GDPR


ASSOS TROY PORT HOTEL PERSONAL DATA PROCESSING AND PROTECTION POLICIES

SECTION 1 – ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

Introduction

As Ertan Erhan Solmaz Gıda İnşaat Turizm Sanayi Ticaret ve Ltd. Şti. (Assos Troy Port Hotel) (“Company”), we place the utmost importance on the lawful processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”). We act with this awareness in all our planning and operations.

With this awareness, and in order to fulfill our obligation to inform as set forth in Article 10 of the Law and to disclose all administrative and technical measures we have taken regarding the processing and protection of personal data, we present this Personal Data Processing and Protection Policy (“Policy”) for your information.

Purpose

The main purpose of this Policy is to provide explanations about the systems related to the lawful processing and protection of personal data in accordance with the Law and its objectives. Within this scope, the aim is to inform individuals whose personal data are processed by our Company, primarily including:

• Company Stakeholders,

• Company Officials,

• Business Partners,

• Employee Candidates,

• Visitors,

• Customers of the Company and Group Companies,

• Potential Customers, and

• Third Parties.

This Policy also aims to ensure full compliance with the legislation in the personal data processing activities carried out by our Company and to safeguard all legal rights of data subjects.

Scope

This Policy has been prepared for individuals whose personal data are processed by our Company through automatic means or by non-automatic means provided that the data is part of a data recording system. This includes Company Stakeholders, Company Officials, Business Partners, Employee Candidates, Visitors, Customers of the Company and Group Companies, Potential Customers, and Third Parties.

This Policy shall not apply to legal entities and their data.

By publishing this Policy on our website, our Company informs the relevant Personal Data Subjects about the Law. For employees of the Company, the “Policy on the Processing of Personal Data for Employees” shall apply. In cases where the data is not considered “Personal Data” as defined below, or the data processing activity does not fall under the methods mentioned above, this Policy shall not be applied.

PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES SET FORTH IN THE LEGISLATION

Personal data is processed by Assos Troy Port Hotel only in accordance with the procedures and principles stipulated in the Law and other relevant legislation. While processing personal data, Assos Troy Port Hotel complies with the following principles:

1. Compliance with the law and the rules of honesty

Assos Troy Port Hotel processes personal data in line with the principles introduced by relevant legislation and the principle of good faith. The Company ensures proportionality and refrains from using personal data beyond what is necessary for the purpose of processing.

2. Accuracy and being up to date when necessary

Assos Troy Port Hotel considers the fundamental rights and interests of personal data subjects and ensures that the personal data it processes is accurate and kept up to date. Necessary measures are taken in line with this principle.

3. Processing for specific, explicit, and legitimate purposes

Assos Troy Port Hotel determines the legitimate and lawful purposes for processing personal data in a clear and definite manner. It processes personal data only to the extent required by the services it provides and in connection with those services. The purpose of processing is defined before the data processing activity begins.

4. Being relevant, limited and proportionate to the purpose for which they are processed

Assos Troy Port Hotel processes personal data in a manner appropriate to the realization of the defined purposes. The Company avoids processing personal data that is not related to or not required for the realization of the intended purposes.

5. Retention for the period stipulated in relevant legislation or required for the purpose of processing

Assos Troy Port Hotel retains personal data for the period specified in the relevant legislation or for the time necessary for the purpose for which they are processed. If the legislation does not specify a retention period, the data is retained for the period needed to fulfill the purpose of processing. Once this period expires or the reason requiring data processing ceases to exist, the personal data is deleted, destroyed, or anonymized by the Company.

PURPOSES OF PROCESSING PERSONAL DATA

Under the legal conditions specified above, Assos Troy Port Hotel may process personal data for the purposes listed below, including but not limited to the following:

1. For the execution of commercial activities carried out by the Company:

• Ensuring the planning and execution of business operations and business continuity,

• Follow-up of financial and/or accounting affairs,

• Management of event methods,

• Providing legally required information to authorized institutions,

• Planning and execution of corporate communication activities,

• Planning and execution of operational processes,

• Planning and execution of access authorizations for business partners and/or suppliers.

2. For enabling the use of products and services offered by the Company:

• Planning and execution of customer relationship management processes,

• Tracking customer requests and/or complaints,

• Planning and execution of marketing processes related to products and/or services,

• Planning and/or execution of after-sales support services,

• Monitoring contract processes and/or legal demands.

3. For offering personalized products and services to data subjects based on their preferences and needs:

• Planning and execution of market research activities for sales and marketing,

• Planning and execution of sales and after-sales operations and purchasing processes,

• Planning and/or execution of loyalty-building or enhancement processes related to products and/or services offered by the Company.

