This information is provided in accordance with Article 10 of the “Personal Data Protection Law” numbered 6698 and due to legal obligation.
This text, which has been prepared for the Protection of Personal Data within the scope of all of our facilities operating within the Özyer Group and providing services under the management of Otelcilik, each of which carries the title of data controller in terms of their legal entities, has been prepared within the framework of the issues included in the Law on the Protection of Personal Data, adhering to the elements mentioned in the law.
Lykia Turizm Yatırımları Sanayi ve Ticaret Anonim Şirketi (Liberty Lykia)
Ayfaba Turizm Yatirimlari Insaat Anonim Sirketi (Liberty Fabay)
Özyer Turizm Sanayi ve Ticaret A.Ş. (Liberty Lara, Sundia By Liberty Suncity)
B12 Enerji Turizm Sanayi ve Ticaret A.Ş. (Liberty Kuşadası)
Ölüdeniz Otelcilik Turizm Sanayi ve Ticaret A.Ş. (Sundia By Liberty Ölüdeniz)
Fethiye Enerji Sanayi ve Ticaret Anonim Şirketi (Sundia Exclusive By Liberty Fethiye)
Hez Tourism Investments San. And Tic. A.Ş (Liberty Signa)
Gulmete Tourism Investments Aş. (XO Cape Arnna)
All of the companies listed above will be referred to as Subsidiaries in the following text.
In accordance with the Law, the Regulation, which is a secondary regulation of the Law, and other legislation, the Affiliates, primarily in the capacity of data controller, have prepared this text for the purpose of processing and protecting the personal data of:
Their guests,
Guest nominees,
Visitors,
Employees,
The partners and employees of other companies with which they are in business partnership and, without limitation, all of their interlocutors.
This text has also been prepared for the purpose of determining the maximum retention period required for the purpose for which personal data are processed, deleting, destroying or anonymizing personal data at the end of the specified retention period and determining the process of fulfilling the requests of the persons concerned with the processed personal data.
The purpose of this text and the Liberty Hotels Group Personal Data Storage and Destruction Policy is to inform you, who make a hotel reservation on the websites of our affiliates, browse the websites or fill in the forms provided by our affiliates, about the commitments undertaken by our affiliates to ensure the protection of personal data of these persons.
In particular, we inform you about the personal data we collect from you, how we use it, how we disclose it, how we protect it and finally how you can exercise your rights over this data.
Purposes of Processing Personal Data
Our affiliates process personal data that you provide to us and that is relevant to you in the following circumstances:
When you browse our websites;
In cases where you have made reservations directly through the website at the following hotels: Liberty Lykia, Liberty Lara, Liberty Fabay, Sundia Exclusive By Liberty Fethiye, Sundia By Liberty Oludeniz, Sundia By Liberty Suncity, Liberty Signa, Liberty Kusadasi, XO Cape Arnna.
Where you have consented to receive our newsletters and other marketing / commercial information from us;
Whenever you wish to contact us to ask questions to our affiliates, to make a complaint or to apply for a job via the contact form.
Personal data (name, surname, date of birth, identity and passport information, work, home and mobile phone number, e-mail address, gender, address, occupation, education, marital status, vehicle license plate, accommodation, credit card, expenditure and flight information, shopping information, billing information, consumption preferences, etc.).
Carrying out the necessary work by business units to ensure that stakeholders benefit from the products and services offered,
Providing products and services and communicating with stakeholders about the products and services received or to be received by them,
Customizing and recommending products and services according to their tastes, usage habits and needs,
Product/service offer, (to be used in marketing activities),
Modeling, reporting, scoring, execution of human values policies,
Ensuring the legal and commercial security of persons who are in a relationship with our subsidiaries,
Defining and implementing commercial and business strategies,
For the purposes of our subsidiaries’ existing or new product studies and potential customer identification, etc.
In relation to tourism, marketing, promotion and advertising activities and due to legal obligations, personal data is processed within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK.
