KVKK

YOU OTELCİLİK TURİZM A.Ş 

CORPORATE PERSONAL DATA PROTECTION POLICY

Document Information

Document Name: Personal Data Protection Policy

Document Relevance: The purpose of the Personal Data Protection Policy is to plan the processes related to the protection of personal data by You Otelcilik Turizm Anonim Şirketi and determine the principles to be applied in this regard.

Publication Date: 01.06.2023

Version No: 1

Reference / Justification: Law No. 6698 on the Protection of Personal Data and other related legislation

Approving Authority: Board of Directors of You Otelcilik Turizm Anonim Şirketi


  1. PURPOSE 

The right of individuals to protect their own personal data is a sacred right derived from the Constitution. As You Hospitality Tourism Joint Stock Company, we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach great importance to the lawful processing and protection of your personal data.

The Corporate Personal Data Protection Policy is prepared as a result of the importance we  place on the protection of personal data, aiming to determine the principles and procedures  we adhere to when processing and safeguarding personal data. 

  2. SCOPE 

The policy covers all personal data managed by You Hospitality Tourism Joint Stock Company,  including data obtained either entirely or partially through automated or non-automated means,  as well as being part of any data recording system. It encompasses all types of operations  performed on the data, such as collection, recording, storage, retention, alteration,  reorganization, disclosure, transfer, acquisition, making it obtainable, classification, or prevention  of its use. 

The policy pertains to the personal data of You Otelcilik Turizm Anonim Şirketi's partners, authorities, customers, employees, supplier officials and employees, and third parties.

You Otelcilik Turizm Anonim Şirketi may modify the Policy in compliance with the legislation  and decisions of the Personal Data Protection Authority, aiming to ensure compliance and better  protection of personal data.

 

  3. DEFINITIONS 

Abbreviation: Definition

Recipient Group: The category of natural or legal person to whom personal data is transferred by the data controller.

Explicit Consent: Explicit consent based on being informed about a specific matter and freely given will.

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Data Subject: The real person whose personal data is being processed.

Authorized User: The individuals who process personal data within the data controller organization or under the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and backup of the data.

Destruction: Erasure, destruction, or anonymization of personal data.

Law/Personal Data Protection Law: Law No. 6698 on the Protection of Personal Data.

Recording Medium: Any environment in which personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system, including Rmos Web, Virtual POS Payment System and Datasoft.

Personal Data: Any and all information related to an identified or identifiable natural person.

Data Inventory: The inventory created by data controllers, which associates the processing activities of personal data they carry out in relation to their business processes with the purpose and legal basis of processing, data categories, recipients or recipient groups to whom the data is transferred, groups of data subjects, the maximum retention period necessary for the purposes for which the personal data are processed, personal data intended to be transferred to foreign countries, and the measures taken for data security, by providing detailed explanations.

Processing of Personal Data: Any and all operations carried out on personal data, whether fully or partially automated, or through non-automated means, including collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use, pertaining to the data.

Board: Personal Data Protection Board.

Authority: Personal Data Protection Authority.

Special Category Personal Data: Personal data relating to an individual's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Periodic Destruction: In case all processing conditions of personal data specified in the Law cease to exist, the deletion, destruction, or anonymization process that will be carried out ex officio at recurring intervals as stated in the data retention and destruction policy.

Policy: Personal Data Protection Policy.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.



  4. GENERAL PRINCIPLES 

You Otelcilik Turizm Anonim Şirketi verifies the compliance of the data to be processed with the  following principles during the preparation phase of each new data processing workflow. Workflows that  are found to be non-compliant are not implemented. 

When processing personal data, You Otelcilik Turizm Anonim Şirketi: 

(I) Adheres to the law and principles of honesty. 

(II) Ensures that personal data is accurate and up-to-date when necessary. 

(III) Pays attention to the specific, clear, and legitimate purpose of the processing.

 

(IV) Verifies that the processed data is relevant to the purpose of processing, processed to the extent  necessary, and proportionate. 

