Most Amazing Places

MOST AMAZING PLACES TANITIM VE TİCARET A.Ş.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Version 1.0

01.06.2024.

INTRODUCTION

1.1. Purpose 

  This Personal Data Protection and Processing Policy (“Policy”), as the data controller, MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. It has been prepared in order to determine the procedures and principles regarding the work and transactions related to personal data processing and protection activities carried out by (“Company”). 

Our company; in line with the basic principles it has adopted; Company employees, former employees, employee candidates, shareholders, customers, potential potential customers, service providers, suppliers, business partners, their officials and employees, visitors and other relevant third parties. The Constitution has determined the priority to be processed and protected in accordance with international conventions, the Law on the Protection of Personal Data No. 6698 (“KVKK”) and other relevant legislation, and to ensure that the effective use of the rights of the relevant persons in this regard. 

The work and transactions related to the processing and protection of personal data are carried out in accordance with the Policy prepared by the Company in this direction. Thus, the Company provides the necessary transparency by informing the personal data owners and showing all their rights and application procedures and methods regarding their use. With the awareness of our responsibility within this scope, your personal and special personal data are processed and protected by us within the scope of this Policy. 

1.2. Scope 

All personal data processed automatically or non-automatically belonging to Company employees, former employees, employee candidates, shareholders, customers, potential leads, service providers, suppliers, business partners and their officers and employees, visitors and other third parties who have a relationship with our Company, provided that they are part of any data recording system, are processed by this Policy. This Policy applies to all recording media such as physical, electronic, website and social media media owned by the Company or managed by the Company where personal and special personal data are processed, and in activities for personal data processing. 

With the KVKK, special importance has been attached to some personal data due to the risk of causing victimization or discrimination of people in case of unlawful processing. These data are special personal data described in the Abbreviations and Definitions Table below. Our company is sensitive to the protection of special personal data, which is determined as “special” by KVKK and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the storage and protection of personal data are applied much more carefully in terms of special personal data, and some additional measures specified in sections 4.3. and 4.5.2. below are taken for their processing, and the necessary inspections are also provided within the Company.

However, according to the type and nature of the relationship between our company and the data subject, it is possible to provide the data subjects with different personal data policies and/or notifications, disclosure texts procedures by our company from this Policy. The said special policy and clarification texts/notifications provided to the data owners may also contain additional considerations to the explanations in this Policy. In this case, the special policies and notifications provided to the data owners should be taken into account first. In addition to these, the relevant legal regulations in force regarding the processing and protection of personal data will first find application. In the event of an incompatibility between the legislation in force and the Policy, our Company accepts that the applicable legislation will first find an application. The policy aims to regulate the rules set forth by the relevant legislation by embodying them within the scope of Company practices. 

1.3. Abbreviations and Definitions

Buyer Group

The category of real or legal person to whom personal data is transferred by the data controller. 

Open Consent

Consent to a specific subject, based on being informed and explained of free will.

Anonymization 

Personal data cannot be associated with an identified or identifiable natural person in any way, even by matching it with other data. 

Employee / Former Employee

MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. staff/staff who left the job.

Employee Candidate

People who have not established a business contract with MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. but are evaluated for establishment.

Electronic Media 

Environments where personal data can be created, read, changed and written with electronic devices. 

Non-Electronic (Physical) Environment 

All written, printed, visual, etc. other media other than electronic media. 

Service / Expertise Service Provider 

Most AMAZING PLACES TANITIM VE TİCARET A.Ş. is a real or legal person who provides a service or expertise services such as accounting, workplace health-safety, informatics, law within the framework of a specific contract.

Contact Person 

The real person whose personal data is processed. 

Relevant Employee 

Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller. 

Destruction 

Deletion, destruction or anonymization of personal data. 

Law 

Law No. 6698 on the Protection of Personal Data. 

Recording Medium 

Any medium in which personal data is fully or partially automated or processed by non-automatic means, provided that it is part of any data recording system. 

Personal Data 

Any information about an identified or identifiable natural person. 

Personal Data Processing Inventory 

The inventory that the data controllers process personal data activities in connection with their business processes; the purposes of processing of personal data and the legal reason, data category, the recipient group transferred and the group of person subject to the data, and the maximum retention period required for the purposes for which the personal data were processed, the personal data envisaged for transfer to foreign countries and the measures taken regarding data security.

Processing of Personal Data 

All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, which are fully or partially automatic or non-automatic means provided that they are part of any data recording system. 

Board

Personal Data Protection Board

KVKK

Law No. 6698 on the Protection of Personal Data 

Special Personal Data 

Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures and biometric and genetic data. 

Periodic Destruction 

In the event that all of the conditions for processing personal data contained in the law have disappeared, the process of deletion, destruction or anonymization of personal data will be carried out ex officio at repeated intervals specified in the storage and destruction policy. 

Politics 

PERSONAL DATA PROTECTION AND PROCESSING POLICY.

Company 

MOST AMAZING PLACES PROMOTION AND TRADE INC.

Data Processor 

A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. 

Data Recording System 

Registration system in which personal data is structured and processed according to certain criteria. 

Data Owner

The real person whose personal data is processed. 

Data Controller 

The real or legal person responsible for the establishment and management of the data recording system, which determines the purposes and means of processing personal data. 

Data Controllers Registry Information System (VERBIS)

The information system created and managed by the Personal Data Protection Board, which can be accessed over the internet, which can be used by the data controllers in the application to the Registry and other related transactions related to the Registry. 

VERBIS 

Data Controllers Registry Information System 

DATA CONTROLLER

In the processes related to your personal data, MOST AMAZING PLACES TANITIM VE TİCARET A.Ş. acts as the data controller according to the Law No. 6698. As the data controller, we have the authority and responsibility to determine the purposes of processing your personal data and by which means it will be processed. In this context, the text of this Policy has been prepared to inform you in detail about the Company’s data processing purposes, means and protection methods.

DISTRIBUTION OF RESPONSIBILITY AND DUTIES 

All units and employees of the company actively support the responsible units in order to ensure the necessary implementation of the technical and administrative measures taken by the responsible units within the scope of the Policy, to increase the training and awareness of the employees of the unit, to monitor and prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the legal storage of personal data. 

On the other hand, regarding the personal data processed by our Company, both the data controller official and employees acting as the data controller, as well as the persons processing the data on behalf of our Company as a result of the transfer, cannot disclose the personal data they have learned to anyone else contrary to the provisions of this Policy Text and KVKK and cannot use it for processing purposes. This obligation is 12/4 of the KVKK. In accordance with the Article, it continues indefinitely/for life after the completion of the duty/work. 

The distribution of titles, units and job descriptions of those who take part in the processing, storage and destruction processes of personal data is given in Table 1.

Table 1: Storage and destruction processes task distribution

TITLE 

UNIT 

TASK 

Company Personal Data Controller 

MOST AMAZING PLACES PROMOTION AND TRADE INC.

It is responsible for the preparation, development, execution, publication and updating of the Policy in related environments and the employees’ act in accordance with the policy.

Company Data Controller Contact Person 

Id. Jobs, Finance and Sales-Marketing Departments

It is responsible for providing and following up the administrative, physical and technical solutions needed in the implementation of the policy. 

Finance and Accounting, Id. Financial Affairs, Sales, Marketing, Information Processing (IT), Departments

Other Units

He is responsible for the execution of this Policy in accordance with his/her duties.

ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA 

4.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation (Processing Conditions)

Processing in accordance with the Law and the Rule of Honesty 

Personal data is subject to the law in a way that does not harm the fundamental rights and freedoms of individuals (i.e., especially the 4th of the KVKK. Article etc.) is processed in accordance with the general rule of trust and honesty in a way that does not violate other legislation related to the article etc. In this context, personal data is processed in the minimum amount and extent required by the business activities of our Company and limited to these. 

In accordance with this principle, the obligation to act in accordance with the principles brought by laws and other legal regulations and the prohibition of abuse of the right is carefully followed by our Company in the processing of personal data. In accordance with the principle of compliance with the rule of integrity, our Company also takes into account the interests and reasonable expectations of the relevant persons, while attempting to achieve its objectives in data processing. It acts in a way that prevents the results that the person concerned does not expect and does not have to wait. In accordance with this principle, the said data processing activity is also carried out for the relevant persons transparently and in accordance with the information and warning obligations.

To re-emphasize that, in accordance with the rule of honesty by our company, maximum attention is paid to the issues of not using the personal data of the relevant person in a way that causes injustice against the relevant person, to meet the reasonable expectations of the relevant person and not exceeding the purpose of collecting personal data. Again in this context, for example; According to the nature of the relationship established with the data owner, unreasonable data is not requested and processed by the relevant person within the framework of the confidentiality of private life, and personal data is not processed by more than necessary employees within our Company. 

Ensuring that Personal Data is Accurate and Up-to-Date When Necessary 

Our company takes the necessary measures to ensure that personal data is accurate and up-to-date during the period of processing and carries out the necessary studies to ensure the accuracy and up-to-dateness of personal data for certain periods. In this context; Necessary care is taken in matters such as the sources from which personal data are obtained are specific and their accuracy is tested when necessary and the requests arising from the inaccuracy of personal data are taken into account.

Because this principle is in line with the right of the relevant person stipulated in the KVKK to request the correction of the data. Keeping personal data accurate and up-to-date is necessary for the benefit of our company, as well as for the benefit of our company, in terms of protecting the fundamental rights and freedoms of the data owner and in order not to suffer any material and moral damage. For example, if a person whose communication information is recorded incorrectly cannot receive his/her messages on time or if they are sent to a wrong person, the relevant person may suffer material and moral damage. Again, it is important that the number of children of our employees or the working status information of their spouse is correct and up-to-date for the correct calculation of the minimum subsistence allowance (MGI). Our active duty of care to ensure that personal data is accurate and up-to-date when necessary; It is valid if a conclusion is established by our Company based on this data (for example, in cases such as lending). Apart from this, our company, as a data controller, always keeps the channels open that will ensure that the information of the relevant person is accurate and up-to-date.

Processing for Specific, Explicit and Legitimate Purposes 

Our company carries out data processing by carrying out all necessary disclosure notifications regarding personal data processing in appropriate ways in the media where both physical and electronic data recording is made before the personal data processing activity and by also obtaining consent declaration in necessary. Thus, the personal data subject to being processed before the transaction by our Company, the methods by which it was obtained and the purposes of processing are clearly and definitively revealed, and the data is processed within the scope of specific, clear and legitimate purposes related to these activities in line with the business, trade and service activities carried out by our Company. For example, our Company never processes personal data that has nothing to do with our business such as mother and maiden name in all sales and customer relations processes. 

In this context, it is also ensured that personal data processing activities are clearly understandable by the relevant person, that personal data processing activities are based on which legal processing conditions are carried out and that the personal data processing activity and the purpose of this activity is revealed in detail to ensure the specificity of the purpose of this activity. For this reason, the personal data obtained is not processed for other purposes other than the purposes of giving or by misusing in any way.   

