Personal Data Protection Law

1-Introduction

Purpose of the Policy

The Law on the Protection of Personal Data No. 6698 (the “Law”) entered into force on April 7, 2016, and contains regulations regarding the processing of any information relating to an identified or identifiable natural person (the “Data Subject”). As San-Tur Turizm A.Ş. (the “Company”), we attach the utmost importance to the retention and destruction of personal data in compliance with the Law.


This Policy on the Processing and Security of Special Categories of Personal Data (the “Policy”) has been prepared in accordance with the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 (the “Board Decision”) regarding the “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data,” in order to determine the measures we take as a data controller regarding the processing of special categories of personal data.


This Policy and our Company's “San-Tur Turizm A.Ş. Personal Data Retention and Destruction Policy” (the “Retention and Destruction Policy”) are complementary to each other, and for matters not addressed in this Policy, the Retention and Destruction Policy must be consulted. Our Company, in its capacity as a data controller, shall act in accordance with this Policy when processing special categories of personal data, sharing them with third parties, and retaining them in data recording media.

Scope of the Policy

Considering all processes carried out by our Company, the special categories of personal data of the groups consisting of Company Authorized Signatories, Addressees of Legal Processes, Data Subjects, Employees, Employee Candidates, Interns, Vocational High School Interns, Subcontractors/Subcontractor Employees, Potential Product or Service Buyers, and Product or Service Recipients are processed, and this Policy pertains to the processed special categories of personal data of these aforementioned groups of persons.

Definitions and Abbreviations

Electronic Media: Media where personal data can be created, read, modified, and written via electronic devices.

Non-Electronic Media: All other written, printed, visual, etc., media falling outside the scope of electronic media.

Service Provider: A natural or legal person providing services to the Company within the framework of a specific contract.

Data Subject: The natural person whose personal data is processed.

Destruction: The deletion, destruction, or anonymization of personal data.

The Law: The Law on the Protection of Personal Data No. 6698.

Recording Media: Any media containing personal data that is processed wholly or partly by automated means or by non-automated means provided that it forms part of a data filing system.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making available, classification, or preventing the use thereof, fully or partially through automatic means or through non-automatic means provided that the process is a part of any data filing system.

Personal Data Processing Inventory: The inventory detailed by data controllers by explaining the personal data processing activities they perform depending on their business processes; associating them with the purposes and legal grounds of processing personal data, data categories, recipient groups, and data subject groups; and explaining the maximum retention period required for the purposes for which personal data are processed, personal data foreseen to be transferred to foreign countries, and measures taken regarding data security.

The Board: Personal Data Protection Board.

Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Periodic Destruction: The process of deletion, destruction, or anonymization to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy, in the event that all conditions for processing personal data stipulated in the Law have ceased to exist.

Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

VERBIS: Data Controllers’ Registry Information System.

Regulation: The Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

Employee Candidate: Natural persons who have applied for a job at our Company by any means or who have made their resume and related information available for our Company’s review.

Company Employee: Natural persons working within our Company.

Product or Service Recipient/Customer: Persons to whom our Company provides goods and services.

Potential Product or Service Recipient/Customer: Potential persons to whom our Company has the possibility of providing goods and services.

Person in a Legal Dispute Relationship: The person with whom our Company is in a legal dispute relationship.

Company Authorized Signatory: The signatory officially authorized by the Company.

Intern: Persons performing an internship at our Company.

Subcontractor: The natural person to whom our Company delegates a portion of its work, such as the provision of goods and services, due to their expertise.

Subcontractor Employee: The employee of a natural or legal person to whom our Company delegates a portion of its work, such as the provision of goods and services, due to their expertise.

Vocational High School Intern: Persons receiving education in vocational high schools and performing their compulsory internship at our Company.

Third Party: Other persons who do not fall under any data subject category within this Policy.

2-Principles of the Policy

General Principles Regarding the Processing of Special Categories of Personal Data

This Policy has been established by substantiating the rules and regulations set forth by the legislation in force within the scope of the practices carried out by our Company. In the event of a conflict between the legislation in force and the Policy, our Company accepts that the legislation in force shall prevail.


