KVKK PROTOCOLS

PRIVACY NOTICE (For Hotel Guests)

In this privacy notice prepared pursuant to the Personal Data Protection Law No. 6698 (“KVK Law” / “KVKK”), you may find explanations regarding the processing of your personal data at the accommodation facility owned and/or operated by the data controller Tarşa Otel İşletmeciliği Turizm ve Tic. A.Ş and/or its branches (hereinafter referred to as “Arcanus Hotels”).
For further details regarding the explanations contained in this notice, you may refer to the Data Controller’s KVKK Policy and the documents included in its annexes.

Your Personal Data Processed

a) Identity and Family Information
[Name-surname, Turkish ID No. (TCK No), Passport No., place and date of birth, marital status, gender, child’s name, number of children, ages and dates of birth, signature, voucher (travel card) information and register card (accommodation card) information, room type and number, flight number, hotel stayed at, accommodation dates and amount]

b) Contact Information
[address, telephone number, e-mail address]

c) Customer Transaction Information
[(Vehicle plate number, survey form, records related to product and service provision, requests, instructions, photographs, special days such as marriage/birth anniversaries, invoice information, order information, request information]

d) Physical Premises Security Information
[Entry/exit record information of customers and visitors, camera recordings]

e) Transaction Security Information
[IP address, hotspot records, password and passphrase information, website entry/exit information, log and digital traffic records]

f) Financial Information
[Credit card number, account number, expiration date]

g) Visual and Audio Records and Information
[Visual and audio records and information]

h) Health Information
[Information regarding disability status, chronic illnesses, past diseases, asthma, diabetes, heart and blood pressure diseases, personal health information]

1. Method of Collection of Your Personal Data and Legal Grounds

Pursuant to this privacy notice, your personal data are obtained verbally, in writing or electronically, either automatically or non-automatically provided that they form part of a data recording system, through information, documents and similar means communicated by you or by third parties with whom we cooperate, have contractual relations, or from whom we receive/provide services as required for conducting our activities.

These data may be processed due to your explicit consent within the scope of Article 5 of the KVK Law, and in cases where explicit consent is not required, may be processed directly if one of the conditions below exists:

a) Expressly stipulated in laws.
b) Mandatory for the protection of the life or physical integrity of the person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid, or of another person.
c) Necessary for the establishment or performance of a contract, provided that it is directly related to the contract.
d) Mandatory for the data controller to fulfill its legal obligation.
e) Made public by the data subject.
f) Mandatory for the establishment, exercise or protection of a right.
g) Mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Within the scope of Article 6 of the KVK Law, your special categories of personal data other than health and sexual life data may be processed based on your explicit consent or in cases stipulated in laws in accordance with the said article.
In the absence of your explicit consent, your personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons under the obligation of confidentiality or authorized institutions and organizations.

2. Purposes of Processing Your Personal Data

In accordance with Articles 4, 5 and 6 of the KVK Law, your personal data are processed in compliance with the law and principles of good faith; accurately and up to date; for specific, explicit and legitimate purposes; limited and proportionate to the purposes; and retained for the period stipulated in relevant legislation or required for the purpose of processing, for the following purposes:

Your identity, contact, legal transaction and customer transaction data contained in the accommodation card are processed for the purpose of providing accommodation services, pursuant to KVKK Art. 5/2(c) (necessity for the establishment or performance of a contract).
Your identity and health data contained in the food allergy form are processed for providing services suitable for the guest; for health data pursuant to KVKK Art. 6/3(a), and for other data pursuant to KVKK Art. 5/2(c).
Your identity, legal transaction, finance and customer transaction data for issuing an invoice in your name are processed for conducting accounting processes pursuant to KVKK Art. 5/2(c).
Your identity, finance, legal transaction and customer transaction data related to reservation transactions are processed for conducting sales and operational processes pursuant to KVKK Art. 5/2(c).
Your identity, contact and legal transaction data related to vehicle entry records are processed for ensuring physical premises security pursuant to KVKK Art. 5/2(f).
Your identity, contact, finance and customer transaction data processed during reservation via the website are processed for conducting the sales process pursuant to KVKK Art. 5/2(c) and for protecting our rights in case of disputes pursuant to KVKK Art. 5/2(e).
Your identity data reported to the Gendarmerie General Command are processed and notified to authorized authorities pursuant to the Law No. 1774 on Identity Notification, in accordance with KVKK Art. 5/2(a).

