The policy has the purpose to describe the methods adopted with regard to the personal data processing activities and protection of personal data in accordance with the Protection of Personal Data Law numbered 6698 in all kinds of activities conducted by Mn Butler Mimarla Araş. Tas. ve Yapı Ltd. Şti (SUMAHAN ON THE WATER) and to fulfil the clarification obligation stated under Article 10 of the Law. The Personal Data Protection and Processing Policy includes the principles applied in the collection, use, sharing, retention and destruction processes of personal data by SUMAHAN ON THE WATER. It is aimed to inform all persons whose personal data are processed by the entity, especially our guests, employees of the entity, visitors, employees of the entities that we cooperate with and third parties.
With this Policy, our entity covers all personal data processed in processes of our entity by automatic means or by non-automatic means provided that it is a part of any data recording system.
- Authorities and Responsibilities
All employees, consultants, external service suppliers and anyone who retains and processes personal data in any manner before the entity is responsible for fulfilling the requirements with regard to the retention and destruction of personal data specified by the Law, Regulation and Policy within the entity. Each business unit is obliged to retain and protect the data produced in its own business processes.
The responsibility of the transactions such as the being notified or acceptance of notifications or correspondence made with the PPD Board on behalf of the data controller and registration to the registry belongs to the "Contact Person of the Data Controller".
- Definitions and Abbreviations
Explicit Consent: Consent on a specific subject based on information and expressed in free will.
The Relevant Users: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit responsible for the storage, protection and backup of the data technically.
Destruction: Erasure, destruction or anonymization of personal data.
Law: The Protection of Personal Data Law Numbered 6698.
Recording Medium: Any kind of media in which the processed personal data are located through wholly or partially automatic means or non-automatic means provided that it shall be a part of any data recording system.
Personal Data: Any kind of information related to the identified or identifiable real person.
Processing of Personal Data: All kinds of processes performed on personal data including obtaining, recording, storing, retaining, changing, re-arranging, disclosing, transmission, acquisition, making available, classification or prevention of use through wholly or partially automatic means or non-automatic means provided that it shall be a part of any data recording system.
Anonymization of Personal Data: Making personal data unlikely to be associated with any identified or identifiable real person in any way even when personal data is paired with other data.
Erasure of Personal Data: Erasure of the personal data is the process of making personal data inaccessible in any manner and unusable again for the Relevant Users.
Destruction of Personal Data: is the process of making personal data inaccessible, unrecoverable and unusable by anyone, in any manner.
Board: Protection of Personal Data Board.
Personal Data of Special Nature: Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.
Periodic Destruction: The process of erasure, destruction or anonymizing the personal data to be carried out as the stated in the personal data retention and destruction policy and to be performed ex officio at repeating intervals in the event that all of the processing conditions of the personal data in the law are disappeared.
Data Owner / Person Concerned: Real person whose personal data is processed.
Data Processor: A real person or legal entity who processes personal data on behalf of the data controller by basing on the authority given by the same.
Data Controller: Real person or legal entity identifies the purposes and means of personal data processing and is responsible for installing and managing data recording system.
Regulation: Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.
Guest: Real person staying at our hotel or benefiting from our other services.
- The Personal Data Processing and Protection Policy
SUMAHAN ON THE WATER presents the necessary measures and the process applied for the protection and processing of personal data in a concrete manner with this policy. SUMAHAN ON THE WATER accepts that it will comply with the current legislation in cases where this policy is incompatible with the relevant laws and regulations or if the policy is not updated in line with the updated legislation. This policy is updated and revised in order for SUMAHAN ON THE WATER to fulfill the legal requirements according to the changes in the law, regulations and legislations.
- 5.1. Purposes of Processing Personal Data
SUMAHAN ON THE WATER processes the personal data specified in the chart 1 for the purposes specified in the chart 2, limited to the purposes and conditions within the personal data processing conditions specified in the paragraph 2 of Article 2 and the paragraph 3 of Article 6 of the Law.
- 5.2. Methods of Collecting Personal Data and Legal Grounds
SUMAHAN ON THE WATER collects personal data that may be subject to official transactions from persons concerned in writing, and collects personal data that will not be subject to official transactions verbally. Electronically produced personal data (for instance internet logs) are collected and retained electronically. SUMAHAN ON THE WATER processes personal data based on the legal grounds specified in the chart 3.
- 5.3. Ensuring Security of Personal Data
- 5.3.1. Administrative and Technical Measures
The administrative and technical measures taken to ensure the security of personal data are detailed in the "Personal Data Retention and Destruction Policy."
- 5.3.1. Administrative and Technical Measures
- 5.4. Principles for Processing Personal Data
The principles for the processing personal data are determined in the subparagraph 2 of Article 4 of the Law. SUMAHAN ON THE WATER processes personal data in accordance with the determined principles.