The Company shall act by taking into consideration the principles set forth in Article 4, Paragraph 2 of the Law and listed below, during the processing of both personal data and special categories of personal data:

Conformity with the Law and Good Faith

This principle expresses the obligation to act in compliance with the principles established by laws and other legal regulations in the processing of personal data. In accordance with the principle of good faith, our Company takes into account the interests and reasonable expectations of the data subjects while striving to achieve its objectives in personal data processing. In accordance with this principle, the personal data processing activities carried out by our Company are also highly transparent. Indeed, in the clarification notices provided by the Company particularly for product or service recipients, employees, interns, and vocational high school interns, the Company does not merely state the processed personal data and the purposes of processing, but also specifies separately for which purposes the personal data are processed on a process-by-process basis.

Being Accurate and Kept Up to Date Where Necessary

Keeping personal data accurate and up to date is as essential for the protection of the fundamental rights and freedoms of the data subject as it is critically important for the corporate identity of our Company.


In this context, the personal data held by the Company regarding the data subject is verified and updated at each processing stage, thereby ensuring a healthy and mutual flow of information.

Being Processed for Specified, Explicit, and Legitimate Purposes

The principle that the purposes of processing personal data must be specified, legitimate, and explicit ensures that personal data processing activities are clearly understandable by the data subject, that the specific legal processing condition upon which the activity is based can be identified, and that these activities are presented with sufficient detail to ensure the specificity of the purpose for which they are carried out.


In this respect, utmost sensitivity is shown regarding compliance with the principles of specificity and clarity in legal transactions and documents where the purposes of personal data processing are explained (such as explicit consent, clarification, responding to data subject requests, and registration with the Registry of Data Controllers). In parallel, the use of complex technical-legal expressions that are difficult to understand is avoided.

Being Relevant, Limited, and Proportionate to the Purposes for which they are Processed

This principle requires that the processed personal data be suitable for the achievement of the designated purposes and that the processing of personal data which is irrelevant to or not required for the achievement of such purposes be avoided.


Within the scope of this principle, in order to ensure that personal data is processed by our Company in a relevant, limited, and proportionate manner, regular assessment studies for data minimization are conducted, employees are informed, audits are performed periodically and without prior notice, and other administrative and technical measures specified in this

Being Retained for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

As a requirement of the “purpose limitation principle,” personal data must be retained in accordance with the period required for the purpose for which they are processed. In this context, our Company retains personal data for the retention periods stipulated in the legislation or, in the absence of such a period, for the duration of the statutes of limitation applicable to any legal disputes.

Information on the Special Categories of Personal Data Subject to Processing, Purposes of Processing, and Processing Procedures

The special categories of personal data subject to processing, along with their purposes of processing, legal grounds, and periods of processing and destruction, are specified in the data inventory prepared by our Company, the VERBIS registration, the Retention and Destruction Policy, and the relevant clarification texts. In addition to this information, explanations regarding the processing purposes and procedures of the special categories of personal data subject to processing by our Company are provided below:

Religious Information
  Purpose of Processing: Subject to processing due to its inclusion in identity documents and other documents, in cases where it is required to be obtained within the scope of legal responsibilities and obligations.
  Processing Procedure: This information is processed as it is included in documents such as identity cards, powers of attorney, or signature circulars required to be obtained especially during the data subject application process, legal action process, and company authorized signatory transaction processes.

Information on Appearance and Dressing
  Purpose of Processing: This information, obtained only from employees, is processed for the purpose of providing work clothes to employees.
  Processing Procedure: This information is processed during the employee footwear and clothing procurement process. It essentially consists of body/shoe size and does not provide information about any religious, political, or similar thought or belief.

Allergen Information
  Purpose of Processing: Processed for the purpose of customizing products and services to be offered to guests according to guest preferences, and particularly for the protection of guest health.
  Processing Procedure: This information is processed during the accommodation and reservation process and is subject to processing only if specified by the guest themselves.

Information on Disability and Special Needs Status
  Purpose of Processing: Processed for the purpose of customizing products and services to be offered to guests according to guest preferences, and particularly for the protection of guest health. For employees, it is processed particularly for the fulfillment of legal obligations.
  Processing Procedure: For guests, this information is processed during the accommodation and reservation process and is subject to processing only if specified by the guest themselves. For employees, it is processed in the necessary Social Security Institution (SGK) notification processes, primarily in the process of creating personnel files.

