KVKK Protocols - ENG

SAPAZ Otelcilik Turizm İnşaat Sanayi ve Ticaret Anonim Şirketi (“Port Bosphorus Hotel”)
PERSONAL DATA PROTECTION AND PROCESSING POLICY AND PRIVACY

As SAPAZ Otelcilik Turizm İnşaat Sanayi ve Ticaret Anonim Şirketi (“Port Bosphorus Hotel”), we demonstrate maximum sensitivity regarding the full compliance with Law No. 6698 on the Protection of Personal Data and other regulations for the implementation of this law, as well as the security of your personal data. With this awareness, we carry out all processes related to the processing, storage, and transfer of all kinds of personal data obtained during our activities in accordance with Law No. 6698 on the Protection of Personal Data and relevant legislation. Fully aware of this responsibility, as the Data Controller, we take all administrative and technical protection measures to establish an appropriate security system for the protection of your personal data.

Your visit to this website and your use of the services we offer through this site are subject to the conditions specified in this “Privacy Policy” regarding how the information we obtain about you and the services you request will be used and protected. By visiting this website and requesting to benefit from the services we offer through this site, you accept the conditions specified in this “Privacy Policy.”

1. PURPOSE AND SCOPE OF THE PERSONAL DATA PROTECTION AND PROCESSING POLICY
   The purpose of the Personal Data Protection and Processing Policy is to ensure compliance with the obligations regarding the regulations on the protection of personal data, to protect the confidentiality of personal data processing activities conducted lawfully by the Company through automatic or non-automatic methods, businesses, branches, agencies, call centers, and similar means, orally, in writing, or electronically, and to determine related internal responsibilities, operational procedures, internal controls, and measures, and to inform and ensure transparency for individuals whose personal data is processed by our company.

The scope of the Personal Data Protection Policy includes all processed personal data of all real persons related to the Company, including but not limited to individuals benefiting from our products and services, Company officials, Company shareholders, Employees, Employee Candidates, Suppliers, Customers, Potential Customers, Dealers, Members, Subscribers, Visitors, Business Partners, Individuals Visiting Our Websites and Mobile Applications, in short, all real persons related to the Company.

2. DEFINITIONS
   Explicit Consent: Consent given based on being informed and freely declared regarding a specific subject.

Anonymization: The alteration of personal data in such a way that it loses its personal data quality and cannot be reversed. For example; masking, data distortion, etc., techniques to render personal data unlinkable to a real person.

Processing of Personal Data: Any operation performed on personal data, wholly or partly by automatic or non-automatic means, provided that it is part of a data recording system, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use of data.

Data Subject/Relevant Person: The natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person. Therefore, the processing of information related to legal entities is not within the scope of the Law. For example; name-surname, TR ID number, email, address, date of birth, credit card number, bank account number, etc.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and manages the place where the data is systematically stored (data recording system).

Policy: SAPAZ Otelcilik Turizm İnşaat Sanayi ve Ticaret Anonim Şirketi (“Port Bosphorus Hotel”) Personal Data Processing and Protection Policy.

3. ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
   3.1. BASIC PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
   Our Company processes data in line with the provisions of the Constitution of the Republic of Turkey, Law No. 6698 on the Protection of Personal Data (KVKK), and other laws it must comply with within the scope of its activities and has adopted the following basic principles in this context.

Processing in Compliance with Law and Good Faith

Our Company acts in accordance with the principles and rules of good faith set forth in legal regulations in the processing of personal data.

Accuracy and Up-to-Date Data

Our Company ensures that the personal data it processes is accurate and up-to-date, considering the fundamental rights of personal data subjects and its own legitimate interests within the scope of KVKK and relevant legislation.

Processing for Specific, Explicit, and Legitimate Purposes

Our Company processes personal data in a manner suitable for the realization of previously determined purposes and avoids processing personal data that is unrelated and unnecessary for the realization of the purpose. Accordingly, data processing is limited to activities and legal obligations. Additional changes to the purpose are only possible to a limited extent and with justification.

Being Connected, Limited, and Proportionate to the Purposes for Which They Are Processed

Our Company processes personal data within the framework of the realization of the purposes it has determined, legal and legitimate interests; it does not carry out personal data processing activities that are unnecessary, not aimed at the purpose, and do not contain any legal and legitimate interest.

Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed

Our Company retains personal data for the periods specified in the relevant legislation and other laws or for the periods required for the purposes for which they are processed. They are processed for as long as required by our Company’s practices and commercial customs.

If the purpose of processing personal data has expired and the storage periods specified in the relevant legislation and the Company have been reached, personal data may be retained to serve as evidence in possible legal disputes, to assert or defend a right. In this case, the retained data cannot be accessed for any other purpose, and access to the relevant personal data is only provided for use in the relevant legal dispute.

3.2. PURPOSES OF PROCESSING PERSONAL DATA
As a Company, we process your personal data; to carry out the necessary work by our relevant business units for the realization of the activities we conduct and to carry out the related business processes accordingly; to carry out the necessary work and related business processes to enable the Relevant Persons to benefit from the products and services offered by our company; to ensure the legal and commercial-business security of the Relevant Persons in a business relationship with our Company; to plan and execute our Company’s business strategies; to plan and execute human resources policies and processes within the scope of the following purposes (but not limited to these).

Planning and execution of activities and operational processes

Conducting activities in compliance with the legislation, compliance with information storage, reporting, and information obligations foreseen by the legislation and related authorities

Ensuring the fulfillment of legal obligations as required or mandated by legal regulations

Planning and execution of post-sales support services, customer satisfaction, corporate communication activities, customer relations, and customer request and complaint management processes

Planning or execution of business continuity activities

Planning, auditing, and execution of corporate sustainability, corporate governance, strategic planning, and information security processes

Planning and execution of sales, marketing, and promotion processes of products and services, as well as market research, determination of preferences, usage, and service understanding, and customization activities

Execution of membership processes through Social Networks

Execution and implementation of Call Center processes

Execution of business and management of relations with business partners, dealers, or suppliers

Execution of Financial and Accounting Affairs

Execution of Insurance Processes

Follow-up of contract processes or legal requests

Follow-up and execution of legal affairs

Ensuring the physical space security of the Company’s headquarters and facilities

Ensuring the legal and commercial security of our Company and persons in a business relationship with our Company

Determination and implementation of our Company’s commercial and business strategies

Execution of our Company’s Human Resources Policies

Planning and execution of employee recruitment and termination processes, management of human resources and personnel processes

Evaluation of Job Applications

Planning and execution of subcontractor personnel, extra personnel, foreign personnel processes

Execution of occupational health and safety processes

Execution of card membership program

Fulfillment of requests such as transfer, welcome, sending forgotten belongings

Creation and Tracking of Visitor Records

Execution of Storage and Archive Activities

Our Company, as a rule, obtains the explicit consent of the data subject (or relevant persons) in writing for the processing of personal data. However, in cases where any of the personal data processing conditions specified in Article 5/2 or Article 6/3 of the KVKK exist, explicit consent is not sought. These conditions are explained in detail below.

3.3. CONDITIONS, METHODS, AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
Explicit Consent of the Personal Data Subject
Personal data cannot be processed without the explicit consent of the relevant person. Since the protection of personal data is also a constitutional right, our Company processes personal data only in cases foreseen by law or with the explicit consent of the person, based on informed and freely declared consent, in accordance with the Constitution.

Cases Where Personal Data Can Be Processed Without the Explicit Consent of the Personal Data Subject

While the explicit consent of the data subject enables the lawful processing of personal data, personal data can also be processed in the absence of explicit consent if one of the conditions specified below is met.

Our Company generally obtains the explicit consent of the Relevant Person for the processing of personal data. However, in cases where any of the conditions specified below and in Article 5/2 and Article 6/ of the KVKK exist, the explicit consent of the Relevant Person is not obtained, and processing is carried out based on these conditions.

Explicitly Provided for in Laws
The personal data of the data subject can be processed without explicit consent if explicitly provided for by law. Example: Inclusion of the relevant real person’s identity information, address information, etc., on the invoice in accordance with the Tax Procedure Law.

Impossibility of Obtaining Explicit Consent Due to Actual Impossibility
Personal data of the data subject can be processed if it is necessary to protect the life or physical integrity of the data subject or another person who is unable to express consent due to actual impossibility or whose consent is not deemed valid. Example: Providing identity information to health teams in cases where a customer staying at our Company’s hotels faints, etc.