The processing of personal data is carried out in accordance with the following principles;
- a) Being in compliance with law and principle of honesty,
- b) Keeping them accurate and up-to-date when necessary,
- c) Processing for specific, clear, and legitimate purposes,
- d) Being relevant, limited, and proportionate to the purposes for which they are processed,
- e) Retaining them for the period of time stipulated by the relevant legislation or for the period deemed necessary for the purpose of the processing.
- 5.5. Conditions of Processing Personal Data
SUMAHAN ON THE WATER processes personal data due to legal obligations and in order to provide services to our guests. Data processing, as per Article 5/2 of the Law of which full text can be accessed from the address of www.mevzuat.gov.tr:
- a) Shall be expressly set forth in law.
- b) Shall be compulsory for the protection of life or body integrity of the person or someone, who is unable to explain her/his consent due to actual impossibility or whose consent is legally unrecognized.
- c) Processing of personal data belonging to the parties of a contract shall be necessary provided that it is directly related to the conclusion or fulfilment of that contract.
- ç) Being obligatory for the data controller to fulfil her/his legal obligations.
- d) In case the data is made available to the public by the person concerned.
- e) Data processing is mandatory for the establishment, exercise or protection of any right.
- f) Data processing is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the person concerned.
Except for the cases mentioned above, SUMAHAN ON THE WATER processes personal data only by obtaining the explicit consent of the data owners.
- 5.6. Destruction of Personal Data
The destruction of personal data obtained by SUMAHAN ON THE WATER is detailed in the "Personal Data Retention and Destruction Policy."
- 5.7. Domestic Transfer of Personal Data
SUMAHAN ON THE WATER carefully complies with the conditions set out in the Law regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, personal data is not transferred to third parties without the explicit consent of the data owner. However, in the presence of one of the following conditions specified in the Law, personal data; may also be transmitted without the explicit consent of the data owner:
- In the event that it is clearly stipulated by the laws,
- In the event that it is mandatory for the protection of life or physical integrity of a person himself/herself, or any other person, who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid,
- In the event that it is required to process personal data of the parties to the contract, provided that the processing is directly related to the conclusion or fulfilment of that contract,
- In the event that it is mandatory for the data controller to fulfill her/his legal obligations.
- It has been made public by the data owner her/himself,
- In the event that data processing is mandatory for the establishment, exercise or protection of a right,
- In the event that data processing is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the person concerned.
Provided that adequate precautions are taken; the personal data of special nature other than health and sexual life can be processed without your explicit consent in case it is stipulated in laws, the personal data of special nature regarding the health and sexual life can be processed without your explicit consent,
- for the purposes of protection of public health,
- operation of preventive medicine,
- medical diagnosis,
- treatment and nursing services,
- planning and management of health-care services as well as their financing.
For the transmission of the personal data of special nature, the conditions stated for the processing terms of such data is applied to.
- 5.8. Transmission of Personal Data Abroad
SUMAHAN ON THE WATER does not share data abroad.
- 5.9. Personal Data of Visitors,
- 5.9.1. Footage
The hotel entrance and common areas are monitored by security cameras by SUMAHAN ON THE WATER, in order to ensure the protection. In this context, SUMAHAN ON THE WATER acts in accordance with the Constitution, Law and other relevant legislation. Image records of our visitors are taken through the monitoring system via camera at the building, facility entrances and inside the facility of our entity. The objectives of our entity within the monitoring activity with security cameras; are to improve the quality of the service provided, to ensure the reliability, to ensure the security of the entity, guests and other persons. Our entity acts in accordance with the regulations in the Law in conducting the monitoring activities by camera for security purposes.
The monitoring activities via security cameras by our entity are conducted in accordance with the Law on Private Security Services and related legislation. Only a limited number of entity employees have access to records that are recorded and retained digitally. A limited number of persons having access to the records declare that they will protect the confidentiality of the data they access with the confidentiality undertaking. In accordance with Article 12 of the PPD Law, necessary technical and administrative measures are taken in order to ensure the security of the personal data obtained by the monitoring activities via camera.
- 5.9.2. Personal Data of Website Visitors and Personal Data Received for Internet Access Point Service
On the websites owned by our entity; internet activities within the site are recorded by technical means (for instance such as cookie); in order to ensure that the visitors of these sites perform their visits on the sites in an appropriate manner for their visiting purposes.
Our entity provides free internet service to all its guests. Track records of the service provided as per the Law on the Regulation of Publications on the Internet and Combating Crimes Committed by means of such Publications Numbered 5651 and Name and Surname, TR Identity Number, MAC Address and internet logs are collected and retained in order to verify the access and identity information. Processed personal data are kept for 2 years in accordance with Law Numbered 5651.
