Privacy policy

INFORMATION DISCLOSURE TEXT FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA

​

We, M & N BUTLER MİMARLAR ARAŞTIRMA TASARI VE YAPI LTD., (hereinafter referred to as “SUMAHAN ON THE WATER”), respect and care for the privacy of personal life.

 

We would like to inform you about your rights regarding the use and protection of your personal data under Law No. 6698 On the Protection of Personal Data (hereinafter referred to as the “LPPD”).

 

All your personal data, including your name and surname, Turkish ID no., passport no, birth date, birthplace, tax ID no., tax office, bank details and credit card details as well as your contact details including phone and e-mail which are processed by our Company for the purposes stated below and under the applicable legislation are protected under the Law No. 6698 On the Protection of Personal Data and other relevant legislation. Your personal data that you have shared may be processed, recorded, stored, updated, edited, disclosed, transferred or divulged to third parties or anonymized in our capacity as the Data Controller and for the purposes of our activities and services under the applicable Law.

Our Company’s liabilities, the purposes of processing and transferring your personal data, and the methods by which your personal data may be collected as well as your legal rights have been specified below:


DATA CONTROLLER

 

Under Law No. 6698 On the Protection of Personal Data, our Company (SUMAHAN ON THE WATER) is the data controller, and your personal data may be collected and processed pursuant to the scope defined below.


PURPOSE OF PROCESSING PERSONAL DATA

​

Your personal data may be processed for the following purposes:

  • handling the procedures for accommodation services,

  • discovering and meeting the customer needs,

  • measuring and enhancing customer satisfaction,

  • sending emails

 

​

THE POSSIBILITY OF TRANSFERRING THE PROCESSED PERSONAL DATA TO WHOM FOR WHAT PURPOSE

​

Your personal data collected may be transferred to companies operating in Turkey and abroad (Protel Bilgisayar A.Ş., Leading Hotels of The World, Ltd.) for the purposes specified in this Information Disclosure Text for The Protection and Processing of Personal Data and in line with the conditions and purposes of processing personal data as set out in Articles 8 and 9 of the Law no. 6698.

We may disclose your data to our lawyers for the fulfilment of our legal liabilities and, to the relevant institutions on the condition to be in compliance with the law and procedures, if requested by the judicial bodies or administrative authorities.

Your personal data may be shared with the General Directorate of Security in order to fulfil our obligations under the applicable legislation.


METHOD OF AND LEGAL GROUNDS FOR COLLECTION OF PERSONAL DATA

​

Your personal data may be collected by means of all kinds of automated or non-automated written, verbal or electronic media, including the completion by the data subject of electronic or physical forms, the transmission of e-mail messages, telephone calls and WhatsApp communication, visiting the web site and contact over social media platforms, online sales platforms, tourism agencies and transmission via solution partners for use subject to the purposes set forth in this Information Disclosure Text For The Protection And Processing Of Personal Data and the terms and conditions set forth in Articles 5 and 6 of the Law On the Protection of Personal Data.

​

The Company shall store those personal data collected by it for the duration necessary for the purpose underlying such processing.

​

Additionally, in the case of any disputes, the Company may keep personal data for a limited period and until the expiry of the statute of limitations identified pursuant to applicable legislation, for the purpose of pursuing administrative or judicial processes under the law.


LEGAL RIGHTS OF THE DATA SUBJECT

​

Data subjects may send their claims for their rights to the Company by using the following methods.  The Company shall fulfil this request as soon as possible, depending on the nature of the request.

Within this scope, data subjects are entitled:

​

  • To learn whether or not their personal data are being processed,

  • To request information on the procedure, if their personal data have been processed,

  • To obtain information on the purpose for which your personal data have been processed and find out whether your personal data have been used in line with their intended purpose,

  • To know about third parties to whom your personal data have been transferred domestically or abroad,

  • To request the correction of personal data that may have been processed incompletely or inaccurately, and to request that the operations carried out within this scope are notified to third parties to whom personal data have been transferred,

  • In the case where, although they have been processed pursuant to the provisions of Law no 6698 and other relevant laws, the reasons requiring them to be processed have been removed, to request that the personal data are deleted or destroyed, and the third parties to whom personal data are transferred are also informed about the transaction executed in this regard,

  • To object to the emergence of an outcome which is to the detriment of the relevant person as a result of the analyzing of the processed data solely through automated systems,

  • To request compensation for any loss suffered in case their personal data are processed unlawfully.

