Personal data protection is among the main policies of our Company, which throughout its existence, has been committed to the privacy of personal data and has adopted it as a working principle in the light of which all employees are instructed to operate. Our Company accepts and undertakes to comply with all obligations introduced by the PPD Law. With such obligation in mind and under our capacity as a Data Controller, we process, record, transfer, share and store your personal data as explained below within the confines drawn by the formal legislation.
A. IDENTITY OF DATA CONTROLLER
You can reach us by using the contact information below for any questions about our “Information Notice About Personal Data Processing”.
Neptün Turizm ve Ticaret Anonim Şirketi
(Club Resort Atlantis Holiday Resort, Maya Bistro Hotel Beach) Sığacık Mahallesi, Akkum caddesi No:175, 35400-Seferihisar- Izmir/ Turkey
Contact information:
E-mail: kvkk@neptunclubhotels.com
Tel. No. +90(232) 745 74 55
Our Company reserves the right to update this “Information Notice About the Protection of Personal Data” any time with regard to any changes to the applicable formal legislation.
B. COLLECTION AND PROCESSING OF PERSONAL DATA AND PURPOSE OF PROCESSING:
Our policy on the Protection of Personal Data and Privacy has been prepared in accordance with the PPD Law. In this regard, your personal data may be collected through automatic or non-automatic methods by our offices, branches, dealers, call centers, websites, social media channels, mobile applications and the like, orally, in writing or electronically, which may vary depending on the services, products or commercial activities we provide. As long as you make use of our products or services, your personal data may be processed by way of creation and updating.
Further, your personal data may be processed when you, with the intention of using our services,
a. contact our call center or website,
b. visit our company, website or social media channels,
c. receive the services provided by our Hotel. We may process your personal data obtained upon your consent or due to legal compliance under the laws of the Republic of Turkey, for the following purposes:
d. for our business units to perform their duties in order to make available to you the products and services we offer which will be customized according to your preferences, habit of use and needs,
e. enabling legal and commercial security of our Company and those individuals having business relationship with us (our administrative operations regarding communication, physical security and supervision of our locations, business partner/client/supplier (authorized personnel or employees) assessment process, legal compliance process, financial affairs, etc.),
f. improving the quality of the services we offer and developing our quality policy,
g. notifying and making available to you general and special campaigns, promotions, publicity, discounts and similar advantages we offer,
h. processing the data obtained through your personal data, preferences, transactions and navigation period in the channels we offer when you have entered them by using your user name and password in order to obtain our services, for the aim of providing the information and services you have requested,
i. sending you notifications about any loyalty cards issued and/or to be issued by our Company and its affiliates as well as website memberships to our Company and its affiliates (renewal, termination, etc.), and keeping you informed about newly offered services and products as well as any changes or new introductions, etc. to the personal data policies and membership terms,
j. sending you notifications about the information, activities and services you may request from us,
k. determining and implementing our commercial and business strategies,
l. enabling the execution of our human resources policies; which may be processed by our Company and its affiliates as well as other real and/or legal entities mentioned in item (C) below under the conditions and purposes of personal data processing as set forth in Articles 5 and 6 of the PPD Law, if expressly stipulated under the respective legislation or, where necessary, for the aim of fulfilling any legal obligations expressly stipulated under the respective legislation.
Client or Potential Client Data
The categories of personal data to be processed in this regard and the respective explanations are as follows:
- Identification: Name, name(s) of accompanying guest(s), nationality, date and place of birth; TR identity, driving license and passport numbers (including date and place of issuance).
- Contact Details: Address, telephone number, e-mail address.
- Client Processing Data: Payment data, data about the products or services purchased.
- Marketing Data: Special preferences about accommodation, marketing and communication; evaluation of brands and facilities, website cookie information, opinion or complaints.
- Security of Physical Space: The security cameras available in our facility record security footage in order to fulfill our obligation to ensure individuals’ legal and commercial security.
