PRIVACY POLICY

This policy explains the principles for the processing of personal data that should be known by the users of D OTEL MARMARİS TURİZM İŞLETMECİLİĞİ TİC. Ve SAN. A.Ş. (“Company”) web site https://www.dmarisbay.com


One of our most important priorities within the scope of the business activities we carry out as a company is the protection of personal data. Within the framework of this Personal Data Protection and Processing Policy (“Policy”), the principles adopted in the conduct of personal data processing activities carried out by our Company and the basic principles adopted in terms of the compliance of our Company's data processing activities with the regulations contained in the Personal Data Protection Law No. 6698 (“LPPD” or “Law”) are explained and detailed information on all personal data processing activities carried out by our Company has been set out and thus, the relevant persons are informed and the necessary transparency is provided. With full awareness of our responsibility within this scope, your personal data is processed and protected within the scope of this Policy.

This Policy relates to all personal data of persons other than the employees of our Company, which are processed by the Company by automatic means or by non-automatic means provided that they are part of any data recording system.

  1. Definitions

Under this Policy;

Explicit Consent: Consent on a specific issue, based on information and expressed with free will,

Anonymization: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,

Doğuş Hospitality: D OTEL MARMARİS TURİZM İŞLETMECİLİĞİ TİC. Ve SAN. A.Ş., the owner of the website,

Data subject/Relevant person: Means the personal data owner,

Recording medium: Means any medium containing personal data that is fully or partially automated or processed non-automatically provided that it is a part of any data recording system,

Personal Data: Data, belonging or relating to a natural person, who is identified or can be identified with this data. Therefore, the processing of information on legal entities is not covered by the Law.

Sensitive Personal Data: personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.

Board: Personal Data Protection Board

Institution: Personal Data Protection Authority

Site: The web site https://www.dmarisbay.com

Data Processor: Means natural or legal person who processes personal data on behalf of the data controller.

Data Controller: Means natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Law No. 5651: Means the Law on Regulating Broadcasts Made on the Internet and Combating Crimes Committed Through These Publications.

Law No. 6698/LPPD: Means the Law on Protection of Personal Data.

  1. Privacy and Scope and Purpose of the Personal Data Protection Policy

This Policy on Protecting Personal Data and Privacy explains;

  1. Methods and legal reasons for collecting personal data,
  2. The personal data of which groups of people are processed (Data Subject Person Group Categorization),
  3. In which category personal data are processed in relation to these groups of persons (Data Categories) and sample data types,
  4. In which business processes and for what purposes this personal data is used to.
  5. Technical and administrative measures taken to ensure the security of personal data,
  6. To whom and for what purpose personal data can be transferred,
  7. Retention periods of personal data,
  8. What are the rights of the Data Subjects on their personal data and how they can exercise these rights,
  9. How the Data Subjects can change their positive or negative preferences in receiving electronic commercial messages.
  1. Issues Regarding the Protection of Personal Data

ENSURING THE SECURITY OF PERSONAL DATA

In accordance with Article 12 of the Law, our Company takes the necessary measures in line with the nature of personal data in order to prevent unlawful processing, access, transfer or other security deficiencies that may occur in other ways and to ensure their preservation. In this context, our Company takes administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Board, conducts audits or has them conducted.

PROTECTION OF SENSITIVE PERSONAL DATA

Sensitive personal data is given special importance under the Law due to the risk of causing victimization or discrimination when processed unlawfully.Pursuant to Article 6 of the Law, “sensitive” personal data are defined as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, criminal convictions and security measures, biometric and genetic data, health, sexual life.

The technical and administrative measures taken by our Company for the protection of personal data are taken within the scope described in the Policy on Processing and Security of Sensitive Personal Data within the framework of the adequate measures stipulated in the Board's Decision No. 2018/10 dated 31/01/2018 in terms of sensitive personal data, and the works carried out in this direction are monitored and audited within the framework of the audits carried out within our Company.

Detailed information on the processing of sensitive personal data is provided in section 3.3 of this Policy.

RAISING AWARENESS AND SUPERVISION OF BUSINESS UNITS ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Our Company ensures that the necessary trainings are organized for the business units in order to raise awareness in order to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data. The training and awareness activities organized by the Company are based on the “Personal Data Security Guide” published by the Board on its official website.

With the trainings and awareness activities carried out, it is aimed to ensure that the personal data processing activities of our Company's employees during the fulfillment of their job duties are carried out in accordance with the Law and secondary legislation.