 

If data subjects send their requests for the said rights to the address of Kuleli Cad. No.43 Çengelköy, Üsküdar - ISTANBUL in writing by using the Personal Data Protection- Application Form available at www.sumahan.com or to info@sumahan.com by means of a secure electronic signature or mobile signature, or, if any, to info@sumahan.com by means of electronic mail address, if any, notified to the Company in advance and registered with the Company systems, these requests shall be considered and fulfilled as soon as possible.

​

Requests sent by data subjects should strictly contain the name and surname of the data subject, and if the application is in writing, his signature, Turkish ID no, or where it is a foreign citizen, his passport number, or, if any, ID number, and place of residence for notification purposes, or if any, office address, or if any, electronic mail address, telephone and facsimile for notice, and the subject matter of the request. In the event that the answer to the request shall be in writing, then no fee shall be charged up to ten pages, and for answers longer than 10 pages, the Company reserves its right to charge a fee at the fee tariff applicable in the legislation.  If the answer to an application is sent in a recording media such as CD, or flash memory, the Company may demand the cost of such recording media from the requesting data subject.

 

​

PERSONAL DATA STORAGE and DESTRUCTION POLICY

1. OBJECTIVE AND SCOPE
The Personal Data Storage and Destruction Policy has been prepared in order to set out the
procedures and principles regarding the acts and transactions for the storage and destruction
activities performed by our Company. The acts and transactions regarding the storage and
destruction of personal data by our Company are performed pursuant to the Policy prepared
by our Company in this respect.


2. RECORDING MEDIA
Personal data is stored by the Company lawfully in a secure manner on the media listed below.

 

Electronic Media:

​

  • Servers (Domain, backup, e-mail, database, web, file sharing, etc.)

  • Software (office software, etc.)

  • Information security devices (firewall, antivirus, etc.)

  • Personal computers (Desktop, laptop)

  • Mobile devices (telephone, tablet, etc.)

  • Optical disks (CD, DVD, etc.)

  • Removable sticks (USB, Memory Card, etc.)

  • Printer, scanner, photocopier

 

Non-electronic Media:

​

  • Paper,

  • Manual data recording systems,

  • Written, printed, and visual media

 

3. EXPLANATIONS REGARDING STORAGE AND DESTRUCTION
Personal data of the customers, potential customers, employees, employee candidates,
company shareholders and company officers, the employees, shareholders, officers of the
entities cooperated with, and the third parties are stored by the Company in accordance with
the Law, during the period prescribed in the legislation, and if no period is prescribed in the
legislation, until the purpose of processing no longer exists, and is destroyed also as prescribed
in the legislation.


3.1. Purposes of Processing that Require Storage
The Company stores the personal data it processes within the scope of its activities in line with
the following purposes.

​

  • Performance of Potential Employee Application Processes,

  • Conclusion and implementation of employment contracts,

  • Determination of suitability for the job,

  • Creation of employees’ personal files,

  • Making SSI notifications, Turkish Employment Agency (İŞKUR) notifications, and incentives and legal obligation notifications,

  • Ensuring the opening of a compulsory personal pension insurance account,

  • Paying to enforcement files the deductions made for employees’ salary attachment,

  • Making legal notifications for occupational accidents,

  • Carrying out occupational health and safety-related transactions,

  • Complying with other information storage, reporting, and information disclosure obligations, prescribed by the legislation, relevant regulatory institutions,

  • Ensuring that payroll transactions are carried out,

  • Making salary payments,

  • Arranging the employee leaves,

  • Determining the working periods,

  • Ensuring workplace security,

  • Planning and execution of the Company’s employment and human resources policies and processes,

  • Ensuring the legal, technical and commercial business security of the Company and of the relevant persons with which the Company shares a business relationship, following up and executing the legal affairs,

  • Performance of Employee Satisfaction and Loyalty Processes,

  • Fulfilment of the Obligations regarding the Employees arising from the Employment Contracts and Legislation,