The Company takes necessary technical and administrative measures to prevent unlawful processing of and/or unlawful access to personal data.

3. Transfer of Your Personal Data

Your personal data may be transferred domestically or abroad in accordance with Articles 8 and 9 of the KVK Law, if the relevant conditions exist.

Based on the conditions in Article 5 of the KVK Law and/or your explicit consent, the personal data obtained may be transferred—within the scope of the purposes stated above and in order to perform the activities stated above—to persons, institutions and companies with whom we cooperate, and to third parties from whom we receive services or to whom we provide services, as well as to stakeholders, suppliers and other interacting persons/institutions, in compliance with the provisions of Articles 8 and 9 of the Law.

Provided that sufficient measures are taken, your personal data relating to health may be transferred without seeking the data subject’s explicit consent only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by persons under the obligation of confidentiality or authorized institutions and organizations.

In cases expressly stipulated in laws; where it is mandatory for the protection of life or physical integrity due to actual impossibility; where it is necessary for the establishment/performance of a contract; where it is mandatory for the data controller to fulfill a legal obligation; where the data has been made public; where processing is mandatory for the establishment/exercise/protection of a right; where it is mandatory for the data controller’s legitimate interests provided that it does not harm your fundamental rights and freedoms; and additionally for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing—provided that it is carried out by persons under confidentiality obligations or authorized institutions/organizations—your personal data may be transferred abroad without seeking your explicit consent, provided that:

the foreign country offers adequate protection, or
if adequate protection is not available, the data controllers in Türkiye and in the relevant foreign country undertake in writing to provide adequate protection and the Personal Data Protection Board grants permission.

The Personal Data Protection Board decides whether adequate protection exists in the foreign country and whether to permit transfer abroad by taking into account, among others, international conventions to which Türkiye is a party, reciprocity status regarding data transfer between Türkiye and the country requesting personal data, the nature of the personal data and the purposes/duration of processing for each specific transfer, the legislation and practice of the recipient country, and the measures undertaken by the data controller in the recipient country; and if necessary, by obtaining the opinions of relevant institutions and organizations.
Without prejudice to international convention provisions, in cases where Türkiye’s interests or your interests would be seriously harmed, your personal data may be transferred abroad only with the Board’s permission and by obtaining the opinion of the relevant public institution/organization.

Within this framework, your personal data may be transferred for the following purposes:

Conducting Emergency Management Processes
Conducting Information Security Processes
Conducting Activities in Compliance with Legislation
Conducting Finance and Accounting Affairs
Conducting Loyalty Processes for Company / Products / Services
Ensuring Physical Premises Security
Following Up and Conducting Legal Affairs
Conducting Communication Activities
Conducting Sales Processes of Goods / Services
Conducting Goods / Service Production and Operational Processes
Conducting Customer Relationship Management Processes
Conducting Activities Aimed at Customer/Guest Satisfaction and Service Quality
Organization and Event Management
Conducting Advertising / Campaign / Promotion Processes
Conducting Storage and Archiving Activities
Conducting Contract Processes
Following Up Requests / Complaints
Ensuring the Security of the Data Controller’s Operations
Conducting Investment Processes
Providing Information to Authorized Persons, Institutions and Organizations
Conducting Management Activities
Creating and Following Up Visitor Records