4. For ensuring the execution of the Company’s human resources policies:

• Fulfilling obligations regarding occupational health and safety and taking necessary precautions,

• Evaluating job applications in accordance with HR policies,

• Fulfilling obligations arising from employment contracts and/or applicable legislation,

• Carrying out hiring and exit procedures,

• Managing wage and performance processes,

• Managing payroll processes,

• Planning and/or execution of internal training activities,

• Conducting other HR operations.

5. For ensuring the legal and commercial security of the Company and its business partners:

• Following legal affairs of the Company,

• Planning and execution of operational activities in accordance with the Company’s procedures and relevant legislation,

• Creating and tracking visitor records,

• Ensuring the security of the Company premises,

• Ensuring the safety of company assets and/or resources,

• Ensuring the security of Company operations,

• Planning and execution of emergency management processes,

• Planning and/or execution of the Company’s financial risk processes.

6. For determining and implementing the Company’s commercial and business strategies:

• Company’s financial operations, communications, market research and CSR activities,

• Purchasing operations, product/project/investment quality processes and operations,

• Internal system and application management operations,

• Planning and/or execution of external training activities,

• Management of relationships with business partners and/or suppliers.

CATEGORIZATION OF PERSONAL DATA

In accordance with Article 10 of the Personal Data Protection Law (KVKK), individuals are informed, and within the scope of our Company’s legitimate and lawful personal data processing purposes, personal data is processed based on one or more of the legal grounds specified in the Law. These processes are conducted in accordance with the general principles stated in Article 4 of the Law, as well as all other applicable obligations in the Law, and are limited to the durations defined in this Policy.

The categories of personal data processed by our Company are defined in Annex 3 of this Policy.

Additionally, definitions and explanations regarding the terms “customer,” “potential customer,” “visitor,” “employee candidate,” “board member,” real persons in institutions we collaborate with, and third parties related to them are detailed in Annex 8.

Further, in Annex 9, the categories of personal data subjects mentioned above and the types of personal data processed for each category are explained in detail.

CONDITIONS FOR PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA

Our Company handles the processing of special categories of personal data with utmost sensitivity and in strict compliance with the regulations set out in the Personal Data Protection Law (KVKK).

According to Article 6 of the KVKK, certain personal data that may lead to discrimination or victimization if processed unlawfully are defined as special categories of personal data. These include:

Race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and appearance, membership of associations, foundations or trade unions, health data, sexual life, criminal convictions and security measures, and biometric and genetic data.

Processing Conditions

In compliance with the KVKK, Assos Troy Port Hotel may process special categories of personal data under the following conditions:

1. If the data subject has given explicit consent, or

2. If the data subject has not given explicit consent:

• For special category personal data other than health and sexual life (e.g., ethnic origin, political opinion), the data may be processed if explicitly permitted by law.

• For special category personal data related to health and sexual life, processing is only permitted if it is:

• For the protection of public health,

• Preventive medicine,

• Medical diagnosis,

• Execution of treatment and care services,

• Planning and management of health services and their financing,

and is carried out by persons or institutions under a confidentiality obligation.

TRANSFER OF PERSONAL DATA

Taking into account the nature of its commercial activities, Assos Troy Port Hotel may transfer personal data and special category personal data of data subjects to third parties, provided that it takes all necessary security measures and complies with the purposes of lawful data processing as stipulated by the Law and other relevant legislation.

Furthermore, Assos Troy Port Hotel may transfer personal data to:

• Foreign countries declared by the Board as having adequate protection (“Countries with Adequate Protection”), or

• In the absence of adequate protection, to foreign countries where data controllers in Turkey and the respective foreign country provide a written undertaking of adequate protection and receive authorization from the Board (“Countries Where the Data Controller Undertakes Adequate Protection”).

In this regard, the Company acts in full compliance with the provisions set forth in the Law.

Transfer of Personal Data to the Following Categories of Recipients

In accordance with Articles 8 and 9 of the KVKK, our Company may transfer personal data of customers to the following categories of recipients:

• Business Partners of Assos Troy Port Hotel,

• Suppliers of Assos Troy Port Hotel,

• Authorized public institutions and organizations,

• Authorized private legal entities.

Below are the definitions of these categories and the purposes for which personal data may be transferred to them:

Recipient Category: Business Partner

• Definition: Parties that provide services to our Company based on contractual relationships in line with our Company’s instructions and for business operations.

• Purpose of Transfer: Limited to the fulfillment of the purposes of the business partnership.

