> Sumahan on the Water Hotel Istanbul | Privacy Policy

The Personal Data Processing and Protection Policy

 

  1. Purpose

    The purpose of this policy is to describe the methods adopted for the processing and protection of personal data, in accordance with the Protection of Personal Data Law numbered 6698, in all kinds of activities conducted by Mn Butler Mimarla Araş. Tas. ve Yapı Ltd. Şti (SUMAHAN ON THE WATER), and to fulfil the clarification obligation stated under Article 10 of the Law. The Personal Data Protection and Processing Policy includes the principles applied in the collection, use, sharing, retention and destruction processes of personal data by SUMAHAN ON THE WATER. It aims to inform all persons whose personal data are processed by the entity, especially our guests, employees of the entity, visitors, employees of the entities that we cooperate with and third parties.

  2. Scope

    This Policy covers all personal data processed in the processes of our entity by automatic means, or by non-automatic means provided that they are a part of any data recording system.

  3. Authorities and Responsibilities

    All employees, consultants, external service suppliers and anyone who retains and processes personal data in any manner before the entity is responsible for fulfilling the requirements with regard to the retention and destruction of personal data specified by the Law, Regulation and Policy within the entity. Each business unit is obliged to retain and protect the data produced in its own business processes.

    Responsibility for transactions such as receiving or accepting notifications or correspondence made with the PPD Board on behalf of the data controller, and for registration to the registry, belongs to the "Contact Person of the Data Controller".

  4. Definitions and Abbreviations

    Explicit Consent: Consent on a specific subject based on information and expressed in free will.

    The Relevant Users: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except the person or unit responsible for the storage, protection and backup of the data technically.

    Destruction: Erasure, destruction or anonymization of personal data.

    Law: The Protection of Personal Data Law Numbered 6698.

    Recording Medium: Any kind of media in which the processed personal data are located through wholly or partially automatic means or non-automatic means provided that it shall be a part of any data recording system.

    Personal Data: Any kind of information related to the identified or identifiable real person.

    Processing of Personal Data: All kinds of processes performed on personal data including obtaining, recording, storing, retaining, changing, re-arranging, disclosing, transmission, acquisition, making available, classification or prevention of use through wholly or partially automatic means or non-automatic means provided that it shall be a part of any data recording system.

    Anonymization of Personal Data: Making personal data unlikely to be associated with any identified or identifiable real person in any way even when personal data is paired with other data.

    Erasure of Personal Data: Erasure of the personal data is the process of making personal data inaccessible in any manner and unusable again for the Relevant Users.

    Destruction of Personal Data: is the process of making personal data inaccessible, unrecoverable and unusable by anyone, in any manner.

    Board: Protection of Personal Data Board.

    Personal Data of Special Nature: Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

    Periodic Destruction: The process of erasure, destruction or anonymization of personal data, to be carried out as stated in the personal data retention and destruction policy and performed ex officio at repeating intervals in the event that all of the processing conditions of the personal data in the law have disappeared.

    Data Owner / Person Concerned: Real person whose personal data is processed.

    Data Processor: A real person or legal entity who processes personal data on behalf of the data controller by basing on the authority given by the same.

    Data Controller: Real person or legal entity who identifies the purposes and means of personal data processing and is responsible for installing and managing the data recording system.

    Regulation: Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

    Guest: Real person staying at our hotel or benefiting from our other services.

  5. The Personal Data Processing and Protection Policy

    SUMAHAN ON THE WATER presents the necessary measures and the process applied for the protection and processing of personal data in a concrete manner with this policy. SUMAHAN ON THE WATER accepts that it will comply with the current legislation in cases where this policy is incompatible with the relevant laws and regulations or if the policy is not updated in line with the updated legislation. This policy is updated and revised in order for SUMAHAN ON THE WATER to fulfill the legal requirements according to the changes in the law, regulations and legislations.

    • 5.1. Purposes of Processing Personal Data

      SUMAHAN ON THE WATER processes the personal data specified in Chart 1 for the purposes specified in Chart 2, limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 2 and paragraph 3 of Article 6 of the Law.

    • 5.2. Methods of Collecting Personal Data and Legal Grounds

      SUMAHAN ON THE WATER collects personal data that may be subject to official transactions from persons concerned in writing, and collects personal data that will not be subject to official transactions verbally. Electronically produced personal data (for instance, internet logs) are collected and retained electronically. SUMAHAN ON THE WATER processes personal data based on the legal grounds specified in Chart 3.