Being Related to the Purpose for Which They Are Processed, Limited and Measured 

Our company collects personal data only in the nature and extent required by business activities and processes it in a limited and connected manner for the purposes of providing it. In this context, in accordance with the principle of being related and limited to the purpose; care is taken to ensure that the processed data is necessary and convenient for the realization of the current and current purposes, and to avoid the processing of personal data that is not related to the realization of such a purpose or is not needed. Because data processing other than what is necessary for the purpose will constitute a violation of the principle of limitation. For example, sending an advertisement to the e-mail address given to participate in a symposium is against the principle of limitation. 

According to the principle of proportionality, we take into account that a reasonable balance should be established between the data processing and the purpose to be achieved. In other words, we carry out our data processing activity only to the extent that it achieves the purpose. For example, our company does not ask any data owner for information about their social life preferences in any process. 

Retention for the Period Stipulated in the Relevant Legislation or Required for the Purpose for Which They Are Processed 

Personal data should be kept only in accordance with the period required for the purpose for which they are processed as a requirement of the “purpose limitation principle”. According to this principle, our Company does not store personal data after the expiration of the specified period, the purpose of the purpose is realized or the data processing condition has disappeared, for the purpose of using it for another purpose or based on the existence of the possibility of use in the future, and it refers to the necessary means to go to the necessary destruction. For example, if there is no other processing condition, the name and vehicle license plate information collected for participation in a campaign that will be awarded to those who receive a certain amount of product within a certain period of time, if there is no other processing condition, it is carefully followed. 

In this regard, as stated in Article 12 of the KVKK, our company as the data controller; takes all kinds of necessary technical and administrative measures to ensure the appropriate operational and security level in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation and destruction of personal data when necessary.

In this context, our company stores personal data for the minimum period of time, which is necessary for the purpose for which they are processed and stipulated in the relevant legal legislation. In the specified line, our Company first determines whether a period is provided for the storage of personal data in the relevant legislation, and if a period has been determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which the data is processed, taking into account the retention periods determined according to the field of activity of our Company. Personal data is destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and with the determined destruction methods (deletion, destruction or anonymization). You can find more detailed information on issues related to retention and destruction in addition to the text of this Policy in the “Personal Data Retention and Destruction Policy” on the “www.most-amazing-places.com” website of our Company. 

4.2. Legal Reasons for Processing Personal Data 

Except for the explicit consent of the personal data owner, the basis of the personal data processing activity can be only one of the following conditions, and more than one condition may be the basis of the same personal data processing activity. If the processed data is special personal data, additional conditions in sections 4.3 and 4.5.2. of this Policy will also apply. 

Finding the Explicit Consent of the Personal Data Owner 

The explicit consent of the data owner is one of the conditions for personal data processing. However, if the personal data processing activity is based on one of the conditions other than the explicit consent in the KVKK and specified in the following articles below, in this case, since there is no need to obtain an explicit consent from the relevant person and since the priority should be given to the conditions other than this consent specified, our company takes care to carry out data processing activities by fulfilling the disclosure obligation based on the provisions of the specified law in all cases and conditions. 

In cases where there are no legal provisions regarding this data processing or it does not sufficiently allow the processing of personal data, personal data is processed by our Company based on the express consent of the data owner. In this case, maximum care and care are taken to ensure that the explicit consent of the data owner is disclosed on a specific subject, informed and free will. Again, during data processing based on explicit consent, the disclosure notification is necessarily fulfilled independently of this and before, and thus obtaining consent in an informed manner is obtained. In the same way, the process of obtaining explicit consent aimed at data processing is not made a prerequisite for the provision of any goods or services and is carried out in a way that does not contain a situation that will be at the disadvantage of the data owner if no explicit consent is given. 

To re-emphasize, in the presence of any of the personal data processing conditions below, the personal data will be processed based on these conditions specified by our Company without the need for the explicit consent of the data owner.

Explicitly Predicted in the Laws

If the processing of the personal data of the data owner is expressly provided for in the law or in other words, if there is a clear provision regarding the processing of personal data in the relevant law such as Tax Laws, Labor Law, Commercial Code and KVKK, the existence of this data processing condition can be mentioned. For example, the personal information and file of our employees in accordance with the Labor Law or the tax numbers of our customers due to financial legislation are within this scope.

Failure to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility

If the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be granted is valid, if it is mandatory to process the personal data of the person who does not have the power to discriminate in order to protect the life or physical integrity of himself or another person, the personal data of the data owner may be processed. For example, the personal health information of the unconscious person or the processing of contact and location information of the hostage person falls within this scope.

Directly Related to the Establishment or Execution of the Contract 

Provided that it is directly related to the establishment or performance of a contract, if the processing of personal data of the parties to the contract is mandatory, limited to this purpose, this condition will be deemed to have been fulfilled. For example, cases such as recording address information for service/product performance as a result of legal relations such as Employment Contract, Sales Contract, Transportation Contract, Service Contract, etc., giving them to the transport company or requesting a document showing the training status of the Company employee are included in this scope. Also, cases such as obtaining the account number of the creditor party for paying money in accordance with a contract or paying a salary to the employee, or making a surety agreement, the Company obtaining the payroll, title deed records, and the document stating that there is no enforcement debt of that person can also be given as an example here. 

Sometimes there may be multiple legal reasons for the collection of personal data. For example, although the legal basis for the processing of the personal data of the employees for the purpose of regulating payroll falls within the scope of this article, this situation also constitutes the reason for the fulfillment of the legal obligation of our Company, which will be mentioned below.

Fulfillment of Our Company’s Legal Obligations 

If data processing is mandatory for our company to fulfill its legal responsibilities and obligations, the personal data of the relevant person may be processed. For example, due to the obligation to share information for situations such as financial audits, security legislation, compliance processes with sector-oriented regulations, data processing enters here. In this context, obtaining and processing data such as bank account number, whether they are married, dependants, whether their spouses work, social insurance numbers, etc. In order to pay salaries to our employees, can be given an example of this situation. The fact that our company submits the information of its employees or customers during the tax audit to the examination of the relevant public officials can also be evaluated in this context.

Personal Data Owner’s Fulicization of Personal Data 

If the data owner has made public his/her personal data, that is, he presents his/her information to the public with the will to publicize it and to be used for certain purposes, the relevant personal data may be processed in a limited manner for the purpose of publicization. Since it will not make it public that a person’s personal data is in a place where everyone can only see it by chance or loss, data processing is carried out by paying attention to the details on this subject. In addition, the rule of not using personal data other than its purpose is followed in case of slatification. For example, the fact that the contact information of the relevant persons on the websites where vehicles are purchased and sold cannot be used and processed for marketing purposes is taken into consideration. 

An example of this situation is that a person publicly announces his contact information in order to be contacted in certain cases. On corporate websites, if the workplace phone numbers and corporate e-mail addresses of the employees are shared openly to third parties, it can also be said to be publicized. Again, for example, the contact information of the person making an advertisement containing the supply or request of goods or services related to the field of activity of our Company may be processed for the purpose of using it in this scope. 

Data Processing is Mandatory for the Establishment or Protection of a Right 

If data processing is mandatory for the establishment, exercise or protection of a right such as applying for legal action for our company, the personal data of the data owner may be processed. These data are mandatory data to be used in works such as filing a lawsuit, registration transactions, all kinds of title deed transactions, etc. For example, the retention of some of the personal data and information of an employee who leaves the job is kept during the 10-year litigation limitation period for the purpose of using it as evidence in a lawsuit to be filed. Similarly, after the termination of the contract, the storage of documents such as invoices, contract copies, surety notifications until the end of the statute of limitations against possible lawsuits or legal proceedings for these purposes will also be evaluated within this scope.

Data Processing is Mandatory for the Legitimate Benefit of Our Company 

If the data processing is mandatory for the current, important/serious and legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data owner may be processed. In this context, for example, our Company may be able to process personal data within these scopes to be taken as a basis for the regulation of promotions, salary increases or social rights of our employees or in the distribution of duties and roles in the process of restructuring of the business, provided that it does not harm the fundamental rights and freedoms of our employees. Again, for example, data processing is carried out within this scope for the purpose of recording camera videos in the workplaces belonging to our Company for security purposes or applying rewards and premiums that increase the loyalty of our employees. 

We consider that in order for this Article to be implemented, a reasonable balance must be achieved between the legitimate interest of our Company and the rights and freedoms of the data owner not to be harmed. However, while making this evaluation, it should also be taken into account that the legitimate interest of our Company and the purpose of processing personal data should not be confused. The purpose of processing personal data is specifically related to the reason for the processing of the data. However, in this context, the legitimate interest of our Company as the data controller is interpreted more broadly due to the benefit to be obtained as a result of the data processing activity to be carried out. 

4.3. Processing of Special Personal Data 

Special personal data processed by our company is only the following special personal data belonging to our suppliers and business partners and employees/employee candidates, and these are processed in accordance with the principles stated in this Policy and provided that the method and sufficient measures to be taken by the Board, by taking all necessary administrative and technical measures and in the presence of the following conditions. Our company does not process special personal data for any group of person or data category other than these. 

Special personal data of our suppliers and business partners

Biometric data related to the video recording of our supplier and our business partners obtained through internet-based platforms used during remote work/meeting by video conference method are processed based on the legal reason of the express consent of the relevant data owner in accordance with Article 6/3-a of the KVKK. In other words, in this case, the consent of the person concerned will be obtained before the data is processed, otherwise such a special personal data will not be processed.

Special personal data of our employees and employee candidates

Special personal data of our employees are collected and processed by our Company based on the relevant legal reasons and purposes specified in Article 6/3 of the KVKK. In this context;

  • Biometric data on image recording obtained through internet-based platforms used during the video conference working meeting, upon explicit consent declaration in accordance with Article 6/3-a of the KVKK, 
  • The data on health information, in accordance with Article 6/3-a of the KVKK, upon the declaration of explicit consent, due to the declaration of the workplace health and safety, employment of disabled personnel, disability report, and those related to pregnancy and childbirth only for our female employees, are expressly stipulated in the laws in accordance with Article 6/3-b of the KVKK and in accordance with Article 6/3-f of the KVK, it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety and social security,
  • Data on criminal conviction and security measures, upon explicit consent declaration in accordance with Article 6/3-a of the KVKK, in case of obligation to employ compulsory convicts, due to the cases where it is clearly provided for in the laws in accordance with Article 6/3-b of the KVKK and it is mandatory for the fulfillment of legal obligations in the field of employment in accordance with Article 6/3-f of the KVKK, 

It is processed by our personnel who have signed a confidentiality commitment letter and OHS physicians who are under the obligation to keep it confidentiality. 

Within the scope of processing special personal data of our employee candidates; 

  • Only for candidates who apply to disabled staff, reports on physical disability and significant disorders and operations that have been subjected to before, and special personal health data regarding the information within this scope are also processed upon explicit consent declaration in accordance with Article 6/3-a of the KVKK.

Apart from these, there is no other special personal data processed by our Company. 

4.4. Clarification of the Personal Data Owner 

In accordance with Article 10 of the KVKK and the secondary legislation, our company informs the personal data owners about who their personal data is processed as the data controller, for what purposes, for what purposes it is shared with whom it is collected, by what methods it is collected and for legal reasons and the rights that the data owners have within the scope of processing of their personal data.

If the personal data in question is given to our Company by another person other than the data owner, that is, if the person relating to our Company provides the data of someone else to use, the process of obtaining clarification and, if necessary, obtaining a consent declaration for the relevant third party, is carried out during this first communication specified if this data is provided for the purpose of communication with the relevant third person, if this is not the case, at the time when the said data is processed or transferred for the first time.

As an example of the cases mentioned in the paragraph above; Situations such as customers who want to receive goods or services with someone else’s credit card, people who send reference letters for the hiring of employees or employee relatives whose identity information is taken for additional-social payment such as AGİ can be shown. 

  

4.5. Transfer of Personal Data 

Our company may transfer the personal data of the personal data owner and its special personal data to third parties (our expert service providers, suppliers, group companies, shareholders, business partners and their officials and employees and legally authorized institutions and organizations) by taking the necessary security measures in accordance with the purposes of personal data processing in accordance with the law. Our company acts in accordance with the regulations stipulated in the 8th and 9th articles of the KVKK in this direction. 

Domestic Transfer of Personal Data 

Personal and special personal data processed by our company are 8/1 of the KVKK. In accordance with the Article, it can be transferred to our above-mentioned stakeholders in the country based on the explicit consent of the relevant person. In addition, with the sending of Article 8/2-a of the KVKK, 5/2 of the same Law. Article and again with the sending of Article 8/2-b of the KVKK, 6/3 of the same Law. In the event that one of the conditions specified in the Article is present, personal and special personal data can be transferred domestically in the same way without the explicit consent of the relevant person. The provisions of other laws regarding the transfer of personal data are reserved. 

In this context, with the sending of Article 8/2-a of the KVKK, 5/2 of the KVKK, which can transfer personal data by our Company without the consent of the relevant person. The conditions in the article are as follows;

  • Clearly stipulated in the laws of the relevant activities related to the transfer of personal data,
  • The transfer of personal data by the Company is directly related and necessary to the establishment or performance of a contract, 
  • The transfer of personal data is mandatory for our Company to fulfill its legal obligation, 
  • Transfer of personal data by our Company in a limited manner for the purpose of slartification, provided that it has been made smaded by the data owner, 
  • The transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data owner or third parties, 
  • It is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
  • It is mandatory for the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid for the protection of himself or someone else’s life or physical integrity. 

With the submission of Article 8/2-b of the KVKK, the 6/3 of the KVKK, which can transfer special personal data by our Company without the consent of the relevant person. The conditions in the article are as follows;

  • Clearly stipulated in the laws,
  • It is mandatory for the protection of the life or physical integrity of a person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid, for the protection of the life or physical integrity of himself or another person,
  • Regarding the personal data made by the person concerned and in accordance with the will to be made to be made,
  • Obligation for the establishment, exercise or protection of a right,
  • It is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance. 

Transfer of Personal Data Abroad

The process of transfer of personal and special personal data processed by our company abroad is the 9th of the KVKK. It is fulfilled in accordance with the conditions specified in the Article. In this context; 

  • 9/1 of the KVKK. In accordance with Article, for personal data specified in Article 5 of the same Law and 6 of the same Law for special personal data (above “4.5.1. In the event of the existence of one of the conditions shown in detail under the title of “Transfer of Personal Data in the Country” and there is an adequacy decision given by the Board about the country, sectors in the country or international organizations to which the transfer will be made and published in the Official Gazette, the said personal and special personal data may be transferred abroad by our Company. 
  • 9/4 of the KVKK. In accordance with the Article, personal data may be transferred abroad by our Company upon the provision of at least one of the following appropriate guarantees, provided that there is one of the conditions specified in Articles 5 and 6 of the same Law, provided that there is one of one of the conditions specified in Articles 5 and 6 of the same Law, and the opportunity to exercise his rights of the relevant person in the country where the transfer will be made and to apply effective legal remedies:

a) The existence of the standard contract announced by the Board, which includes issues such as data categories, the purposes of data transfer, buyer and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special personal data,

B) The existence of a written letter of commitment containing provisions that will provide adequate protection and allowing the transfer by the Board,

C) The existence of binding company rules that the companies within our group of undertakings engaged in joint economic activities are obliged to comply with, contain provisions on the protection of personal data and approved by the Board.

  • 9/6 of KVKK. In accordance with the Article, the absence of an adequacy decision and the 9/4 of the above-mentioned KVKK. In the event that any of the appropriate guarantees provided for in the Article and paragraph cannot be provided, our Company may transfer personal data abroad only in the presence of one of the following cases, provided that it is incidental:

A) Giving explicit consent to the transfer, provided that the relevant person is informed about the possible risks,

B) The transfer is mandatory for the performance of a contract between the relevant person and our Company, which is the data controller, or for the implementation of pre-contractual measures taken at the request of the relevant person,

C) The transfer is mandatory for the establishment or performance of a contract to be made between our Company, which is the data controller, and another real or legal person for the benefit of the relevant person,

ç) Transfer is mandatory for a superior public interest,

d) The transfer of personal data is mandatory for the establishment, exercise or protection of a right,

e) The transfer of personal data is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,

F) Transfers from a registry that is open to public or persons with legitimate interests, provided that the necessary conditions for accessing the registry are met in the relevant legislation and that the person with a legitimate interest requests it.

In case of transferring personal data abroad within the scope stated above, our Company also pays attention to the following issues: 

  • The guarantees contained in this Law are also provided in terms of subsequent transfers of personal data transferred abroad and transfers to international organizations and the provisions of this article are applied (KVKK, m. 9/8),
  • Subject to the provisions of the international agreement, in cases where the interests of Turkey or the relevant person are seriously damaged, personal data may only be transferred abroad with the permission of the Board by taking the opinion of the relevant public institution or organization (KVKK, m. 9/9),
  • The provisions of other laws regarding the transfer of personal data abroad are reserved (KVKK, art. 9/10).

SPECIAL CASES IN WHICH PERSONAL DATA IS PROCESSED 

5.1. Personal Data Processing Activities for Security Purposes in Physical Places of Our Company

5.1.1. Building and Facility Entrances and Personal Data Processing Activities Performed in Them

Data processing activities carried out in physical spaces in the service units of our company fall within this scope. These image records of personal data are monitored and recorded by the company with closed circuit camera systems 24 hours a day, 7 days a week for the purpose of tracking the entry and exit of employees, customers, potential customers, visitors, company officials, shareholders, guests and other 3rd parties in the specified physical spaces, ensuring data security and physical security, presenting evidence to the judicial authorities and law enforcement officers in a possible judicial case, controlling the entry and exit of employees and other persons, and ensuring the safety of life and property. 

5.1.2. Legal Basis of Camera Monitoring Activity

The monitoring activity carried out by our company is carried out in accordance with the Regulation on Opening a Business and Work Licenses, the Law on Private Security Services and other relevant legislation.

Again, the Company acts in accordance with the regulations in the KVKK in the implementation of camera monitoring activities for security purposes. In order to ensure security in the service units, the company carries out closed circuit security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the KVKK.

5.1.3. Information on Monitoring with Camera 

10th of KVKK by our company. In accordance with the article, the personal data owner is enlightened. In this regard, clarification texts and warning signs in accordance with the Law No. 6698 and related legislation are visibly positioned in the monitored areas. Our company notifies the camera monitoring activity of its lighting in relation to general issues with more than one method. Thus, it is aimed to prevent the fundamental rights and freedoms of the personal data owner, to ensure transparency and enlightenment of the personal data owner.

Again, for the processing of personal data by the Company with a camera; This Policy is published on the website (online policy regulation) and a notification letter and signs are hung at the entrances of the areas where the monitoring is carried out (in-place lighting, layered lighting).

5.1.4. Limitation of the Purpose and Purpose of Conducting the Monitoring Activity with the Camera

Our company processes personal data in a limited and measured manner related to the purpose for which they are processed in accordance with Article 4 of the KVKK. The purpose of the company’s video camera monitoring activity is limited to the purposes listed in this Policy. In this direction, the monitoring areas, number and when to monitor the security cameras are put into practice as sufficient and limited to achieve the security purpose. Areas that may result in intervention in a way that exceeds security purposes are not subject to monitoring.

5.2. Processing of Information Regarding the Company’s Website and Users to Which It Provides Internet Access

5.2.1. Processing of the Company’s Website User Information

On the websites owned by the company; to ensure that the people who visit these sites make their visits to the sites in a suitable way for the purpose of visiting; in order to show them customized content and to carry out online advertising activities, IP information and technical means (e.g. Cookies/such as cookies) internet movements within the site can be recorded. Detailed explanations regarding the protection and processing of personal data related to these activities carried out by the company are in the “Clarification Text on Cookies” on the website “www.most-amazing-places.com”.

5.2.2. Processing of Information Regarding Users Provided by the Company’s Internet Access

In the event that our company uses the internet access provided free of charge during their stay in the company’s service units for employees, shareholders and visitors (third parties), the information entered for the internet access connection, the identity number of the connected device, the IP and LOG record and other traffic information can be recorded in accordance with the provisions of the legislation regulated in accordance with the Law No. 5651 and this Law. Only a limited number of Company employees have access to the information obtained in this context.

These records are processed only for the purpose of fulfilling our relevant legal obligation in the audit processes to be requested by authorized public institutions and organizations or to be carried out within the Company and/or to protect our legal rights and to establish defense rights in order to ensure information security, and are not shared with third parties except our expert service providers. 

CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND PURPOSES OF PROCESSING AND SHARING

In accordance with Article 10 of the KVKK and secondary legislation, the relevant persons are informed in accordance with the personal data processing purposes of our Company, based on at least one of the personal data processing conditions specified in Article 5 and 6 of the Law, in accordance with the general principles and conditions specified in Article 4 of the KVKK regarding the processing of personal data, in accordance with the general principles and conditions specified in Article 4 of the KVKK, in accordance with the personal data processing of the general principles specified in the KVKK. 

Personal data categories and descriptions processed within the scope of personal data processing activities carried out by our company are arranged and shown in the Table below:

Table 2: Personal data categories

PERSONAL DATA 

CATEGORIES 

DESCRIPTION 

Identity Information 

Personal data containing information about the identity of the person; name-surname, Turkish identity number, nationality information, marital status, mother’s name-father’s name, name, place of birth, age, gender, driver’s license documents such as identity card and passport, tax number, SSI number, signature information, etc. information. 

Contact Information 

Personal data such as phone number, address, e-mail address. 

Employee, Former Employee, Employee Candidate Information

Personal data processed in written, visual and electronic media in accordance with the applicable legislation and commercial practice rules regarding company employees, former employees, employee candidates and interns. 

Family Members and Close Knowledge 

Within the framework of operations carried out by the Company’s business units, personal data about the family members of the personal data owner (for example; spouse, mother, father, children for chronic disease follow-up in the scope of workplace health activity) in order to protect the legal interests of the Company and the data owner in order to protect the legal interests of the Company and the data owner. 

Physical Space Safety Information 

Personal data regarding the records and documents taken at the entrance to the physical space, during the stay in the physical space; camera recordings and records taken at the security point, etc. 

Transaction Security Information 

Personal data such as internet access and web traffic information, security camera image and call center audio recordings provided by the Company, which are processed to ensure the technical, administrative, legal and commercial security of both the data owner and the Company while carrying out the activities of the Company. 

Risk Management Information 

Personal data processed through methods used in accordance with generally accepted legal, commercial practices and honesty rules in these fields for the management of commercial, technical and administrative risks. 

Financial Information 

Personal data such as bank account number, IBAN number, credit card information, financial profile, personal data processed in relation to information, documents and records showing all kinds of financial results created within the scope of the legal relationship between the company and the data owner. 

Legal Transaction and Compliance Information 

Personal data processed within the scope of the determination and follow-up of the legal receivables and rights of the Company and the performance of its debts, legal obligations and compliance with the Company’s policies, and again related to the legal proceedings of its employees. 

Special Personal Data 

The data specified in Article 6 of the Law (for example, health data, including blood type, criminal record information). 

Request/Complaint Management Information 

Other personal data, including call center audio recording regarding the receipt and evaluation of any request or complaint addressed to the company. 

Reputation Management Information 

Personal data associated with the person and collected for the purpose of protecting the Company’s commercial reputation (for example; sharing about the Company). 

Event Management Information 

Information and assessments collected about events associated with the personal data subject and related to the Company’s employees, the potential to affect its shareholders (e.g. collected information on the proper management of the public, assessments, etc.). 

The purposes of personal data processing within the scope of personal data processing activities carried out by our company are shown in the Table below:

Table 3: Purposes of personal data processing

MAIN OBJECTIVES

SECONDARY GOALS 

Identification, planning and implementation of our company’s commercial policies

1. Planning and execution of in-house or external training activities

2. Conducting financial, accounting and financial transactions with customers, business partners and suppliers, performing risk management,

Design and Execution of the Company’s Human Resources Activities

1. Planning and execution of human resources and employee procurement processes 

2. Fulfillment of obligations arising from employment contract and legislation for company employees

3. Follow-up and control of employees’ work activities

4. Planning and execution of benefits and benefits for employees

5. Planning and execution of employee exit procedures

6. Planning and follow-up of employee performance evaluation processes

7. Planning and execution of in-house training activities

8. Management of relationships with business partners and suppliers

9. Wage management

10. Planning and execution of internal orientation activities

Carrying out the necessary studies by the business units within the company for the implementation of the commercial activities carried out by the company in accordance with the legislation and company policies and carrying out the activities in this direction

1. Follow-up of finance and accounting works

2. Execution of investor relations and marketing activities

3. Planning and execution of corporate communication activities

4. Planning and execution of activity/efficiency and on-site analysis of business activities, Event management

5. Uninterrupted execution of supply chain and processes, 

6. Creation and management of information technology infrastructure

7. Planning, supervision and execution of information security processes

8. Planning and execution of work continuity activities

9. Planning and execution of information access authorizations of business partners and suppliers

10. Fulfillment of obligations related to after-sales support

Supporting the design, planning and execution of the company’s human resources activities

1. Support in planning the company’s human resources strategies

2. Follow-up and announcement of company employees’ transfer, temporary assignment, promotion and dismissal

3. Supporting the planning and execution of the processes of measuring company employee loyalty

4. Supporting company employee procurement processes

Company’s

commercial reputation and

of the trust it creates

protection

1. Demand and complaint management

2. Carrying out studies to protect the reputation of the company values

In accordance with the principles contained in the KVKK and especially the 8th and 9th articles of the Law No. 6698, our company transfers/shares personal data within the scope of this Policy to the groups of recipient persons listed below for the purposes specified in the Table below:

Table 4: Categories of parties to which personal data is transferred and for transmission purposes 

DATA TRANSFERRED PEOPLE 

DEFINITION 

PURPOSE OF DATA TRANSFER 

Shareholders, Group Companies, Business Partners and Officials and Employees

Parties in which the company has established a business partnership / association within or outside the group for purposes such as carrying out the company’s partner and commercial activities 

Limited to ensure the fulfillment of the purposes of establishment and execution of the business partnership / association 

Suppliers, Service Providers, Expert Service Providers, Their Authorized and Employees, Related Bank Branch-Financial Institutions, BES Company 

Within the scope of the performance of the company’s commercial activities, the parties providing goods or services to the Company in accordance with the Company’s instructions and on a contractual basis 

Limited to ensure the provision of goods and services required by the Company to carry out the Company’s commercial activities and expertise services such as Accounting, Finance, Informatics and Law, which the Company outsources from the supplier 

Legally Authorized Public Institutions and Organizations 

According to the provisions of the relevant legislation, the Company’s public institutions and organizations authorized to receive information and documents 

Limited to the purpose requested by the relevant public institutions and organizations within the legal authority 

Legally Authorized Private Law Legal Entities 

Private law legal entities authorized to receive information and documents from the Company according to the provisions of the relevant legislation 

Limited to the purpose requested by the relevant private law legal entities within the scope of their legal authority 

STORAGE AND DESTRUCTION OF PERSONAL DATA

Our company retains personal data in accordance with the period required for the purpose for which they are processed and the minimum periods stipulated in the legal legislation to which the relevant activity is subject. In this context, our Company first determines whether a period is provided for the storage of personal data in the relevant legislation, and if a period has been determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which they are processed. Personal data is destroyed at the end of the specified storage periods in accordance with the periodic destruction periods or the data owner application and with the determined destruction methods (deletion, destruction or anonymization).

You can find all the detailed and necessary explanations regarding the storage and destruction of the personal data processed by our company, the recording environments where the said data are kept, all technical and administrative measures taken regarding the safe storage and protection, explanations regarding the legal reasons requiring storage and destruction, process-based personal data retention periods and periodic destruction periods and destruction techniques, which will be found on the “www.most-amazing-places.com” website of our Company, in the text of “Personal Data Retention and Destruction Policy”.

PRIVACY

Our company does not transfer and disclose your personal data to unauthorized third parties other than persons or institutions written in this Policy and in the “Customer Personal Data Clarification Text” and other special clarification texts published on our website “www.most-amazing-places.com” in any way and without your explicit consent, except for the exceptions in Articles 8 and 9 of the KVKK. Only authorized personnel of our Company with confidentiality agreement and our workplace physicians who have an obligation to keep secrets in terms of health data can access your personal data processed by our company.

Our company may use statistical information (browser type, geographical location, etc.) in order to improve the website and to obtain statistics for effective and efficient work in general, without disclosing personal identities on the website. This information is not disclosed to third parties in any way. However, due to legal obligation and/or in response to the requests of official authorities, it may share it with the relevant parties written in this Policy and the Clarification Text. 

Our Company does not guarantee that other sites you visit through links on our website will comply with our Company’s Privacy Principles; therefore, before providing any personally identifiable information, you should evaluate the privacy approaches of the sites you visit.

Our company takes all necessary measures according to the nature of the personal data to be protected in order to prevent the disclosure and transfer of your personal data in a way that is contrary to the Law No. 6698, the provisions of this Policy and the disclosure texts prepared separately for the relevant person groups as the application / procedure documents of this Policy, and to provide access to this data and other security deficiencies that may occur.

RIGHTS OF PERSONAL DATA OWNERS AND USE OF THESE RIGHTS

Rights of the Personal Data Owner 

Personal data owners are subject to the 11th of the Law. According to the Article, they have the following rights:

a) Learning whether your personal data has been processed, 

B) If your personal data is processed, requesting information about it, 

c) To learn the purpose of processing your personal data and whether it is used in accordance with its purpose, 

ç) Knowing the third parties to whom your personal data is transferred at home or abroad, 

d) To request the correction of your personal data in case of incomplete or incorrect processing,

E) Within the framework of the conditions stipulated in Article 7 of the KVKK, to request the deletion or destruction of your personal data that has been processed in a legal manner in case of the disappearance of the reasons requiring the processing, 

f) To request that the transactions made in accordance with paragraphs (d) and (e) be notified to the third parties to whom your personal data is transferred, 

g) Objecting to the emergence of a result against you by analyzing your processed data exclusively through automatic systems, 

ğ) Requesting the removal of the damage in case you suffer damage due to the unlawful processing of your personal data.

h) To stop and withdraw your consent to the processing of your personal data and your consent to be sent to you electronic commercial messages at any time without giving any reason.

9.2. Ways to Apply to Our Company Within the Scope of Your Rights 

Your requests within the scope of the use of your above-mentioned rights, by filling out the “Personal Data Owner Application Form” according to the “Communiqué on the Procedures and Principles of Application to the Data Controller” or with a similar petition, our Company’s “Gümüşsuyu Mah. İnönü St. Melek Apt. You can apply to the address No: 11/2 Beyoğlu/İSTANBUL in person and send it by sending it to “pelin@most-amazing-places.com” by applying in person to the address of your identity or through a notary, or by sending it by e-mail to “pelin@most-amazing-places.com” via registered/secure e-mail.

Depending on the nature of your request, your applications will be finalized free of charge as soon as possible and within thirty days at the latest; however, if the process requires an additional cost, a fee may be requested from you according to the tariff to be determined by the Personal Data Protection Board.

PUBLICATION AND STORAGE OF THE POLICY 

The policy is published in two different media, wet signed (printed paper) and electronic, and announced to the public on the website. The printed paper copy is also stored in the file to be kept by the Contact Personal Data Controller, who is the Company’s Relevant Employee. 

UPDATE PERIOD OF THE POLICY 

The policy is reviewed as needed and the necessary sections are updated.

ENFORCEMENT AND REPEAL OF THE POLICY 

This Policy issued by our company is dated 01.06.2024. The policy is considered to have entered into force after the publication of our Company on the website www.most-amazing-places.com and is considered accessible to personal data owners. In case of renewal of all or certain articles of the Policy, the effective date will be updated. 

If it is decided to repeal the Policy, the old copies with wet signatures are canceled and signed by the Company Liaison Person with the Company Data Controller Authority Decision (by stamping the cancellation stamp or writing the cancellation) and stored in the file to be kept by the Personal Data Controller, who is the Company’s Relevant Employee, in the file to be kept by the Contact Person.