GARDENIA HOTELS PERSONAL DATA PROCESSING POLICY
This personal data processing policy has been prepared in order to determine the procedures and principles to be applied by GARDENIA HOTELS regarding the processing of personal data, in accordance with the Personal Data Protection Act #6698.
The personal data of our employees, employee candidates, guests and all natural entities who share personal data with GARDENIA HOTELS for any reason is managed in accordance with current legislation and our Personal Data Processing Policy.
Act / KVKK: Act #6698 of Personal Data Protection, dated 3/24/2016.
Board / Institution: Personal Data Protection Board / Personal Data Protection Authority.
Personal Data: Any information relating to an identified or identifiable natural person.
Relevant Person: The person whose personal data is processed.
Express Consent: Consent based on information about a particular subject and obtained with free will.
Anonymization: Making personal data unmatchable to any natural or legal entity even by processing it with other data.
Deleting Personal Data: Making personal data inaccessible and unusable to Related Users.
Destruction of Personal Data: The process of making personal data inaccessible, unusable and irretrievable to any person in any possible way.
Processing of Personal Data: Includes acquisition, storage, protection, modification, rearrangement, definition, classification, denial of use, transfer and further reacquisition of any data, as part of fully or partially automated process or by a recording system.
Data Processor: A natural or legal entity which processes personal data on behalf of the Data Responsible.
Data Responsible: A natural or legal entity which determines the purposes and ways of processing personal data and is responsible for the establishment and management of the data recording system.
Special Personal Data: Includes information about race, ethnicity, political thoughts and views, philosophical beliefs, religion, sect or other beliefs, personal clothing preferences, memberships in associations, foundations or professional unions, health condition, sexual life, criminal convictions, security precautions as well as biometric and genetic data.
Obligation of Clarification: In the process of obtaining personal data, the entity in charge of the data or the person authorized by it is obliged to: introduce the Data Responsible and the representative of the Data Responsible if present, clarify the purpose of personal data processing, inform about purposes of data processing and natural or legal entities who may have access to it, explain the method and legal reason for the collection of personal data, and give information about other rights listed in Article 11 of the Act.
Sedna: Front desk management program with guest, human resources, accounting, employee data and GARDENIA HOTELS Purchase Automation System.
Disposal Policy: The policy on which the data responsible establishes the maximum amount of time required for the purpose of deletion, destruction and anonymization of the processed data.
Recorded Media: Any electronic media containing personal data that is either fully or partially automated or processed by non-automated means provided that it is part of any data recording system.
Virtual POS Payment System: Online payment system.
4. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
4.1. Compliance with law and integrity: GARDENIA HOTELS protect the individual rights of the people involved in the processing of personal data. Personal data is collected and processed in a fair and lawful manner.
4.2. Processing for specific, clear and legitimate (transparent) purposes and being limited in relation to the purpose for which the data is processed: Before starting the processing, GARDENIA HOTELS establish the purpose for which the personal data will be processed. GARDENIA HOTELS process personal data only for the purpose of providing better service to those concerned. During the acquisition of personal data, the persons concerned are informed about the identities of the Data Responsible and its representatives if any are present, the purpose of the personal data processing, to whom and for what purposes the data can be transferred, the method and legal reasons of data collection, and their available legal rights.
4.3. Storage of data according to the purposes of acquisition or the time required by relevant legislation: GARDENIA HOTELS maintains personal data only for the period required for the purpose for which it was specified or processed, in accordance with the relevant legislation. GARDENIA HOTELS and its subsidiaries will continue to process and maintain personal data in accordance with the purposes set forth in this policy, provided that the personal data is deemed necessary for the purposes for which it is processed and required by regulatory authorities and/or relevant laws and regulations.
4.4. Accuracy of information, keeping data up to date: GARDENIA HOTELS keeps processed personal data accurate, complete and up to date. Inaccurate or incomplete data is deleted, corrected, completed or updated on demand.
4.5. Privacy and data security: Personal data is always kept hidden. It is considered confidential at the personal level so necessary technical and administrative measures are taken to ensure the proper level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as to prevent accidental loss, alteration or destruction and to protect personal data.
5. SCOPE OF DATA PROCESSING
Personal data processing is performed in two distinct ways:
Fully or partially automated processing of data is performed through data collection, recording, photography, organization, storage by the concerned person or third parties for the purpose of transfer, spread or other means of presentation, grouping or merging, blocking, deleting or destroying as well as replacement, reinstatement, recovery or disclosure.
Non-automated processing of data covers the recording, storage, preservation, modification, reorganization, disclosure, transfer, recovery, classification or use of any means of recording.
