PERSONAL DATA PROCESSING AND PROTECTION POLICY
HM TİCARET TURİZM VE HOTELCLİK A.Ş.   
HM TİCARET HOTEL
PERSONAL DATA PROCESSING AND  PROTECTION POLICY




General Remarks
As HM COMMERCE HOTEL, we attach importance to the processing of personal computers in accordance with the Law No. 6698 on Personal Data Protection ("Law"). For this reason, in order to offer you a better service in order to provide you with a better service in personal use in order to provide you with a better service in terms of customer security, in order to provide you a better service in order to offer you a better service, commercial electronic communications and other issues are listed below. We act in accordance with the Personal Data Processing and Protection Policy, the general principles of which are specified. In this context, this Policy on Processing and Protection of Personal Data ("Policy") in order to notify all administrative and technical measures falling under the scope of the Law 10 ("Policy"), in order to inform you about all administrative and technical measures in the place it covers, and Protection Policy ("Policy") for your information.

Purpose and Scope of the Policy
The main purpose of this Policy is to make explanations about the systems for the processing and protection of personal data in accordance with the law and the purpose of the Law, within this scope, as HM COMMERCE HOTEL, all personal data processed by automatic means or non-automatic means provided that they are part of any data recording system. to inform about the data.

Personal Data Owner / Relevant
Person It refers to our employees, hotel customers, potential customers, business partners, visitors and third parties whose personal data we process.

Personal Data Definition
Below, the data processed by HM COMMERCE HOTEL and considered as personal data in accordance with the Law are listed below. Unless otherwise expressly stated, within the scope of the terms and conditions provided under this policy, the term "personal data" will include the following information:

1) Personal Data You Share With Us: Name, surname, date of birth, T.R. Identity number, telephone number, e-mail address, address, photographs, video recordings transmitted within the scope of the surveys and competitions, and any other personal data you share with us in any way through the channels mentioned above.
2) Other Information Including Personal Data Collected Automatically: Other Information Including Personal Data Collected Automatically: Automatic search machines, video and sound recording devices and automatically collected when entering our website; This includes the number of visits, the average time spent on the site, and the page information viewed.
3) Personal Data and Other Included Information From Other Sources: Updated address information, account information, purchasing, page, shared with us by social media tools, our business partners and other third parties based on your previous consent.

information such as viewing information, search terms and search results, and personal data such as paid listings.

Special Quality Personal Data / Data
Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, membership in associations, foundations or trade unions, health, criminal convictions and security measures, and biometric and genetic data. If the processed data is personal data of special nature as defined in the KVK Law; If the personal data owner does not have explicit consent, personal data can only be processed provided that adequate measures are taken by the KVK Board.

Data Supervisor
Data controller refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Legal entities are themselves “data officers” within the scope of their activities regarding the processing of personal data, and the legal responsibility specified in the relevant regulations will arise in the person of the legal entity. There is no difference in this regard for public law legal entities and private law legal entities. According to the law, the data controller is the person who determines the purpose and method of processing personal data. That is, it is the person who will answer the questions of "why" and "how" of the processing activity. In this context, HM COMMERCE TURİZM VE OTELCİLİK A.Ş.- HM COMMERCE HOTEL acts as the data controller.

Obligations of the Data Controller
a. Lighting Obligations
The Law grants the data subjects the right to obtain information about who, for what purposes and for what legal reasons, and to whom the data can be transferred, and deals with these issues within the scope of the data controller's disclosure obligation. Accordingly, HM COMMERCE HOTEL is obliged to provide the following information to the relevant person in person or through the authorized person during the acquisition of personal data within the framework of Article 10 of the Law:

- The identity of the data controller and, if any, its representative,
- For what purpose personal data will be processed,
- To whom and for what purpose personal data can be transferred,
- The method and legal reason for collecting personal data,
- Other rights enumerated in Article 11 of the Law.

