TEKSOY TOURISM HOSPITALITY FOOD INVESTMENT INDUSTRY TRADE INC.

PACHAMAMA HOTEL
POLICY ON PROCESSING AND PROTECTION OF PERSONAL DATA

1. Introduction

1.1. Purpose of the Policy
Within the scope of Law No. 6698 on the Protection of Personal Data ("Law");As TEKSOY TOURISM HOSPITALITY FOOD INVESTMENT INDUSTRY TRADE INC. (TEKSOY TOURISM), processing personal data in compliance with the law and protecting it are among our top priorities. We follow the same priority in all our planning and business activities. In this context, in accordance with Item10 of the Law, we present this "Policy on Processing and Protection of Personal Data" ("Policy") to inform you and to disclose all administrative and technical measures we will implement regarding the processing and protection of personal data.

1.2. Scope
This Policy establishes the conditions for the processing of personal data and sets forth the principles adopted by TEKSOY TURİZM in the processing of personal data. In this context, the Policy encompasses all personal data processing activities conducted by TEKSOY TURİZM within the scope of the Law, including all processed personal data and their owners.

1.3. Definitions

Explicit Consent
Consent that is based on information, is informed, and is freely given regarding a specific matter.
Anonymization
Rendering data that was previously associated with an individual, in any way, unable to be associated with the identity of a specific or identifiable natural person, even if matched with other data.
Job Applicant
Individuals who are not currently employed within TEKSOY TURİZM but are in the status of job candidates.
Personal Data
Any kind of information related to an identified or identifiable natural person
Data Subject
The natural person whose personal data is processed.
Processing of Personal Data
Any operation performed on personal data, whether wholly or partially by automatic means or non-automatic means, which is a part of any data recording system, including obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making it obtainable, classifying, or preventing its use.
Law
The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated April 7, 2016, and numbered 29677.
Special Category Personal Data
Racial or ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, dress and clothing, membership in associations, foundations, or unions, health, sexual life, criminal convictions, and data related to security measures, as well as biometric and genetic data.
Policy
TEKSOY TURİZM TURİZM SANAYİ VE TİCARET ANONİM ŞİRKETİ - Personal Data Processing and Protection Policy
Data Processor
Data Processor is the natural or legal person who processes personal data on behalf of and based on the authority granted by the data controller.
Data Controller
The person who determines the purposes and means of processing personal data, and manages the place where the data is systematically kept.
Data Record System
I t is a record system where personal data is processed by being structured according to specific criteria.
Business Partners
Individuals with whom TEKSOY TURİZM has established partnerships within the framework of contractual relationships in the scope of its commercial activities.

1.4. Effectiveness of the Policy
This Policy, organized by TEKSOY TOURISM, has entered into force on .............. date and has been made public. In case of any inconsistency between the regulations in force, especially the Law, and the regulations included in this Policy, the provisions of the legislation will be applied.TEKSOY TOURISM reserves the right to make changes to the Policy in parallel with legal regulations.

2. Information Regarding Personal Data Processing Activities Conducted by TEKSOY TOURISM

2.1. Data Owners
Policy within the scope of data subjects are all individuals, except TEKSOY TURİZM employees, whose personal data is processed by TEKSOY TURİZM. In general, data subjects can be listed as follows:

Data Subject
Describing the Categories
Customers 
It represents individuals who benefit from the products and services offered by TEKSOY TURİZM.
Potential Customers
It refers to individuals who show interest in the products and services offered by TEKSOY TURİZM and have the potential to become customers.
Job Applicants
It represents individuals who submit their resumes to TEKSOY TURİZM or apply for a job through other methods.
Visitors
It represents individuals who visit TEKSOY TURİZM for any reason.
Third Parties
The mentioned data subject categories represent individuals excluding TEKSOY TURİZM employees.

The data subject categories described in the table above are indicated for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate the data subject's status as specified in the Law.

2.2. Purposes of Processing Personal Data

2.2.1. Conducting necessary activities by relevant units to benefit individuals from the products and services offered by TEKSOY TOURISM and carrying out business processes:

  1. Planning and executing the sales processes of products and/or services,
  2. Planning and/or executing post-sales support service activities,
  3. Planning and executing customer relationship management processes,
  4. Monitoring contract processes and/or legal claims,
  5. Tracking customer requests and/or complaints.

