BURSALI TURİZM VE OTOMOTİV TİC. LTD. ŞTİ.
WEB PRIVACY AND PERSONAL DATA PROTECTION PRINCIPLES
1 PURPOSE AND SCOPE
This Privacy and Personal Data Protection Principles (“Principles”) regulates the principles accepted by BURSALI TURİZM VE OTOMOTİV TİC. LTD. ŞTİ. (referred to as “BURSALI TURİZM”, “Company” or “Data Controller”) regarding the protection of personal data and determines the principles of personal data processing regarding the processing of personal data belonging to Employee Candidate, Visitor, Customer, Customer, Prospective Customer, Supplier, Third Party, Online Visitor (“Person Groups”) and aims to enlighten the said person groups.
2 PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
As BURSALI TURİZM, we process your personal data in the capacity of Data Controller within the framework of the following principles.
2.1 Processing in accordance with the Law and Good Faith
In the processing of your personal data, we act in accordance with the principles introduced by legal regulations and the general rule of trust and honesty.
2.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
Taking into account your legitimate interests, periodic checks and updates are made to ensure that the processed data are accurate and up-to-date and necessary measures are taken in this direction. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within BURSALI TURİZM.
2.3 Processing for Specific, Explicit and Legitimate Purposes
Your personal data is processed based on clear, specific and legitimate data processing purposes.
2.4 Being Relevant, Limited and Proportionate to the Purpose of Processing
Your personal data is processed in a measured, purpose-related and limited manner in order to achieve the prescribed purpose(s), and the processing of personal data that is not related to the realization of the purpose or is not needed is avoided.
2.5 Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
Your personal data are retained only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. In this context, first of all, it is determined whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period of time is determined, it is acted in accordance with this period, and if a period of time is not determined, personal data is stored for the period required for the purpose for which they are processed. In the event that the period expires or the reasons requiring processing disappear, your personal data are deleted, destroyed or anonymized according to BURSALI TURİZM’s Policy on Storage and Destruction of Personal Data, unless there is a legal reason that allows them to be processed for a longer period.
3 CONDITIONS FOR PROCESSING PERSONAL DATA
Your personal data are processed by BURSALI TURİZM within the framework of the following conditions.
3.1 Explicitly Stipulated by Laws
In cases where personal data processing is explicitly stipulated in the laws, your personal data may be processed.
3.2 Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility
Your personal data may be processed if it is mandatory to process personal data in order to protect the life or physical integrity of the person concerned or another person who is unable to disclose his consent due to actual impossibility or whose consent cannot be recognized as valid.
3.3 Direct Relevance to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of the contract, your personal data may be processed if it is necessary to process personal data belonging to the parties to the contract.
3.4 BURSALI TURİZM’s Fulfillment of its Legal Obligation
As a data controller, your personal data may be processed if processing is mandatory to fulfill legal obligations.
3.5 Publicization of Personal Data
If your personal data is made public by you, it may be processed.
3.6 Data Processing is Mandatory for the Establishment or Protection of a Right
Your personal data may be processed if data processing is mandatory for the establishment, exercise or protection of a right.
3.7 Processing of Data Based on Legitimate Interest
Your personal data may be processed if data processing is necessary for the legitimate interests of BURSALI TURİZM.
3.8 Processing Based on Explicit Consent
In cases where your personal data cannot be processed based on any of the conditions specified in these Principles, it is processed based on explicit consent.
