Personal Data Protection Notice

INFORMATION NOTICE REGARDING THE PROCESSING OF PERSONAL DATA

Data Controller: AKFEN TURİZM YATIRIMLARI VE İŞLETMECİLİK ANONİM ŞİRKETİ (“Company”) (Kazım Özalp Mahallesi, Koza Caddesi, No:22, Çankaya, Ankara)
This statement has been prepared to inform you, within the scope of Article 10 of the Law No. 6698 on the Protection of Personal Data (“Law”), regarding the processing of your personal data.

FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?
Article 5 of the Law regulates the conditions for processing personal data, while Article 6 regulates the conditions for processing sensitive personal data. In accordance with these provisions, non-sensitive personal data may be processed under the following conditions:

  • The explicit consent of the data subject is obtained;
  • The processing is expressly provided for by law;
  • The processing is necessary to protect the life or physical integrity of the data subject or of another person where the data subject is physically or legally incapable of giving consent;
  • The processing is necessary for the establishment or performance of a contract to which the data subject is a party;
  • The processing is necessary for the data controller to fulfil its legal obligation;
  • The personal data has been made public by the data subject;
  • The processing is necessary for the establishment, exercise or protection of a legal right;
  • Provided that it does not harm the fundamental rights and freedoms of the data subject, the processing is necessary for the legitimate interests of the data controller.

Personal data regarding an individual’s race, ethnic origin, political opinion, philosophical belief, religion or other beliefs, appearance, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are classified as sensitive personal data. The conditions for processing such data are governed by Article 6 of the Law:

  • The explicit consent of the data subject is obtained;
  • For sensitive personal data other than those related to health and sexual life (such as race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, association/foundation/trade union memberships, criminal convictions and security measures, biometric and genetic data), processing is permitted where it is explicitly provided for by law;
  • For data relating to health and sexual life, processing is permitted without explicit consent where it is carried out by persons or authorized institutions and organizations under a confidentiality obligation, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, or the planning and management of healthcare services and financing.

Pursuant to Article 5 of the Law, personal data may be processed under the following legal grounds:

  • Based on the legal ground of the establishment or performance of a contract (Article 5/2(c) of the Law): No reservations are made through the website. However, your identity, contact, and customer transaction data may be processed for the purposes of managing and completing reservation processes carried out via telephone, ensuring the necessary communication within this scope, and fulfilling post-reservation support services.
  • Based on the legal grounds of explicit provision in the laws and the Company’s legal obligations (Article 5/2(a), (ç) of the Law): Your identity, contact information, customer transaction, and transaction security data may be processed for the purposes of fulfilling the Company’s legal obligations, ensuring compliance with statutory data retention requirements, providing information/documents to authorized persons or institutions in accordance with legal obligations, conducting all kinds of official correspondence, and responding to data subject requests and taking necessary actions in line with applicable legislation.
  • Based on the legal ground that processing is necessary for the establishment, exercise or defense of a legal claim (Article 5/2(e) of the Law): Your identity, contact information, customer transaction, and transaction security data may be processed for the purposes of evaluating requests and complaints, and storing personal data throughout the general statute of limitations period for use as evidence in potential future disputes.
  • Based on the legal ground that processing is necessary for the legitimate interests of the data controller, provided that it does not violate the fundamental rights of the data subject (Article 5/2(f) of the Law): Your identity, contact information, customer transaction, and transaction security data may be processed for the purposes of ensuring the execution of the commercial activities conducted by our Company through the necessary operations carried out by the relevant business units; planning and execution of our Company’s business strategies and related processes; ensuring the security of our website through necessary control mechanisms; implementing improvements to enhance information security; and conducting personalized advertising activities to provide services aligned with customer preferences. In addition, your personal data may be processed for the purposes of managing corporate communication activities; maintaining relationships with customers and potential customers; carrying out activities necessary for enabling relevant persons to benefit from our products and services, including those related to sales and marketing; and conducting customer acquisition initiatives. Your data may be processed for the purpose of providing information to third-party real or legal persons with whom our Company has entered into a business relationship, within the scope of our commercial activities; ensuring the legal, technical, commercial, and operational security of both our Company and the individuals involved in business relations with our Company; determining and implementing our Company’s commercial and business strategies; resolving your requests, inquiries, suggestions, and complaints; conducting all necessary research, development, corrective and preventive activities to avoid recurrence; and receiving suggestions aimed at expanding the scope of the services offered.
  • Based on the legal ground of explicit consent (Article 5/1 of the Law): Your identity, contact information, and marketing data may be processed for the purposes of conducting marketing activities related to the products and services offered by our Company, and for recommending and promoting such products and services by customizing them in accordance with your preferences, usage habits, and needs, including profiling and analytical activities. For these purposes, your personal data may be shared with the Company’s parent company and group companies, suppliers, business partners, authorized public institutions, and legally authorized private individuals or organizations. In addition, your identity and contact data may be processed for the purpose of sending commercial electronic communications, such as advertisements, promotions, and campaign notifications, to the contact information you have shared with our Company.