(V) Retains data only for the period prescribed by the relevant legislation or as long as necessary for the  purpose of processing, and destroys it when the processing purpose ceases to exist. 

  5. DATA SECURITY MEASURES 

You Otelcilik Turizm Anonim Şirketi takes all necessary technical and administrative measures to ensure  an appropriate level of security in order to prevent unlawful processing of personal data, unauthorized  access to personal data, and to ensure the preservation of personal data. 

5.1. Technical Measures 

(I) Network security and application security are ensured. 

(II) Security measures are taken regarding the supply, development, and maintenance of information  technology systems. 

(III) Access logs are regularly maintained. 

(IV) Up-to-date antivirus systems are used. 

(V) Firewalls are utilized. 

(VI) Necessary security measures are taken for the entry and exit of physical environments containing  personal data. 

(VII) Physical environments containing personal data are secured against external risks (fire, flood, etc.).

(VIII) The security of environments containing personal data is ensured.

(IX) Personal data is backed up, and the security of backed-up personal data is ensured.

(X) User account management and authorization control system are implemented, and their monitoring is performed.

(XI) Log records are maintained without user intervention. 

(XII) Intrusion detection and prevention systems are utilized. 

(XIII) Encryption is implemented. 

5.2. Administrative Measures 

(I) Disciplinary regulations containing data security provisions are in place for employees.

(II) Regular training and awareness programs on data security are conducted for employees.

(III) Corporate policies regarding access, information security, use, storage, and disposal are prepared and implemented.

(IV) Data masking measures are implemented when necessary. 

(V) Confidentiality commitments are made. 

(VI) An authorization matrix is established for employees. 

(VII) The authorities in this area are revoked for employees who have job changes or leave the company.

(VIII) Contracts signed include data security provisions.

(IX) Personal data security policies and procedures are defined. 

(X) Personal data security issues are promptly reported. 

(XI) Personal data security is monitored. 

(XII) Personal data is minimized as much as possible. 

(XIII) Periodic and/or random audits are conducted internally and externally. 

(XIV) Existing risks and threats are identified. 

(XV) Protocols and procedures are established and implemented for the security of special category  personal data. 

(XVI) Service providers processing data are made aware of data security.

 

  6. RIGHTS OF THE DATA SUBJECT 

The data subject can apply to You Otelcilik Turizm Anonim Şirketi to exercise the following rights:

(I) To learn whether personal data is being processed,

(II) To request information if personal data has been processed, 

(III) To learn the purpose of the processing of personal data and whether they are used in accordance with  their purpose, 

(IV) To learn the third parties to whom personal data is transferred domestically or abroad,

(V) To request the correction of personal data if it is incomplete or inaccurate and to request the notification of the correction made to the third parties to whom personal data has been transferred within this scope,

(VI) To request the deletion, destruction, or anonymization of personal data if the reasons requiring the  processing of personal data no longer exist, and to request the notification of this process to the third  parties to whom personal data has been transferred within this scope, 

(VII) To object to a result against the data subject that arises solely through automated systems by  analyzing the processed data, 

(VIII) To request the compensation of damages in case of personal data being processed unlawfully. 

  7. BREACH NOTIFICATIONS 

Employees of You Otelcilik Turizm Anonim Şirketi report to the management if they believe that there is  a violation of the provisions of the Law on the Protection of Personal Data and/or the Policy. The  management, if deemed necessary, creates an action plan regarding the violation following this breach notification. 

If the breach occurs through the unauthorized acquisition of personal data by others, the management  shall notify the relevant parties and the Data Protection Authority within 72 hours, in accordance with the  decision numbered 2019/10 dated 24.01.2019 of the Board. 

  8. CHANGES 

Changes to the Policy are submitted to the approval of the Board of Directors of You Otelcilik Turizm Anonim Şirketi. The updated Policy may be sent to employees via email or published on the company's website.

  9. EFFECTIVENESS 

This version of the Policy has been approved by the Board of Directors and has entered into force.