2.2.2. Planning and executing human resources policies and processes of TEKSOY TOURISM:

  1. Planning and execution of talent-career development activities,
  2. Fulfillment of employment contracts and/or obligations arising from legislation for company employees,
  3. Planning and execution of benefits and perks for employees,
  4. Planning and execution of in-house orientation activities,
  5. Planning and execution of personnel exit processes,
  6. Salary management,
  7. Planning human resources processes,
  8. Planning and executing in-house assignment-promotion and resignation processes,
  9. Planning and execution of employee performance evaluation processes,
  10. Tracking and/or auditing the work activities of employees,
  11. Planning and/or executing in-house training activities,
  12. Planning and executing processes related to employee satisfaction and/or loyalty,
  13. Planning and execution of processes for receiving and evaluating suggestions for improving employee's work and/or production processes,
  14. Planning and/or executing processes for the recruitment, placement, and operation of interns and/or students.

2.2.3. Carrying out the necessary studies by relevant business units for the realization of commercial activities conducted by TEKSOY TOURISM and the execution of related business processes:

  1. Event management,
  2. Planning and execution of business activities,
  3. Planning and execution of corporate communication activities,
  4. Planning and execution of supply chain management processes,
  5. Planning and execution of production and/or operation processes,
  6. Planning, auditing, and execution of information security processes,
  7. Establishment and management of information technology infrastructure,
  8. Planning and execution of access authorization of business partners to information,
  9. Monitoring financial and/or accounting affairs,
  10. Planning and execution of corporate sustainability activities,
  11. Planning and execution of corporate governance activities,
  12. Planning and/or executing activities to ensure business continuity,
  13. Planning and execution of logistics activities.

2.2.4. Planning and executing activities necessary for the customization, recommendation, and promotion of products and services offered by TEKSOY TOURISM according to the preferences, usage habits, and needs of the relevant individuals:

  1. Identification and/or evaluation of individuals to be subject to sales and marketing activities based on consumer behavior criteria,
  2. Design and/or execution of personalized sales, marketing, and/or promotional activities,
  3. Design and/or execution of advertising, and/or promotional, and/or marketing activities on digital and/or other platforms,
  4. Design and/or execution of activities developed for customer acquisition and/or value creation in existing customers on digital and/or other platforms,
  5. Planning and/or execution of data analysis studies for sales and marketing purposes,
  6. Planning and execution of sales and marketing processes of products and/or services,
  7. Planning and execution of processes for creating and/or increasing loyalty to the products and/or services offered by TEKSOY TOURISM.

2.2.5. Planning and executing commercial and/or business strategies of TEKSOY TOURISM:

Managing relationships with business partners.

2.2.6. Ensuring legal, technical, and commercial business security of TEKSOY TOURISM and individuals in business relationship with TEKSOY TOURISM:

  1. Tracking legal affairs,
  2. Planning and execution of operational activities to ensure that company activities are carried out in accordance with company procedures and/or relevant legislation,
  3. Providing information to competent authorities in accordance with legislation,
  4. Creation and tracking of visitor records,
  5. Planning and execution of emergency management processes,
  6. Realization of corporate law transactions,
  7. Planning and execution of company audit activities,
  8. Planning and/or execution of occupational health and/or safety processes,
  9. Management of credit processes risk management,
  10. Ensuring the security of company campuses and/or facilities,
  11. Ensuring the security of company operations,
  12. Planning and execution of financial risk processes of the company,
  13. Ensuring the security of company assets and/or resources.

2.3.Personal Data Categories

The following categories of personal data categorized by TEKSOY TOURISM are processed in compliance with the conditions for processing personal data stipulated in the Law and related legislation:

