MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. 

Privacy and Cookie Policy

CUSTOMER PERSONAL DATA CLARIFICATION TEXT

This clarification text is the 10th of the Personal Data Protection Law No. 6698 (‘KVKK’). In accordance with the provisions of the article and other relevant legislation; MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. as the data controller. STI. Prepared by (‘Company’). Within the scope of our company’s activities, your personal data, which is required to be collected regarding your customer title, is collected and processed by us in accordance with the provisions of the relevant legislation and the principles described below.

  1. Method of Collection of Your Personal Data and Legal Reason

Your personal data, in the form of oral and written registration in the physical environment by our field employees who provide office and tourism guidance services, through the sharing or viewing permission given by the internet-based information systems belonging to tourism companies that are our business partners or suppliers in the electronic environment, in the electronic environment, in the call center, telephone, fax, e-mail, website (via online reservation form, e-mail contact forms, cookies and similar technologies) and instant messaging tools in the form of oral, written, auditory and visual recording in the form of digital image recording related to security cameras in the electronic environment, in the service units of our Company, or data recording in the form of digital image recording. It is collected by non-automatic methods provided that it is part of the system.

In this context, your personal data processed by our Company; Name-surname, T.C. identity number, passport information, picture in the passport photocopy, accommodation address, e-mail address, phone number, bank-credit card information, payment receipt and slip contents, invoice, call center voice recording, security camera image records and website IP and cookie information received during the entrance and stay of our workplaces and add-ons. No special quality personal data is collected by our company.

Your data collected for obtaining marketing, analysis and electronic message sending approval from your personal data is processed based on your explicit consent statement given in an enlightened manner specified in Article 5/1 of the KVKK. Your data about your security camera video records taken at the entrance to and stay of our company’s workplaces are processed due to the fact that data processing is mandatory for the legitimate interests of our Company in Article 5/2-f of the KVKK.

Your other personal data is processed by our Company based on the legal reasons specified in Article 5/2 of the KVKK and shown below. Your personal data within this scope;

  • It is necessary to process your personal data as the other party of the contract, provided that it is directly related to the establishment or performance of the commercial contract to which you are a party with our company,
  • It is clearly stipulated in the laws or that it is mandatory for our Company to fulfill its legal obligations,
  • Data processing is mandatory for the establishment, use and protection of a right belonging to our company,
  • Data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of your Party,

It is collected and processed based on legal reasons.

  1. Purpose and Procedure of Processing Your Personal Data

Your personal data Within the scope of the realization of our domestic-international commercial activities by our company; execution of contract and performance processes; goods and service purchase, sale and marketing transactions; after-sales performance and support services; finance and accounting transactions; ensuring information and physical space security; performance of legal processes and obligations arising from legislation; increasing customer satisfaction; giving the commercial supply carried out by our company in the best conditions, providing special goods and services to you in this context with the determination of personalized tastes, needs and usage purposes; raising quality standards; management of market research, analysis, marketing, re-mar/digital marketing processes related to our field of activity; advertising, promotion, offering and satisfaction with activities in our field of activity For the research, general or private e-mail, instant message, voice call is processed in connection with the purpose of the relationship you have established with our Company in order to provide our legal application and defense rights and follow-up of requests and complaints.

Your personal data collected by our company is 4 of the KVKK specified below. It is processed in accordance with the general principles regulated in the article. In this context, your personal data in question;

  • A) In accordance with the law and honesty rules,
  • b) Accurate and up to date when necessary,
  • C) For specific, explicit and legitimate purposes,
  • D) Connected, limited and measured for the purpose for which they are processed,
  • E) It is processed in accordance with the storage rules stipulated in the relevant legislation or for the necessary period for the purpose of processing.

You can access more detailed information about the processing principles of your personal data that you share with our company from our company’s “Personal Data Protection and Processing Policy”.

  1. Scope, Duration and Security of Processing Your Personal Data

The nature of the processing of your personal data provided by our Company as stated above; It is limited to be recorded, stored, stored, backed up, changed, rearranged/updated, disclosed, taken over, made available, classified or prevented from being used by our relevant departments and transferred to third parties with whom we have a business relationship within the scope specified below.

Our company keeps the personal data it processes confidentially in accordance with the provisions of the legislation in accordance with Article 12 of the KVKK in a physical environment, database and systems by taking all the necessary technical and administrative measures within the framework of technological methods and within the framework of information security standards. Upon the disappearance of the reasons that require the processing of your personal data in question or the expiration of the destruction periods determined in the relevant legislation and the Policy regulated by our Company in this regard, in accordance with the provisions of the relevant legislation and our “Personal Data Storage and Destruction Policy” text, it destroys it spontaneously or by deletion, destroying or anonymizing it immediately at the request of the data owner.

  1. To Whom and For What Purpose Your Processed Personal Data May Be Transferred

Your personal data collected by our company, only in accordance with our commercial activity, for the purposes of planning and execution of our Company’s business strategies and processes and internal trade processes, establishment and performance of our contracts, execution of post-contractual support services, secure backup/storage of data, making payment and accounting transactions, for the relevant departments of the Company, group companies, business partners, suppliers, service providers, their officials or employees, relevant bank branches, legally authorized institutions and organizations and private legal entities of the KVKK 8 and 9th. It can be transferred domestically or internationally when necessary in accordance with all regulations within the framework of the personal data transfer conditions and purposes specified in the other legislation related to its articles.

In this context, in accordance with the decision of the Personal Data Protection Board dated 31.05.2019 and numbered 2019/157, it should also be taken into account that the personal data subject to the said transmission is deemed to have been transferred abroad when foreign e-mail server and similar systems are used during data transmission.

  1. Rights You Have Within the Scope of KVKK

In accordance with Article 11 of the KVKK, you have the following rights regarding your personal data:

  • A) To learn whether your personal data is processed,
  • B) If your personal data has been processed, requesting information about it,
  • C) To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
  • ç) To know the third parties to whom your personal data is transferred at home or abroad,
  • D) Requesting correction of your personal data in case of incomplete or incorrect processing,
  • E) In accordance with Article 7 of the KVKK, to request the deletion or destruction of the reasons that require the processing of your personal data, which has been processed in a legal way, disappear,
  • F) Requesting that the transactions made in accordance with subparagraphs (d) and (e) be notified to the third parties to whom your data is transferred,
  • G) Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
  • ğ) To request compensation for the damage in case you suffer damage due to the unlawful processing of your personal data.
  • H) To withdraw your consent statement regarding the processing of your personal data and your consent to send you electronic commercial messages at any time without giving any reason.
  1. Ways of Application to Our Company within the Scope of Your Rights

Your requests within the scope of the exercise of your above-mentioned rights, by filling out the “Personal Data Owner Application Form” on the most-amazing-places.com page according to the “Communiqué on the Procedures and Principles of Application to the Data Controller” or with a similar petition, our Company “Gümüşsuyu Mah. İnönü Cad. Melek Apt. No: 11/2 Beyoğlu/ISTANBUL” address you can apply in person and send it by identity card or in writing via Notary Public or via registered/secure e-mail to “info@most-amazing-places.com” as an e-mail.

Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged according to the tariff to be determined by the Personal Data Protection Board.

SUPPLIER AND BUSINESS PARTNER PERSONAL DATA CLARIFICATION TEXT

This clarification text is the 10th of the Personal Data Protection Law No. 6698 (‘KVKK’). In accordance with the provisions of the article and other relevant legislation; MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. as the data controller. STI.(“ Company”) was prepared by Within the scope of our company’s activities, your personal data, which is required to be collected regarding your supplier or business partner, is collected and processed by us in accordance with the provisions of the relevant legislation and the principles described below.

  1. Method of Collection of Your Personal Data and Legal Reason

Your personal data is collected by our employees in the form of oral, written, audio recording and image recording through the channel, which is contacted by oral and written recording in the phone, fax, e-mail, website (via e-mail communication forms, cookie, etc. technologies) and instant messaging and video conversation tools, and in the service units of our company, in the form of digital image recording of security cameras, or by non-automatic methods, provided that it is part of the data recording system.

In this context, your personal data processed by our Company in terms of our suppliers and business partners and their authorized or employees; Name-surname, T.C. ID number, passport information, address, e-mail address, phone and fax number, real person business/commercial title, tax administration and number, bank account and IBAN number, bank-credit card information, check-bill information, waybill, invoice, payment receipt and slip contents, current account information, signature data, call center voice recording, security image camera records and website IP and cookie information taken during the entrance and stay to our workplaces and add-ons.

In this context, your special quality personal data processed by our Company in terms of the authorized or employees of our suppliers and business partners; It is your biometric data regarding the image recording obtained through internet-based platforms used to work with the video conferencing method. Apart from this, your special quality personal data is not processed by our Company in any way.

Your data collected from your personal data for obtaining special marketing, analysis and electronic message sending approval to you is collected and processed based on your explicit consent statement given in the illuminated manner specified in Article 5/1 of the KVKK. Your data about your security camera video records taken at the entrance to the workplaces and add-ons of our company and during the stay there is processed due to the fact that data processing is mandatory for the legitimate interests of our Company regulated in Article 5/2-f of the KVKK. Your biometric data regarding the image recording obtained through the internet-based platforms used during remote operation are processed based on the legal reason for your explicit consent statement in accordance with Article 6/3-a of the KVKK.

Your other personal data is processed by our Company based on the legal reasons specified in Article 5/2 of the KVKK and shown below. Your personal data within this scope;

  • It is necessary to process your personal data as the other party of the contract, provided that it is directly related to the establishment or performance of the commercial contract to which you are a party with our company,
  • It is clearly stipulated in the laws or that it is mandatory for our Company to fulfill its legal obligations,
  • Data processing is mandatory for the establishment, use and protection of a right belonging to our company,
  • Data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of your Party,

It is collected and processed based on legal reasons.

  1. Purpose and Procedure of Processing Your Personal Data

Your personal data obtained in the form described above is within the scope of the realization of our domestic-international commercial activities by our Company; execution of contract and performance processes; planning and follow-up of the works carried out with business partners and suppliers; purchase and sale of goods and marketing transactions; after-sales performance and support services; finance and accounting transactions; ensuring information and physical space security; performance of legal processes and obligations arising from legislation; giving the commercial supply carried out by our company in the best conditions; working with the video confencing method in order to carry out of works uninterruptedly in unusual times such as epidemics; raising quality standards; management of market researches, analysis, marketing, re-digital marketing processes related to our field of activity; in our field of activity For the activities and advertising, promotion, offering and satisfaction research, sending general or private e-mail, instant message, voice call; It is processed in connection with the purpose of the relationship you have established with our Company in order to provide our legal application and defense rights and to follow up requests and complaints.

Your personal data collected by our company is the 4th of the KVKK specified below. It is processed in accordance with the general principles regulated in the article. In this context, your data in question;

  • A) In accordance with the law and honesty rules,
  • b) Accurate and up to date when necessary,
  • C) For specific, explicit and legitimate purposes,
  • D) Connected, limited and measured for the purpose for which they are processed,
  • E) It is processed in accordance with the rules of keeping it for the period stipulated in the relevant legislation or required for the purpose for which it is processed.