  • Performance of the Benefits and Interests Processes for the Employees,

  • Performance of Training Activities,

  • Performance of Activities in Accordance with the Legislation,

  • Performance of Financial and Accounting Works,

  • Performance of Appointment Processes,

  • Performance of Communication Activities,

  • Receiving Recommendations and Assessment Thereof for Improvement of Business Processes,

  • Performance of Business Continuity Activities,

  • Performance of Sales Processes for Services,

  • Handling the processes for accommodation services,

  • Discovering and meeting the customer needs,

  • Measuring and enhancing customer satisfaction,

  • Sending emails,

  • Performance of Customer Relations Management Processes,

  • Execution of Activities for Customer Satisfaction,

  • Carrying Out Performance Evaluation Processes,

  • Performance of Contractual Processes,

  • Tracking Requests / Complaints,

  • Performance of Talent / Career Development Activities,

  • Provision of Information to Authorized Persons / Institutions and Organizations,

  • Performance of Management Activities,

  • Performance of Information Security Processes,

  • Execution of emergency management processes,

  • Execution of marketing processes of services,

  • Implementation of wage policy,

  • Execution of access authorizations,

 

and similar purposes.

 

3.2. Reasons that Require Destruction
Personal data is deleted, destroyed or anonymized where:

​

  • The applicable legislation provisions that constitute the basis for processing personal data are amended or repealed,

  • The purpose that necessitates processing and storage of personal data ceases to exist,

  • Personal data is processed solely based on explicit consent and the data subject revokes his/her explicit consent,

  • The Company accepts the application of the data subject made for deletion and destruction of his/her personal data within the framework of his/her rights pursuant to article 11 of the Personal Data Protection Law,

  • The Company rejects the application of the data subject requesting the deletion, destruction or anonymization of their personal data, or the data subject finds the answer given by the Company insufficient or no answer is given by the Company within the period prescribed by the Law, and the data subject files a complaint with the Board and this complaint is found acceptable by the Board,

  • In the cases where the maximum period during which the personal data is required to be stored has elapsed and no condition exists that would justify storing the data for a longer period, it is deleted or destroyed by the Company upon request of the data subject, or deleted, destroyed or anonymized ex-officio.


4. TECHNICAL AND ADMINISTRATIVE PRECAUTIONS
Technical and administrative precautions are taken by the Company within the framework of
the sufficient measures which are set and announced by the Board for the sensitive personal
data as per article 12, and the 4th paragraph of article 6, of the Personal Data Protection Law, for
secure storage, prevention of unlawful processing of and access to personal data, and
lawful destruction of personal data.


4.1. Technical Precautions
The technical precautions taken by the Company in relation to the personal data it processes
are listed below:

​

  • Network security and application security are ensured.

  • Key management is applied.

  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

  • The security of the personal data stored on the cloud is ensured.

  • Access logs are kept regularly with time stamps.

  • Firewalls are used.

  • Personal data is backed up and the backed-up personal data is protected.

  • User account management and authorization control system are implemented and monitored.

  • Log records are taken in a way that will not allow user intervention.

  • Sensitive personal data is always encrypted and sent with KEP (registered electronic mail) or corporate mail accounts, in cases where it is sent by electronic mail.

  • Encryption is made.

  • Sensitive personal data that are transferred on portable flash memory, CD and DVD are transferred by encryption.

  • Penetration Tests are applied.


4.2. Administrative Precautions
The administrative precautions taken by the Company in relation to the personal data it
processes are listed below:

​

 

  • With regard to the processing of personal data, a personal data inventory was created for the purpose of conducting current status determination and risk analysis, categories of the personal data processed, and data subjects were determined.

  • Disciplinary regulations containing data security provisions are in place with respect to the employees.

  • Training and awareness-raising activities on data security are organized at regular intervals for the employees.

  • Corporate policies have been prepared and are being implemented on the topics of access, information security, usage, storage and destruction.

  • Letters of undertaking for confidentiality/privacy are obtained.

  • Relevant authorizations of the employees who are reassigned or whose employment is terminated are revoked.

  • The executed agreements contain provisions on data security.

  • Additional security measures are taken for personal data that are transferred in hard copy and the relevant documents are sent after being marked as classified.

  • Personal data security policies and procedures have been determined.

  • Personal data security issues are reported forthwith.

  • Security of personal data is monitored.

