INFORMATION TEXT

DISCLOSURE TEXT

(For Hotel Guests)

You can access the details regarding the explanations contained in this disclosure text, which has been prepared and implemented in the accommodation facility belonging to the data controller company Tarşa Otel İşletmeciliği Turizm ve Tic.A.Ş and/or its branches (hereinafter referred to as "Arcanus Hotels"), in accordance with the KVKK Policy and Law No. 6698 on the Protection of Personal Data (PDPL), from the documents contained in the data controller's PDPL Policy and its annexes.

Your Personal Data Being Processed

 

  1. Identity and Family Information [Name-surname, National ID No., Passport No., place and date of birth, marital status, gender, child's name, number of children, ages and dates of birth, signature, voucher (travel card) information, registration card (accommodation card information), room type and number, flight number, hotel of stay, accommodation dates and amount]

  2. Contact Information [address, phone number, e-mail address]

  3. Customer Transaction Information [(Vehicle plate number, survey form, records related to product and service delivery, requests, instructions, photographs, wedding, birth, special day anniversaries, invoice information, order information, request information]

  4. Physical Premises Security Information [Entry and exit record information of customers and visitors, camera recordings]

  5. Transaction Security Information [IP address, hotspot records, password and passphrase information, website login/logout information, log and digital traffic records]

  6. Financial Information [Credit card number, account number, expiry date]

  7. Visual and Auditory Records and Information [Visual and auditory records and information]

  8. Health Information [Information regarding disability status, chronic conditions, past illnesses, asthma, diabetes, heart and blood pressure conditions, personal health information]

 

  1. Method of Collection and Legal Grounds for Processing Your Personal Data

 

Pursuant to this disclosure text, your personal data is collected verbally, in writing, or electronically through automatic or non-automatic means as part of a data recording system, through solution partners with whom we cooperate and have contractual relationships, through third parties with whom we have agreements as a requirement of our activities and to whom services are provided, or through information, documents and similar means transmitted by you.

 

This data may be processed directly within the framework of Article 5 of Law No. 6698 on the basis of your explicit consent, or in cases where your explicit consent is not required, in the presence of the conditions specified below. Accordingly:

  1. Being expressly provided for by law.

  2. Being necessary for the protection of the life or physical integrity of the person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid, or of another person.

  3. Being necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract.

  4. Being necessary for the data controller to fulfil its legal obligations.

  5. The data having been made public by the data subject themselves.

  6. Being necessary for the establishment, exercise or protection of a right.

  7. Being necessary for the legitimate interests of the data controller, provided that this processing does not harm the fundamental rights and freedoms of the data subject.

 

Within the scope of Article 6 of Law No. 6698, your special category personal data other than health and sexual life data may be processed based on your explicit consent or in cases provided for by law in accordance with the same article. In the absence of your explicit consent, your personal data relating to health and sexual life may only be processed by persons or authorised institutions and organisations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

 

  1. Purposes for Processing Your Personal Data


Your personal data is processed in accordance with Articles 4, 5 and 6 of Law No. 6698 on the Protection of Personal Data; in a lawful and honest manner, accurately and up to date, for specific, clear and legitimate purposes, in a manner connected, limited and proportionate to the purposes for which they are processed, and preserved for the period stipulated in relevant legislation or required for the purpose for which they are processed, for the following purposes:

  • Your identity, contact, legal transaction and customer transaction data contained in the accommodation document are processed for the purpose of providing accommodation services, pursuant to PDPL Art. 5/2(c) for the establishment or performance of a contract.

  • Your identity and health data contained in the food allergy form are processed for the purpose of providing appropriate services to the guest, under PDPL Art. 6/3(a) for health data and PDPL Art. 5/2(c) for other data.

  • Your identity, legal transaction, financial and customer transaction data related to invoicing in your name are processed for the purpose of managing accounting processes, under PDPL Art. 5/2(c).

  • Your identity, financial, legal transaction and customer transaction data relating to reservation transactions are processed for the purpose of managing sales and operational processes, under PDPL Art. 5/2(c).

  • Your identity, contact and legal transaction data relating to vehicle entry records are processed for the purpose of ensuring physical premises security, under PDPL Art. 5/2(f).

  • Your identity, contact, financial and customer transaction data processed during online reservation through the website are processed for the purpose of conducting the sales process under PDPL Art. 5/2(c) and for the purpose of protecting our rights in case of disputes under PDPL Art. 5/2(e).

