PRIVACY AND PERSONAL DATA PROTECTION TERMS
1. PURPOSE AND SCOPE
These Privacy and Personal Data Protection Terms (“Terms”), which are accepted by Tamaris Turizm Anonim Şirketi (“Company”) with respect to the protection of personal data, determine the personal data processing principles with respect to the processing of personal data of all relevant person groups and aim to inform such Data Subject Groups according to Personal Data Protection Law numbered 6698 (“Law numbered 6698”).
2. PRINCIPLES REGARDING PROCESSING OF PERSONAL DATA
We, the Company, as the Data Controller, process your personal data under the below principles.
2.1 Processing in accordance with Law and Rule of Fairness
The principles brought with legal regulations and the general trust and fairness rule are complied with in respect of processing your personal data. According to this principle, while we, as the Data Controller, try to achieve our personal data processing purposes, we take into consideration your interests and reasonable expectations, do not abuse our rights, and act in compliance with the principle of transparency in respect of our actions.
2.2 Ensuring that the Personal Data Are Correct and, When Necessary, Up-to-Date
In line with this principle, which emphasizes the importance of keeping your personal data accurate and up-to-date, periodic checks and updates are carried out to ensure that the personal data being processed is accurate and up-to-date, and in this respect necessary measures are taken by taking into consideration your legitimate interests. To this effect, systems intended to check the accuracy of the personal data and to make the necessary corrections are established within the Company. Furthermore, the accuracy of the sources from which the personal data are collected is checked, and requests that arise due to inaccuracy of personal data are taken into consideration. Therefore, this principle is applied in harmony with your right to request correction of the personal data, to which you are entitled under the Law numbered 6698.
2.3 Being Processed for Specified, Explicit, and Legitimate Purposes
Your personal data are processed based on explicit, specified, and legitimate data processing purposes. In this respect, we ensure that our personal data processing activities are clearly comprehensible by the data subject and we determine and explicitly set forth the purposes of the personal data processing activities in clauses 5 and 7 of these Terms.
2.4 Being Relevant, Limited and Proportioned to the Purposes for Which They Are Processed
Your personal data are processed in a manner, which is proportioned, relevant and limited to the envisioned processing purpose(s) and the processing of personal data, which are not relevant to achieving the(se) purpose(s) or are not needed, is avoided. Again, under this principle, personal data are not collected or processed for purposes, which do not exist and are deemed to occur later.
2.5 Being Stored for the Period Set Forth by the Legislation or the Period Required for the Purpose for Which They Are Processed
Your personal data are stored only for the period which is set forth by the relevant legislation or is required for the purpose for which they are processed. For this, we, as the Data Controller, take and apply the organizational and technical measures. In this respect, we first determine whether a period of time is foreseen by the relevant legislation for the storing of personal data. If a period is determined, we comply with it; if a period of time is not determined, the personal data are stored for the period required for the purpose for which they are processed. In the event of expiry of the period or if the reasons for processing cease to exist, and if there is no legal basis which allows for data to be processed for a longer period of time, your personal data is erased, destroyed, or anonymized according to the personal data protection legislation.
3. CONDITIONS FOR PROCESSING PERSONAL DATA
Your personal data may be processed by the Company under the conditions set forth below.
3.1 Being Expressly Provided for In the Laws
The fundamental rule is that the personal data cannot be processed without the explicit consent of the data subject, but according to this exception, your personal data may be processed in the event the processing of personal data is explicitly provided for in the laws.
3.2 Explicit Consent of the Data Subject Cannot Be Taken Due to Actual Impossibility
Your personal data may be processed to protect the life of the data subject or any other person, if the data subject is unable to express his/her consent due to an actual impossibility or the data subject’s consent cannot be deemed valid. In this respect, it is foreseen that in cases, where the consent cannot be expressed or is not valid, on the condition that it is mandatory to protect the life or bodily integrity of persons, personal data may be processed.
3.3 Being Directly Related to the Establishment or Performance of a Contract
On the condition that it is directly related to the establishment or performance of a contract, your personal data may be processed if the processing of the personal data of the parties to the contract is required. Based on this condition, in the event the personal data of the parties are processed for the performance of the obligations under a valid contract, explicit consent shall not be required.
3.4 Performance by the Company of its Legal Obligation
If the processing is mandatory in order to fulfill the legal obligations as a Data Controller, your personal data may be processed.
3.5 Personal Data Is Made Public
If your personal data is made public by yourself, in other words, if they are disclosed to the public by you, they may be processed. In such case, the legal interest which is required to be protected is deemed to cease to exist.
