PERSONAL DATA PROTECTION LAW & PRIVACY POLICY
DEFINITIONS
Explicit Consent
|
means freely given, specific and informed consent,
|
Anonymization
|
means rendering personal data by no means identified or identifiable with a natural person even by linking with other data
|
Application Form
|
The form submitted in the annex of this Policy, containing the application of the data subject to use his/ her rights within the framework of the relevant legislation.
|
Website
|
Websites thestay.com.tr and thestayline.com owned by the Company
|
Mobil Application
|
The mobil application named “The Stay” owned by the Company
|
Business Partner
|
Natural or legal persons with whom the Company has established business partnerships for purposes such as carrying out various projects, receiving services, personally or together with their shareholders, companies or group companies while carrying out its commercial activities.
|
Personal Data
|
means any information relating to an identified or identifiable natural person,
|
Processing of Personal Data
|
means any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system
|
Special Categories of Personal Data
|
Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data
|
Data Subject
|
means the natural person, whose personal data are processed.
|
Data Processor
|
means natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller
|
Data Controller
|
means natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system
|
ABBREVIATIONS
KVKK
|
Personal Data Protection Law no. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677
|
KVK Board
|
Personal Data Protection Board
|
Company
|
Depot Konaklama Hizmetleri A.Ş.
|
Policy
|
Protection on Personal Data and Privacy Policy prepared by Depot Konaklama Hizmetleri A.Ş.
|
PERSONAL DATA PROTECTION AND PRIVACY POLICY
I. INTRODUCTION
As Depot Konaklama Hizmetleri A.S (“Company”), attach great importance to the protection of the personal data of our business partners, shareholders, employees and potential employees who apply to our company, our customers who request and receive service from hotels owned by our Company and/or purchase products through our Company's website thestayline.com, our users and members to the website, other natural persons who have a relationship with us by visiting our hotels, our Websites, or through our social media accounts or in any other way; persons who contact us/contract with us personally or as a representative of a company or organization.
As the Company, we have prepared this Personal Data Protection and Privacy Policy (“Policy”) to ensure compliance with the Personal Data Protection Law No. 6698 and other regulations and to disclose our principles regarding the processing of personal data within the framework of KVKK.
II. PURPOSE AND SCOPE
KVKK was published on Official Gazette numbered 29677 and dated of April 7th of 2016. KVKK is arranged to protect fundamental rights and freedoms including privacy of private life of natural persons whose personal data are processed and to determine the liabilities of natural persons and legal entities that process personal data.
The purpose of this Policy is to determine the necessary management instructions, procedures and conditions and to establish a technical method to ensure that personal data is processed and protected by the Company in accordance with KVKK.
This Policy is implemented in the operations carried out for the processing and protection of all personal data that the Company obtains as "Data Controller" and/or "Data Processor". The policy has been prepared based on the KVKK and other regulations on the processing and protection of personal data.
III. PERSONAL DATA
A. Definition of Personal Data
Within the framework of article 3/I(d) of the KVKK, “personal data” means any information regarding natural persons with an identified or identifiable identity. In this regard, anonymous information, anonymized information and other data that cannot be associated with a specific person are not considered personal data within the scope of this Policy.
B. General Principles for Processing of Personal Data
Within the framework of Article 3/I(e) of the KVKK, any operation that can be carried out on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over personal data, making it available, classifying or preventing its use completely or partially automatically or non-automatically, provided that it is a part of any data recording system falls within the scope of "data processing".
Company is processing personal data in compliance with the following principles:
-
To be in compliance with the law and honesty rules
-
To be true and actual when necessary
-
To process for certain, explicit and legal goals
-
To be connected with their process goal, limited and moderated
-
To be conserved as much as time projected in related legislation or as the time required for the goal they are processed
In this regard, your personal and/or personal data of special nature received within the scope of KVKK and other regulations in written, verbal or electronic media by the Company, through Hotels or the Website and any channels without limitation can be obtained, recorded, stored, stored, preserved, changed in the ways stipulated in the KVKK, for legal reasons or in line with the legal and actual requirements of the product sales and service provided by the Company and can be shared with natural or legal persons in the country and abroad, as deemed appropriate by the Company and can be processed by other methods including the transfer abroad.
C. Data Processed By The Company
a. In general
The Company can process general and special personal data with the explicit consent of the data subject or without explicit consent in cases stipulated in Articles 5 and 6 of the KVKK.
Including but not limited to the Law on the Protection of Consumers No. 6502, the Regulation on Distance Contracts introduced within the scope of this law, the Law No. 6563 on the Regulation of Electronic Commerce, the Regulation on Service Providers and Intermediary Service Providers in Electronic Commerce based on this law, Labor Law No. 4857, Social Insurance and General Health Insurance Law, No. 5510, Turkish Commercial Code No. 6102, Tax Procedure Law No. 213, Identity Reporting Law No. 1774, and all other regulations and directives an communiques related to these laws, personal data can be processed by the Company.
-
Data in direction of knowing the data subject like name, surname, occupation, cv, gender, marital status, nationality and other additional data,
-
In cases where proof of identity is required, data contained in documents for identification purposes such as identity card, passport, driver's license,
-
Contact information like GSM number, fax number, e-mail, telephone, address which belong to home, work place or temporary residence place,
-
Communication records such as telephone conversations, e-mail correspondences with the Company and other audio and video data, complaint and request records
-
Data for determining consumer and user habits to improve service and product sales standards, and website usage data,
-
Internet protocol (IP) address, device identification, internet page views and statistics related to mobile and other digital applications, incoming and outgoing traffic information, referral URL, internet log info, location info, visited sites and information related to actions and transactions made through our internet sites and advertising and e-mail contents.
b. Specifically
Personal data that can be processed by the Company in line with the legitimate interests of the Company, in the light of other regulations and the principles set forth in this Policy, are listed below.
i. Data on Website Users and Online Visitor Data:
-
Data on “thestayline.com” Website Users and online visitor data: User Information (Membership information, User ID number, etc.), IP address, Transaction Security Information (Password information, etc.), Cookie records, User and/or Visitor habits and preferences, data and evaluations showing the User and/or Visitor's approval/permission for commercial electronic message, Membership and User Agreement approved by the User and/or Visitor, other information on the Website and approved by the User and/or Visitor, written texts, commercial electronic messages sent within the scope of the consent given by the User and/or Visitor, records related to the management of the request and complaint processes.
-
“thestay.com.tr” Website visitor data: IP address, Cookie records, User and/or Visitor habits and preferences, Membership and User Agreement approved by the User and/or Visitor, other information on the Website and approved by the User and/or Visitor.
ii. Buyer Data Who Bought Services and Products on Websites:
-
The data of the Buyer purchasing the product offered for sale by the Seller on "thestayline.com", the data subject to the purchase and the data of the person who will use the purchased product: Buyer's identity information, Passport number, Contact Information (mobile phone, e-mail address, address, etc.), billing and collection information, type, quantity, price, order date of the product purchased, data of the person purchasing the product, discount coupons used during shopping, campaigns, if any; commercial electronic message permission given by the Buyer in electronic environment, Distance Sales Agreement and Preliminary Information Form approved by the Buyer, other written texts approved by the Buyer, commercial electronic messages sent within the scope of the Buyer's approval, records related to the management of the request and complaint processes, IP address, password, password information.