You can access more detailed information about the processing principles of your personal data that you share with our company from our company’s “Personal Data Protection and Processing Policy”.

  1. Scope, Duration and Security of Processing Your Personal Data

The nature of the processing of your personal data provided by our Company as stated above; It is limited to be recorded, stored, stored, backed up, changed, rearranged/updated, disclosed, taken over, made available, classified or prevented from being used by our relevant departments and transferred to third parties with whom we have a business relationship within the scope specified below.

Our company keeps the personal data it processes confidentially in accordance with the provisions of the legislation in accordance with Article 12 of the KVKK in a physical environment, database and systems by taking all the necessary technical and administrative measures within the framework of technological methods and within the framework of information security standards. In the event that the reasons that require the processing of your personal data that is retained are eliminated or if the destruction periods determined in the relevant legislation and the Policy regulated by our Company on this subject, it destroys it by itself or by deleting, destroying it spontaneously or by anonymizing it at the request of the data owner in accordance with the provisions of the relevant legislation and our “Personal Data Storage and Destruction Policy”.

  1. To Whom and For What Purpose Your Processed Personal Data May Be Transferred

Your personal data collected by our company, only as a requirement of carrying out our commercial activity, for the purpose of planning and execution of our Company’s business strategy and processes and internal trade processes, establishment and performance of our contracts, execution of post-contractual support services, secure backup/storage of data, making payment and accounting transactions, our shareholders, group companies, business partners, suppliers, service providers, their officials or employees, relevant bank branches, your financial advisor or accounting department, legally authorized institutions and organizations and private legal entities for the purposes of KVKK 8 and 9th. It can be transferred domestically or internationally when necessary in accordance with all regulations within the framework of the personal data transfer conditions and purposes specified in the other legislation related to its articles.

In this context, it should also be taken into account that when foreign mail server and similar systems are used during the data transmission during the decision of the Personal Data Protection Board dated 31.05.2019 and numbered 2019/157, it should also be taken into account that the personal data subject to the said transmission is considered to have been transferred abroad, with the audio and biometric data on audio and video recording obtained through internet-based overseas-based platforms used during the work with the video conferencing method.

  1. Rights You Have Within the Scope of KVKK

In accordance with Article 11 of the KVKK, you have the following rights regarding your personal data:

  • A) To learn whether your personal data is processed,
  • B) If your personal data has been processed, requesting information about it,
  • C) To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
  • ç) To know the third parties to whom your personal data is transferred at home or abroad,
  • D) Requesting correction of your personal data in case of incomplete or incorrect processing,
  • E) Within the framework of the conditions stipulated in Article 7 of the KVKK, requesting the deletion or destruction of the reasons that require the processing of your personal data, which has been processed legally, disappear,
  • F) To request the notification of the transactions made in accordance with subparagraphs (d) and (e) to the third parties to whom your personal data has been transferred,
  • G) Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,
  • ğ) To request compensation for the damage in case you suffer damage due to the unlawful processing of your personal data.
  • H) To withdraw your consent statement regarding the processing of your personal data and your consent to send you electronic commercial messages at any time without giving any reason.
  1. Ways of Application to Our Company within the Scope of Your Rights

Your requests within the scope of the exercise of your above-mentioned rights, by filling out the “Personal Data Owner Application Form” on the most-amazing-places.com page according to the “Communiqué on the Procedures and Principles of Application to the Data Controller” or with a similar petition, our Company “Gümüşsuyu Mah. İnönü Cad. Melek Apt. No: 11/2 Beyoğlu/ISTANBUL” address you can apply in person and send it by identity card or in writing via Notary Public or via registered/secure e-mail to “info@most-amazing-places.com” as an e-mail.

Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged according to the tariff to be determined by the Personal Data Protection Board.

WEBSITE COOKIE CLARIFICATION TEXT 

This text is MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. as the data controller within the scope of Article 10 of the Personal Data Protection Law (KVKK) No. 6698 and the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Clarification Obligation. STI. Prepared by (‘Company’).

1. OBJECTIVE

The purpose of this Cookie Clarification Text is to inform you about the processing of personal data obtained automatically through the placement of the cookies used on our website on your device, for what purposes what types of cookies we use, the legal reason and your rights. Thus, it is also possible to manage your privacy preferences in accordance with the European Union General Data Protection Regulation (EU General Data Protection Regulation: ‘GDPR’).

2. DATA PROCESSED THROUGH COOKIE DESCRIPTION, PURPOSE OF USE AND COOKIES

A cookie is a small text file that the site saves on your computer or mobile device when you visit a website. These files make it possible to detect your device every time you visit the website, thus allowing you to browse the website and use its resources. The main purpose of the use of cookies is to provide functions such as the proper functioning of a website, improving the user experience, the development of the site and the delivery of more appropriate advertisements based on interest, preventing unnecessary advertising display that will not interest the user.

Through cookie technology, cookie data consisting of information such as the information given by the users of the Site with their consent statements and the preferences made on the site, their reactions to the advertising banners on the site, and information such as IP number and address are processed.

Through this text, it is explained what kinds of cookies are used on our website for what purposes. MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.., we can stop using the cookies we use in our online channels, change their types or functions, or add new cookies to our site. Therefore, we reserve the right to change the provisions of this ‘Cookie Clarification Text’ when necessary. Any changes made on the current text become effective by being published on the website.

3. TYPES OF COOKIES

A) Types of cookies according to the duration of use: The session cookie is used to ensure the continuity of the session, and these cookies are also deleted when the user closes the browser. The permanent cookie, on the other hand, is not deleted when the internet browser is closed and is automatically deleted on a certain date or after a certain period of time. In this context, session and permanent cookies are used on our website according to their usage period.

B) First-party and third-party cookies: First-party cookies are placed directly by the website visited by the user, that is, the address shown in the address bar of the browser. Third-party cookies are placed by a different domain other than the address visited by the user. In this context, only first-party cookies are used on our website.

C) Types of cookies according to the purpose of use: Cookies can be used for absolutely necessary, functional or advertising/marketing purposes according to their intended use. In this context, absolutely necessary cookies are used in order to provide the information society services you have clearly requested on our website.

4. COOKIES USED ON OUR WEBSITE

First-party session and persistent cookies are used on our website as absolutely necessary for the provision of information society services. In this context;

A) First-party permanent cookie called Borlabs Cookie – consent (stored for one year) to the website to understand whether the subsequent requests are reliable,

B) First-party permanent cookie called Borlabs Cookie – consent (stored for one year) for the purpose of confirming that the cookie disclosure text has been read.

Your personal data is processed by associating it with your IP information. Your personal data in question is not transferred to other data controllers.

5. LEGAL REASON FOR OUR PERSONAL DATA PROCESSING THROUGH COOKIES

In the processing of personal data through the said cookies, in accordance with subparagraph (f) of the second paragraph of Article 5 of the Personal Data Protection Law No. 6698, it is based on the processing condition that “Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person”.

6. THIRD PARTY SITE, PRODUCTS AND SERVICES

The company’s website may contain links to third parties’ website, products and services. Such links accessed from our site are subject to third parties’ privacy-security, use and personal data processing policies, and it should be aware that third parties and third parties’ sites are independent of the Company and the Company is not responsible for these third parties’ specified practices. In case of visiting the linked websites, we recommend that the privacy policies of these sites be read.

Because our Company is not responsible for disputes, material-moral damages and losses that may occur due to the personal data and information processing and use of the Websites, ethical principles, privacy-security principles, service quality, terms of use and other practices of the websites in question, which are reached for advertising, banners, content or for any other purpose. They are responsible for the information that data owners obtain from our site or other sites linked to on our site, information, promotion and advertisements that are communicated electronically to their parties, as well as the decisions they make within the framework of all kinds of suggestions, and all kinds of transactions and applications they make according to them.

7. WAYS TO APPLY TO OUR COMPANY WITHIN THE SCOPE OF YOUR RIGHTS

You can submit your requests within the scope of Article 11 of the KVKK, “Regulating the rights of the relevant person”, by filling out the “Personal Data Owner Application Form” on the “most-amazing-places.com” page according to the Communiqué on the Procedures and Principles of Application to the Data Controller, or with a similar petition, our Company “Gümüşsuyu Mah. İnönü Cad. Melek Apt. No: 11/2 Beyoğlu/ISTANBUL” address you can apply in person and send it by identity card or in writing via Notary Public or via registered/secure e-mail to “info@most-amazing-places.com” as an e-mail.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Version 1.0

01.06.2024.

1. LOGIN

1.1. Purpose

This Personal Data Protection and Processing Policy (‘Policy’), as the data controller, MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.. It has been prepared to determine the procedures and principles regarding the work and transactions related to the personal data processing and protection activities carried out by the (“Company”).

Our company; in line with the basic principles it has adopted; Company employees, former employees, employee candidates, shareholders, customers, potential customer candidates, service providers, suppliers, business partners, their officials and employees, visitors and other relevant third parties T.C. It has determined as a priority that it is processed and protected in accordance with the Constitution, international conventions, the Law on the Protection of Personal Data No. 6698 (‘KVKK’) and other relevant legislation, and to ensure that the relevant persons use their rights effectively in this regard.

The work and transactions related to the processing and protection of personal data are carried out in accordance with the Policy prepared by the Company accordingly. Thus, the Company provides the necessary transparency by informing the personal data owners and showing all their rights and application procedures and ways of their use. With the full awareness of our responsibility in this context, your personal and private personal data is processed and protected by us within the scope of this Policy.

1.2. Scope

All personal data belonging to Company employees, former employees, employee candidates, shareholders, customers, potential customer candidates, service providers, suppliers, business partners and their officials and employees, visitors and other third parties who establish a relationship with our Company, or processed by non-automatic means, provided that they are part of any data recording system, are covered by this Policy. This Policy is applied to all recording media such as physical, electronic, website and social media, where personal and special quality personal data owned or managed by the Company are processed, and this Policy applies to all activities for personal data processing.

With the KVKK, special importance has been attached to some personal data due to the risk of causing victimization or discrimination of people if it is processed illegally. These data; They are special quality personal data described in the Abbreviations and Definitions Table below. It is treated sensitively by our company in the protection of special quality personal data determined as “special quality” with the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the storage and protection of personal data are applied much more carefully in terms of special quality personal data, and some additional measures specified in sections 4.3. and 4.5.2. below are also taken for their processing, and necessary audits are also provided within the Company.

However, depending on the type and nature of the relationship between our company and the data subject, it is possible to provide data subjects with personal data policies and/or notifications, clarification texts procedures different from this Policy by our company. Such special policy and disclosure texts/notifications provided to data owners may also be in addition to the explanations in this Policy. In this case, such special policies and notifications provided to data owners should be taken into account first. In addition, the relevant legal regulations in force regarding the processing and protection of personal data will first find application. In the event of a non-compliance between the applicable legislation and the Policy, our Company accepts that the current legislation will first find application. The policy aims to regulate the rules set forth by the relevant legislation by embodying them within the scope of Company practices.