Directly Related to the Establishment or Performance of a Contract
Personal data of the parties to a contract can be processed if it is necessary for the establishment or performance of the contract. Example: Processing the financial information of the supplier for the performance of the contract within the scope of the contract concluded by our Company with the supplier.

Legal Obligation
The personal data of the data subject can be processed if it is mandatory for our Company to fulfill its legal obligations. Example: Submission of personal information requested by courts.

Publicization of Personal Data by the Data Subject
Personal data can be processed if the data subject has made the personal data public by themselves. Example: A job applicant publishing their CV on websites.

Mandatory Data Processing for the Establishment, Exercise, or Protection of a Right
The personal data of the data subject can be processed if data processing is mandatory for the establishment, use, or protection of a right. Example: Retention of evidentiary data (e.g., accommodation forms, invoices of customers staying at our Company’s hotels) and use when necessary.

Mandatory Data Processing for the Legitimate Interests of the Company
The personal data of the data subject can be processed if data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject. Example: Recording camera footage for security purposes at our Company’s hotels and businesses without harming the fundamental rights and freedoms of the relevant person.

Your personal data, depending on the service, product, or commercial activity provided by our Company, may be collected through automatic or non-automatic methods, customer interviews, reservation forms, membership forms, subscription forms, agency systems, channels through which our Company and persons or organizations authorized to represent our Company contact or will contact the relevant person, within the framework of the contractual relationship, to the extent and within the limits permitted by the agreements made, by accessing various agency databases through systems, by accessing public institution and organization databases within the framework of legal legislation and the limits drawn, for communication, providing information about our services and products, conducting surveys, customer satisfaction, and marketing activities through the website, mobile applications, and social media accounts, through offices, branches, facilities, call centers, travel agencies, supplier companies, dealers, and similar means, orally, through printed forms, in writing, or electronically. Additionally, your personal data may be processed through cookies used on our Company’s website.

Personal data collected through these methods can be processed and transferred within the scope of the data processing conditions and purposes specified in Articles 5 and 6 of the KVKK.

3.4. IDENTIFICATION AND CLASSIFICATION OF PERSONAL DATA SUBJECTS
In accordance with Article 10 of the KVKK, our Company informs the relevant persons and processes personal data in line with legitimate and lawful personal data processing purposes, based on one or several of the personal data processing conditions specified in Articles 5 and 6 of the KVKK, limitedly and in accordance with the general principles specified in Article 4 of the KVKK regarding the processing of personal data, in compliance with the law and rules of good faith; accurate and, where necessary, up-to-date; for specific, explicit, and legitimate purposes; connected, limited, and proportionate to the purpose; and in compliance with all obligations regulated in the KVKK.

Within the scope of this personal data processing policy regarding the personal data processed by our Company, personal data subjects are classified as Company officials, Company shareholders, Employees, Employee candidates, Customers, Potential Customers, Visitors, Third parties, Members, Subscribers, Business Partners, Suppliers, Dealers, and explanations are provided below.

Personal data subjects whose personal data is processed by our Company are classified within the scope specified below; however, persons outside these classifications can also direct their requests to our Company within the scope of the KVKK, and these persons’ requests will also be taken into consideration.

DATA SUBJECTS

Company Officials: Real persons who are members of the Board of Directors of our Company and other authorized real persons.
Company Shareholders: Real persons who are shareholders of our Company.
Employees: Real persons working within our Company.
Employee Candidate: Persons who have applied for a job to our Company in any way and have made their resume and personal information available for our Company’s review.
Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
Potential Customer: Real persons who have requested or shown interest in using the products and services from our Company or who may have such interest as evaluated in accordance with commercial customs and rules of good faith.
Visitor/External Participant: Real persons who have entered our Company’s hotels and other businesses for various purposes or visited our websites.
Third Party: Other real persons related to the persons within the scope of our Company’s Personal Data Protection and Processing Policy, to protect the rights of personal data subjects and in line with legitimate interests (such as companions, guarantors, family members, and relatives).
Members/Subscribers: Persons who participate in the Program, which is created to provide general and special campaigns, promotions, advertisements, point accumulations, etc., for customer satisfaction, with a contract, at our Company’s hotels and businesses.
Business Partners, Suppliers: Real persons, including employees, shareholders, and officials of companies (such as business partners, suppliers, but not limited to these) with whom we are in any business relationship.
Dealers: Real persons, including officials, shareholders, employees of companies with whom we are in a business relationship within the framework of dealership agreements and legal relations.