-
Data of the person who purchased the service on “thestay.com tr”: Identity Information (name, surname, gender), Location Information (the region/city the user is located), Contact Information (mobile phone, e-mail address etc.), necessary Data in scope of the measures taken in Covid-19 era, User Information (Membership information, User ID number, etc.), billing and collection information, service information purchased, data belonging to the person purchasing the service, discount coupons used at the time of purchase, campaigns, if any; commercial electronic message permission given by the Buyer in electronic environment, Distance Reservation Agreement and Preliminary Information Form approved by the Buyer, other written texts approved by the Buyer, commercial electronic messages sent within the scope of the Buyer's approval, records related to the management of the request and complaint processes, IP address, password, password information.
iii. Customer data transacting through the Call Center: Identity Information (Name, surname, Turkish citizenship number, Passport No for non-Turkish citizens), Contact Information (mobile phone, e-mail address, address, etc.), Distance Reservation Agreement and Preliminary Information Form
iv. Data regarding the Hotel Customer: Identity Information (Name, surname, date of birth, gender, Turkish citizenship number, passport information), Contact Information (mobile phone, e-mail address, address, etc.), necessary Data in scope of the measures taken in Covid-19 era, written texts approved by the customer, Customer Commercial electronic messages sent within the scope of the approval given by the Customer, records related to the management of request and complaint processes, information about your stay and visit, billing and collection information, information about your purchase of products or services during your stay, your payment information, information about people staying with you, business status information, records of your marketing and communication preferences, your IP address, the pages you view on the hotel's website, data identifying your mobile device if you visit our website on your mobile device, and any other information that you have expressly preferred and approved to give to us or that we can obtain from third parties with your explicit consent., camera records
vi. Customer data transacting through the Mobile Application: Name, surname, mobile phone, e-mail address
vi. Data of the Employee/Person making Job Application: Identity Information (Name, surname, date of birth, gender, Turkish citizenship number), Contact Information (mobile phone, e-mail address, address, etc.), education history, employment history, CV information, criminal record, camera records, all kinds of data needed within the scope of the personnel file
D. Purposes of Processing Personal Data
The Company may process personal data for the purposes stated below and may be retained for the period required for these purposes and in any case for the periods required under the regulations.
-
Fulfilling all legal and administrative obligations,
-
Negotiation, establishment and performance of contracts concluded/to be concluded,
-
Providing accommodation services in hotels,
-
Processing of data of online visitors within the scope of regulations,
-
Performing the membership process by the Users through the website, creating and arranging the personal account of the Members/Users on the website and managing the membership transactions through the personal account, informing the persons and Members/Users upon approval of commercial electronic messages about the campaigns and opportunities or presenting prices, marketing, other opportunities, benefits, offers and information to Members/Users,
-
Making purchases of the products offered for sale on the website,
-
Following up purchasing transactions and accounting processes,
-
Ensuring the security of all websites and other electronic systems, social media accounts and physical environments of the Company,
-
Promotion and marketing of the company's products and services, and their development, questionnaires and polling, and obtaining the opinion of the data subject,
-
Birthday celebrations, being included in raffles, campaigns or competitions, giving gifts and other similar events, promotions and campaigns in favor of the data subject,
-
Investigation, detection, prevention of violations of the contract and the law and reporting them to the relevant administrative or judicial authorities,
-
Resolving current and future legal disputes,
-
Answering requests and questions, reviewing and solving complaints
-
Carrying out corporate and partnership transactions,
-
Execution of recruitment processes within the framework of human resources policies,
-
Evaluating and finalizing the job applications and communicating with job applicants,
-
Mandatory data processing for the establishment, exercising or protection of a right,
-
Protection of the Company's legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.
E. Transfer of Personal Data within Turkey and abroad
Company, provided that complying the general principles mentioned in KVKK and conditions projected in 8th and 9th articles of KVKK and taking necessary security measures, in direction of the goals stated in herein Politics, can transfer the obtained data to third parties within the country and abroad and process and store in servers within the country and abroad or in other electronic media. The third parties to whom personal data can be transferred may vary depending on the type and nature of the relationship between the data subject and the Company (/user/membership, business relationship, etc.) such as: (i) Company Group Companies, (ii) the depositories, platform owners, data broadcasters, infrastructure providers and other business partners, suppliers and subcontractors that the Company works with in country or abroad, (iii) any authorities and institutions, (iv) banks for collection purposes and/or institutions authorized by the Company for collection and other relevant third parties to carry out the activities related to these purposes.