1.3. Abbreviations and Definitions

Buyer GroupThe category of natural or legal person to whom personal data is transferred by the data controller.
Open ConsentConsent on a particular subject, based on information and explained by free will.
Anonymizing Making personal data unidentified or identifiable natural person in any way by matching it with other data.
Employee / Former Employee MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.. staff/staff leaving the job.
Employee CandidateMOST AMAZING PLACES TANITIM VE TİCARET A.Ş.. People who have not been contrected with employment but are evaluated for establishment.
Electronic Media Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic (Physical) MediaAll written, printed, visual, etc. other media except electronic media.
Service / Expertise Service Provider MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.. A real or legal person who provides a service or specialized service such as accounting, workplace health-safety, informatics, law within the framework of a certain contract with.
Contact PersonThe natural person whose personal data is processed.
Related Employee Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller.
Destruction Deletion, destruction or anonymization of personal data.
LawLaw No. 6698 on the Protection of Personal Data.
Recording Media Any environment in which there is personal data that is completely or partially automatic or processed by non-automatic means, provided that it is part of any data recording system.
Personal Data Any information about an identified or identifiable natural person.
Personal Data Processing Inventory The personal data processing activities that data controllers carry out depending on their business processes; the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject person group create by and the inventory they detail by explaining the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to transfer to foreign countries and the measures taken regarding data security.
Processing of Personal Data All kinds of operations performed on data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data completely or partially automatic or by non-automatic means, provided that it is part of any data recording system.
BoardPersonal Data Protection Board
KVKKLaw No. 6698 on the Protection of Personal Data
Special Quality Personal Data Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of association, foundation or union, health, sexual life, criminal conviction and security measures, and biometric and genetic data of the person.
Periodic Destruction In case the conditions of processing personal data in the law disappear, the process of deletion, destruction or anonymization specified in the personal data storage and destruction policy and will be carried out ex officio at repeated intervals.
PoliticsPERSONAL DATA PROTECTION AND PROCESSING POLICY.
CompanyMOST AMAZING PLACES TANITIM VE TİCARET A.Ş..
Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Data Recording System Registration system in which personal data is structured and processed according to certain criteria.
Data OwnerThe natural person whose personal data is processed.
Data Controller A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System (VERBIS) The information system created and managed by the Personal Data Protection Board, which can be accessed over the internet, which can be used by data controllers in the application to the Registry and other relevant transactions related to the Registry.
VERBISData Controllers Registry Information System

2. DATA RESPONSIBLE

MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.. in the processes related to your personal data. STI. Acts as a data controller according to Law No. 6698. As the data controller, we are responsible and responsible for determining the purposes for processing your personal data and by what means it will be processed. In this context, this Policy text has been prepared to inform you in detail about the Company’s data processing purposes, means and protection methods.

3. RESPONSIBILITY AND DUTY DISTRIBUTIONS

All units and employees of the company actively support the responsible units in order to implement the technical and administrative measures taken within the scope of the Policy by the responsible units, to increase the training and awareness of the unit employees, to monitor and to prevent the unlawful processing of personal data, to prevent unlawful processing of personal data, and to ensure that personal data is kept in accordance with the law, in order to take all necessary technical and administrative measures to ensure that personal data is processed.

On the other hand, regarding the personal data processed by our Company, both the data controller official and employees acting as the data controller, and the persons who process the data as a result of the transfer on behalf of our Company, cannot disclose the personal data they have learned to anyone else in violation of the provisions of this Policy Text and the KVKK, and cannot use it for other than the purpose of processing. This obligation is the 12/4 of the KVKK. In accordance with the article, it continues indefinitely/lifetime after the end of the task/work.

The distribution of the titles, units and job descriptions of the personal data processing, storage and destruction processes is given in Table 1.

Table 1: Storage and disposal processes task distribution

TITLEUNITDUTY
Company Personal Data Controller OfficerMOST AMAZING PLACES TANITIM VE TİCARET A.Ş..It is responsible for preparing, developing, executing the policy, publishing and updating it in relevant environments and the employees acting in accordance with the policy.
Company Data Controller Contact PersonAdministrative and Financial AffairsIt is responsible for the provision and follow-up of the administrative, physical and technical solutions needed in the implementation of the policy.
Finance and Accounting, Procurement, Sales, Marketing and Regional Operations, Computing (IT), DepartmentsOther UnitsHe is responsible for the execution of this Policy in accordance with his duties.

4. ISSUES CONCERNING THE PROCESSING OF PERSONAL DATA

4.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation (Processing Conditions)

4.1.1. Processing in accordance with the Law and the Rule of Honesty

Personal data is not harmed by the fundamental rights and freedoms of the persons (i.e., especially the 4th of the KVKK). Article et al. is processed in accordance with the general trust and honesty rule in a way that is not contrary to other legislation related to In this context, personal data is processed in the minimum amount and extent required by our Company’s business activities and limited to.

In accordance with this principle, the obligation to act in accordance with the principles brought by the laws and other legal regulations in the processing of personal data and the prohibition of not abuse of the right is carefully complied with by our Company. In accordance with the principle of compliance with the rule of honesty, our Company also takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing. It acts in a way that prevents the emergence of results that the person concerned does not expect and does not need to wait. In accordance with this principle, the data processing activity in question is also carried out for the relevant persons, as transparent and in accordance with the information and warning obligations.

To reignterate, in accordance with the honesty rule of our Company, maximum attention is paid to the fact that the personal data of the relevant person should not be used in a way that leads to injustice to the relevant person, to meet the reasonable expectations of the relevant person and not to exceed the purpose of collection of personal data. Again, in this context, for example; According to the nature of the relationship established with the data owner, it is acted in accordance with the requirements of the honesty rule, such as that the unreasonable data is not requested and processed from the relevant person within the relevant person within the framework of the confidentiality, and that the personal data is not processed by more employees than necessary within our Company.

4.1.2. Ensuring Personal Data is Accurate and Up-to-Date When Needed

Our company takes the necessary measures to be accurate and up-to-date during the processing of personal data and carries out the necessary studies to ensure the accuracy and up-to-dateness of personal data for certain periods of time. In this context; Necessary care is taken in matters such as determining the sources from which personal data is obtained, and testing the accuracy of them when necessary, and considering the requests arising from the inaccurity of personal data.

Because this principle is in accordance with the right of the relevant person stipulated in the KVKK to request the correction of the data. Keeping personal data accurate and up-to-date is necessary for the benefit of our Company, as well as for the protection of the fundamental rights and freedoms of the data owner and for the prevention of material-moral damage. For example, in the event that a person whose contact information was registered incorrectly cannot receive his messages in a timely manner or if they were sent to an incorrect person, the person concerned may be damaged materially and morally. Again, the correct and up-to-date information of the number of children of an employee or the working status of his spouse is important for the correct calculation of the minimum living allowance (AGI). Our obligation to actively care to ensure that personal data is accurate and up-to-date when necessary; It is valid by our Company if a result is revealed regarding the data subject based on this data (for example, situations such as lending transactions). Apart from this, as the data controller, our Company always keeps the channels open to ensure that the information of the relevant person is accurate and up-to-date.

4.1.3. Processing for Specific, Clear and Legitimate Purposes

Before the personal data processing activity, our company carries out data processing by fulfilling all necessary clarification notifications regarding the personal data processing in appropriate ways in channels where both physical and electronic data are recorded, and, when necessary, the processing of consent. Thus, what are the personal data subject to the processing before the transaction by our Company, the methods by which they are obtained and the purposes of processing are clearly and precise, and in line with the business, trade and service activities carried out by our Company, the data is processed within the scope of certain, clear and legitimate purposes related to these activities. For example, our Company does not process personal data that is not related to our business at any time or way, such as the mother’s maiden name, in all sales and customer relations processes.

In this context, it is ensured that personal data processing activities are clearly understandable by the person concerned, that the personal data processing activities are carried out on the basis of which legal processing conditions are carried out, and that the personal data processing activity and the purpose of carrying out this activity are revealed in detail. Therefore, the personal data obtained are not processed for purposes other than the purposes of issuance or by misusing in any way.

4.1.4. Being Linked, Limited and Measured to the Purpose for Which They Are Processed

Our company collects personal data only to the nature and extent required by business activities and processes it limited and in connection with the purposes of giving. In this context, in accordance with the principle of being connected and limited to the purpose; Care is taken to ensure that the processed data is necessary and convenient for the realization of the determined current and current purposes, and to avoid the processing of personal data that is not related or needed to the realization of such purpose. Because other than what is necessary for the purpose, data processing will constitute a violation of the principle of limitation. For example, sending an advertisement to the email address given to participate in a symposium is against the principle of being limited.

In accordance with the principle of proportionality; We take into account that a reasonable balance should be established between data processing and the purpose to be realized. In other words, we carry out our data processing activity only to the extent that it fulfills the purpose. For example, no data subject is asked by our Company about their preferences for their social life in any process.

4.1.5. Retaining for the Time Required for the Purpose Prescribed or Processed in the Relevant Legislation

Personal data should be kept as a requirement of the ‘limitation principle for the purpose’ only in accordance with the period required for the purpose for which they are processed. In accordance with this principle, our Company does not store personal data after the specified period has expired, the purpose is realized or the data processing condition has disappeared, for the purpose of use it for another purpose or based on the existence of the possibility of using it in the future, and it rests the necessary ways to go to the necessary ways of destruction. For example, if there is no other processing requirement, the name and license plate information collected for participation in a campaign to be awarded to those who receive a certain amount of products in a certain period of time, if there is no other processing requirement, issues such as no longer being used and destroyed at the end of the campaign are carefully followed.

In this regard, as stated in Article 12 of the KVKK, our Company takes all kinds of technical and administrative measures to ensure the appropriate operational and security level in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation and destruction of personal data when necessary.

In this context, our Company retains personal data for the minimum period stipulated in the relevant legal legislation, which is necessary for the purpose for which they are processed. In the specified direction, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and acts in accordance with this period if a period is determined. If there is no legal period, personal data is stored for the period necessary for the purpose for which the data is processed, taking into account the storage periods determined according to the field of activity of our Company. Personal data is destroyed at the end of the specified retention periods in accordance with the periodic destruction periods or the data owner application and by the determined destruction methods (deletion, destruction or anonymization). In addition to this Policy text, you can find more detailed information about the issues related to storage and destruction in the “Personal Data Storage and Destruction Policy” text to be found on our Company’s website most-amazing-places.com.

4.2. Legal Reasons for Processing Personal Data

Apart from the express consent of the personal data owner, the basis of the personal data processing activity may be only one of the following conditions, and more than one condition may be the basis of the same personal data processing activity. If the processed data is special quality personal data, additional conditions in sections 4.3. and 4.5.2 of this Policy will also apply.

4.2.1 Explicit Consent of the Personal Data Owner

The explicit consent of the data owner is one of the conditions of personal data processing. However, if the personal data processing activity is based on one of the conditions other than the express consent specified in the following articles in the KVKK, our Company takes care to carry out data processing activities based on the provisions of the specified law only by fulfilling the obligation to clarify in all circumstances, since there is no need to obtain explicit consent from the relevant person and the priority must be given to the conditions other than these specified consent.