The Company processes personal data belonging to third-party natural persons for the following purposes:

  • Planning and execution of press and media-related activities
  • Planning, implementation, and auditing of information security processes
    Establishment and management of information technology infrastructure
  • Event management
  • Tracking of financial and/or accounting affairs
  • Ensuring legal security
  • Website management
  • Planning and execution of business activities
  • Planning and/or execution of occupational health and/or safety processes
  • Planning and/or execution of business continuity activities
  • Ensuring transaction security
  • Planning and execution of corporate communication activities
  • Planning and execution of corporate governance activities
  • Ensuring physical premises security
  • Managing customer relations
  • Updating customer contact information
  • Evaluating customer complaints and needs
  • Fulfillment of financial obligations
  • Ensuring the security of operations
  • Conducting advertising and promotional activities
  • Conducting risk management
  • Planning and/or execution of after-sales support services
  • Planning and implementation of sponsorship, donation, and aid processes
  • Tracking of contractual processes and/or legal claims
  • Planning and execution of supply chain management processes
  • Determination and implementation of commercial strategies
  • Planning and execution of production and/or operational processes
  • Planning and/or execution of processes for generating and/or increasing loyalty to products and/or services
  • Planning and execution of sales and marketing processes for products and/or services
  • Providing information to authorized institutions

The Company shall process personal data in accordance with the law and the principles of good faith; accurately and, where necessary, in a manner that is kept up to date; for specific, explicit, and legitimate purposes; in a manner that is relevant, limited, and proportionate to the purposes for which they are processed; and shall retain such data only for as long as is prescribed by the relevant legislation or required for the purposes for which they are processed.

WHICH OF YOUR PERSONAL DATA DO WE PROCESS?
IDENTITY INFORMATION Name, Surname
CONTACT INFORMATION Information such as email address, phone number
CUSTOMER INFORMATION Customer number, order details, etc.
VISUAL AND AUDIO RECORDİNGS Photographs, camera footage, audio recordings, and other visual and audio data
REQUEST/ COMPLAINT INFORMATION Records of all types of requests and complaints
LEGAL TRANSACTIONS Correspondence with judicial authorities, court case files, enforcement files, and information contained in correspondence with administrative bodies
MARKETING INFORMATION Surveys, reports, and analyses indicating individuals’ habits, needs, and preferences; cookie records, etc.
TRANSACTION SECURITY IP address details, website log-in and log-out data, password and passcode information, etc.
PHYSICAL SPACE SECURITY Visit records, camera footage, etc.
FINANCIAL INFORMATION Account number, credit card number, etc.

HOW DO WE STORE YOUR PERSONAL DATA?