  • Necessary security measures are taken regarding entry-to-exit from physical sites containing personal data. Security of physical sites containing personal data is ensured against external risks (fire, flood, etc.).

  • The security of media containing personal data is ensured.

  • Personal data is minimized to the maximum extent.

  • In-house periodic and/or random inspections are conducted and caused to be conducted.

  • Protocols and procedures regarding security of sensitive personal data have been determined and are being implemented.

  • Audits are ensured at certain intervals to ensure data security of data processor service providers.

 

Awareness-raising activities are carried out to ensure data security of data processor service
providers.


Provisions are added to the existing contracts with our business partners to whom personal
data is transferred within the scope of the Company activities and in accordance with the PDPL
as to that they will take the necessary security precautions for protection of the personal data
transferred and ensure that such measures will be complied with in their own organizations,
or separate contracts are made in this respect; apart from the exceptions introduced with
respect to the business partners, terms that impose the obligation of non-disclosure and non-use
are inserted and information is given in this regard.


In case of procurement of service from outside the Company due to the technical
requirements concerning storage of the personal data, provided that personal data is
transferred to such firms also in accordance with the PDPL, provisions are added to the
existing contracts as to that this firm and firm’s personnel will take the necessary security
precautions for protection of the personal data and ensure that such measures will be
complied with in their own organizations, or separate contracts are made in this respect.
Before starting to process personal data, the obligation of elucidating the data subjects is
fulfilled by the Company.


5. TECHNIQUES FOR DESTRUCTION OF PERSONAL DATA
At the end of the period prescribed in the applicable legislation or the storage period needed
for the purpose for which they are processed, personal data is destroyed by the Company in
line with the provisions of the relevant legislation through the use of the following techniques
either ex-officio or upon the application of the data subject.


5.1. Deletion of Personal Data
The personal data is deleted through the following methods:

​

 

  • Personal Data Stored in Servers: From among the personal data available in the servers, those whose storage period has expired are deleted by the system manager through suitable methods.

  • Personal Data Stored Electronically: Personal data stored electronically whose necessary storage period has expired is rendered inaccessible and non-reusable for the other employees (relevant users) except the database manager.

  • Personal Data Stored in Physical Media: Personal data stored in physical media whose necessary storage period has expired is rendered inaccessible and non-reusable for all employees other than the unit director responsible for archiving documents. In addition, data is concealed by crossing out, painting or erasing in a way that renders it indecipherable.

  • Personal Data Stored in Portable Media: The personal data stored in flash-based portable media, the necessary storage period of which has expired are stored in secure media after being encrypted by the system administrator who is given the exclusive access authorization.

 

5.2. Destruction of Personal Data
Personal data is destroyed by the Company with the following methods.

 

  • Personal Data Stored in Physical Media: The personal data contained in the printed media, the necessary storage period of which has expired are irreversibly destroyed by using shredders.

  • Personal Data Stored in Optical/ Magnetic Media: The personal data stored in optical and magnetic media, the necessary storage period of which has expired are destroyed by implementing physical destruction methods such as melting, burning or pulverizing. Furthermore, the magnetic media are exposed to high rate of magnetic field by being placed in a special device to render the data contained therein illegible.

 

5.3. Anonymization of Personal Data
Anonymization of personal data is the process of rendering it impossible for personal data to
be associated with any identified or identifiable real person in any way, even if the personal
data is matched with other data.


In order for personal data to be considered anonymized; it should become impossible for the
data controller or third parties to associate such personal data with an identified or
identifiable real person, even by using techniques appropriate in terms of the recording
medium and the relevant field of activity, such as data recovery and/or matching the data with
other data.


6. STORAGE AND DESTRUCTION PERIOD
With respect to personal data processed by the Company within the scope of its activities;
The storage periods for all personal data processed as part of the activities performed
depending on the processes, on the basis of different personal data, are contained in the
Personal Data Processing Inventory;

Personal data whose retention period has expired is anonymized or destroyed in accordance with the procedures contained in this Policy, at periods of 6 (six) months, within the framework of the destruction intervals. All the transactions carried out in relation to deletion, destruction or anonymization of personal data are recorded, and the aforementioned records are kept for a period of at least 3 (three) years, except for other legal obligations.

