1. PURPOSE AND SCOPE

This Privacy and Personal Data Protection Principles (hereinafter referred to as the “Principles”) determines the principles adopted by Tamaris Turizm Anonim Şirketi (hereinafter referred to as the “Company”) regarding the protection of personal data and covers all data subject groups with the Personal Data Protection Law No. hereinafter referred to as “KVKK No. 6698”).

2. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

As a Data Controller, we process your personal data within the framework of the following principles.

2.1 Lawful and Integrity Processing
In the processing of your personal data, we act in accordance with the principles brought by legal regulations and the general rule of trust and honesty. In accordance with this principle, we consider your interests and reasonable expectations while trying to achieve our personal data processing purposes, we do not abuse our rights and we act in accordance with the principle of transparency in our data processing activities.

2.2 Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of personal data, periodic controls and updates are made to ensure that the processed data is accurate and up-to-date, and necessary measures are taken accordingly. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within the Company. In addition, the accuracy of the sources from which personal data is collected is checked and requests arising from the inaccuracy of personal data are taken into account. Therefore, this principle is implemented in accordance with the right to request the correction of personal data you have in accordance with the KVKK No. 6698.

2.3 Processing for Specific, Clear and Legitimate Purposes
Your personal data is processed based on clear, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are clearly understandable by the persons concerned, and we determine and clearly express in Article 3 of these Principles on which purposes and legal processing conditions it is based.

2.4 Relevance, Limitation, and Responsibility for the Purpose for which they are Processed
Your personal data is processed in a measured, purpose-related and limited manner in order to achieve the foreseen purpose/purposes, and the processing of personal data that is not relevant or needed for the realization of the purpose is avoided. Again, within the scope of this principle, personal data is not collected or processed for purposes that do not exist and are thought to be realized later.

2.5 Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation
Your personal data is stored only for the period required by the relevant legislation or for the purpose for which they are processed. In this regard, the Company takes and implements the relevant administrative and technical measures. In this context, first of all, it is determined whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, this period is acted upon. In case the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in the KVKK No. 6698. Your personal data is destroyed or anonymized in accordance with the legislation on the protection of personal data, unless the period expires or the reasons requiring its processing disappear, unless there is a legal reason allowing them to be processed for a longer period of time.

3. TERMS OF PROCESSING PERSONAL DATA

Your personal data, within the scope of KVKK No. 6698, your personal and private data can be processed within the framework of the conditions set forth below.

3.1 Explicitly Provided in Laws
The basic rule is that personal data cannot be processed without the explicit consent of the persons concerned, and according to this exception, your personal data may be processed in cases where the laws expressly stipulate the processing of personal data.

3.2 Failure to Obtain Explicit Consent of the Related Person Due to Actual Impossibility
Your personal data may be processed if the processing of personal data is necessary in order to protect the life or physical integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated.

3.3 Direct Concern with the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of the contract, your personal data may be processed if it is necessary to process the personal data of the parties to the contract.

3.4 Fulfilling the Company’s Legal Obligation
Your personal data may be processed if it is necessary to fulfill the legislation, contract and similar legal obligations to which the Company is bound and responsible.

3.5 Publicizing Personal Data
If your personal data has been made public by you, that is, if it has been shared with the public by you, it may be processed in connection with the purpose of making it public and in a measured manner.

3.6 Requirement of Data Processing for the Establishment or Protection of a Right
Within the scope of the execution and management of the processes related to the legal and commercial rights of the Company, your personal data may be processed if data processing is necessary for the establishment, exercise or protection of the said right.

3.7 Processing of Data Based on Legitimate Interest
Your personal data may be processed if data processing is necessary for the legitimate interests of the Company. In the event that data processing is required depending on the processing condition in question, our company evaluates your fundamental rights and freedoms and makes decisions according to the results of the evaluation.