4. Your Rights as a Data Subject

Under the Law, as the data subject (relevant person), you have the right to:

a) Learn whether your personal data are processed,
b) Request information if your personal data have been processed,
c) Learn the purpose of processing and whether they are used in accordance with the purpose,
d) Know the third parties to whom your personal data are transferred domestically or abroad,
e) Request correction of your personal data if processed incompletely or incorrectly,
f) Request deletion or destruction of your personal data within the framework of the conditions set forth in Article 7 of the KVKK,
g) Request notification of the correction/deletion/destruction to third parties to whom the data have been transferred,
h) Object to the emergence of a result against you by analyzing the processed data exclusively through automated systems,
i) Request compensation for damages in case you suffer damages due to unlawful processing of your personal data.

In order to exercise your complaint rights as a data subject, you must first apply to the data controller through the communication channels below. Without exhausting this route, a complaint cannot be filed with the Personal Data Protection Board.
Depending on the nature of your request, your application will be answered by our Company as data controller as soon as possible and no later than 30 days.
If your application is rejected, if the response is found insufficient, or if you do not receive a response within due time, you may file a complaint with the Personal Data Protection Board or apply directly to judicial remedies.

Application Address and Contact Information:

5. Retention Period of Your Personal Data

Your processed personal data are retained in accordance with the activities stated below—taking into account the periods specified in relevant legislation—and after the processing purpose ends, to be deleted, destroyed or anonymized pursuant to Article 7 of the KVKK, for the following periods:

Accommodation records (identity, contact, customer transaction data): at least 1 year pursuant to Law No. 1774, and 10 years against possible legal disputes,
Invoices and financial documents: 10 years pursuant to the Tax Procedure Law No. 213 and the Turkish Commercial Code No. 6102,
Reservation, sales and customer transaction records: 10 years from the end of the service,
Food allergy notifications (health data): maximum 2 years from the end of the service,
Vehicle entry/exit records: maximum 2 years for physical premises security purposes,
Camera recordings: maximum 30 days,
Transaction security data (log records etc.): maximum 2 years pursuant to Law No. 5651 and related regulations,
Website reservation information: 10 years from the end of the service,
Passport information: 1 year after notification to law enforcement pursuant to Law No. 1774.

Your personal data that must be processed by the methods and for the purposes stated above are retained for the period shown in the data inventory, also taking into account limitation periods and time bars specified in the legislation. If the reasons requiring processing cease to exist or if the legally mandatory retention periods expire, your data are deleted, destroyed or anonymized by our Company ex officio at the latest in six-month periods, or upon your request within the latest thirty days, by using one of the appropriate disposal methods.

Deletion of personal data means making the personal data inaccessible and unusable in any manner for the relevant users. Destruction of personal data means eliminating the personal data in such a way that no one can access, retrieve or use it again. Anonymization of personal data means rendering the data incapable of being associated with an identified or identifiable natural person, even through the use of appropriate techniques. These actions are recorded and kept for 5 years for audit purposes when necessary.

Your personal data that must be processed by the methods and for the purposes stated above are retained for the period specified in the data inventory, also taking into account limitation periods and time bars specified in the legislation. If the reasons requiring processing cease to exist or if the legally mandatory retention periods expire, your data are deleted, destroyed or anonymized by our Company ex officio at the latest in six-month periods, or upon your request within the latest thirty days, by using any one of the disposal methods.

Deletion of personal data means making the personal data inaccessible and unusable in any manner for the relevant users.
Destruction of personal data means making the personal data inaccessible, irretrievable and unusable by anyone in any manner.
Anonymization of personal data means making the data incapable of being associated with an identified or identifiable natural person, even through the use of appropriate techniques.

All actions related to deletion, destruction and anonymization are recorded in a report. In view of public requirements, these reports are retained for 5 years.

6. Identity of the Data Controller

Arcanus Hotels Trendline Side — Kültür ve Turizm Bakanlığı - Turizm İşletme Belge Numarası: 20498