General Principles
Our affiliates act within the framework of the following principles in all transactions related to personal data, including but not limited to the acquisition, processing, storage, protection, deletion, destruction and anonymization of personal data:
Compliance with the law and good faith,
Being accurate and up to date when necessary,
Processing for specific, explicit and legitimate purposes,
Being relevant, limited and proportionate to the purpose for which they are processed,
Retaining, preserving for the period stipulated in the relevant legislation or required for the purpose for which they are processed, and deleting, destroying or anonymizing personal data at the end of this period, taking into account the request of the person concerned or periodic deletion periods,
Respond to the requests of data subjects regarding their rights as defined in Article 11 of the Law as soon as possible,
Taking all necessary technical and administrative measures specified in the Law, Liberty Hotels Group Personal Data Storage and Destruction Policy and all other relevant legislation in all transactions related to the storage, deletion, destruction or anonymization of personal data,
Recording all transactions regarding the deletion, destruction, anonymization of personal data specified in this text and storing them for at least 3 years, excluding other legal obligations.
Transfer of Personal Data
Personal data may be transferred to business partners, suppliers, shareholders, our group companies affiliated to affiliates, legally authorized public institutions, state security units and private persons, within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the KVKK, for the following purposes: to enable business units to carry out the necessary work so that stakeholders benefit from the products and services offered by our subsidiaries; to offer products and services; to communicate regarding the product and service received or to be received; to recommend products and services by customizing them according to their tastes, usage habits and needs; product/service offer (to be used in marketing activities); to ensure the legal and commercial security of persons who are in a relationship with our affiliates; and to determine and implement the commercial and business strategies of the affiliates.
Guest Personal Data
Guest Data Attributable to Individuals
Personal data (identification) such as name, surname, ID or passport number, age, gender, date of birth,
Personal data such as address, telephone number, e-mail address, etc. (contact),
Personal data such as the first 6 and last 4 digits of bank credit cards or the number of bank cards, cardholder name, surname, validity date, etc. transmitted to ensure payment for the service provided (payment),
Information and documents containing personal data related to the travel product (flight, accommodation, transfer, health tourism, etc.) obtained due to the service provided (service components),
Personal data such as IP number with the possibility of personalization (location),
Personal data (habits) that enable personalization of the service according to the guest’s wishes and expectations (thin pillow, jasmine scent, oversized bathrobe, etc.)
Statistical data that do not provide the opportunity to establish a direct relationship with the person; Anonymous information obtained from solution partners from which digital marketing services are obtained in order to determine the guest profile and learn their preferences and improve the services offered according to this profile, and guest data that can be anonymized by the Affiliates.
Sources of Guest Personal Data
Our affiliates obtain guest data directly from the data subject or the data subject’s representative, tour operators, agencies, web pages, call centers, mobile phone application, social media accounts, business and solution partners who are third parties, and from sources made public by the data subject himself/herself.
Personal data not obtained directly from the data subject by our Affiliates and transferred to the Affiliates in order to benefit from accommodation services are deemed to be in accordance with the will of the data subject and in accordance with the law. In case of any doubt in this regard, the Affiliates shall take the necessary measures and precautions without delay. If necessary, Liberty Hotels Group will immediately delete, destroy or anonymize the personal data in accordance with the principles set out in this Liberty Hotels Group Personal Data Retention and Destruction Policy.