3.5. IDENTIFICATION OF PERSONAL DATA AND ASSOCIATION WITH PERSONAL DATA SUBJECTS
Identification of Personal Data
Our Company processes the personal data specified below, in whole or in part, automatically or as part of a data recording system non-automatically, in accordance with Article 10 of the KVKK, by informing the relevant persons, in line with legitimate and lawful personal data processing purposes and the conditions and basic principles determined within the scope of the KVKK.

PERSONAL DATA

Identity Information: Information contained in documents such as identity card, driver’s license, passport, professional IDs, including name-surname, TR ID number, nationality, place of birth, date of birth, mother’s name, father’s name, etc., as well as tax number, social security number, signature information, vehicle license plate, etc.
Contact Information: Address, telephone, fax, email, etc.
Family Members and Relatives Information: Identity and contact information of the personal data subject’s family members, relatives, and other persons who can be reached in emergencies, related to the products and services offered by the Company, to protect the legal and legitimate interests of the personal data subject.
Physical Space and Security Information: Information related to camera recordings taken during entry to the premises and stay within the premises of the businesses owned by the Company, and records and documents taken for security reasons.
Visual and Auditory Information: Information related to photographs and camera recordings not within the scope of physical space security information related to the products and services offered by the Company, copies of documents containing personal data, sound recordings, etc.
Transaction Security Information: Information such as login and logout information to our Company’s websites and applications, password and password information, IP address information.
Financial Information: Bank account number, IBAN number, credit card information, movable, immovable, and asset information, income, and all kinds of financial documents and information within the framework of the contractual and legal relationship established by the Company with the personal data subject.
Risk Management Information: Information processed in accordance with the rules of good faith to manage commercial, technical, and administrative risks.
Location Information: Information determining the location of employees while using company vehicles and travel data within the framework of the operations carried out by our Company’s business units.
Marketing Information: Personal data processed to determine the usage habits, preferences, satisfaction, and needs of personal data subjects in line with the products and services offered by the Company, and reports prepared regarding this data.
Personnel Information: All kinds of information regarding the personnel rights of real persons who are employees or job candidates who have made their personal information available for our Company’s review and are in an employment relationship with our Company, such as resume information, payroll information, etc.
Legal Transaction Information: Information in the follow-up of our legal receivables and debts, lawsuits and enforcement proceedings related to the fulfillment of our debts, correspondence with judicial authorities.
Customer Transaction Information: Call center records, invoices, promissory notes, checks, customer request information, dealer order information, request information, etc.
Special Categories of Personal Data: Data specified in Article 6 of the KVKK.

Association of Personal Data with Personal Data Subjects

Within the scope of this personal data processing policy regarding the personal data processed by our Company, it has been determined which personal data of the personal data subjects are processed as specified below.

PERSONAL DATA SUBJECTS – PERSONAL DATA

Company Officials: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Location Information, Family Members Information, Visual and Auditory Information, Special Categories of Personal Data.
Company Shareholders: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Location Information, Family Members Information, Visual and Auditory Information, Special Categories of Personal Data.
Employees: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Family Members Information, Visual and Auditory Information, Location Information, Personnel Information, Legal Transaction Information, Special Categories of Personal Data.
Employee Candidates: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Family Members Information, Visual and Auditory Information, Personnel Information, Special Categories of Personal Data.
Customers: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Family Members Information, Visual and Auditory Information, Marketing Information, Customer Transaction Information, Legal Transaction Information, Special Categories of Personal Data.
Potential Customers: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Family Members Information, Visual and Auditory Information, Marketing Information, Customer Transaction Information, Special Categories of Personal Data.
Visitors/External Participants: Identity Information, Contact Information, Physical Space Security Information, Visual and Auditory Information, Customer Transaction Information.
Third Parties: Identity Information, Contact Information, Physical Space Security Information, Family Members Information, Visual and Auditory Information.
Members/Subscribers: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Family Members Information, Visual and Auditory Information, Marketing Information, Legal Transaction Information, Special Categories of Personal Data.
Business Partners/Suppliers: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Visual and Auditory Information, Legal Transaction Information, Special Categories of Personal Data.
Dealers: Identity Information, Contact Information, Physical Space Security Information, Financial Information, Visual and Auditory Information, Customer Transaction Information, Legal Transaction Information, Special Categories of Personal Data.

3.6. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
Article 6 of the KVKK defines some personal data as “special categories” that pose a risk of causing victimization or discrimination if processed unlawfully. These data include; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Special categories of personal data can be processed in the following cases, provided that sufficient measures determined by the Personal Data Protection Board (“Board”) are taken:

Special categories of personal data other than the health and sexual life of the data subject, in cases explicitly stipulated by laws;

Special categories of personal data related to the health and sexual life of the data subject can only be processed by persons under the obligation of secrecy or authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

In cases where the above-mentioned data processing conditions are not met, the Relevant Persons are informed by our Company for data processing, and their explicit consent is obtained based on being informed and freely declared regarding a specific subject.

In this context, the identity of the company is disclosed, and the Relevant Persons are informed about the purposes for which special categories of personal data will be processed, to whom and for what purposes they may be transferred, the method and legal basis, and the rights of the Relevant Persons under Article 11 of the KVKK.

3.7. PROCESSING OF SECURITY CAMERA RECORDINGS
Our Company records images for security purposes at our headquarters, facilities, and businesses. Personal data processing activities carried out by our Company through security cameras are conducted in accordance with the Constitution, the KVKK, and other relevant legislation.

Within the scope of image recording, our Company; processes personal data automatically based on the legal grounds specified in Article 5 of the KVKK, such as “being mandatory for the data controller to fulfill its legal obligation” and “data processing being mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject,” for general purposes such as increasing the quality of the service provided, ensuring its reliability, ensuring the life and property safety of our Company, our Employees, the Relevant Person, and other persons, preventing misuse, ensuring legal and commercial business security.

The said personal data may be transferred to judicial authorities or relevant law enforcement agencies in case of legal disputes or upon request in accordance with the relevant legislation.

Our Company processes personal data in a manner connected, limited, and proportionate to the purposes for which they are processed, in accordance with Article 4 of the KVKK. Image recording is not carried out in areas that may result in interference with individuals’ privacy and private life beyond security purposes. Image recording is carried out in general service areas such as entrance doors, building exterior, restaurant, cafeteria, lobby, visitor waiting room, elevator, parking lot, security booth, floor corridors of our headquarters, facilities, and businesses. Relevant Persons are informed about personal data processing activities carried out within this scope. However, their explicit consent is not obtained due to the existence of our Company’s legitimate interest.

Our Company takes all necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activities, in accordance with Article 12 of the KVKK.

3.8. PROCESSING OF INTERNET ACCESS RECORDS
Our Company may provide internet access to visitors who request it within our headquarters, facilities, and businesses for security purposes and the purposes specified in our Policy.

In this case, log records related to your internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation enacted under this law; these records are processed only upon request by authorized public institutions and organizations or to fulfill our relevant legal obligation during audit processes conducted within the Company.

Company employees who have access to the said records access these records only for use in requests from authorized public institutions and organizations or audit processes and transfer them to legally authorized persons.

3.9. PROCESSING OF PERSONAL DATA COLLECTED THROUGH COOKIES
Our Company uses Cookies to improve the functioning and usage of our web pages or mobile applications and strives to make the time you spend on our digital platforms more efficient and enjoyable.

Additionally, we utilize some cookies to remember your preferences on our websites and mobile applications and thus provide you with an enhanced and personalized experience based on your preferences. Personal data is processed and transferred through cookies on our digital platforms. Our Company takes all necessary technical and administrative measures to ensure the security of personal data collected through cookies, in accordance with Article 12 of the KVKK.

4. ISSUES RELATED TO THE TRANSFER OF PERSONAL DATA
   Our Company shows maximum care and attention in sharing the personal data of the personal data subject with domestic and/or foreign parties in line with personal data processing purposes by taking the necessary administrative and technical measures, and in this context, it continues its activities in compliance with the current regulations.