5.1. GARDENIA HOTELS shall be entitled to process the personal information of the person concerned during the period of use of the services provided and following the termination of the service relationship, in accordance with the purposes set forth in this policy.
5.2. Personal data processing by GARDENIA HOTELS covers any action taken on data using non-automated, semi-automated and fully automated means without restrictions.
5.3. GARDENIA HOTELS processes the data of the person or people under authority of the concerned person.
5.4. Data processing also includes sharing data within instructions given by GARDENIA HOTELS and/or with express consent of the relevant person and/or third parties when GARDENIA HOTELS is processing the data by a third party, acting in favor of the relevant person.
5.5. The express consent of the concerned person includes, but is not limited to; the use of various electronic channels (web browsers, websites, the Internet, mobile applications, payment methods, technical methods and channels used for money transfer and reception), consent to data processing. (For example, when using the electronic channels, it is possible that the location of the person concerned may be detected, identification and analysis of input data may be performed, frequency of product selection and/or other statistical data may be acquired.)
6. BASICS OF DATA PROCESSING
6.1. Even if the contractual relationship is terminated by the concerned person during the benefiting of services provided by GARDENIA HOTELS, GARDENIA HOTELS acknowledge that it is necessary to process the information belonging to the person or third parties specified by the person concerned for the purposes below.
a) The provision and/or implementation of a service for the concerned person,
b) In cases when data processing is compulsory in order to protect the legal rights of GARDENIA HOTELS and/or third parties,
c) Fulfillment of legal obligations by GARDENIA HOTELS,
d) When a contract between GARDENIA HOTELS and the relevant person is established or the data processing is directly related to its execution
e) When it is mandatory for the establishment, fulfillment or protection of a right,
f) Other matters to which the concerned person expressly consents,
g) Other matters clearly stipulated in the relevant legislations.
6.2. The express consent of the concerned person shall mean that the person has accepted the policy and its provisions.
7. DATA PROCESSING OBJECTIVES
GARDENIA HOTELS and/or third parties that process personal data shared consensually, as well as the concerned people may process the personal data of the person or people under authority of the concerned person or people for the following purposes:
a) Realization of accommodation services as declared, provision of better and more reliable services to the guest,
b) In order to realize and receive payments done by GARDENIA HOTELS with the Virtual POS Payment System. In this process, the guest's personal information (includes name, surname, date of birth, e-mail address, phone number and credit card) may be requested, information research and survey evaluations, planning, statistics, archiving services can be performed, customer satisfaction studies can be done.
c) In order to optimize and improve the services of GARDENIA HOTELS. It may be necessary to check the accommodation history and/or behavior models of the person concerned.
d) To offer new and/or additional services or non-service products,
e) To change the conditions of services offered by GARDENIA HOTELS,
f) To execute analysis of statistical data, preparation and presentation of various reports, researches and/or presentations,
g) To ensure security; identify and/or prevent abuse as well as other criminal activities,
h) To meet the complaints, questions and requests of the concerned person or people,
i) To verify the identity of the concerned person,
j) To fulfill marketing, promotion and campaign activities for accommodation services,
k) To fulfill the other purposes stipulated in national and international laws and regulations.
8. PROCESSING, TRANSFERRING AND DISCLOSURE OF DATA:
GARDENIA HOTELS fulfill the obligations imposed by the relevant legislation and board policy decisions regarding the processing, transfer or disclosure of personal data. Depending on the content and variety of accommodation services, the personal data of the person and concerned parties that may be acquired, transferred or disclosed includes, but is not limited to: name and surname of the concerned person or people, personal identification number and/or information displayed on the identity card, business and/or residence address, fixed/mobile phone number, personal e-mail address, data on the concerned person or people's employer, as well as information on employment conditions (place of work, wages, working hours, etc.), other activities of the person (people) and/or the third parties specified by the person (people) when using various electronic channels and/or the Internet (for example, verification of channels, actions taken, or transaction history).
8.1. If the concerned person gives personal data about third parties (family members, employers etc.) to GARDENIA HOTELS in order to benefit from the services, the person who has given the data to GARDENIA HOTELS will be held responsible for obtaining the consent for the processing of this personal data.
8.2. If the concerned person provides any kind of information to GARDENIA HOTELS (or its authorized personnel), this person is deemed to have given the required explicit consent and GARDENIA HOTELS no longer has the obligation to obtain such explicit consent.
8.3. In the event that personal and/or special personal data is processed without the express consent of the person concerned and harm arises as a result of such transaction, GARDENIA HOTELS is liable to cover the resulting losses.
