PROCESSING & PROTECTION OF PERSONAL DATA

TURQUOİSE TOURISM AND TRAVEL AGENCY PERSONAL DATA PROTECTION AND PROCESSING POLICY

PERSONAL DATA PROCESSING AND PROTECTION POLICY

  1. INTRODUCTION

    Within the scope of this Personal Data Protection and Processing Policy (“Policy”), the principles adopted by Turquoise Turizm ve Seyahat Acentalığı Ltd. Şti. (hereinafter referred to as “Turquoise Turizm”) for conducting personal data processing activities are explained, along with the fundamental principles adopted by Turquoise Turizm to ensure compliance with the regulations set forth in the Personal Data Protection Law No. 6698 (“the Law”). Additionally, this Policy informs data subjects about the legal provisions and general principles adopted by our Company.

    With full awareness of our responsibility in this context, your personal data is processed under this Policy and reasonably protected.

  2. PURPOSE OF THE POLICY

    The primary purpose of this Policy is to establish the principles of personal data processing activities conducted lawfully by Turquoise Turizm and to outline the fundamentals of personal data protection. In this context, the Policy aims to ensure transparency by informing and enlightening individuals whose personal data is processed by our Company.

  3. SCOPE OF THE POLICY

    This Policy outlines the principles regarding the processing of your personal data and personal health data within Turquoise Turizm. It provides details on the purposes and conditions for processing such data, its transfer domestically and internationally, its destruction, and the practices and principles concerning your rights over the processed data.

  4. ACCESS AND UPDATES

    The Policy is published on our Company’s website and made accessible to data subjects upon request. It is updated as necessary. (Pursuant to Article 4 of the Personal Data Protection Law No. 6698, the personal data we collect and process must be accurate and up-to-date. Therefore, in the event of any changes to your personal data, please notify us of your updated and accurate personal information using the methods specified in the Clarification Text available on our website.)

    Our Company reserves the right to make changes to the Policy in line with legal regulations.

    In the event of any conflict between the provisions of this Policy and the applicable legislation, particularly the Law, the provisions of the legislation shall prevail.





  5. DEFINITIONS

    The definitions used in this Policy are provided below:

    Explicit Consent: Consent that is specific, informed, and freely given.
    Anonymization: The process of rendering personal data unidentifiable with an individual, even when matched with other data.
    Personal Data: Any information relating to an identified or identifiable natural person.
    Processing of Personal Data: Any operation performed on personal data, such as collection, recording, storage, use, disclosure, transfer, or deletion.
    Personal Data Protection Law: The Personal Data Protection Law No. 6698.
    Personal Data Protection Board: The authority overseeing the implementation of the Personal Data Protection Law.
    Personal Data Protection Authority: The official institution responsible for monitoring and enforcing personal data protection regulations.
    Special Categories of Personal Data: Data revealing an individual's race, ethnicity, political opinions, religious beliefs, health, or similar sensitive information.
    Data Subject: The individual whose personal data is being processed.
    Data Controller: The entity responsible for determining the purposes and means of processing personal data.
    Data Processor: The entity processing personal data on behalf of the data controller based on their authority.
    Data Controllers Registry: The registry maintained under the supervision of the Personal Data Protection Board (VERBİS).
    Data Inventory: An inventory prepared by Turquoise Turizm outlining data processing activities, purposes, and relationships with data subject groups and data recipients.


  6. PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

    Within Turquoise Turizm, personal data is processed in accordance with legitimate and lawful data processing purposes, as outlined in Article 5 of the Personal Data Protection Law (KVK Law). This is done in compliance with the principles specified in Article 4 of the KVK Law, general principles, and all related obligations. Personal data processing includes data subjects covered by this Policy, such as Product and Service Recipients, Employees, Job Candidates, Visitors, Legal Guardians, Supplier Employees, Supplier Representatives, Shareholders/Partners, Employee Relatives, Job Candidate Relatives, Dependents, Emergency Contacts, Guests, Hosts, Reservation Providers, Travelers, Service Recipient Relatives, Consultants, Trainers, and References, among others.