    • 5.3. Ensuring Security of Personal Data
      • 5.3.1. Administrative and Technical Measures

        The administrative and technical measures taken to ensure the security of personal data are detailed in the "Personal Data Retention and Destruction Policy."

    • 5.4. Principles for Processing Personal Data

      The principles for processing personal data are determined in subparagraph 2 of Article 4 of the Law. SUMAHAN ON THE WATER processes personal data in accordance with the determined principles.

      The processing of personal data is carried out in accordance with the following principles:

      • a) Being in compliance with law and principle of honesty,
      • b) Keeping them accurate and up-to-date when necessary,
      • c) Processing for specific, clear, and legitimate purposes,
      • d) Being relevant, limited, and proportionate to the purposes for which they are processed,
      • e) Retaining them for the period of time stipulated by the relevant legislation or for the period deemed necessary for the purpose of the processing.
    • 5.5. Conditions of Processing Personal Data

      SUMAHAN ON THE WATER processes personal data due to legal obligations and in order to provide services to our guests. Data processing, as per Article 5/2 of the Law of which full text can be accessed from the address of www.mevzuat.gov.tr:

      • a) Shall be expressly set forth in law.
      • b) Shall be compulsory for the protection of life or body integrity of the person or someone, who is unable to explain her/his consent due to actual impossibility or whose consent is legally unrecognized.
      • c) Processing of personal data belonging to the parties of a contract shall be necessary provided that it is directly related to the conclusion or fulfilment of that contract.
      • ç) Being obligatory for the data controller to fulfil her/his legal obligations.
      • d) In case the data is made available to the public by the person concerned.
      • e) Data processing is mandatory for the establishment, exercise or protection of any right.
      • f) Data processing is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the person concerned.

      Except for the cases mentioned above, SUMAHAN ON THE WATER processes personal data only by obtaining the explicit consent of the data owners.

    • 5.6. Destruction of Personal Data

      The destruction of personal data obtained by SUMAHAN ON THE WATER is detailed in the "Personal Data Retention and Destruction Policy."

    • 5.7. Domestic Transfer of Personal Data

      SUMAHAN ON THE WATER carefully complies with the conditions set out in the Law regarding the sharing of personal data with third parties, without prejudice to the provisions of other laws. In this context, personal data is not transferred to third parties without the explicit consent of the data owner. However, in the presence of one of the following conditions specified in the Law, personal data may also be transmitted without the explicit consent of the data owner:

      • In the event that it is clearly stipulated by the laws,
      • In the event that it is mandatory for the protection of life or physical integrity of a person himself/herself, or any other person, who is bodily incapable of giving his/her consent or whose consent is not deemed legally valid,
      • In the event that it is required to process personal data of the parties to the contract, provided that the processing is directly related to the conclusion or fulfilment of that contract,
      • In the event that it is mandatory for the data controller to fulfill her/his legal obligations.
      • It has been made public by the data owner her/himself,
      • In the event that data processing is mandatory for the establishment, exercise or protection of a right,
      • In the event that data processing is mandatory for the legitimate interests of the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the person concerned.

      Provided that adequate precautions are taken, personal data of special nature other than health and sexual life can be processed without your explicit consent where this is stipulated in laws; personal data of special nature regarding health and sexual life can be processed without your explicit consent

      • for the purposes of protection of public health,
      • operation of preventive medicine,
      • medical diagnosis,
      • treatment and nursing services,
      • planning and management of health-care services as well as their financing.

      For the transmission of personal data of special nature, the conditions stated for the processing of such data apply.

    • 5.8. Transmission of Personal Data Abroad

      SUMAHAN ON THE WATER does not share data abroad.

    • 5.9. Personal Data of Visitors
      • 5.9.1. Footage

        The hotel entrance and common areas are monitored with security cameras by SUMAHAN ON THE WATER in order to ensure protection. In this context, SUMAHAN ON THE WATER acts in accordance with the Constitution, Law and other relevant legislation. Image records of our visitors are taken through the camera monitoring system at the building, the facility entrances and inside the facility of our entity. The objectives of our entity in monitoring with security cameras are to improve the quality of the service provided, to ensure reliability, and to ensure the security of the entity, guests and other persons. Our entity acts in accordance with the regulations in the Law in conducting the monitoring activities by camera for security purposes.