In this context, our Company, within the framework of the purposes specified in our Personal Data Protection and Privacy Policy and to fulfill obligations arising from the law, may share personal data with our suppliers and business partners with whom we cooperate to provide the services offered by our company (such as software companies providing information systems and technical support, consultancy firms, etc.), the General Directorate of Security and other law enforcement agencies, the Social Security Institution, the Population Directorate, the Revenue Administration, Courts and other official institutions and organizations, agencies and third parties providing travel services with whom we cooperate domestically and abroad, dealers with whom we are in a business relationship, authorized representatives, institutions to which we are affiliated and/or with which we work, including lawyers, tax consultants and auditors, as well as regulatory and supervisory authorities, domestic and foreign systems and organizations, and/or other companies within our organization.

Additionally, due to technical details related to our Company’s information systems, the transfer of personal data obtained abroad is in question.

The said personal data may be stored and preserved, classified due to financial and operational processes and marketing activities, updated at various intervals, and processed by reporting, transferred to third parties and/or suppliers and/or service providers and/or our business partners in accordance with the policies to which we are bound and for other reasons foreseen by the authorities, stored, and documented in electronic or paper form as a basis for processing. Personal data can be transferred within the framework of the conditions and purposes specified in Article 8 of the KVKK regarding the transfer of personal data and Article 9 regarding the transfer of personal data abroad.

Our Company can transfer personal data and special categories of personal data without the explicit consent of the Relevant Person if the conditions specified in Article 5/2 and Article 6/3 of the KVKK are met, provided that the necessary measures foreseen by the KVK Board are taken.

5. PROTECTION OF THE RIGHTS OF THE PERSONAL DATA SUBJECT
   5.1. RIGHTS OF THE PERSONAL DATA SUBJECT
   Our Company makes the necessary operational notifications, administrative and technical arrangements for the evaluation of the requests of personal data subjects regarding their rights and the necessary information to be provided to personal data subjects.

In this context, our Company informs personal data subjects in accordance with Article 10 of the KVKK at the time of obtaining personal data. In this context, our Company provides information on the following issues.

The identity of the data controller and, if any, its representative

The purpose of processing personal data

To whom and for what purposes the processed personal data may be transferred or the categories of third parties

The method and legal basis of personal data collection

The rights of the person whose personal data is processed under Article 11 of the KVKK

Our Company states that it carries out personal data processing activities in accordance with the principles specified in the Constitution and the KVKK, announces this to personal data subjects and relevant persons within the framework of this Personal Data Protection and Privacy Policy and various open and accessible documents, and provides the necessary information if the personal data subject requests information.

Personal data subjects can exercise the rights listed below by submitting their requests to our Company. Their requests will be concluded free of charge as soon as possible and within thirty days at the latest, depending on their nature. However, if the transaction requires an additional cost, the fee determined by the KVK Board or other authorities will be charged by our Company.

Personal Data Subjects have the right to;

Learn whether their personal data is being processed,

Request information if their personal data has been processed,

Learn the purpose of processing their personal data and whether they are used in accordance with their purpose,

Know the third parties to whom their personal data is transferred domestically or abroad,

Request the correction of their personal data if it is incomplete or incorrectly processed and request that the transaction made within this scope be notified to third parties to whom their personal data has been transferred,

Request the deletion or destruction of their personal data if the reasons requiring its processing have disappeared, despite being processed in accordance with the KVKK and other relevant legal provisions, and request that the transaction made within this scope be notified to third parties to whom their personal data has been transferred,

Object to the emergence of a result against themselves by analyzing the processed data exclusively through automated systems,

Request compensation for the damage if they suffer damage due to unlawful processing of their personal data.

5.2. EXERCISE OF RIGHTS BY THE PERSONAL DATA SUBJECT
Personal Data subjects can submit their requests regarding the rights specified in Article 11 of the KVKK above to our company with information and documents that can identify their identity and through the following methods and other methods determined by the Board.

In accordance with paragraph 1 of Article 13 of the KVKK, you can submit your request regarding the exercise of your rights specified above to our Company in accordance with the regulations in the KVKK and related legislation and the method(s) determined/to be determined by the Personal Data Protection Board, as well as by downloading the Application Form from the address [Başvuru Formunu İndir], filling out and signing the Application Form, and submitting your request through one of the following methods.

You can personally submit a signed copy of the form containing your explanations regarding the right you request, along with your identity documents (e.g., identity card, driver’s license, passport, etc.), to the address Kılıçali Paşa Mahallesi Meclis-i Mebusan Cd. No:13 Karaköy / Beyoğlu / İSTANBUL.

