PART 1
1 – INTRODUCTION
1.1. ENTRANCE
Protection of personal data One of our most important priorities within the scope of the business activities we carry out as Konit Turizm Anonim Şirketi (“Company”) is the protection of personal data. In terms of the principles adopted in the execution of personal data processing activities carried out by our Company within the framework of this Konit Turizm Anonim Şirketi Personal Data Protection and Processing Policy (“Policy”) and the compliance of our Company’s data processing activities with the regulations in the Personal Data Protection Law No. 6698 (“Law”). The basic principles adopted are explained and detailed information regarding all personal data processing activities carried out by our Company is provided, thus, the relevant persons who have personal data are informed and the necessary transparency is provided. With full awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.
The activities carried out by our Company regarding the protection of the personal data of our employees are managed under the Konit Turizm Anonim Şirketi Employee Personal Data Protection and Processing Policy, which has been written in parallel with the principles in this Policy.
1.2. SCOPE
This Policy; It relates to all personal data of persons other than our Company’s employees processed by the Company through automatic or non-automatic means provided that it is part of any data recording system. It is possible to access detailed information about the persons to whom the personal data in question relates in ANNEX 2 of this Policy (“ANNEX 2- Relevant Persons”).
1.3. IMPLEMENTATION OF THE POLICY AND RELEVANT LEGISLATION
The relevant legal regulations in force regarding the processing and protection of personal data will primarily be applied. In case of incompatibility between the current legislation and the Policy, our Company accepts that the current legislation will apply. The Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of Company practices.
1.4. ENFORCEMENT OF THE POLICY
This Policy issued by our company is valid as of 09.03. It is dated 2018.
If the entire Policy or certain articles are renewed, the effective date of the Policy will be updated. The Policy is published on our Company’s website (www.takktravel.com) and made available to relevant persons upon the request of personal data owners.
CHAPTER 2
2 – ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA
2.1. ENSURING THE SECURITY OF PERSONAL DATA
In accordance with Article 12 of the Law, our company takes the necessary measures, in line with the nature of personal data, to prevent and preserve personal data from unlawful processing, access, transfer or security deficiencies that may occur in other ways. In this context, our Company takes administrative measures and carries out inspections or has them carried out to ensure the necessary security level in accordance with the guides published by the Personal Data Protection Board (“Board”).
2.2. PROTECTION OF SPECIAL PERSONAL DATA
Sensitive personal data is given special importance within the scope of the Law due to the risk of causing victimization or discrimination when processed unlawfully. In accordance with Article 6 of the Law, “special nature” personal data; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, criminal conviction and security measures and biometric and genetic data (“Special quality personal data other than health and sexual life” data”) has been determined as data regarding health and sexual life (“Special personal data regarding health and sexual life”).
The technical and administrative measures taken by our Company for the protection of personal data are within the scope of the Processing and Security of Special Personal Data within the framework of the adequate measures foreseen in the Board’s Decision No. 2018/10 dated 31/01/2018 in terms of special personal data. and the work carried out in this direction is monitored and inspected within the framework of the audits carried out within our Company.
Detailed information regarding the processing of special categories of personal data can be found in Section 3.3 of this Policy. are included in the section.
2.3. INCREASING THE AWARENESS AND AUDIT OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
Our company organizes the necessary training for business units in order to raise awareness on preventing unlawful processing of personal data, unlawful access to data, and ensuring the preservation of data. The training and awareness activities organized by the Company are based on the “Personal Data Security Guide” published by the Board on the official website.
With the trainings and awareness activities carried out, our Company aims to ensure that personal data processing activities of employees during the performance of their job duties are carried out in accordance with the Law and secondary legislation.
Our company establishes the necessary systems to raise awareness of its existing employees and newly recruited employees about the protection of personal data, and works with consultants if necessary. In this regard, our Company evaluates the participation in relevant trainings, seminars and information sessions and organizes new trainings in parallel with the updating of the relevant legislation.
CHAPTER 3
3 – ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
3.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES PROVIDED IN THE LEGISLATION
3.1.1. Processing in Compliance with the Law and the Rules of Honesty
Personal data is processed in accordance with the general rule of trust and honesty, without harming the fundamental rights and freedoms of individuals. Within this framework, personal data is processed to the extent and limited to the extent required by our Company’s business activities.
3.1.2. Ensuring Personal Data is Accurate and Up to Date When Necessary
Our company takes the necessary precautions to ensure that personal data is accurate and up-to-date throughout the period it is processed, and establishes the necessary mechanisms to ensure the accuracy and up-to-dateness of personal data for certain periods.
3.1.3. Processing for Specific, Clear and Legitimate Purposes
Our company clearly states the purposes of processing personal data and processes it within the scope of purposes related to these activities in line with its business activities.
3.1.4. Being Related to the Purpose for Processing, Limited and Proportionate
Our company collects personal data only to the extent and nature required by its business activities and processes it limited to specified purposes.
3.1.5. Preservation for the Period Envisaged in the Relevant Legislation or Necessary for the Purpose for which they are Processed
Our company retains personal data for the period necessary for the purpose for which they are processed and the minimum period stipulated in the relevant legal legislation. In this context, our Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the relevant person and with the specified destruction methods (deletion and/or destruction and/or anonymization).
3.2. TERMS OF PROCESSING OF PERSONAL DATA
Except for the explicit consent of the relevant person, the basis for personal data processing may be only one of the conditions specified below, or more than one condition may be the basis for the same personal data processing activity. If the data processed is personal data of special nature, the conditions contained in title 3.3 of this Policy (“Processing of Personal Data of a Special Category”) will apply.
(i) Existence of Explicit Consent of the person concerned
One of the conditions for processing personal data is the explicit consent of the relevant person. The explicit consent of the person concerned must be expressed on a specific subject, on the basis of being informed and with free will.
If the following personal data processing conditions are met, personal data may be processed without the explicit consent of the relevant person:
(ii) Explicitly Provided in Laws
If the personal data of the person concerned is clearly foreseen by the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it can be said that this data processing condition exists.
(iii) Failure to Obtain Explicit Consent of the Person Relevant Due to Actual Impossibility
If it is necessary to process the personal data of a person who is unable to express his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself or another person, the personal data of the relevant person may be processed.
(iv) Directly Relevant to the Establishment or Performance of the Contract
This condition may be deemed to be fulfilled if the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract to which the relevant person is a party.
(v) Fulfillment of the Company’s Legal Obligations
If processing is mandatory for our company to fulfill its legal obligations, the personal data of the relevant person may be processed.
(vi) Publicization of the Personal Data of the Personal Data Subject
If the relevant person has made his/her personal data public, the relevant personal data may be processed on a limited basis for the purpose of publicization.
(vii) Data Processing is Necessary for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the relevant person may be processed.
(viii) Data Processing is Necessary for Our Company’s Legitimate Interests
Personal data of the relevant person may be processed if it is necessary to process data for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the relevant person.
3.3. PROCESSING OF SPECIAL PERSONAL DATA
Special categories of personal data are processed by our Company in accordance with the principles specified in this Policy and by taking administrative and technical measures with the methods explained in the Processing and Security of Special Personal Data Policy and in the presence of the following conditions:
(i) Special categories of personal data, other than health and sexual life, may be processed without seeking the explicit consent of the relevant person, if it is clearly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the express consent of the relevant person will be obtained.
(ii) Special personal data regarding health and sexual life may be collected by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. It may be processed without seeking explicit consent. Otherwise, the express consent of the relevant person will be obtained.
3.4. CLARIFICATION OF THE PERSONAL DATA OWNER
In accordance with Article 10 of the Law and secondary legislation, our Company informs the relevant persons about who their personal data is processed by as the data controller, for what purposes, for what purposes it is shared with whom, by what methods it is collected, and the legal reason and the rights of the relevant persons within the scope of processing their personal data.
3.5. TRANSFER OF PERSONAL DATA
Our company takes the necessary security measures in line with the legal personal data processing purposes and transfers the personal data and sensitive data of the relevant person to third parties (third party companies, group companies).
companies, third parties). In this regard, our company acts in accordance with the regulations stipulated in Article 8 of the Law. Detailed information on this subject can be found in the document ANNEX 4 of this Policy (“ANNEX 4 – Third Parties to which Personal Data is Transferred by Our Company and the Purposes of Transfer”).
3.5.1. Transfer of Personal Data to Third Parties Resident in Turkey
Even if the relevant person does not consent, personal data may be transferred to third parties by our Company by taking due care and taking all necessary security measures, including the methods prescribed by the Board, if one or more of the data processing conditions (“Data Processing Conditions”) specified below are present.