Reasons for Obtaining, Processing and Transferring Guest Data
Our affiliates obtain, process and transfer guest data only for the legitimate purposes specified in Articles 5, 6, 8 and 9 of the law within the framework of the General Principles specified in Article 2 of this text. In the absence of the explicit consent of the person concerned, our affiliates may obtain, process or transfer personal data in cases where any one or more of the following conditions specified in Articles 5 and 6 of the law are present, limited to the extent and duration required by this situation:
Explicit provision in the law,
It is mandatory for the protection of the life or physical integrity of the person concerned or of another person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
It is necessary to process personal data provided that it is directly related to the establishment or performance of the contract concluded by the data subject with the Affiliates,
It is mandatory for the Affiliates to fulfill its legal obligation as the data controller,
The personal data has been made public by the person concerned,
Data processing is mandatory for the establishment, exercise or protection of a right,
Data processing is mandatory for the legitimate interests of the Affiliates as the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Our affiliates obtain, process or transfer personal data for the following purposes and without being limited to these, provided that it is not contrary to the general principles, based on the legal grounds stated above:
Business units can carry out the necessary work to ensure that guests benefit from the products and services offered by our subsidiaries,
Customizing the products and services offered by our affiliates according to the tastes, usage habits and needs of the guests, and recommending and offering them to them,
Improving the quality of services provided by our subsidiaries and developing a quality policy,
Informing and benefiting guests and potential guests about the general and special campaigns, promotions, discounts and similar advantages offered by our affiliates,
When visitors log in with their usernames and passwords in order to receive services from the channels offered by our affiliates, the personal data, preferences, transactions and browsing times in the relevant channels, as well as the data obtained, in order to provide the information and services they have requested,
To be able to make notifications (renewal, expiration, etc.) regarding all kinds of loyalty cards issued and / or to be issued by our Affiliates and related organizations and website memberships of our Affiliates and related organizations, all kinds of communication that may be established with guests, to inform them about changes, innovations and similar issues that may occur in personal data policies and membership conditions regarding new services and products to be offered,
Ensuring the legal and commercial security of our Affiliates and the relevant persons who are in business relations with our Affiliates (administrative operations for communication carried out by the Affiliates, ensuring the physical security and control of the Affiliates’ premises, business partner/guest/supplier (authorized or employees) evaluation processes, legal compliance process, financial affairs, etc.),
Providing information about the information, activities and services requested by the relevant persons from the Affiliates,
Determining and implementing the commercial and business strategies of our subsidiaries,
Ensuring the execution of the Human Values policies of our subsidiaries and fulfillment of a legal obligation determined by the legislation if it is clearly stated in the legislation or if necessary
It is essential to obtain the informed consent of the guests in the personal data obtained directly and indirectly. However, our Affiliates may also process personal data of guests or prospective guests without obtaining explicit consent, limited to the matters specified in paragraph 2 of Article 5 of the Law. If this requirement ceases to exist, the data will be deleted, destroyed or anonymized immediately, unless the guest or prospective guest consents.
Our affiliates do not process personal data other than the services and legitimate purposes it provides and do not use the data it has acquired in any way for services contrary to the rules of law and honesty, even if the guest’s explicit consent has been obtained within the framework of the principles stated above.
Transfer of Guest Personal Data
Our affiliates may share the data they have obtained in order to fulfill their objectives based on the legal grounds specified in this text and to fulfill their obligations under the contracts concluded with business and solution partners, accommodation and transfer service suppliers and other third parties.
Affiliates may transfer personal data domestically and abroad within the framework of the principles determined by the board in order to fulfill the service provided for the reasons listed in Article 8 of the law. Except for the reasons specified in paragraph 8/2 of the Law, personal data can only be transferred with the consent of the data subject.
Our affiliates adopt the principle of acting within the framework of the Law, other relevant legislation and board decisions and taking the necessary technical and administrative measures while sharing data with the persons and organizations to which it transfers.
Our affiliates may transfer personal data with the following persons and institutions and for the purpose of service fulfillment:
Suppliers and subcontractors from whom the subsidiaries procure the services required to provide accommodation services to their guests and at the same time to fulfill their commercial activities,
In case the guest wishes to benefit from airline transportation and accommodation services together as a package, to the relevant airline companies,
In the event that the guest requests a private transfer service by road from the airport to the hotel where the guest will stay at the hotel and/or from the hotel where the guest has stayed to the airport, to the suppliers and carrier companies that provide this transfer service,
Solution partners to ensure that commercial activities are carried out for the accommodation services offered by our subsidiaries,
To public institutions and organizations in order to fulfill legal obligations,
To third parties or public institutions and organizations in order to eliminate a threat to the lives, body integrity and security of personal data, to eliminate or prevent unlawful acts in case of fraud, intellectual rights and violations and violation of data policy,
To the lawyers, legal advisors and audit companies engaged in order to protect the legitimate interests of our subsidiaries and to protect their rights and interests both in respect of their own claims and against the claims to be submitted to them.