F. Method of Personal Data Collection
The Company may obtain personal data in written, oral, audio or video recording or other physical or electronic forms for the purposes specified in this Policy, within the framework of the conditions set forth in Articles 5 and 6 of the KVKK. Besides, personal data may be collected through channels such as hotels, headquarters and other physical environments of the Company, websites, mobile applications, electronic transaction platforms, social media and other public channels or events organized, sales and marketing units, customer forms, digital marketing that data subject may contact, contracts, applications, forms, offers, and cookies used in website visits.
G. Retention Period of Personal Data
Except for cases where there is a legal requirement or permit for longer retention periods, the Company retains personal data it processes for the periods specified in the KVKK and other regulations, by obtaining the data in accordance with the KVKK in line with the purposes set out in this Policy and the Personal Data Retention and Destruction Policy.
If the purpose of processing personal data ends and the retention periods determined by the Company in accordance with the KVKK and other regulations, the personal data only serves as evidence in any likely legal disputes and is retained to claim the relevant right related to the personal data and/or to defense the rights or present such when requested by the authorities. In determination of the aforementioned periods, the statute of limitations and retention periods specified in the relevant regulation are taken as basis in order to claim the aforementioned right. In this case, the personal data stored is not accessed for any other purpose, and personal data is only provided when necessary for use in the relevant legal dispute.
The specified periods are reviewed by the Company, and the personal data, the retention period of which expires are deleted, destructed or anonymized by the Company in accordance with the KVKK, as detailed in the Personal Data Retention and Destruction Policy.
H. Security and Control of Personal Data
The Company takes the necessary technical and administrative measures to ensure the appropriate level of security as a "data controller” within the framework of article 12 of the KVKK, in order to prevent the unlawful processing of personal data and illegal access to the data, and to ensure the preservation of personal data. For this purpose, (i) activities are carried out in accordance with the internal policies and rules prepared for the protection of personal data, (ii) necessary training and responsibilities are provided to the employees regarding the personal data protection law and the internal policies and rules prepared accordingly, (iii) all necessary declarations and commitments are taken for the confidentiality and protection of data from the employees, persons and institutions that process data on behalf of the Company, (iv) necessary information security measures are implemented to ensure the security of personal data and to prevent unauthorized access to data inside and outside the Company, (v) the internal policies and rules established are complied with for the protection of personal data, (vi) the adequacy of the measures taken is checked and new data security systems are provided according to the requirements and/or existing data security systems are developed, updated and necessary audits are made in this regard.
I. The measures taken by the Company for the Protection and Security of Personal Data
The Company;
-
Maintains the processing of all collected personal data compliant to the principles stated in 4th article of KVKK and to the conditions stated in 5th and 6th articles.
-
In scope of KVKK, fulfills the “Informing and Clarification Liability” which is included in the liability of data responsible via Clarification Texts which it publishes through internet environment and other related platforms.
-
As Data Controller, generates necessary infrastructure in order to maintain “explicit consent” to provide and process personal data compliant to KVKK in case it is required by law.
-
Generates necessary infrastructure to provide personal data compliant to KVKK for goals of communication, marketing, occasion notification and promotion.
-
Takes necessary measures by generating required conditions in order to conserve personal data compliant to KVKK in job applications and hiring processes.
-
Personal data which are processed in compliance with KVKK and other related law provisions, upon the request of the related person or ex officio, are deleted unrecoverable and unusable in any way, destroyed or anonymized by the Company when the reasons of processing are vanished and in case of expiration of time said in the article titled “Personal Data Storage Time” of herein Politics and of time said in Personal data Storage and Destruction Politics. In order to maintain data security, Company generates limitations compliant to KVKK on in-house data Access authorizations, destroys data which are needed to be destroyed.
-
In order to prevent illegal processing of personal data and illegal access to personal data and maintain conservation of them compliant to KVKK, takes necessary technical and administrative measures. To conserve data security and secure conservation develops in-house encryption politics and configures present encryption system.
-
In order to prevent data leak, necessary in-house measures are taken with in-house applied applications and outsourced supporting products.
-
Determines storage times by law according to the quality of the provided data, develops storage politics in-house application and put into effect.
-
Takes measures to prevent unauthorized Access and usage of personal data by natural persons or legal entities that process personal data on the basis of authority issued by the Company or processed or transferred or obtained as a result of transfer personal data processed by different departments of the Company.
-
Audits activities of conservation of personal data which is run by natural persons or legal entities on behalf of itself periodically on the basis of authority it issued.
-
Although necessary technical and administrative measures are taken related to personal data processing, transferring or conserving; if third parties Access to personal data illegally, takes technical and administrative measures for related persons not to get any harm compliant to related legislation about protection of personal data and KVK Board decisions.
-
Periodically audits and follows-up data recording system in the Company if it is generated compliant to legislation about KVKK.
J. Rights of the Data Subject under KVKK
Each person has the right to request;
-
to learn whether his/her personal data are processed or not,
-
to demand for information as to if his/her personal data have been processed,
-
to learn the purpose of the processing of his/her personal data and whether these personal
-
data are used in compliance with the purpose,
-
to know the third parties to whom his personal data are transferred in country or abroad,
-
to request the rectification of the incomplete or inaccurate data, if any,
-
to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7 of KVKK,
-
to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
-
to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
-
to claim compensation for the damage arising from the unlawful processing of his/her personal data.
If data subjects wish to exercise any of their rights mentioned above, they must fill in the application form attached to this Policy and send a signed copy together with the information and documents to identify them to the Company's address in Harbiye Mah. Kadırgalar Cad. No:6 Kat:3 Maçka, Şişli/Istanbul, in person or via a notary public. In the event that the Personal Data Protection Board decides to transmit the requests by means other than those specified above, the ways in which the applications can be submitted will be announced separately.
The company shall review and finalize the duly received requests from the data subjects as soon as possible, and in any case, within 30 (thirty) days at the latest, depending on the nature of the request, within the framework of Article 13 of the KVKK.
While the requests of data subjects shall be concluded free of charge as a rule, if the response of the request requires an additional cost, a fee may be charged within the framework of the relevant regulation.
IV. COOKIES AND SIMILAR TECHNOLOGIES
While accessing the website, electronic platforms, mobile and digital applications or e-mail messages or advertisements sent through websites owned by the Company, small data files that enable the recording and collection of certain data by technical means may be placed in the visitor's computers, mobile phoned, tablet pc, or other devices accessed/used to show customized content to visitors and to engage in online advertising activities. These data files placed on computers and other devices may be cookies, pixel tags, flash cookies and web beacons, as well as other technologies for data storage purposes. (shortly “Cookies”)
It is possible to collect personal data through cookies, and such data may be processed by the Company within the scope of this Policy and KVKK to the extent that the data obtained through cookies constitute personal data under Turkish law. The user can remove cookies and reject cookies by closing the warnings. If the user refuses cookies, s/he may continue to use the website in question, but may not be able to access all functions or his/her access may be limited. Detailed information about cookies and the use of cookies can be found in thestayline.com and thestay.com.tr Cookie Policy.
V. WEBSITES, PRODUCTS AND SERVICES OF THE THIRD PARTIES
The websites, platforms and applications of the Company may contain links to third-party websites and products. These links are subject to the privacy policies of third parties and third parties and third-party sites are independent of the Company and the Company shall not be responsible for the privacy practices of third parties under any circumstances.
VI. AMENDMENTS
The Company is entitled to make amendments in this Personal Data Protection and Privacy Policy from time to time, including but not limited to, the provisions of the Regulation to be issued in accordance with the KVKK and for other reasons. The current version of the Policy shall be published on the websites of the Company and made available to users and members.
VII. ENTRY INTO FORCE
This Policy shall enter into force on the date of its publication and remain in effect until it is removed from the website.