- Other: Reservation data, travel background; participation in contests, draws or marketing programs, data of vehicles used to arrive at the facility; booked hotel, airlines or car rental packages; groups connected for accommodation at the facilities.
Employee or Intern Data
- Identification, Contact and Personal Data: Processing data for planning and carrying out our human resources process, including creation and storage of personal files for recruitment, professional relationship process, performance assessment and evaluation, and performing exit interviews,
- Legal Process: Receiving legal support for satisfying our legal obligations arising from the respective legislation, and protecting and enforcing our rights in case of any disputes,
- Professional Experience: Processing education, diploma, certificate and training data for carrying out inhouse operational activities and providing better quality service,
- Financial Data: Employee bank account data for wage payments,
- Health Data: Processing employee health data under the Law No. 6331 on Occupational Health and Safety and Emergencies as well as processing employees’ disability status and blood types,
- Penal Conviction and Security Measures: Processing criminal records for carrying out employment and human resources process,
- Security of Physical Space: The security cameras available in our facility record security footage in order to fulfill our obligation to ensure individuals’ legal and commercial security.
- Process Security: We assign e-mail accounts with corporate domain extensions to our employees for business purposes only, thus we keep and monitor the logs of such e-mail accounts at company servers, keep internet logs and password data, and access and use such e-mail accounts upon end of employment.
We assign laptops and/or desktops to our employees for business purposes only, thus such devices are processed under the personal data processing terms as set forth under Articles 5 and 6 of the PPD Law for the aim of monitoring, supervising and controlling them in relation to the company activities and the services provided.
Candidate Employees
- Identification and Contact Details: Processing identification and contact data for carrying out employment process in terms of planning and executing our human resources process,
- Professional Experience: Processing education, diploma, certificate and training data for carrying out employment process,
- Health Data: Processing candidate employees’ disability status and blood types,
- Penal Conviction and Security Measures: Processing criminal records for carrying out employment and human resources process,
- Security of Physical Space: The security cameras available in our facility record security footage in order to fulfill our obligation to ensure individuals’ legal and commercial security.
Guest Data
Security of Physical Space: The security cameras available in our facility record security footage in order to fulfill our obligation to ensure individuals’ legal and commercial security.
Collection and Processing of Data for Contractual Relationships
In case a contractual relationship has been formed with a client or a potential client, the personal data collected may be used without the client’s consent. However, such use shall only involve the contractual purpose. The data shall be used to the extent of better execution of the agreement and service requirements, and shall be updated where necessary upon contacting the client.
Business Partner and Solution Partner Data
NEPTÜN TURIZM has been committed to compliance with the law while sharing data with both business partners and solution partners. Data shared with business partners and solution partners is based on the data privacy commitment and performed only to the extent required by the respective service, and such parties are always requested to take the necessary measures for providing data security.
Data Processing for Advertising Purposes
Persons whose prior consent has been received may be delivered electronic messages for advertising purposes pursuant to the Law on the Regulation of e-Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages. The availability of express consent of the individual to whom advertising shall be sent is obligatory.
NEPTÜN TURIZM also complies with the details of “consent” as determined under the same legislation. The consent to be obtained shall cover all commercial electronic messages delivered to the electronic communication addresses of recipients for the aim of promoting and marketing the goods and services of the company, promoting the enterprise or enhancing recognition through celebratory or well-wishing content. Such consent may be obtained in written form in a physical environment or through any electronic communication means. The important point is the availability of the name and electronic communication address of the recipient with an affirmative declaration of intent on the fact that he/she has accepted the delivery of electronic messages.
Data Processing Performed Upon Legal Obligation of the Company or Due to Express Provision of the Law
Personal data may be processed without requiring additional consent when the processing is expressly stipulated in the respective legislation or for the aim of satisfying a legal obligation set forth therein. The type and scope of data processing shall be necessary for the legally approved data processing activity and shall comply with the respective legal provisions.