        The monitoring activities via security cameras by our entity are conducted in accordance with the Law on Private Security Services and related legislation. Only a limited number of entity employees have access to records that are recorded and retained digitally. The limited number of persons who have access to the records declare, through a confidentiality undertaking, that they will protect the confidentiality of the data they access. In accordance with Article 12 of the PPD Law, necessary technical and administrative measures are taken in order to ensure the security of the personal data obtained by the monitoring activities via camera.

      • 5.9.2. Personal Data of Website Visitors and Personal Data Received for Internet Access Point Service

        On the websites owned by our entity, internet activities within the site are recorded by technical means (for instance, cookies) in order to ensure that visitors of these sites perform their visits in a manner appropriate to their visiting purposes.

        Our entity provides free internet service to all its guests. As per the Law on the Regulation of Publications on the Internet and Combating Crimes Committed by means of such Publications Numbered 5651, track records of the service provided, together with Name and Surname, TR Identity Number, MAC Address and internet logs, are collected and retained in order to verify the access and identity information. Processed personal data are kept for 2 years in accordance with Law Numbered 5651.

      • 5.9.3. Health Data

        Special situation information (Disability, Allergy, etc.) transmitted by the guests in our hotels is only transferred to the relevant personnel in order to take the necessary precautions and actions.

    • 5.10. Rights of Personal Data Owner

      Your rights as the personal data owner resulting from the Law are stated under Article 11 of the Law and are as follows:
      ARTICLE 11- (1) Each person has the right to apply to the controller and

      • a) to learn whether her/his personal data are processed or not,
      • b) to request information if her/his personal data are processed,
      • c) to learn the purpose of her/his personal data processing and if this data is used for intended purposes,
      • ç) to know the third parties to whom her/his personal data is transferred at home or abroad,
      • d) to request the rectification of the incomplete or inaccurate personal data, if any,

      By filling out the "SUMAHAN ON THE WATER PPDL Application Form of the Person Concerned", you can exercise your rights mentioned in the above articles by using the following methods:

      • By handing over the form (Address Çengelköy Mh, Kuleli Cd. No:43, 34684 Üsküdar/Istanbul),
      • Via Notary (Address Çengelköy Mh, Kuleli Cd. No:43, 34684 Üsküdar/Istanbul)

    Chart 1

    PERSONAL DATA CANDIDATE EMPLOYEE EMPLOYEES GUESTS SUPPLIER
    MILITARY INFORMATION
    CRIMINAL CONVICTION AND SECURITY MEASURES
    FINANCE
    PHYSICAL SPACE SECURITY
    VISUAL AND AUDIO RECORDS
    CONTACT
    TRANSACTION SECURITY
    SIZE INFORMATION
    IDENTITY
    PROFESSIONAL EXPERIENCE
    CUSTOMER TRANSACTION
    PERSONNEL INFORMATION
    HEALTH INFORMATION

    Chart 2

    PERSONAL DATA PROCESSING PURPOSE CANDIDATE EMPLOYEE EMPLOYEES GUESTS SUPPLIER
    Carrying out the Emergency Management Processes
    Maintaining Information Security Processes
    Carrying out Recruitment and Placement Processes for Employee Candidate / Trainee / Student
    Execution of Employee Satisfaction and Loyalty Processes
    Fulfillment of Obligations Arising From Employee Contracts and Legislation
    Conducting Training Activities
    Conducting Activities in Accordance with the Legislation
    Conducting Company / Product / Service Commitment Processes
    Ensuring Physical Space Security
    Follow-up and execution of legal affairs
    Conducting Communication Activities
    Execution / Audit of Business Activities
    Conducting Occupational Health / Safety Activities
    Protection of Public Health
    Execution of Logistics Activities
    Execution of Goods / Services Purchasing Processes
    Performing Goods / Service Sales Processes
    Conducting Performance Evaluation Processes
    Conducting Agreement Processes
    Following up of Claims/ Complaints
    Transactions on Work and Residence Permits of Foreign Personnel
    Conducting Talent / Career Development Activities
    Providing Information to Authorized Persons, Institutions and Organizations
    Execution of Management Activities
    Generating and Monitoring Visitor Records