ANNEX- DATA RETENTION AND DESTRUCTION POLICY OF THE COMPANY
I. DEFINITIONS
Relevant User
|
Except the person or unit who is responsible for technically storing, protecting and backing up the data, they are persons who process personal data in direction of the instruction they took from data responsible or within the data responsible organization.
|
Destruction
|
Means deletion, destruction or anonymization of personal data.
|
Periodical Destruction
|
In case of all of the personal data processing conditions are canceled in the Law, it means that deletion, destruction or anonymization of personal data which will be done officially as it is stated in data storage and destruction policy or at repeating intervals.
|
Deletion of Personal Data
|
It is the transaction of making personal data inaccessible or un-reusable in any way for the related users.
|
Destruction of Personal Data
|
It is making personal data inaccessible, un-restorable or un-reusable in any way for anybody,
|
Anonymization of Personal Data
|
Making personal data unable to be unrelated with a natural person whose identity is certain or can be determined in any way even by matching with other data;
|
II. PURPOSE AND SCOPE OF PERSONAL DATA RETENTION AND DESTRUCTION POLICY
The purpose of this Retention and Destruction Policy is to establish a policy on management instructions, procedures and a technical policy to ensure that the obligations arising from the Regulation are fulfilled for deletion, destruction or anonymizing personal data in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), which entered into force and published in the Official Gazette dated 28.10.2017 and numbered 30224, constituting the KVKK and the secondary regulation of the KVKK in case the reasons for the processing disappear and the legal retention periods expire despite the fact that the Company's personal data of the persons concerned are processed, stored, protected and processed in accordance with the Law on the Protection of Personal Data (“Law” or “KVKK”) and to fulfill obligations under the Regulation.
This Retention and Destruction Policy is applied in the operations related to the storage and destruction of personal data processed by the Company.
This Storage and Destruction Policy hereby has been prepared based on the KVKK, the "Regulation on the Deletion, Destruction or Anonymization of Personal Data" and other regulations on the storage and destruction of personal data.
III. DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA BY THE COMPANY
Personal data is retained by the Company only within the retention and limitation periods specified in the relevant regulation and/or for the period required for the purpose for which they are processed. Accordingly, the Company first determines whether there is any period and/or statute of limitations regarding the storage of personal data in the relevant regulations and stores personal data complying with these periods. If no period is stipulated in the relevant regulations, personal data is stored pursuant to the KVKK and for the period necessary for the purpose for which they are processed.
As specified in Article 7 of the KVKK, although it is processed compliant to the related legislation, if the reasons for processing of personal data no longer exist and/or the legal retention periods expire, personal data is deleted, destructed or anonymized by the Company ex officio or upon the request of the relevant person in accordance with Articles 8,9 and 10 of the Regulation on "Deletion, Destruction or Anonymizing Personal Data".
In order to fulfill its obligations arising from the Law and the Regulation, the Company has taken necessary technical and administrative measures, developed the necessary working mechanisms and given training to the relevant departments and makes the necessary assignments in this regard.
IV. CIRCUMSTANCES REQUIRING THE DESTRUCTION OF PERSONAL DATA AND METHODS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
-
CIRCUMSTANCES REQUIRING THE DESTRUCTION OF PERSONAL DATA
Pursuant to the KVKK and the Regulation, the personal data of the data subjects are deleted, destroyed or anonymized by the Company ex officio or upon request in the following cases:
-
Other legislation provisions which constitute fundamentals for the processing, storing and storing times of personal data are amended in the nature of vanishing the liability of storing personal data and/or repealed,
-
Goal which makes it necessary to process or store the personal data is vanished,
-
“Erasing Conditions of Personal Data” stated in the 5th and 6th articles of the Law is vanished,
-
In case when personal data is processed with the condition of “explicit consent”, data owner cancels his/her consent,
-
In scope of data owner’s rights stated in 1/e-f subclauses of 11th article of KVKK, his/her application of his/her data to be erased, destroyed or anonymized is accepted by data responsible,
-
Erasing, destroying or anonymizing of personal data is decided by the Board,
-
Following the expiration of maximum time of personal data storage, any condition by law exists which justifies to store the personal data longer
-
METHODS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
While destroying the personal data, the company uses deletion, destruction or anonymization methods in accordance with KVKK:
-
Deletion Methods: Company uses one or more of the methods of deleting from data base by command and blacking out according to the quality of the personal data and where it exists.