Personal Data of Employees and Employee Candidates
Our affiliates may process the personal data of the employees they employ for the purpose of the performance of the established employment contract, the fulfillment of mutual obligations and the fulfillment of the legal obligations that fall on them as the employer and limited to these purposes, provided that they obtain explicit consent. In this case, our affiliates shall take the General Principles set out in Article 2 of this text as basis, inform their employees and ensure the security of their personal data.
Our affiliates may process the personal data contained in the curriculum vitae and related documents submitted to them during the application processes of the employee candidates who apply to them for employment and until their applications are finalized, provided that they obtain explicit consent. In case the application is concluded negatively, the personal data will be completely deleted, destroyed or anonymized following the end of the specified retention period. In the event that the application is partially or fully approved, the retention and continued processing of the personal data obtained depends on the conditions of the new legal relationship to be established.
Sensitive Personal Data
The special categories of personal data listed in Article 6 of the Law are: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, biometric and genetic data.
Our affiliates take additional measures regarding the processing, transfer, deletion, destruction or anonymization of the personal data specified in this text and also of special nature. Actions to be taken for reasons arising from legal obligations or situations stipulated by law are reserved.
Our affiliates act in accordance with the data processing conditions set forth in Article 6 of the Law in the processing of sensitive personal data. In addition to the procedures and principles set out in this text, it is also necessary to take adequate measures determined in the relevant legislation in order to process special categories of personal data.
Our affiliates may process the health-related personal data of employees and guests in the presence of one of the following conditions, provided that they take adequate measures stipulated in the relevant legislation, process them in accordance with general principles, and are under the obligation of confidentiality:
The explicit consent of the person concerned, who is the personal data subject,
Protection of public health,
Preventive medicine,
Carrying out medical diagnosis, treatment and care services,
Planning and management of health services and financing,
Management of Human Values processes for employees.
In the absence of the explicit consent of the person concerned,
Sensitive personal data other than health and sexual life, only in cases stipulated by law,
Personal data relating to health and sexual life may only be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.
Personal Data Collection Method and Legal Reason
Personal data is obtained by our affiliates in all kinds of verbal, written or electronic media in order to provide the products and services offered in line with the above-mentioned purposes within the legal framework determined and to fulfill its obligations arising from the contract and the law in a complete and correct manner. Personal data collected for this legal reason may be processed and transferred for the purposes specified in Article 1 of this text within the scope of the personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK.
Raising Awareness on Protection and Processing of Personal Data, Audit
Our subsidiaries ensure that necessary trainings are organized for business units in order to raise awareness to prevent unlawful processing of personal data, unlawful access to data and to ensure the protection of data.
Our Subsidiaries establish the necessary systems to ensure that their existing employees and new employees are aware of the protection of personal data, and work with consultants if needed. In this respect, our Subsidiaries evaluate the participation in relevant trainings, seminars and information sessions and organize new trainings in parallel with the updating of the relevant legislation.
Terms of Processing of Personal Data
Except for the explicit consent of the personal data owner, the basis of the personal data processing activity may be only one of the following conditions, or more than one condition may be the basis of the same personal data processing activity. In case the processed data is personal data of special nature, the conditions in the Personal Data of Special Nature shall apply.
Explicit Consent of the Personal Data Owner
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and freely given.
Explicitly Stipulated in Laws
If the personal data of the data subject is explicitly stipulated in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, it will be possible to talk about the existence of this data processing condition.
Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility
The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person.
Direct Relevance to the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of a contract to which the data subject is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.