• Relevant activities regarding the transfer of personal data are clearly foreseen in the law,
• The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
• Transfer of personal data is mandatory for our Company to fulfill its legal obligations,
• Transfer of personal data by our Company in a limited way for the purpose of publicization, provided that it has been made public by the relevant person,
• Transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the relevant person or third parties,
• It is mandatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the relevant person,
• It is necessary for a person who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity, to protect his or someone else’s life or physical integrity.
3.5.2. Transfer of Personal Data to Third Parties Resident Abroad
Transfer of personal data abroad by our company will be carried out in accordance with the instructions explained below, depending on whether the country where the transfer will be made is one of the safe countries determined by the Board or not.
If the country where the transfer will be made is not one of the safe countries with adequate protection declared by the Board; Personal data can be transferred to third parties abroad in the following cases, if at least one of the Data Processing Conditions is present and in accordance with the basic principles specified in Article 4 of the Law.
In case of explicit consent of the relevant person,
If the company and the data recipient in the relevant country undertake adequate protection in writing and the Board’s permission for the relevant transfer is obtained.
If the country where the transfer will be made is one of the safe countries with adequate protection declared by the Board; Personal data may be transferred in case of any of the Data Processing Conditions.
3.5.3. Transfer of Special Personal Data
Special categories of personal data can be transferred by our Company in accordance with the principles specified in this Policy and by taking administrative and technical measures with the methods explained in the Processing and Security of Special Personal Data Policy and if the following conditions are met:
(i) Special categories of personal data, other than health and sexual life, may be processed without seeking the explicit consent of the relevant person, if it is clearly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data. Otherwise, the express consent of the relevant person will be obtained.
Special personal data regarding health and sexual life can be collected without explicit consent by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing. can be processed. Otherwise, the express consent of the relevant person will be obtained.
CHAPTER 4
4 – CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING
Before our Company, personal data is processed in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law regarding the processing of personal data, based on at least one of the Data Processing Conditions and limited to personal data arising within the scope of the conduct of our Company’s business activities. It is processed in line with the data processing purposes. Detailed information about the personal data processing purposes in question is included in ANNEX 1 of the Policy (“ANNEX 1- Personal Data Processing Purposes”).
The categories of personal data processed by our company within the framework of its business activities and detailed information about the categories can be accessed in the document ANNEX 3 of the Policy (“ANNEX 3 – Personal Data Categories”).
CHAPTER 5
5 – STORAGE AND DESTRUCTION OF PERSONAL DATA
Our company retains personal data for the period necessary for the purpose for which they are processed and the minimum period stipulated in the relevant legal legislation. Our company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed.
Personal data processed by our company is considered on a categorical basis and maximum data retention periods are determined for each personal data category in line with the relevant data processing process. The mentioned periods are set out in the table in our Company’s Personal Data Storage and Destruction Policy. At the end of the determined maximum storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the relevant person and with the specified destruction methods (deletion and/or destruction and/or anonymization).
CHAPTER 6
6 – RIGHTS OF RELATED PERSONS AND THE USE OF THESE RIGHTS
6.1. RIGHTS OF THE RELATED PERSON
As personal data owners, relevant persons have the following rights:
(1) Learning whether personal data is being processed or not,
(2) Requesting information if personal data has been processed,
(3) Learning the purpose of processing personal data and whether they are used for their intended purpose,
(4) Knowing the third parties to whom personal data are transferred at home or abroad,
(5) To request correction of personal data in case their personal data has been processed incompletely or incorrectly, and to request that the action taken in this context be notified to third parties to whom their personal data has been transferred,
(6) Requesting the deletion or destruction of personal data in case the reasons requiring processing no longer exist, even though it has been processed in accordance with the law and other relevant legal provisions, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
(7) Object to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,
(8) Request compensation for the damage in case of damage due to unlawful processing of personal data.
6.2. USING THE RIGHTS OF THE RELATED PERSON
Relevant persons will be able to submit their requests regarding their rights listed in section 6.1. (“Rights of the Relevant Person”) to our Company through the methods determined by the Board. Accordingly, they will be able to submit their applications via the corporate email account info@takktravel.com.
6.3. OUR COMPANY’S RESPOND TO APPLICATIONS
Our company takes the necessary administrative and technical measures to finalize the applications made by the relevant person in accordance with the Law and secondary legislation.
If the relevant person submits his request regarding the rights set out in section 6.1. (“Rights of the relevant person”) to our Company in accordance with the procedure, our Company will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
Click to view the entire Personal Data Protection and Processing Policy.
