to-date
Planning or execution of activities for providing and recording information or documents and requests requested from official institutions or organizations
of our company ‘s internal/external audit, inspection , investigation or control activities
Planning or execution of activities related to giving legal opinion or providing legal services
Arranging, concluding, revising or following up the contract processes
Planning or execution of network monitoring and management activities
Ensuring the security of company fixtures or resources
Creating or tracking visitor records
Planning or execution of the marketing processes of our company’s products and services
Determination or evaluation of the people to be subject to marketing activities in line with consumer behavior criteria
Planning or executing the activities required to customize the products and services offered by or on behalf of our Company according to the tastes, usage habits and needs of the persons concerned, and to recommend and promote them to the relevant persons .
personalized marketing, advertising, campaign and promotional activities (data enrichment, profiling, segmentation, data analytics and similar )
Planning or execution of customer acquisition activities
Planning or execution of cross-selling activities related to other products offered by our company
Planning or executing activities to create and increase loyalty to our company and the products and services offered by our company
Planning or executing lottery/competition activities
Planning or executing activities for measuring and reporting campaign/sweepstakes/advertising/event performances for marketing
6 Planning or execution of customer relationship management processes
studies and conducting the relevant business processes in order to benefit the relevant persons from the products or services offered by or on behalf of our Company .
Planning or executing activities aimed at improving customer satisfaction or experience
Planning or execution of activities related to survey studies carried out by our company
Evaluation , follow- up or management of requests/requests or complaints collected in digital or other channels
Receiving reservation applications for hotel accommodation and facility use, realization and follow-up of accommodation / usage transactions
Controlling, ordering and cleaning of rooms/customer areas
Planning or execution of activities related to lost or entrusted goods
Planning or executing the processes of providing the customer with tools or information suitable for the channels that the customer will use in accessing or using the hotel services
Planning or execution of customer exit transactions
Establishing membership in our company ‘s affiliation /loyalty programs
Planning or execution of membership information change or cancellation transactions regarding our company ‘s affiliation / loyalty program
Health and Performance Center application requests for diagnosis, testing, therapy, treatment or training , creating registration and reservations
the relevant persons benefit from the Athlete Health and Performance Center services
Establishing a membership registration to the Athlete Health and Performance Center , realizing membership transactions or fulfilling cancellation /freezing requests
Realization , control and supervision of payment transactions related to hotel services
Performing invoice issuance, control or cancellation transactions
Realization of correspondence transactions _
Planning or execution of corporate communication activities
carry out the commercial or operational activities carried out by our company, the necessary work is carried out by our relevant business units and the related business processes are carried out .
Planning or execution of sponsorship activities
Planning or execution of social responsibility or civil society activities
Planning or executing events/invitations/fairs/meeting organizations for the promotion of our company and hotel services
Planning or executing career days, conferences or other events to promote our Company in terms of potential employee candidates Planning or executing market research activities for sales or marketing of hotel services
Planning or executing activities for business/process/system design, development or improvement
or execution of processes related to software creation , software testing and maintenance, and information systems support related to information systems
potential business partner / supplier / subcontractor / agency
Planning or executing risk assessment activities or feasibility studies for
Planning or executing communication activities related to service provision with our company ‘s business partners / suppliers / agents and the employees of these institutions
7 Planning or executing the activities of ensuring the follow-up of work / performance of the 3rd party employees in business relations with our company
Budget or financial statement studies/controls
Planning or executing purchasing deadlines
Identification, use or control of the authorization of access to information by our employees and third parties
Planning or executing operations or productivity processes, Carrying out business continuity activities Planning or executing internal/external reporting activities
or realizing activities related to the sale or lease of movable/real estate owned by our company
APPENDIX 2 – Personal Data Owners
CATEGORIES OF PERSONAL DATA OWNERS
Regardless of whether they have a contractual relationship with our company or not, real persons who apply for or use or have used the products and services offered by our company ( for example, those who stay in our hotels) Persons who are members of our hotels’ loyalty programs, who use or become a member of our hotels’ SPA, massage, gym, pool, beach, golf courses, although they do not stay)
persons who have entered the physical premises of our company for various purposes or visited our websites / mobile applications Commercial transactions between our company and the parties covered by this Policy
third-party real persons (e.g. family members and relatives, people subject to social responsibility projects, members of the public, references to the employee candidate, former employees, social media users) who are related to these persons in order to ensure their safety or to protect the rights of the aforementioned persons and to obtain benefits. ) or other natural persons who are not covered by this Policy and BERRY HOTELS Employees Personal Data Protection and Processing Policy
Real persons ( including trainee candidates) who have applied to our company for a job through any means , or who have made their CV and related information available to our company for review .