​

7. PERIODICAL DESTRUCTION INTERVAL
Pursuant to Article 11 of the Regulation, the Company has determined the periodical
destruction time interval as 6 months. Accordingly, a periodic destruction process is carried
out in the Company in the months of June and December every year.


8. PUBLICATION, RETENTION AND ABOLITION OF THE POLICY
This Policy is published on electronic medium, made public on the Company’s website
(www.sumahan.com), and made available to the personal data subjects upon request. This
Policy is updated as and where needed and any amendment enters into force by being
published on the website.


If this Policy is decided to be abolished, the former copies of the Policy are cancelled with a
cancellation stamp or by writing “cancelled” thereon and retained for at least 5 YEARS.


POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

​

1. INTRODUCTION
Our Company named MN Butler Mimarlar Araştırma Tasarı ve Yapı Ltd. Şti. has the capacity of Data
Controller under the Personal Data Protection Law no. 6698. Our Company processes the personal
data of its employees, employee candidates, customers, suppliers, company shareholders, company
officers, the employees, shareholders, and officers of all parties it cooperates with, under the
relevant legislation and to the extent required by the work and attaches high importance to
protection of the data processed.


Processing the data of our customers, suppliers, employees, employee candidates, company
shareholders and company officers, the employees, shareholders, officers we cooperate with, and
the third parties, in accordance with the Constitution of Republic of Turkey, international
conventions, Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation and
ensuring that the data subjects exercise their rights effectively, has been established as a priority.


2. DEFINITIONS
PDPL: Personal Data Protection Law No. 6698.


Constitution: The Constitution of Republic of Turkey dated 18.10.1982 and No. 2709.


Board : Personal Data Protection Board


Policy : Policy on the Protection and Processing of Personal Data


Turkish Penal Code : The Turkish Penal Code No. 5237, dated 26 September 2004.


Explicit Consent : Consent in relation to a specific matter, which is given upon being informed
and of one’s own free will.


Anonymization : Rendering personal data by no means identified or identifiable with a real
person even by linking with other data; changing personal data so that the personal data loses its
quality of personal data.


Personal Data Subject: Real person whose personal data is processed.


Personal Data : Any information relating to an identified or identifiable real person.


Sensitive Personal Data: Data in relation to race, ethnic origin, political opinion, philosophic belief,
religion, sect or other beliefs, appearance, membership to associations, foundations or unions,
health, sexual life, imprisonment and security measures and biometric and genetic data is sensitive
personal data.


Processing of Personal Data: Any transaction carried out on data, such as obtaining, recording,
storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available or
classifying the personal data or preventing its usage, by fully or partly automated means, or by non-automated means, provided they are part of a data-recording system.


Data Processor : Real and legal persons who process personal data on behalf of the data
controller based on the authorization given by the data controller.


Data Controller : A real or legal person data controller identifying the processing objectives and
means of personal data, and responsible for the establishment and management of the data
recording system.


3. PURPOSE AND SCOPE OF THE POLICY
The main purpose of this Policy is to inform our customers, suppliers, employees, employee
candidates, company shareholders and company officers, the employees, shareholders, officers we
cooperate with, whose personal data we are processing under the law and in a lawful manner, and
other persons whose personal data is processed by the Company, of the activities for processing of
their personal data and protection of their personal data.


The scope of this Policy is all personal data of our suppliers, employees, employee candidates,
company shareholders and company officers, and the employees, shareholders, officers of the
entities we cooperate with, and other 3rd parties whose data we are processing, through such means
which are automatic or which are not part of any data recording system.


This policy is published on the website of the Company at www.sumahan.com .


4. RULES FOR PROCESSING OF PERSONAL DATA


4.1. PROCESSING OF PERSONAL DATA UNDER THE RULES PRESCRIBED IN THE LEGISLATION
The Company processes the personal data in accordance with the provisions and rules introduced by
the Personal Data Protection Law No. 6698 (“Law”) and other relevant legislation.


4.1.1. Processing in Compliance with Law and Good Faith
The Company acts in accordance with the principle of lawfulness, trust, and good faith for processing
personal data.


4.1.2. Ensuring that Personal Data is Accurate, and Up to Date, When Necessary
The Company takes all necessary measures to ensure that the personal data it processes under the
legislation is accurate and up to date.