3.6 Data Processing Is Mandatory for Establishment, Exercise or Protection of A Right
Your personal data may be processed if data processing is mandatory for establishment, exercise or protection of a right.
3.7 Processing Based on Legitimate Interests
If data processing is required for the legitimate interests of the Company, your personal data may be processed. In this respect, the Company may process personal data for purposes such as promotion of employees, raises in the salaries of the employees or regulating the social benefits of the employees, on the condition that the fundamental rights and freedoms of the employee are not violated. On the other hand, even in such cases, the fundamental principles with respect to the protection of personal data shall be complied with and the balance of interests of the data subject shall be respected.
3.8 Processing Based on Explicit Consent
Although the main rule is that the personal data is processed based on explicit consent, in the event the other conditions set forth in this clause exist, the explicit consent of the data subject is not sought. Otherwise, it will be an abuse of right. In this respect, your personal data is processed based on explicit consent if they are not processed based on one of the conditions which are set forth in these Terms.
3.9 Processing of Special Categories of Personal Data
We process your special categories of personal data based on your explicit consent in accordance with Article 6 of the KVKK No. 6698. In the same article, special categories of personal data other than health and sexual life can only be processed in cases stipulated in the laws, and special categories of personal data regarding health and sexual life can only be used for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and financing of health services. For the purpose of management, we can process it without your explicit consent by paying attention to the issues regarding the processing by persons or authorized institutions and organizations under the obligation of confidentiality.
4. TRANSFER OF PERSONAL DATA
Your personal data may be transferred within the scope of principles and purposes set forth in clause 2 of these Terms under the conditions for, and for the purposes of, processing personal data set forth in articles 8 and 9 of the Law numbered 6698 in a limited capacity to our business partners, legally authorized public authorities and legal entities in the country or our business partners located abroad.
5. SECURITY OF PERSONAL DATA
The Company takes reasonable measures to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data, for the purpose of ensuring the security of the personal data and preventing unlawful processing thereof.
All reasonably required technical and physical measures are taken to prevent persons other than those who are authorized to access personal data from accessing personal data. In this context, the authorization system in particular is set up in a way which makes it impossible for persons and systems to access more personal data than is necessary.
The Company carries out the required audits and has such audits carried out in its institutions and establishments for the purpose of execution of the provisions of the Law numbered 6698.
The measures taken are as follows:
• Network security and application security are provided.
• Closed system network is used for personal data transfers via network.
• Key management is implemented.
• The security of personal data stored in the cloud is provided.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• There are disciplinary regulations that include data security provisions for employees.
• Training and awareness activities are carried out periodically on data security for employees.
• Authorization matrix has been created for employees.
• Access logs are kept regularly.
• Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
• Data masking is applied when necessary.
• Confidentiality commitments are signed.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Current anti-virus systems are used.
• Firewalls are used.
• Signed contracts include data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is reduced as much as possible.
• Personal data is backed up and the security of the backed up personal data is also ensured.
• User account management and authorization control system is implemented and these are also followed.
• In-house periodic and/or random audits are conducted.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for the security of special categories of personal data have been determined and implemented.
• If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using KEP or corporate mail account.
• Intrusion detection and prevention systems are used.
• Penetration test is applied.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is provided.
• Sensitive personal data transferred in portable memory, CD, DVD media are transferred by encrypting them.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.
6. PROCEDURES AND PRINCIPLES FOR APPLICATION
As the data subject, you can direct your claims relating to your rights listed in Article 11 of the Law and similar other rights arising from the GDPR to us by filling out the Application Form for the Protection of Personal Data, which you can obtain from the front office. The Company will process your application as soon as possible and within thirty days at the latest, according to the nature of your claim and free of charge. However, if the transaction requires additional costs, a fee in the amount determined by the Turkish Personal Data Protection Board shall be charged by the Company. If we reject your application, if our response does not have sufficient substance in your opinion, or if we fail to respond to you within thirty days, you may inform us, or you may apply to the data protection authority located in your country within thirty days after you receive our response and, if that is not the case, within sixty days after you duly make your request.
|Application Alternatives|Application Address|
|Electronic message you will send with KEP.|email@example.com|
|The message you will send with your e-mail address registered in our system or with secure electronic signature and mobile|firstname.lastname@example.org|
|Application that you submit in writing in person or through a notary public.|Kazlıçeşme Mahallesi, Kennedy Caddesi, No:56, Zeytinburnu/İstanbul|