Fulfillment of the Company’s Legal Obligation
Personal data of the data subject may be processed if processing is mandatory for our Company to fulfill its legal obligations.
Publicization of Personal Data by the Personal Data Owner
If the data owner has made his/her personal data public, the relevant personal data may be processed limited to the purpose of publicization.
Data Processing is Mandatory for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed.
Data Processing is Mandatory for the Legitimate Interest of our Company
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company.
Rights of Personal Data Subjects
As a personal data owner, according to Article 11 of KVKK, you have the right:
To learn whether personal data is being processed,
To request information if your personal data has been processed,
To learn the purpose of processing personal data and whether they are used for their intended purpose,
To know the third parties to whom personal data is transferred at home and abroad,
To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
To request the destruction of personal data in the event that the reasons requiring its processing are eliminated despite being processed in accordance with the provisions of the KVKK and related laws, and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
To object to the occurrence of a result to the detriment of the person by analyzing the processed data exclusively through automated systems,
To demand compensation for the damage in case of damage due to unlawful processing of personal data.
Pursuant to paragraph 1 of Article 13 of the KVKK, the personal data owner is required to submit his/her request to use the above-mentioned rights ‘in writing’ to our affiliates by the methods specified below or by other methods determined by the Personal Data Protection Board. In this context, the channels and procedures through which the written application is submitted to our subsidiaries for the applications made within the scope of Article 11 of the LPPD are explained below. For the use of the above-mentioned rights, the request containing identifying information and explanations regarding the rights requested to use the rights specified in Article 11 of the KVKK; by filling out the application form and sending a signed copy of the form with the identifying documents to “[email protected], [email protected], [email protected], [email protected]” by e-mail, in person at Liberty Hospitality Group hotels, by registered letter with return receipt via Notary Public or by other methods specified in the KVKK.
Our Subsidiaries Responding to Applications
Our affiliates take the necessary administrative and technical measures to finalize the applications to be made by the personal data owner in accordance with the Law and secondary legislation.
In the event that the personal data owner duly submits his/her request regarding the rights set out in section 7 (“Rights of the Personal Data Owner”) to our Affiliates, our Affiliates will finalize the relevant request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.
Personal Data Recording Environments
The Affiliates store the aforementioned personal data in the following recording media:
Electronic Environments and Physical Environments
Erasure, Destruction and Anonymization of Personal Data
Our affiliates delete, destroy or anonymize the personal data obtained within the framework of the principles and procedures specified in this text and the Law, in accordance with the Law, relevant legislation, Board decisions and guidelines, ex officio in periodic destruction processes or upon the duly application of the relevant person, in the event that the purpose and legal grounds for processing the data disappear.
The deletion, destruction or anonymization operations performed shall be determined with a report and the records regarding the deletion, destruction or anonymization operations shall be kept for at least 3 years, without prejudice to the other obligations of our Affiliates as data controllers.
All kinds of technical and administrative measures are taken by the Affiliates in the process of deletion, destruction or anonymization of personal data.
It is the process of making personal data inaccessible and non-reusable in any way for the relevant users.
The data processor on behalf of our affiliates checks that there is no possibility to access the data and determines this situation with a report.
Techniques for Deletion of Personal Data
Personal Data in Paper Media: It is erased using the blackout method.
Office Files on the Central Server: It is deleted with the delete command in the operating system.
Personal Data on Portable Media: It is deleted with appropriate software.
Databases: The relevant rows containing personal data are rendered unreadable by database commands.
Destruction of Personal Data
It is the process of making personal data inaccessible to any person, making the data unrecoverable and unusable under any circumstances.
Personal Data on Local Systems: Destroyed using the appropriate method: de-magnetization, physical destruction or overwriting.
Personal Data in Environmental Systems:
Network Devices (switches, routers, etc.): Data is rendered inaccessible through physical destruction methods such as incineration and fragmentation.
SIM cards and fixed memory cards: Data is rendered inaccessible by processes such as melting or burning optical or magnetic media.