-
Destruction Methods: Company uses one or more of the methods of physical destruction, de-magnetizing, overwriting as for the method according to the quality of the personal data and where it exists.
-
Anonymization Methods: Company uses one or more of the methods of regional hiding, excluding parameters, excluding logs, generalizing, minimal and maximal limit coding, global coding, sampling, data exchanging, adding noise and micro combining, data hash and data corruption according to the size of related data, quality of data, existing structure in physical environments, its variation, benefit requested to get from the data and processing goal in order to anonymize personal data.
-
DEPARTMENT, TITLE AND JOB DEFINITIONS OF COMPANY STAFF INVOLVED IN PERSONAL DATA STORAGE AND DESTRUCTION
The person(s) working in the positions detailed below shall be in charge of storage, deletion, destruction and anonymization of personal data from the database. The job descriptions of these persons have been determined by the Company as follows:
Position : Marketing&Communication Manager
Job Description : Managing digital channels and ensuring the coordination of different marketing methods, protecting and storing data obtained from the website, monitoring, backing up, storing, and accessing the collected data, and establishing the conditions by communicating with third parties and companies on these issues, protection and monitoring of data and server
following up issues such as search engine marketing, content marketing, digital targeting and digital sales and to intervene communication operations when necessary, performing various tests on user experience and creating a roadmap according to the results, analyzing the data coming from digital channels and presenting the necessary reports to the management
-
RETENTION AND DESTRUCTION PERIODS
Data Categories
|
Storage Durations
|
Destruction Durations
|
Data of the Customer, Membership and Buyer and Subject to the Order/Purchase Transaction Order/Purchasing Transaction
|
In scope of Turkish Commercial Code numbered 6102, 10 years of after the legal relationship finished; according to Law on the Regulation of Electronic Commerce numbered 6563 and related secondary legislation, 3 years, According to Identification Notification Law Application and related legislation, accommodation documents for one year, 1 year beginning from the year following arranged year; accommodation place registry, 5 years beginning from the calendar year following expired year
|
At the first periodical destruction following storing time expiration.
|
Call Center Audio Recordings
|
In scope of Turkish Commercial Code numbered 6102, 10 years of after the legal relationship finished, in scope of Turkish Law Of Obligations numbered 6098, 10 years
|
At the first periodical destruction following storing time expiration
|
All registries related to financial and accounting
|
In scope of Turkish Commercial Code numbered 6102, 10 years, in scope of Tax Procedure Law numbered 213, 5 years
|
At the first periodical destruction following storing time expiration.
|
Registries related to electronic commerce transactions
|
3 years beginning from transaction date
|
At the first periodical destruction following storing time expiration.
|
Commercial electronic messaging registries
|
3 years beginning from the taking back of the consent
|
At the first periodical destruction following storing time expiration.
|
CVs
|
5 years according to Company policy
|
CVs that are older than 5 years are destroyed in computer environment. For the physical CVs, this time is 6 months.
|
-
TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN BY THE COMPANY FOR SECURE STORING AND PREVENTION OF UNLAWFUL PROCESSING AND ACCESS OF PERSONAL DATA
-
Necessary technical and administrative measures are taken in order to prevent illegal processing and of personal data and illegal accessing of personal data and in order to store personal data compliant to KVKK.
-
Company limits the Access authorizations of the personnel in order to maintain the data security and to make authorization limitation.
-
Company limits personnel Access authorization at main server.
-
Encryption techniques are brought and periodical password change is applied compulsory in order to maintain in-house data security.
-
Company protects all areas in web site or mobile applications with SSL where personal data are taken.