8.4. The express consent of the person concerned includes processing of various electronic channels (but is not limited to, the technical methods and channels used for web browsing, websites, the Internet, mobile applications, payment transactions, money transfer and reception). (For example, when the concerned person interacts with the electronic channel, the location of the concerned person may be detected, input data may be identified and analyzed, frequency of product selection and/or other statistical data may be acquired.)
8.5. GARDENIA HOTELS retain the right to send SMS, voice and/or other marketing messages (for direct marketing) until the concerned person executes his/her right to reject being contacted through fixed and/or mobile phone number, e-mail address and other contact information provided by him/her. GARDENIA HOTELS have the right to send commercial electronic messages under the Act on the Regulation of Trade.
8.6. The concerned person has the right to share his personal data with GARDENIA HOTELS' subsidiaries and/or shareholders for various marketing offers.
8.7. The advertising/information messages (such as advertising brochures, promotional images, verbal offers etc.) may be distributed at the service points of GARDENIA HOTELS, or the electronic channels of GARDENIA HOTELS (or its affiliates) by means of internet and/or mobile marketing. The content shown during the use of the products can not be considered as direct marketing and the concerned person does not have the right to demand the termination of the publication and/or display of such content.
9. DATA PROCESSING OF APPLICANTS AND EMPLOYEES:
9.1. Processing of personal data in order to conclude, execute, maintain and terminate a service contract: GARDENIA HOTELS process personal information announced by the concerned person due to start of work, trial period and/or internship. This data is processed to ensure protection and uninterrupted maintenance of personal rights arising from the service contract, to provide employees with occupational health and safety services, for work permit procedures, for the evaluation of personal job applications, for the purposes of performance evaluation and follow-up of the recruitment processes, training activities, improvement of working conditions, execution of personal development processes and fulfillment of training processes, has the right.
In the process of employment application, the collection of information about the applicant through third parties is carried out in accordance with the provisions of the Personal Data Protection Act #6698.
Applicant's explicit consent is required for the processing of personal data relating to the business relationship. This does not include the data related to employment contract.
9.2. Processing of Personal Data: Special Personal Data can only be processed with the express consent to processing of special personal data of the concerned person. In accordance with law; personal data other than health and sexual life, shall be kept confidentially under responsibility of authorized institutions and organizations.
Special Personal Data acknowledged here is acquired for the protection of public health, preventive medicine, medical diagnosis, treatment and care services; economical, medical planning and management.
10. TRANSFER AND DISTRIBUTION OF DATA TO AND FROM THIRD PARTIES
In order to serve the concerned person, this policy is transferred/shared with the concerned person and/or specified third parties by GARDENIA HOTELS. The concerned person gives GARDENIA HOTELS the right to process information concerning all departments, the Internet, call centers, public institutions and organizations and the parties to whom GARDENIA HOTELS distribute the services that are complementary or an extension of their activities, to obtain this information completely or partially by means of their suppliers or by non-automatic means provided that they are part of any registration system, to store, preserve, modify, rearrange, disclose, transfer, takeover, make available and classify as well.
11. OBLIGATION OF DATA OFFICER AND DATA PROCESSOR
11.1. In accordance with the provisions of this policy, while processing some types of personal data, GARDENIA HOTELS may act on behalf of the data officer, including those that process data and which may involve third parties. Data officer may become data processor for the third parties. Each of the parties to such a relationship (the data processor as well as the data officer) act in accordance with the Law on the Protection of Personal Data. Therefore;
a) Personal data is processed in accordance with the principles in the legislation.
b) The express consent of the concerned person is gained, the concerned person is illuminated and the necessary information is provided.
The data officer shall inform the concerned person as soon as possible and in 30 days at the latest when a complaint or statement of compliance with the obligations of the Data Officer is submitted.
Furthermore, if one party represents the data processor and the other person responsible for the data processing, the data processor fulfills the following obligations:
I. Data processor complies with the extent and scope permitted by legislation and defined by the provisions of this policy. At the request of a regulatory authority, data processor processes the data transmitted/disclosed by the other party,
II. Informs the data officer about the implementation of all reasonable technical and administrative measures and takes all necessary actions to prevent unauthorized processing, loss, destruction, damage, unauthorized alteration or disclosure of the data communicated/disclosed by the data officer;
III. GARDENIA HOTELS supervise the measures and practices implemented by the data processor through its authorized personnel for the purpose of data security,
IV. Data processor collaborates with GARDENIA HOTELS and supports the review of a complaint or statement communicated/disclosed by GARDENIA HOTELS, including these circumstances;
V. Data processor provides GARDENIA HOTELS with detailed information regarding the complaint and declaration status within 7 working days following the request date (including electronic data communicated/clarified by the data processor),
VI. Data processor prevents data processing and/or transfer to a country and/or international organization that is not part of the European Economic Area and is not on the list of countries that are adequate for the protection of personal data or that does not allow the transfer of the person or Personal Data Protection Board,
VII. Data processor does not transfer/disclose data to third parties without the prior written consent of GARDENIA HOTELS,
VIII. Even in cases when GARDENIA HOTELS has prior written consent, transfer/disclosure of data must be performed in accordance with a written contract. In such written contract; the third party and its subcontractors are obliged to take all necessary technical and administrative measures to prevent unauthorized processing, loss, destruction, damage, unauthorized alteration or disclosure of the data.
IX. Any losses incurred by GARDENIA HOTELS as a result of failure of the data processor to take full action, must be compensated. Any damages and losses (including but not limited to) those resulting from agreement violations caused by data processor as well as expenses (including, but not limited to, expenses incurred by the use of GARDENIA HOTELS' legal rights) are included. Thereby, data processor gives legal consent to be held liable for such losses and to fulfill other obligations regarding them, to recover damages, to give compensation and completely agree in this with GARDENIA HOTELS as the data officer.
X. After the termination of the contractual relationship between GARDENIA HOTELS and the data processor (unless otherwise specified by the agreement between GARDENIA HOTELS and the data processor), any data (including personal data transferred/disclosed by GARDENIA HOTELS) must be returned. Data processor is obliged to take all kinds of security measures to prevent unauthorized access to the data by third parties, to destroy the personal data transferred/disclosed by GARDENIA HOTELS and to notify GARDENIA HOTELS in order to confirm this action.
12. DATA PROCESSING, UPDATING, DESTRUCTION; CONDITIONS ON DATA RETENTION
12.1. Data processor continues to operate for a period of time consistent with the objectives and interests of GARDENIA HOTELS, the demands of supervisory/regulatory authorities and/or legislation for the purposes set forth in this policy during and after the period of use of the services of Star Hotels.
12.2. The processing of the data transferred during the use of GARDENIA HOTELS' electronic channels by the concerned person (web browser, website, internet, mobile applications and/or other electronic data transfer tools) continues even after the person deletes the data from those electronic channels.
12.3. Upon request of the concerned person, information regarding personal data held at GARDENIA HOTELS is provided within the scope of the legislation.
12.4. In case the data of the concerned person is incomplete or incorrect, the missing and incorrect data is completed and corrected by sending written notification to GARDENIA HOTELS.
12.5. Personal data is kept for at least 15 years in any case and for period required by the relevant legislation or for the purpose for which it is processed. Although processed in accordance with the provisions of the legislation; personal data is automatically deleted, destroyed or anonymized by the data officer upon the request of the person concerned in case the reasons that require processing are eliminated or the storage period of GARDENIA HOTELS expires.
12.6. The assignation of the storage and destruction periods of personal data is carried out using the following criteria:
a) Plausible exceptions for data storage and processing, stipulated in Articles 5 and 6 of the Act, are determined; for this purpose, access authorization and control matrix system is used. For each chunk of personal data; relevant users, authorization and methods of access, retrieval, re-use of relevant users, termination of employment or change of position are determined separately. When the mentioned exceptions or the end of storage period have come; access, retrieval, reuse, methods of authorization of the concerned people (within the scope of personal data) are updated, shut down or eliminated.
b) In the event that the period foreseen in the legislation for the storage of such personal data has not expired or no time is stipulated in the relevant legislation for the storage of such data, the data is deleted, destroyed or rendered anonymous by the data officer every 10 years.
12.7. In the deletion, destruction and anonymization of personal data; the principles listed in aforementioned Act's Article 4 "General Principles" and Article 12 "Obligations regarding data security", relevant legislations, the decisions of the Authority and the conditions in this policy are followed.
12.8. All actions regarding the deletion, destruction and anonymization of personal data are recorded by GARDENIA HOTELS. These records are kept for at least 10 years, with the exception of other legal obligations.
12.9. Unless otherwise consented upon by the Personal Data Protection Agency, GARDENIA HOTELS selects the appropriate method of deleting, destroying or anonymizing personal data.
12.10. The personal data collected by GARDENIA HOTELS is stored on various recording media. Those are deleted by appropriate methods. Data in digital media is deleted by automatic commands of deletion and/or manually, and personal data in paper media is destroyed using the darkening method. The darkening process is performed by shredding the relevant document when possible or by using stationery ink, which is not removable and has the ability to render documents impossible to read even with technological solutions.
