INTRODUCTION AND SCOPE
This Privacy Policy (“Policy”) determines the rules regarding personal data processed by the Company during the use of the site named [*] (“Website”), which is made available and operated by Yaşar Turizm Yatırımları İşletmecilik A.Ş. (“Company”). The purpose of the Policy is to ensure that the personal data of Data Owners (those whose personal data are processed during the use of the Website will hereinafter be referred to as “Data Owner”) are processed in accordance with the Personal Data Protection Law No. 6698 and other relevant legislation.
Use of the Website means that this Policy has been read, understood and accepted. If you do not accept the rules stated in this Policy, please stop using the Website immediately.
If there is a link to third party websites or applications or similar elements through the Website, the websites, applications or similar elements accessed as a result of the use of such link are outside the scope of this Policy. In such cases, the privacy policy of the relevant website, application or similar element may be applicable.
Data that does not constitute personal data and anonymized data are outside the scope of this Policy.
CHANGE OF POLICY
The Company reserves the right to change the Policy at any time and in any way it wishes. The new version of the Policy will come into force at the time the amended policy is published on the Website or when Data Owners are informed through other communication methods, unless otherwise stated.
WHO IS THE DATA CONTROLLER RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA?
In terms of processing your personal data, the data controller within the scope of the Personal Data Protection Law No. 6698 is Yaşar Turizm Yatırımları İşletmecilik A.Ş.
OUR BASIC PRINCIPLES REGARDING THE PROCESSING OF YOUR PERSONAL DATA
We act in accordance with the following principles when processing your personal data:
• Complying with the law and the rules of honesty,
• Being accurate and up to date when necessary,
• Processing for specific, clear and legitimate purposes,
• Being related to the purpose for which they are processed, limited and proportionate,
• Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
WHICH OF YOUR PERSONAL DATA ARE PROCESSED?
Your following personal data is collected and processed by the Company within the scope of this Policy:
• Your name and your surname,
• E-Mail Address,
• Your request/suggestion/complaint sent via the contact form,
• Your IP address,
• Your CV information that you submit through the Human Resources department.
WHAT ARE THE METHODS OF COLLECTION AND PURPOSES OF PROCESSING YOUR PERSONAL DATA?
Your personal data is collected through Cookies during your use of the Website or by filling in the relevant fields as Data Owners.
The Company may use your personal data to evaluate, analyze and respond to your requests/suggestions/complaints. In addition, your collected personal data may be processed for purposes such as the Company’s ability to fulfill its legal obligations.
WITH WHOM IS YOUR PERSONAL DATA SHARED?
The Company may share your personal data within the scope of this Policy, and the new personal data obtained by processing them, with third parties domestically or abroad from whom it receives support or services, in order to achieve the data processing purposes specified in the relevant section.
Finally, your personal data may also be shared with judicial and administrative authorities or institutions and organizations that request it in accordance with the legal rules.
STORAGE OF YOUR PERSONAL DATA
Your personal data will be stored for the periods required for the purposes of processing your personal data described in the relevant section above or for the legally required periods.
INFORMATION ABOUT THE PRECAUTIONS TAKEN REGARDING THE SECURITY OF YOUR PERSONAL DATA
In order to ensure that your personal data is not processed unlawfully, that your personal data is not accessed unlawfully, and that your personal data is stored securely, the Company takes all necessary technical and administrative measures and carries out the necessary audit work to ensure the appropriate level of security.
Your personal data will not be processed and shared with third parties by the Company in violation of this Policy, other policies enacted and implemented by the Company, and the rules specified in the Personal Data Protection Law No. 6698.
WHAT ARE THE RIGHTS YOU HAVE REGARDING YOUR PERSONAL DATA?
You can exercise the following rights regarding the processing of your personal data by making a request to the Company:
• Learning whether your personal data is being processed or not,
• If your personal data has been processed, request information regarding this,
• Learning the purpose of processing your personal data and whether your personal data is used in accordance with the purpose of processing,
• Knowing the third parties to whom your personal data is transferred at home or abroad,
• Request correction of your personal data if it is incomplete or incorrectly processed,
• Requesting the deletion or destruction of your personal data within the framework of the conditions stipulated in the relevant legislation,
• To request that correction, deletion and destruction operations carried out in accordance with the relevant legislation be notified to third parties with whom your personal data has been shared,
• Object to the emergence of a result unfavorable to you by analyzing your processed personal data exclusively through automatic systems,
• Request compensation for the damage if you suffer damage due to unlawful processing of your personal data.