You can send the form you will fill out and your identity documents through a notary public, or

You can send the form you will fill out and your identity documents electronically; to www.portbosphorushotel.com with a secure electronic signature or mobile signature, or

You can send the form you will fill out and your identity documents to our Companies using the e-mail address you have previously notified to our Company and registered in our Company’s system, as the Data Controller. Our Company will ensure that the request is finalized within 30 days at the latest, depending on the nature of the request. Rights regarding personal data can only be used regarding the data of the persons themselves. Requests regarding the data of persons other than the person who fills out the form and whose official identity documents are attached will not be taken into consideration. Forms without official identity documents attached will not be taken into consideration. We inform you that even if data deletion requests are fulfilled, we are obliged to share the data with official authorities if requested by official authorities. It is not possible for third parties to exercise the right to information regulated in Article 11 of the KVKK on behalf of the Relevant Persons.

For a third party to make a request regarding personal data, the original of the special power of attorney issued in the name of the person to make the request by the Relevant Person, with a wet signature and notarized, must be submitted. Our Company may ask the Relevant Person questions regarding the issues in the application to clarify the issues in the application and may request additional information and documents from the Relevant Person to determine whether the applicant is the Relevant Person.

The application of the applicant may be rejected by explaining the reason in the following cases:

Processing of personal data for purposes such as research, planning, and statistics by making them anonymous with official statistics.

Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life, or personal rights or constitute a crime.

Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities for the purposes of national defense, national security, public security, public order, or economic security.

Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial, or execution proceedings.

Processing of personal data is necessary to prevent a crime or conduct a criminal investigation. Processing of personal data made public by the Relevant Person themselves.

Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations with the nature of public institutions authorized by law.

Processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.

The possibility that the request of the Relevant Person may prevent the rights and freedoms of others.

The information requested by the applicant is publicly available.

5.3. ENSURING THE SECURITY OF PERSONAL DATA
Our Company pays maximum attention and care to ensuring data security, and in this context, takes the relevant measures specified in Article 12 of the KVKK regarding “data security” and the following related measures.

All kinds of technical and administrative measures are taken to prevent unlawful processing of and access to personal data and to ensure the preservation of personal data.

Employees are informed that they will not disclose the personal data they have obtained to others in violation of the KVKK provisions and will not use it for purposes other than processing, and commitments are obtained from them in this direction, and this obligation continues after they leave their duties.

The obligations that our Company, as the data controller, must comply with when processing personal data and the legal, technical, and administrative measures it has developed in this regard are contractually imposed on data processors such as our business partners, suppliers, consultants, with whom we are in a relationship.

Our Company protects personal data with appropriate organizational and technical measures to prevent unauthorized access, unlawful transactions, sharing, accidental loss, alteration, or destruction, and ensures their confidentiality.
Our Company conducts the necessary audits within its own organization or has them conducted.
It carries out the necessary activities to ensure the implementation of the provisions of the KVKK within the scope of the Company’s internal operations. In case of obtaining processed personal data by others through unlawful means, the said situation is notified to the relevant person and the KVK Board as soon as possible.

6. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
   In case the legal or business processes, including record-keeping obligations for proof and record-keeping processes related to legal obligations, expire and the reasons requiring processing are eliminated, personal data is deleted, destroyed, or anonymized by our Company or upon the request of the Relevant Person, in accordance with the law and related regulations.

DELETION OF PERSONAL DATA

Deletion of personal data is the process of making personal data inaccessible and unusable in any way for the relevant users.
Our Company, in the deletion of data processed by automatic or non-automatic methods and stored in physical and digital environments; first determines the personal data subject to deletion, determines the access and authorizations of the relevant users for each personal data, and closes the access, retrieval, reuse, etc., methods and authorizations of the determined users by determining the access, retrieval, reuse, etc., methods and authorizations of the determined users regarding personal data.

Examples of personal data deletion processes are specified below.
Redaction: Data on paper is deleted using the redaction method. The entirety of personal data is made invisible to relevant users in an irreversible and unreadable manner by technological solutions, such as crossing out and painting over, so that they cannot be associated with an identified or identifiable natural person.
Deletion from the Server: Files stored in digital environments are deleted from the operating system with the delete command or the access rights of the relevant user are removed from the server where the file is located.
Our Company fully complies with the provisions of the KVKK and relevant legislation in the deletion of personal data and takes all necessary administrative and technical measures.