Our Company establishes the necessary systems to ensure that existing employees and new employees are aware of the protection of personal data, and works with consultants if necessary. In this direction, our Company evaluates the participation in relevant trainings, seminars and information sessions and organizes new trainings in parallel with the updating of the relevant legislation.

  1. Issues Regarding the Processing of Personal Data

PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION

-Processing in accordance with lawfulness and fairness

Personal data are processed in accordance with the general rule of trust and honesty so as not to harm the fundamental rights and freedoms of individuals. Within this framework, personal data are processed to the extent required by and limited to the business activities of our Company.

-Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Our Company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods of time.

-Processing for Specific, Explicit and Legitimate Purposes

Our Company clearly sets out the purposes of processing personal data and processes it within the scope of purposes related to these activities in line with business activities.

-Being relevant, limited and proportionate to the purpose for which they are processed

Our company collects personal data only to the extent and quality required by business activities and processes it limited to the specified purposes.

-Preservation for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

Our Company retains personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the relevant legislation. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed. Personal data are destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or in accordance with the application of the person concerned and with the specified destruction methods (deletion and/or destruction and/or anonymization).

CONDITIONS FOR PROCESSING PERSONAL DATA

Except for the explicit consent of the data subject, the basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In the event that the processed data is personal data of special nature, the conditions in section 3.3 of this Policy (“Processing of Sensitive Personal Data”) shall apply.

(i)Explicit consent of the data subject

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be related to a specific subject, based on information and free will.

In the presence of the following personal data processing conditions, personal data may be processed without the explicit consent of the data subject.

(ii)Expressly permitted by law

If the personal data of the data subject is explicitly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it may be mentioned that this data processing condition exists.

(iii)The explicit consent of the person concerned cannot be obtained due to actual impossibility

The personal data of the person concerned may be processed if it is mandatory to process the personal data of the person who is unable to disclose his consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself or another person.

(iv)Direct relevance to the establishment or performance of the contract

Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.

(v)Fulfillment of the Company's legal obligation

Personal data of the person concerned may be processed if processing is mandatory for our Company to fulfill its legal obligations.

(vi)Publicization of personal data by the data subject

If the data subject has made his/her personal data public, the relevant personal data may be processed limited to the purpose of publicization.

(vii)Data processing is mandatory for the establishment or protection of a right

Personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

 

(viii) Data processing is mandatory for the legitimate interest of our Company

Provided that it does not harm the fundamental rights and freedoms of the person concerned, the personal data of the person concerned may be processed if data processing is mandatory for the legitimate interests of our Company.

PROCESSING OF SENSITIVE PERSONAL DATA

Sensitive personal data are processed by our Company in accordance with the principles set forth in this Policy and by taking administrative and technical measures and in the presence of the following conditions:

  1. Explicit consent of the data subject

One of the conditions for processing senstive personal data is the explicit consent of the data subject. The explicit consent of the data subject must be related to a specific subject, based on information and free will.

  1. Expressly permitted by law

If the sensitive personal data of the data subject is explicitly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of sensitive personal data, it may be mentioned that this data processing condition exists.

  1. The explicit consent of the person concerned cannot be obtained due to actual impossibility

The sensitive personal data of the person concerned may be processed if it is mandatory to process the sensitive personal data of the person who is unable to disclose his consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself or another person.

  1. Publicization of sensitive personal data by the data subject

If the data subject has made his/her sensitive personal data public, the relevant sensitive personal data may be processed limited to the purpose of publicization.

  1. Data processing is mandatory for the establishment or protection of a right

Sensitive personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise or protection of a right.

  1. Necessary for the Protection of Public Health

Persons under the obligation to keep secrets or authorized institutions and organizations may process the sensitive personal data of the data subject if necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services.

  1. Necessity for the Fulfillment of Legal Obligations

In case it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance, the sensitive personal data of the data subject may be processed.

  1. Processing by Foundations, Associations and Other Non-Profit Organizations

Provided that the foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes comply with the legislation to which they are subject and their purposes, are limited to their fields of activity and are not disclosed to third parties; the sensitive personal data of the person concerned may be processed if they are intended for their current or former members and members or persons who are in regular contact with these organizations and formations

ENLIGHTENMENT OF THE DATA SUBJECT

In accordance with Article 11 of the Law and secondary legislation, our Company informs the relevant persons about the purposes for which their personal data is processed by who is the data controller, for what purposes, with whom it is shared for what purposes, by which methods it is collected and its legal reason and the rights of the relevant persons within the scope of processing their personal data.