In cases where there are no provisions of the law regarding this specified data processing or do not allow the processing of personal data sufficiently, personal data is processed by our Company based on the explicit consent of the data owner. In this case, maximum attention and care is taken to the fact that the explicit consent of the data owner is disclosed on a certain subject, based on information and with free will. Again, during data processing based on explicit consent, the disclosure notification is fulfilled regardless of this and before, and in this way, consent is obtained in an illuminated way. Likewise, the process of obtaining explicit consent for data processing is not made a prerequisite for the provision of any goods or services and is carried out in such a way that does not include a situation that will be to the disadvantage of the data owner if explicit consent is not given.

To emphasize again, in the presence of any of the following personal data processing conditions, personal data will be processed based on these conditions specified by our Company without the need for the explicit consent of the data owner.

4.2.2 Clearly Stipulated In Law

If the processing of the personal data of the data subject is clearly stipulated in the law or in other words, if there is a clear provision regarding the processing of personal data in the relevant law such as Tax Laws, Labor Law, Commercial Law and KVKK, the existence of this data processing condition can be mentioned. For example, in accordance with the Labor Law, the personal information and file of our employees or the tax numbers of our customers in accordance with the financial legislation, receiving and keeping them are within this scope.

4.2.3 Failure to Obtain the Explicit Consent of the Relevant Due to the Actual Impossibility

The personal data of the data subject may be processed if the processing of his personal data is mandatory in order to protect the life or physical integrity of himself or another person who is unable to express his consent due to the actual impossibility or who does not have the power to distinguish between his consent. For example, the processing of the personal health information of the unconscious person or the contact and location information of the pledge person falls within this scope.

4.2.4 Directly Related to the Establishment or Execution of the Contract

Provided that it is directly related to the establishment or performance of a contract, if the processing of personal data belonging to the parties of the contract is mandatory, this condition will be deemed fulfilled in case of processing the data for this purpose, limited to this purpose. For example, Labor Contract, Sales Contract, Transport Agreement, Service Agreement, etc. As a result of legal relations such as, recording the address information for service/product performance, giving them to the transportation company or requesting a document showing the training status from the Company employee fall within this scope. Again, cases such as obtaining the account number of the creditor party for paying money or salary payment to the employee in accordance with a contract, or the Company obtaining the salary payroll, title deed records and document of that there is no enforcement debt of that person during the conclusion of a surety contract.

Sometimes there may be multiple legal reasons for personal data collection. For example, although the legal basis for the processing of the personal data of the employees in order to regulate the payroll is within the scope of this article, this situation is also the reason for the fulfillment of our Company’s legal obligation, which will be mentioned below.

4.2.5 Fulfillment of our Company’s Legal Obligations

If data processing is mandatory for our company to fulfill its legal responsibilities and obligations, the personal data of the relevant person may be processed. For example, data processing enters here due to the obligation to share information for situations such as financial audits, security legislation, compliance with sector-oriented regulations. In this context, the acquisition and processing of data such as bank account number, whether he is married, dependents, whether his spouse works, and social insurance number to pay a salary to our employees can be given as an example of this situation. It can also be evaluated within this scope that our company submits information about its employees or customers to the examination of the relevant public officials during the tax audit.

4.2.6 The Personal Data Owner’s Selicization of Personal Data

If the data owner has made his personal data public, that is, he submits his/her information to the public with the will to publicize it and for certain purposes, the relevant personal data may be processed limitedly for the purpose of publicization. Since the fact that a person’s personal data is in a place where only everyone can see for reasons such as coincidence or loss will not make it public, data processing is carried out by paying attention to the detail in this regard. In addition, in case of publication, the rule of not using personal data for other than its purpose is followed. For example, it is taken into account that the contact information of the relevant people on the websites where vehicles are purchased and sold cannot be used and processed for marketing purposes.

An example of this situation can be given to a person publicly announce his contact information in order to contact him in certain situations. On corporate websites, if the employees’ workplace phone numbers and corporate e-mail addresses are shared openly to third parties, it can be mentioned without publicization. Again, for example, the contact information of the person who made an advertisement containing the supply or demand of goods or services related to the field of activity of our Company may be processed in order to use it within this scope.

4.2.7 Data Processing is Mandatory for the Establishment or Protection of a Right

If data processing is mandatory for the establishment, use or protection of a right such as resorting to legal action for our company, the personal data of the data subject may be processed. These data, filing a lawsuit, registration transactions, all kinds of title deed transactions, etc. These are mandatory data to be used in works such as For example, it is here that some personal data and information of an employee leaving the job are kept for 10 years of time for the purpose of using it as evidence in a lawsuit to be opened. Similarly, after the end of the contract, the storage of documents such as invoices, contract copies, surety for these purposes until the end of the statute of limitations against possible lawsuits or legal proceedings will be evaluated within this scope.

4.2.8 Data Processing is Mandatory for the Legitimate Interest of Our Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data data owner may be processed if data processing is mandatory for the current, important/serious and legitimate interests of our Company. In this context, for example, our Company’s personal data within these scopes may be processed, provided that it does not harm the fundamental rights and freedoms of our employees, to be based on their promotions, salary increases or social rights, or in the distribution of duties and roles in the process of restructuring the enterprise. Again, for example, data processing is carried out in this scope in order to record camera images for security purposes in the workplaces of our Company or to apply rewards and premiums that increase the loyalty of our employees.

In order for this Article to be implemented, we consider that a reasonable balance should be achieved between the legitimate interest of our Company and the rights and freedoms of the data subject. However, when making this evaluation, it should also be taken into account that the legitimate interest of our Company and the purpose of processing personal data should not be confused. The purpose of processing personal data is specifically related to the reason for the processing of the data. However, in this context, the legitimate interest of our Company as the data controller is in a position to be interpreted more broadly, as it is found for the benefit to be obtained as a result of the data processing activity to be carried out.

4.3. Processing of Special Quality Personal Data

Special quality personal data processed by our company are only special quality personal data specified below for our suppliers and business partners and employees/working candidates, and these are processed in accordance with the principles specified in this Policy and provided that the method and sufficient measures to be determined by the Board are taken, by taking all necessary administrative and technical measures and in the presence of the following conditions. Our company does not process special quality personal data for any group of people or data category other than these.

4.3.1 Special quality personal data of our supplier and business partners

Biometric data regarding the image recording obtained through internet-based platforms used during remote work/meeting by video conference method belonging to our suppliers and business partners are processed based on the legal reason of the explicit consent statement of the relevant data owner in accordance with Article 6/3-a of the KVKK. In other words, in this case, the consent of the relevant person will be obtained before the data is processed, otherwise such a special quality personal data will not be processed.

4.3.2 Special quality personal data of our employees and candidates

Special quality personal data of our employees is collected and processed by our Company based on the relevant legal reasons and purposes specified in Article 6/3 of the KVKK. In this context;

Biometric data regarding the image recording obtained through the internet-based platforms used during the video conference working meeting, upon the clear consent statement in accordance with Article 6/3-a of the KVKK,

Since the data on health information, upon the explicit consent statement in accordance with Article 6/3-a of the KVKK, workplace health and safety, disabled personnel employment, incapacity report, as well as those related to pregnancy and childbirth for our only female employees are clearly stipulated in the laws in accordance with Article 6/3-b of the KVKK and compulsory for the fulfillment of legal obligations in the fields of employment, occupational health and safety and social security in accordance with Article 6/3-f of the KVKK,

Due to the fact that the data on criminal convictions and security measures are clearly stipulated in accordance with the declaration of consent in accordance with Article 6/3-a of the KVKK, and in case of compulsory convict labor obligation, the KVKK is clearly stipulated in the laws in accordance with Article 6/3-b and the fact that it is mandatory for the fulfillment of legal obligations in the field of employment in accordance with Article 6/3-f of the KVKK,

It is processed by our personnel who have signed a confidentiality commitment and OHS physicians who are under the obligation of confidentiality.

Within the scope of the processing of special quality personal data of our employee candidates;

For candidates who only apply to the disabled staff, reports on physical disabilities and previous important disabilities and operations, and special quality personal health data related to the information within this scope are also processed on a clear consent statement in accordance with Article 6/3-a of the KVKK.

Apart from these, there is no other special quality personal data processed by our Company.

4.4. Enlightenment of the Personal Data Owner

Our company informs the personal data owners about who they are processed as the data controller of their personal data, for what purposes, with whom it is shared with, what methods it is collected, and legal reasons and the rights that data owners have within the scope of the processing of their personal data.

If the personal data in question is given to our Company by another person other than the owner, that is, if the person who has a relationship with our Company gives the data of someone else to be used, the disclosure and, if necessary, obtaining a declaration of consent for the relevant third party, is done during this first communication, if this data is given for communication with the relevant third party, if this is not the case, the said data will be subject to the processing or transfer activity for the first time.

As an example of the situations specified in the above paragraph; situations such as the customer who wants to buy goods or services with someone else’s credit card, people who send a reference letter for the recruitment of employees, or employees’s relatives whose identity information is received for additional-social payment, such as AGI, can be shown.

4.5. Transfer of Personal Data

Our company can transfer the personal data and special quality personal data of the personal data owner to third parties (to our expert service providers, suppliers, group companies, shareholders, business partners, and their officials and employees and legally authorized institutions and organizations) by taking the necessary security measures in line with the purposes of personal data processing in accordance with the law. In this direction, our company acts in accordance with the regulations stipulated in Articles 8 and 9 of the KVKK.

4.5.1. Transfer of Personal Data Domestically

Personal and special quality personal data processed by our company is 8/1 of the KVKK. In accordance with the article, it can be transferred to our stakeholders mentioned above in the country based on the explicit consent of the person concerned. In addition, with the sending of Article 8/2-a of the KVKK, 5/2 of the same Law. In the article and again with the sending of Article 8/2-b of the KVKK, 6/3 of the same Law. In the event that one of the conditions specified in the article is found, personal and special quality personal data can be transferred domestically in the same way without seeking the explicit consent of the relevant person. The provisions in other laws regarding the transfer of personal data are reserved.

In this context, with the sending of Article 8/2-a of the KVKK, personal data can be transferred by our Company without the consent of the relevant person, 5/2. The conditions in the article are as follows;

Clearly stipulating the relevant activities related to the transfer of personal data in the laws,

The transfer of personal data by the Company is directly related and necessary to the establishment or performance of a contract,

The transfer of personal data is mandatory for our Company to fulfill its legal obligation,

Personal data is transferred by our Company in a limited way for the purpose of publication, provided that it is public by the data subject,

The transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data owner or third parties,

It is obligatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,

It is mandatory for the person who is unable to express his consent due to the actual impossibility or whose consent is not granted legal validity to protect the life or physical integrity of himself or someone else.

6/3 of the KVKK, which can transfer special quality personal data by our Company without seeking the consent of the relevant person, with the sending of Article 8/2-b of the KVKK. The conditions in the article are as follows;

Clearly stipulated in the laws,

The person who is unable to express his consent due to the actual impossibility or whose consent is not granted legal validity is mandatory for the protection of the life or physical integrity of himself or someone else,

To be in accordance with the will to make the personal data that the person concerned has smarked and will to make it palic,

It is mandatory for the establishment, use or protection of a right,

It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.

