Protection of Personal Data

Information Text for Guests

According to the Law on the Protection of Personal Data No. 6698 (“Law”), SIR TURİZM SANAYİ İNŞAAT HALI KUYUMCULUK TİCARET LTD.ŞTİ. (Hereinafter referred to as “KARMİR RESORT & SPA”) is defined as the data controller due to the fact that it processes personal data about you. According to Article 10 of the Law titled “Information Obligation”, data controllers are obliged to inform the real persons whose personal data they process on certain issues.

This text has been prepared by KARMİR RESORT & SPA in order to both comply with the legislation and to be transparent and accountable.

Definitions

According to the Law on the Protection of Personal Data No. 6698:

Personal data means any information related to an identified or identifiable real person;

Special Personal Data, Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal conviction and security measures of individuals, and biometric and genetic data,

Processing of personal data, all kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system;

Relevant person, the natural person whose personal data is processed;

Data controller, the natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.

The obligation to inform, during the acquisition of personal data, the data controller or the person authorized by him/her, shall inform the relevant persons; the identity of the data controller, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the obligation to provide information on other rights listed in Article 11 of the Law;

Relevant Person: You, whose personal data we process due to hosting you as a guest in our hotels, are defined as the relevant person by law.

Data Controller: [KARMİR RESORT & SPA] is the data controller who determines the purposes and means of processing personal data regarding your personal data, and is responsible for the establishment and management of the data recording system.

Your Processed Personal Data, Purposes of Processing and Legal Reasons

If You Fill Out the Accommodation Document;

Your Identity (Name, Surname, Nationality, Date of Birth, TR ID Number), Contact (Address, Telephone), Legal Transaction (Signature, Signature Date, Departure Date), Customer Transaction (Room Number, Arrival Date, Departure Date, Folio Number, Agency) data.

o For the Purpose of Carrying Out Customer Relationship Management Processes

 KVKK Art. 5/2(c): In accordance with the clause that the processing of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or execution of a contract (We obtain some of your personal data in the accommodation document in order to provide accommodation services to our valued guest.)

o For the Purpose of Carrying Out Storage and Archive Activities

 KVKK Art. 5/2(f): In accordance with the clause that the processing of data is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person (We store your accommodation document information for reasonable periods in order to retrospectively monitor our services.)

To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without your explicit consent upon request within the framework of KVKK Art. 28/1.

Apart from this, in unforeseen cases, if requested in cases clearly stated in the laws, your personal data may be transferred to public institutions specified in the laws (administrative authorities such as Ministries) within the scope of the purposes and limitations stipulated in the law.

Apart from our legal obligations that do not require an information obligation and do not require your explicit consent; your personal data is not transferred.

Methods of Obtaining Personal Data

Your personal data is obtained through non-automatic methods by filling out the accommodation document.

We process some of your personal data in order for you not to experience any problems related to your food allergy during your stay. During this process;

Your Identity (Name, Surname), Health Information (Allergenic Food Information), Customer Transaction (Room Number) data.

o For the Purposes of Carrying Out Goods / Services Production and Operation Processes and Carrying Out / Supervision of Business Activities

Your Information Other Than Health Information;

 KVKK Art. 5/2(c): In accordance with the clause that processing personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or execution of a contract (We obtain some of your personal data in the form of food allergy in order to provide you, our valued guest, with a problem-free accommodation service.)

For Health Information;

 KVKK Art. 6/3(d): In accordance with the clause that data processing is necessary for the establishment, exercise or protection of a right (We obtain your personal data in question in order to provide you, our valued guest, with a problem-free accommodation service.)

o For the Purpose of Carrying Out Storage and Archive Activities

Your Information Other Than Health Information;

 KVKK Art. 5/2(e): Based on the clause that data processing is mandatory for the establishment, exercise or protection of a right (We store your personal data in order to protect our rights in the event of a possible dispute.)

For Health Information;

 KVKK Art. 6/3(d): Based on the clause that data processing is mandatory for the establishment, exercise or protection of a right (We store your personal data in order to provide you, our valued guest, with a problem-free accommodation service.)

To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without your explicit consent upon request within the framework of KVKK Art. 28/1.

Apart from this, in unforeseen cases, your personal data may be transferred to public institutions (administrative authorities such as Ministries) specified in the laws upon request in cases clearly stated in the laws, within the scope of the purposes and limitations stipulated in the law.

Apart from our legal obligations that do not require an obligation to inform and do not require your explicit consent; your personal data is not transferred.

Methods of Obtaining Personal Data

Your personal data is obtained by non-automatic methods by filling in the guest information card of the card by our personnel.