- 5.9.3. Health Data
Special situation information (Disability, Allergy, etc.) transmitted by the guests in our hotels is only transferred to the relevant personnel in order to take the necessary precautions and actions.
- 5.9.1. Footage
- 5.10. Rights of Personal Data Owner
Your rights as the personal data owner resulting from the Law are stated under Article 11 of the Law and are as follows:
ARTICLE 11- (1) Each person has the right to apply to the controller and
- a) to learn whether her/his personal data are processed or not,
- b) to request information if her/his personal data are processed,
- c) to learn the purpose of her/his personal data processing and if this data is used for intended purposes,
- ç) to know the third parties to whom her/his personal data is transferred at home or abroad,
- d) to request the rectification of the incomplete or inaccurate personal data, if any,
By filling out the "SUMAHAN ON THE WATER PPDL Application Form of the Person Concerned", you can exercise your rights mentioned in the above articles by using the following methods:
- By handing over the form (Address Çengelköy Mh, Kuleli Cd. No:43, 34684 Üsküdar/Istanbul),
- Via Notary (Address Çengelköy Mh, Kuleli Cd. No:43, 34684 Üsküdar/Istanbul)
PERSONAL DATA CANDIDATE EMPLOYEE EMPLOYEES GUESTS SUPPLIER MILITARY INFORMATION ✔ ✔ CRIMINAL CONVICTION AND SECURITY MEASURES ✔ ✔ FINANCE ✔ ✔ PHYSICAL SPACE SECURITY ✔ ✔ ✔ ✔ VISUAL AND AUDIO RECORDS ✔ ✔ CONTACT ✔ ✔ ✔ ✔ TRANSACTION SECURITY ✔ ✔ SIZE INFORMATION ✔ ✔ IDENTITY ✔ ✔ ✔ ✔ PROFESSIONAL EXPERIENCE ✔ ✔ CUSTOMER TRANSACTION ✔ ✔ PERSONNEL INFORMATION ✔ ✔ HEALTH INFORMATION ✔ ✔ ✔
PERSONAL DATA PROCESSING PURPOSE CANDIDATE EMPLOYEE EMPLOYEES GUESTS SUPPLIER Carrying out the Emergency Management Processes ✔ ✔ ✔ ✔ Maintaining Information Security Processes ✔ Carrying out Recruitment and Placement Processes for Employee Candidate / Trainee / Student ✔ ✔ Execution of Employee Satisfaction and Loyalty Processes ✔ Fulfillment of Obligations Arising From Employee Contracts and Legislation ✔ Conducting Training Activities ✔ Conducting Activities in Accordance with the Legislation ✔ ✔ Conducting Company / Product / Service Commitment Processes ✔ Ensuring Physical Space Security ✔ ✔ ✔ ✔ Follow-up and execution of legal affairs ✔ Conducting Communication Activities ✔ ✔ ✔ ✔ Execution / Audit of Business Activities ✔ Conducting Occupational Health / Safety Activities ✔ Protection of Public Health ✔ Execution of Logistics Activities ✔ Execution of Goods / Services Purchasing Processes ✔ ✔ ✔ Performing Goods / Service Sales Processes ✔ Conducting Performance Evaluation Processes ✔ Conducting Agreement Processes ✔ Following up of Claims/ Complaints ✔ Transactions on Work and Residence Permits of Foreign Personnel ✔ Conducting Talent / Career Development Activities ✔ ✔ Providing Information to Authorized Persons, Institutions and Organizations ✔ ✔ ✔ ✔ Execution of Management Activities ✔ Generating and Monitoring Visitor Records ✔
PERSONAL DATA CANDIDATE EMPLOYEE EMPLOYEES GUESTS SUPPLIER MILITARY INFORMATION Legitimate Interests of the Entity Legitimate Interests of the Entity CRIMINAL CONVICTION AND SECURITY MEASURES Legitimate Interests of the Entity Legitimate Interests of the Entity FINANCE Stipulated under Laws Stipulated under Laws PHYSICAL SPACE SECURITY Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity VISUAL AND AUDIO RECORDS Legitimate Interests of the Entity Legitimate Interests of the Entity CONTACT Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity TRANSACTION SECURITY Stipulated under Laws Stipulated under Laws SIZE INFORMATION Legitimate Interests of the Entity Legitimate Interests of the Entity IDENTITY Stipulated under Laws Stipulated under Laws Stipulated under Laws Stipulated under Laws PROFESSIONAL EXPERIENCE Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity CUSTOMER TRANSACTION Legitimate Interests of the Entity Legitimate Interests of the Entity PERSONNEL INFORMATION Legitimate Interests of the Entity Legitimate Interests of the Entity HEALTH INFORMATION Stipulated under Laws Stipulated under Laws Legitimate Interests of the Entity
- 5.1. Purposes of Processing Personal Data