C. METHOD AND LEGAL PURPOSE OF PERSONAL DATA COLLECTION:
Your personal data shall be collected in any oral, written or electronic medium, in order to provide our products and services within the determined legal scope in line with the purposes mentioned above and, in this regard, to enable complete and accurate fulfillment of our contractual and legal obligations. Your personal data collected for such legal grounds is processed, recorded, transferred, shared and stored for the purposes set forth under item (B) of this notice pursuant to the personal data processing conditions and purposes stipulated under Articles 5 and 6 of the PPD Law.
D. PROCESSING SENSITIVE DATA:
According to the PPD Law, sensitive personal data entails an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, association, foundation or union membership, health, sexual life, data on penal convictions or security measures, as well as biometric and genetic data. Our Company takes adequate level of measures in processing sensitive personal data as also set forth by the Personal Data Protection Board. We shall process individuals’ sensitive data for providing better services only upon the consent of such individuals and only for serving the purpose of collection.
E. TO WHOM AND FOR WHICH AIM PROCESSED PERSONAL DATA CAN BE TRANSFERRED:
We may transfer your personal data to the following affiliates of Neptün Turizm ve Ticaret Anonim Şirketi:
Club Resort Atlantis Hotel
Maya Bistro Hotel Beach
as well as our shareholders, business partners, suppliers, legally authorized public institutions and private persons for serving the purposes set forth in Item (B) within the framework of the personal data processing conditions and purposes stipulated under Articles 8 and 9 of the PPD Law.
F. INTERNATIONAL TRANSFER OF PERSONAL DATA:
Our Company is entitled to international transfer of personal data under the terms determined by the Personal Data Protection Board in the PPD Law in compliance with the other conditions set forth in the law and upon the explicit consent of the individual in this regard. Currently, we are not engaged in any international transfer of personal data.
G. RIGHTS OF DATA SUBJECT PURSUANT TO ARTICLE 11 OF THE PPD LAW:
We acknowledge that under the PPD Law, a data subject has the right to be informed of and provide his/her consent before processing, recording, transferring, sharing and storing his/her personal data, and thereafter, to determine the destiny of his/her data. In this regard, if you communicate any requests about your rights as a personal data subject through the means set forth below under this “Information Notice About Personal Data Processing and Privacy Policy”, our Company shall finalize such request free of charge within a maximum period of thirty days depending on the nature of your request.
Pursuant to the Communique on the Procedures and Principles of Application to Data Controllers published by the Personal Data Protection Board, the following conditions shall apply to your requests about your rights as a personal data subject:
i. If your application is replied in writing, no fees shall be charged up to ten pages. For each page exceeding ten pages, a processing fee of TRY 1 may be charged.
ii. If the response is provided in a recording medium such as a CD or flash disk, any fee that we may charge as the data controller shall not exceed the cost of the recording medium.
In this regard, a personal data subject has the following rights:
a. To be informed as to whether his/her personal data has been processed,
b. If so, to request information about it,
c. To be informed as to the purpose of personal data processing and whether the data has been used in line with such purpose,
d. To be informed of any national or international third parties to whom the personal data has been transferred,
e. Where personal data has been processed deficiently or incorrectly, to request correction thereof and notification of such correction process to third parties to whom the personal data has been transferred,
f. To request deletion, destruction or anonymization of personal data pursuant to the terms set forth under Article 7 of the PPD Law and notification of such process to third parties to whom the personal data has been transferred,
g. To object to any outcome detrimental to the individual caused by the analysis of the processed data exclusively by automatic systems,
h. To claim compensation for any damages incurred due to personal data processing violating the law. On the other hand, an individual has no rights on data anonymized within the Company. We shall be entitled to share personal data with relevant institutions or organizations under business or contractual relationships, and for allowing a judicial duty or governmental authority to use its legal authorization.
H. PERIOD FOR PERSONAL DATA PROCESSING:
In accordance with the PPD Law, your personal data processed in line with the purposes set forth in this “Information Notice About Personal Data Processing and Privacy Policy” shall be deleted, destroyed or continued to be used by anonymization when the purpose requiring processing under Article 7/f.1. of the PPD Law concludes and/or the prescription period necessitating us to process your data under the legislation expires.