Optical Disks: Data is rendered inaccessible through physical destruction methods such as overwriting or burning, fragmentation, melting.
Peripherals with Fixed Data Recording Media: Data is rendered inaccessible through physical destruction methods such as overwriting or burning, fragmentation, melting.
Personal Data on Paper and Microfiche Media: It is destroyed using paper shredders.
Personal data transferred from the original paper format to electronic media through scanning are deleted with appropriate software according to the media they are in.
Cloud Environment: During the storage and use of personal data in these systems, access is made with a password. The access of personnel coming from outside for purposes such as maintenance and repair is carried out under the supervision of authorized personnel. The disks of expired servers are destroyed by shredding them into small pieces.
Anonymization of Personal Data
It is the removal or alteration of all direct and/or indirect identifiers in a dataset, preventing the identification of the persons concerned or losing the ability to be distinguishable within a group in such a way that it cannot be associated with a natural person.
Techniques for Anonymization of Personal Data: During the anonymization of Personal Data, one of the methods shown in the text is used in the provisions of the relevant legislation.
Periods for Deletion, Destruction, Anonymization of Personal Data
Provided that there is no obligation to store the personal data of the data subject for the period prescribed by law in accordance with legal obligations; the data processed with the consent of the data subject shall be deleted, destroyed or anonymized in accordance with the request of the data subject, within 30 days at the latest after the request is communicated to our Affiliates.
For personal data processed for the reasons listed in Article 5 of the Law that do not require explicit consent, it is deleted, destroyed or anonymized during the first periodic deletion, destruction or anonymization period at the end of the period after the reason and legal grounds disappear.
In cases where personal data is processed for the reasons listed in Article 5 of the Law without the requirement of explicit consent, but the person concerned requests deletion, the personal data is separated from the data processed with consent, stored by limiting the authorization and control matrices so that only the units related to legal obligations can access it, and is immediately destroyed or anonymized upon the disappearance of the legal grounds specified in Article 5 of the Law.
Technical and Administrative Measures
Administrative Measures
Within the scope of administrative measures, our subsidiaries:
Limit authorization and control matrices by taking into account job descriptions for internal access to processed and stored personal data.
Notify the relevant person as soon as possible in the event that the processed personal data is unlawfully obtained by others.
Employ personnel who are knowledgeable and experienced in the processing of personal data and provide the necessary training and warnings.
Carry out or have carried out the necessary audits regarding data security within the scope of their own legal entity and in all group companies, and take the necessary measures regarding the issues identified as a result of the audits.
Technical Measures
Performs the necessary internal controls within the scope of the established systems.
Carries out the processes of information technologies risk assessment and business impact analysis within the scope of the established systems.
Ensures that the technical infrastructure is provided to prevent personal data from leaving the organization and that authorization and control matrices are established.
It ensures the control of system vulnerabilities by obtaining penetration testing services at periodic intervals and when needed.
It ensures that the access authorizations of employees working in information technology units to personal data are kept under control.
Environments where personal data are stored are protected with high-security password technology or cryptographic methods, and misuse is prevented with a firewall and the SSL (Secure Sockets Layer) protocol. The data kept physically is kept in archives where only persons authorized by the Subsidiaries have access.
It takes necessary measures to ensure cyber security in environments where personal data is stored. In this context, it receives DDoS service from internet service providers against cyber attacks.
It also uses security software to secure virtual servers.
All transactions and movements in the recording environments where personal data are stored are monitored, and in case of security breaches, risk analysis is performed and vulnerabilities are immediately eliminated.
The physical protection of the recording media, cyber systems and servers containing personal data is ensured by special security devices and authorization control.
Personal data is protected against external risks such as fire, flood, etc. in backup disks and servers, locked vaults
The data kept in the ISP system room is backed up daily via point to point lines.
Authorization controls are provided for access to recording environments.
DLP solution is used to prevent the risk of data loss.
External media ports are kept closed in case the authorities lose them.