    Chart 3

    PERSONAL DATA CANDIDATE EMPLOYEE EMPLOYEES GUESTS SUPPLIER
    MILITARY INFORMATION Legitimate Interests of the Entity Legitimate Interests of the Entity
    CRIMINAL CONVICTION AND SECURITY MEASURES Legitimate Interests of the Entity Legitimate Interests of the Entity
    FINANCE Stipulated under Laws Stipulated under Laws
    PHYSICAL SPACE SECURITY Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity
    VISUAL AND AUDIO RECORDS Legitimate Interests of the Entity Legitimate Interests of the Entity
    CONTACT Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity
    TRANSACTION SECURITY Stipulated under Laws Stipulated under Laws
    SIZE INFORMATION Legitimate Interests of the Entity Legitimate Interests of the Entity
    IDENTITY Stipulated under Laws Stipulated under Laws Stipulated under Laws Stipulated under Laws
    PROFESSIONAL EXPERIENCE Legitimate Interests of the Entity Legitimate Interests of the Entity Legitimate Interests of the Entity
    CUSTOMER TRANSACTION Legitimate Interests of the Entity Legitimate Interests of the Entity
    PERSONNEL INFORMATION Legitimate Interests of the Entity Legitimate Interests of the Entity
    HEALTH INFORMATION Stipulated under Laws Stipulated under Laws Legitimate Interests of the Entity

The Personal Data Retention and Destruction Policy

 

  1. PURPOSE

    The purpose of the Personal Data Retention and Destruction Policy (the "Policy") is to determine and announce the business rules regarding the retention and destruction of personal data processed by Mn Butler Mimarlar Araş. Tas. ve Yapı Ltd. Şti (SUMAHAN HOTEL), such personal data belonging to Customers, entity employees, employee candidates, service providers, visitors and other third parties, in accordance with the Turkish Constitution, international agreements, Protection of Personal Data Law Numbered 6698 (the "Law") and other relevant legislation.

  2. Scope

    Personal data belonging to customers, entity employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy and this Policy is applied in all recording mediums where personal data owned or managed by the Entity are processed and in activities related to personal data processing.

  3. AUTHORITIES and RESPONSIBILITIES

    All employees, consultants, external service suppliers and anyone who retains and processes personal data in any manner before the entity is responsible for fulfilling the requirements with regard to the destruction of data specified by the Law, Regulation and Policy within the entity. Each business unit is obliged to retain and protect the data produced in its own business processes. Responsibility for transactions such as receiving or accepting notifications or correspondence made with the PPD Board on behalf of the data controller, and for registration to the registry, belongs to the "Contact Person of the Data Controller".

  4. DEFINITIONS and ABBREVIATIONS

    DEFINITIONS

    Group of Recipients: The category of real person or legal entity to whom personal data is transferred by the data controller.

    Explicit Consent: Consent on a specific subject based on information and expressed in free will.

    Anonymization: Making personal data unlikely to be associated with any identified or identifiable real person in any way even when personal data is paired with other data.

    Employee: SUMAHAN HOTEL personnel.

    Electronic Environment: Media where personal data can be created, read, changed and written with electronic devices.

    Non-Electronic Environment: Any written, printed, visual or other environment other than electronic environments.

    Service Provider: Real person or legal entity providing services within the framework of a specific contract with SUMAHAN HOTEL.

    Person Concerned: Real person whose personal data is processed.

    Related User: Persons who process personal data within the organization of data controller or in line with the authorization and instruction given by the data controller except for the person or unit responsible for the technical storage, protection and support of the data.

    Destruction: Erasure, destruction or anonymization of personal data.

    Law: The Protection of Personal Data Law Numbered 6698.

    Recording Medium: Any kind of media in which the processed personal data is located through wholly or partially automatic means or non-automatic means provided that it shall be a part of any data recording system.

    Personal Data: Any kind of information related to the identified or identifiable real person.

    The Inventory of Personal Data Processing: The inventory that data controllers create by associating the personal data processing activities they carry out, based on their business processes, with the purpose of processing personal data, the category of data, the group of recipients to whom data is transferred and the group of persons the data concerns, and in which they detail the maximum period of time required for the purposes for which the personal data is processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security.

    Processing of Personal Data: All kinds of processes performed on personal data such as obtaining, recording, storing, retaining, changing, re-arranging, disclosing, transmission, acquisition, making available, classification or prevention of use through wholly or partially automatic means or non-automatic means provided that it shall be a part of any data recording system.

    Board: Protection of Personal Data Board.

    Personal Data of Special Nature: Data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the data relating to biometric and genetic data of persons.

    Periodic Destruction: The process of erasure, destruction or anonymization of personal data, to be carried out as stated in the personal data retention and destruction policy and performed ex officio at repeating intervals in the event that all of the processing conditions of the personal data in the law have disappeared.