Your requests to exercise your rights regarding your personal data will be concluded by notifying you within thirty (30) days at the latest.
As the Data Owner, you can ensure that your personal data within the scope of this Policy is complete, accurate and up-to-date, and you can also update them if there are any changes in the personal data in question. Otherwise, the Company will not have any liability.
OUR CONTACT INFORMATION
You can contact the Company to submit your questions regarding this Policy and to exercise your rights regarding your personal data. However, communications established without using legal means and without complying with the form and content requirements stipulated by the relevant law may not be taken into account by the Company.
Dear Guest,
Thank you for choosing us.
We would like to inform you regarding the personal data processing activity we will carry out due to your stay, within the framework of Article 10 of the Personal Data Protection Law No. 6698 (“Law”). In this respect, the data controller within the scope of the Law is Yaşar Turizm Yatırımları İşletmecilik A.Ş. (“Yaşar Turizm”).
WHY DO WE COLLECT YOUR PERSONAL DATA?
We collect your personal data for the following purposes:
• performing the contract for accommodation services;
• fulfilling legal obligations within the scope of accommodation;
• ensuring the security of our facility and those in our facility;
• ensuring guest satisfaction;
• carrying out operations regarding the service to be provided to you as a guest;
• making accommodation reservations, finalizing accommodation and confirming accommodation fees;
• meeting your special requests as guests and preparing special treats;
• carrying out confirmation procedures with the agency you applied to regarding your accommodation;
• preparing an incident report in case of any incident within the scope of facility security;
• ensuring the effectiveness, efficiency and appropriateness of our hotel services at the highest level;
• if we have your explicit consent, informing you about promotions and discounts and sending surveys for guest satisfaction;
• if we have your explicit consent, providing you with a better accommodation experience by remembering or recording your preferences and expectations for your next visit;
• meeting your special requests and protecting the health of you and your children, for which we collect your health data such as allergies and sensitivities with your explicit consent.
BY WHAT METHOD AND ON WHAT LEGAL GROUNDS DO WE COLLECT AND STORE YOUR PERSONAL DATA?
We may collect and store your personal data that we need to fulfill the above-mentioned Purposes, verbally, in writing, physically and/or electronically. We store your personal data in electronic and/or physical environments, digitally or on paper, in a way that can be accessed by our employees, managers, relevant technical support team and archivists.
We collect your personal data in accordance with Art. 5/2 clauses (a) (explicitly foreseen by law), (c) (establishment or execution of a contract), (d) (fulfillment of legal obligations), (e) (establishment, use and protection of a right) and (f) (legitimate interest); in accordance with Art. 6/2, by obtaining your explicit consent; and in accordance with Art. 6/3, in cases where the processing of special categories of personal data is mandatory in the exercise of fundamental rights and freedoms.
DO WE SHARE YOUR PERSONAL DATA WITH OTHERS?
Of your personal data that remains with us during your stay, we only transfer your general personal data to the Gendarmerie Command for the identity notification system, to the tax office and banks for payments, and to agencies for reservation transactions.
WHAT ARE THE RIGHTS YOU HAVE FOR THE PROTECTION OF YOUR PERSONAL DATA?
Your rights that you can exercise under the law:
• Learning whether your Personal Data is being processed or not,
• If your Personal Data has been processed, request information about how it is processed,
• Learning the purpose of processing your Personal Data and whether your Personal Data is used in accordance with the purpose of processing,
• Knowing the third parties to whom your Personal Data is transferred domestically or abroad,
• Request correction of your Personal Data if it has been processed incompletely or incorrectly,
• Requesting the deletion or destruction of your Personal Data within the framework of the conditions stipulated in the relevant legislation,
• Request that correction, deletion and destruction operations carried out in accordance with the relevant legislation be notified to third parties with whom your Personal Data has been shared,
• Object to the emergence of a result unfavorable to you by analyzing your processed Personal Data exclusively through automatic systems,
• Request compensation for the damage if you suffer damage due to unlawful processing of your Personal Data.
For detailed information about the above, you can contact the Yaşar Turizm [*] Department using the [*] e-mail address. However, requests submitted without considering the form and content conditions stipulated by the Law and the relevant sub-legislation may not be taken into consideration by Yaşar Turizm.