  • Your identity data reported to the Gendarmerie General Command are processed and notified to the competent authorities pursuant to Law No. 1774 on Identity Notification, in accordance with PDPL Art. 5/2(a).

The necessary technical and administrative measures are taken by the establishment to prevent unlawful processing of or access to personal data.

  1. Transfer of Your Personal Data

 

Your personal data may be transferred domestically or abroad in accordance with Articles 8 and 9 of Law No. 6698, subject to the conditions set out therein.

Personal data collected on the basis of the conditions set out in Article 5 of Law No. 6698 or in accordance with your explicit consent may be transferred to individuals, institutions and companies with whom we cooperate, to shareholders and suppliers, and to third parties from whom or to whom services are received or provided, for the purposes stated above and in order to carry out the activities mentioned above, in compliance with Articles 8 and 9 of the Law.

 

Provided that adequate measures are taken, your health-related personal data may be transferred without seeking your explicit consent only by persons or authorised institutions and organisations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

In cases where it is expressly provided for by law; where it is necessary to protect the life or physical integrity of a person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid, or of another person; where it is necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract; where it is necessary for the data controller to fulfil its legal obligation; where the data has been made public; where data processing is necessary for the establishment, exercise or protection of a right; where data processing is necessary for the legitimate interests of the data controller, provided that this does not harm your fundamental rights and freedoms; and additionally where processing is carried out by persons or authorised institutions and organisations under an obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing — your personal data may be transferred abroad without seeking your explicit consent, provided that adequate protection exists in the destination country, or, in the absence of adequate protection, that the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the Personal Data Protection Board grants its permission.

The Personal Data Protection Board decides whether adequate protection exists in a foreign country and whether permission for transfer abroad should be granted, by evaluating: international agreements to which Turkey is a party, the reciprocity situation regarding data transfers between the data-requesting country and Turkey, the nature, purpose and duration of processing for each specific personal data transfer, the legislation and practice of the country to which the personal data will be transferred, and the measures committed to by the data controller in the destination country — and by seeking the opinions of relevant institutions and organisations if deemed necessary. Your personal data may only be transferred abroad with the Board's permission and by obtaining the opinion of the relevant public institution or organisation, in cases where Turkey's or your interests would be seriously harmed, subject to the provisions of international agreements.

Within this framework, your personal data may be transferred for the following purposes:

 

  1. Management of Emergency Processes

  2. Management of Information Security Processes

  3. Conducting Activities in Compliance with Legislation

  4. Management of Finance and Accounting Operations

  5. Management of Company / Product / Service Loyalty Processes

  6. Ensuring Physical Premises Security

  7. Follow-up and Management of Legal Affairs

  8. Management of Communication Activities

  9. Management of Goods / Services Sales Processes

  10. Management of Goods / Services Production and Operational Processes

  11. Management of Customer Relationship Management Processes

  12. Conducting Activities Aimed at Customer and Guest Satisfaction and Service Quality

  13. Organisation and Event Management

  14. Management of Advertising / Campaign / Promotional Processes

  15. Management of Storage and Archiving Activities

  16. Management of Contract Processes

  17. Follow-up of Requests / Complaints

  18. Ensuring Security of Data Controller Operations

  19. Management of Investment Processes

  20. Providing Information to Authorised Persons, Institutions and Organisations

  21. Management of Administrative Activities

  22. Creation and Follow-up of Visitor Records

 and for the execution of these activities.

 

  1. Your Rights as a Personal Data Subject

As a data subject under the Law, you have the right to:

  1. Learn whether your personal data is being processed,

  2. Request information if your personal data has been processed,

  3. Learn the purpose of processing your personal data and whether it is being used in accordance with that purpose,

  4. Know the third parties to whom your personal data has been transferred domestically or abroad,

  5. Request correction if your personal data has been processed incompletely or incorrectly,

  6. Request deletion or destruction of your personal data within the framework of the conditions set out in Article 7 of the PDPL,

  7. Request notification to the third parties to whom your personal data has been transferred, regarding corrections or deletions of incorrectly processed or destruction-requested personal data,

  8. Object to any outcome that arises to your detriment as a result of analysis of your processed data exclusively through automated systems,

  9. Claim compensation for damages in the event that your personal data is processed unlawfully.

In order to exercise your complaint rights as a personal data subject, you must first apply to the data controller using the contact channels below. Without exhausting this route, it is not possible to submit a complaint to the Personal Data Protection Board.