Data Subject
Describing the Categories
Identity information
Identity card, driver's license, residence permit, passport, lawyer's ID, marriage certificate, and similar information found in documents.
Contact information
Contact information used to communicate with a person (e.g., email address, phone number, mobile phone number, address).
Customer information
Information about customers who benefit from our products and services (e.g., reservation details, travel history, information about vehicles used for transportation to the facility, reserved hotel, airline, and car rental packages, affiliated groups for accommodation at the facility, frequent flyer or Travel Partnership Program memberships and membership numbers, information provided in membership and account applications).
Customer transaction information
Information about any transactions carried out by customers who benefit from our products and services.
Physical space security information
Personal data related to records and documents such as camera recordings taken upon entry to a physical space and during the stay within the physical space.
Transaction security information
Personal data processed to ensure the technical, administrative, legal, and commercial security of TEKSOY TURİZM's commercial activities.
Financial information
Personal data processed regarding any financial results showing information, documents, and records created based on the type of legal relationship established between TEKSOY TURİZM and the data subject.
Job applicant information
Personal data processed regarding individuals who have applied to be an employee of TEKSOY TURİZM, evaluated as a job candidate based on human resources needs or in accordance with commercial customs and integrity rules, or individuals in an employment relationship with the company.
Legal transaction and compliance information
Personal data processed for the determination, follow-up of legal receivables and rights, fulfillment of obligations, and compliance with legal obligations and company policies of TEKSOY TURİZM.
Audit and inspection information
Personal data processed for compliance with legal obligations and company policies of TEKSOY TURİZM.
Special category of personal data
Employee health, criminal convictions, and security measures-related data.
Sales and Marketing information
The personal data processed by TEKSOY TURİZM for the purpose of customizing the sales and marketing of the products and services offered by TEKSOY TURİZM based on the usage habits, preferences, and needs of the data subject, as well as the reports and evaluations created as a result of this processing.
Request/Complaint Management Information
Personal data related to the receipt and evaluation of any requests or complaints directed to TEKSOY TURİZM. This includes special preferences in accommodation, marketing, and communication; evaluations, opinions, or complaints about brands and facilities.
Reputation Management Information
Information collected for the purpose of protecting TEKSOY TURİZM's commercial reputation, along with evaluation reports and actions taken in this regard.
Event Management Information
Personal data processed for the purpose of taking necessary legal, technical, and administrative measures against events that may affect TEKSOY TURİZM's commercial rights and interests, as well as the rights and interests of its customers.

3. Principles and Conditions for Processing Personal Data
TEKSOY TURİZM processes personal data in accordance with Article 4 of the Law, acting in compliance with the law and principles of honesty, ensuring that the data is accurate, up-to-date when necessary, specific, clear, and processed for legitimate purposes. The processing activities are limited, proportionate, and related to the specified purposes. TEKSOY TURİZM retains personal data for the duration specified by the laws or as long as necessary for the purpose of processing personal data.

3.1. Principles for Processing Personal Data
TEKSOY TOURISM informs data owners in accordance with Item 10 of the Law and, when consent is required, requests their consent, processing these personal data based on the principles stated below.

3.1.1. Processing Data in Compliance with the Law and Fairness
TEKSOY TOURISM acts in accordance with the principles established by legal regulations and the general trust and fairness rule in the processing of personal data. In accordance with the principle of fairness, TEKSOY TOURISM strives to achieve its data processing goals while taking into account the interests and reasonable expectations of the relevant individuals.

3.1.2. Ensuring the Accuracy and Timeliness of Personal Data
Ensuring that personal data is kept accurate and up-to-date is necessary for the protection of the fundamental rights and freedoms of the data subjects from TEKSOY TOURISM's perspective. In this regard, TEKSOY TOURISM has an active duty of care to keep the information of the data subject accurate and up-to-date, and all communication channels are open for this purpose.

3.1.3. Processing Data for Specified, Explicit, and Legitimate Purposes
TEKSOY TOURISM clearly and precisely determines the legitimate and legal purpose of processing personal data. It processes only the personal data necessary for the purposes that are directly related to its commercial activities and necessary for the conduct of its business.

3.1.4. Connection, Limitation, and Proportionality of Data Processing with the Purpose
TEKSOY TOURISM processes personal data within the purposes suitable for its business subject and necessary for the conduct of its business. Therefore, TEKSOY TOURISM processes personal data in a way that is conducive to achieving the defined purposes and avoids processing personal data that is not related to the realization of the purpose or is unnecessary.