    Data Processor: A real person or legal entity who processes personal data on behalf of the data controller by basing on the authority given by the data controller.

    Data Recording System: Recording system in which personal data is processed by structuring these according to certain criteria.

    Data Controller: Real person or legal entity who identifies the purposes and means of personal data processing and is responsible for installing and managing the data recording system.

    Data Controllers Registry Information System (DCRIS/VERBIS): The information system, created and managed by the PPD Authority and accessible on the internet, to be used by data controllers in the application to the Registry and in other transactions related to the Registry.

    Regulation: Regulation on Erasure, Destruction or Anonymization of Personal Data published in the Official Gazette dated October 28, 2017.

  5. THE PERSONAL DATA RETENTION AND DESTRUCTION POLICY

    All Directorates and employees of SUMAHAN HOTEL actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data are processed, for the purposes of applying the technical and administrative measures taken by the responsible units within the scope of the Policy, increasing the training and awareness of unit employees, preventing the illegal processing of personal data through monitoring and continuous control, preventing unlawful access to personal data and ensuring that personal data is retained lawfully.

    The distribution of the titles, units and job descriptions of those who carry out duties in the retention and destruction processes of personal data is given under Chart 1.

    TITLE: JOB DESCRIPTION

    Contact Person of the Data Controller: The main duties of the contact person are defined as designing, planning, carrying out of works and transactions required to be performed and organizing the relevant actions and ensuring the audits on behalf of the data controller within the framework of the procedures and principles determined in the PPDL.

    Archive Committee: Managing the processes of processing, retention, erasure, destruction and anonymization of personal data retained in the archive.

    RECORDING MEDIUMS

    Personal data are securely and legally retained by SUMAHAN HOTEL in the environments listed in Chart 2.

    ELECTRONIC ENVIRONMENTS

      • Servers (Domain, backup, e-mail, database, web, file sharing, etc.)
      • Software (Office Software, PMS, Accounting Software)
      • Information security devices (firewall, intrusion detection and blocking, daily log file, antivirus, etc.)
      • Personal computers (Desktop, laptop)
      • Mobile devices (phone, tablet, etc.)
      • Optical discs (CD, DVD, etc.)
      • Removable sticks (USB, Memory Card etc.)

    NON-ELECTRONIC ENVIRONMENTS

      • Paper
      • Written, printed, visual media

    • 5.1. Personal Data Retention

      Personal data belonging to customers, employees, visitors and employees of third parties, institutions or organizations with whom we have a relationship as service providers are retained and destroyed by SUMAHAN HOTEL in accordance with the Law. In this context, detailed explanations regarding the retention and destruction of personal data are given below. The concept of processing personal data is defined in Article 3 of the Law. Article 4 states that the processed personal data must be related, limited and proportionate to the purposes for which they are processed and must be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. The processing conditions of personal data are listed in Articles 5 and 6. Accordingly, SUMAHAN HOTEL retains personal data within the framework of its activities for the period stipulated in the relevant legislation or in accordance with our processing purposes.

      • 5.1.1. Legal Reasons Requiring Retention
        • PUBLIC HEALTH LAW NUMBERED 1593
        • LABOUR LAW NUMBERED 4857
        • CIVIL REGISTRY SERVICES ACT NUMBERED 5490
        • SOCIAL INSURANCE AND GENERAL HEALTH INSURANCE LAW NUMBERED 5510,
        • THE LAW ON THE REGULATION OF PUBLICATIONS ON THE INTERNET AND COMBATING CRIMES COMMITTED BY MEANS OF SUCH PUBLICATIONS NUMBERED 5651
        • TURKISH CODE OF OBLIGATION NUMBERED 6098,
        • OCCUPATIONAL HEALTH AND SAFETY LAW NUMBERED 6361,
        • PROTECTION OF PERSONAL DATA LAW NUMBERED 6698
      • 5.1.2. Processing Purposes Requiring Retention
        • Carrying out the Emergency Management Processes
        • Maintaining Information Security Processes
        • Carrying out Recruitment and Placement Processes for Employee Candidate/Trainee/Student
        • Execution of Employee Satisfaction and Loyalty Processes
        • Fulfillment of Obligations Arising From Employee Contracts and Legislation
        • Conducting Training Activities
        • Conducting Activities in Accordance with the Legislation
        • Conducting Company/Product/Service Commitment Processes
        • Ensuring Physical Space Security
        • Follow-up and execution of legal affairs
        • Conducting Communication Activities
        • Execution/Audit of Business Activities
        • Conducting Occupational Health / Safety Activities
        • Protection of Public Health
        • Execution of Logistics Activities
        • Execution of Goods/Services Purchasing Processes
        • Performing Goods/Service Sales Processes
        • Conducting Performance Evaluation Processes
        • Conducting Agreement Processes
        • Following up of Claims/Complaints
        • Transactions on Work and Residence Permits of Foreign Personnel
        • Conducting Talent/Career Development Activities
        • Providing Information to Authorized Persons, Institutions and Organizations
        • Execution of Management Activities
        • Generating and Monitoring Visitor Records
      • 5.1.3. Causes Requiring Destruction