In the Processes of Creating an Invoice on Your Behalf Through the Accounting Program We Receive Services;

Your Identity (Name, Surname), Legal Transaction (Invoice Date, Invoice Time, Invoice Type, Invoice Number), Finance (Service Amount Information), Customer Transaction (Received Service) data.

o For the Purpose of Carrying Out Finance and Accounting Affairs

 KVKK Art. 5/2 (ç): Based on the clause that it is mandatory for the data controller to fulfill its legal obligation (According to Article 230 of Tax Procedure Law No. 213, obtaining your aforementioned data is the legal obligation of the data controller.)

o For the Purpose of Carrying Out Storage and Archive Activities

 KVKK Art. 5/2(ç): Based on the legal obligation of the data controller (According to Article 82 of the Turkish Commercial Code No. 6102, obtaining your data is the legal obligation of the data controller.)

o For the Purpose of Carrying Out Finance and Accounting Affairs

 KVKK Article 5/2(f): Based on the clause that data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person (We have a legitimate interest as the data controller in transferring the data to the accounting program in order to carry out Finance and Accounting Affairs.)

Transaction security (Date and time of the transaction you have performed) Your data is created and stored by us for the purpose of carrying out information security processes, in accordance with the clause “Data processing is mandatory for the establishment, exercise or protection of a right” in Article 5/2(e) of the KVKK (We are required to create and store your personal data to protect our rights in the event of a possible dispute).

To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without your explicit consent upon request within the framework of Article 28/1 of the KVKK.

Apart from this, in unforeseen cases, if requested in cases clearly stated in the laws, your personal data may be transferred to public institutions (administrative authorities such as Ministries) specified in the laws within the scope of the purposes and limitations stipulated in the law.

Apart from our legal obligations that do not require an obligation to inform and do not require your explicit consent; within the framework of the conditions in Article 8 of the Law; it may be transferred to the accounting program from which the service is received for the purpose of carrying out financial and accounting transactions.

Methods of Obtaining Personal Data

Your personal data is obtained by semi-automatic methods in the accounting program.

In Case You Enter Our Hotel Campus with Your Vehicle;

Your Identity (Name, Surname), Contact (Telephone), Legal Transaction (Vehicle Plate, Entry Date, Date) data.

o For the Purpose of Ensuring Physical Space Security and Carrying Out Storage and Archive Activities

 KVKK Art. 5/2(f): Based on the provision that data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person (We have a legitimate interest as the data controller in creating the Vehicle Registration Form for the purpose of Ensuring Physical Space Security and storing it for the purpose of Carrying Out Storage and Archive Activities.)

To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without your explicit consent upon request within the framework of KVKK Art. 28/1.

Apart from our legal obligations that do not require an obligation to inform and do not require your explicit consent; your personal data is not transferred.

Methods of Obtaining Personal Data

Your personal data is created by our personnel in a paper environment using non-automatic methods.

During the Registration Process, During the Process of Recording Passport Information of Our Valuable Guests through the Hotel Management Program from Which We Receive Service;

Your Identity (Name, Surname, Nationality, Passport Number, Identity Type) data.

o For the Purposes of Carrying Out Goods / Services Sales Processes, Carrying Out Storage and Archive Activities and Carrying Out / Supervision of Business Activities

 KVKK Art. 5/2(f): Provided that it does not harm the fundamental rights and freedoms of the relevant person, based on the clause that data processing is mandatory for the legitimate interests of the data controller (We have a legitimate interest as the data controller in creating it for the purpose of ensuring the execution of the Goods / Services Sales Processes, storing it for the purpose of carrying out the Storage and Archive Activities, and transferring it to the hotel management program from which service is received in order to ensure the execution / audit of Business Activities.)

Transaction security (Date and time of the transaction you have performed) Your data is created and stored by us for the purpose of carrying out information security processes, based on the clause that data processing is mandatory for the establishment, exercise or protection of a right in KVKK Art. 5/2(e) (In case of a possible dispute, we need to create and store your personal data in order to protect our rights.)

To Whom and for What Purpose Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without seeking your explicit consent, if requested within the framework of KVKK Art. 28/1.

Apart from our legal obligations that do not require an information obligation and do not require your explicit consent; within the framework of the conditions in Article 8 of the Law; it may be transferred to the hotel management program from which service is received for the purpose of Conducting / Supervising Business Activities.

Methods of Obtaining Personal Data

Your personal data is created by semi-automatic methods through the hotel management program from which service is received.

In the Processes of Recording the Reservation Information of Our Valuable Guests through the Hotel Management Program from Which Service is Received;

Your Identity (Name, Surname), Finance (Contract Price), Legal Transaction (Sales Date), Customer Transaction (Agency Name, Check-in Date, Check-out Date, Room Type, Number of Rooms, etc.) data.

o For the Purposes of Conducting Goods / Services Sales Processes, Conducting Storage and Archive Activities and Conducting / Supervising Business Activities

 KVKK Art. 5/2(f): Provided that it does not harm the fundamental rights and freedoms of the relevant person, based on the clause that data processing is mandatory for the legitimate interests of the data controller (We have a legitimate interest as the data controller in creating it for the purpose of ensuring the execution of Goods / Services Sales Processes, storing it for the purpose of carrying out Storage and Archive Activities, and transferring it to the hotel management program from which service is received in order to ensure the execution / audit of Business Activities.)