Employees , Shareholders and Officials of the Institutions We Collaborate With
Employees in the institutions (agents, business partners, suppliers, group companies, members of the press, well-known persons and the like, but not limited to, shareholders and officials of these institutions ) with which our company has all kinds of business relations . natural persons, Claimant / Complainant
persons who request opinions ̧ / complaints / suggestions and information about our company or our company ‘s products or services to our company, authorized public institutions and organizations or digital channels
Campaign / Contest / Event Participant
Real persons who participate in campaigns, competitions or events organized by our company in digital or non-digital environments
APPENDIX 3 – Categories of Personal Data
PERSONAL DATA CATEGORIES
containing information about the identity of the person (eg name-surname, TR identity number,
Nationality information, place of birth, date of birth , gender , workplace information , registration number, tax number, title, biography, etc. information and documents such as driver’s license, professional identity, identity card and passport)
about the contact ‘s contact address (eg phone number, address, e-mail, fax number )
Information identifying the location of the location for emergency processes
Family Members and Close Information
Information about the family members and relatives of the personal data owner, within the framework of our company’s operations, about the products and services we offer, or in order to protect the legal and other interests of the Company and the data owner
Data obtained regarding the customer during the commercial activities of our company
Customer Transaction Information
Information such as records of our customers’ use of our products and services, and instructions and requests of our customers necessary for the use of our products and services
Physical Space Security Information
related to the records and documents taken during the entrance to the physical space , during the stay in the physical space ( eg records taken at the security point)
Business Security Information _ _ _ _
Your personal data processed to ensure our technical, administrative, legal and commercial security during the execution of our activities (e.g. log records, IP information, identity verification information)
Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner ( eg bank account number , IBAN number , data such as income information, debt/credit information)
Employee Candidate Information
Curriculum vitae of employees and/or trainees who have applied for a job in our company by any means .
Special Qualified Personal Data
people ‘s race, ethnic origin, political opinion , philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data
Request/ Complaint Management Information
Personal data regarding the receipt and evaluation of all kinds of requests , opinions or complaints directed to our company
Audio Visual Data
Photographs , camera and audio recordings
Legal Process and Compliance Information
Personal data processed within the scope of determination, follow-up and performance of our legal receivables and rights, and compliance with our legal obligations and our Company’s policies
data owner, who clearly belongs to an identified or identifiable natural person ,
Information on the associated vehicles
Personal data processed for the marketing of our products and services, which are clearly belonging to an identified or identifiable real person , in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results
Travel information of our company’s customers or employees of 3rd party organizations with which it is in business cooperation ( eg , transfer time, transfer vehicle)
Risk Management Information
Personal data processed in order to minimize the risks in accordance with our company policies and regulatory obligations
APPENDIX 4 – Third Parties to which Personal Data is Transferred by Our Company and Purposes of Transfer
Our company can transfer the personal data of customers to the following categories in accordance with Articles 8 and 9 of the Law :
The scope of the above-mentioned persons to whom the transfer is made and the data transfer purposes are stated below.
Persons to whom Data Transfer can be made
Data Transfer Purpose
Data controller with whom our company has a business partnership
Parties Partner banks, Agencies for the purpose of making payments
Limited to ensure the fulfillment of the purposes for which the business partnership was established.
Parties providing services to our company in line with our company’s data processing purposes and instructions within the scope of the execution of our company’s commercial activities
Our company’s external supplier In order to provide the necessary services to carry out the commercial activities of our S ̧ company ,
BERRY HOTELS, which is authorized to design strategies and audit activities related to our company ‘s commercial activities in accordance with the provisions of the relevant legislation ,
Limited to ensuring the execution of corporate communication , strategic planning, human resources, commercial and audit activities regarding our company’s commercial activities.
Authorized Public Institutions and Organizations
Public institutions and organizations authorized to receive information and documents from our Company in accordance with the provisions of the relevant legislation
Limited to the purpose requested by the relevant public institutions and organizations within the scope of their legal authority.
Authorized Private Law Persons
organizations determined by law in accordance with the provisions of the relevant legislation ̧ established in accordance with certain conditions ̧ and continuing their activities within the framework determined by the law (for example, independent auditors )
Relevant private institutions and organizations within the scope of the activities carried out in a limited manner related to the subjects.
Institutions with which References are Shared in terms of Human Resources
employers who are referenced based on the approval of our employees who quit their job, or new employers with whom information is shared within the scope of occupational health and safety
Limited to share the necessary documents within the scope of reference and legislation
** In cases where there is a conflict between the Turkish version of this policy in which it was prepared and any translation version , the Turkish text should be taken into account.
** Business This policy may not be reproduced or distributed without the written consent of BERRY HOTELS .