4.5.2. Transfer of Personal Data Abroad

The transfer of personal and special quality personal data processed by our company abroad is the 9th of KVKK. It is fulfilled in accordance with the conditions specified in the article. In this context;

9/1 of KVKK. In accordance with the Article 5th of the same Law for personal data and for special quality personal data, specified in Article 6 of the same Law (above, “4.5.1. If there is an adequacy decision given by the Board about the country, sectors in the country or international organizations in which the transfer will be made, and published in the Official Gazette, one of the conditions shown in detail under the heading of “Domestic Transfer of Personal Data”, the personal and special quality personal data in question may be transferred abroad by our Company.

9/4 of KVKK. In accordance with the article, personal data, in the absence of an adequacy decision, the existence of one of the conditions specified in Articles 5 and 6 of the same Law can be transferred abroad by our Company upon the provision of at least one of the appropriate guarantees specified below, provided that the person concerned has the opportunity to use their rights and apply for effective remedies in the country where the transfer will be made:

A) The existence of the standard contract announced by the Board, which includes issues such as data categories, the purposes of the data transfer, the recipient and the recipient groups, the technical and administrative measures to be taken by the data recipient, the additional measures taken for special quality personal data,

B) The presence of a written undertaking containing the provisions that will provide adequate protection and the permission of transfer by the Board,

C) The existence of binding company rules that the companies within our group of companies engaged in joint economic activities are obliged to comply with, which contain provisions on the protection of personal data and approved by the Board.

9/6 of KVKK. In accordance with the article, the absence of a qualification decision and the 9/4 of the KVKK mentioned above. In the event that any of the appropriate guarantees stipulated in the article and paragraph cannot be provided, personal data can be transferred abroad by our Company only in the presence of one of the following situations, provided that it is accidental:

A) Provided that the relevant person is informed about the possible risks, giving explicit consent to the transfer,

B) The transfer is mandatory for the performance of a contract between the relevant person and our Company, which is the data controller, or for the implementation of pre-contractual measures taken at the request of the relevant person,

C) The transfer is mandatory for the establishment or performance of a contract to be made between our Company, which is the data controller for the benefit of the person concerned, and another natural or legal person,

ç) The transfer is mandatory for a superior public interest,

D) It is mandatory to transfer personal data for the establishment, use or protection of a right,

E) It is mandatory to transfer personal data in order to protect the life or body integrity of himself or someone else, who is unable to express his consent due to the actual impossibility or whose consent is not granted legal validity,

F) From a registry that is open to the public or to persons with legitimate interests, the conditions required to access the registry in the relevant legislation are met and transfer provided that the person with a legitimate interest requests it.

In case of transferring personal data abroad within the above-mentioned scope, the following points are also paid attention to by our Company:

Guarantees in this Law are also provided in terms of subsequent transfers of personal data transferred abroad and transfers to international organizations, and the provisions of this article are applied (KVKK, m. 9/8),

Personal data, without prejudice to the provisions of the international contract, can only be transferred abroad with the permission of the Board in cases where the interest of Turkey or the relevant person will be seriously damaged, with the opinion of the relevant public institution or organization (KVKK, m. 9/9),

The provisions in other laws regarding the transfer of personal data abroad are reserved (KVKK, m. 9/10).

5. SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED

5.1. Personal Data Processing Activities for Security Purposes in Physical Spaces of Our Company

5.1.1. Building and Facility Entrances and Personal Data Processing Activities Made Within Them

Data processing activities carried out in physical spaces in the service units of our company are within this scope. These image records in the nature of personal data are processed by the company, monitoring and recording with closed-circuit camera systems 24 hours a day, 7 days a week, in order to monitor the entrance and exit of employees, customers, potential customers, visitors, company officials, company officials, shareholders, guests and other 3rd parties in the specified physical places, ensuring data security and providing data security and providing evidence to the judicial authorities and law enforcement officers in a possible judicial case, control of the entry and exit of employees and other people, and ensuring the safety of life and property.

5.1.2. The Legal Basis of Camera Monitoring Activity

Camera monitoring activity carried out by our company is carried out in accordance with the Regulation on Workplace Opening and Working Licenses, the Law on Private Security Services and other relevant legislation.

Again, the Company acts in accordance with the regulations in the KVKK in carrying out surveillance activities with a camera for security purposes. In order to ensure security in the service units, the company carries out closed-circuit security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.

5.1.3. Information on Camera Monitoring

10th of KVKK by our company. In accordance with the article, the personal data owner is enlightened. In this regard, lighting texts and warning signs in accordance with Law No. 6698 and the relevant legislation are positioned in the areas monitored. Our company notifies the lighting regarding the general issues with more than one method regarding the monitoring activity with the camera. Thus, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner, to ensure transparency and enlightenment of the personal data owner.

Again, for the processing of personal data with a camera by the Company; This Policy is published on the website (online policy regulation) and notification letters and signs are hung that the entrances of the monitoring areas are monitored (on-site lighting, layered lighting).

5.1.4. Purpose and Limitation of Camera Monitoring Activity to Conduct

Our company processes personal data in a limited and measured manner in accordance with Article 4 of the KVKK, in connection with the purpose for which they are processed. The purpose of continuing the video camera monitoring activity by the company is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number and when to monitor the security cameras are sufficient and limited to implement for this purpose to achieve the security purpose. Areas that may result from the intervention in a way that exceeds the privacy of the person’s security purposes are not subject to monitoring.

5.2. Processing of Information Regarding the Company’s Website and Users Accessed by the Internet

5.2.1. Processing of Company’s Website User Information

On the websites owned by the company; to ensure that the people who visit these sites perform their visits on the sites in an appropriate way for the purposes of visit; to show them customized content and to engage in online advertising activities with IP information and technical means (eg. Cookies/such as cookies) internet movements within the site can be recorded. Detailed explanations about the protection and processing of personal data regarding these activities carried out by the company are included in the “Clarification Text on Cookies” on the website most-amazing-places.com.

5.2.2. Processing of Information Regarding Users Provided by the Company’s Internet Access

If our company uses the internet access provided free of charge during their stay in the company service units for employees, shareholders and visitors (all third parties), the information entered for the internet access connection, the identification number of the connected device, the IP and LOG registration and other traffic information can be recorded in accordance with the provisions of the Law No. 5651 and the legislation regulated in accordance with this Law. Only a limited number of Company employees have access to the information obtained within this framework.

These records are processed only for the purpose of fulfilling our relevant legal obligation in the audit processes to be carried out within the Company in order to be requested by authorized public institutions and organizations or to ensure information security, and/or to protect our legal rights and to establish defense rights, and are not shared with third parties, except for our expert service providers.

6. CATEGORY OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING, SHARING

In accordance with Article 10 of the KVKK and secondary legislation, the relevant persons are informed by informing the relevant persons in accordance with Article 10 of the KVKK and the personal data processing purposes of our Company, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law, especially the general principles and conditions specified in Article 4 of the KVKK regarding the processing of personal data, are processed in accordance with the general principles and conditions specified in the KVKK.

The categories and descriptions of personal data processed within the scope of the personal data processing activities carried out by our company are arranged and shown in the table below:

Table 2: Categories of personal data

PERSONAL DATACATEGORIESDESCRIPTION
Identity InformationIt is personal data containing information about the identity of the person; name-surname, T.C. identity number, nationality information, marital status, mother’s name-father’s name, place of birth, date of birth, age, documents such as driver’s license, identity card and passport containing information such as gender, tax number, SGK number, signature information, etc.
Contact InformationPersonal data such as phone number, address, e-mail address.
Employee, Former Employee, Employee Candidate InformationPersonal data in written, visual, electronic media processed in accordance with the applicable legislation and commercial practice rules regarding company employees, former employees, employee candidates and interns.
Family Individuals and Close KnowledgeWithin the framework of the operations carried out by the company’s business units, in order to protect the legal interests of the Company and the data owner, the family individuals of the personal data owner (for example; spouse, mother, father, children for providing benefits for our employees or for chronic disease follow-up within the scope of occupational health activity) and personal data about their relatives to reach in situations such as emergencies.
Physical Space Safety InformationPersonal data regarding the records and documents received during the stay in the physical space at the entrance to the physical space; camera records and records taken at the security point, etc.
Transaction Security InformationPersonal data such as internet access and web traffic information provided by the Company, security camera image and call center voice recordings, which are processed to ensure the technical, administrative, legal and commercial security of both the data owner and the Company while carrying out the Company’s activities.
Risk Management InformationPersonal data processed through methods used in accordance with the generally accepted legal, commercial and honesty rules in these areas for the management of commercial, technical and administrative risks.
Financial InformationPersonal data processed regarding information, documents and records showing all kinds of financial results created within the scope of the legal relationship between the company and the data owner, and personal data such as bank account number, IBAN number, credit card information, financial profile.
Legal Transaction and Compliance InformationPersonal data processed regarding the determination, follow-up and performance of the legal receivables and rights of the company, legal obligations and compliance with the Company’s policies and the transactions of its employees in legal follow-up.
Special Quality Personal DataThe data specified in Article 6 of the Law (for example; health data, including blood type, criminal record information).
Request/Complaint Management InformationOther personal data, including call center voice recording, regarding the receipt and evaluation of any request or complaint directed to the company.
Reputation Management InformationPersonal data associated with the person and collected for the purpose of protecting the Company’s commercial reputation (for example; shares about the Company).
Incident Management InformationInformation and evaluations collected about events associated with the personal data owner and potential to affect the Company’s employees and shareholders (e.g., information collected about the correct management of the public, such as evaluations).