I. CIRCUMSTANCES IN WHICH OUR COMPANY MAY LAWFULLY PROCESS YOUR PERSONAL DATA WITHOUT YOUR EXPLICIT CONSENT:
Pursuant to Article 5 of the PPD Law, we may process your aforementioned legally acquired personal data without requiring your explicit consent under the following circumstances:
Situations expressly stipulated by law;
i. If processing is necessary to protect the vital interests and physical integrity of you as the data subject or of another person where you are physically or legally incapable of giving your consent or in circumstances where your consent is legally invalid,
ii. If processing of the personal data of the parties of an agreement is necessary provided that such processing is directly related to the establishment or performance of an agreement that you have executed with our company and its affiliates, or other real and/or legal entities indicated under Item (C).
iii. If processing is necessary for us to perform our legal obligations,
iv. If you have manifestly made your personal data public,
v. If processing is necessary for the establishment, exercise or defense of a right,
vi. If processing is necessary for our legitimate interests, provided that your fundamental rights and freedoms are not damaged.
MAXIMUM SAVINGS/SCRIMPING POLICY
Pursuant to our maximum savings/scrimping policy, the data obtained by NEPTÜN TURIZM shall be processed in the system only to the extent required. Thus, the data to be collected shall be determined according to the respective purpose. Unnecessary data shall not be collected. Other data submitted to our Company shall similarly be transferred to the corporate information systems. Excess information shall not be recorded but deleted or anonymized. Such data may be used for statistical purposes.
DELETION OF PERSONAL DATA
Our company shall delete, destroy or anonymize personal data automatically or upon the data subject’s request when the legal period for storage expires, judicial proceedings finalize or other requirements cease to exist.
DATA ACCURACY AND CURRENTNESS
As a rule, data contained within NEPTÜN TURIZM shall be processed in the way it has been declared by data subjects. NEPTÜN TURIZM is under no obligation to examine the accuracy of the data declared by clients or those persons who get into contact with NEPTÜN TURIZM nor is such verification possible in legal terms or in accordance with our working principles. Data declared shall be deemed accurate. The principle of accuracy and currentness of personal data has also been adopted by NEPTÜN TURIZM. We shall update the personal data processed on the basis of respective official documentation submitted to us or upon the request of the data subject. The necessary precautions shall be taken for this aim.
PRIVACY AND DATA SECURITY PRINCIPLE
The data of both employees and other persons at NEPTÜN TURIZM are confidential. Such data shall not be used by anyone for any other reason than contractual or legal compliance purposes, nor shall it be copied, reproduced or transferred to others beyond business purposes.
Personal data is private and NEPTÜN TURIZM complies with such privacy. Only authorized personnel may access personal data within the company. All necessary technical and administrative measures have been taken for protecting personal data collected by NEPTÜN TURIZM in order to prevent unauthorized access and suffering to data subjects. In this regard, we make sure that our software conforms to the prevailing standards, third parties are chosen diligently and the Privacy Policy is complied with internally. Further, we also ask the companies we lawfully share personal data with to ensure the protection of such data.
PROCESS SECURITY
All necessary technical and administrative measures have been taken for the protection of personal data collected by NEPTÜN TURIZM in order to prevent unauthorized access and suffering to data subjects. In this regard, we make sure that our software conforms to the prevailing standards, third parties are chosen diligently and Information Security principles are complied with internally. Our security measures are continuously renewed and improved.
AUDIT
NEPTÜN TURIZM shall have the necessary internal and external audits conducted about the protection of personal data.
NOTIFICATION OF VIOLATIONS
NEPTÜN TURIZM shall immediately take action upon any notification about any violation with regard to personal data. Any damages suffered by data subjects shall be minimized and compensated. Any external unauthorized capture of personal data shall be immediately notified to the Personal Data Protection Board.
J. FOR YOUR REQUESTS UNDER THE LAW ON THE PROTECTION OF PERSONAL DATA: