Version 1.0
01.06.2024.
This Personal Data Protection and Processing Policy (“Policy”), as the data controller, MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. It has been prepared in order to determine the procedures and principles regarding the work and transactions related to personal data processing and protection activities carried out by (“Company”).
Our company; in line with the basic principles it has adopted; Company employees, former employees, employee candidates, shareholders, customers, potential potential customers, service providers, suppliers, business partners, their officials and employees, visitors and other relevant third parties. The Constitution has determined the priority to be processed and protected in accordance with international conventions, the Law on the Protection of Personal Data No. 6698 (“KVKK”) and other relevant legislation, and to ensure that the effective use of the rights of the relevant persons in this regard.
The work and transactions related to the processing and protection of personal data are carried out in accordance with the Policy prepared by the Company in this direction. Thus, the Company provides the necessary transparency by informing the personal data owners and showing all their rights and application procedures and methods regarding their use. With the awareness of our responsibility within this scope, your personal and special personal data are processed and protected by us within the scope of this Policy.
All personal data processed automatically or non-automatically belonging to Company employees, former employees, employee candidates, shareholders, customers, potential leads, service providers, suppliers, business partners and their officers and employees, visitors and other third parties who have a relationship with our Company, provided that they are part of any data recording system, are processed by this Policy. This Policy applies to all recording media such as physical, electronic, website and social media media owned by the Company or managed by the Company where personal and special personal data are processed, and in activities for personal data processing.
With the KVKK, special importance has been attached to some personal data due to the risk of causing victimization or discrimination of people in case of unlawful processing. These data are special personal data described in the Abbreviations and Definitions Table below. Our company is sensitive to the protection of special personal data, which is determined as “special” by KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the storage and protection of personal data are applied much more carefully in terms of special personal data, and some additional measures specified in sections 4.3. and 4.5.2. below are taken for their processing, and the necessary inspections are also provided within the Company.
However, according to the type and nature of the relationship between our company and the data subject, it is possible to provide the data subjects with different personal data policies and/or notifications, disclosure texts procedures by our company from this Policy. The said special policy and clarification texts/notifications provided to the data owners may also contain additional considerations to the explanations in this Policy. In this case, the special policies and notifications provided to the data owners should be taken into account first. In addition to these, the relevant legal regulations in force regarding the processing and protection of personal data will first find application. In the event of an incompatibility between the legislation in force and the Policy, our Company accepts that the applicable legislation will first find an application. The policy aims to regulate the rules set forth by the relevant legislation by embodying them within the scope of Company practices.
Buyer Group | The category of real or legal person to whom personal data is transferred by the data controller. |
Open Consent | Consent to a specific subject, based on being informed and explained of free will. |
Anonymization | Personal data cannot be associated with an identified or identifiable natural person in any way, even by matching it with other data. |
Employee / Former Employee | MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. staff/staff who left the job. |
Employee Candidate | People who have not established a business contract with MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. but are evaluated for establishment. |
Electronic Media | Environments where personal data can be created, read, changed and written with electronic devices. |
Non-Electronic (Physical) Environment | All written, printed, visual, etc. other media other than electronic media. |
Service / Expertise Service Provider | Most AMAZING PLACES TANITIM VE TİCARET A.Ş. is a real or legal person who provides a service or expertise services such as accounting, workplace health-safety, informatics, law within the framework of a specific contract. |
Contact Person | The real person whose personal data is processed. |
Relevant Employee | Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller. |
Destruction | Deletion, destruction or anonymization of personal data. |
Law | Law No. 6698 on the Protection of Personal Data. |
Recording Medium | Any medium in which personal data is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system. |
Personal Data | Any information about an identified or identifiable natural person. |
Personal Data Processing Inventory | The inventory that the data controllers process personal data activities in connection with their business processes; the purposes of processing of personal data and the legal reason, data category, the recipient group transferred and the group of person subject to the data, and the maximum retention period required for the purposes for which the personal data were processed, the personal data envisaged for transfer to foreign countries and the measures taken regarding data security. |
Processing of Personal Data | All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, which are fully or partially automatic or non-automatic means provided that they are part of any data recording system. |
Board | Personal Data Protection Board |
KVKK | Law No. 6698 on the Protection of Personal Data |
Special Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data. |
Periodic Destruction | In the event that all of the conditions for processing personal data contained in the law have disappeared, the process of deletion, destruction or anonymization of personal data will be carried out ex officio at repeated intervals specified in the storage and destruction policy. |
Politics | PERSONAL DATA PROTECTION AND PROCESSING POLICY. |
Company | MOST AMAZING PLACES PROMOTION AND TRADE INC. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
Data Recording System | Registration system in which personal data is structured and processed according to certain criteria. |
Data Owner | The real person whose personal data is processed. |
Data Controller | The real or legal person responsible for the establishment and management of the data recording system, which determines the purposes and means of processing personal data. |
Data Controllers Registry Information System (VERBIS) | The information system created and managed by the Personal Data Protection Board, which can be accessed over the internet, which can be used by the data controllers in the application to the Registry and other related transactions related to the Registry. |
VERBIS | Data Controllers Registry Information System |
In the processes related to your personal data, MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. acts as the data controller according to the Law No. 6698. As the data controller, we have the authority and responsibility to determine the purposes of processing your personal data and by which means it will be processed. In this context, the text of this Policy has been prepared to inform you in detail about the Company’s data processing purposes, means and protection methods.
All units and employees of the company actively support the responsible units in order to ensure the necessary implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, to increase the training and awareness of the employees of the unit, to monitor and prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the legal storage of personal data.
On the other hand, regarding the personal data processed by our Company, both the data controller official and employees acting as the data controller, as well as the persons processing the data on behalf of our Company as a result of the transfer, cannot disclose the personal data they have learned to anyone else contrary to the provisions of this Policy Text and KVKK and cannot use it for processing purposes. This obligation is 12/4 of the KVKK. In accordance with the Article, it continues indefinitely/for life after the completion of the duty/work.
The distribution of titles, units and job descriptions of those who take part in the processing, storage and destruction processes of personal data is given in Table 1.
Table 1: Storage and destruction processes task distribution
TITLE | UNIT | TASK |
Company Personal Data Controller | MOST AMAZING PLACES PROMOTION AND TRADE INC. | It is responsible for the preparation, development, execution, publication and updating of the Policy in related environments and the employees’ act in accordance with the policy. |
Company Data Controller Contact Person | Id. Jobs, Finance and Sales-Marketing Departments | It is responsible for providing and following up the administrative, physical and technical solutions needed in the implementation of the policy. |
Finance and Accounting, Id. Financial Affairs, Sales, Marketing, Information Processing (IT), Departments | Other Units | He is responsible for the execution of this Policy in accordance with his/her duties. |
Personal data is subject to the law in a way that does not harm the fundamental rights and freedoms of individuals (i.e., especially the 4th of the KVKK. Article etc.) is processed in accordance with the general rule of trust and honesty in a way that does not violate other legislation related to the article etc. In this context, personal data is processed in the minimum amount and extent required by the business activities of our Company and limited to these.
In accordance with this principle, the obligation to act in accordance with the principles brought by laws and other legal regulations and the prohibition of abuse of the right is carefully followed by our Company in the processing of personal data. In accordance with the principle of compliance with the rule of integrity, our Company also takes into account the interests and reasonable expectations of the relevant persons, while attempting to achieve its objectives in data processing. It acts in a way that prevents the results that the person concerned does not expect and does not have to wait. In accordance with this principle, the said data processing activity is also carried out for the relevant persons transparently and in accordance with the information and warning obligations.
To re-emphasize that, in accordance with the rule of honesty by our company, maximum attention is paid to the issues of not using the personal data of the relevant person in a way that causes injustice against the relevant person, to meet the reasonable expectations of the relevant person and not exceeding the purpose of collecting personal data. Again in this context, for example; According to the nature of the relationship established with the data owner, unreasonable data is not requested and processed by the relevant person within the framework of the confidentiality of private life, and personal data is not processed by more than necessary employees within our Company.
Our company takes the necessary measures to ensure that personal data is accurate and up-to-date during the period of processing and carries out the necessary studies to ensure the accuracy and up-to-dateness of personal data for certain periods. In this context; Necessary care is taken in matters such as the sources from which personal data are obtained are specific and their accuracy is tested when necessary and the requests arising from the inaccuracy of personal data are taken into account.
Because this principle is in line with the right of the relevant person stipulated in the KVKK to request the correction of the data. Keeping personal data accurate and up-to-date is necessary for the benefit of our company, as well as for the benefit of our company, in terms of protecting the fundamental rights and freedoms of the data owner and in order not to suffer any material and moral damage. For example, if a person whose communication information is recorded incorrectly cannot receive his/her messages on time or if they are sent to a wrong person, the relevant person may suffer material and moral damage. Again, it is important that the number of children of our employees or the working status information of their spouse is correct and up-to-date for the correct calculation of the minimum subsistence allowance (MGI). Our active duty of care to ensure that personal data is accurate and up-to-date when necessary; It is valid if a conclusion is established by our Company based on this data (for example, in cases such as lending). Apart from this, our company, as a data controller, always keeps the channels open that will ensure that the information of the relevant person is accurate and up-to-date.
Our company carries out data processing by carrying out all necessary disclosure notifications regarding personal data processing in appropriate ways in the media where both physical and electronic data recording is made before the personal data processing activity and by also obtaining consent declaration in necessary. Thus, the personal data subject to being processed before the transaction by our Company, the methods by which it was obtained and the purposes of processing are clearly and definitively revealed, and the data is processed within the scope of specific, clear and legitimate purposes related to these activities in line with the business, trade and service activities carried out by our Company. For example, our Company never processes personal data that has nothing to do with our business such as mother and maiden name in all sales and customer relations processes.
In this context, it is also ensured that personal data processing activities are clearly understandable by the relevant person, that personal data processing activities are based on which legal processing conditions are carried out and that the personal data processing activity and the purpose of this activity is revealed in detail to ensure the specificity of the purpose of this activity. For this reason, the personal data obtained is not processed for other purposes other than the purposes of giving or by misusing in any way.
Our company collects personal data only in the nature and extent required by business activities and processes it in a limited and connected manner for the purposes of providing it. In this context, in accordance with the principle of being related and limited to the purpose; care is taken to ensure that the processed data is necessary and convenient for the realization of the current and current purposes, and to avoid the processing of personal data that is not related to the realization of such a purpose or is not needed. Because data processing other than what is necessary for the purpose will constitute a violation of the principle of limitation. For example, sending an advertisement to the e-mail address given to participate in a symposium is against the principle of limitation.
According to the principle of proportionality, we take into account that a reasonable balance should be established between the data processing and the purpose to be achieved. In other words, we carry out our data processing activity only to the extent that it achieves the purpose. For example, our company does not ask any data owner for information about their social life preferences in any process.
Personal data should be kept only in accordance with the period required for the purpose for which they are processed as a requirement of the “purpose limitation principle”. According to this principle, our Company does not store personal data after the expiration of the specified period, the purpose of the purpose is realized or the data processing condition has disappeared, for the purpose of using it for another purpose or based on the existence of the possibility of use in the future, and it refers to the necessary means to go to the necessary destruction. For example, if there is no other processing condition, the name and vehicle license plate information collected for participation in a campaign that will be awarded to those who receive a certain amount of product within a certain period of time, if there is no other processing condition, it is carefully followed.
In this regard, as stated in Article 12 of the KVKK, our company as the data controller; takes all kinds of necessary technical and administrative measures to ensure the appropriate operational and security level in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation and destruction of personal data when necessary.
In this context, our company stores personal data for the minimum period of time, which is necessary for the purpose for which they are processed and stipulated in the relevant legal legislation. In the specified line, our Company first determines whether a period is provided for the storage of personal data in the relevant legislation, and if a period has been determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which the data is processed, taking into account the retention periods determined according to the field of activity of our Company. Personal data is destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and with the determined destruction methods (deletion, destruction or anonymization). You can find more detailed information on issues related to retention and destruction in addition to the text of this Policy in the “Personal Data Retention and Destruction Policy” on the “www.most-amazing-places.com” website of our Company.
Except for the explicit consent of the personal data owner, the basis of the personal data processing activity can be only one of the following conditions, and more than one condition may be the basis of the same personal data processing activity. If the processed data is special personal data, additional conditions in sections 4.3 and 4.5.2. of this Policy will also apply.
Finding the Explicit Consent of the Personal Data Owner
The explicit consent of the data owner is one of the conditions for personal data processing. However, if the personal data processing activity is based on one of the conditions other than the explicit consent in the KVKK and specified in the following articles below, in this case, since there is no need to obtain an explicit consent from the relevant person and since the priority should be given to the conditions other than this consent specified, our company takes care to carry out data processing activities by fulfilling the disclosure obligation based on the provisions of the specified law in all cases and conditions.
In cases where there are no legal provisions regarding this data processing or it does not sufficiently allow the processing of personal data, personal data is processed by our Company based on the express consent of the data owner. In this case, maximum care and care are taken to ensure that the explicit consent of the data owner is disclosed on a specific subject, informed and free will. Again, during data processing based on explicit consent, the disclosure notification is necessarily fulfilled independently of this and before, and thus obtaining consent in an informed manner is obtained. In the same way, the process of obtaining explicit consent aimed at data processing is not made a prerequisite for the provision of any goods or services and is carried out in a way that does not contain a situation that will be at the disadvantage of the data owner if no explicit consent is given.
To re-emphasize, in the presence of any of the personal data processing conditions below, the personal data will be processed based on these conditions specified by our Company without the need for the explicit consent of the data owner.
Explicitly Predicted in the Laws
If the processing of the personal data of the data owner is expressly provided for in the law or in other words, if there is a clear provision regarding the processing of personal data in the relevant law such as Tax Laws, Labor Law, Commercial Code and KVKK, the existence of this data processing condition can be mentioned. For example, the personal information and file of our employees in accordance with the Labor Law or the tax numbers of our customers due to financial legislation are within this scope.
If the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be granted is valid, if it is mandatory to process the personal data of the person who does not have the power to discriminate in order to protect the life or physical integrity of himself or another person, the personal data of the data owner may be processed. For example, the personal health information of the unconscious person or the processing of contact and location information of the hostage person falls within this scope.
Provided that it is directly related to the establishment or performance of a contract, if the processing of personal data of the parties to the contract is mandatory, limited to this purpose, this condition will be deemed to have been fulfilled. For example, cases such as recording address information for service/product performance as a result of legal relations such as Employment Contract, Sales Contract, Transportation Contract, Service Contract, etc., giving them to the transport company or requesting a document showing the training status of the Company employee are included in this scope. Also, cases such as obtaining the account number of the creditor party for paying money in accordance with a contract or paying a salary to the employee, or making a surety agreement, the Company obtaining the payroll, title deed records, and the document stating that there is no enforcement debt of that person can also be given as an example here.
Sometimes there may be multiple legal reasons for the collection of personal data. For example, although the legal basis for the processing of the personal data of the employees for the purpose of regulating payroll falls within the scope of this article, this situation also constitutes the reason for the fulfillment of the legal obligation of our Company, which will be mentioned below.
If data processing is mandatory for our company to fulfill its legal responsibilities and obligations, the personal data of the relevant person may be processed. For example, due to the obligation to share information for situations such as financial audits, security legislation, compliance processes with sector-oriented regulations, data processing enters here. In this context, obtaining and processing data such as bank account number, whether they are married, dependants, whether their spouses work, social insurance numbers, etc. In order to pay salaries to our employees, can be given an example of this situation. The fact that our company submits the information of its employees or customers during the tax audit to the examination of the relevant public officials can also be evaluated in this context.
Personal Data Owner’s Fulicization of Personal Data
If the data owner has made public his/her personal data, that is, he presents his/her information to the public with the will to publicize it and to be used for certain purposes, the relevant personal data may be processed in a limited manner for the purpose of publicization. Since it will not make it public that a person’s personal data is in a place where everyone can only see it by chance or loss, data processing is carried out by paying attention to the details on this subject. In addition, the rule of not using personal data other than its purpose is followed in case of slatification. For example, the fact that the contact information of the relevant persons on the websites where vehicles are purchased and sold cannot be used and processed for marketing purposes is taken into consideration.
An example of this situation is that a person publicly announces his contact information in order to be contacted in certain cases. On corporate websites, if the workplace phone numbers and corporate e-mail addresses of the employees are shared openly to third parties, it can also be said to be publicized. Again, for example, the contact information of the person making an advertisement containing the supply or request of goods or services related to the field of activity of our Company may be processed for the purpose of using it in this scope.
Data Processing is Mandatory for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise or protection of a right such as applying for legal action for our company, the personal data of the data owner may be processed. These data are mandatory data to be used in works such as filing a lawsuit, registration transactions, all kinds of title deed transactions, etc. For example, the retention of some of the personal data and information of an employee who leaves the job is kept during the 10-year litigation limitation period for the purpose of using it as evidence in a lawsuit to be filed. Similarly, after the termination of the contract, the storage of documents such as invoices, contract copies, surety notifications until the end of the statute of limitations against possible lawsuits or legal proceedings for these purposes will also be evaluated within this scope.
Data Processing is Mandatory for the Legitimate Benefit of Our Company
If the data processing is mandatory for the current, important/serious and legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data owner may be processed. In this context, for example, our Company may be able to process personal data within these scopes to be taken as a basis for the regulation of promotions, salary increases or social rights of our employees or in the distribution of duties and roles in the process of restructuring of the business, provided that it does not harm the fundamental rights and freedoms of our employees. Again, for example, data processing is carried out within this scope for the purpose of recording camera videos in the workplaces belonging to our Company for security purposes or applying rewards and premiums that increase the loyalty of our employees.
We consider that in order for this Article to be implemented, a reasonable balance must be achieved between the legitimate interest of our Company and the rights and freedoms of the data owner not to be harmed. However, while making this evaluation, it should also be taken into account that the legitimate interest of our Company and the purpose of processing personal data should not be confused. The purpose of processing personal data is specifically related to the reason for the processing of the data. However, in this context, the legitimate interest of our Company as the data controller is interpreted more broadly due to the benefit to be obtained as a result of the data processing activity to be carried out.
Special personal data processed by our company is only the following special personal data belonging to our suppliers and business partners and employees/employee candidates, and these are processed in accordance with the principles stated in this Policy and provided that the method and sufficient measures to be taken by the Board, by taking all necessary administrative and technical measures and in the presence of the following conditions. Our company does not process special personal data for any group of person or data category other than these.
Biometric data related to the video recording of our supplier and our business partners obtained through internet-based platforms used during remote work/meeting by video conference method are processed based on the legal reason of the express consent of the relevant data owner in accordance with Article 6/3-a of the KVKK. In other words, in this case, the consent of the person concerned will be obtained before the data is processed, otherwise such a special personal data will not be processed.
Special personal data of our employees and employee candidates
Special personal data of our employees are collected and processed by our Company based on the relevant legal reasons and purposes specified in Article 6/3 of the KVKK. In this context;
It is processed by our personnel who have signed a confidentiality commitment letter and OHS physicians who are under the obligation to keep it confidentiality.
Within the scope of processing special personal data of our employee candidates;
Apart from these, there is no other special personal data processed by our Company.
In accordance with Article 10 of the KVKK and the secondary legislation, our company informs the personal data owners about who their personal data is processed as the data controller, for what purposes, for what purposes it is shared with whom it is collected, by what methods it is collected and for legal reasons and the rights that the data owners have within the scope of processing of their personal data.
If the personal data in question is given to our Company by another person other than the data owner, that is, if the person relating to our Company provides the data of someone else to use, the process of obtaining clarification and, if necessary, obtaining a consent declaration for the relevant third party, is carried out during this first communication specified if this data is provided for the purpose of communication with the relevant third person, if this is not the case, at the time when the said data is processed or transferred for the first time.
As an example of the cases mentioned in the paragraph above; Situations such as customers who want to receive goods or services with someone else’s credit card, people who send reference letters for the hiring of employees or employee relatives whose identity information is taken for additional-social payment such as AGİ can be shown.
Our company may transfer the personal data of the personal data owner and its special personal data to third parties (our expert service providers, suppliers, group companies, shareholders, business partners and their officials and employees and legally authorized institutions and organizations) by taking the necessary security measures in accordance with the purposes of personal data processing in accordance with the law. Our company acts in accordance with the regulations stipulated in the 8th and 9th articles of the KVKK in this direction.
Domestic Transfer of Personal Data
Personal and special personal data processed by our company are 8/1 of the KVKK. In accordance with the Article, it can be transferred to our above-mentioned stakeholders in the country based on the explicit consent of the relevant person. In addition, with the sending of Article 8/2-a of the KVKK, 5/2 of the same Law. Article and again with the sending of Article 8/2-b of the KVKK, 6/3 of the same Law. In the event that one of the conditions specified in the Article is present, personal and special personal data can be transferred domestically in the same way without the explicit consent of the relevant person. The provisions of other laws regarding the transfer of personal data are reserved.
In this context, with the sending of Article 8/2-a of the KVKK, 5/2 of the KVKK, which can transfer personal data by our Company without the consent of the relevant person. The conditions in the article are as follows;
With the submission of Article 8/2-b of the KVKK, the 6/3 of the KVKK, which can transfer special personal data by our Company without the consent of the relevant person. The conditions in the article are as follows;
Transfer of Personal Data Abroad
The process of transfer of personal and special personal data processed by our company abroad is the 9th of the KVKK. It is fulfilled in accordance with the conditions specified in the Article. In this context;
a) The existence of the standard contract announced by the Board, which includes issues such as data categories, the purposes of data transfer, buyer and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special personal data,
B) The existence of a written letter of commitment containing provisions that will provide adequate protection and allowing the transfer by the Board,
C) The existence of binding company rules that the companies within our group of undertakings engaged in joint economic activities are obliged to comply with, contain provisions on the protection of personal data and approved by the Board.
A) Giving explicit consent to the transfer, provided that the relevant person is informed about the possible risks,
B) The transfer is mandatory for the performance of a contract between the relevant person and our Company, which is the data controller, or for the implementation of pre-contractual measures taken at the request of the relevant person,
C) The transfer is mandatory for the establishment or performance of a contract to be made between our Company, which is the data controller, and another real or legal person for the benefit of the relevant person,
ç) Transfer is mandatory for a superior public interest,
d) The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
e) The transfer of personal data is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
F) Transfers from a registry that is open to public or persons with legitimate interests, provided that the necessary conditions for accessing the registry are met in the relevant legislation and that the person with a legitimate interest requests it.
In case of transferring personal data abroad within the scope stated above, our Company also pays attention to the following issues:
SPECIAL CASES IN WHICH PERSONAL DATA IS PROCESSED
5.1. Personal Data Processing Activities for Security Purposes in Physical Places of Our Company
Data processing activities carried out in physical spaces in the service units of our company fall within this scope. These image records of personal data are monitored and recorded by the company with closed circuit camera systems 24 hours a day, 7 days a week for the purpose of tracking the entry and exit of employees, customers, potential customers, visitors, company officials, shareholders, guests and other 3rd parties in the specified physical spaces, ensuring data security and physical security, presenting evidence to the judicial authorities and law enforcement officers in a possible judicial case, controlling the entry and exit of employees and other persons, and ensuring the safety of life and property.
The monitoring activity carried out by our company is carried out in accordance with the Regulation on Opening a Business and Work Licenses, the Law on Private Security Services and other relevant legislation.
Again, the Company acts in accordance with the regulations in the KVKK in the implementation of camera monitoring activities for security purposes. In order to ensure security in the service units, the company carries out closed circuit security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.
10th of KVKK by our company. In accordance with the article, the personal data owner is enlightened. In this regard, clarification texts and warning signs in accordance with the Law No. 6698 and related legislation are visibly positioned in the monitored areas. Our company notifies the camera monitoring activity of its lighting in relation to general issues with more than one method. Thus, it is aimed to prevent the fundamental rights and freedoms of the personal data owner, to ensure transparency and enlightenment of the personal data owner.
Again, for the processing of personal data by the Company with a camera; This Policy is published on the website (online policy regulation) and a notification letter and signs are hung at the entrances of the areas where the monitoring is carried out (in-place lighting, layered lighting).
Our company processes personal data in a limited and measured manner related to the purpose for which they are processed in accordance with Article 4 of the KVKK. The purpose of the company’s video camera monitoring activity is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number and when to monitor the security cameras are put into practice as sufficient and limited to achieve the security purpose. Areas that may result in intervention in a way that exceeds security purposes are not subject to monitoring.
On the websites owned by the company; to ensure that the people who visit these sites make their visits to the sites in a suitable way for the purpose of visiting; in order to show them customized content and to carry out online advertising activities, IP information and technical means (e.g. Cookies/such as cookies) internet movements within the site can be recorded. Detailed explanations regarding the protection and processing of personal data related to these activities carried out by the company are in the “Clarification Text on Cookies” on the website “www.most-amazing-places.com”.
In the event that our company uses the internet access provided free of charge during their stay in the company’s service units for employees, shareholders and visitors (third parties), the information entered for the internet access connection, the identity number of the connected device, the IP and LOG record and other traffic information can be recorded in accordance with the provisions of the legislation regulated in accordance with the Law No. 5651 and this Law. Only a limited number of Company employees have access to the information obtained in this context.
These records are processed only for the purpose of fulfilling our relevant legal obligation in the audit processes to be requested by authorized public institutions and organizations or to be carried out within the Company and/or to protect our legal rights and to establish defense rights in order to ensure information security, and are not shared with third parties except our expert service providers.
In accordance with Article 10 of the KVKK and secondary legislation, the relevant persons are informed in accordance with the personal data processing purposes of our Company, based on at least one of the personal data processing conditions specified in Article 5 and 6 of the Law, in accordance with the general principles and conditions specified in Article 4 of the KVKK regarding the processing of personal data, in accordance with the general principles and conditions specified in Article 4 of the KVKK, in accordance with the personal data processing of the general principles specified in the KVKK.
Personal data categories and descriptions processed within the scope of personal data processing activities carried out by our company are arranged and shown in the Table below:
Table 2: Personal data categories
PERSONAL DATA CATEGORIES | DESCRIPTION |
Identity Information | Personal data containing information about the identity of the person; name-surname, Turkish identity number, nationality information, marital status, mother’s name-father’s name, name, place of birth, age, gender, driver’s license documents such as identity card and passport, tax number, SSI number, signature information, etc. information. |
Contact Information | Personal data such as phone number, address, e-mail address. |
Employee, Former Employee, Employee Candidate Information | Personal data processed in written, visual and electronic media in accordance with the applicable legislation and commercial practice rules regarding company employees, former employees, employee candidates and interns. |
Family Members and Close Knowledge | Within the framework of operations carried out by the Company’s business units, personal data about the family members of the personal data owner (for example; spouse, mother, father, children for chronic disease follow-up in the scope of workplace health activity) in order to protect the legal interests of the Company and the data owner in order to protect the legal interests of the Company and the data owner. |
Physical Space Safety Information | Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings and records taken at the security point, etc. |
Transaction Security Information | Personal data such as internet access and web traffic information, security camera image and call center audio recordings provided by the Company, which are processed to ensure the technical, administrative, legal and commercial security of both the data owner and the Company while carrying out the activities of the Company. |
Risk Management Information | Personal data processed through methods used in accordance with generally accepted legal, commercial practices and honesty rules in these fields for the management of commercial, technical and administrative risks. |
Financial Information | Personal data such as bank account number, IBAN number, credit card information, financial profile, personal data processed in relation to information, documents and records showing all kinds of financial results created within the scope of the legal relationship between the company and the data owner. |
Legal Transaction and Compliance Information | Personal data processed within the scope of the determination and follow-up of the legal receivables and rights of the Company and the performance of its debts, legal obligations and compliance with the Company’s policies, and again related to the legal proceedings of its employees. |
Special Personal Data | The data specified in Article 6 of the Law (for example, health data, including blood type, criminal record information). |
Request/Complaint Management Information | Other personal data, including call center audio recording regarding the receipt and evaluation of any request or complaint addressed to the company. |
Reputation Management Information | Personal data associated with the person and collected for the purpose of protecting the Company’s commercial reputation (for example; sharing about the Company). |
Event Management Information | Information and assessments collected about events associated with the personal data subject and related to the Company’s employees, the potential to affect its shareholders (e.g. collected information on the proper management of the public, assessments, etc.). |
The purposes of personal data processing within the scope of personal data processing activities carried out by our company are shown in the Table below:
Table 3: Purposes of personal data processing
MAIN OBJECTIVES | SECONDARY GOALS |
Identification, planning and implementation of our company’s commercial policies | 1. Planning and execution of in-house or external training activities 2. Conducting financial, accounting and financial transactions with customers, business partners and suppliers, performing risk management, |
Design and Execution of the Company’s Human Resources Activities | 1. Planning and execution of human resources and employee procurement processes 2. Fulfillment of obligations arising from employment contract and legislation for company employees 3. Follow-up and control of employees’ work activities 4. Planning and execution of benefits and benefits for employees 5. Planning and execution of employee exit procedures 6. Planning and follow-up of employee performance evaluation processes 7. Planning and execution of in-house training activities 8. Management of relationships with business partners and suppliers 9. Wage management 10. Planning and execution of internal orientation activities |
Carrying out the necessary studies by the business units within the company for the implementation of the commercial activities carried out by the company in accordance with the legislation and company policies and carrying out the activities in this direction | 1. Follow-up of finance and accounting works 2. Execution of investor relations and marketing activities 3. Planning and execution of corporate communication activities 4. Planning and execution of activity/efficiency and on-site analysis of business activities, Event management 5. Uninterrupted execution of supply chain and processes, 6. Creation and management of information technology infrastructure 7. Planning, supervision and execution of information security processes 8. Planning and execution of work continuity activities 9. Planning and execution of information access authorizations of business partners and suppliers 10. Fulfillment of obligations related to after-sales support |
Supporting the design, planning and execution of the company’s human resources activities | 1. Support in planning the company’s human resources strategies 2. Follow-up and announcement of company employees’ transfer, temporary assignment, promotion and dismissal 3. Supporting the planning and execution of the processes of measuring company employee loyalty 4. Supporting company employee procurement processes |
Company’s commercial reputation and of the trust it creates protection | 1. Demand and complaint management 2. Carrying out studies to protect the reputation of the company values |
In accordance with the principles contained in the KVKK and especially the 8th and 9th articles of the Law No. 6698, our company transfers/shares personal data within the scope of this Policy to the groups of recipient persons listed below for the purposes specified in the Table below:
Table 4: Categories of parties to which personal data is transferred and for transmission purposes
DATA TRANSFERRED PEOPLE | DEFINITION | PURPOSE OF DATA TRANSFER |
Shareholders, Group Companies, Business Partners and Officials and Employees | Parties in which the company has established a business partnership / association within or outside the group for purposes such as carrying out the company’s partner and commercial activities | Limited to ensure the fulfillment of the purposes of establishment and execution of the business partnership / association |
Suppliers, Service Providers, Expert Service Providers, Their Authorized and Employees, Related Bank Branch-Financial Institutions, BES Company | Within the scope of the performance of the company’s commercial activities, the parties providing goods or services to the Company in accordance with the Company’s instructions and on a contractual basis | Limited to ensure the provision of goods and services required by the Company to carry out the Company’s commercial activities and expertise services such as Accounting, Finance, Informatics and Law, which the Company outsources from the supplier |
Legally Authorized Public Institutions and Organizations | According to the provisions of the relevant legislation, the Company’s public institutions and organizations authorized to receive information and documents | Limited to the purpose requested by the relevant public institutions and organizations within the legal authority |
Legally Authorized Private Law Legal Entities | Private law legal entities authorized to receive information and documents from the Company according to the provisions of the relevant legislation | Limited to the purpose requested by the relevant private law legal entities within the scope of their legal authority |
Our company retains personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company first determines whether a period is provided for the storage of personal data in the relevant legislation, and if a period has been determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. Personal data is destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and with the determined destruction methods (deletion, destruction or anonymization).
You can find all the detailed and necessary explanations regarding the storage and destruction of the personal data processed by our company, the recording environments where the said data are kept, all technical and administrative measures taken regarding the safe storage and protection, explanations regarding the legal reasons requiring storage and destruction, process-based personal data retention periods and periodic destruction periods and destruction techniques, which will be found on the “www.most-amazing-places.com” website of our Company, in the text of “Personal Data Retention and Destruction Policy”.
Our company does not transfer and disclose your personal data to unauthorized third parties other than persons or institutions written in this Policy and in the “Customer Personal Data Clarification Text” and other special clarification texts published on our website “www.most-amazing-places.com” in any way and without your explicit consent, except for the exceptions in Articles 8 and 9 of the KVKK. Only authorized personnel of our Company with confidentiality agreement and our workplace physicians who have an obligation to keep secrets in terms of health data can access your personal data processed by our company.
Our company may use statistical information (browser type, geographical location, etc.) in order to improve the website and to obtain statistics for effective and efficient work in general, without disclosing personal identities on the website. This information is not disclosed to third parties in any way. However, due to legal obligation and/or in response to the requests of official authorities, it may share it with the relevant parties written in this Policy and the Clarification Text.
Our Company does not guarantee that other sites you visit through links on our website will comply with our Company’s Privacy Principles; therefore, before providing any personally identifiable information, you should evaluate the privacy approaches of the sites you visit.
Our company takes all necessary measures according to the nature of the personal data to be protected in order to prevent the disclosure and transfer of your personal data in a way that is contrary to the Law No. 6698, the provisions of this Policy and the disclosure texts prepared separately for the relevant person groups as the application / procedure documents of this Policy, and to provide access to this data and other security deficiencies that may occur.
Personal data owners are subject to the 11th of the Law. According to the Article, they have the following rights:
a) Learning whether your personal data has been processed,
B) If your personal data is processed, requesting information about it,
c) To learn the purpose of processing your personal data and whether it is used in accordance with its purpose,
ç) Knowing the third parties to whom your personal data is transferred at home or abroad,
d) To request the correction of your personal data in case of incomplete or incorrect processing,
E) Within the framework of the conditions stipulated in Article 7 of the KVKK, to request the deletion or destruction of your personal data that has been processed in a legal manner in case of the disappearance of the reasons requiring the processing,
f) To request that the transactions made in accordance with paragraphs (d) and (e) be notified to the third parties to whom your personal data is transferred,
g) Objecting to the emergence of a result against you by analyzing your processed data exclusively through automatic systems,
ğ) Requesting the removal of the damage in case you suffer damage due to the unlawful processing of your personal data.
h) To stop and withdraw your consent to the processing of your personal data and your consent to be sent to you electronic commercial messages at any time without giving any reason.
Your requests within the scope of the use of your above-mentioned rights, by filling out the “Personal Data Owner Application Form” according to the “Communiqué on the Procedures and Principles of Application to the Data Controller” or with a similar petition, our Company’s “Gümüşsuyu Mah. İnönü St. Melek Apt. You can apply to the address No: 11/2 Beyoğlu/İSTANBUL in person and send it by sending it to “pelin@most-amazing-places.com” by applying in person to the address of your identity or through a notary, or by sending it by e-mail to “pelin@most-amazing-places.com” via registered/secure e-mail.
Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the process requires an additional cost, a fee may be requested from you according to the tariff to be determined by the Personal Data Protection Board.
The policy is published in two different media, wet signed (printed paper) and electronic, and announced to the public on the website. The printed paper copy is also stored in the file to be kept by the Contact Personal Data Controller, who is the Company’s Relevant Employee.
The policy is reviewed as needed and the necessary sections are updated.
This Policy issued by our company is dated 01.06.2024. The policy is considered to have entered into force after the publication of our Company on the website www.most-amazing-places.com and is considered accessible to personal data owners. In case of renewal of all or certain articles of the Policy, the effective date will be updated.
If it is decided to repeal the Policy, the old copies with wet signatures are canceled and signed by the Company Liaison Person with the Company Data Controller Authority Decision (by stamping the cancellation stamp or writing the cancellation) and stored in the file to be kept by the Personal Data Controller, who is the Company’s Relevant Employee, in the file to be kept by the Contact Person.
You are currently viewing a placeholder content from Instagram. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information