INTRODUCTION AND SCOPE
These Terms of Use (“Terms”) determine the rules regarding the use of the site named [*] (“Website”), which is made available and operated by Yaşar Turizm Yatırımları İşletmecilik A.Ş. (“Company”).
By using this Website, you are deemed to have accepted these Terms. If you do not accept any provision of the Terms, please stop using the Website.
The rules regarding personal data and privacy that will apply to your use of the Website (including the use of cookies) are regulated under the Personal Data Protection and Privacy Policy, which is an integral part of these Terms.
If there is a link to third party websites or applications or similar elements via the Website, the websites, applications or similar elements accessed as a result of the use of such link are outside the scope of these Terms. In such cases, the terms of use of the relevant website, application or similar element may be applicable.
CHANGING THE TERMS
The Company reserves the right to change the Terms at any time. The new version of the Terms will come into force at the time the new amended Terms are published on the Website or when users are informed through other communication methods, unless otherwise stated.
USE OF THE WEBSITE
The Website was established for the purposes of informing the public about the Company and its activities and fulfilling our legal obligations. Our users will also be able to individually benefit from the Website for these purposes.
However, you cannot engage in any activity that may damage the Website. In addition, you cannot engage in activities that would allow unauthorized use of the Website’s technology or intellectual property rights on the Website, such as reverse engineering.
INTELLECTUAL AND INDUSTRIAL PROPERTY RIGHTS
The Website and the contents on it are or may be subject to copyrights, trademark rights, design rights and other intellectual and industrial rights (all these together will be referred to as “Intellectual and Industrial Property Rights”).
The use of the Website will not mean that anyone is given the right to transfer, license, or reproduce, disseminate, use and exploit Intellectual and Industrial Property Rights in any way. Use of any content without permission from the Company may constitute a violation of the Company’s Intellectual and Industrial Property Rights.
CONTENT ON THE WEBSITE
The Company makes every effort to ensure that the content on the Website is always up-to-date and accurate. Despite this, the Company does not guarantee that all content shared on the Website is always up to date.
Our companies are introduced on the Website and general and public information about our activities is shared. If you need to make a decision regarding our companies or our activities, it is your responsibility to determine whether they are fit for purpose in the decision you wish to make.
None of the information and statements contained in the content we share through the Website can be considered as an invitation to contract and do not constitute any statement or commitment.
You are entirely responsible for the decisions you make based on the Website content. The Company has no responsibility for these decisions.
PROVISIONS REGARDING THE CONTENT OF THE WEBSITE AND KEEPING IT AVAILABLE
The Company may make any changes to the Website at any time, and may also remove the content shared on the Website, partially or completely, to the extent permitted by applicable laws.
Due to the nature of the Website, it may sometimes be necessary to interrupt the publication for a short time for purposes such as technical maintenance, correction or renewal of the Website. In such a case, the Company will not be held responsible for not being able to access the Website.
LIABILITY OF THE PARTIES
It cannot be claimed that any damage has occurred by using or benefiting from the Website and compensation for this damage cannot be claimed. You are responsible for all consequences that may arise from the use of the Website.
COMPETENT COURT AND APPLICABLE LAW
All disputes that may arise from the use of the Website will be subject to Turkish law. Antalya Courts and Enforcement Offices will be exclusively authorized to resolve such disputes.
OUR CONTACT INFORMATION
You can contact us using the contact form we provide on the Website to submit your questions about these Terms.
CONTENTS
Purpose
Definitions and Abbreviations
Principles
Scope
Data Protection Committee
Storage
Destruction
Technical and Administrative Measures
Violation of Policy
Miscellaneous Provisions
Maximum Storage and Destruction Periods (ANNEX-1)
Titles and Units of Data Protection Committee Members (ANNEX-2)
1. PURPOSE
1.1. This Storage and Destruction Policy (“Policy”) was prepared, in accordance with Article 5 of the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”), to be implemented together with Yaşar Turizm’s Personal Data Processing Inventory (“Inventory”).
1.2. This Policy sets forth the general procedures for storing and destroying personal data within Yaşar Turizm in order to ensure compliance with the Law and secondary legislation to which Yaşar Turizm Yatırımları İşletmecilik A.Ş. (“Yaşar Turizm”) is subject.
1.3. This Policy aims to ensure that Yaşar Turizm’s documents and media containing personal data are stored securely and that personal data where the purpose and conditions of processing are eliminated are destroyed.
