KVKK & Privacy Policy

CONTRACTS

KVKK POLICY AND RELATED TEXTS

TERMS and CONDITIONS OF USE

COOKIE POLICY

POPD Application Form

Personal Data Protection Law & Privacy Policy

DEFINITIONS

Explicit Consent means freely given, specific and informed consent,
Anonymization means rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data.
Application Form The form submitted in the annex of this Policy, containing the application of the data subject to use his/ her rights within the framework of the relevant legislation.
Website Websites thestay.com.tr and thestayline.com owned by the Company
Business Partner Natural or legal persons with whom the Company has established business partnerships for purposes such as carrying out various projects, receiving services, personally or together with their shareholders, companies or group companies while carrying out its commercial activities.
Personal Data means any information relating to an identified or identifiable natural person,
Processing of Personal data means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,
Personal Data of Special Nature Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data
Data Subject means the natural person, whose personal data are processed.
Data Processor  means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
Data Controller means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system

 

ABBREVIATIONS

KVKK Law on Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677
KVK Board Personal Data Protection Board
Company Depot Konaklama Hizmetleri A.Ş.
Policy Protection on Personal Data and Privacy Policy prepared by Depot Konaklama Hizmetleri A.Ş.

PERSONAL DATA PROTECTION AND PRIVACY POLICY

  1. INTRODUCTION

As Depot Konaklama Hizmetleri A.S (“Company”), attach great importance to the protection of the personal data of our business partners, shareholders, employees and potential employees who apply to our company, our customers who request and receive service from hotels owned by our Company and/or purchase products through our Company’s website thestayline.com, our users and members to the website, other natural persons who have a relationship with us by visiting our hotels, our Websites, or through our social media accounts or in any other way; persons who contact us/contract with us personally or as a representative of a company or organization.

As the Company, we have prepared this Personal Data Protection and Privacy Policy (“Policy”) to ensure compliance with the Law on Protection of Personal Data No. 6698 and other regulations and to disclose our principles regarding the processing of personal data within the framework of KVKK.

  1. PURPOSE AND SCOPE

KVKK was published in the Official Gazette dated 7 April 2016 and numbered 29677. KVKK is enacted to protect the fundamental rights and freedoms of natural persons whose personal data are processed, including the privacy, and to determine the obligations of natural and legal persons who process personal data.

The purpose of this Policy is to determine the necessary management instructions, procedures and conditions and to establish a technical method to ensure that personal data is processed and protected by the Company in accordance with KVKK.

This Policy is implemented in the operations carried out for the processing and protection of all personal data that the Company obtains as “Data Controller” and/or “Data Processor”. The policy has been prepared based on the KVKK and other regulations on the processing and protection of personal data.

III. PERSONAL DATA 

  1. Definition of Personal Data

Within the framework of article 3/I(d) of the KVKK, “personal data” means any information regarding natural persons with an identified or identifiable identity. In this regard, anonymous information, anonymized information and other data that cannot be associated with a specific person are not considered personal data within the scope of this Policy.

  1. General Principles for Processing of Personal Data 

Within the framework of Article 3/I(e) of the KVKK, any operation that can be carried out on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over personal data, making it available, classifying or preventing its use completely or partially automatically or non-automatically, provided that it is a part of any data recording system falls within the scope of “data processing”.

The following principles shall be complied within the processing of personal data:

  1. a) Lawfulness and fairness
  2. b) Being accurate and kept up to date where necessary.
  3. c) Being processed for specified, explicit and legitimate purposes.

ç) Being relevant, limited and proportionate to the purposes for which they are processed.

  1. d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

In this regard, your personal and/or personal data of special nature received within the scope of KVKK and other regulations in written, verbal or electronic media by the Company, through Hotels or the Website and any channels without limitation can be obtained, recorded, stored, stored, preserved, changed in the ways stipulated in the KVKK, for legal reasons or in line with the legal and actual requirements of the product sales and service provided by the Company and can be shared with natural or legal persons in the country and abroad, as deemed appropriate by the Company and can be processed by other methods.

  1. Data processed by the Company 
  2. In general

The company can process general and special personal data with the explicit consent of the data subject or without explicit consent in cases stipulated in Articles 5 and 6 of the KVKK.