The purposes of personal data processing processed within the scope of personal data processing activities carried out by our Company are shown in the Table below:

Table 3: Purposes of personal data processing

MAIN OBJECTIVESSECOND PURPOSE
 Determination, planning and implementation of our company’s commercial policies1. Planning and execution of training activities inside or outside the company2. Conducting financial, accounting and financial transactions with customers, business partners and suppliers, realizing risk management,
Designing and Execution of the Company’s Human Resources Activities 1. Planning and execution of human resources and employee procurement processes2. Fulfillment of obligations arising from employment and legislation for company employees3. Follow-up and supervision of employees’ business activities4. Planning and execution of benefits and benefits for employees5. Planning and execution of employee exit procedures6. Planning and follow-up of employee performance evaluation processes7. Planning and execution of in-house training activities8. Management of relationships with business partners and suppliers9. Wage management10. Planning and execution of in-house orientation activities
Carrying out the Necessary Studies by the Business Units within the Company for the Fulfillment of the Commercial Activities Carried Out by the Company in accordance with the Legislation and Company Policies and the Conduct of the Activities in this direction1. Follow-up of finance and accounting affairs2. Conducting investor relations and marketing activities3. Planning and execution of corporate communication activities4. Planning and execution of efficiency/efficiency and appropriateness analyzes of business activities, Event management5. Uninterrupted execution of supply chain and processes,6. Creation and management of information technology infrastructure7. Planning, supervision and execution of information security processes8. Planning and execution of business-ensuring activities9. Planning and execution of information access authorizations of business partners and suppliers10. Fulfillment of obligations related to after-sales support
Supporting the design, planning and execution of the company’s human resources activities1. Supporting the company in planning its human resources strategies2. Follow-up and announcement of transfer, temporary assignment, promotion and dismissal of company employees3. Supporting the planning and execution of the processes of measuring the employee loyalty of the company4. Supporting company employee procurement processes
The company’sof its commercial reputation andThe trust it createsProtection of1. Request and complaint management2. Realizing studies to protect the reputation of company values

Our company, in accordance with the principles in the KVKK and especially the 8th and 9th articles of the Law No. 6698, transfer/sharing of personal data within the scope of this Policy to the recipient person groups listed below for the purposes specified in the Table below:

Table 4: Categories of parties to whom personal data is transferred and transfer purposes

DATA TRANSFER PERSONSDESCRIPTION OFPURPOSE OF DATA TRANSFER
Shareholders, Group Companies, Business Partners and Authorized and EmployeesParties in which the company has established a business partnership / association within or outside the group for purposes such as the execution of its partner and commercial activitiesLimited to the fulfillment of the purposes of establishment and execution of the partnership / association
Suppliers, Service Providers, Expert Service Providers, Their Authorized and Employees, Relevant Bank Branch-Finance Institutions, BES CompanyWithin the scope of the execution of the company’s commercial activities, the parties that provide goods or services to the Company in accordance with the instructions of the company and on a contractual basisLimited to the provision of the Company with the goods and services required to carry out the company’s commercial activities and the expertise services such as Accounting, Finance, IT and Law are provided to the Company.
Legally Authorized Public Institutions and OrganizationsPublic institutions and organizations authorized to receive information and documents of the Company according to the provisions of the relevant legislationLimited to the purpose requested by the relevant public institutions and organizations within the legal authority
Legally Authorized Private Law Legal PersonsPrivate law legal entities authorized to receive information and documents from the Company in accordance with the provisions of the relevant legislationLimited to the purpose requested by the relevant private law legal entities within the legal authority

7. STORAGE AND DISPOSAL OF PERSONAL DATA

Our company stores personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If a legal period does not exist, personal data is stored for the period necessary for the purpose for which they are processed. Personal data is destroyed at the end of the specified retention periods in accordance with the periodic destruction periods or the data owner application and by the determined destruction methods (deletion, destruction or anonymization).

You can find detailed and necessary explanations about issues such as the record media in which the said data is kept regarding the storage and destruction of the personal data processed by our company, all technical and administrative measures taken regarding the safe storage and protection, the explanations regarding the legal reasons requiring storage and destruction, the personal data storage periods on the basis of the process and periodic destruction periods and destruction techniques in the text of the “Personal Data Storage and Destruction Policy” that will be open to access to the most-amazing-places.com website of our Company.

8. PRIVACY

Our company does not transfer and disclose your personal data to any unauthorized third parties other than the unauthorized third persons or institutions written in this Policy and “Customer Personal Data Clarification Text” published in this Policy and on our website most-amazing-places.com and other special disclosure texts, except for the exceptions in Articles 8 and 9 of the KVKK and without your explicit consent. Your personal data processed by our company can be accessed only by the authorized personnel of our Company, who have a confidentiality agreement, and our workplace physicians, who have an obligation to keep secrets in terms of health data.

Our company can use statistical information (scanner type, geographical location, etc.) on the website without revealing the person’s identity, in order to improve the website and to obtain statistics for effective and efficient work in general. This information is not disclosed to third parties in any way. However, due to legal obligation and/or against the requests of the official authorities, it may share it with the relevant persons written in this Policy and the Clarification Text.

Our Company does not guarantee that other sites you will go through the links on our website will comply with our Company’s Privacy Principles; therefore, you should evaluate the privacy approaches of the sites you visit before providing any personally identifiable information.

Our company takes all necessary measures according to the nature of the personal data to be protected and in order to prevent access to this data and other security deficiencies that may occur, in order to disclose and transfer your personal data in violation of the Law No. 6698, the provisions of this Policy and the disclosure texts prepared separately for the relevant person groups as the application/procedural documents of this Policy.

9. RIGHTS OF PERSONAL DATA OWNERS AND USE OF THESE RIGHTS

9.1. Rights of the Personal Data Owner

Personal data owners are the 11th of the Law. According to the article, they have the following rights:

A) To learn whether your personal data is processed,

B) If your personal data has been processed, requesting information about it,

C) To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,

ç) To know the third parties to whom your personal data is transferred at home or abroad,

D) Requesting correction of your personal data in case of incomplete or incorrect processing,

E) Within the framework of the conditions stipulated in Article 7 of the KVKK, requesting the deletion or destruction of the reasons that require the processing of your personal data, which has been processed legally, disappear,

F) To request the notification of the transactions made in accordance with subparagraphs (d) and (e) to the third parties to whom your personal data has been transferred,

G) Objecting to the emergence of a result against you by analyzing your processed data exclusively through automated systems,

ğ) To request compensation for the damage in case you suffer damage due to the unlawful processing of your personal data.

H) To stop and withdraw your consent statement regarding the processing of your personal data and your consent to send you electronic commercial messages at any time without giving any reason.

9.2. Ways of Application to Our Company within the Scope of Your Rights

By filling out the “Personal Data Owner Application Form” or with a similar petition, by filling out your requests within the scope of the exercise of your above-mentioned rights, according to the “Communiqué on the Procedures and Principles of Application to the Data Controller” or with a similar petition, our Company’s “Gümüşsuyu Mah. İnönü Cad. Melek Apt. You can apply to No: 11/2 Beyoğlu/İSTANBUL” address in person and send it by identity card or in writing through the Notary Public or via registered/secure e-mail to ‘info@most-amazing-places.com’ as an e-mail.

Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged according to the tariff to be determined by the Personal Data Protection Board.

10. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different environments, wet-signed (printed paper) and electronically, and announced to the public on the website. The printed paper copy is also stored in the file to be kept by the Personal Data Controller Contact Person, who is the Company’s Relevant Employee.

11. UPDATE PERIOD OF POLICY

The policy is reviewed as needed and the required sections are updated.

12. ENFORCEMENT AND REMOVAL OF THE POLICY

This Policy regulated by our company is dated 01.06.2024. The policy is deemed to have entered into force after publication on our Company’s website most-amazing-places.com and has become accessible to personal data holders. In the event that all or certain articles of the Policy are renewed, the effective date will be updated.

In case the policy is decided to repeal, the wet-signed old copies are canceled by the Company Contact Person (by writing a cancellation stamp or by writing cancellation) with the Decision of the Company Data Controller Officer and are stored in the file to be kept by the Personal Data Controller Contact Person, who is the Relevant Employee of the Company for 10 years.

This Standard Agreement is notified to the Authority by the data controller or data processor within five working days from its signing (KVKK No. 6698, m. 9/5). Otherwise, an administrative fine of 50,000 Turkish liras to 1,000,000 Turkish liras is imposed on those who do not fulfill this notification obligation (KVKK No. 6698, m. 18/1-d).

PERSONAL DATA STORAGE AND DESTRUCTION POLICY

Version 1.0

01.06.2024.

1. LOGIN

1.1. Purpose

This Personal Data Storage and Destruction Policy (‘Policy’), as the data controller, MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. It has been prepared to determine the procedures and principles regarding the works and transactions related to the personal data storage and destruction activities carried out by the (“Company”).

Our company; in line with the basic principles it has adopted; Company employees, former employees, employee candidates, shareholders, customers, potential customer candidates, service providers, suppliers, business partners, their officials and employees, visitors and other relevant third parties T.C. Its Constitution has determined as a priority that it is processed, stored, destroyed and that the relevant persons use their rights effectively in accordance with the Constitution, international contracts, the Law on the Protection of Personal Data No. 6698 (‘KVKK’) and other relevant legislation.

The work and transactions related to the storage and destruction of personal data are carried out in accordance with the Policy prepared by the Company in this direction. Thus, the Company provides the necessary transparency by informing the personal data owners and showing all their rights and application procedures and ways of their use. With the full awareness of our responsibility in this context, your personal data is processed and stored within the scope of this Policy.

1.2. Scope

All personal data belonging to Company employees, former employees, employee candidates, shareholders, customers, potential customer candidates, service providers, suppliers, business partners and their officials and employees, visitors and other third parties who establish a relationship with our Company, or processed by non-automatic means, provided that they are part of any data recording system, are covered by this Policy. This Policy is applied in all recording media such as physical, electronic, website and social media media, where personal data and special quality personal data owned or managed by the Company are processed, and this Policy is applied in activities for personal data processing.

With KVKK, special attention has been attached to some personal data due to the risk of causing victimization or discrimination of people if it is processed unlawfully. These data; They are special quality personal data described in the Abbreviations and Definitions Table below. It is treated sensitively by our company in the protection of special quality personal data determined as “special quality” with the KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company to store personal data are applied more carefully in terms of special quality personal data and necessary inspections are provided within the Company. Additional measures taken regarding the storage of special quality personal data are included in sections 5.1 and 5.2 of this Policy.

The relevant legal regulations in force regarding the processing, storage and destruction of personal data will first find application. In the event of a non-compliance between the applicable legislation and the Policy, our Company accepts that the current legislation will first find application. The policy regulates the rules set forth by the relevant legislation by embodied within the scope of Company practices.

1.3. Abbreviations and Definitions

Buyer GroupThe category of natural or legal person to whom personal data is transferred by the data controller.
Open ConsentConsent to a particular subject, based on information and explained by free will.
Anonymizing Making personal data unidentified or identifiable natural person in any way by matching it with other data.
Employee / Former Employee MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. staff/staff leaving the job.
Employee CandidateMOST AMAZING PLACES TANITIM VE TİCARET A.Ş. People who have not been contrected with employment but are evaluated for establishment.
Electronic Media Environments where personal data can be created, read, changed and written with electronic devices.
Non-Electronic (Physical) MediaAll written, printed, visual, etc. other media except electronic media.
Service / Expertise Service Provider MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. with a real or legal person who provides a service or specialized service such as accounting, workplace health-safety, informatics, legal consultancy within the framework of a certain contract.
Contact PersonThe natural person whose personal data is processed.
Related Employee Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller.
Destruction Deletion, destruction or anonymization of personal data.
LawLaw No. 6698 on the Protection of Personal Data.
Recording Media Any environment in which there is personal data that is completely or partially automatic or processed by non-automatic means, provided that it is part of any data recording system.
Personal Data Any information about an identified or identifiable natural person.
Personal Data Processing Inventory The personal data processing activities that data controllers carry out depending on their business processes; the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject person group create by and the inventory they detail by explaining the maximum retention period required for the purposes for which the personal data is processed, the personal data foreseen to transfer to foreign countries and the measures taken regarding data security.
Processing of Personal Data All kinds of operations performed on data such as obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data completely or partially automatic or by non-automatic means, provided that it is part of any data recording system.
BoardPersonal Data Protection Board
KVKKLaw No. 6698 on the Protection of Personal Data
Special Quality Personal Data Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of association, foundation or union, health, sexual life, criminal conviction and security measures, and biometric and genetic data of the person.
Periodic Destruction In case the conditions of processing personal data in the law disappear, the process of deletion, destruction or anonymization specified in the personal data storage and destruction policy and will be carried out ex officio at repeated intervals.
PoliticsPersonal Data Retention and Destruction Policy.
CompanyMOST AMAZING PLACES TANITIM VE TİCARET A.Ş.
Data Processor A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.
Data Recording System Registration system in which personal data is structured and processed according to certain criteria.
Data OwnerThe natural person whose personal data is processed.
Data Controller A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry Information System (VERBIS) The information system created and managed by the Personal Data Protection Board, which can be accessed over the internet, which can be used by data controllers in the application to the Registry and other relevant transactions related to the Registry.
VERBISData Controllers Registry Information System
Regulation Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

2. RESPONSIBILITY AND DUTY DISTRIBUTIONS

All units and employees of the company actively support the responsible units in order to implement the technical and administrative measures taken by the responsible units within the scope of the Policy properly, to increase the training and awareness of the unit employees, to monitor and to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, to ensure that personal data is stored in accordance with the law, and to destroy the specified periods, to take technical and administrative measures to ensure data security in all environments processed in order to destroy the specified.