Recipient Category: Supplier

• Definition: Parties providing services to our Company from which our Company procures external services necessary to fulfill its commercial activities.

• Purpose of Transfer: Limited to the provision of externally sourced services to our Company.

Recipient Category: Authorized Public Institutions

• Definition: Public institutions and organizations that are legally authorized to request information and documents from our Company.

• Purpose of Transfer: Limited to the purpose for which the relevant public authority is authorized under applicable legislation.

Recipient Category: Authorized Private Entities

• Definition: Private legal persons authorized to request information and documents under the relevant legislation.

• Purpose of Transfer: Limited to the purpose for which the relevant private entity is authorized under applicable legislation.

TRANSFER OF SPECIAL CATEGORY PERSONAL DATA ABROAD

Assos Troy Port Hotel, by exercising due care, taking necessary security precautions, and complying with the adequate safeguards determined by the Personal Data Protection Board (the “Board”), may transfer special category personal data abroad under the following conditions and for legitimate and lawful data processing purposes:

1. If the data subject has given explicit consent, or

2. If the data subject has not given explicit consent:

• Special category personal data other than health and sexual life (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association/foundation/trade union membership, criminal convictions and security measures, biometric and genetic data) may be transferred if permitted by law.

• Special category personal data related to health and sexual life may only be transferred for the following purposes:

• Protection of public health,

• Preventive medicine,

• Medical diagnosis,

• Execution of treatment and care services,

• Planning and management of health services and their financing,

and only by persons under confidentiality obligations or authorized institutions and organizations.

PERSONAL DATA PROCESSING ACTIVITIES AT THE WORKPLACE AND FOR WEBSITE VISITORS

Assos Troy Port Hotel processes personal data for the purposes of ensuring security through CCTV surveillance and tracking guest entries and exits. By using surveillance cameras and recording guest movements, the Company carries out personal data processing activities in line with the applicable legislation.

Assos Troy Port Hotel ensures that all data processing through these methods complies with the Constitution, the KVKK, and other relevant legislation.

The CCTV monitoring activity is conducted to:

• Enhance the quality of services provided,

• Ensure the reliability of the hotel,

• Ensure the security of Assos Troy Port Hotel, its visitors, and other individuals,

• Protect the interests of guests in relation to the services they receive.

Digital recordings made within the premises of Assos Troy Port Hotel are accessible only to a limited number of authorized personnel. These individuals have signed confidentiality agreements declaring they will protect the privacy of the data they access.

When guests enter Assos Troy Port Hotel, their full names are obtained and recorded to track guest entry and exit. These personal data are only processed for this specific purpose and may be recorded in physical form within the data recording system. Guest logs are kept by the hotel’s own security personnel.

PROTECTION OF PERSONAL DATA

MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA

Our Company, in compliance with Article 12 of the Personal Data Protection Law (KVKK), takes the necessary technical and administrative measures to:

• Prevent unlawful processing of personal data,

• Prevent unlawful access to personal data,

• Ensure the safe storage of personal data.

Within this framework, the Company also conducts or commissions necessary audits.

TECHNICAL AND ADMINISTRATIVE MEASURES TO ENSURE LAWFUL PROCESSING OF PERSONAL DATA

To ensure the lawful processing of personal data, our Company takes technical and administrative measures in line with technological capabilities and implementation costs.

• Employees are informed and trained regarding the law on the protection of personal data and the lawful processing of personal data.

• All Company activities are analyzed in detail across business units to identify personal data processing activities.

• Compliance requirements under the Law are determined for each business unit and activity.

• Awareness is raised in relevant departments, implementation rules are defined, and necessary administrative controls are implemented through internal policies and training.

SECURE STORAGE OF PERSONAL DATA

Assos Troy Port Hotel takes all necessary technical and administrative measures to ensure that personal data is stored in secure environments and is protected against unlawful destruction, loss, or alteration, considering technological capabilities and implementation costs.

To ensure secure storage, the following precautions are taken:

• Technological systems appropriate to current developments are used for storing personal data.

• Technical security systems are installed for storage areas, regularly monitored, and updated based on risk evaluations.

• Backup programs are used lawfully to ensure the safe preservation of data.

• Employees are trained on secure data storage practices.

• If an external service provider is used due to technical requirements, contracts include clauses that obligate these providers to implement and ensure compliance with personal data protection measures.

OTHER PROVISIONS

ENTRY INTO FORCE

This Policy entered into force on May 1, 2022. It is published on the official website of Assos Troy Port Hotel and made available to relevant individuals upon request.