Including but not limited to the Law on the Protection of Consumers No. 6502, the Regulation on Distance Contracts introduced within the scope of this law, the Law No. 6563 on the Regulation of Electronic Commerce, the Regulation on Service Providers and Intermediary Service Providers in Electronic Commerce based on this law, Labor Law No. 4857, Social Insurance and General Health Insurance Law, No. 5510, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, Identity Reporting Law No. 1774, and all other regulations and directives an communiques related to these laws, personal data can be processed by the Company.

(i) Additional data, such as given name, family name, profession, CV, profession, gender, marital status, nationality for recognizing and distinguishing the data subject,

(ii) In cases where proof of identity is required, data contained in documents for identification purposes such as identity card, passport, driver’s license,

(iii) Contact information such as address, telephone, e-mail and fax number and mobile phone number of the place of residence, workplace or temporary residence,

(iv) Communication records such as telephone conversations, e-mail correspondences with the Company and other audio and video data, complaint and request records

(v) Data for determining consumer and user habits to improve service and product sales standards, and website usage data,

(vi) Internet protocol (IP) address, device ID, website views, statistics on mobile and other digital applications, inbound and outbound traffic information, redirect URL, internet log information, location information, sites visited and visits to our websites, advertising and electronic Information on transactions and actions carried out through our mail contents

  1. Specifically

Personal data that can be processed by the Company in line with the legitimate interests of the Company, in the light of other regulations and the principles set forth in this Policy, are listed below.

  1. Data on Website Users and online visitor data: Identity Information (name, surname, date of birth, gender, Turkish citizenship number), Location Information (the region/city the user is located), Contact Information (mobile phone, e-mail address, postal address, etc.), User Information (Membership information, User ID number, etc.), IP address, Transaction Security Information (Password information, etc.), Cookie records, User and/or Visitor habits and preferences, data and evaluations showing the User and/or Visitor’s approval/permission for commercial electronic message, Membership and User Agreement approved by the User and/or Visitor, other information on the Website and approved by the User and/or Visitor, written texts, commercial electronic messages sent within the scope of the consent given by the User and/or Visitor, records related to the management of the request and complaint processes.
  2. The data of the Buyer purchasing the product offered for sale by the Seller, the Product and the person who will use the Product: Buyer’s identity information, Contact Information (mobile phone, e-mail address, address, etc.), billing information, type, quantity, price, order date of the product purchased, data of the person purchasing the product, discount coupons used during shopping, campaigns, if any; commercial electronic message permission given by the Buyer in electronic environment, Distance Sales Agreement and Preliminary Information Form approved by the Buyer, other written texts approved by the Buyer, commercial electronic messages sent within the scope of the Buyer’s approval, records related to the management of the request and complaint processes, IP address, password, password information.

iii. Data regarding the Hotel Customer: Identity Information (Name, surname, date of birth, gender, Turkish citizenship number, passport information), Contact Information (mobile phone, e-mail address, address, etc.), written texts approved by the customer, Customer Commercial electronic messages sent within the scope of the approval given by the Customer, records regarding your marketing and communication preferences, your IP address, the pages you view on the hotel’s website, data identifying your mobile device if you visit our website on your mobile device, and any other information that you have expressly preferred and approved to give to us or that we can obtain from third parties with your explicit consent.

  1. Data of the Candidate Employee /Person making Job Application: Identity Information (Name, surname, date of birth, gender, Turkish citizenship number), Contact Information (mobile phone, e-mail address, address, etc.), education history, employment history, CV information
  1. Purposes of Processing Personal Data 

The Company may process personal data for the purposes stated below and may be retained for the period required for these purposes and in any case for the periods required under the regulations.

  1. Fulfilling all legal and administrative obligations,
  2. Negotiation, establishment and performance of contracts concluded/to be concluded,
  3. Providing accommodation services in hotels,
  4. Processing of data of online visitors within the scope of regulations,
  5. Performing the membership process by the Users through the website, creating and arranging the personal account of the Members/Users on the website and managing the membership transactions through the personal account, informing the persons and Members/Users upon approval of commercial electronic messages about the campaigns and opportunities or presenting prices, marketing, other opportunities, benefits, offers and information to Members/Users,
  6. Making purchases of the products offered for sale on the website,
  7. Following up purchasing transactions and accounting processes,
  8. Ensuring the security of all websites and other electronic systems, social media accounts and physical environments of the Company,
  9. Promotion and marketing of the company’s products and services, and their development, questionnaires and polling, and obtaining the opinion of the data subject,
  10. Birthday celebrations, being included in raffles, campaigns or competitions, giving gifts and other similar events, promotions and campaigns in favor of the data subject,
  11. Investigation, detection, prevention of violations of the contract and the law and reporting them to the relevant administrative or judicial authorities,
  12. Resolving current and future legal disputes,
  13. Answering requests and questions, reviewing and solving complaints
  14. Carrying out corporate and partnership transactions,
  15. Execution of recruitment processes within the framework of human resources policies,
  16. Evaluating and finalizing the job applications and communicating with job applicants,
  17. Mandatory data processing for the establishment, exercising or protection of a right,
  18. Protection of the Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.
  1. Transfer of Personal Data within Turkey and abroad

Provided the Company complies with the general principles listed in the KVKK and the terms stipulated in Articles 8 and 9 of the KVKK, it may transfer the personal data obtained to third parties for the purposes specified in this Policy, take the necessary security measures and may process and store on servers or other electronic media. The third parties to whom personal data can be transferred may vary depending on the type and nature of the relationship between the data subject and the Company (/user/membership, business relationship, etc.) such as: (i) Company Group Companies, (ii) the depositories, platform owners, data broadcasters, infrastructure providers and other business partners, suppliers and subcontractors that the Company works with, (iii) any authorities and institutions, (iv) banks for collection purposes and/or institutions authorized by the Company for collection and other relevant third parties to carry out the activities related to these purposes.

  1. Method of Personal Data Collection 

The Company may obtain personal data in written, oral, audio or video recording or other physical or electronic forms for the purposes specified in this Policy, within the framework of the conditions set forth in Articles 5 and 6 of the KVKK. Besides, personal data may be collected through channels such as hotels, headquarters and other physical environments of the Company, websites, mobile applications, electronic transaction platforms, social media and other public channels or events organized, sales and marketing units, customer forms, digital marketing that data subject may contact, contracts, applications, forms, offers, and cookies used in website visits.

  1. Retention Period of Personal Data 

Except for cases where there is a legal requirement or permit for longer retention periods, the Company retains personal data it processes for the periods specified in the KVKK and other regulations, by obtaining the data in accordance with the KVKK in line with the purposes set out in this Policy and the Personal Data Retention and Destruction Policy.

If the purpose of processing personal data ends and the retention periods determined by the Company in accordance with the KVKK and other regulations, the personal data only serves as evidence in any likely legal disputes and is retained to claim the relevant right related to the personal data and/or to defense the rights or present such when requested by the authorities. In determination of the aforementioned periods, the statute of limitations and retention periods specified in the relevant regulation are taken as basis in order to claim the aforementioned right. In this case, the personal data stored is not accessed for any other purpose, and personal data is only provided when necessary for use in the relevant legal dispute.

The specified periods are reviewed by the Company, and the personal data, the retention period of which expires are deleted, destructed or anonymized by the Company in accordance with the KVKK, as detailed in the Personal Data Retention and Destruction Policy.

  1. Security and Control of Personal Data 

The Company takes the necessary technical and administrative measures to ensure the appropriate level of security as a “data controller” within the framework of article 12 of the KVKK, the Company to prevent the unlawful processing of personal data and illegal access to the data, and to ensure the preservation of personal data. For this purpose, (i) activities are carried out in accordance with the internal policies and rules prepared for the protection of personal data, (ii) necessary training and responsibilities are provided to the employees regarding the personal data protection law and the internal policies and rules prepared accordingly, (iii) all necessary declarations and commitments are taken for the confidentiality and protection of data from the employees, persons and institutions that process data on behalf of the Company, (iv) necessary information security measures are implemented to ensure the security of personal data and to prevent unauthorized access to data inside and outside the Company, (v) the internal policies and rules established are complied with for the protection of personal data, (vi) the adequacy of the measures taken is checked and new data security systems are provided according to the requirements and/or existing data security systems are developed, updated and necessary audits are made in this regard.