Other rights enumerated in Article 11 of the Law are;
vi. Learning whether your personal data has been processed,
vi. If personal data has been processed, to request information regarding this,
vi. Learning the purpose of processing personal data and whether they are used appropriately for their purpose,
vi. To know the third parties to whom personal data is transferred domestically or abroad,
vi. To request correction of personal data in case of incomplete or incorrect processing,
vi. To request the deletion or destruction of personal data within the framework of the principles specified within the scope of KVKK,
vi. To request notification of this situation to third parties to whom your data is transferred in cases such as wrong transfer, deletion or destruction of their data,
vi. Object to the occurrence of a result against him / her by analyzing the processed data exclusively through automated systems,
vi. Requesting the compensation of the loss in case of a loss due to the illegal processing of your personal data.

In cases where the data processing activity depends on the express consent of the person concerned or the activity is carried out under another condition in the Law, the obligation of the data controller to inform the person concerned continues. In other words, the person concerned is enlightened in every situation where his personal data is processed.


b. Obligations Regarding Data Security
HM COMMERCE HOTEL, who is the data controller in accordance with Article 12 of the Law regarding data security;
-To prevent personal data from being processed illegally,
-To prevent unlawful access to personal data,
-It is obliged to ensure the protection of personal data. HM COMMERCE HOTEL, acting as a data controller, has to take all necessary technical and administrative measures to ensure the appropriate level of security in order to fulfill these obligations. It is among the powers and duties of the Board to take a regulatory action to determine obligations regarding data security. However, it may be possible to take additional measures depending on the nature of the personal data processed on a sector basis, based on the minimum criteria determined by the Board. HM COMMERCE HOTEL is jointly responsible with these persons for taking necessary measures in case personal data are processed by another real or legal person on its behalf. Therefore, data processors are also under the obligation to take measures to ensure data security. Accordingly, for example, if the records of the data controller's company are kept by an accounting company, the data officer HM COMMERCE HOTEL will be jointly responsible with the accounting company to take measures regarding the processing of the data.
The law also imposes an audit obligation on the data controller regarding data security. The data controller is obliged to carry out the necessary inspections or have them done in order to ensure the implementation of the provisions of the Law in his institution or organization. Therefore, the data controller can perform this control himself or through a third party.

On the other hand, data controllers and data processors cannot disclose the personal data they have learned to anyone in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after they leave the job.
Finally, in case the processed personal data are obtained by others through illegal means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this on its website or by any other method it deems appropriate.
Each of the measures to be taken regarding data security must be in accordance with the structure, activities and risks to which the data controller is subject. Therefore, no single model for data security can be envisaged. In determining appropriate measures, the size or turnover of the company, as well as the nature of the data controller's work and protected personal data are also important.

c. Obligation to Answer Applications Made by Relevant Persons
Data supervisor HM COMMERCE HOTEL concludes the requests submitted to him in writing or by other methods to be determined by the Board regarding the implementation of the Law, as soon as possible and within thirty days at the latest, free of charge. However, if the transaction requires an additional cost, HM COMMERCE HOTEL may request the fees in the tariff determined by the Board from the applicant.
If HM COMMERCE HOTEL accepts the request or rejects it by explaining its reason, it informs the relevant person in writing or electronically. If the request in the application is accepted, the requirement of this request is fulfilled. If the application is caused by the fault of HM COMMERCE HOTEL, the fee collected is returned to the relevant person.
In case the application is rejected, the response is found to be insufficient or the application is not answered in time; The person concerned can make a complaint to the Board within thirty days from the date he learns the answer, and within sixty days from the date of application.
 
D. Obligation to Fulfill Board Decisions
If the Board determines the existence of a violation upon the complaint or as a result of the examination of the issues that fall within its jurisdiction, if it finds out about the alleged violation, it decides that the illegality is remedied by the data controller HM COMMERCE HOTEL and notifies the decision to the concerned parties. HM COMMERCE HOTEL to fulfill this decision without delay and within thirty days at the latest from the date of notification.
E.  Obligation to Register to the Data Controllers Registry
HM COMMERCE HOTEL must register in the system called the Data Controllers Registry (VERBIS), declare the information about data processing activities and register within the periods specified by the law.

Data Processor
The data processor, based on the authority given by the data controller, can be defined as the real or legal persons who process personal data on his behalf, outside the organization of the data controller, or it is possible to combine the data controller and data processor titles in a single legal or natural person. HM COMMERCE HOTEL also acts as Data Processor within the scope of this policy and processes your personal data in accordance with the Law.


Processing of Personal Data
Processing of Personal Data, obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying, fully or partially automatic or non-automatic, provided that it is part of any data recording system, or all kinds of operations performed on data, such as preventing their use.
The purpose for which personal data will be processed by HM COMMERCE HOTEL is revealed before the personal data processing activity begins. In addition, personal data are processed by HM COMMERCE HOTEL in connection with the service it provides personal data and as much as necessary for them.
Principles We Adhere to in Processing Personal Data

HM COMMERCE HOTEL, provided that you take the necessary measures to protect your privacy and comply with all legal principles regarding the processing of personal data; processes personal data within the framework of the purposes specified in this Personal Data processing policy in accordance with the following principles:
v. Compliance with the law and honesty rules,
v. Being accurate and up-to-date when necessary,
v. Processing for specific, explicit and legitimate purposes,
v. Being connected, limited and measured for the purpose of processing,
v. Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed


When Can Your Personal Data Be Processed?
If the personal data owner has explicit consent; If there is a clear regulation in the laws that personal data will be transferred, if it is necessary for the protection of the life or body integrity of the personal data owner or someone else, and if the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid, to be directly related to the establishment or performance of a contract. If it is necessary to transfer the personal data belonging to the parties of the contract, if the personal data is made public by the personal data owner, if the personal data transfer is mandatory for the establishment, exercise or protection of a right, personal data can be recorded and transferred, provided that the fundamental rights and freedoms of the personal data owner are not damaged.
 

How Long Will Your Personal Data Be Retained?
In accordance with the KVKK, your personal data processed for the purposes specified in this Personal Data Processing and Protection Policy, KVKK Art. When the purpose of processing according to 7 / f.1. Is eliminated and / or the limitation periods stipulated by the legislation for us to process your personal data expire, HM COMMERCE HOTEL will be deleted, destroyed or anonymized and continue to be used.


Security of Personal Data
HM COMMERCE HOTEL, in accordance with Article 12 of the Law on KVK, takes appropriate measures to prevent unlawful processing of personal data, prevent illegal access to these data and ensure their protection, and prevents the illegal processing of personal data by third parties.
Since the legal / actual license status of our customers and visitors cannot be known by HM COMMERCE HOTEL, the responsibility for the use and transactions of children and other minors belongs to their legal representatives. These persons can also exercise their rights regarding personal data through their legal representatives.

Periodic Destruction and Legal Retention Times
Physical and digital data that expire the legal storage and destruction periods are periodically destroyed. HM COMMERCE HOTEL deletes, destroys or anonymizes personal data in the process following the date when the obligation to delete, destroy or anonymize personal data occurs.
Deletion and Destruction Process Upon Request by Data Owners
In cases where the data owners apply to HM COMMERCE HOTEL and request the deletion or destruction of their personal data, HM COMMERCE HOTEL checks the current status of the personal data processing conditions and takes the relevant actions accordingly.
If all the conditions for processing personal data are eliminated, the personal data subject to the request will be deleted, destroyed or anonymized. HM COMMERCE HOTEL concludes the request of the relevant person within thirty days at the latest and informs the relevant person.
If all the conditions for processing personal data are not eliminated, HM COMMERCE HOTEL may reject the request by explaining the reason to the relevant data owner and notify the relevant person in writing or electronically within thirty days at the latest.

Changes to the Policy
After all kinds of official changes in the relevant legislation, HM COMMERCE HOTEL can make changes in this Policy in accordance with these changes.
Privacy, storage and destruction of personal data, site usage conditions, any changes that may be deemed necessary in the products, services and activities offered to HM COMMERCE HOTEL customers by HM COMMERCE HOTEL will be valid from the moment they are announced via the internet address or other appropriate communication tools.

Enforcement of the Policy
This Data Processing Policy, which was arranged and entered into force on the date of publication by HM COMMERCE HOTEL, is published on the website www.hmcommercehotel.com and made available to the relevant persons upon the request of the Personal Data owners.
This Policy has been regulated within the scope of the "Disclosure Obligation of the Data Officer" specified in Article 10 of the Law No. 6698 (Law).