Your request will be responded to by our company, as the data controller, as soon as possible and within a maximum of 30 days, depending on the nature of the request.

In the event that your application is rejected, the response is found insufficient, or your application is not answered within the prescribed period, you may exercise your right to submit a complaint to the Personal Data Protection Board or apply directly to the courts.

           

Application Address and Contact Information:

 

COMPANY TITLE

HEAD OFFICE / BRANCH NAME

COMPANY ADDRESS

PHONE NO

E-MAIL ADDRESS

Tarşa Otel İşletmeciliği Turizm ve Tic.A.Ş

 

Arcanus Hotels

Çolaklı Mahallesi Barbaros Hayrettin Paşa Caddesi A Blok No: 10/1 Manavgat/Antalya

0242 777 03 40

 

kvkk@arcanushotelstrendlineside.com

 

 

 

  1. Retention Period of Your Personal Data

Your processed personal data is retained for the following periods, taking into account the periods specified in relevant legislation in accordance with the activities listed below, and after the processing purpose expires, it is deleted, destroyed or anonymised pursuant to Article 7 of the PDPL:

  • Accommodation records (identity, contact, customer transaction data): at least 1 year pursuant to Law No. 1774 on Identity Notification, and 10 years against possible legal disputes,

  • Invoices and financial documents: 10 years pursuant to Tax Procedure Law No. 213 and Turkish Commercial Code No. 6102,

  • Reservation, sales and customer transaction records: 10 years from the end of the service,

  • Food allergy notifications (health data): a maximum of 2 years from the end of the service,

  • Vehicle entry/exit records: a maximum of 2 years for physical premises security purposes,

  • Camera recordings: a maximum of 30 days,

  • Transaction security data (log records etc.): a maximum of 2 years pursuant to Law No. 5651 and related regulations,

  • Website reservation information: 10 years from the end of the service,

  • Passport information: 1 year after notification to the relevant law enforcement authorities pursuant to Law No. 1774 on Identity Notification.

Your personal data that needs to be processed through the methods and for the purposes stated above is retained for the period indicated in the data inventory, taking into account the statute of limitations and forfeiture periods specified in the law. If the reasons requiring the processing of your data cease to exist or the periods mandated by legislation for processing your data expire, your data will be deleted, destroyed or anonymised by our Company ex officio within periods of no more than six months, or upon your request within a maximum of thirty days, using one of the appropriate disposal methods.

Deletion of your personal data means making it inaccessible and unusable in any way for the relevant users. Destruction of your personal data means eliminating it in a way that it cannot be accessed, recovered or reused by anyone. Anonymisation of your personal data means rendering it impossible to associate with an identified or identifiable natural person through appropriate techniques. These processes are recorded and kept for 5 years for audit purposes when needed.

 

Your personal data that needs to be processed through the methods and for the purposes stated above is retained for the period indicated in the data inventory, taking into account the statute of limitations and forfeiture periods specified in the law. When the reasons requiring the processing of your data cease to exist or the periods mandated by legislation for the processing of your data expire, your data will be deleted, destroyed or anonymised by our Company ex officio within periods of no more than six months, or upon your request within a maximum of thirty days, using any one of the disposal methods.

Deletion of your personal data means making it inaccessible and unusable in any way for the relevant users.

Destruction of your personal data means eliminating it in a way that it cannot be accessed, recovered or reused by anyone in any manner.

Anonymisation of personal data means rendering the data impossible to associate with an identified or identifiable real person, even through the use of appropriate techniques.

Records of operations relating to the deletion, destruction and anonymisation of your personal data are kept as minutes. These minutes are retained for 5 years in the face of public requirements.

  1. Identity of the Data Controller

COMPANY TITLE

HEAD OFFICE / BRANCH NAME

COMPANY ADDRESS

Tax Office

Tax Number

Mernis No

 

 

Tarşa Otel İşletmeciliği Turizm ve Tic.A.Ş

.

 

Arcanus Hotels

Çolaklı Mahallesi Barbaros Hayrettin Paşa Caddesi A Blok No: 10/1 Manavgat/Antalya

 

 

Manavgat Tax

Office .

 

 

 8240756726

 

 

0824 0756 7260 0001

 

Arcanus Hotels Trendline Side — Kültür ve Turizm Bakanlığı - Turizm İşletme Belge Numarası: 20498