1.4. This Policy has been prepared in line with Yaşar Turizm’s data processing activities and applies to all physical and electronic documents/media, including originals and copies.
2. DEFINITIONS AND ABBREVIATIONS
Unless they are proper nouns and are defined separately within the Policy, capitalized terms have the meanings defined below.
Explicit Consent refers to consent regarding a specific subject, based on being informed and expressed with free will.
Active Records refer to the data that is actively used within the scope of Yaşar Turizm’s activities.
Inactive Records refer to data that are not within the scope of Active Records and are not directly used by Yaşar Turizm but may be needed.
Anonymization refers to making personal data impossible to associate with an identified or identifiable natural person in any way, even if it is matched with other data.
Maximum Storage and Destruction Periods Table / Table refers to the Maximum Storage and Destruction Periods Table in ANNEX-1.
IT Department refers to Yaşar Turizm’s Information Technologies Department.
Inventory / Personal Data Processing Inventory refers to the list/table in which the personal data processing activities carried out by Yaşar Turizm depending on its business processes are detailed by associating them with the personal data processing purposes, data category, transferred recipient group and data subject group, and by stating the maximum period required for the purposes for which personal data are processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security.
Secondary Legislation refers to the Regulation on the Working Procedures and Principles of the Personal Data Protection Board issued by the Personal Data Protection Board, the Anonymization Regulation, the Registry Regulation, the Communiqué on the Procedures and Principles of Application to the Data Controller, the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, communiqués that may be issued in the future, and administrative or judicial decisions and principles.
Relevant Users refers to the persons, units and departments that process personal data within the Yaşar Turizm organization or in line with the authority and instructions received from Yaşar Turizm, except for the person or unit responsible for the general technical storage, protection and backup of data.
Destruction refers to any or all of the processes of deletion, destruction and/or anonymization.
Law refers to the Personal Data Protection Law No. 6698.
Records refer to all records created by Active and Inactive Records.
Personal Data/s refers to any information regarding an identified or identifiable natural person.
Board refers to the Personal Data Protection Board.
Institution refers to the Personal Data Protection Authority.
Yaşar Turizm means Yaşar Turizm Yatırımları İşletmecilik A.Ş.
Personal Data of Special Nature refers to data regarding individuals’ race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Policy refers to this Storage and Disposal Policy.
The Guide refers to the Guide on Deletion, Destruction or Anonymization of Personal Data published by the Authority on 28/29 November 2017.
Deletion refers to the process of making personal data inaccessible and unusable for Relevant Users in any way.
Data Processor refers to the real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Protection Committee refers to the committee consisting of elected people, formed in order to fulfill the duties assigned to it within the scope of this Policy and Yaşar Turizm’s obligations under the legislation.
Data Owner refers to the natural person whose personal data is processed or managed.
Data Controller refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Destruction refers to the process of making personal data inaccessible, irretrievable and unusable by anyone.
The Regulation refers to the Regulation on Deletion, Destruction or Anonymization of Personal Data, which was published in the Official Gazette on 28 October 2017 and entered into force on 1 January 2018.
3. PRINCIPLES
This Policy observes the following principles set out in the Law. When personal data is processed in accordance with the law, it must be:
• Processed in compliance with the law and the rules of honesty;
• Accurate and up to date when necessary;
• Processed for specific, explicit and legitimate purposes;
• Related to the purpose for which it is processed, limited and proportionate, and
• Kept for the period stipulated in the relevant legislation or necessary for the purpose for which it is processed.
4. SCOPE
4.1. This Policy is implemented throughout Yaşar Turizm and constitutes an institutional framework regarding Personal Data.
5. DATA PROTECTION COMMITTEE
5.1. The purpose of the Data Protection Committee established by the authorized bodies of Yaşar Turizm is to update, change and manage the Inventory within Yaşar Turizm; to store and destroy Personal Data; to evaluate and respond to requests from outside Yaşar Turizm regarding Personal Data; and to fulfill Yaşar Turizm’s obligations within the scope of the relevant legislation and the duties assigned to it in this Policy, especially ensuring coordination between Yaşar Turizm departments.
5.2. The Data Protection Committee monitors, gives relevant advice and organizes all kinds of personal data activities, including Personal Data processing, storage and anonymization within Yaşar Turizm. The titles and units of the people in the Data Protection Committee are included in ANNEX-2.
5.3. The Data Protection Committee cooperates with authorized institutions regarding Personal Data, such as the Institution and the Board, and carries out communications and contacts regarding Personal Data. Regarding Personal Data processing activities, it acts as the contact and communication point for supervisory authorities regarding personal data such as the Institution and the Board and, if necessary, corresponds with the relevant institutions and organizations.
5.4. While performing its duties, the Data Protection Committee observes the risks related to processing activities and takes into account the nature, scope, content and purposes of the processing activity.
5.5. All Yaşar Turizm departments, employees and suppliers must operate in compliance with the Data Protection Committee. Each department manager, together with the Data Protection Committee, is responsible for the implementation of this Policy. Establishing or operating a Data Protection Committee does not eliminate the responsibility of department managers.
5.6. Questions regarding the implementation of this Policy are forwarded to the Data Protection Committee.
6. STORAGE
6.1. Reasons Requiring Storage of Personal Data
Personal Data is processed by Yaşar Turizm in line with the reasons specifically stated for each data processing process in the Inventory. These reasons are also mentioned in the 2nd paragraph of Article 5 of the Law and are listed below:
a) It is clearly foreseen in the law,
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity,
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
d) It is mandatory for the data controller to fulfill its legal obligation,
e) It has been made public by the person concerned,
f) Data processing is mandatory for the establishment, exercise or protection of a right, and
g) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
6.2. Storage of Physical Records
Physical Records consist of records found on paper, microfiche and similar media, such as records on paper, contracts, minutes, invoices and photographs.
Active Records and Records that need to be easily accessed due to daily activities are stored in Yaşar Turizm’s active work areas.
Inactive Records are forwarded to Yaşar Turizm’s archive and archived there. The Relevant User’s access to the data sent to the archive is terminated and can only be accessed by the archive management for the purpose of protecting, organizing and maintaining the archive.
6.3. Storage of Electronic Records
Electronic Records consist of digital records in many media, including voice recordings, photographs, videos and visual and audio media. Electronic Records containing Personal Data are stored in secure electronic environments in a way that keeps them accurate and up to date, allows access by the persons who need to process the personal data, and prevents access and processing by unauthorized third parties.
Adequate protection measures are taken and implemented with the recommendation of the IT Department and the approval of the Data Protection Committee to ensure that Electronic Records are protected against loss, alteration, unauthorized destruction, access during storage processes, and to ensure that they are complete, accurate and legible.
6.4. Storage Periods
Storage periods are determined specifically for each data processing process in the Inventory, as the relevant processes and activities vary among themselves. For this reason, the Inventory is primarily used to determine storage periods. In addition, the longest storage periods applied within the scope of any data processing activity for each Data Owner group are given in the Maximum Storage and Destruction Periods Table in ANNEX-1.
7. DESTRUCTION
7.1. Reasons Requiring Destruction of Personal Data
Within the scope of this Policy, the term “Destruction” is used as a superconcept covering all deletion, destruction and anonymization processes, as stated in the Definitions section.
Situations regarding the destruction of personal data are stated below. Actions regarding how destruction will be carried out are determined by the Data Protection Committee according to the conditions of the concrete case and the provisions of the Law, Regulation and Secondary Legislation.
i. When the Data Owner requests the destruction of Personal Data,
ii. In case the Data Owner withdraws his/her explicit consent in Personal Data processing and storage processes based on explicit consent,
iii. If the Board requests the destruction of Personal Data in accordance with the procedure,
iv. In case all of the processing conditions of Personal Data or the purposes and legal/contractual requirements for the processing of Personal Data are eliminated, and
v. If the specified Personal Data retention period expires.
7.2. Data Owner’s Destruction Request
When the Data Owner requests Destruction of Personal Data; Yaşar Turizm first evaluates whether all of the processing purposes and data processing conditions included in the Inventory and to be determined additionally have been eliminated. If it is concluded that the purpose and conditions continue, the Data Owner’s request and justification may be rejected in writing. The written decision is sent to the Data Owner who made the request within 30 (thirty) days. If it is concluded that the purpose and conditions do not continue, the Destruction procedures listed below will be applied and the Data Owner who made the request will be informed in writing within 30 (thirty) days.
7.3. Data Owner’s Withdrawal of Explicit Consent
If the Data Owner states that he has withdrawn his explicit consent other than the destruction of his Personal Data; Yaşar Turizm first evaluates whether the relevant Personal Data is processed only based on explicit consent. At this point, the purpose of the relevant processing process in the Inventory is determined and it is confirmed whether there is any additional or different purpose. If it is concluded that the processing activity is not based on explicit consent or that there are other purposes besides explicit consent, the Data Owner’s request may be rejected in writing, stating the reason. The written decision is sent to the Data Owner who made the request within 30 (thirty) days. If it is concluded that the data processing activity is based only on explicit consent, the destruction procedures listed below are applied and the requesting Data Owner is informed in writing within 30 (thirty) days.
7.4. Periodic Review and Destruction
A periodic review process is carried out within Yaşar Turizm every 6 (six) months in order to determine whether all of the processing conditions or purposes or legal/contractual requirements of Personal Data, which are reasons for destruction, have been eliminated and whether the specified Personal Data retention periods have expired.
The review process is carried out by each Yaşar Turizm department regarding its internal processes under the supervision of the Data Protection Committee and the results are reported to the Data Protection Committee. The reports specifically indicate which types of Active Records exist within the department, which Records will be archived, and which Records will be destroyed.
The Data Protection Committee evaluates the reports submitted to it, carries out the necessary checks, and makes decisions regarding archiving and destruction. It chooses the appropriate destruction method for the Records it decides to destroy.
The first periodic destruction is done [at the end of the calendar year], the second every year [at the end of June]. Records whose processing conditions and purposes are determined to have been eliminated outside the periodic review period are destroyed during the first subsequent periodic destruction.
7.5. Starting the Destruction Procedure
The actual destruction procedure is initiated by the decision of the Data Protection Committee. The decision includes the types of data to be destroyed, the reasons for destruction, the method of destruction, the names of the persons who will carry out the physical destruction, the date of destruction and how the destruction process will be recorded in a demonstrable manner.
7.6. Destruction Methods
7.6.1. Destruction: Destruction of records is achieved by making personal data inaccessible, irretrievable and unusable by anyone. In order for Personal Data to be destroyed, all copies containing the data must be identified, and it must be ensured that they cannot be recovered or reused and that the Personal Data cannot be accessed in any way.
i. Destruction of Physical Records
Physical Records are destroyed by shredding machines to incomprehensible sizes (shredding both vertically and horizontally if possible) or by other methods that make them impossible to read (e.g., by cutting into small pieces that cannot be reassembled or by burning the physical record in a suitable medium).
ii. Destruction of Electronic Records
Approval or supervision of the IT Department is required for all transactions regarding Electronic Records.
Electronic Records may be destroyed in the following ways:
• By destroying the physical object containing the electronic record (For example: burning CDs and DVDs, breaking them into small pieces, melting them),
• By overwriting it,
• By demagnetization,
• By using the deletion commands of flash-based hard disks containing personal data or, if these are not available, by using the methods recommended by the manufacturer,
• By using other possible methods to technically confirm that it cannot be retrieved, re-accessed or used.
• For Personal Data contained in electronic media where the unit/part/section/medium in which the data is recorded is removable (for example, a fingerprint door access system), a destruction method appropriate to the characteristics of the unit is selected after verifying that all data recording media have been removed.
• Personal Data stored in cloud systems is encrypted with technically generally accepted cryptographic methods. If different cloud storage areas are used or services are received from different cloud service providers, a different encryption key is used for each. If the cloud service received from service providers is terminated, the passwords and keys that allow Personal Data to be accessed again or used are destroyed.
7.6.2. Deletion: Deletion is carried out by making Personal Data inaccessible and unusable in any way for Relevant Users. In short, it is the elimination of the connection between Relevant Users and Personal Data.
i. Deletion of Physical Records
Personal data contained in Physical Records can be deleted using the blackout or archiving method. In the blackout method, the Personal Data on the relevant document is cut out or removed where possible; if this is not possible, it is made invisible with permanent ink in a way that cannot be reversed or read using technological solutions.
In the archiving method, the connection between Relevant Users and Records can be eliminated by archiving Active Records and converting them into Inactive Records. In this case:
• Records to be archived are determined,
• Minutes are drawn up in three copies, recording the content, number or identifying elements of the Records (without including Personal Data), and by which department and on what date they were delivered to the Yaşar Turizm archive authorities.
• One copy of the minutes is given to the department that delivered the Records, one copy to the archive authorities and one copy to the Data Protection Committee.
• Records containing Personal Data are archived by the archive authorities in a separate section in the archive area, in a way that cannot be accessed by any Yaşar Turizm department and employee, especially the Relevant Users.
• The relevant archive area can only be accessed for cleaning, maintenance-repair and surveillance purposes; otherwise, Yaşar Turizm employees and third parties cannot access the area and Records unless there is a written decision of the Data Protection Committee.
ii. Deletion of Electronic Records
When performing the deletion process for Electronic Records, the following order is generally followed:
• Determining the Personal Data that will be subject to deletion and the environment in which it is located,
• Identifying Relevant Users using the authorization matrix,
• Determining the authorizations and methods of the Relevant Users such as access, retrieval and reuse,
• Closing off and eliminating the Relevant Users’ authorizations and methods for accessing, retrieving and reusing Records,
• If the above mentioned transactions cannot be performed, transferring the information to a digital area to which the Relevant Users do not have access, by taking all necessary technical security measures and not leaving any Records in the initial environment,
• Recording the transactions made.
The environment, file or server where Electronic Records are located may be accessed only by IT Department employees designated by the Data Protection Committee, and only for the purpose of maintaining the operation of the system and ensuring its security.
7.6.3. Anonymization: Anonymization is the prevention of identifying or distinguishing the Data Owner by removing or changing all direct and/or indirect identifiers in a data set.
Data that no longer points to a particular person, because its identifying or distinguishing features have been removed or obscured, is deemed to be anonymized. As a result, data that could be used to identify a person before the anonymization process can no longer be linked to the real person after the process.
Methods such as grouping, masking, derivation, generalization and randomization can be used for anonymization. Some of them are listed below:
i. Anonymization Methods That Do Not Provide Value Irregularity
• Removing Variables
• Removing Records
• Lower and Upper Limit Coding
• Local Suppression
• Sampling
• Generalization
• Global Coding
ii. Anonymization Methods That Provide Value Irregularity
• Micro-Aggregation
• Data Swapping
• Adding Noise
iii. Statistical Methods to Strengthen Anonymization
• K-Anonymity
• L-Diversity
• T-Closeness
8. TECHNICAL AND ADMINISTRATIVE PRECAUTIONS TAKEN FOR THE SECURE STORAGE OF PERSONAL DATA, PREVENTING THEIR UNLAWFUL PROCESSING AND ACCESS, AND THEIR LAWFUL DESTRUCTION
8.1. In order to store and secure Personal Data, Yaşar Turizm takes into consideration the nature and condition of Personal Data, risks that may arise from unauthorized modification, possible loss, possible damage, unauthorized processing or access, human action or exposure to the effects of the natural or physical environment, and other similar risks. It aims to take physical, technical and administrative measures to prevent damages, taking into account technical and economic conditions.
8.2. Yaşar Turizm employees, departments and suppliers are obliged to ensure that all Personal Data they process or access is kept secure. Personal Data cannot be shared with or disclosed to any unauthorized third party verbally, in writing or otherwise.
8.3. Physical copies containing Personal Data are kept in locked cabinets or locked drawers; electronic copies are encrypted, and if they are kept on a portable medium, the file itself is also encrypted.
8.4. As a general principle, Records containing Personal Data cannot be kept electronically or physically at the staff’s home, on laptops or other personal portable devices, or in other areas outside the workplace. The security of e-mail accounts that can be accessed through personal devices must be taken care of by the employee himself, and mobile devices used for business purposes are protected with a screen lock.
8.5. If it is deemed necessary or appropriate to keep Personal Data outside the workplace as a matter of business, the relevant unit or department immediately reports the situation to the Data Protection Committee. The Data Protection Committee may allow this situation if it believes that the security of Personal Data can be ensured.
8.6. With the decision of the Data Protection Committee, a protocol is signed between Yaşar Turizm and the relevant unit or employee, which includes the special procedures and principles to be determined regarding keeping personal data outside the workplace, and the responsibilities of the employee are specified in this protocol.
8.7. The employee who manages the equipment or manages the area is responsible for data stored on portable electronic devices or erasable digital or physical media. This person is also responsible for providing the following elements:
• Backing up, or ensuring the backup of, the data in the relevant devices, environments and areas in environments where adequate security measures are taken, as a safeguard against any damage,
• Keeping Special Personal Data and other sensitive data in a separate area, and keeping these areas appropriately encrypted or locked,
• Not leaving laptops, mobile devices and computer-based recording media (such as USB devices, CDs) containing Special Personal Data and other sensitive data unattended in the office,
• Applying to the Data Protection Committee for any additional security and protection measures deemed necessary.