        In the events where;

        • the relevant legislation provisions that form the basis for processing personal data are amended or abolished,
        • the purpose of processing or retaining personal data has disappeared,
        • In the event where the processing of personal data is only performed upon the obtaining of the explicit consent, the consent is withdrawn by the person concerned,
        • In the event where the application made with regard to the erasure and destruction of the personal data within the scope of the rights of the person concerned as per Article 11 of the Law is accepted by SUMAHAN HOTEL,
        • In the event where SUMAHAN HOTEL refuses the application made to it by the person concerned with the request of erasure, destruction or anonymization of her/his personal data, finds the answer insufficient or does not respond within the period stipulated in the Law; where a complaint is made to the Protection of Personal Data Board and this request is approved by the Board,
        • In the event where the maximum period for which retaining personal data has elapsed and there is no condition to justify the retaining of the personal data for a longer period of time,

        the personal data is erased or destroyed upon the request of the person concerned, or ex officio erased, destroyed or anonymized by SUMAHAN HOTEL.

    • 5.2. Ensuring Security of Personal Data

      SUMAHAN HOTEL takes all kinds of necessary technical and administrative measures to ensure the appropriate level of security required for the protection of personal data.

      It takes the necessary measures to fulfill the conditions stated under the subparagraph 1 of Article 12 of the PPDL, which are as follows;

      • To prevent unlawful processing of personal data,
      • To prevent unlawful access to personal data,
      • To ensure the protection of personal data.

      The measures implemented by MARM ASSISTANCE to ensure the security of personal data are detailed in the sub-articles below.

      • 5.2.1. Technical Measures

        SUMAHAN HOTEL employs informed and experienced persons in order to ensure data security and provides its employees with the necessary Information Security Awareness Trainings and PPD trainings. Necessary internal controls are made for the installed systems. It operates the processes of risk analysis, data classification, information security risk assessment and business impact analysis within the scope of the installed systems. In line with these processes, technical measures are taken in accordance with the developments in technology. Investments in infrastructure appropriate to the developing technology are made. It enables the installation of software and hardware including virus protection systems and firewalls. It uses the versions of the systems with the necessary security measures against current and known vulnerabilities and it records the logs of the systems. It ensures that the access authorization to personal data of the employees working in the information technology units is kept under control. SUMAHAN HOTEL implements access restrictions to personal data according to the principle of least authority. Access authorizations are checked periodically within the scope of ISO 27001 standard. It defines access and authorization in accordance with the directorate and process requirements. It checks the compliance of access with authorizations. It reports the information obtained as a result of checking the security of the systems to the relevant persons. Necessary technical measures are taken by determining the points that pose a risk. In order to maintain the security of Personal Data, it expands awareness to be a part of the corporate culture with a model that continuously operates technical measures. It ensures that the measures taken are kept alive with the controls. Camera systems and physical security measures are kept at the highest level within the entity. Environment monitoring of digital environments where personal data is kept, automatic fire extinguishing systems and access authorization controls are provided. Backups of personal data are retained in a different location under the control of SUMAHAN HOTEL.

      • 5.2.2. Administrative Measures

        SUMAHAN HOTEL takes the necessary administrative measures to ensure the security of personal data and inspects the works of its employees according to these measures. It defines the access authorizations in accordance with the directorate and process requirements at a level that does not cause disruption to business processes. Employees are informed that they cannot disclose the personal data they have learned to anyone in violation of the provisions of the Law, cannot use them for purposes other than processing, and that this obligation will continue even after they leave their job. Necessary undertakings are taken from the employees in this direction. Regarding the sharing of personal data with third parties, it signs a confidentiality agreement with the persons with whom personal data is shared or provides personal data security with the provisions to be added to the agreements. Third parties with whom personal data are shared accept the provisions that they will take necessary security measures to protect personal data and ensure that these measures are followed in their own organizations.

      • 5.2.3. Audits Made for the Sustainability of the Protection of Personal Data

        SUMAHAN HOTEL, in accordance with Article 12 of the Law, will carry out the necessary audits or have them carried out. It provides internal and external audits to ensure the sustainability of information security. It regularly performs penetration tests on the systems for technical gaps that may occur in the systems. Systems are regularly monitored by the information technology.

      • 5.2.4. Measures Applied to Ensure the Protection of Personal Data by Third Parties

        In the contracts it makes with third parties, SUMAHAN HOTEL mutually adds necessary sanction provisions for preventing the unlawful processing of personal data, preventing unlawful access to data and ensuring the retention of data. Confidentiality agreements are signed before sharing information with third parties. Necessary information is provided to third parties to raise awareness.

      • 5.2.5. Measures Applied for the Protection of Personal Data of Special Nature

        Adequate measures should be taken for personal data of special nature, both due to their characteristics and since they may cause victimization or discrimination. In Article 6 of the PPD Law, personal data, which has the risk of causing victimization or discrimination when illegally processed, are identified as the "data of special nature".

        These data are related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

        SUMAHAN HOTEL takes the necessary measures for the protection of personal data of special nature determined as the "data of special nature" by the Law and processed in accordance with the law. In the technical and administrative measures taken to protect personal data, sensitivity is displayed for the personal data of special nature.

      • 5.2.6. Raising Awareness to Ensure Protection of Personal Data

        Employees are informed as required, trainings are organized and their effectiveness is measured in order to raise awareness to prevent unlawful processing of personal data, to prevent unlawful access to data and to ensure the retention of data. Other documents related to the "Personal Data Retention and Destruction Policy" have been published on our entity's website.

        In case of any changes in the relevant law, regulation or legislation, the policies are revised and announced to the relevant persons again.

    • 5.3. PERSONAL DATA DESTRUCTION TECHNIQUES

      SUMAHAN HOTEL destroys the personal data that it obtains, upon the request of the personal data owner, provided that it is not obligatory to use it due to legal obligations or for the protection of public order and it does not affect the business processes. Personal data belonging to data owners is destroyed pursuant to the decision to be taken by the entity, when the requirements for continuing the service to our customers, for fulfilling legal obligations, and for planning employee rights and fringe benefits have disappeared. Personal data, which is not required to be retained on the dates determined by the Data Controller Contact Person, is destroyed every year with the following techniques in accordance with the legislation.

    • 5.4. Erasure of Personal Data

      Methods for erasure of personal data are specified in the chart given below.

      Data Recording Medium | Description
      Personal Data on Servers | For personal data on servers whose required retention period has expired, the system manager will remove the access authorization of the relevant users and conduct the erasure process of such data.
      Personal Data in Electronic Environment | The personal data in electronic environment, whose period required for the retention has expired, is made inaccessible in any manner and unusable again for employees (relevant users) other than the database manager.
      Personal Data in the Physical Environment | Personal data in the physical environment, whose retention period expires once a year, is sorted by the Committee consisting of the Chairman of the Board of Directors, Accounting Manager and Financial Advisor, and is destroyed by the recycling firm.
      Personal Data on Portable Media | The personal data kept in Flash-based storage media, whose retention period has expired, is encrypted by the system manager and is retained in secure environments with encryption keys to which only the system manager is given access authority.

    • 5.5. Destruction of Personal Data

      Destruction of personal data is specified in the chart given below.

      Data Recording Medium | Description
      Personal Data in the Physical Environment | Personal data in the physical environment, whose retention period expires once a year, is sorted by the Committee consisting of the Chairman of the Board of Directors, Accounting Manager and Financial Advisor, and is destroyed by the recycling firm.
      Optical / Magnetic Media Containing Personal Data | Personal data in optical media and magnetic media, whose period required for retention has expired, is made physically unreadable in an irreversible condition.

    • 5.6. Anonymization of Personal Data

      Anonymization of personal data is the process of making personal data unlikely to be associated with any identified or identifiable real person in any way, even when such personal data is paired with other data. In order for personal data to be anonymized, personal data must be made unlikely to be associated with any identified or identifiable real person in any way, even by using appropriate techniques in the recording medium and related field of activity, such as restoring personal data and/or pairing data with other data by the data controller or third parties.