In order to fulfill the purposes stated above, we may collect your personal data through our website, social media platforms, mobile applications, marketing activities, events, security cameras, customer request and complaint forms, camera footage, Company records, directly from the data subjects, existing records, and call center logs, either verbally, physically, and/or through electronic means. Your personal data is stored in both electronic and physical environments— in secure email inboxes, specially protected software systems with restricted access, and locked cabinets— accessible only by authorized personnel.

DO WE SHARE YOUR PERSONAL DATA WITH OTHERS?

Non-sensitive personal data may be shared by the Company under the following conditions:

  • The explicit consent of the data subject is obtained
  • The processing is expressly provided for by law
  • The processing is necessary to protect the life or physical integrity of the data subject or of another person who is unable to express consent due to actual impossibility or whose consent is not legally valid
  • The processing is necessary for the establishment or performance of a contract, provided that it is directly related to the parties to the contract
  • The processing is necessary for the data controller to fulfill its legal obligations
  • The personal data has been made public by the data subject
  • The processing is necessary for the establishment, exercise, or protection of a legal right
  • The processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject

Under the above conditions, personal data may be transferred to the Company’s parent company and group companies, suppliers, business partners, authorized public institutions, and legally authorized private individuals or organizations.

No transfer of personal data is made abroad.

FOR WHAT PURPOSES MAY WE TRANSFER YOUR PERSONAL DATA?
Your personal data may be transferred for the following purposes: to enable relevant business units to carry out the necessary operations for individuals to benefit from the products and services offered by the Company; to execute the relevant business processes; to promote the Company’s products and services; to present them in line with your preferences; to analyze your needs and habits; to carry out operational processes; to ensure legal, physical, and commercial security; and to fulfill our obligations arising from applicable legislation and/or administrative procedures.

WHAT ARE YOUR RIGHTS REGARDING THE PROTECTION OF YOUR PERSONAL DATA?

Pursuant to Article 11 of the Law, you have the following rights:

  • To learn whether your personal data is being processed
  • If your personal data has been processed, to request information regarding such processing
  • To learn the purpose of the processing of your personal data and whether it is being used in accordance with that purpose
  • To learn the third parties to whom your personal data is transferred within the country or abroad
  • To request the correction of your personal data if it is incomplete or inaccurate
  • To request the deletion or destruction of your personal data within the framework of the conditions set forth in the applicable legislation
  • To request that third parties to whom your personal data has been transferred are informed about the correction, deletion, or destruction of your personal data
  • To object to any outcome against you that arises as a result of your personal data being analyzed exclusively through automated systems
  • To request compensation for damages if you suffer harm due to your personal data being processed unlawfully

HOW CAN YOU EXERCISE YOUR RIGHTS?
You may submit your requests and applications regarding your personal data to the Company through the following methods:

  • By sending an email from the email address you have previously notified to the Company to the address turizm@hs03.kep.tr
  • By applying to the Company in person with a valid identity document
  • By sending a wet-signed application form together with a copy of your ID to the address Kazım Özalp Mahallesi, Koza Caddesi No: 22, Çankaya, Ankara
  • By signing your application with a mobile signature or secure electronic signature and sending it via email to turizm@hs03.kep.tr

Pursuant to the “Communiqué on the Principles and Procedures for Application to the Data Controller,” third-party applicants must include the following information in their application: name, surname, signature (if the application is made in writing), Turkish ID number (for foreign nationals: nationality, passport number, or if available, another identity number), residential or business address for notifications, if available, email address for notifications, telephone and fax number, and information regarding the subject of the request.

Third parties must clearly and understandably specify the right they are requesting to exercise, along with explanations regarding the matter. Relevant information and documents must also be attached to the application.

The request must concern the applicant personally. If the request is submitted on behalf of another person, the applicant must be specifically authorized in this regard and such authorization must be documented (e.g., via a power of attorney). The application must also include identifying information and address details of the applicant, and documents verifying identity must be attached. Requests made by unauthorized third parties on behalf of others will not be considered.