4 CATEGORIZATION OF PERSONAL DATA
Data Owner |
Data Category |
Data Types |
Customer |
ID |
Name-Surname, Turkish ID Number, Identity Information, Signature Information, Photograph, Passport Information |
Physical Space Security Certificate |
CCTV Camera Records |
|
Financial Information |
Account Information, Invoice Information, Credit Card Information |
|
Transaction Security |
IP Address, Website Login, Logout and Browsing Information, Password and Passcode Information |
|
Health Information |
Health Data |
|
Contact |
Address (work), Email, Phone / Cell Phone |
|
Employee Candidate |
ID |
ID Name-Surname, Identity Information, Gender, Date of Birth, Family Relative Information, Marital Status |
Contact |
Address, Email, Phone / Cell Phone |
|
Visual Information |
Photographs, CCTV Camera Clips |
|
Health Knowledge |
Disability Knowledge, Health Knowledge |
|
Curriculum Vitae |
Curriculum Vitae Information, Professional Experience Information, Education Information, Foreign Language Information, Driving License Information |
|
Transaction Security |
IP Address, Website Login, Logout and Browsing Information, Password and Passcode Information |
|
Prospective Customer |
ID |
Name-Surname, Turkish ID Number, Credentials, Signature Information |
Health Information |
Health Information |
|
Financial Information |
Credit Card Information |
|
Contact |
Address (work), E-Mail, Cell Phone |
|
Social Media Information |
Social Media Account Information |
|
Transaction Security |
IP Address, Website Login, Logout and Browsing Information, Password and Passcode Information |
|
Visitor |
Identification |
Name-Surname, Credentials, CCTV Camera Records |
Transaction Security |
IP Address, Website Login, Logout and Browsing Information |
|
Third Party |
Identification |
Name-Surname |
Contact |
Address (work), E-Mail, Cell Phone |
|
Transaction Security |
IP Address, Website Login, Logout and Browsing Information |
|
Supplier / Business Partner |
ID |
Name-Surname, Turkish ID Number, Credentials, Signature Information |
Physical Space Security Information |
CCTV Camera Records |
|
Personal |
SSI Information, OHS Information |
|
Health Information |
Health Information |
|
Contact |
Address (work), E-Mail, Cell Phone |
|
Criminal Conviction and Security Measures |
Criminal Record Information |
|
Audio/Visual Information |
Video recording |
|
Financial Information |
Account Information |
|
Transaction Security |
IP Address, Website Login, Logout and Browsing Information |
|
Online Visitor |
ID |
Name-Surname |
Transaction Security |
IP Address, Website Login, Logout and Browsing Information |
5 PURPOSES OF PROCESSING PERSONAL DATA
In BURSALI TURİZM, personal data can be processed for the following purposes according to the relevant person group within the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698.
5.1 CUSTOMER
Within the scope of the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698, customer personal data may be processed for the purposes of carrying out the business and operational processes necessary to benefit from the products and services offered by the company and the execution of the contract, planning and execution of financial and accounting affairs and customer relationship management and customer satisfaction activities processes, contract processes and follow-up of customer requests and complaints, planning and execution of transfer processes, planning, infrastructure creation and management, audit and execution of information security processes.
5.2 EMPLOYEE CANDIDATE
Employee Candidate personal data may be processed for the purposes of planning and execution of human resources processes, execution of personnel activities, fulfillment of obligations arising from legislation, planning and execution of benefits, execution of personnel recruitment processes, within the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698.
5.3 CANDIDATE CUSTOMER
Candidate Customer personal data, within the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698 Within the scope of the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698, planning and execution of the activities necessary for the recommendation and promotion of the products and services offered by the Company to the relevant persons by customizing them according to the tastes, usage habits and needs of the relevant persons, carrying out the necessary studies for the realization of the commercial activities carried out by the Company and carrying out the related business processes, It may be processed for the purposes of conducting the necessary studies and related business processes in order to benefit from the products and services offered by the Company, planning and execution of the activities required for the customization and promotion of the products and services offered by the Company, planning and execution of customer relationship management processes.
5.4 VISITOR
Within the scope of the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698, visitor personal data may be processed for the purposes of ensuring the security of building and facility premises and/or facilities, creating and tracking visitor records, ensuring the security of fixtures and/or resources, ensuring technical and commercial business security, ensuring the security of corporate operations, providing information to authorized institutions and organizations arising from legislation.
5.5 THIRD PARTY
Within the scope of the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698, Third Party personal data may be processed for the purposes of carrying out the necessary business and operational processes in order to benefit from the products and services offered by the company, carrying out the necessary work and related business processes for the realization of the commercial activities carried out by the company, carrying out the necessary work and related business processes in order to benefit from the products and services offered by the company, customizing, recommending and promoting the products and services offered by the Company and performing the contract.
5.6 SUPPLIER/BUSINESS PARTNER
Supplier / Business Partner personal data may be processed within the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698 for the purposes of carrying out the necessary business and operational processes in order to benefit from the products and services offered by the company, carrying out the necessary work for the realization of the commercial activities carried out by the company and carrying out the related business processes, carrying out the necessary work and related business processes in order to benefit from the products and services offered by the company.
5.7 ONLINE VISITORS
Online Visitor personal data may be processed for the purposes of conducting marketing analysis studies, conducting advertising / campaign / promotion processes, conducting communication activities, conducting product and service development studies, fulfilling legal obligations, within the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698.
6 TRANSFER OF PERSONAL DATA
Your personal data may be transferred to companies with which BURSALI TURİZM has commercial relations due to hotel management and similar needs, legally authorized public institutions and legally authorized private persons within the framework of the principles and purposes set out in Articles 3 and 5 of these Principles and the personal data processing conditions and purposes specified in Articles 8 and 9 of Law No. 6698.
7 METHOD AND LEGAL REASON FOR COLLECTING PERSONAL DATA
Your personal data transmitted to BURSALI TURİZM electronically are processed as follows according to the relevant person groups.
