PDPP

INTRODUCTION

This Personal Data Processing Policy has been prepared in order to determine the procedures and principles to be applied by Side Star Hotels regarding the processing of personal data in according to the 6698 number of Personal Data Protection Law.

CONTENT

The personal data of our employees, employee candidates, guests and all real persons who have personal data at Side Star Hotels for any reason are managed in according to the laws within the framework of this Personal Data Processing Policy.

DEFINITIONS

Law/PDPP: Law on Protection of Personal Data dated 24/3/2016 and numbered 6698.

Board/Institution: Personal Data Protection Board/Personal Data Protection Authority.

Personal Data: Any information relating to an identified or identifiable natural person.

Relevant Person: The person whose personal data is processed.

Explicit Consent: Consent about a specific subject, based on information and obtained with free will.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data.

Deletion of Personal Data: Making personal data inaccessible and unusable for Relevant Users in any way.

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.

Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given to her/him.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Sensitive Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric data. and genetic data.

Obligation to Disclose: During the acquisition of personal data, the data controller or the person authorized by it, to the relevant persons; Giving information about the identity of the data controller and its representative, if any, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, other rights listed in Article 11 of the Law.

Sedna: Front office with guest data, human resources with accounting and employee data, and Side Star Hotels purchasing Automation System.

Destruction Policy: The policy on which data controllers base the process of determining the maximum period required for the purpose for which personal data is processed, and the process of deletion, destruction and anonymization.

Recording Media: Any electronic media containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.

Virtual POS Payment System: Online payment system.

PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

Compliance with the law and the rules of honesty: Side Star Hotels protects the individual rights of the persons concerned during the processing of personal data. Personal data is collected and processed in accordance with the law and fairly.

Processing for specific, clear and legitimate (transparency) purposes and being limited and measured in connection with the purpose for which they are processed: The purpose for which personal data will be processed by Side Star Hotels is determined before the personal data processing activity begins. Side Star Hotels processes personal data only in order to provide better service to the persons concerned. During the acquisition of personal data; The data subject is informed about the identity of the data controller and its representative, if any, the purpose of personal data processing, to whom and for what purposes personal data can be transferred, the method of collecting personal data and the legal reason, and the rights of the relevant person.

Retention for the period stipulated in the relevant legislation or for the purpose for which they are processed: Side Star Hotels retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. As long as the personal data is deemed necessary for the purposes for which they are processed and required by regulatory authorities and/or relevant laws and regulations, Side Star Hotels and its affiliates under its control will continue to process and maintain personal data in accordance with the purposes set forth by this policy.

Accuracy of information, up-to-dateness of data: Side Star Hotels keeps the processed personal data accurate, complete and up-to-date if necessary. Where necessary; Inaccurate or incomplete data is deleted, corrected, completed or updated.

Privacy and data security: Personal data is subject to data privacy. It is considered confidential at the personal level and necessary technical and administrative measures are taken to ensure the appropriate level of security in order to prevent unauthorized access, unlawful processing or distribution, as well as to prevent accidental loss, alteration or destruction, and to ensure the preservation of personal data.

EXTENT OF DATA PROCESSING

Personal data processing is carried out in two different ways.

Automatic processing of data in whole or in part; Receiving, collecting, recording, photographing, sound recording, video recording, organizing, storing data from the relevant person or third parties specified in this policy for the purposes of transfer, dissemination or presentation in different ways, grouping or combining, blocking, deletion or destruction change, reinstatement, withdrawal or disclosure.

Processing/obtaining data by non-automatic means; It covers recording, storing, keeping, changing, rearranging, disclosing, transferring, transferring abroad, taking over, making available, classifying or preventing use, provided that it is part of any recording system.

Side Star Hotels shall have the right to process the personal information of the relevant person during the period of using the services it provides and after the end of the service relationship, by complying with the purposes specified in this policy.

Personal data processing by Side Star Hotels, without any restrictions, includes all kinds of actions taken for data using non-automatic means, provided that they are part of an automatic, semi-automatic or automatic system.

Side Star Hotels processes the data of the person or persons under the custody of the relevant person.

Data processing also includes sharing the data provided with the express consent of the relevant person and/or third parties when Side Star Hotels is the data processor and/or Side Star Hotels acts in favor of and on the instructions of a third party.