Transaction security (Date and time of the transaction you have performed) Your data is created and stored by us for the purpose of carrying out information security processes, based on the clause that data processing is mandatory for the establishment, exercise or protection of a right in KVKK Art. 5/2(e) (We are required to create and store your personal data in order to protect our rights in the event of a possible dispute.) To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without your explicit consent upon request within the framework of Article 28/1 of the KVKK.

Apart from our legal obligations that do not require an obligation to inform and do not require your explicit consent; within the framework of the conditions in Article 8 of the Law; it may be transferred to the hotel management program from which the service is received for the purpose of Conducting / Supervising Business Activities.

Methods of Obtaining Personal Data

Your personal data is obtained through automatic methods through the reservation page from which the service is received.

If You Make a Reservation from Our Website Named www.karmirhotel.com ;

Your Identity (Name, Surname), Contact (Email, Phone), Finance (Card Number, CVV), Customer Transaction (Entry Date, Exit Date, Number of Adults, Number of Children) data.

o For the Purpose of Carrying Out Goods / Services Sales Processes

 KVKK Art. 5/2(c): In accordance with the clause that processing personal data of the parties to the contract is necessary, provided that it is directly related to the establishment or execution of a contract (Your personal data mentioned is obtained in order to establish the online reservation contract.)

o For the Purpose of Carrying Out Storage and Archive Activities

 KVKK Art. 5/2(e): In accordance with the clause that data processing is mandatory for the establishment, exercise or protection of a right (We store the personal data mentioned in order to protect our rights in the event of a possible dispute.)

Transaction security (Date and time of the transaction you performed) Your data is created and stored by us in order to carry out information security processes in accordance with the clause that data processing is mandatory for the establishment, exercise or protection of a right in KVKK Art. 5/2(e) (We need to create and store your personal data in order to protect our rights in the event of a possible dispute.)

To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without any obligation to inform and without your explicit consent upon request within the framework of Article 28/1 of the KVKK.

Apart from our legal obligations that do not require an obligation to inform and do not require your explicit consent; your personal data is not transferred.

Methods of Obtaining Personal Data

Your personal data is obtained by automatic methods through your filling out the relevant form on the reservation page of our website.

We Need to Transfer Your Identity Information to the Gendarmerie General Command. During this Process;

Your Identity (Name, Surname, TR ID Number) data.

o For the Purpose of Providing Information to Authorized Persons, Institutions and Organizations

 Article 28/1 of the KVKK. 5/2(a): Based on the Condition of Being Clearly Foreseen in the Laws (Article 3 of the Identity Notification Law No. 1774 clearly stipulates that your identity information must be transferred to authorized persons, institutions and organizations for the purpose of providing information.)

To Whom and for What Purposes Can Personal Data Be Transferred

Your personal data may be transferred to the relevant authorities without the obligation to inform and without your explicit consent, if requested within the framework of Article 28/1 of the KVKK.

Apart from our legal obligations that do not require an obligation to inform and do not require your explicit consent; within the framework of the conditions in Article 8 of the Law; It may be transferred to the Gendarmerie General Command for the purpose of providing information to authorized persons, institutions and organizations.

Your Rights Regarding Your Personal Data

The persons concerned must first communicate their rights regarding their personal data to the data controller.

According to the law, you can exercise your rights regarding your personal data:

a) To learn whether personal data has been processed,
b) To request information regarding your personal data if it has been processed,
c) To learn the purpose of processing your personal data and whether it is used in accordance with its purpose,

ç) To know the third parties to whom your personal data has been transferred domestically or abroad,

d) To request correction of your personal data if it has been processed incompletely or incorrectly,
e) To request deletion or destruction of your personal data if the reasons requiring processing are eliminated,

f) To request notification of the transactions carried out pursuant to clauses (d) and (e) to the third parties to whom your personal data has been transferred,
g) To object to the emergence of a result against you by analyzing your processed data exclusively through automated system,

ğ) To request compensation for the damages in case you suffer damages due to the processing of personal data in violation of the law.

Application Method to Data Controller

You can submit your application:

 In writing to Göynük Mahallesi Ahu Ünal Aysal Cad.No:14/1 Kemer / ANTALYA;

 With secure electronic signature or mobile signature to sirturizm@hs01.kep.tr kep;

 If your e-mail address is registered in our system, you can submit it by sending an e-mail to info@karmirhotel.com .

In your application;

▪ Your name, surname and signature if the application is in writing,

▪ For citizens of the Republic of Turkey, your T.C. identity number, if you are a foreigner, your nationality, passport number or your identity number if you have one,

▪ Your place of residence or workplace address for notification,

▪ If available, your e-mail address, telephone and fax number for notification,

▪ Your subject of the request,

it is mandatory to include information and documents related to the subject, if any, in the application.

KARMİR RESORT & SPA reserves the right to verify your identity.

You can access the procedural rules to be followed during the application and more detailed information from the Personal Data Protection Authority’s “Communiqué on the Procedures and Principles of Application to the Data Controller”.