7.1 CUSTOMER
Customer personal data are processed in accordance with Article 5 of Law No. 6698. “it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract”, “it is mandatory for the data controller to fulfill its legal obligation”, “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned”, in physical and electronic media, written or verbal data transfer tools and the data recording system is processed automatically by taking it from the person personally or from the third party.
7.2 EMPLOYEE CANDIDATE
The personal data of the Employee Candidate shall be processed in accordance with Article 5 of the Law No. 6698. In the context of the employment contract that is likely to be established in Article 5 of Law No. 6698, “it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract”, “it is mandatory for the data controller to fulfill its legal obligation”, “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned”, by filling out the application form in electronic environment, by filling out a physical form, by taking it from the person or third party as part of the data recording system.
7.3 PROSPECTIVE CUSTOMER
Candidate Customer personal data shall be processed in accordance with Article 5 of Law No. 6698. “data processing is mandatory for the establishment, exercise or protection of a right”, “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject”, “data processing is mandatory for the legitimate interests of the data controller”, “it is mandatory for the data controller to fulfill its legal obligation” in physical and electronic media, written or verbal data transfer tools and data recording system.
7.3 VISITOR
The personal data of the Visitor are processed in accordance with Article 5 of Law No. 6698. Based on the legal reason that “it is mandatory for the data controller to fulfill its legal obligation” and “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned” in Article 5 of Law No. 6698, the personal data of the visitors are processed automatically by recording images through security cameras located in the entrance doors, building exterior, meeting rooms and event areas, dining areas, cafeteria, entrance waiting area, parking lot, elevators and floor corridors in our service building.
7.4 THIRD PARTY
Third Party personal data are processed automatically by means of physical, electronic media, written or verbal data transfer tools and data recording system as a part of the data recording system by means of physical, electronic media, written or verbal data transfer tools based on the legal reasons of “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject” and the personal data processing conditions specified in Article 6 of Law No. 6698.
7.5 SUPPLIER / BUSINESS PARTNER
The personal data of the Supplier / Business Partner shall be processed in accordance with Article 5 of Law No. 6698. “it is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract”, “it is mandatory for the data controller to fulfill its legal obligation”, “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned”, in physical and electronic media, written or verbal data transfer tools and data recording system.
7.6 ONLINE VISITORS
Online Visitor processes personal data automatically based on the legal grounds of “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject” and “it is mandatory for the data controller to fulfill its legal obligation” in Article 5 of Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications and Law No. 6698.
8 SECURITY OF PERSONAL DATA
8.1 BURSALI TURİZM takes reasonable measures to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data in order to ensure the security of personal data and to prevent unlawful processing.
8.2 All necessary technical and physical measures are taken to prevent access to personal data by persons other than those authorized to access it. In this context, especially the authorization system is designed in such a way that no one can access more personal data than necessary.
8.3 BURSALI TURİZM carries out and has the necessary audits carried out in its own institution or organization in order to ensure the implementation of the provisions of Law No. 6698.
9 COMMITMENTS REGARDING THIRD PARTY PERSONAL DATA
It is accepted and consented by the Person Group that BURSALI TURİZM may process the personal information of third parties transmitted by the Person Groups. The relevant Person Group also undertakes that it has made the necessary information and obtained the permissions in accordance with the Law No. 6698 on the Protection of Personal Data for the communicated persons and their information. Otherwise, any damages that may arise will remain with the relevant Person Group.
10 APPLICATION PROCEDURES AND PRINCIPLES
As a relevant person, in case you have a request regarding your rights under Article 11 of Law No. 6698; With your application that meets the minimum conditions stipulated by the Communiqué on the Procedures and Principles of Application to the Data Controller; bursaliturizm@hs01.kep.tr KEP address kvkk@ramadaencorebayrampasa.com e-mail address with mobile signature or e-signature or Yenidoğan Mah. Şehit Naci Çakar Sok. No:11 Bayrampaşa/İstanbul address in person with a wet signed written application or through a notary public. As BURSALI TURİZM, we will finalize your application free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, if the transaction requires an additional cost, BURSALI TURİZM will charge the fee in the tariff determined by the Personal Data Protection Board.
In this context, you have the following rights as the relevant person;
a) Learn whether personal data is being processed,
b) Request information if personal data has been processed,
c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
ç) To know the third parties to whom personal data are transferred domestically or abroad,
d) To request correction of personal data in case of incomplete or incorrect processing,
e) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
f) To request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data are transferred,
g) To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems,
ğ) In case of damage due to unlawful processing of personal data, to demand the compensation of the damage.