3.1.5. Retention of Data Until the Period Prescribed in the Relevant Legislation or Required for the Purpose for Which They Were Processed
TEKSOY TOURISM retains personal data only for the period prescribed in the relevant legislation or required for the purpose for which they were processed. In this context, TEKSOY TOURISM first determines whether there is a specified period for storing personal data in the relevant legislation. If a period is determined, it acts in accordance with this period; if no period is specified, it keeps personal data for the duration necessary for the purpose of processing. After the purpose of personal data processing has ceased or upon the expiration of the period specified in the legislation, personal data is deleted, destroyed, or anonymized by TEKSOY TOURISM.

3.2. Conditions for Processing Personal Data

In accordance with Item 5 of the Law, personal data processing is carried out by TEKSOY TOURISM if at least one of the personal data processing conditions specified in Article 5 of the Law exists.

3.2.1. Explicit Consent of the Data Subject
One of the conditions for the processing of personal data is the explicit consent of the data subject. The explicit consent of the data subject must be disclosed based on informed consent, and it must be given freely and with free will. TEKSOY TOURISM obtains explicit consent through relevant methods from customers, potential customers, and visitors for the processing of their personal data.

3.2.2. Clearly Foreseen in the Laws for Personal Data Processing Activities
If personal data processing is clearly foreseen in the laws, personal data can be processed without the explicit consent of the data subject.

3.2.3. Inability to Obtain Explicit Consent Due to Impossibility
In cases where it is impossible to obtain explicit consent due to factual impossibility or the person is unable to express consent, and processing personal data is necessary to protect the life or bodily integrity of the data subject or another person, personal data may be processed.

3.2.4. Directly Related to the Establishment or Performance of a Contract
If the processing of personal data is necessary for the establishment or performance of a contract, personal data can be processed.

3.2.5. Fulfillment of Legal Obligations of TEKSOY TOURISM
If the processing of personal data is necessary for TEKSOY TOURISM to fulfill its legal obligations, personal data may be processed.

3.2.6. Disclosure of Personal Data by the Data Subject
If the data subject has publicly disclosed their personal data, TEKSOY TOURISM may process the relevant personal data.

3.2.7. Mandatory Processing for the Establishment, Exercise, or Protection of a Right
If personal data processing is mandatory for the establishment, exercise, or protection of a right, personal data may be processed.

3.2.8. Mandatory Processing for the Legitimate Interests of TEKSOY TOURISM
Personal data may be processed for the legitimate interests of TEKSOY TOURISM, provided that it does not harm the fundamental rights and freedoms of the data subject.

3.3. Processing of Special Categories of Personal Data
TEKSOY TOURISM complies with the regulations specified in the Law regarding the processing of special categories of personal data. Special categories of personal data are processed by TEKSOY TOURISM in the following cases:

With the explicit consent of the data subject.

In cases where the explicit consent is not obtained, special categories of personal data other than health and sexual life can be processed if it is explicitly permitted by the laws.

Health-related and sexual life-related special categories of personal data are processed by individuals or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and their financing.

4. Transfer of Personal Data

TEKSOY TURİZM, legal purposes of processing personal data in accordance with the law, takes necessary security measures to transfer the data owner's personal information and specially qualified personal data to third parties domestically or internationally. In this regard, TEKSOY TURİZM complies with the regulations outlined in Item 8 of the Personal Data Protection Law

4.1. Transfer of Personal Data to Third Parties within the Country
Personal data can be transferred by TEKSOY TOURISM if at least one of the data processing conditions specified in Items 5 and 6 of the Law exists and subject to compliance with the basic principles related to data processing conditions explained under the 3rd heading of this Policy.

4.2. Transfer of Personal Data to Third Parties Abroad
TEKSOY TURİZM, under the 3rd heading of this Policy, may transfer the personal data and specially qualified personal data of the data owner to third parties abroad, provided that at least one of the data processing conditions explained is present and necessary security measures are taken. Personal data processed by TEKSOY TURİZM may be transferred to foreign countries ("Countries with Adequate Protection") declared by the Personal Data Protection Board to have adequate protection, or in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country have committed to providing adequate protection in writing and with the permission of the Personal Data Protection Board ("Country of Data Controller Committing Adequate Protection"). In this regard, TEKSOY TURİZM complies with the regulations outlined in Article 9 of the Personal Data Protection Law.