  1. Collection and Processing of Your Personal Data

1. Processing of Personal Data of Website Users (Online Visitors) and Call Center Users

1.1.       Processing of Personal Data of Website Users (Online Visitors)

Users who use the site to make requests and suggestions; can submit the information such as name, surname, e-mail, telephone, gender, date of birth, address, message, sector and subject of the form by filling out the form on the "Contact" page at https://www.dmarisbay.com Users accept that they share this personal data with the Site with their own free will, and that this data is only requested for the purpose of evaluating the requests and suggestions they have submitted.

In addition, traffic information of users visiting the Website is processed in accordance with Law No. 5651.

1.2. 1.2.            Processing of Personal Data of Call Center Users

Personal data of users calling the call center with their phone number are collected and stored by the Call Center company which is in a contractual relationship with Doğuş Hospitality and has the same legal and technical responsibilities as Doğuş Hospitality on data protection and security and complies with the provisions of the relevant legislation.

Personal data such as name, surname, telephone number and e-mail address are collected during the call from the users who call the Call Center. These data are processed for carrying out the necessary work and carrying out the relevant business processes to benefit you from the products and services offered by our company, planning and execution of the activities required for the recommendation and promotion of the products and services offered by the company by customizing them according to your tastes, usage habits and needs, carrying out the necessary work by our relevant business units for the realization of the commercial activities carried out by our company and carrying out the related business processes, planning and execution of our company's commercial and / or business strategies, ensuring the legal, strategic and commercial job security of our company and those who are in business relations with our company

Your personal data, which you have shared by calling our call center, is collected and stored by the call center company in order to process your requests, suggestions and complaints, to inform you about the result of the transaction and to improve the services and products offered within this scope.

  1. Data Categories and Sample Data Types

1.

Online Visitor

  • Transaction Security Information: Password, mobile phone, password information
  • Legal Transaction Information/Risk Management Information: IP address
  • Legal Procedure and Compliance Information: Start and end time of the service provided, the type of service used, the amount of data transferred.
  • Reservation Information: Reserved hotel, number of guests, reservation time, special requests
  • Payment Information: The amount paid, information showing the financial result, data regarding documents and records, bank account number, IBAN number, credit card information, financial profile

Post-Booking Assessment: Satisfaction assessment, comments, loyalty scores

2.

Web site users

  • Identity Information: Name, surname, date of birth,
  • Contact Information: mobile phone, e-mail address, address
  1. Security of Your Personal Data, Transfer of Your Personal Data, and Exercise of Your Rights Over Your Personal Data

All your personal data you have shared with us will be kept confidential in the database of Doğuş Hospitality in accordance with Article 12 of the Law numbered 6698 on Personal Data Protection and will not be shared with third parties for commercial purposes.

Doğuş Hospitality undertakes to take all necessary technical and administrative measures and show due diligence to ensure the confidentiality, integrity and security of your personal data.

Doğuş Hospitality takes the necessary measures to prevent unauthorized access, misuse, illegal processing, disclosure, alteration or destruction of personal data. Doğuş Hospitality uses generally accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption when processing personal data. In addition, when sending your personal data to D Hotelier through the website, mobile application and mobile site, these data are transferred using SSL.

Regarding the prevention of unlawful access to the personal data that Doğuş Hospitality processes, the prevention of unlawful processing of these data and the protection of personal data:

The rights of the Data Subject on personal data processed by Doğuş Hospitality in accordance with the Article 11 of the LPPD are listed below:

In order to exercise your rights over your personal data; you can make your application and use your rights with the methods specified in the "Application Form" on the website or mobile application of electronic commerce platforms operated by Doğuş Hospitality and arranged in accordance with the Article 13 of the LPPD.  

  1. To Whom Personal Data Can Be Transferred for What Purpose

Our Company may transfer the personal data and sensitive data of the data subject to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the Law. In this respect, our Company acts in accordance with the regulations stipulated in Article 8 of the Law.

Transfer of Personal Data to Domestic Third Parties

Even without the consent of the data subject, if one or more of the following data processing conditions (“Data Processing Conditions”) exist, personal data may be transferred to third parties by our Company by taking all necessary care and taking all necessary security measures, including the methods stipulated by the Board.

Transfer of Personal Data to Third Parties Residing Abroad

The transfer of personal data abroad by our Company will be carried out in the direction described below, depending on whether the country of transfer is one of the safe countries to be determined by the Board or not.

In the event that the country of transfer is not one of the safe countries with adequate protection declared by the Board; personal data may be transferred to third parties abroad in the presence of at least one of the Data Processing Conditions, provided that the data subject has the opportunity to exercise his/her rights and apply for effective legal remedies in the country of transfer and in accordance with the basic principles set out in Article 4 of the Law, if one of the following appropriate safeguards is provided by the parties.