The express consent of the relevant person, the recording of the activities of the relevant person by Side Star Hotels while using various electronic channels (including but not limited to the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and receipt). and its processing. (For example; determining the location of the relevant person when using the electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data)

FOUNDATIONS OF DATA PROCESSING

The relevant person accepts that, during the use of Side Star Hotels services and even if the contractual relationship is terminated, Side Star Hotels must process the information of the relevant person or third parties specified by the relevant person, within the scope of the following purposes.

Providing and/or implementing a service for the relevant person,

Data processing is mandatory in order to protect the legal rights of Side Star Hotels and/or third parties,

Fulfilling the legal obligations of Side Star Hotels,

It is necessary to process the personal data of the relevant person, provided that it is directly related to the establishment or performance of a contract between the relevant person and Side Star Hotels,

Data processing is mandatory for the establishment, exercise or protection of a right,

Other matters to which the relevant person has expressly consented,

Other matters clearly stipulated in the legislation.

The express consent given by the relevant person shall mean that the relevant person accepts the policy and its provisions.

PURPOSES OF DATA PROCESSING

Side Star Hotels and/or third parties that process personal data shared with the consent of the relevant persons may process the personal data of the data subject or persons under the custody of the data subject for the following purposes.

Realization of accommodation services as declared, providing and executing the services provided to the guests in a better and reliable manner,

With the Virtual POS Payment System, Side Star Hotels can make online payments and receive payments. In these transactions, using the guest's (name, surname, date of birth, e-mail address, phone number and credit card) information, information research and survey evaluations, planning, statistics, archiving, storage services, customer satisfaction studies,

In order to optimize and develop Side Star Hotels services, it is necessary to check the accommodation history and / or behavioral models of the relevant person,

Side Star Hotels' ability to offer a new and/or additional service or out-of-service product,

Changing the current conditions of the service provided by Side Star Hotels,

Analyzing statistical data by Side Star Hotels, preparing and presenting various reports, researches and/or presentations,

In addition to providing security; detecting and/or preventing fraud, other criminal activities,

Meeting the complaints, questions and demands of the relevant person,

Verifying the identity information of the relevant person,

Carrying out promotional, marketing, promotion and campaign activities for accommodation services,

Realization of other objectives stipulated in national and international laws and regulations.

PROCESSING, TRANSFERRING OR DISCLOSING OF DATA

Side Star Hotels fulfills the obligations imposed by the relevant legislation and board policy decisions regarding the processing, transfer or disclosure of personal data. In accordance with the purposes determined by this policy, including, but not limited to, the personal data of the related person and third parties; For the processing, transfer and/or disclosure of all kinds of information, depending on the content and variety of accommodation service offered by Side Star Hotels; Name and surname of the relevant person, Personal identification number and/or unique feature on the identity card, Registered and/or resident address, Telephone/mobile phone number, E-mail address, Employer data, as well as information about employment conditions (place of work) , wages, working hours, etc.), When using various electronic channels and/or the internet (including but not limited to web cookies etc.) and the above-mentioned channels, the activities of the relevant person and/or the third parties specified by the relevant person (including verification of these channels, actions taken or transaction history). (but not limited to this) uses data about the persons with whom the relevant person stays during the service purchase.

If the relevant person (including but not limited to personal data, sensitive personal data, etc.) gives his personal data of third parties (Family members, employers, etc.) to Side Star Hotels in order to benefit from the services of Side Star Hotels; The person who gives the data to Side Star Hotels will be responsible for obtaining the necessary consent for the processing of this personal data.

If the relevant person gives the said information to Side Star Hotels (or its authorized personnel), it is assumed that the relevant person has given the necessary explicit consent and Side Star Hotels' obligation to obtain this explicit consent is no longer valid.

In the event that personal and/or special quality personal data is processed without the express consent of the relevant person and a loss arises as a result of this processing, Side Star Hotels is obliged to cover this loss.

The express consent of the relevant person, the recording of the activities of the relevant person by Side Star Hotels while using various electronic channels (including but not limited to the technical methods and channels used for web browser, website, internet, mobile applications, payment transactions, money transfer and receipt). and its processing. (For example; determining the location of the relevant person when using the electronic channel, identifying and analyzing input data, product selection frequency and/or other statistical data)

Side Star Hotels sends the phone, mobile phone number, e-mail address and other contact information provided by the relevant person, to the Electronic Number 6563, including sending SMS, voice and/or other kinds of marketing messages (direct marketing) until the person uses his right to refuse. It has the right to send commercial electronic messages within the scope of the Law on the Regulation of Trade.

