Version 1.1
30.11.2025TARİHE BAK
Table of Contents
SECTION 1 – INTRODUCTION
1.1. Purpose
This Personal Data Protection and Processing Policy (“Policy”) has been prepared by MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ (“Company”), acting in its capacity as data controller, in order to determine the procedures and principles regarding the personal data processing and protection activities carried out by the Company.
In line with its fundamental principles, the Company has adopted as a priority the processing and protection of the personal data of its employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, business partners, their authorized persons and employees, visitors, and other relevant third parties, in compliance with the Constitution of the Republic of Türkiye, international conventions, the Law on the Protection of Personal Data No. 6698 (“KVKK”) and other applicable legislation, and ensuring that data subjects effectively exercise their rights in this respect.
All activities relating to the processing and protection of personal data are carried out by the Company in a transparent manner by informing the relevant data subjects and by explaining all of their rights and the application procedures and methods for exercising such rights. With full awareness of its responsibilities in this regard, your personal data and your special categories of personal data are processed and protected by the Company within the scope of this Policy.
1.2. Scope
This Policy covers all personal data processed by automated means or by non-automated means, provided that they form part of a data recording system, belonging to the Company’s employees, former employees, employee candidates, shareholders, customers, potential customers, service providers, suppliers, business partners and their authorized persons and employees, visitors, and other third parties who establish a relationship with the Company.
This Policy applies to all recording media and all personal data processing activities, including physical and electronic environments, websites and social media platforms, in which personal data owned or managed by the Company are processed.
Under the KVKK, certain personal data are afforded special protection due to the risk that their unlawful processing may cause victimization or discrimination. Personal data defined as “special categories of personal data” under the KVKK are processed by the Company solely in accordance with subparagraph (f) of Article 6(3) of the Law on the Protection of Personal Data No. 6698 and other applicable legislation.
In addition, depending on the nature and type of the relationship between the Company and the data subject, the Company may provide the data subject with personal data policies and/or notices, privacy notices and procedures other than this Policy. Such specific policies and privacy notices provided to data subjects may contain additional provisions to those set out in this Policy. In such cases, the specific policy or notice provided to the data subject shall be taken into account in the first place.
Furthermore, the provisions of the applicable legislation in force regarding the processing and protection of personal data shall apply primarily. In the event of any inconsistency between the provisions of the legislation in force and this Policy, the Company acknowledges that the provisions of the legislation in force shall prevail. This Policy aims to concretize and regulate, within the framework of Company practices, the rules laid down by the applicable legislation.
1.3. Abbreviations and Definitions
Recipient Group
Category of natural or legal persons to whom personal data are transferred by the data controller.
Explicit Consent
Consent that is related to a specific subject, based on information and given with free will.
Anonymisation
Rendering personal data impossible to be associated with an identified or identifiable natural person, even when matched with other data.
Employee / Former Employee
Employees / former employees of MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ
Employee Candidate
Persons whose employment contracts with MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ have not been established but are under evaluation for establishment.
Electronic Environment
Environments in which personal data can be created, read, altered and written by electronic devices.
Non-Electronic (Physical) Environment
All written, printed, visual and other environments outside electronic environments.
Service / Professional Service Provider
A natural or legal person providing services or professional services such as accounting, occupational health and safety, information technologies or legal services to MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ under a specific contract.
Data Subject
The natural person whose personal data are processed.
Relevant Employee
Persons who process personal data within the data controller’s organization or in accordance with the authority and instructions received from the data controller.
Destruction
Deletion, destruction or anonymisation of personal data.
Law
The Law on the Protection of Personal Data No. 6698.
Recording Medium
Any environment in which personal data are processed by fully or partially automated means or by non-automated means, provided that they form part of a data recording system.
Personal Data
Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory
The inventory in which data controllers detail their personal data processing activities by associating them with business processes, including purposes and legal grounds of processing, data categories, recipient groups, data subject groups, maximum retention periods, personal data envisaged to be transferred abroad and data security measures.
Processing of Personal Data
Any operation performed on personal data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of such data, by fully or partially automated means or by non-automated means forming part of a data recording system.
Board
The Personal Data Protection Board.
KVKK
The Law on the Protection of Personal Data No. 6698.
Special Categories of Personal Data
Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, association, foundation or trade-union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Destruction
The deletion, destruction or anonymisation of personal data carried out automatically at recurring intervals specified in the personal data retention and destruction policy where all conditions for processing under the Law cease to exist.
Policy
Personal Data Protection and Processing Policy.
Company
MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ
Data Processor
A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System
A recording system in which personal data are structured and processed according to certain criteria.
Data Controller
The natural or legal person who determines the purposes and means of the processing of personal data and is responsible for the establishment and management of the data recording system.
Data Controllers’ Registry Information System (VERBİS)
The information system established and managed by the Personal Data Protection Board and accessible via the internet, used by data controllers for registration and other registry-related procedures.
VERBİS
Data Controllers’ Registry Information System.
SECTION 2 – DATA CONTROLLER
MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ acts as the data controller with respect to the processing of your personal data pursuant to the Law No. 6698.
As the data controller, the Company has the authority and responsibility to determine the purposes for which personal data are processed and the means used for such processing. Within this scope, this Policy has been prepared in order to inform data subjects in detail about the Company’s purposes of processing personal data, the methods used for such processing, and the protection measures applied.
SECTION 3 – RESPONSIBILITIES AND DUTY DISTRIBUTION
All units and employees of the Company actively support the responsible departments in the proper implementation of the technical and administrative measures adopted within the scope of this Policy, in the training and raising of awareness of employees, in monitoring and continuous auditing, in preventing the unlawful processing of personal data and unlawful access thereto, and in ensuring the lawful storage of personal data by taking all necessary technical and administrative measures to ensure data security in all environments where personal data are processed.
Furthermore, with respect to the personal data processed by the Company, both the authorized persons and employees acting on behalf of the data controller and the persons processing personal data as data processors as a result of data transfers on behalf of the Company are prohibited from disclosing the personal data they have learned to third parties in violation of this Policy and the provisions of the KVKK, and from using such data for purposes other than the purpose of processing. This obligation shall continue indefinitely, even after the termination of their duty or employment, pursuant to Article 12(4) of the KVKK.
The distribution of titles, units and duties of those involved in the personal data processing, storage and destruction processes is set out in Table 1 below.
Table 1: Distribution of Duties in Storage and Destruction Processes
Title | Unit | Duty |
Data Controller | MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ | Responsible for the preparation, development, implementation, publication in relevant environments, updating of the Policy, and for ensuring that employees act in compliance with the Policy. |
Data Controller Contact Person | Pelin Yıldız | Responsible for providing and monitoring the administrative, physical and technical solutions required for the implementation of the Policy. |
Finance and Accounting, Purchasing, Sales, Marketing and Regional Operations, Information Technologies (IT) Departments | Other Units |
SECTION 4 – MATTERS RELATING TO THE PROCESSING OF PERSONAL DATA
4.1. Processing of Personal Data in Compliance with the Principles Prescribed by the Legislation (Conditions of Processing)
4.1.1. Processing in Compliance with the Law and the Principle of Good Faith
Personal data are processed in compliance with the law (in particular, without violating Article 4 of the KVKK and other relevant legislation) and in accordance with the principle of good faith, in a manner that does not harm the fundamental rights and freedoms of individuals. Within this framework, personal data are processed by the Company only to the extent required by its business activities and in a limited and proportionate manner.
Pursuant to this principle, the Company strictly complies with the obligation to act in accordance with the principles introduced by laws and other legal regulations and with the prohibition of abuse of rights in the processing of personal data. In accordance with the principle of good faith, when striving to achieve its objectives in data processing, the Company takes into account the interests and reasonable expectations of the data subjects and acts in a manner that prevents the emergence of outcomes which the data subject does not expect and cannot reasonably be expected to foresee. Under this principle, processing activities are also carried out transparently and in compliance with information and notification obligations.
In summary, in accordance with the principle of good faith, the Company pays utmost attention to ensuring that personal data are not used in a way that would cause injustice to the data subject, that the reasonable expectations of the data subject are met, and that the purpose of data collection is not exceeded. For example, depending on the nature of the relationship established with the data subject, no personal data beyond what is reasonable within the scope of the right to privacy are requested or processed, and personal data are not processed by more employees than necessary within the Company.
4.1.2. Ensuring That Personal Data Are Accurate and Up to Date When Necessary
The Company takes the necessary measures to ensure that personal data remain accurate and up to date throughout the period of processing and carries out the necessary efforts at regular intervals to ensure the accuracy and currency of personal data. Within this scope, due care is taken in matters such as ensuring the reliability of the sources from which personal data are obtained and verifying their accuracy when necessary, as well as taking into account requests arising from the inaccuracy of personal data.
This principle is compatible with the data subject’s right to request the rectification of personal data as stipulated under the KVKK. Keeping personal data accurate and up to date is not only beneficial for the Company, but also necessary for the protection of the fundamental rights and freedoms of the data subject and for preventing material and moral damages. For example, if a person’s contact information is recorded incorrectly and communications cannot be delivered on time or are sent to the wrong person, the data subject may suffer material and moral damage.
The Company’s obligation to exercise due diligence in keeping personal data accurate and up to date applies particularly where a result relating to the data subject is to be produced based on such data (e.g. credit transactions). In any case, the Company, as the data controller, always keeps communication channels open to ensure that the data subject’s information remains accurate and up to date.
4.1.3. Processing for Specific, Explicit and Legitimate Purposes
The Company carries out personal data processing activities by fulfilling all necessary disclosure notifications and, where required, obtaining explicit consent in appropriate forms in both physical and electronic data recording environments prior to processing. Accordingly, before processing, it is clearly and precisely disclosed which personal data will be processed, by which methods the data will be obtained, and for what purposes they will be processed.
Personal data are processed by the Company only for specific, explicit and legitimate purposes that are directly related to its business, commercial and service activities. For example, the Company never processes personal data such as a mother’s maiden name, which is unrelated to its business, within sales or customer relationship processes.
Furthermore, the Company ensures that personal data processing activities are clearly understandable by the data subject, that the legal basis for processing is specified, and that the purpose and nature of the processing are disclosed in sufficient detail. Therefore, personal data obtained are never processed for purposes other than those for which they were provided, nor are they processed in any manner constituting abuse.
4.1.4. Being Relevant, Limited and Proportionate to the Purpose of Processing
The Company collects and processes personal data only to the extent required by its business activities and in a manner that is relevant and limited to the purposes for which such data are provided. In this respect, in accordance with the principle of relevance and limitation, attention is paid to ensuring that the data processed are necessary and suitable for achieving the specific and current purposes determined, and that the processing of unnecessary or irrelevant personal data is strictly avoided. Processing personal data beyond what is necessary for the purpose would constitute a violation of the principle of limitation. For example, sending advertisements to an e-mail address obtained for participation in a symposium would violate this principle.
Under the principle of proportionality, the Company ensures that a reasonable balance is established between the purpose to be achieved and the data processing activity carried out. Data processing activities are performed only to the extent required for achieving the intended purpose. For instance, the Company does not request or process any information concerning personal lifestyle preferences in any process.
4.1.5. Retention for the Period Prescribed by the Relevant Legislation or Required for the Purpose of Processing
As a requirement of the principle of purpose limitation, personal data must be retained only for the period required for the purpose of processing. Accordingly, the Company does not retain personal data for future use or for purposes other than those for which they were collected once the purpose has been fulfilled, the processing condition has ceased to exist, or the specified retention period has expired. Instead, the necessary destruction procedures are initiated.
For example, name and vehicle license plate information collected for the purpose of participating in a promotional campaign granting rewards to customers purchasing a certain amount of products within a specific period are destroyed after the campaign ends, provided that no other legal processing condition exists.
Pursuant to Article 12 of the KVKK, the Company, as the data controller, takes all necessary technical and administrative measures to ensure an appropriate level of security to prevent unlawful processing of personal data, prevent unlawful access thereto, and ensure the lawful preservation and, where necessary, the destruction of personal data.
Accordingly, the Company retains personal data only for the minimum period required under the relevant legislation and for the purposes of processing. Where a specific retention period is prescribed by law, such period is complied with. Where no such legal period exists, personal data are retained for the period necessary for the purpose of processing. At the end of the applicable retention periods, personal data are destroyed through periodic destruction procedures or upon the application of the data subject, using the determined methods of destruction (deletion, destruction or anonymisation).
4.2. Legal Grounds for the Processing of Personal Data
Apart from obtaining the explicit consent of the data subject, the processing of personal data may be based on one or more of the legal grounds set out below. Where one or more of the following legal grounds exist, personal data may be processed without obtaining explicit consent.
4.2.1. Existence of the Data Subject’s Explicit Consent
The explicit consent of the data subject constitutes one of the legal grounds for the processing of personal data. However, where the processing activity is based on any of the legal grounds other than explicit consent as set forth under the KVKK and detailed below, explicit consent shall not be required, and priority shall be given to such other legal grounds. In such cases, the Company nevertheless ensures that the obligation to inform is fulfilled in all circumstances.
Where no such legal ground exists or where such legal grounds are not sufficient to permit processing, personal data are processed by the Company on the basis of the explicit consent of the data subject. In such cases, utmost care is taken to ensure that the explicit consent is related to a specific subject matter, based on adequate information, and given freely.
Furthermore, even where processing is based on explicit consent, the obligation to inform is fulfilled separately and in advance. Likewise, obtaining explicit consent is never made a precondition for the provision of goods or services, and no disadvantage shall arise for the data subject in the event that explicit consent is not granted.
Once again, it should be emphasized that where any of the personal data processing conditions listed below exists, personal data shall be processed by the Company without the need for explicit consent.
4.3. Processing of Special Categories of Personal Data
Special categories of personal data are processed by the Company in accordance with Article 6, paragraph 3, subparagraph (f) of the Law on the Protection of Personal Data No. 6698 (“KVKK”) and the relevant provisions of other applicable legislation.
4.4. Informing the Data Subject
Pursuant to Article 10 of the KVKK and the relevant secondary legislation, the Company informs data subjects as to:
Where personal data relating to a third person are provided to the Company by a person other than the data subject, the obligation to inform and, where required, to obtain explicit consent shall be fulfilled at the time of first contact with such third party if the data were provided for communication purposes, or at the time such data are first processed or transferred.
Examples of such cases include situations where a customer makes a purchase using another person’s credit card, or where reference letters are submitted for recruitment purposes.
4.5. Transfer of Personal Data
The Company may transfer personal data and special categories of personal data to third parties located domestically or abroad (including expert service providers, suppliers, group companies, shareholders, business partners and their authorized persons and employees, as well as legally authorized public institutions and organizations), in accordance with the purposes of lawful data processing and by taking all necessary security measures.
Such transfers are carried out in compliance with Articles 8 and 9 of the KVKK.
SECTION 5 – SPECIAL CIRCUMSTANCES UNDER WHICH PERSONAL DATA ARE PROCESSED
5.1. Personal Data Processing Activities Carried Out for Security Purposes in Physical Premises Belonging to the Company
5.1.1. Personal Data Processing Activities at Building and Facility Entrances and Inside Such Premises
Personal data processing activities carried out at the physical premises of the Company’s service units fall within this scope. For the purposes of tracking the entry and exit of employees, customers, potential customers, visitors, Company officials, shareholders, guests and other third parties; ensuring data security and physical security; presenting evidence to judicial authorities and law enforcement officers in the event of a judicial incident; controlling access movements; and ensuring the safety of life and property, the Company monitors and records these areas 24/7 through closed-circuit camera systems. Accordingly, such image recordings constituting personal data are processed.
5.1.2. Legal Basis of Camera Surveillance Activities
The camera surveillance activities carried out by the Company are conducted in compliance with the Regulation on Business Opening and Operating Licenses, the Law on Private Security Services, and other applicable legislation.
Furthermore, in conducting camera surveillance activities for security purposes, the Company acts in accordance with the provisions of the KVKK. Within the Company’s service units, surveillance activities are carried out solely for the purposes prescribed by the applicable legislation and in compliance with the personal data processing conditions set forth under the KVKK.
5.1.3. Information on Camera Surveillance
In accordance with Article 10 of the KVKK, data subjects are duly informed by the Company. For this purpose, information notices and warning signs prepared in compliance with Law No. 6698 and the relevant legislation are visibly placed in monitored areas.
The Company provides notifications regarding camera surveillance activities through more than one method in order to ensure transparency and to safeguard the fundamental rights and freedoms of data subjects.
Furthermore, with respect to the processing of personal data through camera surveillance, this Policy is published on the Company’s website (online policy), and notification texts and signs indicating that surveillance is being conducted are posted at the entrances of monitored areas (on-site notification, layered notification).
5.1.4. Purpose and Purpose-Limitation of Camera Surveillance Activities
In accordance with Article 4 of the KVKK, the Company processes personal data in a manner that is relevant, limited and proportionate to the purpose of processing. The purposes for which video camera surveillance activities are carried out by the Company are limited to those specified in this Policy.
Accordingly, the scope of monitoring, the number of cameras and the monitoring periods are designed to be sufficient and strictly limited to achieving security purposes. Areas that may result in excessive interference with personal privacy beyond security needs are not subjected to surveillance.
5.2. Processing of Information Relating to the Company’s Website and to Users to Whom Internet Access Is Provided
5.2.1. Processing of Website User Information
On the websites owned by the Company, IP information and website activity data may be recorded through technical tools (such as cookies) in order to ensure that visitors can carry out their visits in an appropriate manner in line with their purposes of visiting the website, to provide customized content, and to conduct online advertising activities.
Detailed information regarding the processing and protection of personal data within the scope of these activities is provided in the “Cookie Information Notice” published on the Company’s website at www.most-amazing-places.com.
5.2.2. Processing of Information Relating to Users to Whom Internet Access Is Provided
Where employees, shareholders, visitors and other third parties use the internet access provided free of charge by the Company at its service units during their stay, information entered for internet access connections, device identification numbers, IP addresses, log records and other traffic data may be recorded pursuant to Law No. 5651 and the secondary legislation enacted thereunder.
Access to such records is granted only to a limited number of authorized Company employees. These records are processed solely for the purposes of fulfilling legal obligations upon requests by authorized public institutions and organizations, conducting internal audit processes to ensure information security, and protecting and exercising the Company’s legal rights. Except for expert service providers, such data are not shared with third parties.
SECTION 6 – CATEGORISATION OF PERSONAL DATA PROCESSED BY THE COMPANY AND PURPOSES OF PROCESSING AND SHARING
Within the Company, personal data are processed in accordance with Article 10 of the KVKK and the relevant legislation, by informing the data subjects, in line with the Company’s personal data processing purposes, based on at least one of the personal data processing conditions set forth in Articles 5 and 6 of the Law, and in a limited manner, primarily in compliance with the general principles and conditions specified under Article 4 of the KVKK and other general principles stipulated in the KVKK.
Within the scope of personal data processing activities carried out by the Company, the personal data categories processed and their explanations are set out in the table below.
Table 2: Personal Data Categories
PERSONAL DATA CATEGORIES | DESCRIPTION |
Identity Information | Personal data containing information regarding a person’s identity, including documents such as identity cards, driver’s licenses and passports containing information such as name and surname, Turkish ID number, nationality, marital status, mother’s and father’s name, place and date of birth, age and gender, as well as tax number, Social Security Institution number, signature information, etc. |
Contact Information | Personal data such as telephone number, address and e-mail address. |
Employee, Former Employee, Employee Candidate Information | Personal data processed in written, visual and electronic media relating to the Company’s employees, former employees, employee candidates and interns, as required by applicable legislation and commercial practices. |
Family Members and Relatives Information | Personal data relating to the data subject’s family members (e.g. spouse, mother, father, children within the scope of occupational health activities such as chronic illness monitoring) and relatives to be contacted in emergencies, processed in order to protect the legal interests of the Company and the data subject within the framework of operations carried out by the Company’s business units. |
Physical Premises Security Information | Personal data relating to records and documents obtained during entry to physical premises and during stay within such premises, including camera recordings and records taken at security points. |
Transaction Security Information | Personal data processed to ensure the technical, administrative, legal and commercial security of both the data subject and the Company while carrying out its activities, including internet access and web traffic information provided by the Company, security camera images and call center voice recordings. |
Risk Management Information | Personal data processed through methods used in accordance with generally accepted legal and commercial practices and the principles of good faith for the management of commercial, technical and administrative risks. |
Financial Information | Personal data relating to all kinds of financial outcomes arising within the scope of the legal relationship between the Company and the data subject, including information, documents and records, as well as bank account number, IBAN number, credit card information and financial profile data. |
Legal Transaction and Compliance Information | Personal data processed within the scope of identifying, following up and fulfilling the Company’s legal receivables, rights and obligations, statutory obligations and compliance with Company policies, as well as data relating to employees’ transactions subject to legal proceedings. |
Request / Complaint Management Information | Personal data relating to the receipt and evaluation of all kinds of requests or complaints directed to the Company. |
Reputation Management Information | Personal data associated with the data subject and collected for the purpose of protecting the Company’s commercial reputation (e.g. posts made about the Company). |
Incident Management Information | Information and assessments collected in relation to incidents associated with the data subject that have the potential to affect the Company’s employees and shareholders (e.g. information and assessments collected for the accurate management of public opinion). |
Within the scope of personal data processing activities carried out by the Company, the purposes of personal data processing are set out in the table below.
Table 3: Purposes of Personal Data Processing
MAIN PURPOSES | SECONDARY PURPOSES |
Determination, Planning and Implementation of the Company’s Commercial Policies | 1. Planning and execution of internal and external training activities |
2. Execution of financial, accounting and fiscal transactions with customers, business partners and suppliers; implementation of risk management activities | |
Design and Execution of the Company’s Human Resources Activities | 1. Planning and execution of human resources and recruitment processes |
2. Fulfilment of obligations arising from employment contracts and legislation for Company employees | |
3. Monitoring and supervision of employees’ work activities | |
4. Planning and execution of employee benefits and emergency situations | |
5. Planning and execution of employee exit processes | |
6. Planning and monitoring of employee performance evaluation processes | |
7. Planning and execution of internal training activities | |
8. Management of relationships with business partners and suppliers | |
9. Wage management | |
10. Planning and execution of internal orientation activities | |
Carrying Out Necessary Activities by the Company’s Business Units in Order to Perform Commercial Activities in Compliance with Legislation and Company Policies | 1. Monitoring finance and accounting activities |
2. Execution of investor relations and marketing activities | |
3. Planning and execution of corporate communication activities | |
4. Planning and execution of efficiency, productivity and appropriateness analyses of business activities; event management | |
5. Continuous execution of supply chain processes | |
6. Establishment and management of information technology infrastructure | |
7. Planning, auditing and execution of information security processes | |
8. Planning and execution of business continuity activities | |
9. Planning and execution of access authorization of business partners and suppliers | |
10. Fulfilment of after-sales support obligations | |
Supporting the Design, Planning and Execution of the Company’s Human Resources Activities | 1. Supporting the planning of the Company’s human resources strategies |
2. Monitoring and announcing employees’ transfers, temporary assignments, promotions and terminations | |
3. Supporting the planning and execution of employee engagement measurement processes | |
4. Supporting recruitment processes | |
Protection of the Company’s Commercial Reputation and the Trust It Has Established | 1. Request and complaint management |
2. Conducting activities aimed at protecting the reputation of Company values |
The Company carries out the transfer/sharing of personal data within the scope of this Policy in accordance with the principles set forth under the KVKK, and in particular Articles 8 and 9 of the Law, to the recipient groups listed below, and for the purposes specified in the table below.
Table 4: Recipient Groups of Personal Data Transfers and Purposes of Transfer
RECIPIENT GROUPS | DEFINITION | PURPOSE OF TRANSFER |
Shareholders, Group Companies, Business Partners and Their Authorized Persons and Employees | Parties with whom the Company establishes partnerships or cooperations, within or outside the group, for purposes such as carrying out commercial activities | Limited to ensuring the establishment and execution of the purposes of the partnership/cooperation |
Suppliers, Service Providers, Expert Service Providers, Their Authorized Persons and Employees, Relevant Bank Branches / Financial Institutions, Private Pension Companies | Parties providing goods or services to the Company on an outsourced basis within the scope of its commercial activities, in accordance with the Company’s instructions and on a contractual basis | Limited to ensuring the provision of goods and services required for the Company’s commercial activities, and the provision of expert services such as accounting, finance, information technologies and legal services |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to request information and documents from the Company pursuant to applicable legislation | Limited to the purpose requested within the scope of their legal authority |
Legally Authorized Private Law Legal Entities | Private law legal entities authorized to request information and documents from the Company pursuant to applicable legislation | Limited to the purpose requested within the scope of their legal authority |
SECTION 7 – RETENTION AND DESTRUCTION OF PERSONAL DATA
The Company retains personal data for the period required for the purposes for which they are processed and in compliance with the minimum retention periods stipulated under the applicable legislation governing the relevant activity.
Within this scope, the Company first determines whether a specific retention period is prescribed under the relevant legislation for the storage of personal data and, where such a period exists, acts in compliance with that period. Where no statutory retention period is prescribed, personal data are retained for the period necessary for the purpose for which they are processed.
Upon the expiry of the determined retention periods, personal data are destroyed in accordance with periodic destruction periods or upon the application of the data subject, using the determined destruction methods (deletion, destruction or anonymisation).
SECTION 8 – CONFIDENTIALITY
The Company does not disclose or transfer your personal data to unauthorized third parties, except for the exceptions set forth under Articles 8 and 9 of the Law No. 6698, and outside the persons or institutions specified in this Policy, the “Customer Personal Data Privacy Notice” published on the Company’s website at www.most-amazing-places.com, and other specific privacy notices, without your explicit consent.
Access to personal data processed by the Company is restricted solely to authorized Company personnel who are bound by confidentiality obligations.
The Company may use anonymized statistical data (such as browser type, geographical location, etc.) on its website, without disclosing personal identities, for the purpose of improving the website and obtaining statistical data for efficient and effective operations, based on its legitimate interests. Such data shall not be disclosed to third parties under any circumstances. However, such data may be shared with the relevant parties specified in this Policy and the applicable Privacy Notices in cases of legal obligation and/or upon official requests by public authorities.
The Company does not guarantee that third-party websites accessed via links on its website comply with the Company’s privacy principles. Therefore, data subjects are advised to review the privacy policies of such websites before sharing any personally identifiable information.
The Company takes all necessary technical and administrative measures, to the extent possible and in accordance with the nature of the personal data to be protected, to prevent the unlawful disclosure, transfer, access and any other potential security breaches of personal data in violation of Law No. 6698, this Policy and the separate privacy notices prepared for different data subject groups.
SECTION 9 – RIGHTS OF DATA SUBJECTS AND EXERCISE OF SUCH RIGHTS
9.1. Rights of the Data Subject
Pursuant to Article 11 of the Law, the data subject has the following rights:
a) To learn whether their personal data are processed,
b) To request information if their personal data have been processed,
c) To learn the purpose of the processing of their personal data and whether such data are used in compliance with the purpose,
ç) To know the third parties to whom their personal data are transferred, domestically or abroad,
d) To request the rectification of incomplete or inaccurate personal data,
e) To request the erasure or destruction of personal data where the reasons requiring the processing of such data cease to exist, within the framework of the conditions set forth under Article 7 of the KVKK,
f) To request notification of the actions taken pursuant to subparagraphs (d) and (e) to the third parties to whom personal data have been transferred,
g) To object to the occurrence of a result against the data subject arising from the analysis of personal data exclusively through automated systems,
ğ) To claim compensation for damages arising from the unlawful processing of personal data,
h) To cease and withdraw, at any time and without providing any justification, their consent regarding the processing of personal data and the approval given for receiving electronic commercial messages.
9.2. Methods of Application to the Company Within the Scope of Your Rights
You may submit your requests within the scope of exercising the above-mentioned rights, in accordance with the “Communiqué on the Principles and Procedures for the Request to the Data Controller,” by completing the “Data Subject Application Form” available on www.most-amazing-places.com and submitting your application through one of the following methods:
• By applying in person, with proof of identity, to the Company’s address:
Gümüşsuyu Mah. İnönü Cad. Melek Apt. No: 11/2 Beyoğlu / İstanbul,
• By submitting a written application through a notary public,
• By sending an application via registered electronic mail (KEP) to mostamazing@hs01.kep.tr,
• By sending an e-mail from your registered e-mail address in the Company’s systems to kvkk.map@most-amazing-places.com.
Your requests shall be concluded free of charge as soon as possible and no later than thirty (30) days, depending on the nature of the request; however, if the transaction requires additional costs, a fee may be charged in accordance with the tariff to be determined by the Personal Data Protection Board.
SECTION 10 – PUBLICATION AND RETENTION OF THE POLICY
This Policy is published in two formats: with wet signature (printed hard copy) and in electronic form, and is disclosed publicly on the Company’s website. The printed hard copy is also retained in the file maintained by the Data Controller’s Contact Person.
SECTION 11 – POLICY UPDATE PERIOD
This Policy is reviewed as required and the necessary sections are updated accordingly.
SECTION 12 – EFFECTIVE DATE AND ABOLITION OF THE POLICY
This Policy has been issued by the Company as of 08.12.2025. The Policy shall be deemed to have entered into force and to have been made accessible to data subjects upon its publication on the Company’s website at www.most-amazing-places.com.
In the event that the entire Policy or any of its provisions is amended, the effective date shall be updated accordingly.
Should a decision be taken to repeal this Policy, the former wet-signed originals shall be invalidated (by being stamped or marked as cancelled), signed by the Company’s Data Controller Authorized Person, and retained for a period of 10 years in the file maintained by the Company’s Data Controller Contact Person.
You are currently viewing a placeholder content from Vimeo. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from YouTube. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Instagram. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information