4.1.3. Processing for Specific, Clear and Legitimate Purposes
The Company processes the personal data only for specific, clear, and legitimate purposes. The
Company specifically and clearly determines the purposes of processing the personal data before
beginning the data processing activity, and explicitly communicates these purposes to the data
subject during obtaining their personal data.


4.1.4. Being Relevant, Limited, and Proportionate to the Purposes for which Data is processed
Our Company processes personal data with limitation to achievement of the purposes set and avoids
processing personal data that are not relevant for reaching the relevant purpose.

4.1.5. Preserving Personal Data for the Period Stipulated in the Relevant Legislation or the Period
required for the Purpose of Processing Thereof

Personal data is preserved only for the period prescribed in the relevant legislation or the period
required for the purpose of processing thereof. In this respect, first, if a period is prescribed in the
relevant legislation for storage of the personal data, personal data is processed being limited to such
periods, if no period is set out in the legislation or there is no legal reason that requires retaining the
data for a longer period, they are stored for such period which is necessary for the purpose of
processing thereof. Upon expiry of the specified period or if the reasons that require the processing
of personal data cease to exist, the personal data is deleted, destroyed, or anonymized.


4.2. CONDITIONS FOR PROCESSING OF PERSONAL DATA
Personal data is processed

​

 

  • Upon informing the data subjects pursuant to article 10 of the Law,

  • Based on and with limitation to one or several of the personal data processing conditions specified in article 5 of the Law,

  • In compliance with the law and principles of honesty in line with the legitimate Company purposes.


CIRCUMSTANCES WHERE PERSONAL DATA MAY BE PROCESSED

​

  • Upon explicit consent of the personal data subject: The express consent of the personal data subject should be given in relation to a specific matter, based on being informed and with free will.

  • If the processing of personal data is expressly permitted by the laws: The personal data of the data subject may be processed lawfully if it is explicitly stipulated by the Laws.

  • Inability to Obtain Express Consent of the Relevant Person due to Actual Impossibility: It may be processed when data processing is mandatory for the protection of life or bodily integrity of a personal data subject who is incapable of giving his/her consent due to physical impossibility or whose consent is legally invalid, or of another person.

  • If it is directly related to the execution or performance of the contract: Processing of the data is possible if processing of the personal data of the contract parties is necessary.

  • Fulfilment of legal obligation by the Company: Personal data of the data subject may be processed if processing is compulsory to fulfil the legal obligations of the Company as a data controller.

  • If the processing of personal data is mandatory for the establishment, exercise, or protection of a right; In case data processing is mandatory for establishing, exercising, or protecting a right, personal data of the data subject may be processed.

  • Being mandatory for the legitimate interests of the Company: Personal data may be processed provided that the fundamental rights and freedoms of the personal data subject are not infringed.

  • Making of the Personal Data Public by the Data Subject: If the data subject makes public his/her personal data, the relevant personal data may be processed.


CIRCUMSTANCES WHERE SENSITIVE PERSONAL DATA MAY BE PROCESSED
We act in compliance with the stipulations of the Law in the processing of personal data which are
specified as “sensitive” under the PDPL. Article 6 of the Law stipulates that certain personal data
which bears the risk of victimization and discrimination of the persons if processed illegally are
designated as “sensitive” personal data. Such data is those relating to race, ethnicity, political
convictions, philosophical beliefs, religions, denominations or other beliefs, clothing, memberships
to associations, foundations or unions, health, sexual life, criminal conviction, and security measures,
as well as biometric and genetic data. Sensitive personal data may be processed with the explicit
consent of the data subject.


Sensitive personal data of the data subject other than those related to health and sexual life may be
processed without the explicit consent of the data subject in the cases stipulated by law.


Sensitive personal data in respect of the health of the data subject and sexual life may be processed
without consent of the data subject only by the persons who are bound by a duty of confidentiality
or the authorized bodies and institutions for the purpose of public health protection, preventive
medicine, medical diagnosis, treatment, and healthcare services, planning and management of
health services and financing thereof.


4.3. TRANSFER OF PERSONAL DATA


4.3.1. Transfer of Personal Data to Third Parties
Personal data processed in line with the personal data processing purposes may be transferred to
third parties in the cases stipulated by the law. The stipulations in the Law are complied with in
sharing the personal data.