The relevant person gives Side Star Hotels the right to share their personal data with Side Star Hotels' subsidiaries and/or shareholders for the purpose of making various marketing offers.

Advertising/information messages (for example, advertising brochures, promotional images, verbal offers, etc.) at the service points of Side Star Hotels or electronic channels such as Internet, mobile marketing of Side Star Hotels (or Side Star Hotels' subsidiaries). The content displayed during its use will not be considered as direct marketing, and the relevant person will not have the right to demand the termination of the publication and / or display of such content.

PROCESSING OF APPLICANTS’ OR EMPLOYEES’ DATA

Processing of personal data for the purpose of concluding, performing, maintaining and terminating a service contract: Fulfilling the personal rights arising from the service contract and maintaining them uninterruptedly, occupational health and safety service to be provided to employees, fulfillment of work permit procedures, evaluation of personal job applications, research and other Side Star Hotels, for the purposes of carrying out recruitment processes, performance evaluation and follow-up, training activities, improving working conditions, carrying out human resources and training processes such as personal development processes, does not process the personal information disclosed by the relevant person due to employment, trial period and/or internship has the right.

During the job application process, the collection of information about the applicant from third parties is carried out within the framework of the provisions of the Law on the Protection of Personal Data No. 6698.

The explicit consent of the applicant is required for the processing of personal data that is related to the business relationship but is not part of the performance of the employment contract in the first place.

Processing of Private Personal Data; Sensitive Personal Data can only be processed with the explicit consent of the relevant person for the processing of sensitive personal data. Special categories of personal data other than health and sexual life, only in cases stipulated by law, and personal data related to health and sexual life; however, it is complied with, that it is processed by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

TRANSFERRING/SHARING INFORMATION TO/FROM THIRD PARTIES

In order for Side Star Hotels to provide services to the relevant person, this policy is transferred/shared with the data subject and/or the third parties specified by the relevant person within the scope of data processing. The relevant person gives Side Star Hotels personal data; Obtaining data completely or partially automatically or by non-automatic means provided that it is a part of any recording system, through all departments, internet, call centers, public institutions and organizations, and the parties from which they receive services that are complementary or extensions of the activities of Side Star Hotels, their suppliers, registration, storage, preservation, modification, rearrangement, disclosing, transferring, transferring abroad, acquisition, making available, classification or use.

OBLIGATIONS OF DATA CONTROLLER AND DATA PROCESSOR

Based on the provisions of this policy; Side Star Hotels may act on behalf of the data controller, including third parties, who are data processors, while processing some types of personal data. The data controller may be a data processor for third parties in some personal data. Accordingly, each of the parties to such a relationship (data controller as well as the data processor) acts in accordance with the Law on the Protection of Personal Data. That’s why;

Personal data is processed in accordance with the principles in the legislation.

The explicit consent of the relevant person is obtained, necessary information and illuminations are made.

In the event that the data controller occurs; When a request is made by the data subject regarding information about his/her personal data, when a complaint or statement is submitted regarding the compliance of the data controller with the obligations imposed by the legislation, it notifies the data subject as soon as possible and within 30 days at the latest.

In addition, if one of the parties represents the data processor and the other the data controller during the data processing, the data processor fulfills the following obligations. The data processor is obliged to:

By complying with the extent and scope as defined by the provisions of this policy and permitted by the legislation; or at the request of a regulatory authority, processes the data transmitted/explained by the other party,

In order to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data transmitted/disclosed by the data controller, applying all reasonable technical and administrative measures and taking every necessary action and informing the data controller of all measures taken within this scope,

Side Star Hotels, through its authorized personnel, supervises the measures and practices implemented by the data processor for data security,

Cooperates and supports the examination of a complaint or statement submitted/explained by Side Star Hotels, including the following, by the Data Processor;

Provides Side Star Hotels with detailed information about the complaint and declaration status, including data about the data subject (including electronic data), transmitted/disclosed to the data processor by the data controller, within 7 working days from the date of request,

It prevents data processing (transfer) activities by the Data Processor to a country and/or international organization that is not part of the European Union Economic Area and is not on the list of countries that are at a sufficient level for the protection of personal data, or to a country and/or international organization that the data subject or the Personal Data Protection Board does not allow,

Without the express prior written consent of Side Star Hotels; does not transfer/disclose the data to third parties,

Even in cases where Side Star Hotels has express written consent; The data processor is obliged to transfer/disclose the data in accordance with a written contract. In the aforementioned written contract, the third party and its subcontractors are obliged to take all necessary technical and administrative measures to prevent unauthorized processing, loss, destruction, damage, unauthorized modification or disclosure of data.