3.8 Consent-Based Processing
Although the processing of personal data based on explicit consent is the main rule, in the presence of other conditions specified in this article, the explicit consent of the persons concerned is not relied upon. Otherwise, abuse of the right may be mentioned. In this context, your personal data is processed based on your explicit consent, in cases where it is not processed based on any of the conditions set forth in these Principles.

3.9 Processing of Private Personal Data
We process your sensitive personal data based on your explicit consent in accordance with Article 6 of the KVKK No. 6698. Again, in the same article, your special quality personal data other than health and sexual life can only be processed in cases stipulated by the laws, and your personal data of special nature regarding health and sexual life can only be used for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and financing of health services. For the purpose of management, we can process it without your explicit consent by paying attention to the issues regarding the processing by persons or authorized institutions and organizations under the obligation of confidentiality.

4. TRANSFER OF PERSONAL DATA

Your personal and private data; Within the scope of article 2 of these Principles, it can be transferred to our domestic business partners, public institutions and organizations and similar or to our business partners abroad. Compliance with the 8th and 9th articles of the KVKK No. 6698 is observed while making the said transfers. If necessary, your explicit consent is obtained and the transfer is provided within this framework.

5. SECURITY OF PERSONAL DATA

In order to ensure the security of personal data and to prevent unlawful processing, the Company takes all reasonable administrative and technical measures to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data.
All reasonable technical and physical measures are taken to prevent access to personal data by persons authorized to access it. In this context, the authorization system is designed in such a way that it is not possible for individuals and systems to access more personal data than necessary.
The company carries out the necessary inspections in its own institution or organization in order to ensure that the provisions of the KVKK No. 6698 are implemented.
The measures taken are as follows.
• Network security and application security are provided.
• Closed system network is used for personal data transfers via network.
• Key management is implemented.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• There are disciplinary regulations that include data security provisions for employees.
• Training and awareness activities are carried out periodically for employees on data security.
• An authorization matrix has been created for the employees.
• Access logs are kept regularly.
• Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
• Data masking is applied when necessary.
• Confidentiality commitments are made.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Current anti-virus systems are used.
• Firewalls are used.
• Signed contracts contain data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in confidential document format.
• Personal data security policies and procedures have been determined.
• Personal data security issues are reported quickly.
• Personal data security is monitored.
• Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is reduced as much as possible.
• Personal data is backed up and the security of the backed up personal data is also ensured.
• User account management and authorization control system is implemented and these are also followed.
• In-house periodic and/or random audits are conducted and made.
• Log records are kept without user intervention.
• Existing risks and threats have been identified.
• Protocols and procedures for special quality personal data security have been determined and implemented.
• If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using KEP or corporate mail account.
• Intrusion detection and prevention systems are used.
• Penetration test is applied.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Encryption is done.
• Data of special persons transferred in portable memory, CD, DVD media are encrypted and transferred.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.

6. RIGHTS OF THE RELATED PERSON, APPLICATION PROCEDURES AND PRINCIPLES

As the person concerned, if you have a request regarding your rights in Article 11 of Law No. 6698 and if you are a citizen of the European Union, within the scope of GDPR; Application Form on the Protection of Personal Data, which you can obtain from our website regarding your rights to withdraw your express consent, to obtain information about your data and to access this data, to correct your personal data in certain cases, to have it deleted or to limit its processing, to data portability under certain conditions, to object to the processing of your personal data and similar rights. You can send it to us by filling out the . As the Company, we will finalize your application free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, if the transaction requires a separate cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company. In the event that your application is rejected, the response is insufficient, or the application is not responded to on time, upon your application to us, you can inform us about this. In addition, as the data subject, you have the right to apply to the authorized data protection authority in your country within thirty days from the date you learned our answer and in any case within sixty days from the date you duly filed your application. .

To download APPLICATION FORM FOR THE PROTECTION OF PERSONAL DATA OF CONCERNING PERSON (PERSONAL DATA OWNER)  click here.