On the other hand, the data controller official and employees who act as the data controller, and the persons who process data on behalf of our Company, cannot disclose the personal data they have learned to anyone else in violation of the provisions of this Policy Text and the KVKK, and cannot use it for other than the purposes of processing. This obligation is the 12/4 of the KVKK. In accordance with the article, it continues indefinitely/lifetime after their leaving from office.

The distribution of the titles, units and job descriptions of those involved in the storage and destruction processes of personal data is given in Table 1.

Table 1: Storage and disposal processes task distribution

TITLEUNITDUTY
Company Personal Data Controller OfficerMOST AMAZING PLACES TANITIM VE TİCARET A.Ş.It is responsible for preparing, developing, executing the policy, publishing and updating it in relevant environments and the employees acting in accordance with the policy.
Company Data Controller Contact PersonAdministrative and Financial AffairsIt is responsible for the provision and follow-up of the administrative, physical and technical solutions needed in the implementation of the policy.
Finance and Accounting, Procurement, Sales, Marketing and Regional Operations, Computing (IT), DepartmentsOther UnitsHe is responsible for the execution of this Policy in accordance with his duties.

3. RECORDING MEDIA

Personal data is stored securely by the Company in accordance with the law in the media listed in Table 2.

Table 2: Personal data storage environments

Electronic MediaNon-electronic Media

– – Servers (Domain, backup, e-mail, database, web, file sharing, etc.)– Office Programs,– Softwares (portal, office software),– Information security devices (log file, antivirus, etc. )– Personal computers (Desktop, laptop)– Mobile devices (phone, tablet, etc.)– Optical discs (CD, DVD, etc.)– Removable memories (USB, Memory Card, etc.)– Printer, scanner, copier
– Paper– Manual data recording systems (occupational health and safety exam measurement and other filled form documents)– Written, printed, visual media. 

4. EXPLANATIONS ABOUT STORAGE AND REPLOY

By the Company; above is the “1.2. Personal data about all natural persons shown under the heading of “Scope” are stored and destroyed in accordance with this Policy and KVKK.

In this context, detailed explanations of storage and destruction are given below in order.

4.1. Explanations on Storage and Protection

In Article 3 of the Law No. 6698, the concept of processing of personal data is defined, in Article 4, it is stated that the personal data processed should be related, limited and proportionate to the purpose for which they are processed, and that it should be kept for the necessary time for the purpose stipulated or processed in the relevant legislation, and in Articles 5 and 6, the processing conditions of personal data are counted.

Accordingly, within the framework of our Company’s activities, personal data are stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.

12 of Law No. 6698. In accordance with the article, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer or security deficiencies that may occur in other ways. It takes technical and administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Board, conducts inspections or has them done.

Our company provides the necessary trainings to business units in order to prevent the unlawful processing of personal data, unlawful access to the data, and to raise awareness to ensure the preservation of the data.

Sensitive personal data has been given special importance within the scope of Law No. 6698 due to the risk of causing victimization or discrimination of people when processed unlawfully. These ‘special quality’ personal data; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

In this context, the technical and administrative measures taken by our Company for the storage of personal data are also carefully implemented in terms of special quality personal data, and although the necessary inspections are provided within our Company, some additional measures are also taken to store and protect special quality personal data. In this sense, adequate and more detailed measures regarding the storage and protection of special quality personal data are also included in sections 5.1 and 5.2 of this Policy.

4.1.1. Legal Reasons Requiring Storage

In our company, personal data processed within the framework of our activities are kept for the period stipulated in the relevant legislation. In this context, personal data;

Law No. 6698 on the Protection of Personal Data,

Turkish Code of Obligations No. 6098,

Turkish Commercial Code No. 6102,

Tax Procedure Law No. 213,

Public Procurement Law No. 4734,

Labor Law No. 4857 and Labor Courts Law,

Occupational Health and Safety Law No. 6331,

Social Insurance and General Health Insurance Law No. 5510,

Pension Health Law No. 5434,

Social Services Law No. 2828

Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications,

Law No. 6563 on the Regulation of Electronic Commerce,

Electronic Signature Law No. 5070,

Electronic Communications Law No. 5809,

Information Law No. 4982,

Law No. 3071 on the Exercise of the Right to Petition,

Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Add-ons,

Other secondary regulations in force under these laws,

Other relevant legislation provisions,

It is stored for the storage periods stipulated within the framework and then destroyed.

4.1.2. Processing Purposes Requiring Storage

The company stores the personal data it processes within the framework of its activities for the following purposes.

To carry out human resources processes.

To provide corporate communication.

To ensure the commercial, legal and cyber security of the company with its physical space and goods, business partners, suppliers and customers.

To be able to do statistical studies.

To be able to perform business and transactions as a result of signed contracts and protocols.

Creating and updating VERBIS records within the required process.

To ensure the fulfillment of legal obligations, as required or required by legal regulations.

To provide contact with real / legal persons who have a business relationship with the company.

Conducting marketing, market research, analysis and reporting within legal limits,

Managing call center processes,

To provide the obligation to prove as evidence in legal disputes that may arise in the future.

4.2 Explanation of Destruction and Reasons Requiring Destruction

Our company stores personal data for the time required for the purpose for which they are processed and the minimum period stipulated in the relevant legal legislation. In this context, our company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period determined within the scope of the relevant legislation to which our Company is subject and necessary for the purpose for which they are processed, taking into account general and commercial practices, and at the end of the specified retention periods, it is destroyed in accordance with the periodic destruction periods or the data owner application and with the determined destruction methods (deletion, destruction or anonymization).

Personal data;

Changing or abolition of the provisions of the relevant legislation, which constitutes the basis for its processing,

In accordance with Article 7/1 of the Law No. 6698; elimination of the purpose/reasons that require it to be processed or stored,

In cases where the processing of personal data is carried out only on the basis of the explicit consent requirement, the person concerned withdraws his explicit consent,

Acceptance by the Company of the application made regarding the deletion and destruction of personal data within the framework of the rights of the relevant person in accordance with Article 11 of the Law,

In cases that the company rejects the application made to it with the request to delete, destroy or anonymize its personal data by the person concerned, finds the answer it has given insufficient or does not respond within the period stipulated in the Law; It makes a complaint to the Board and this request is found appropriate by the Board,

The maximum retention periods determined in this Policy, which require the storage of personal data, have passed and there are no conditions that will justify storing personal data for a longer period of time,

In cases, in the first periodic destruction process following the date of the obligation to delete, destroy or anonymize personal data in accordance with Article 11/1 of the Regulation, ex officio or upon the request of the relevant person, personal data is deleted, destroyed or anonymized.

5. TECHNICAL AND ADMINISTRATIVE MEASURES FOR SAFE STORAGE

In accordance with Article 12 of the KVKK, the following technical and administrative measures are taken by our Company in order to prevent secure storage, unlawful processing and access to personal data, and to store and destroy personal data in accordance with the law. In this regard, in accordance with the fourth paragraph of Article 6 of the KVKK and the Board’s Decision dated 31/01/2018 and numbered 2018/10, sufficient additional measures determined and announced by the Board for special quality personal data are taken as follows.

5.1. Technical Measures

The technical measures taken by the company regarding the personal and special quality personal data it processes are listed as follows:

Access to information systems and authorization of users are made through the access and authority matrix and security policies through the corporate active directory.

Necessary measures are taken for the physical security of the company’s information systems equipment, software and data.

In order to ensure the security of information systems against environmental threats, hardware (access control system that provides only authorized personnel to the system room, 24/7 working and storage spaces entrance-exit monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (security walls, attack prevention systems, network access control, systems that prevent malicious software, etc.) measures are taken.

Risks to prevent unlawful processing of personal data are determined, technical measures are taken in accordance with these risks, and technical controls are carried out for the measures taken.

Access to storage areas where personal data is located is recorded and inappropriate accesses or access attempts are kept under control.

The Company takes the necessary measures to ensure that the deleted personal data is inaccessible and unavailable to the relevant users.

Vulnerabilities are followed and appropriate security patches are installed and information systems are kept up to date. Security updates are being tracked and test results are reported.

Passwords are used in electronic media where personal data is processed.

Data backup, which ensures the secure storage of personal data, is made in the secure cloud programs used for our office, accounting and other programs and information system that we use in the server, external disks and servers located in the country/abroad.

Access to personal data stored in electronic or non-electronic media is limited according to access principles.

Accessing the company website is encrypted using a secure protocol.

Security updates of environments are constantly followed on our website where personal data is processed.

A separate policy has been determined in this text for the security of special quality personal data as follows.

Within the scope of the additional policy for the security of the said special quality personal data;

Trainings on special quality personal data security have been given for employees involved in special quality personal data processing processes, confidentiality agreements have been made, and the authorizations of users who have access to the data have been defined.

Adequate security measures are taken for the physical environments where special quality personal data is processed, stored and/or accessed, and unauthorized entrances and exits are prevented by ensuring physical security.

If special quality personal data is required to be transferred via e-mail, encrypted by corporate e-mail address or using a KEP account. If it is necessary to be transferred via media such as portable memory, CD, DVD, it is encrypted. If transfer is carried out between servers in different physical environments, firewall is used or data transfer and remote connection are carried out with FTP and VPN method. If it is necessary to be transferred through a paper medium, necessary measures are taken against risks such as theft, loss or seeing of the document by unauthorized persons, and the document is sent in a “secret” format.

The scopes and durations of the authorization for employees who are authorized to access special quality personal data have been determined strictly and clearly by the “Retention and Access Authorizations” directive, which is put into execution by the Company Data Controller as a regulatory document. Again, authority control is carried out periodically for these personnel, when their duties are changed or left, their powers in this field are immediately removed, and all information, documents and equipment are returned on this issue are received.

5.2. Administrative Measures

The administrative measures taken by the company regarding the personal data it processes are listed as follows:

In order to improve the nature of the employees in this regard, regular trainings are given on the Labor Law and other relevant legislation, especially the KVKK numbered 6698, to prevent the unlawful processing of personal data, to prevent the unlawful processing of personal data, to prevent the unlawful access of personal data, to ensure the protection of personal data, and to establish a corporate culture in this regard.