    • To fulfill the requirements of our Company’s commercial activities and ensure that individuals benefit from the products and services we provide.
    • To facilitate travel planning, reservations, and rentals.
    • To carry out visa applications to be submitted to consulates.
    • To define the commercial and operational strategies and determine suitable services.
    • To evaluate requests and complaints.
    • To ensure that Company activities comply with Company procedures and relevant legislation.
    • To manage the execution of work and reference relations with business partners in sectors with varying needs.
    • To fulfill information-sharing, reporting, and notification obligations imposed by public institutions and authorities.
    • To comply with legal obligations regarding the retention of information and documents.
    • To conduct financial, communication, market research, and procurement operations.
    • To manage legal processes and provide uninterrupted, reliable services in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.


    Turquoise Turizm has prepared a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. This inventory includes data categories, data sources, purposes of data processing, data processing processes, recipient groups to whom the data is transferred, and retention periods.

    Within the scope of this inventory, the following types of data categories exist within Turquoise Turizm, but are not limited to these:

    Identity Information: Details written on your ID card such as name, surname, mother's name, father's name, place of birth, date of birth, marital status, religion, blood type, registered province, district, and neighborhood, as well as other information found on your ID card.
    Contact Information: Information requested from you or provided by you to establish contact, such as home phone number, mobile phone number, residence address or other address information, email address, and similar communication details.
    Personnel Information:
    • Copy of ID card
    • Population register example
    • Residence Certificate
    • Health report
    • Diploma copy
    • Criminal record
    • Passport photo
    • Family status document
    • Military status certificate
    • Employment/Service Contract
    • SGK entry declaration
    • Criminal record certificate
    • Information and documents regarding your health status.
    Professional Experience: Details such as diploma information, attended courses, in-service training, certifications, etc.
    Bank Account Information (Finance): Bank account number, IBAN number, and other information related to your bank card.
    Transaction Security: Details like IP address information, website access logs, passwords, etc.
    Resume Information:
    • Information about your education, such as school details, certifications, education level, and training provided in your resume.
    • Work experience details such as locations, dates, and durations listed in your resume.
    • Photograph provided in your resume.
    • Driving license and its details.
    • References and related information provided in your resume.
    Health Data: Health data obtained during the creation of personnel files (disability status, blood group, personal health information) and health data in insurance policies and SGK service documents.
    Criminal Record Data: Details from criminal record certificates obtained for personnel files.
    Customer Transactions: Details such as invoices, promissory notes, checks, teller slips, order details, and requests.
    Legal Processes: Information such as correspondence with judicial authorities and data in case files.
    Visual and Audio Records: Visual and audio recordings.
    Physical Space Security (Visitor Information): Details such as visitor camera records, internet access logs, and other information about visited individuals.
    Marketing: Details such as past service information, surveys, cookie records, and data obtained through campaign activities.
    Location: Details about the location of the place you are at.
    Other: Details such as photo, travel, health insurance policy details, passport information, salary and payroll data, hotel and flight reservation details, signature circulars, SGK documents, and asset declaration (property, revenue contracts, bank account statements) required during visa applications by authorized visa service firms.


  7. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

    7.1 Legal Compliance

    Our company carries out its personal data processing activities in accordance with the law and the rules of honesty, in accordance with the Constitution, the Personal Data Protection Law and the relevant legislation. In this context, our company acts by determining the legal basis that requires the processing of personal data, takes the proportionality requirements into account, does not use personal data for purposes other than what is required, and does not carry out any processing activities without the knowledge of individuals.

    7.2 Data is accurate and up-to-date when necessary

    Our company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and its own legitimate interests, and takes the necessary precautions accordingly. In this context, efforts are made to keep data regarding all categories of persons up-to-date, and all kinds of administrative and technical measures are taken to ensure accuracy and up-to-dateness.

    7.3 Specific, Legitimate and Clear Purpose

    Our company processes personal data only for clearly and precisely determined legitimate purposes and does not engage in data processing activities other than for these purposes. The purpose for which personal data will be processed by our company is determined before the processing activity and is recorded in the “Personal Data Inventory”.

    7.4 Data must be related to the purpose for which they are processed, limited and proportionate.

    Personal data is processed by our company to the extent necessary to achieve the specified purposes. No data processing activity is carried out on the assumption that the data may be used later. In this context, processes are constantly reviewed and efforts are made to implement the principle of reduction of personal data.

    7.5 Keeping Personal Data as Long as Necessary and Deleting It Afterwards

    Our company retains personal data only for the period specified in the relevant legislation or necessary for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen in the legislation for the storage of personal data and, if a period is determined, acts in accordance with this period; it also takes the statute of limitations into account and keeps personal data for the period necessary for the purpose for which they are processed. If the period expires or the reasons requiring processing disappear, personal data is deleted, destroyed or anonymized in accordance with our Company's "Data Destruction Policy".