If the country to which the transfer will be made is one of the safe countries with adequate protection declared by the Board; personal data may be transferred in the presence of any of the Data Processing Conditions.

Transfer of Sensitive Personal Data

Sensitive personal data may be transferred by our Company in accordance with the principles set forth in this Policy and by taking administrative and technical measures and in the presence of the following conditions:

Doğuş Hospitality may transfer personal data to the third parties specified in this Privacy and Personal Data Protection Policy for the purposes specified in this Privacy and Personal Data Protection Policy and in accordance with Articles 8 and 9 of the LPPD by taking the necessary security measures in line with the lawful personal data processing purposes.

Your collected personal data will be shared with;

Please click on https://www.d-teknoloji.com.tr/ for information about Doğuş Bilgi İşlem ve Teknoloji Hizmetleri A.Ş.,  www.dogusgrubu.com.tr for Doğuş Holding A.Ş., all of its subsidiaries and affiliates.

Personal data subject to transfer within and outside the country mentioned above; in addition to the technical measures to ensure their security, are also legally protected by the LPPD compliant provisions included in our agreements, considering that the counterparty of the legal relationship is a data controller or a data processor.

As said above, during sharing information when transferring personal data to countries other than Turkey, the transfer of data is ensured in accordance with this policy and as permitted by the applicable law on data protection.

  1. Retaining Your Personal Data Correct and Updated

The Data Subject groups whose personal data we process accepted and declared that they know that the correct and up-to-date personal data shared on the Website an /or provided by themselves due to the contractual relationship are important for them to be able to exercise their rights on their personal data in the sense of LPPD and other relevant legislation and that the responsibility arising from providing false information will be entirely theirs.

  1. How Data Subjects Can Change Their Positive or Negative Preferences Regarding the Receipt of Electronic Commercial Communications

The consent of the customer regarding the Commercial Electronic Message is obtained through the information form on the website www.dhotelier.com. Commercial message delivery is carried out by Doğuş Hospitality under the name of “Doğuş Hospitality”.

You can change or update your positive or negative preferences for receiving commercial electronic messages at any time, which you have given while signing up or at a later time, through the website https://www.dmarisbay.com operated by Doğuş Hospitality.

  1. Personal Data Retention Period

Our Company retains personal data for the period required for the purpose for which they are processed and for the minimum period stipulated in the relevant legislation. Our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data are stored for the period required for the purpose for which they are processed.

Doğuş Hospitality retains the personal data it processes in accordance with the LPPD for the periods stipulated in the relevant legislation or required by the purpose of processing. In our Personal Data Retention and Destruction Policy, these periods are approximately as follows:

All records regarding accounting and financial transactions

10 years

Law No. 6102, Law No. 213

Commercial electronic message confirmation records

1 year from the date of withdrawal of approval

Law No. 6563 and related secondary legislation

Traffic information for online visitors

2 years

Law No. 5651

Personal data about customers

10 years after the legal relationship ends; 3 years in accordance with Law 6563 and related secondary legislation; 90 days for CCTV recordings

Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502

  1. Deletion, Destruction or Anonymization of Your Personal Data

The https://www.dmarisbay.com website stores the personal data processed through its mobile application for the periods stipulated by the relevant laws and/or the periods required by the processing purpose pursuant to Article 7, 17 of the LPPD and Article 138 of the Turkish Penal Code. In the event that these periods expire, they will delete, destroy or anonymize in accordance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data.

Deletion of personal data by Doğuş Hospitality refers to the process of making personal data inaccessible and unavailable in any way for the relevant users. D Hotelier creates and implements user-level access authorization and control matrix for this. It takes the necessary measures to perform the deletion in the database.

The destruction of personal data by Doğuş Hospitality means the process of making personal data inaccessible, irrevocable and unusable in any way by anyone.

The anonymization of personal data by Doğuş Hospitality means making personal data unrelated to an identified or identifiable natural person under any circumstances, even if they are matched with other data.

Doğuş Hospitality explains in detail the methods for deletion, destruction and anonymization and the technical and administrative measures taken within the scope of the Personal Data Storage and Destruction Policy prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this Policy, the period of periodic destruction stipulated by the Regulation is also determined as 6 months.

  1. Possible Changes and Updates to the Policy

Doğuş Hospitality may always make changes or updates in this Policy in line with the legal regulations and Company Policy. These changes become effective immediately upon publication of the new policy. Relevant people are informed about the new Policy text, which reflects all these changes and updates, via the website.