Before starting the processing of personal data, the obligation of the Company to enlify the relevant persons in all circumstances is carefully fulfilled.

Personal data processing inventory has been prepared and if there will be a new personal data category that should be processed in the said inventory, they will be added and updates will be made at the times corresponding to the 6-month periodic destruction periods.

In accordance with Article 13 of the Regulation on the Data Controllers Registry; changes that occur in case of a change in the information registered in the registry will be notified to the Institution within 7 days through the registry.

Information security trainings are provided for employees.

A disciplinary sanction has been determined for employees who do not comply with the Security and Privacy policies and procedures.

Confidentiality agreements are made to the relevant user-employees who process personal and special personal data related to the activities carried out by the company.

Regular training and follow-up are provided to employees who have access to special quality personal data.

The security of the physical storage areas with special quality personal data is provided by personnel, continuous closed-circuit camera tracking and technical equipment, preventing unauthorized entry-exit and access. In addition, according to the nature of these places, sufficient measures are taken against situations such as fire, flood, electricity leakage and theft.

All policy and procedure documents and texts have been created and discussed the effect to cover all persons and data groups related to the protection of personal data within the company.

In addition to this “Personal Data Storage and Destruction Policy”, the “Personal Data Protection and Processing Policy” has been prepared in a more inclusive way, and with the mentioned Policy, it has been tried to provide more comprehensive information and sensitivity about our data processing and protection activities for both our data owners and employees.

If personal data is unlawfully obtained by others, a suitable system and infrastructure has been created by the Company to report this situation to the relevant person and the Board.

In this context, in accordance with the Board’s Decision dated 24.01.2019 and numbered 2019/10, a ‘Data Violation Response Plan’ regarding Personal Data Violations was prepared and it was decided to review this Plan on the annual periodic destruction dates of personal data at least 2 times a year.

Summarized in accordance with the Data Breach Response Plan in question;

Necessary measures have been determined by our company to continuously evaluate and follow up the possible data breach situations related to the personal data we process and transfer, and to intervene immediately if there is such a problem.

As of the date of the violation by our company, in accordance with Article 12 of the Law and the Board Decision, if a notification is made to the Board without delay and within 72 hours at the latest, and if a notification cannot be made within 72 hours with a justified reason, action has been taken to explain the reasons for the delay to the Board with the notification to be made.

In the notification to be made to the Board, it was decided to use the “Personal Data Breach Notification Form” published by the Board and provided by us.

It has been decided by our company to record the information, effects and measures taken regarding data breaches and to keep it ready for the review of the Board.

Following the determination of the relevant persons affected by the said data breach, it has been decided to notify the relevant persons as soon as possible, if the contact address of the relevant person can be accessed directly, and if it cannot be reached, by appropriate methods such as the publication of the data through the website of our Company.

In the event that the data breach occurs in the presence of the data processor, measures have been taken to ensure that the data processor notifies our Company without any delay in this regard.

In the event that the data breach occurs before the data controller residing abroad, if the results of this breach affect the relevant persons located in Turkey and the relevant persons benefit from the products and services offered in Turkey, the necessity of notification to the Board within the framework of the same principles by this data controller.

6. PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the period stipulated in the relevant legislation or the retention period required for the purpose for which they are processed, personal data is destroyed by the Company ex officio or upon the application of the relevant person, in accordance with the following techniques in accordance with the provisions of the relevant legislation.

6.1. Deletion of Personal Data

Personal data is deleted by the methods given in Table-3.

Table 3: Deletion of Personal Data

Data Recording EnvironmentDescription
Personal Data on ServersFor those who have expired in the period that requires the personal data on the servers, the access authority of the relevant users is removed and the deletion is made by the system administrator.
Personal Data Contained ElectronicallyThose who have expired the period that requires the storage of personal data in the electronic environment are made unaccessible and unusable again for other employees (related users), except for the database administrator.
Personal Data in the Physical EnvironmentFor those who have expired the period that requires the storage of personal data kept in the physical environment, it is inaccessible and made unusable again for other employees, except for the unit manager responsible for the document archive. In addition, blackout is also applied by drawing/painting/deleting in a way that cannot be read.
Personal Data in Portable MediaThose who have expired, which requires storage from personal data held in Flash-based storage media, are encrypted by the system administrator and access authorization is given only to the system administrator, with encryption keys.

6.2. Destruction of Personal Data

Personal data is destroyed by the methods given by the Company in Table-4.

Table 4: Destruction of Personal Data

Data Recording EnvironmentDescription
Personal Data in the Physical EnvironmentThose who expire in the period that need to be stored from the personal data in the paper environment are destroyed in a way that cannot be reversed in the paper clipping machine.
Personal Data in Optical / Magnetic MediaThe process of physically destroying those who have expired, such as melting, burning or pulverizing, which requires storage from personal data in optical media and magnetic media, is applied. In addition, the data on it is made unreadable by passing the magnetic media through a special device and exposing the magnetic field at a high value.

6.3. Anonymizing Personal Data

Anonymization of personal data is making personal data unidentified or identifiable natural person in no way, even if it is matched with other data.

In order for personal data to be anonymized; attention is paid to the necessity of making the personal data unrelated with an identified or identifiable natural person, even through the use of appropriate techniques in terms of registration medium and the relevant field of activity, such as returning the personal data by the data controller or third parties and/or matching the data with other data. These transactions specified by our company are carried out in accordance with the procedures and techniques specified in the “Guide to Deletion, Destruction or Anonymization of Personal Data” published by the Board.

7. STORAGE AND DESTRUCTION TIMES

Regarding the personal data processed by the Company within the scope of its activities;

Storage periods on the basis of personal data related to all personal data within the scope of activities carried out depending on the processes are in the Personal Data Processing Inventory,

Storage periods on the basis of data categories are in registration with VERBIS (when registration with VERBIS is required),

Retention periods on a process basis are included in the Personal Data Retention and Destruction Policy.

Updates are made on the said retention periods with the offer of our Company Data Controller Contact Person and the approval of our Company Data Controller Officer if necessary.

For personal data whose retention periods have expired, the process of deleting, destroying or anonymizing it is carried out by the Personal Data Controller Contact Person, who is the Relevant Employee of our Company, as shown in Table 5 below.

Table 5: Table of storage and destruction times by process

PROCESSSTORAGE PERIODDISPOSAL PERIOD
Security camera video recordings6 months from registration (10 years from registration if there is evidence within the scope of Law No. 6331, during the statute of limitations if there is evidence of crime)Within 180 days following the end of the storage period
Call center audio recordings6 months from registration (10 years if legal evidence is 10 years, if it is evidence of crime z. during the excess)Within 180 days following the end of the storage period
Biometric Image and Audio Recordings Related to Working Activities with Remote/Video Conferencing Method6 months from registrationWithin 180 days following the end of the storage period
Employee candidate and reference information (if no job contract is established)6 months from the transaction (10 years from leaving if received)Within 180 days following the end of the storage period
Information and documents about the trainer-advisor, service providers who are the department of professional training and service supply activities1 year from the completion of the training, service activityWithin 180 days following the end of the storage period
Shareholder and Employee passport information (Received within the Scope of Business Travel Abroad Activity)1 year from partnership or leaving the jobWithin 180 days following the end of the storage period
Mail-Cargo Document Receiving-Giving Transactions, Incoming-Outgoing Document1 Year From The TransactionWithin 180 days following the end of the storage period
Information on visitor records1 year from the visit dateWithin 180 days following the end of the storage period
IP and Cookie data for Website users1 year from the date of accessWithin 180 days following the end of the storage period
Internet Access Data Provided to Personnel in the Company 1 year from the date of accessWithin 180 days following the end of the storage period
Shopping slip-z report information made by customers with debit-credit card5 years from the end of the legal relationshipWithin 180 days following the end of the storage period
Data on employees and shareholders stored under labor law10 years after the end of the business relationshipWithin 180 days following the end of the storage period
Employee and shareholder data kept under SSI legislation and other relevant legislation10 years after the end of the business relationshipWithin 180 days following the end of the storage period
Work-working contract and its annexes, Part of the contract process10 years after the end of the business relationshipWithin 180 days following the end of the storage period
All documents related to employee training activities10 years after he left workWithin 180 days following the end of the storage period
Data collected for employees within the scope of workplace health and safety legislation10 years after the end of the business relationship(Data consisting of temporary incapacity report, lung X-ray, respiratory function test, hemogram, eye and hearing test within the scope of occupational health, reports and information that may be the subject of occupational accident or occupational disease case 15 years)Within 180 days following the end of the storage period
Documents on the allocation and use of vehicles, computers, telephones, etc. to employees10 yearsWithin 180 days following the end of the storage period
Personnel financing processes document (Salary and other payments)10 years following the termination of the business relationshipWithin 180 days following the end of the storage period
Personal data about suppliers and business partners 10 years after the legal relationship endedWithin 180 days following the end of the storage period
Payment transactions10 years after the end of the business-commercial relationshipWithin 180 days following the end of the storage period
Contracts concluded with third parties10 yearsWithin 180 days following the end of the storage period
Customer data10 years after the legal relationship endedWithin 180 days following the end of the storage period
Request-complaint data10 years after the legal relationship endedWithin 180 days following the end of the storage period
KVKK disclosure notification, consent statement and other approval documents10 years after the legal relationship ends (If the original document is shorter, on that date)Within 180 days following the end of the storage period
Personal Data Disposal Records and Depealed Policy Texts10 years from the transactionWithin 180 days following the end of the storage period
All kinds of document filing 10 years from the transactionWithin 180 days following the end of the storage period
Data collected in accordance with other relevant legislationUntil the period stipulated in the relevant legislationWithin 180 days following the end of the storage period
The fact that the relevant personal data is the subject of a crime within the scope of the Turkish Penal Code or other criminal legislationAs of the time out of the caseWithin 180 days following the end of the storage period

8. PERIODIC DESTRUCTION PERIOD

In accordance with Article 11 of the Regulation, the Company has determined the period of period destruction as 6 months. Accordingly, periodic destruction is carried out in the Company every year in June and December.

9. PUBLICATION AND STORAGE OF THE POLICY

The policy is published in two different environments, wet-signed (printed paper) and electronically, and announced to the public on the website. The printed paper copy is also stored in the file to be kept by the Personal Data Controller Contact Person, who is the Company’s Relevant Employee.

10. UPDATE PERIOD OF POLICY

The policy is reviewed as needed and the required sections are updated.

11. ENFORCEMENT AND REMOVAL OF THE POLICY

This Policy regulated by our company is dated 15.08.2022. The policy is deemed to have entered into force after publication on our Company’s website most-amazing-places.com and has become accessible to personal data holders. In the event that all or certain articles of the Policy are renewed, the effective date will be updated. If it is decided to repeal the Policy, old copies with wet signatures are signed by canceling the Company Data Controller’s Decision (by stamping cancellation or by writing cancellation) and it is stored in the file to be kept by the Personal Data Controller Contact Person, who is the Relevant Employee of the Company for 10 years.

Download the Personal Data Owner Application Form