  8. TERMS OF PROCESSING OF PERSONAL DATA

    Personal data can only be collected, processed or used within the scope of the legal bases specified below.

    8.1 Explicit Consent

    Explicit consent is defined in Article 3 of the Law as "consent regarding a specific subject, based on informed consent and expressed with free will". In addition, the 3rd paragraph of Article 20 of the Constitution stipulates that personal data can only be processed in cases stipulated by law or with the explicit consent of the person. Explicit consent is envisaged in Law No. 6698 as the main reason for compliance with the law for both special personal data and non-special personal data.

    Accordingly, personal data is processed by our company on the basis of explicit consent that is declared with free will and is verifiable (in writing, electronically or recorded verbally). If special categories of personal data are processed, explicit consent will be obtained in writing when necessary.

    Process managers who process personal data are obliged to check the existence and validity of the relevant data owner's explicit consent when collecting the personal data they process. If it is determined that there is no explicit consent (except for the following exceptions), no data processing activity will be carried out.

    8.2 Processing of Personal Data Without Explicit Consent

    In case of one of the following conditions, it is possible to process personal data without the explicit consent of the relevant person:
    1. Explicitly stipulated by the law,
    2. Being necessary to protect the life or physical integrity of the person who is unable to express consent or whose consent is not legally valid due to actual impossibility,
    3. Being necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
    4. Being mandatory for the data controller to fulfill its legal obligations,
    5. Having been made public by the data subject,
    6. Being necessary for the establishment, exercise, or protection of a right,
    7. Being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,

    In such cases, it may be processed without explicit consent.

    8.3 Processing of Special Personal Data

    Our company pays special attention to the processing of special personal data, the protection of which is of critical importance for data owners in various aspects. In this context, provided that adequate measures determined by the Board are taken, such data is not processed without the explicit consent of the data owners. However, provided that adequate precautions are taken, it can be processed without explicit consent where the following reasons exist:

    • Explicitly stipulated by the law,
    • Being necessary to protect the life or physical integrity of the person who is unable to express consent or whose consent is not legally valid due to actual impossibility,
    • Being related to the personal data made public by the data subject and consistent with the intention of making it public,
    • Being necessary for the establishment, exercise, or protection of a right,
    • Being necessary by persons under a confidentiality obligation or authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, as well as for planning, managing, and financing healthcare services,
    • Being mandatory to fulfill legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance,
    • Being related to foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, within the scope of their legal regulations and objectives, limited to their field of activity, and provided that they are not disclosed to third parties; directed toward their current or former members and affiliates or those who are in regular contact with these organizations.


    In any case where special personal data needs to be processed, the KVKK Committee will be informed.

  9. TRANSFER OF PERSONAL DATA

    Your personal data is processed by our company in accordance with the principles of compliance with the law and the rules of honesty, being accurate and up-to-date when necessary, being processed for specific, clear and legitimate purposes, being connected, limited and proportionate to the purpose for which they are processed, and being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

    Your personal data may be transferred, within the framework of the personal data processing conditions specified in Articles 8 and 9 of Law No. 6698 and the purposes stated above, to: our business partners at home and/or abroad with whom we cooperate in order to continue our company's activities and business processes; supervisory and regulatory public institutions and organizations, including TURSAB and relevant ministries; the general directorate of security and other law enforcement forces; courts; third parties from whom we receive consultancy services, including lawyers, consultants and auditors; authorized representatives and agencies; insurance companies, airlines, hotels, rental companies, authorized visa application companies, notaries, banks and financial institutions; and our service providers at home and/or abroad that process personal data on behalf of our company and from whom we receive support in fields such as storage, archiving and information technology support (server, hosting, software, cloud computing, etc.).

  10. RIGHTS OF RELATED PERSONS

    10.1 Turquoise Turizm will respond to the requests of the relevant persons whose personal data it processes, within the scope of the following rights, within 30 days:

    1. To learn whether personal data has been processed or not,
    2. If personal data has been processed, to request information regarding it,
    3. To learn the purpose of processing personal data and whether it is used in line with its purpose,
    4. To know the third parties to whom personal data is transferred domestically or abroad,
    5. To request correction of incomplete or inaccurate personal data and to request that the process carried out in this regard be communicated to the third parties to whom the personal data has been transferred,
    6. Despite being processed in accordance with the Personal Data Protection Law and other relevant laws, to request deletion or destruction of personal data in the event that the reasons requiring processing are eliminated, and to request that the process carried out in this regard be communicated to the third parties to whom the personal data has been transferred,
    7. To object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems,
    8. To demand compensation in case of damage due to unlawful processing of personal data.