Health Information
  Purpose of Processing: Processed by the physician for purposes such as conducting emergency management processes within the scope of legal responsibility for guests and ensuring activities are carried out in accordance with legislation. For employees, subcontractor employees, and interns, it is also processed for the fulfillment of Occupational Health and Safety (OHS) obligations in addition to these purposes.
  Processing Procedure: For guests, this information is processed within the scope of processes conducted by the physician. For employees, subcontractor employees, and interns, it is processed within the scope of creating personnel and health files, periodic examination processes, and occupational accident notification processes.

Blood Type Information
  Purpose of Processing: This information may be processed for employees, interns, vocational high school interns, addressees of legal processes, and authorized signatories for purposes such as the conduct of legal processes, emergency management processes for employees, and ensuring the security of operations.
  Processing Procedure: This information is processed as it is included in documents such as identity cards, powers of attorney, or signature circulars required to be obtained during the [data subject] application process, legal action process, and company authorized signatory transaction processes. Additionally, it is processed during the creation of personnel files for the purpose of conducting emergency processes.

Information on Criminal Convictions and Security Measures
  Purpose of Processing: This information is processed particularly for the fulfillment of obligations arising from employment contracts and legislation, and for the conduct of human resources processes. It is obtained only from addressees of legal processes and subcontractors/subcontractor employees.
  Processing Procedure: This information is subject to processing as it is included in legal action processes. Additionally, in the event that subcontractor workers are employed by the Company, it is processed during the personnel registration and follow-up processes of subcontractor workers.

In accordance with Article 10 of the Law, our Company informs the data subjects regarding the purposes for which their special categories of personal data are processed. Special categories of personal data processed within the framework of the Company's activities are retained for the period stipulated in the relevant legislation, in particular the retention periods prescribed by the legislation listed below:

  • Law on the Protection of Personal Data No. 6698
  • Turkish Code of Obligations No. 6098
  • Turkish Commercial Code No. 6102
  • Social Security and General Health Insurance Law No. 5510
  • Value Added Tax Law No. 3065
  • Income Tax Law No. 193
  • Corporate Tax Law No. 5520
  • Stamp Tax Law No. 488
  • Civil Servants Law No. 657
  • Occupational Health and Safety Law No. 6361
  • Law on the Right to Information No. 4982
  • Law on the Exercise of the Right to Petition No. 3071
  • Labor Law No. 4857
  • Higher Education Law No. 2547
  • Retirement Fund Law No. 5434
  • Social Services Law No. 2828
  • Identity Declaration Law No. 1774
  • Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes
  • Law on the Protection of the Consumer No. 6502
  • Vocational Training Law No. 3308
  • Turkish Employment Agency Law No. 4904
  • Tourism Incentive Law No. 2634
  • Regulation on the Qualifications of Tourism Facilities
  • Implementation Regulation on Tourism Facilities
  • Regulation on Archive Services
  • Regulation on Travel Agencies
  • National/international agreements
  • Other secondary regulations in force pursuant to these laws

As set forth in our Company's VERBIS registration, special categories of personal data are processed for the following purposes (numbering follows the VERBIS purpose list):

  1. Execution of Emergency Management Processes
  2. Execution of Information Security Processes
  3. Execution of Selection and Placement Processes for Employee Candidates / Interns / Students
  4. Execution of Application Processes of Employee Candidates
  6. Fulfillment of Obligations Arising from Employment Contracts and Legislation for Employees
  7. Execution of Side Rights and Benefits Processes for Employees
  8. Execution of Audit / Ethics Activities
  10. Execution of Access Authorizations
  11. Conducting Activities in Accordance with the Legislation
  12. Execution of Finance and Accounting Works
  15. Execution of Assignment Processes
  16. Follow-up and Execution of Legal Affairs
  17. Execution of Internal Audit / Investigation / Intelligence Activities
  18. Execution of Communication Activities
  19. Planning of Human Resources Processes
  20. Execution / Audit of Business Activities
  21. Execution of Occupational Health / Safety Activities
  25. Execution of Goods / Service Procurement Processes
  26. Execution of After-Sales Support Services for Goods / Services
  27. Execution of Goods / Service Sales Processes
  28. Execution of Production and Operation Processes of Goods / Services
  29. Execution of Customer Relationship Management Processes
  30. Execution of Activities for Customer Satisfaction
  33. Execution of Performance Evaluation Processes
  35. Execution of Risk Management Processes
  36. Execution of Storage and Archive Activities
  38. Execution of Contract Processes
  40. Execution of Strategic Planning Activities
  41. Follow-up of Requests / Complaints
  42. Ensuring the Security of Movable Property and Resources
  43. Execution of Supply Chain Management Processes
  44. Execution of Wage Policy
  46. Ensuring the Security of Data Controller Operations
  50. Providing Information to Authorized Persons, Institutions, and Organizations
  51. Execution of Management Activities
  54. Execution of Related Processes by Obtaining Documents such as Identity Document / Power of Attorney, etc.
  54. Execution and Audit of Contractual Processes by Obtaining Identity Documents