  1. The measures taken by the Company for the Protection and Security of Personal Data

The Company;

  1. ensures that all personal data collected is processed in accordance with the principles listed in Article 4 and the terms specified in Articles 5 and 6 of the KVKK
  2. fulfills the “Information and Disclosure Obligation”, which is the responsibility of the data controller pursuant to the KVKK, through the Disclosure Texts posted on the internet and all other relevant platforms.
  3. creates the necessary infrastructure to provide “explicit consent” for the supply and processing of personal data in accordance with KVKK, if required by law, in its capacity as Data Controller.
  4. creates the necessary infrastructure for the provision of personal data in accordance with KVKK and makes the necessary revisions in the applications within the Company for communication, marketing, opportunity notifications and promotional purposes.
  5. takes the necessary measures by establishing the necessary conditions for the provision and preservation of personal data in accordance with KVKK for job applications and recruitment processes.
  6. Deletes, destructs or anonymizes personal data that has been processed in accordance with the provisions of the KVKK and other regulations, in the event that the reasons for its processing disappear and the periods specified in the article titled “Personal Data Retention Periods” of this Policy and the Personal Data Retention and Destruction Policy expire, ex officio or upon the request of the relevant person in a way that cannot be used or restored in any way. The Company imposes restrictions pursuant to KVKK regarding in-house data access authorizations to ensure data security carries out the destruction of data deemed necessary.
  7. takes any technical and administrative measures to prevent unlawful processing of personal data and illegal access to this data, and to ensure that personal data is retained in accordance with KVKK; also configures existing encryption systems by developing in-house encryption policies for data security and secure storage.
  8. takes the necessary in-house measures to prevent data leaks with company applications and external support products.
  9. determines the legal retention periods in accordance with the relevant regulations, develops and puts into effect the storage policies according to company practices and the nature of the data obtained.
  10. takes measures to prevent unauthorized access and use of the personal data processed, transferred or received by different departments within the Company and by natural or legal persons who process personal data on behalf of the Company, based on the authorization given by the Company.
  11. periodically audits the personal data protection activities carried out by natural or legal persons who process personal data on behalf of the Company based on the authorization has given by the company.
  12. takes all technical and administrative measures to prevent damage to those concerned pursuant to the relevant regulations on the protection of personal data and the decisions of KVK Board despite the necessary technical and administrative measures on processing, transfer and storage of personal data; if third parties have unlawful access to personal data.
  13. Periodically monitors and audits that the data recording systems used within the company are established and used in accordance with the KVKK and relevant regulations
  14. Rights of the Data Subject under KVKK

Each person has the right to request;

  1. a) to learn whether his/her personal data are processed or not,
  2. b) to demand for information as to if his/her personal data have been processed,
  3. c) to learn the purpose of the processing of his/her personal data and whether these personal

data are used in compliance with the purpose,

  1. d) to know the third parties to whom his personal data are transferred in country or abroad,
  2. e) to request the rectification of the incomplete or inaccurate data, if any,
  3. f) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7 of KVKK,
  4. g) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
  5. h) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
  6. i) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

If data subjects wish to exercise any of their rights mentioned above, they must fill in the application form attached to this Policy and send a signed copy together with the information and documents to identify them to the Company’s address in Harbiye Mah. Kadırgalar Cad. No:6 Kat:3 Maçka, Şişli / Istanbul, in person or via a notary public. In the event that the Personal Data Protection Board decides to transmit the requests by means other than those specified above, the ways in which the applications can be submitted will be announced separately.

The company shall review and finalize the duly received requests from the data subjects as soon as possible, and in any case, within 30 (thirty) days at the latest, depending on the nature of the request, within the framework of Article 13 of the KVKK.

While the requests of data subjects shall be concluded free of charge as a rule, if the response of the request requires an additional cost, a fee may be charged within the framework of the relevant regulation.

  1. COOKIES AND SIMILAR TECHNOLOGIES 

While accessing the website, electronic platforms, mobile and digital applications or e-mail messages or advertisements sent through websites owned by the Company, small data files that enable the recording and collection of certain data by technical means may be placed in the visitor’s computers, mobile phoned, tablet pc, or other devices accessed/used to show customized content to visitors and to engage in online advertising activities. These data files placed on computers and other devices may be cookies, pixel tags, flash cookies and web beacons, as well as other technologies for data storage purposes. (shortly “Cookies”)

It is possible to collect personal data through cookies, and such data may be processed by the Company within the scope of this Policy and KVKK to the extent that the data obtained through cookies constitute personal data under Turkish law. The user can remove cookies and reject cookies by closing the warnings. If the user refuses cookies, s/he may continue to use the website in question, but may not be able to access all functions or his/her access may be limited. Detailed information about cookies and the use of cookies can be found in thestayline.com Cookie Policy.

  1. WEBSITES, PRODUCTS AND SERVICES OF THE THIRD PARTIES 

The websites, platforms and applications of the Company may contain links to third-party websites and products. These links are subject to the privacy policies of third parties and third parties and third-party sites are independent of the Company and the Company shall not be responsible for the privacy practices of third parties under any circumstances.

  1. AMENDMENTS 

The Company is entitled to make amendments in this Personal Data Protection and Privacy Policy from time to time, including but not limited to, the provisions of the Regulation to be issued in accordance with the KVKK and for other reasons. The current version of the Policy shall be published on the websites of the Company and made available to users and members on their websites.

VII. ENTRY INTO FORCE

This Policy shall enter into force on the date of its publication and remain in effect until it is removed from the website.

ANNEX- DATA RETENTION AND DESTRUCTION POLICY OF THE COMPANY

  1. DEFINITIONS
Relevant User Except for the person or department in charge of technical storage, protection and backup of the data, they are the persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller.
Destruction means the deletion, destruction or anonymization of personal data.
Periodic Destruction refers to the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in the event that all of the personal data processing conditions in the law no longer exist.
Deletion of Personal Data Refers to the process of making personal data inaccessible and unusable for the relevant users in any way.
Destruction of Personal Data  Refers to the process of making personal data inaccessible, irretrievable and reusable by anyone in any way.
Anonymization of Personal Data means rendering of personal data in no way associated with an identified or identifiable natural person, even by matching with other data.
  1. PURPOSE AND SCOPE OF PERSONAL DATA RETENTION AND DESTRUCTION POLICY

The purpose of this Retention and Destruction Policy is to establish a policy on management instructions, procedures and a technical policy to ensure that the obligations arising from the Regulation are fulfilled for deletion, destruction or anonymizing personal data in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which entered into force and published in the Official Gazette dated 28.10.2017 and numbered 30224, constituting the KVKK and the secondary regulation of the KVKK in case the reasons for the processing disappear and the legal retention periods expire despite the fact that the Company’s personal data of the persons concerned are processed, stored, protected and processed in accordance with the Law on the Protection of Personal Data (“Law” or “KVKK”) and to fulfill obligations under the Regulation.

This Retention and Destruction Policy is applied in the operations related to the storage and destruction of personal data processed by the Company.

This Storage and Destruction Policy hereby has been prepared based on the KVKK, the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” and other regulations on the storage and destruction of personal data.

III. DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA BY THE COMPANY

Personal data is retained by the Company only within the retention and limitation periods specified in the relevant regulation and/or for the period required for the purpose for which they are processed. Accordingly, the Company first determines whether there is any period and/or statute of limitations regarding the storage of personal data in the relevant regulations and stores personal data complying with these periods. If no period is stipulated in the relevant regulations, personal data is stored pursuant to the KVKK and for the period necessary for the purpose for which they are processed.

As specified in Article 7 of the KVKK, if the reasons for processing of personal data no longer exist and/or the legal retention periods expire, personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the relevant person in accordance with Articles 8,9 and 10 of the Regulation on “Deletion, Destruction or Anonymizing Personal Data”.

In order to fulfill its obligations arising from the Law and the Regulation, the Company has taken necessary technical and administrative measures, developed the necessary working mechanisms and given training to the relevant departments and makes the necessary assignments in this regard.

  1. CIRCUMSTANCES REQUIRING THE DESTRUCTION OF PERSONAL DATA AND METHODS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
  2. Circumstances requiring the destruction of Personal Data

Pursuant to the KVKK and the Regulation, the personal data of the data subjects are deleted, destroyed or anonymized by the Company ex officio or upon request in the following cases:

  1. If the provisions of relevant regulations, which are the basis for the processing, storage and retention periods of personal data are amended and/or repealed in a way that eliminates the obligation regarding the storage of personal data,
  2. the purpose that requires the processing or storage of personal data no longer exists,

iii. “Personal Data Processing Conditions” specified in Articles 5 and 6 of the Law no longer exist

  1. In cases where the processing of personal data takes place only on the basis of “explicit consent” and the data subject withdraws his consent,
  2. Approval of the application made by the data subject for deletion, destruction or anonymization of his/her personal data within the scope of the rights referred to in point 1/e-f of Article 11 of the KVKK,
  3. Decision by the Board on the deletion, destruction or anonymization of personal data,

vii. Following the expiry of the maximum period requiring to retain personal data, there are no legal requirements to justify retention of personal data for a longer period of time.

  1. Methods of Deleting, Destroying and Anonymizing Personal Data

While destroying the personal data, the company uses deletion, destruction or anonymization methods in accordance with KVKK:

  1. Deletion Methods: According to the nature of the personal data and the media in which it is stored, the company uses one or more of the methods of deletion such as deletion, from the database and blackout.
  2. Destruction Methods: According to the nature of personal data and the media it is stored, the company uses one or more of the methods of physically destroying, such as demagnetizing and overwriting.

iii. Anonymization Methods: To anonymize personal data, the Company uses one or more methods such as regional hiding, removing variables, removing records, generalization, lower and upper limit encoding, global coding, sampling, data interchange, noise insertion, micro-merging, data pooling and disrupting as anonymization methods depending on the nature of the data, its size, the structure of the physical environment, the variety, the benefit to be obtained from the data and the purpose of processing.

  1. DEPARTMENT, TITLE AND JOB DEFINITIONS OF COMPANY STAFF INVOLVED IN PERSONAL DATA STORAGE AND DESTRUCTION

The person(s) working in the positions detailed below shall be in charge of storage, deletion, destruction and anonymization of personal data from the database. The job descriptions of these persons have been determined by the Company as follows:

Position: Digital Marketing Manager / Dorukcan Koca

Job Description:
–Managing digital channels and ensuring the coordination of different marketing methods,
– Protecting and storing data obtained from the website.
– Monitoring, backing up, storing, and accessing the collected data, and establishing the conditions by communicating with third parties and companies on these issues.
–Protection and monitoring of data and server
–Following up issues such as search engine marketing, content marketing, digital targeting and digital sales and to intervene communication operations when necessary,
–Performing various tests on user experience and creating a roadmap according to the results,
–Analyzing the data coming from digital channels and presenting the necessary reports to the management

  1. RETENTION AND DESTRUCTION PERIODS
Data Categories Retention Periods Destruction Period
Data of the Customer, Membership and Buyer and data subject to the Order/Purchase 10 years after the legal relationship ends pursuant to the Turkish Commercial Code No. 6102, 3 years pursuant to the Law No. 6563 on the Regulation of Electronic Commerce and the relevant secondary regulations; accommodation documents for one year pursuant to the Regulation on the Identity Reporting Law for 1 year starting from the calendar year following the year it is issued; accommodation registers for 5 years starting from the calendar year. Upon expiry of the retention period, at the first periodic destruction.
All records of financial and accounting transactions 10 years under the Turkish Commercial Code No. 6102, 5 years under the Tax Procedure Law No. 213 Upon expiry of the retention period, at the first periodic destruction.
Records of electronic commerce transactions 3 years from date of transaction Upon expiry of the retention period, at the first periodic destruction
Commercial Electronic Message records 3 years from the date of withdrawal of consent Upon expiry of the retention period, at the first periodic destruction
Resumes 5 years as per company policy Resumes exceeding 5 years are destroyed in the computer environment. For physical resumes, the duration is 6 months.
  1. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN BY THE COMPANY FOR SECURE STORING AND PREVENTION OF UNLAWFUL PROCESSING AND ACCESS OF PERSONAL DATA
  2. Necessary technical and administrative measures have been taken by the Company to prevent the illegal processing of and access to personal data, and to ensure that personal data is retained as per KVKK.
    ii. The company limits the access rights of the personnel to ensure data security and limit the authority.
    iii. It restricts personnel access on the company main server.
    iv. To ensure data security at the company, encryption techniques are introduced and the obligation to change the password periodically is imposed.
    v. The company protects all areas on the website or mobile application from which personal data is obtained with SSL.
    vi. Software and hardware including virus protection systems and firewalls are installed at the company and on the platforms it owns.