    • 5.7. RETENTION AND DESTRUCTION PERIODS

      Regarding the personal data being processed by SUMAHAN HOTEL within the scope of its activities;

      • In the Personal Data Processing Inventory on the retention periods based on personal data related to all personal data within the scope of activities carried out depending on processes;
      • At the registration of retention periods based on data categories to DCRIS/VERBIS;

      updates are made on the mentioned retention periods, if required, by the Personal Data Contact Person.
      Personal data whose retention period has expired is destroyed ex officio.
      The retention periods of personal data are specified in the chart given below.

      Data | Retention Period
      Personnel Data | 10 Years
      Health Data of Employee | 10 Years
      Footage | 2 Months
      Internet Logs | 2 Years
      Employee Candidate Information | 2 Years
      Accounting Records | 5 Years

Minimum Contact, Maximum Hygiene

Dear guests,

Before your arrival, we wanted to share what is required for a safe stay at our hotel.

As this pandemic has taught us

"Please think about others before yourself."

We intend for you to leave here as healthy as you arrived.

Warmest regards




IT IS MANDATORY FOR ALL OUR GUESTS TO SHOW THEIR "HES CODES"

It is obligatory for guests to confirm the declaration "I have read and accept the following rules" in writing at the time of booking.

Mandatory Rules for Checking-in (16:00) and Checking-out (10:00)

  • If a guest has arrived before you and is checking in, please wait in your car until asked to enter by the hotel attendant.
  • The temperature of each guest is taken upon arrival. If any of the guests register temperatures that exceed the limit specified by the Ministry, they will not be allowed into the hotel and they will be directed to the nearest health care provider. During this process, all guests must wear a mask.
  • Your room key has been disinfected and must only be used by you. During your stay, the key must not come into contact with your personal belongings. Please be careful when carrying the key inside the hotel.
  • If you wish to make payments with a credit card, you must follow the instructions of the hotel staff who will process the payment.
  • For hotel guests who have arrived from abroad or will be traveling abroad, we have a special arrangement with the Biruni Diagnostic Laboratory, which is approved by the Turkish Ministry of Health for the Covid-19 PCR test. The test would be carried out at the Hotel for a total fee of 250TL, including VAT.

Mandatory Rules while in the Room

  • To maximize the effectiveness of the cleaning products used to disinfect the room, textile products should not touch any surfaces with which your shoes have come into contact. Therefore, avoid contact with the floor when using any provided textile products. These include pillows, piques, duvets, sheets, etc. Also, avoid placing the towels in the bathrooms on the floor with the exception of foot towels.
  • It is important that you use the trash bags provided for the waste in your room and bathroom. If you have additional personal trash such as shoeboxes, gift boxes, bags, hygiene products, etc., please request extra trash bags. Keep all trash bags tied and do not leave them out in the open.
  • The informational booklet usually found in your room has been removed to comply with the pandemic measures. Thank you for your sensitivity to the environment.
  • During this time, we encourage as much natural ventilation as possible. The filters of your room's air conditioning system have always been cleaned routinely, however currently they are being cleaned even more frequently. Your air conditioning and television remotes have been disinfected specifically for your use.
  • During your stay, a guest from outside your room is not allowed to visit you.
  • The layout in the garden lawn complies with social distancing protocols. Please do not change this layout.
  • Please inform the reception in advance if you do not want anyone to enter your room during your stay to perform the daily room cleaning. If you prefer, service can be limited to fresh towels.

Mandatory rules for Public Spaces and the Health Center

  • Please keep the contact between your personal items and the hotel's sun loungers, cushions, seats, etc. to a minimum.
  • Turkish Hamam service at the Health Center will be limited to 30 minutes and done by appointment only. There will be a 60-minute interval between each appointment to allow for hygienic cleaning. We have received our certificate of approval by TÜV NORD, which is a requirement for Health Center operation.

Mandatory Rules for Restaurant Use

  • The interior and exterior layouts of the restaurant comply with social distancing protocols. Please do not change this layout.
  • We continue to provide single-use towels in our public restrooms. Additionally, you will find hand sanitation stations throughout the hotel. As our restaurant also serves guests from the outside, we recommend that you use the bathroom facilities in your own room should the need arise.
  • The hotel management may close the public restrooms if they feel that the necessary hygiene protocols cannot be maintained.
  • The use of masks in the restaurant's indoor areas is required. The hotel staff are authorized to warn any guest who does not wear a mask in these areas.
  • In accordance with hygiene rules, each guest will receive a single-use menu or be provided with a QR Code to download the menu onto a smart phone.