The office files on the central server are deleted by the automatic delete command in the operating system of the file or by invalidation of relevant user's access rights on the directory where the file is located.
The use of portable memory is limited by authorizations. The database containing personal data is protected by authorization levels and the deletion process is subject to authorization. When performing the operation, attention is paid to whether the user concerned is also the database administrator.
Destruction of personal data is the process which makes personal data inaccessible, irretrievable and unusable by anyone in any way. As the data officer, GARDENIA HOTELS take all necessary technical and administrative measures related to the destruction of personal data. For the destruction of personal data, all copies of the data are detected and the systems in which the data is located are physically destroyed through means such as melting, incineration or dusting of the optical and magnetic media. Methods of melting, incineration, pulverizing or grinding an optical or magnetic media irrecoverably prevent access, use and retrieval of the personal data.
Personal data on switches and routers is deleted through automatic delete commands; data on mobile devices, portable smartphones, SIM cards and fixed memory areas is deleted either by command or by means of physical destruction; data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, shredding and melting. The destruction of the personal data in the devices that are defective or sent for maintenance is carried out by removing the data storage medium and other defective parts which are sent to third institutions such as manufacturers, sellers and authorized services. Necessary measures are taken against copying and taking personal data out of the institution by personnel who come for external maintenance and repair purposes. Confidentiality agreements are signed with related maintenance companies.
Anonymization is the process of removing or changing all the direct and/or indirect identifiers in a data set. Data of the concerned person is prevented from being identified or loses its distinguishability in a group/crowd so that it cannot be associated with a real person. The purpose of anonymizing is to break the link between the data and the person whom this data defines. The data is anonymized by cutting physical and electronic ties with the concerned person, and it is performed by methods such as automatic or non-automatic grouping, masking, derivation, generalization and randomization applied to the records in the data recording system where the personal data is kept.
13. RIGHTS OF THE CONCERNED PERSON
Each concerned person has the right to learn whether personal data has been processed, to request information about data that has been processed, to learn the purpose of personal data acquisition and whether it has been used in accordance with its purpose, to know third parties to whom personal data has been transferred domestically or internationally, to request correction of any personal data in case of incomplete or incorrect processing; requesting deletion or destruction of personal data, requesting notifications of personal data transfer to third parties at home or abroad in case of sustaining losses.
14. PRIVACY OF DATA PROCESSING
14.1. Personal data is subject to data security. All employees, subsidiaries of GARDENIA HOTELS and/or its affiliates are prevented from accessing this data unauthorized, and unauthorized persons are strictly prohibited from processing or using this data. Any access to personal data executed by employees, subsidiaries of GARDENIA HOTELS and/or its affiliates without permission will be regarded as unauthorized access. Employees of GARDENIA HOTELS, its subsidiaries and/or affiliates may access personal data only if they are granted access to personal data within the terms of reference.
14.2. Employees of GARDENIA HOTELS, its subsidiaries and/or affiliates are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized people or otherwise making it accessible. The data officer informs the employees about the obligation to protect the data confidentiality during the startup phase and provides needed training.
14.3. For the protection of personal property and confidentiality, as well as for control and measurement of service quality, in accordance with the provisions of the Personal Data Protection Act #6698; video and audio recording is performed in and outside of hotel buildings and workplaces, in places like kitchens and backgrounds.
14.4. When contacting GARDENIA HOTELS at the relevant service points and when contacting GARDENIA HOTELS, the concerned person is informed that video recording and surveillance is being carried out using the appropriate tools. The person acknowledges the importance of video and audio recording and hereby expresses explicit consent to GARDENIA HOTELS to process its data in this respect.
15. DATA PROCESSING SECURITY
Personal data is protected from unauthorized access, illegal processing, disclosure, accidental loss, modification or destruction. Data is protected regardless of being processed electronically or on paper. Modern and advanced data processing methods and information technology systems are operated in order to take technical and administrative measures to protect personal data.
16. DATA PROTECTION CONTROL
This Data Protection Policy and the relevant data protection legislations are regularly checked by authorized personnel in the relevant departments of GARDENIA HOTELS. The personal data protection authority can personally monitor the compliance of GARDENIA HOTELS, its subsidiaries and affiliates with the provisions of this policy, as permitted by national law.
When the concerned person submits his/her requests regarding the application of this policy and the Act on Protection of Personal Data to the data officer in written form, the data officer concludes the request free of charge, as soon as possible and in 30 days at the latest, according to the nature of the request. However, if the transaction requires additional costs, the fees set by the Personal Data Protection Board are charged.