4.3. Third Parties to Whom Personal Data is Transferred and Purposes of Transfer
TEKSOY TOURISM can transfer data in compliance with the general principles of the Law and data processing conditions specified in Items 8 and 9 to the categories of parties categorized in the table below:

Persons/Entities Authorized for Data Transfer
Definition
Purpose
Business partner
Parties with whom TEKSOY TURİZM has formed business partnerships while conducting its commercial activities
Limited sharing of personal data is carried out to ensure the fulfillment of the objectives of establishing the business partnership
Shareholders
Shareholders authorized to design strategies and control activities related to TEKSOY TURİZM's commercial operations in accordance with relevant legislation provisions
Limited sharing of personal data is done for the purpose of designing strategies related to TEKSOY TURİZM's commercial activities and for audit objectives.
Company Officials
Board members and other authorized individuals
Limited sharing of personal data is done for the purpose of designing strategies related to TEKSOY TURİZM's commercial activities, ensuring top-level management, and for audit objectives
Legally Authorized Public Institutions and Organizations
Public institutions and organizations authorized to request information and documents from TEKSOY TURİZM legally
Limited sharing of personal data is carried out for the purpose of information requests from relevant public institutions and organizations
Legally Authorized Private Legal Entities
Legally authorized private legal entities to request information and documents from TEKSOY TURİZM
Limited sharing of data is carried out for the purpose requested within the legal authority of the relevant private legal entities

5. Rights of the Data Subject and Exercise of Related Rights

5.1. Rights of the Data Subject:

Learning whether personal data is processed and request information if processed.
Requesting information if personal data has been processed.
Learning the purpose of processing personal data and whether they are used appropriately for their purpose.
Knowing the third parties to whom personal data is transferred, whether domestically or abroad.
Requesting correction of personal data if it is incomplete or incorrectly processed and request notification of the correction made to third parties to whom the personal data has been transferred.
Requesting the deletion, destruction, or anonymization of personal data in case the reasons requiring its processing cease to exist, despite being processed in accordance with the provisions of the Law and other relevant laws, and request notification of the transaction made to third parties to whom the personal data has been transferred.
Objecing to the occurrence of a result against the individual by analyzing the processed data exclusively through automated systems. Requesting compensation for the damages incurred due to the unlawful processing of personal data.

5.2. Cases where the Data Subject Cannot Assert Their Rights:
Personal data owners cannot assert their rights as listed in Item 5.1 in the cases excluded from the scope of the Personal Data Protection Law, in accordance with Item 28 of the Personal Data Protection Law:

The processing of personal data by individuals solely within the scope of activities related to themselves or family members living in the same household, provided that it is not disclosed to third parties and the obligations regarding data security are adhered to.
The processing of personal data for research, planning, and statistical purposes by rendering them anonymous through official statistics.
The processing of personal data for artistic, historical, literary, or scientific purposes, or for the freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or individual rights, and does not constitute a crime.
The processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities for ensuring national defense, national security, public safety, public order, or economic security.
The processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial, or execution processes.

In accordance with Item  28.2 of the Personal Data Protection Law, personal data owners cannot assert their rights, except for the right to request remedy for damages, listed in 5.1 in the following cases:

When processing of personal data is necessary for the prevention of a crime or for the investigation of a crime,
Processing of personal data that has been publicly disclosed by the data subject,
When personal data processing is necessary for the performance of duties and powers by authorized public institutions and organizations or professional organizations with the status of a public institution, for the conduct of inspection or regulation duties, or for the investigation or prosecution of disciplinary matters,
When processing of personal data is necessary for the protection of the State's economic and financial interests concerning budget, tax, and financial matters.

6. Rights of the Data Subject and Exercise of Related Rights

Even if personal data has been processed in compliance with the relevant legal provisions stipulated in Item 138 of the Turkish Penal Code and Item  7 of the Personal Data Protection Law, if the reasons necessitating its processing cease to exist, TEKSOY TURİZM deletes, destroys, or anonymizes personal data based on the decision of TEKSOY TURİZM or upon the request of the data subject. In this context, TEKSOY TURİZM has implemented necessary technical and administrative measures within the Company to fulfill its obligations; has established operational mechanisms; and, in order to comply with these obligations, educates relevant departments, assigns responsibilities, and ensures awareness.

Contact Us

To convey all your questions and opinions about the Personal Data Protection Policy, contact us!
www.pachamamahotel.com