8.8. Personal Data located on portable media such as flash disks and external HDDs is stored encrypted and deleted using software suitable for these media.
8.9. Employees cannot copy or download Records containing Personal Data saved on the programs to the computer they use unless necessary, and if it is necessary to download or copy, they immediately delete the copy when the purpose of use ends.
8.10. For devices that are faulty or sent for maintenance, it is first checked whether they hold any record containing personal data. If the relevant devices must be delivered to third parties such as manufacturers, dealers and service providers for maintenance and repair, the Personal Data contained therein is destroyed in advance, as detailed under the heading “Destruction”. In cases where destruction is not possible or appropriate, the data storage medium is removed and stored, or only the defective part is sent to third parties such as manufacturers, dealers, and services.
8.11. Suppliers who enter Yaşar Turizm facilities to serve Yaşar Turizm or access Yaşar Turizm systems remotely are prevented from accessing Personal Data, and necessary technical precautions are taken to prevent them from copying and taking them out of Yaşar Turizm. The IT Department immediately reports the necessary information and suggestions regarding these issues to the Data Protection Committee.
9. VIOLATION OF THE POLICY
9.1. If Yaşar Turizm employees share Personal Data without authorization or violate this Policy, this may require a disciplinary penalty and/or, depending on the situation, may lead to the termination of the employee’s employment contract with just cause in accordance with Article 25 of the Labor Law.
9.2. If Yaşar Turizm suppliers share Personal Data without authorization or violate this Policy, this may result in sanctions being imposed against suppliers and/or termination of the supply contract.
9.3. In case of violation of this Policy, the Data Protection Committee has the authority to investigate the Yaşar Turizm employee or other persons who committed the violation. If the Data Protection Committee deems it necessary, it will take appropriate regulatory measures to reduce the risk arising from the breach.
9.4. Considering the seriousness of the violation, sanctions may be taken against the employee, supplier or third parties, but depending on the nature of the decision taken (e.g. dismissal of the employee or termination of the supplier’s contract), the implementation of the decision may be subject to the approval of Yaşar Turizm management.
10. MISCELLANEOUS PROVISIONS
10.1. Publication and Entry into Force of the Policy
This Policy will be made available to Yaşar Turizm employees in writing by the Human Resources Department.
10.2. Execution of the Policy
The Data Protection Committee is responsible for the implementation and enforcement of this Policy and ensuring compliance with the Policy.
10.3. Changes
Changes may be made to this Policy at any time. Notification of material changes will be communicated to employees by the Human Resources Department, to suppliers by the Financial and Administrative Affairs Department, and to others through an appropriate mechanism selected by the Data Protection Committee.
APPENDICES
1- Maximum Storage and Destruction Periods Table
2- Titles and Units of Data Protection Committee Members
ANNEX-1: TABLE OF MAXIMUM STORAGE AND DISPOSAL PERIOD
• This Storage and Destruction Periods Table has been prepared as an annex to Yaşar Turizm Personal Data Storage and Destruction Policy.
• Specific retention periods for each data processing activity within Yaşar Turizm are included in the Inventory. Different storage periods are determined and applied by Yaşar Turizm within the scope of different data processing activities for the same group of individuals.
• The longest retention period applied within the scope of any data processing activity for the data owner group in the Inventory is included in the table.
• Since the retention periods in the table are maximum, there may be a shorter retention period determined for the same group of individuals in any other data processing process. For this reason, in each data processing process, the periods included in the Inventory will be primarily applied.
PERSON GROUP | MAXIMUM STORAGE AND DISPOSAL PERIOD
Employees | Kept for a maximum of 15 years from the termination of the employment contract.
Employee Candidates | Job applications are kept at most until the end of the evaluation process.
Persons Subject to the News | Stored until explicit consent is withdrawn.
Customer-Guest | Kept for a maximum of 10 years from the expiration of contracts concluded with customers. In addition, in data processing processes based on explicit consent, stored until the explicit consent is withdrawn.
Interns | Kept for 5 years from the completion of the internship process.
Suppliers | Kept for a maximum of 10 years from the expiration of supplier contracts.
Third Parties | Since there are data processing processes based on explicit consent, stored at maximum until the explicit consent is withdrawn.
Visitors | Stored at most until the complaint process is completed, and when cookies are used, stored until the cookies are deleted.
ANNEX-2: Titles and Units of Data Protection Committee Members