ACCEPTANCE AND UNDERTAKING

A copy of this Policy is provided to the Data Controller and all Assos Troy Port Hotel personnel.

To be binding on the Data Controller, the “Personal Data Retention and Destruction Policy Acceptance and Undertaking Form” found in Annex-5 must be signed.

To be binding on Assos Troy Port Hotel personnel, the same form must be signed and submitted to the Company.

Once signed by the Data Controller and the relevant personnel, this Policy becomes binding for both parties.

OTHER REGULATIONS

This Policy supersedes and nullifies any previous regulations and annexes concerning the processing of personal data that were in effect prior to its issuance.

Identity Information

All information found in documents such as ID card, driver’s license, residence certificate, passport, marriage certificate, bar association card, etc.

Contact Information

Information such as phone number, address, and email, identifying a specific individual.

Location Data

Data indicating the location of the data subject while using our services or while using company vehicles.

Customer Information

Data generated or obtained through commercial operations related to customers or prospective customers.

Family Members and Relatives

Information about the family or close relatives of the data subject, processed for protecting their own or the company’s legal interests.

Customer Transaction Information

Records and instructions regarding the use of products or services by the customer.

Physical Space Security Data

Records and documents such as camera footage obtained during entrance to and stay within physical premises.

Transaction Security Information

Data processed to ensure the technical, administrative, legal, and commercial security of our business activities.

Risk Management Information

Data processed through legally accepted methods to manage commercial, technical, or administrative risks.

Financial Information

Data showing financial outcomes of legal relationships with individuals, such as invoices, payment records, etc.

Personnel Information

Any data processed to establish the basis of employment rights of employees or individuals in a working relationship with the Company.

Employee Candidate Information

Data regarding individuals who apply to work at the Company or are considered as candidates in line with human resources needs.

Employee Transaction Information

Data related to any professional activity carried out by an employee.

Employee Performance & Career Info

Data related to performance evaluation and career planning of employees or associates.

Fringe Benefits and Entitlements

Data processed for planning and monitoring fringe benefits or related entitlements.

Legal Process and Compliance Data

Data processed in relation to legal obligations, rights enforcement, and compliance with Company policies.

Audit and Inspection Data

Data processed to ensure compliance with legal obligations and internal company policies.

Special Category Personal Data

Personal data defined as “sensitive” in Article 6 of KVKK.

Marketing Information

Data processed to personalize product and service marketing according to preferences, usage habits, and needs.

Request/Complaint Management Info

Data related to all kinds of requests or complaints submitted to the Company.

6698 KVKK DATA SUBJECT APPLICATION FORM

GENERAL INFORMATION

Pursuant to the Personal Data Protection Law No. 6698 (“KVKK”), individuals defined as data subjects are granted certain rights under Article 11 of the Law concerning the processing of their personal data.

According to Article 13, Paragraph 1 of the KVKK, applications regarding these rights must be submitted to our institution, the Data Controller, via one of the methods listed below:

Application Methods:

Application Method: In person or via notary, with a signed petition and an ID

Address to Send the Application: Assos Kadırga Koyu No:15, Behram / Ayvacık / ÇANAKKALE

Notes: Envelope should state: “Information Request under the Law on Protection of Personal Data”

All applications submitted to us will be responded to within thirty (30) days at the latest, depending on the nature of the request, as stipulated in Article 13/2 of the KVKK. Our responses will be sent in writing or electronically, depending on your chosen method of communication.

Data Subject Contact Information:

• Full Name:

• National ID Number:

• Phone:

• Email:

• Address:

Your Relationship with Our Institution:

(Please check the applicable box and provide relevant details.)

• Former Employee – Years Worked:

• Visitor – Contact Person / Department:

• Hotel Guest – Dates of Stay:

• Shared Resume – Date Submitted:

• Supplier / Service Provider – Company & Position:

• Other – Please specify:

Details of Your Request (under KVKK):

(Please clearly describe your request related to the Personal Data Protection Law.)

Preferred Method of Notification:

• Send to my address.

• Send to my email address.

• Send to my KEP (Registered Electronic Mail) address.

This application form has been prepared to identify your relationship with our institution and to respond to your request properly and within legal time limits. To avoid unauthorized and unlawful sharing of personal data, and to ensure data security, our Company reserves the right to request additional documentation for identity verification (e.g., copy of ID, driver’s license, etc.).

If the information you provide is inaccurate or out-of-date, or if the request is made by an unauthorized third party, our Company does not accept responsibility for such errors or unauthorized requests.

Signature of the Data Subject:

• Name & Surname:

• Date of Application:

• Signature: