MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.
PERSONAL DATA STORAGE
AND
DESTRUCTION POLICY
Version 1.1
22.04.2025
INTRODUCTION
1.1. Purpose
This Personal Data Protection and Processing Policy (“Policy”) has been prepared to determine the procedures and principles regarding the work and transactions related to personal data processing and protection activities carried out by MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ (“Company”) in its capacity as the data controller.
Our Company; in line with the basic principles it has adopted; has determined as a priority to process and protect the personal data of the Company employees, former employees, job candidates, shareholders, customers, potential customer candidates, service providers, suppliers, business partners, their authorities and employees, visitors and other relevant third parties in accordance with the Constitution of the Republic of Turkey, international agreements, the Personal Data Protection Law No. 6698 (“KVKK”) and other relevant legislation and to ensure that the relevant persons effectively exercise their rights in this regard.
The Company ensures the necessary transparency by informing the relevant persons about the work and operations related to the processing and protection of personal data and showing all their rights and the application procedures and ways to use them. With full awareness of our responsibility in this context, your personal and special personal data are processed and protected by us within the scope of this Policy.
1.2 Scope
All personal data of Company employees, former employees, job candidates, shareholders, customers, potential customer candidates, service providers, suppliers, business partners and their authorities and employees, visitors and other third parties who establish relations with our Company, processed automatically or non-automatically as part of any data recording system, are within the scope of this Policy. This Policy applies to all recording environments such as physical, electronic, website and social media environments where personal data owned or managed by the Company is processed and activities related to the processing of personal data.
With the KVKK, special importance has been given to certain personal data due to the risk of causing victimization or discrimination in the event of unlawful processing. Data determined as “special nature” with the KVKK are not processed by our Company.
However, depending on the type and nature of the relationship between our company and the relevant person, it is possible for our company to provide the relevant persons with personal data policies and/or notifications and information text procedures that differ from this Policy. The special policies and information texts/notifications provided to the relevant persons may also contain additional issues to the explanations in this Policy. In this case, the special policies and notifications provided to the relevant persons must be taken into consideration first. In addition to these, the relevant legal regulations in force regarding the processing and protection of personal data will be applied first. In the event of any inconsistency between the current legislation and the Policy, our Company accepts that the current legislation will be applied first. The Policy aims to regulate the rules set forth by the relevant legislation by concretizing them within the scope of Company practices.
1.3. Abbreviations and Definitions
Buyer Group | Category of natural or legal person to whom personal data is transferred by the data controller. |
Explicit Consent | Consent based on informed consent and expressed freely on a specific subject. |
Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person in any way, even when matched with other data. |
Employee / Former Employee | MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ staff/staff who left the job. |
Employee Candidate | Persons who have not established an employment contract with MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ but are being evaluated for establishment. |
Electronic Media | Environments where personal data can be created, read, changed and written using electronic devices. |
Non-Electronic (Physical) Media | All written, printed, visual etc. media other than electronic media. |
Service / Expert Service Provider | A natural or legal person who provides a service or expert service such as accounting, workplace health and safety, informatics, law within the framework of a specific contract with MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ. |
Contact Person | The natural person whose personal data is processed. |
Related Employee | Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller. |
Destruction | Deletion, destruction or anonymization of personal data. |
Law | Personal Data Protection Law No. 6698. |
Recording Environment | Any environment in which personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Personal Data Processing Inventory | The inventory in which data controllers create personal data processing activities that they carry out in connection with their business processes by relating them to the purposes and legal reason for processing personal data, data category, recipient group to which the data is transferred and the data subject group, and detail the maximum retention period required for the purposes for which personal data is processed, personal data planned to be transferred to foreign countries and the measures taken regarding data security. |
Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system. |
The Board | Personal Data Protection Board |
KVKK | Personal Data Protection Law No. 6698 |
Special Personal Data | Data regarding individuals’ race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
Periodic Destruction | In case all the processing conditions of personal data specified in the law are eliminated, the deletion, destruction or anonymization process, which will be carried out ex officio at recurring intervals and as specified in the personal data storage and destruction policy. |
Politics | PERSONAL DATA PROTECTION AND PROCESSING POLICY. |
Company | MOST AMAZING PLACES PROMOTION AND TRADE JOINT STOCK COMPANY |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
Data Recording System | A recording system in which personal data is structured and processed according to certain criteria. |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
Data Controllers Registry Information System (VERBIS) | The information system created and managed by the Personal Data Protection Board, accessible over the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry. |
WORDS | Data Controllers Registry Information System |
DATA CONTROLLER
In processes related to your personal data, MOST AMAZING PLACES TANITIM VE TİCARET ANONİM ŞİRKETİ acts as the data controller in accordance with Law No. 6698. As the data controller, we have the authority and responsibility to determine the purposes of processing your personal data and the means by which it will be processed. In this context, this Policy text has been prepared to inform you in detail about the Company’s data processing purposes, means and protection methods.
RESPONSIBILITIES AND DUTY DISTRIBUTIONS
All units and employees of the company actively support the responsible units in taking all necessary technical and administrative measures to ensure data security in all environments where personal data is processed, in order to properly implement the technical and administrative measures taken by the responsible units within the scope of the Policy, to train and raise awareness of the unit employees, to monitor and continuously audit them, to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law.
On the other hand, regarding the personal data processed by our Company, both the data controller officer and employees acting as the data controller and the persons processing the data as a result of the transfer on behalf of our Company cannot disclose the personal data they have learned to anyone else in violation of this Policy Text and the provisions of the KVKK and cannot use them for purposes other than the purpose of processing. This obligation continues indefinitely/lifelong after the end of the duty/job in accordance with Article 12/4 of the KVKK.
The distribution of titles, units and job descriptions of those involved in the processing, storage and destruction of personal data is given in Table 1.
Table 1: Distribution of tasks in storage and destruction processes
TITLE | UNIT | DUTY |
Company Personal Data Controller Officer | MOST AMAZING PLACES PROMOTION AND TRADE JOINT STOCK COMPANY | Responsible for the preparation, development, execution, publication and updating of the Policy in relevant media and ensuring that employees act in accordance with the policy. |
Company Data Controller Contact Person | Pelin YILDIZ | Responsible for providing and monitoring administrative, physical and technical solutions needed for the implementation of the policy. |
Finance and Accounting, Purchasing, Sales, Marketing and Regional Operations, Information Technology (IT), Departments | Other Units | Responsible for the execution of this Policy in accordance with their duties. |
ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA
4.1. “Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation (Conditions for Processing)
Processing in Accordance with Law and Fairness
Personal data is processed in accordance with the law (in particular, in a manner that does not violate Article 4 of the KVKK and other relevant legislation) and the general principle of trust and honesty, in a manner that does not harm the fundamental rights and freedoms of individuals. Within this framework, personal data is processed in the minimum amount and extent required by our Company’s business activities and limited to these.
In accordance with this principle, our Company carefully complies with the principles set forth by laws and other legal regulations and the prohibition of abuse of rights in the processing of personal data. In accordance with the principle of being in compliance with the rule of honesty, our Company also takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing. It acts in a way that prevents the emergence of results that the relevant person does not expect and does not need to expect. In accordance with this principle, the data processing activity in question is also carried out transparently for the relevant persons and in accordance with the obligations of informing and warning.
It is necessary to emphasize once again that, in accordance with the principle of honesty, our Company pays utmost attention to the issues of not using the personal data of the relevant person in a way that would cause injustice to the relevant person, meeting the reasonable expectations of the relevant person and not exceeding the purpose of collecting personal data. Again, in this context, for example; according to the nature of the relationship established with the relevant person, within the framework of the privacy of private life, unreasonable data should not be requested from the relevant person and should not be processed, and again, within our Company, the requirements of the principle of honesty are acted in accordance with the requirements of the principle of honesty, namely, not processing and not requesting unreasonable data from the relevant person within the framework of the privacy of private life and not processing personal data by more employees than necessary.
Ensuring Personal Data is Accurate and Up-to-date Where Necessary
Our company takes the necessary measures to ensure that personal data is accurate and up-to-date throughout the period it is processed and carries out the necessary work to ensure the accuracy and up-to-dateness of personal data for certain periods. In this context, due care is taken in matters such as determining the sources from which personal data is obtained, testing their accuracy when necessary, and considering requests arising from inaccuracies in personal data.
This principle is in line with the right of the relevant person to request correction of data as stipulated in the KVKK. Keeping personal data accurate and up-to-date is necessary for the benefit of our Company, as well as for the protection of the fundamental rights and freedoms of the relevant person and for not suffering any material or moral damage. For example, if a person whose contact information is recorded incorrectly does not receive their messages on time or if they are sent to the wrong person, the relevant person may suffer material and moral damage. Our active duty of care to ensure that personal data is accurate and up-to-date when necessary is valid if our Company reaches a conclusion regarding the relevant person based on this data (For example, situations such as granting credit). Apart from this, our Company, as the data controller, always keeps open the channels to ensure that the information of the relevant person is accurate and up-to-date.
Processing for Specific, Clear and Legitimate Purposes
Our Company carries out data processing by fulfilling all necessary information notifications and, where necessary, obtaining consent declarations regarding personal data processing in appropriate ways in both physical and electronic data recording media before the personal data processing activity. Thus, before the transaction, our Company clearly and precisely determines what personal data is to be processed, by what methods it is obtained and the purposes of processing, and processes data within the scope of specific, clear and legitimate purposes related to these activities in line with the business, trade and service activities carried out by our Company. For example, our Company never processes personal data that is not related to our business, such as mother’s maiden name, in all sales and customer relations processes.
In this context, it is ensured that personal data processing activities are clearly understandable by the relevant person, the legal processing condition on which personal data processing activities are carried out and the personal data processing activity and the purpose of carrying out this activity are set forth in detail to ensure their specificity. Therefore, the personal data obtained is not processed for purposes other than the purposes for which it was provided or is not misused in any way.
Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed
Our company collects personal data only in the nature and extent required by business activities and processes it in a limited and connected manner with the purposes for which it is provided. In this context, due to the principle of being connected and limited to the purpose; care is taken to ensure that the processed data is necessary and suitable for the realization of the current and current purposes determined, and to avoid processing personal data that is not related to the realization of such a purpose or is not needed. Because processing data other than what is necessary for the purpose will be contrary to the principle of being limited. For example, sending advertisements to the e-mail address provided to participate in a symposium is contrary to the principle of being limited.
According to the principle of proportionality, we take into account that a reasonable balance must be established between data processing and the intended purpose. In other words, we carry out our data processing activities only to the extent that the purpose is achieved. For example, no relevant person is asked for information about their social life preferences by our Company in any process.
Preservation for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
As a requirement of the “principle of purpose limitation”, personal data must be stored only for the period required for the purpose for which they are processed. In accordance with this principle, our Company does not store personal data after the specified period has expired, the purpose has been achieved or the data processing requirement has ceased to exist, for the purpose of using it for another purpose or based on the existence of the possibility of using it in the future, and resorts to the necessary means to destroy it. For example, if there is no other processing condition, the name and vehicle license plate information collected for participation in a campaign to be rewarded to those who purchase a certain amount of products in a certain period of time is meticulously adhered to, such as not being used and being destroyed at the end of the campaign.
In this regard, as stated in Article 12 of the KVKK, our Company, as the data controller, takes all necessary technical and administrative measures to ensure the appropriate operational and security level in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation and, when necessary, destruction of personal data.
Within this scope, our Company stores personal data for the minimum period required for the purpose for which they are processed and as stipulated in the relevant legal legislation. In line with the above, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is specified, it complies with this period. If there is no legal period, personal data is stored for the period required for the purpose for which the data is processed, taking into account the storage periods determined according to our Company’s field of activity. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the relevant person and with the specified destruction methods (deletion, destruction or anonymization). You can find more detailed information on storage and destruction in addition to this Policy text in the “Personal Data Storage and Destruction Policy” text, which can be found on our Company’s website www.most-amazing-places.com .
4.2. Legal Reasons for Processing Personal Data
Unless the relevant person gives explicit consent, the basis for personal data processing may be only one of the conditions specified below, or more than one condition may be the basis for the same personal data processing activity.
Explicit Consent of the Relevant Person
The explicit consent of the relevant person is one of the conditions for processing personal data. However, if the personal data processing activity is based on one of the conditions other than explicit consent in the KVKK and specified in the following articles, in this case, there is no need to obtain explicit consent from the relevant person and priority should be given to the conditions other than this consent, therefore our Company takes care to carry out data processing activities based on the specified provisions of the law, but by fulfilling the obligation to inform in all cases and conditions.
In cases where the legal provisions regarding this data processing do not exist or do not sufficiently allow for the processing of personal data, personal data is processed by our Company based on the explicit consent of the relevant person. In this case, utmost care and attention is paid to ensure that the explicit consent of the relevant person is given on a specific subject, based on information and with free will. Again, during data processing based on explicit consent, the information notification is fulfilled independently of and beforehand, and in this way, informed consent is obtained. Similarly, the process of obtaining explicit consent for data processing is not made a precondition for the provision of any goods or services, and is carried out in a way that does not include a situation that would disadvantage the relevant person if explicit consent is not given.
To reiterate, if any of the personal data processing conditions listed below are met, personal data will be processed by our Company based on these conditions without the need for the explicit consent of the relevant person.
Explicitly Provided in Laws
If the processing of the personal data of the relevant person is clearly stipulated in the law, or in other words, if there is a clear provision regarding the processing of personal data in the relevant law such as the Tax Laws, Labor Law, Commercial Law and KVKK, the existence of this data processing condition can be mentioned. For example, the collection and retention of the personal information and files of our employees as required by the Labor Law or the tax numbers of our customers as required by the financial legislation are included in this scope.
Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility
If the processing of personal data is necessary to protect the life or physical integrity of a person who is unable to give consent due to a de facto impossibility or who lacks the power of discrimination to grant validity to his/her consent or another person, the personal data of the relevant person may be processed. For example, the processing of personal health information of an unconscious person or the communication and location information of a hostage person falls within this scope.
Directly Related to the Establishment or Performance of the Contract
If the processing of personal data of the parties to a contract is mandatory, provided that it is directly related to the establishment or execution of a contract, this condition will be deemed to be fulfilled if the data is processed for this purpose only. For example, recording address information for the performance of service/product as a result of legal relationships such as Employment Contract, Sales Contract, Transportation Contract, Service Contract, etc., providing these to the transportation company or requesting a document showing the educational status of the Company employee are included in this scope. Again, obtaining the account number of the creditor party for the payment of money or salary to the employee as required by a contract or obtaining the salary slip, land registry records and a document indicating that the Company has no enforcement debt during the execution of a guarantee agreement can be given as examples here.
Sometimes there may be more than one legal reason for collecting personal data. For example, while the legal basis for processing employees’ personal data for the purpose of preparing payroll falls within the scope of this article, this situation also constitutes the reason for fulfilling our Company’s legal obligations, which will be discussed below.
Fulfillment of Our Company’s Legal Obligations
If data processing is necessary for our company to fulfill its legal responsibilities and obligations, the personal data of the relevant person may be processed. For example, data processing falls into this category due to the obligation to share information for situations such as financial audits, security legislation, and compliance processes with sector-focused regulations. In this context, obtaining and processing data such as bank account numbers and social security numbers to pay salaries to our employees can be given as an example of this situation. Our company’s submission of information about its employees or customers to the relevant public officials during a tax audit can also be evaluated within this scope.
Making Personal Data Public by the Relevant Person
If the Relevant Person has made his/her personal data public, that is, if he/she has made his/her information public and has made it available to the public for use for certain purposes, the relevant personal data may be processed for a limited purpose. Since the mere fact that a person’s personal data is in a place where everyone can see it, either by chance or due to reasons such as loss, will not make it public, the data is processed by paying attention to the details in this regard. In addition, in the event of publicity, the rule that personal data should not be used for purposes other than its intended purpose is followed. For example, it is taken into consideration that the contact information of the relevant persons on websites where vehicles are bought and sold cannot be used and processed for marketing purposes.
An example of this situation is when a person publicly announces their contact information in order to be contacted in certain situations. Publicization can also be mentioned when employees’ workplace phone numbers and corporate e-mail addresses are shared on corporate websites in a way that is accessible to third parties. Again, for example, the contact information of a person who makes an announcement that includes a supply or demand for goods or services related to our Company’s field of activity may be processed for use in this context.
Data Processing is Necessary for the Establishment or Protection of a Right
In cases where data processing is mandatory for the establishment, exercise or protection of a right such as taking legal action for our company, the personal data of the relevant person may be processed. These data are mandatory data for purposes such as filing a lawsuit, registration procedures, all kinds of title deed transactions, etc. For example, the storage of some personal data and information belonging to an employee who has left the job for the duration of the statute of limitations for the purpose of using them as evidence in a lawsuit to be filed falls within this scope. Similarly, the storage of documents such as invoices, copies of the contract, and sureties for these purposes until the end of the statute of limitations against possible lawsuits or legal proceedings after the contract has ended will also be evaluated within this scope.
Data Processing is Necessary for the Legitimate Interest of Our Company
If data processing is mandatory for our Company’s existing, important/serious and legitimate interests, provided that it does not harm the fundamental rights and freedoms of the relevant person, the personal data of the relevant person may be processed. In this context, for example, our Company may process personal data of our employees in these scopes, provided that it does not harm their fundamental rights and freedoms, in order to be taken as a basis in the arrangement of their promotions, salary increases or social rights or in the distribution of duties and roles in the restructuring process of the business. Again, for example, data processing is carried out within this scope for the purpose of recording camera footage for security purposes in our Company’s workplaces or for the application of rewards and bonuses that increase the loyalty of our employees.
We consider that in order for this Article to be applied, a reasonable balance must be achieved between the legitimate interest of our Company and the rights and freedoms of the person concerned. However, when making this assessment, it should also be taken into account that the legitimate interest of our Company and the purpose of processing personal data should not be confused. The purpose of processing personal data is specifically related to the reason for processing the data. However, in this context, the legitimate interest of our Company as the data controller is in a position to be interpreted more broadly, as it is directed to the benefit to be obtained as a result of the data processing activity to be carried out.
4.3. Processing of Special Personal Data
Special personal data is not processed by our company.
4.4. Informing the Relevant Person
In accordance with Article 10 of the KVKK and secondary legislation, our Company informs the relevant persons as the data controller about who processes their personal data, for what purposes, with whom it is shared and for what purposes, by what methods it is collected, the legal reasons and the rights of the relevant persons within the scope of processing their personal data.
In the event that the personal data in question is provided to our Company by a person other than the relevant person, i.e. if the person who establishes a relationship with our Company provides the data of another person to be used, the process of informing the relevant third party and, if necessary, obtaining a declaration of consent is carried out during the first communication if this data is provided for the purpose of communicating with the relevant third party, or if this is not the case, during the first processing or transfer of the data in question.
Examples of the situations mentioned in the paragraph above include customers who want to buy goods or services with someone else’s credit card, people who send reference letters for the recruitment of employees, etc.
4.5. Transfer of Personal Data
Our company may transfer the personal data and special personal data of the relevant persons to third parties (our expert service providers, suppliers, group companies, shareholders, business partners and their authorities and employees, and legally authorized institutions and organizations) in Turkey and abroad by taking the necessary security measures in line with the purposes of processing personal data in accordance with the law. In this regard, our company acts in accordance with the regulations stipulated in Articles 8 and 9 of the KVKK.
Transfer of Personal Data Domestically
Personal and special personal data processed by our company can be transferred to our stakeholders mentioned above within the country based on the explicit consent of the relevant person in accordance with Article 8/1 of the KVKK. In addition, if one of the conditions specified in Article 8/2-a of the KVKK and Article 5/2 of the same Law and again in Article 8/2-b of the KVKK and Article 6/3 of the same Law are met, personal data can be transferred within the country in the same manner without the explicit consent of the relevant person. The provisions of other laws regarding the transfer of personal data are reserved.
In this context, the conditions in Article 5/2 of the KVKK, under which our Company can transfer personal data without the consent of the relevant person, are as follows, in accordance with Article 8/2-a of the KVKK;
- The relevant activities regarding the transfer of personal data are clearly prescribed by law,
- The transfer of personal data by the Company is directly related to and necessary for the establishment or performance of a contract,
- The transfer of personal data is mandatory for our Company to fulfill its legal obligations,
- Transfer of personal data by our Company for the purpose of making it public, provided that it has been made public by the relevant person,
- The transfer of personal data by the Company is necessary for the establishment, exercise or protection of the rights of the Company or the relevant person or third parties,
- It is mandatory to transfer personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the relevant person,
- If the person is unable to give his consent due to a physical impossibility or if his consent is not legally valid, it is necessary to protect his own life or the physical integrity of another person.
Transfer of Personal Data Abroad
The transfer of personal data processed by our company abroad is carried out in accordance with the conditions set forth in Article 9 of the KVKK. In this context;
- In accordance with Article 9/1 of the KVKK, if one of the conditions specified in Article 5 of the same Law (shown in detail above under the heading “4.5.1. Transfer of Personal Data Domestic” ) is present and there is an adequacy decision issued by the Board and published in the Official Gazette regarding the country to which the transfer will be made, the sectors within the country or international organizations, our Company may transfer the said personal and special personal data abroad.
- Pursuant to Article 9/4 of the KVKK, personal data may be transferred abroad by our Company in the absence of an adequacy decision, provided that one of the conditions specified in Article 5 of the same Law is present, the relevant person has the opportunity to exercise his/her rights and apply for effective legal remedies in the country where the transfer will be made, and at least one of the appropriate safeguards specified below is provided:
a) The existence of a standard contract declared by the Board, which includes matters such as data categories, purposes of data transfer, recipient and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special personal data,
b) The existence of a written commitment containing provisions to ensure adequate protection and the Board’s permission for the transfer,
c) The existence of binding company rules approved by the Board, which contain provisions regarding the protection of personal data, which the companies within our group of companies engaged in joint economic activities are obliged to comply with.
- In accordance with Article 9/6 of the KVKK, in the absence of an adequacy decision and in the event that any of the appropriate safeguards stipulated in Article 9/4 and paragraph of the KVKK referred to immediately above cannot be provided, our Company may transfer personal data abroad only in the event of the existence of one of the following situations, provided that it is incidental:
a) The relevant person gives explicit consent to the transfer, provided that he/she is informed about the possible risks,
b) The transfer is necessary for the performance of a contract between the data subject and our Company, which is the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject,
c) The transfer is necessary for the establishment or performance of a contract between our Company, which is the data controller, and another natural or legal person for the benefit of the relevant person,
c) The transfer is necessary for a superior public interest,
d) The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
e) If the transfer of personal data is necessary to protect the life or physical integrity of the person or another person who is unable to give his/her consent due to a de facto impossibility or whose consent is not legally valid,
f) Transferring information from a registry that is open to the public or to persons with a legitimate interest, provided that the conditions required for accessing the registry in the relevant legislation are met and the person with a legitimate interest requests it.
In case of transfer of personal data abroad within the scope specified above, our Company also pays attention to the following issues:
- The safeguards in this Law are provided and the provisions of this article are applied in terms of subsequent transfers of personal data transferred abroad and transfers to international organizations (LPPD, Art. 9/8),
- Personal data may be transferred abroad only with the permission of the Board after receiving the opinion of the relevant public institution or organization, in cases where the interests of Türkiye or the relevant person would be seriously harmed, without prejudice to the provisions of international agreements (LPPD, Art. 9/9),
- The provisions in other laws regarding the transfer of personal data abroad are reserved (LPPD, art. 9/10).
SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED
5.1. Personal Data Processing Activities Conducted for Security Purposes in Physical Locations of Our Company
5.1.1. Building and Facility Entrances and Personal Data Processing Activities Conducted Therein
Data processing activities carried out in physical locations in our company’s service units are included in this scope. The Company monitors and records these images, which are considered personal data, 24/7 using closed circuit camera systems in order to monitor the entries and exits of employees, customers, potential customers, visitors, company officials, shareholders, guests and other third parties in the specified physical locations, to ensure data security and physical safety, to present evidence to judicial authorities and law enforcement officers in a possible legal case, to control the entries and exits of employees and other persons , and to ensure the safety of life and property.
5.1.2. Legal Basis for Camera Surveillance Activity
The camera monitoring activity carried out by our company is carried out in accordance with the Regulation on Business Opening and Operating Licenses, the Law on Private Security Services and other relevant legislation.
Again, the Company complies with the regulations in the KVKK in conducting camera surveillance activities for security purposes. In order to ensure security in the Company’s service units, it carries out closed circuit security camera surveillance activities in accordance with the purposes stipulated in the relevant legislation in force and the personal data processing conditions listed in the KVKK.
5.1.3. Information on Camera Monitoring
Our company informs the relevant person in accordance with Article 10 of the KVKK. In this regard, information texts and warning signs in accordance with Law No. 6698 and the relevant legislation are positioned in the monitored areas in a visible manner. Our company notifies about the camera monitoring activity of the information it carries out regarding general issues through more than one method. In this way, it is aimed to prevent harm to the fundamental rights and freedoms of the personal data subject, to ensure transparency and to inform the personal data subject.
Again, regarding the processing of personal data by camera, this Policy is published on the website (online policy regulation) and notification notices and signs regarding the monitoring are hung at the entrances of the areas where monitoring is carried out (on-site lighting, layered lighting).
5.1.4. Purpose of Carrying Out Camera Monitoring Activity and Limitation to Purpose
Our company processes personal data in accordance with Article 4 of the KVKK in a way that is related to the purpose for which it is processed, limited and proportionate. The purpose of the company’s video camera monitoring activity is limited to the purposes listed in this Policy. In this context, the monitoring areas of security cameras, their numbers and when monitoring will be carried out are implemented in a way that is sufficient and limited to achieve the security purpose. Areas that may result in an intervention in a way that exceeds the security purposes of the person’s privacy are not subject to monitoring.
5.2. Processing of Information Regarding the Company’s Website and Internet Access Users
5.2.1. Processing of Company Website User Information
In order to ensure that visitors to these sites visit the sites in accordance with the purposes of their visit, to be able to show them customized content and to engage in online advertising activities, IP information and technical means (such as cookie/s) may be used to record internet movements within the site on the websites owned by the Company. Detailed explanations regarding the protection and processing of personal data regarding these activities carried out by the Company are included in the “Cookie Information Text” on the www.most-amazing-places.com website.
5.2.2. Processing of Information Regarding Users to Whom the Company Provides Internet Access
In case our Company uses the internet access provided free of charge to employees, shareholders and visitors (all third parties) during their stay in the company service units, the information entered for the internet access connection, the identification number of the connected device, IP and LOG record and other traffic information may be recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation regulated pursuant to this Law. Only a limited number of Company employees have access to the information obtained within this framework.
These records are processed only when requested by authorized public institutions and organizations or in audit processes to be carried out within the Company to ensure information security, to fulfill our relevant legal obligations and/or to protect our legal rights and to establish defense rights, and are not shared with third parties, except for our expert service providers.
CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSES OF PROCESSING AND SHARING
In our Company, personal data is processed in accordance with the general principles set forth in the KVKK, especially the general principles and conditions set forth in Article 4 of the KVKK regarding the processing of personal data, in line with the purposes of processing personal data of our Company, by informing the relevant persons in accordance with Article 10 of the KVKK and secondary legislation, and based on and limited to at least one of the personal data processing conditions set forth in Articles 5 and 6 of the Law.
The personal data categories and descriptions processed within the scope of personal data processing activities carried out by our Company are arranged and shown in the Table below:
Table 2: Personal data categories
PERSONAL DATA CATEGORIES | EXPLANATION |
Identity Information | These are personal data that include information about the person’s identity; documents such as driver’s license, identity card and passport that contain information such as name-surname, Turkish identity number, nationality information, marital status, mother’s name-father’s name, place of birth, date of birth, age, gender, as well as information such as tax number, SSI number, signature information, etc. |
Contact Information | Personal data such as telephone number, address, e-mail address. |
Employee, Former Employee, Employee Candidate Information | Personal data in written, visual and electronic media regarding company employees, former employees, job candidates and interns processed in accordance with the applicable legislation and commercial customary rules. |
Family Members and Relatives Information | Within the scope of operations carried out by the Company’s business units, in order to protect the legal interests of the Company and the relevant person, personal data about the family members of the personal relevant person (e.g. spouse, mother, father, children for chronic disease monitoring within the scope of workplace health activities) and relatives to be reached in cases such as emergencies. |
Physical Space Security Information | Personal data regarding records and documents taken at the entrance to the physical space and during the stay in the physical space; camera records and records taken at the security point, etc. |
Transaction Security Information | Personal data such as internet access and web traffic information, security camera images and call center voice recordings provided by the Company, which are processed to ensure the technical, administrative, legal and commercial security of both the person concerned and the Company while carrying out the Company’s activities. |
Risk Management Information | Personal data processed through methods used in accordance with generally accepted legal, commercial practices and rules of integrity in these areas in order to manage commercial, technical and administrative risks. |
Financial Information | Personal data processed regarding information, documents and records showing all kinds of financial results created within the scope of the legal relationship between the company and the relevant person, as well as personal data such as bank account number, IBAN number, credit card information, financial profile. |
Legal Process and Compliance Information | Personal data processed within the scope of determining and following up on the Company’s legal receivables and rights, fulfilling its debts, complying with legal obligations and Company policies, and also in relation to the transactions of its employees that are subject to legal follow-up. |
Request/Complaint Management Information | Other personal data, including call center voice recordings, regarding the receipt and evaluation of any requests or complaints directed to the Company. |
Reputation Management Information | Personal data associated with the person and collected for the purpose of protecting the commercial reputation of the Company (for example; posts made regarding the Company). |
Incident Management Information | Information and assessments collected regarding events that are associated with the relevant person and have the potential to affect the Company’s employees and shareholders (for example; information and assessments collected regarding the proper management of public opinion). |
The purposes of processing personal data processed within the scope of personal data processing activities carried out by our Company are shown in the Table below:
Table 3: Purposes of personal data processing
MAIN PURPOSES | SECONDARY PURPOSES |
Determination, planning and implementation of our company’s commercial policies | 1. Planning and execution of internal or external training activities 2. Carrying out financial, accounting and financial transactions with customers, business partners and suppliers and performing risk management, |
Design and Execution of the Company’s Human Resources Activities | 1. Planning and execution of human resources and employee recruitment processes 2. Fulfillment of obligations arising from employment contracts and legislation for company employees. 3. Monitoring and auditing of employees’ work activities 4. Planning and execution of benefits and emergencies for employees 5. Planning and execution of employee exit procedures 6. Planning and monitoring employee performance evaluation processes 7. Planning and execution of in-company training activities 8. Management of relationships with business partners and suppliers 9. Fee management 10. Planning and execution of in-company orientation activities |
Carrying out the necessary work by the business units within the company to ensure that the commercial activities carried out by the company are carried out in accordance with the legislation and company policies and carrying out the activities in this direction. | 1. Monitoring of finance and accounting affairs 2. Conducting investor relations and marketing activities 3. Planning and execution of corporate communication activities 4. Planning and execution of efficiency/productivity and appropriateness analyses of business activities, Event management 5. Uninterrupted execution of the supply chain and its processes, 6. Creation and management of information technologies infrastructure 7. Planning, auditing and execution of information security processes 8. Planning and execution of business continuity activities 9. Planning and execution of business partners and suppliers’ access to information 10. Fulfillment of obligations regarding after-sales support |
Supporting the design, planning and execution of the company’s human resources activities | 1. Support in planning the company’s human resources strategies 2. Monitoring and announcing transfers, temporary assignments, promotions and terminations of company employees. 3. Supporting the planning and execution of the company’s employee loyalty measurement processes. 4. Supporting the company’s employee recruitment processes |
The company’s commercial reputation and the trust it creates Protection | 1. Request and complaint management 2. Carrying out activities to protect the reputation of company values. |
Our Company transfers/shares personal data within the scope of this Policy in accordance with the principles set out in the KVKK and particularly Articles 8 and 9 of Law No. 6698 to the recipient groups listed below for the purposes set out in the Table below:
Table 4: Categories of parties to whom personal data is transferred and the purposes of transfer
PERSONS TO WHICH DATA IS TRANSFERRED | CHEAP | PURPOSE OF DATA TRANSFER |
Shareholders, Group Companies, Business Partners and Authorized and Employees | The parties with whom the company has established a business partnership/union within or outside the group for purposes such as the conduct of its partner and commercial activities. | Limited to ensure that the purposes of establishing and running the business partnership/union are fulfilled. |
Suppliers, Service Providers, Expert Service Providers, Their Authorized Personnel and Employees, Relevant Bank Branch-Financial Institutions, BES Company | Parties that provide goods or services to the Company in accordance with the Company’s instructions and on a contractual basis within the scope of carrying out the Company’s commercial activities. | Limited to the purpose of providing the Company with the goods and services required to carry out the Company’s commercial activities and expert services such as Accounting, Finance, Information Technology and Law that the Company procures from external suppliers. |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from the Company in accordance with the relevant legislation. | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority. |
Legally Authorized Private Law Entities | Private law legal entities authorized to receive information and documents from the Company in accordance with the relevant legislation. | Limited to the purpose requested by the relevant private law legal entities within their legal authority. |
STORAGE AND DESTRUCTION OF PERSONAL DATA
Our Company stores personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation applicable to the relevant activity. In this context, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period required for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the application of the relevant person and with the specified destruction methods (deletion, destruction or anonymization).
You can find detailed and necessary explanations regarding the storage and destruction of personal data processed by our Company, such as the recording media where the data in question is kept, all technical and administrative measures taken for its safe storage and protection, explanations regarding the legal reasons requiring storage and destruction, personal data storage periods on a process basis and periodic destruction periods, and destruction techniques, in the “Personal Data Storage and Destruction Policy” text, which can be accessed on our Company’s website www.most-amazing-places.com .
SECURITY
Our Company does not transfer or disclose your personal data to unauthorized third parties, except for the persons or institutions specified in this Policy and the “Customer Personal Data Information Text” published on our website www.most-amazing-places.com and other special information texts, in any way and without your explicit consent, except for the exceptions in Articles 8 and 9 of the KVKK. Only authorized personnel of our Company with whom we have a confidentiality agreement can access your personal data processed by our Company.
Our company may use statistical information (browser type, geographic location, etc.) on the website without disclosing personal identities, for the purpose of improving the website and obtaining statistics for effective and efficient operation in general, for its legitimate interest. This information is not disclosed to third parties in any way. However, due to legal obligations and/or upon the requests of official authorities, it may share it with the relevant parties specified in this Policy and the Disclosure Text.
Our Company does not guarantee that other sites you will visit through links on our website will comply with our Company’s Privacy Policy; therefore, you should evaluate the privacy approaches of the sites you visit before providing any personally identifiable information.
Our Company takes all necessary measures, within the possibilities and according to the nature of the personal data to be protected, in order to prevent the disclosure and transfer of your personal data in a manner contrary to Law No. 6698, the provisions of this Policy and the information texts prepared separately for the relevant person groups as the application/procedure documents of this Policy, the provision of access to this data and other security deficiencies that may occur.
RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS
Rights of the Data Subject
The relevant person has the following rights in accordance with Article 11 of the Law:
a) Learning whether your personal data is being processed,
b) Request information regarding your personal data if it has been processed,
c) To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
d) To know the third parties to whom your personal data is transferred, either domestically or abroad,
d) Request correction of your personal data if it is processed incompletely or incorrectly,
e) To request the deletion or destruction of your legally processed personal data, within the framework of the conditions set forth in Article 7 of the KVKK, if the reasons requiring processing are eliminated,
f) Request that the operations carried out in accordance with clauses (d) and (e) be notified to third parties to whom your personal data has been transferred,
g) To object to a result that is to your detriment as a result of your processed data being analyzed exclusively through automatic systems,
g) To request compensation in case you suffer damages due to the unlawful processing of your personal data.
h) To stop and withdraw your declaration of consent regarding the processing of your personal data and your approval regarding the sending of electronic commercial messages to you at any time without giving any reason.
9.2. Ways to Apply to Our Company Within the Scope of Your Rights
You can submit your requests within the scope of exercising your rights specified above by filling out the “Relevant Person Application Form” on the www.most-amazing-places.com page in accordance with the “Communiqué on the Procedures and Principles of Application to the Data Controller” , by applying in person to our Company’s address “Gümüşsuyu Mah. İnönü Cad. Melek Apt. No: 11/2 Beyoğlu/İSTANBUL” with the specified application methods, with proof of identity, or in writing through a Notary Public, or via the registered/secure electronic mail address mostamazing@hs01.kep.tr (KEP address) or via e-mail to kvkk.map@most-amazing-places.com with your electronic mail address registered in our systems.
Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the process requires an additional cost, you may be charged a fee according to the tariff determined by the Personal Data Protection Board.
PUBLICATION AND STORAGE OF THE POLICY
The policy is published in two different media: with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed copy is also kept in the file to be kept by the Personal Data Controller Contact Person, who is the relevant Employee of the Company.
POLICY UPDATE PERIOD
The policy is reviewed as needed and necessary sections are updated.
ENFORCEMENT AND REPEAL OF THE POLICY
This Policy, prepared by our Company, is dated 22.04.2025. The Policy is deemed to have entered into force and become accessible to relevant persons after it is published on our Company’s website www.most-amazing-places.com. In the event that the entire Policy or certain articles are renewed, the effective date will be updated.
If it is decided to abolish the Policy, the old signed copies will be cancelled (by stamping or writing cancellation) by the Company Contact Person with the decision of the Company Data Controller Officer and will be kept in the file to be kept by the Personal Data Controller Contact Person who is the Relevant Employee of the Company for a period of 10 years.