Transfer of Special Categories of Personal Data

Our Company may share special categories of personal data with third parties in accordance with the data processing conditions specified in Articles 8 and 9 of the Law.


During the transfer of special categories of personal data to third parties, the Company shall take the security measures specified in the Board Decision. In this context, special categories of personal data:

  • In cases of transfer between servers in different physical environments, are transferred over a VPN established between the servers or via SFTP.
  • If transfer via paper media is required, are sent as "confidential documents," with the necessary measures taken against risks such as theft, loss, or unauthorized viewing of the document.

Storage of Special Categories of Personal Data

Our Company stores special categories of personal data in accordance with the general principles and processing conditions mentioned in detail above. Regarding the environments where special categories of personal data are stored and/or accessed, our Company shall take the security measures specified in the Board Decision. In this context, the administrative and technical measures taken by the Company for the storage of special categories of personal data are as follows:

  1. Network security and application security are provided.
  2. Closed system networks are used for personal data transfers via the network.
  3. Key management is implemented.
  4. Security measures within the scope of procurement, development, and maintenance of information technology systems are taken.
  5. Disciplinary regulations containing data security provisions for employees are in place.
  6. Periodic training and awareness studies on data security are conducted for employees.
  7. An authorization matrix has been established for employees.
  8. Access logs are kept regularly.
  9. Corporate policies on access, information security, use, storage, and destruction have been prepared and implemented.
  10. Data masking measures are applied when necessary.
  11. Confidentiality agreements are executed.
  12. Authorizations in this field are revoked for employees who undergo a change of duty or leave their jobs.
  13. Up-to-date anti-virus systems are used.
  14. Firewalls are used.
  15. Signed contracts contain data security provisions.
  16. Extra security measures are taken for personal data transferred via paper media, and relevant documents are sent in confidential document format.
  17. Personal data security policies and procedures have been determined.
  18. Personal data security issues are reported quickly.
  19. Monitoring of personal data security is carried out.
  20. Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  21. Security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
  22. Security of environments containing personal data is ensured.
  23. Personal data is minimized as much as possible.
  24. Personal data is backed up, and the security of the backed-up personal data is also ensured.
  25. A user account management and authorization control system is implemented and monitored.
  26. Periodic and/or random internal audits are conducted, either in-house or by commissioned third parties.
  27. Log records are kept in a manner that prevents user intervention.
  28. Existing risks and threats have been identified.
  29. Protocols and procedures for the security of special categories of personal data have been determined and implemented.
  30. If special categories of personal data are to be sent via e-mail, they must be sent in encrypted form using REM (Registered Electronic Mail) or a corporate email account.
  31. Intrusion detection and prevention systems are used.
  32. Penetration testing is applied.
  33. Cyber security measures have been taken, and their implementation is constantly monitored.
  34. Encryption is performed.
  35. Special categories of personal data transferred via portable memory, CD, or DVD media are transferred by encryption.
  36. Periodic audits of data processor service providers regarding data security are ensured.
  37. Awareness of data processor service providers regarding data security is ensured.
  38. Data loss prevention software is used.

Publication and Storage of The Policy

The Policy may be published in two different media, namely as a wet-signed (printed paper) copy and in electronic media, and may be disclosed to the public on the internet page. The printed paper copy is stored in the Human Resources Department and its respective file.

Update Period of the Policy

The Policy is reviewed as needed, and the necessary sections are updated.

Enforcement and Revocation of the Policy

The Policy is deemed to have entered into force upon its publication. In the event that a decision is made to revoke it, the old wet-signed copies of the Policy are canceled (by stamping "canceled" or writing "canceled") and signed by the Human Resources Department, and are stored by the Human Resources Department for a period of at least 5 years. The policy is set to "canceled" via the hotel management system in use.