Compensation for any damage/loss that Side Star Hotels may incur due to the data processor's failure to take or fully perform the necessary actions (in accordance with the policy and legislation). All kinds of damages/losses (including but not limited to consequential damages), complaints, expenses (including but not limited to the expenses that Side Star Hotels will incur due to exercising its legal rights) as a result of the breach of the data processor. ), the data processor gives express consent and agrees with the data controller against legal processes and other obligations, to compensate for damages and to provide compensation.

Unless otherwise stated in the contract between Side Star Hotels and the data processor, the data processor after the termination of the contractual relationship between Side Star Hotels and the data processor; Return of any data (including personal data) transferred/disclosed from Side Star Hotels. It is obliged to take all necessary security measures to prevent unauthorized access to data by third parties, to destroy personal data transferred/disclosed by SIDE STAR HOTELS and to notify SIDE STAR HOTELS to confirm that this action has been taken.

UPDATING, PROCESSING, RETENTION PERIOD OF DATA AND DATA DISPOSAL

It continues to operate for a period of time consistent with the purposes and interests of Side Star Hotels, the requests of supervisory / regulatory authorities and / or the legislation, for the purposes specified in this policy during and after the period of using the services of Side Star Hotels.

The processing of the data transferred during the use of Side Star Hotels electronic channels (web browser, website, internet, mobile applications and/or other electronic data transfer tools) continues after the data subject deletes the data from the relevant electronic channels.

Upon the request of the relevant person, information is provided regarding the personal data kept at Side Star Hotels in accordance with the legislation.

In case the data of the relevant person is incomplete or incorrect, incomplete or incorrect data is completed and corrected upon the written notification of the relevant person to Side Star Hotels.

Personal data is retained for as long as required by the relevant legislation or for the purpose for which they are processed, and in any case for 15 years. Although it has been processed in accordance with the provisions of the legislation, in the event that the reasons for its processing disappear and the storage period of Side Star Hotels expires, the personal data is deleted, destroyed or anonymized by the data controller spontaneously or upon the request of the data subject.

By determining which of the exceptions stipulated in Articles 5 and 6 of the Law, data storage can be evaluated within the scope of,

Access authorization and control matrix system is used. For each personal data, the relevant users are identified, the authorizations and methods of the relevant users such as access, retrieval, reuse are determined, employment contract termination or change of position, etc. In such cases, the access, retrieval, reuse authorization and methods of the relevant users within the scope of personal data are updated, closed and eliminated.

In the event that the period stipulated in the legislation expires in relation to the storage of the personal data in question or if no period is stipulated in the relevant legislation for the storage of the said data, the data is deleted, destroyed or anonymized by the data controller in 10-year periods.

In the deletion, destruction and anonymization of personal data, the principles listed in Article 4 of the Law titled "General principles" and the measures to be taken within the scope of article 12 titled "Obligations regarding data security", the provisions of the relevant legislation, the decisions of the Institution and this policy. appropriate action is taken.

All transactions regarding the deletion, destruction and anonymization of personal data are recorded by Side Star Hotels. These records are kept for at least 10 years, excluding other legal obligations.

Unless a contrary decision is taken by the Personal Data Protection Authority, the appropriate method of deleting, destroying or anonymizing personal data is chosen by Side Star Hotels.

Personal data collected by Side Star Hotels are stored in various recording media. It is deleted by methods suitable for recording media. Data in digital media is deleted manually and/or by giving a deletion command, and personal data in paper media is deleted using the blackout method. The blackening process is where the personal data on the relevant document is cut off when possible, and in cases where it is not possible, it is rendered invisible to the relevant users by using fixed ink, which cannot be read or returned with technological solutions.

Office files located on the central server are deleted with the delete command in the operating system of the file, or the access rights of the relevant user on the file or the directory where the file is located are removed.

Portable memory usage is restricted by authorization. The database containing personal data is protected by authorization levels, and the deletion process depends on authorization. While performing the transaction, attention is paid to whether the relevant user is also a database administrator.

Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. Side Star Hotels, Data controller takes all necessary technical and administrative measures regarding the destruction of personal data. In order to destroy personal data, all copies of the data are detected and the systems with the data are physically destroyed by melting, burning or pulverizing optical media and magnetic media. It is ensured that the data is not accessed by processes such as melting, incinerating, pulverizing or passing the optical or magnetic media through a metal grinder.

Mobile phones (sim card and fixed memory areas) with the command to delete network devices (switch, router, etc.); optical discs, if any, by erasing command and physical destruction methods in fixed memory areas in portable smartphones; Data storage media such as CDs and DVDs are destroyed by physical destruction methods such as burning, breaking into small pieces and melting. The destruction of personal data in devices that are broken or sent for maintenance is stored by removing the data storage medium, and other defective parts are sent to third institutions such as manufacturers, vendors and service.

Personnel coming from outside for purposes such as maintenance and repair are prevented from copying their personal data and taking them out of the institution, and necessary measures are taken. Necessary confidentiality agreements are in place with the relevant maintenance companies.

Anonymization is the removal or change of all direct and/or indirect identifiers in a data set, preventing the identification of the data subject from being identified, or losing its distinctiveness in a group/crowd so that it cannot be associated with a natural person. The purpose of anonymization is to break the link between the data and the person identified by this data. The data is anonymized by choosing the one suitable for the relevant data out of the methods such as automatic or non-automatic grouping, masking, derivation, generalization, randomization applied to the records in the data recording system where personal data is kept.

RELEVANT PERSON’S RIGHTS

Each relevant person; has the right to learn whether personal data is processed, to request information if personal data has been processed, to learn the purpose of personal data and whether they are used in accordance with its purpose, to know the third parties in the country or abroad to whom personal data are transferred, to request correction of personal data in case of incomplete or incorrect processing, Demanding the deletion or destruction of personal data, requesting notification of the transfer of personal data to third parties in the country or abroad, Objecting to the emergence of a result against the person by analyzing the processed data only through automatic systems, incurring damage due to unlawful processing of personal data demand the compensation of the damage in case of damage.

PRIVACY OF DATA PROCESSING

Personal data is subject to data security. Any employee of Side Star Hotels, its affiliates and/or subsidiaries is prevented from accessing this data without authorization and unauthorized persons are strictly prohibited from processing or using this data. Any employee of Side Star Hotels, its subsidiaries and/or subsidiaries who are not authorized within the scope of the job description, means unauthorized processing of this data. Employees of Side Star Hotels, its affiliates and/or subsidiaries can access personal data only if they are authorized to access personal data within their job description.

Employees of Side Star Hotels, its affiliates and/or subsidiaries are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons or making this data accessible by any other method. The data controller informs its employees about the obligation to protect data confidentiality at the beginning of the job, provides training to their employees and ensures that they receive training.

In order to protect the property and privacy, as well as to control and measure the quality of service, the provisions of the Law on the Protection of Personal Data No. 6698 are observed in the vicinity and entrances of the buildings and workplaces, in the kitchen and service background, etc. video and audio recordings are made.

The relevant person is informed that video recording and video inspection are being carried out using appropriate tools at the relevant service points of Side Star Hotels and when communicating with Side Star Hotels. The relevant person accepts the importance of the video and audio recording and hereby gives express consent to Side Star Hotels to process their data in this regard.

SECURITY OF DATA PROCESSING

Personal data is protected against unauthorized access, illegal data processing or disclosure, and accidental loss, alteration or destruction of data. Whether the data is processed electronically or on paper, it is within the scope of protection. New and advanced data processing methods and information technology systems are followed in order to take technical and administrative measures to protect personal data.

DATA PROTECTION CONTROL

Compliance with this Data Protection Policy and relevant data protection laws is regularly checked by authorized persons in the relevant units of Side Star Hotels. The personal data protection agency can personally audit the compliance of Side Star Hotels, its affiliates and subsidiaries with the provisions of this policy, as permitted by national laws.

COMMUNICATION

When the data subject submits his requests regarding the implementation of this policy and the Law on the Protection of Personal Data to the Data Controller in writing, the Data Controller concludes the request free of charge as soon as possible and within 30 days at the latest, depending on the nature of the request in the application. However, if the transaction requires an additional cost, the fees in the tariff determined by the Personal Data Protection Board are charged.