    10.2 Data owners may apply within the scope of the above-mentioned rights with the KVKK application form available on the website, with information and documents that will identify them and by the methods specified below or other methods determined by the Personal Data Protection Board.

  11. PRIVACY AND DATA SECURITY MEASURES

    All personal data processed within Turquoise Turizm are confidential. For the purposes specified in Article 12 of the Law, namely:

    a) To prevent unlawful processing of personal data,

    b) To prevent unlawful access to personal data,

    c) To ensure the preservation of personal data,

    Turquoise Turizm takes all necessary technical and administrative measures to ensure the appropriate level of security.

    11.1 Technical Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

    Turquoise Turizm has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks. For example:

    • Network security and application security are ensured.
    • Key management is implemented.
    • Authorities in this area are revoked for employees who change roles or leave the job.
    • Up-to-date antivirus systems are used.
    • Firewalls are employed.
    • Security measures are taken within the scope of procurement, development, and maintenance of information technology systems.
    • Personal data is backed up, and the security of the backed-up personal data is also ensured.
    • Necessary security measures are taken for entry and exit to physical environments containing personal data.
    • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
    • The security of environments containing personal data is ensured.
    • Personal data is minimized as much as possible.
    • User account management and access control systems are implemented and monitored.
    • Encryption is applied. Access to systems containing personal data is provided through the use of a username and password.


    11.2 Administrative Measures Taken to Ensure Lawful Processing of Personal Data and Prevent Unlawful Access to Personal Data

    1. A management framework has been established to initiate and control information security operations and applications within the organization.
      1. The KVKK Committee and Contact Person have been appointed, and their job descriptions have been defined.
      2. KVKK Application channels have been determined.
      3. Workflows for violation, request/complaint management have been established.
    2. The main principles, policies, and procedures related to the processing and protection of personal data have been determined.
      1. The Data Processing and Retention Policy has been established.
      2. The Policy on the Processing and Protection of Personal Data has been created.
      3. A Policy on the Security of Special Category Personal Data has been established.
    3. Risks and threats associated with processed personal data have been identified.
    4. Training and awareness activities on personal data security are conducted for employees.
    5. Roles and responsibilities related to data security have been defined to ensure that employees and contractors are aware of their information security responsibilities and fulfill them.
    6. Confidentiality agreements are signed.
    7. Clarification texts for employees, customers, suppliers, etc., have been published.
    8. Processes requiring explicit consent have been identified and implemented.
    9. Periodic and/or random internal audits are conducted. Privacy and security vulnerabilities identified as a result of these audits are addressed.
    10. The necessity of personal data for the stated purposes is evaluated, and personal data is minimized as much as possible.
    11. If data is unlawfully obtained by others, measures are taken by employees to inform the concerned individuals and the Board as soon as possible.


    11.3 Measures to be Taken in Case of Illegal Disclosure of Personal Data

    If the processed personal data is obtained by others through illegal means, our Company will notify the relevant data owner and the Board as soon as possible (within a maximum of 72 hours).

  12. DESTRUCTION (DELETION, DESTRUCTION AND ANONYMIZATION) CONDITIONS OF PERSONAL DATA

    In accordance with Article 138 of the Turkish Penal Code, Article 7 of the Personal Data Protection Law and the "Regulation on Deletion, Destruction and Anonymization of Personal Data" issued by the Institution, personal data that has been processed in accordance with the provisions of the relevant law is deleted, destroyed or made anonymous, based on Turquoise Turizm's own decision or upon the request of the personal data owner, in the event that the reasons requiring processing are eliminated. Turquoise Turizm has created a Policy in accordance with the provisions of the regulation on this subject, and destruction is carried out in accordance with this Policy according to the nature of the data. In accordance with this regulation, periodic destruction dates have been determined by Turquoise Turizm, and periodic destruction will be carried out at various intervals from the beginning of the obligation. The calendar was created accordingly.

  13. EXECUTION

    A management structure has been established by Turquoise Turizm to ensure compliance with the KVK Law regulations in the execution of this Policy.

  14. EFFECTIVE DATE OF THE POLICY

    This Policy entered into force on 03.09.2024.