-
Software and hardware including virus protection systems and firewalls are installed at the Company and on the platforms owned by the Company.
thestay.com.tr Cookie Policy
This Cookie Policy ("Cookie Policy") is furnished to provide information to the visitors of the web site "thestay.com" (Web Site"), regarding the use of the cookies at "the stay.com.tr" and the principles and details for the use of the cookies.
1-What are cookies ?
Depot Konaklama Hizmetleri A.Ş. may place small pieces of data files which bring in and record several data through technical means in order to display customized contents to the visitors' personal computer, mobile telephone, tablet pc or any other devices accessed or used and perform online advertisement activities during accession to the website, electronic platforms, mobile and digital applications or e-mail messages transmitted by thestay.com.tr. Such data files placed on the computers and other devices may not only be in the form of cookies, pixel tags, flash cookies and web markers but also the other technologies of similar nature for data storage purposes (Briefly referred to as the "Cookies")
The cookies are the small text files comprising some data pieces placed on the devices of the visitors temporarily through the browsers used by the visitors. Each time the visitor visits the web site through their web browsers, such cookies are sent back to the web site and thanks to this particular feature, the web site perceives the device of the visitor. The cookies are used for data collection purposes regarding the use of the website. The cookies do not contain any personal data inclusive of the data stored on the visitors' computers. They cannot be used for user identification. thestay.com.tr uses of the cookies to make the website user friendly and facilitate the browsing experience on thestay.com.tr
2- The cookies used on the websites
The cookies may be classified under the headings of "Mandatory Cookies", " Functional Cookies", "Analytical Cookies" and "Ad Cookies".
Mandatory Cookie
The Mandatory Cookies are the cookies necessary for the smooth operation of the website. Such mandatory cookies are used to manage the system in an orderly manner, provide the user to log in subsequent to creation of the user account, and prevent the fake transactions. In the absence of such cookies, the website is not operated smoothly.
Functional Cookies
The Functional Cookies are the cookies used to facilitate the visits by the visitors on the website and enhance their experience on the site. These cookies recall the previous visit on the website and provides easy access to the contents.
Analytic Cookies
The Analytic Cookies include the data collected to observe the traffic on the website in order to provide services which comply with the traffic thus observed by seeing which of the pages roused interest and which of the resources viewed more than the others. The cookies used in this context store the data anonymously.
Ad Cookies
Advertisement or in other terms, the targeting cookies are the cookies which are used to find out the fields of interests of the visitors and provide them with the contents specific to their interests. The third party advertisement cookies may be placed on the websites and mobile sites, the other websites on which such ads are published in order to identify the visitors and present advertisements specific to the visitors. Such cookies are used to measure up the efficiency of the advertisements.
Third Party Cookies
3rd party cookies are as follows:
• Google Analytics
• Facebook
• YouTube
3- Supervision, deletion / removal of the cookies
Many of the web browsers are set to automatically to accept the default cookies. Such settings may be amended through alerts transmitted to the visitors' devices or blocking the cookies. The blockage of the cookies by the visitors may have an adverse effect on the user experience on the website. For example, some of the website components of thestay.com.tr may not be viewed, the access may be restricted, the functions of all the channels may not be accessible or when visited, the information available for and specific to the visitor may not be accessible.
Whenever the website is visited using different devices (tablet pc and mobile telephone etc.) the cookies options of the browser used should have been arranged.
You have the option to customize your cookie preferences by changing the browser adjustments. The producers of the browsers provide help pages for the management of the cookies in the range of products they offer. For more information please click the following:
Google Chrome:
https://support.google.com/chrome/answer/95647?hl=tr
Mozilla Firefox:
https://support.mozilla.org/tr/kb/%C3%87erezleri%20engellemek
Internet Explorer:
https://support.microsoft.com/tr-tr/help/17442/windows-internet-explorer-delete-manage-cookies
Opera:
https://www.opera.com/tr/help
Opera Mobil:
https://www.opera.com/tr/help/mobile/android
Safari Computer:
https://support.apple.com/kb/PH19214?locale=tr_TR&viewlocale=tr_TR
Safari Mobil:
https://support.apple.com/tr-tr/HT201265