Personal data may be transferred to third parties, based on one or several of the conditions for
processing of personal data.


By taking the measures prescribed by the Board and the necessary security precautions and paying
utmost attention, sensitive personal data may be transferred to third parties if the circumstances
where sensitive personal data may be processed exist, and by complying with the obligations in
the Law.


4.3.2. Transfer of Personal Data Abroad
By taking the necessary security precautions and complying with the obligations in the Law, personal
data may be transferred to third parties resident abroad.


In line with legitimate and lawful data processing purposes, by taking the measures prescribed by the
Board and the necessary security precautions, in case of existence of one of the circumstances where
sensitive personal data may be processed, the personal data may be transferred to Foreign Countries
where the Data Controller is located, which has Sufficient Protection and Undertake Sufficient
Protection.


4.4. ELUCIDATING AND INFORMING THE PERSONAL DATA SUBJECT
In compliance with the obligation of elucidation prescribed by the Law, when personal data is
obtained, data subjects are informed of how and for what purpose their personal data will be processed,
to whom and for what purposes the personal data processed may be transferred, the method of and
legal grounds for collecting personal data, and the rights of the personal data subject under article
11 of the Law, etc. In this respect, data subjects are informed of the following as a minimum.

  • The Company, and its representative, if any,

  • The purpose for processing of personal data,

  • To whom and for what purposes the personal data may be transferred,

  • The method of, and the legal grounds for collection of personal data,

  • Rights of personal data subject.


4.4.1 Types of the Personal Data Processed
You may find in the following table the personal data categories processed in accordance with the
principles and obligations specified in the Law and the data subject category with which each
personal data category is associated.


4.4.2 Purposes of the Company for Processing Personal Data
Your personal data is processed under the Law and for the following purposes.

 

  • Performance of Potential Employee Application Processes,

  • Conclusion and implementation of employment contracts,

  • Determination of suitability for the job,

  • Creation of employees’ personal files,

  • Making SSI notifications, Turkish Employment Agency (İŞKUR) notifications, and incentives and legal obligation notifications,

  • Ensuring the opening of a compulsory personal pension insurance account,

  • Paying to enforcement files the deductions made for employees’ salary attachment,

  • Making legal notifications for occupational accidents,

  • Carrying out occupational health and safety-related transactions,

  • Complying with other information storage, reporting, and information disclosure obligations, prescribed by the legislation, relevant regulatory institutions,

  • Ensuring that payroll transactions are carried out,

  • Making the salary payments,

  • Arranging the employee leaves,

  • Determining the working periods,

  • Ensuring the workplace security,

  • Planning and execution of the Company’s employment and human resources policies and processes,

  • Ensuring the legal, technical, and commercial business security of the Company and of the relevant persons with which the Company shares a business relationship, following up and executing the legal affairs,

  • Performance of Employee Satisfaction and Loyalty Processes,

  • Fulfillment of the Obligations regarding the Employees arising from the Employment Contracts and Legislation,

  • Performance of the Benefits and Interests Processes for the Employees,

  • Performance of Training Activities,

  • Performance of Activities in Accordance with the Legislation,

  • Performance of Financial and Accounting Works,

  • Performance of Appointment Processes,

  • Performance of Communication Activities,

  • Receiving Recommendations and Assessment Thereof for Improvement of Business Processes,

  • Performance of Business Continuity Activities,

  • Performance of Sales Processes for Services,

  • Handling the processes for accommodation service,

  • Discovering and meeting the customer needs,

  • Measuring and enhancing the customer satisfaction,

  • Sending emails,

  • Performance of Customer Relations Management Processes,

  • Execution of Activities for Customer Satisfaction,

  • Carrying Out Performance Evaluation Processes,

  • Performance of Contractual Processes,

  • Tracking Requests / Complaints,

  • Performance of Talent / Career Development Activities,

  • Provision of Information to Authorized Persons / Institutions and Organizations,

  • Performance of Management Activities,

  • Performance of Information Security Processes,

  • Execution of emergency management processes,

  • Execution of marketing processes of services,

  • Implementation of wage policy,

  • Execution of access authorizations

 

and similar purposes.


The processes of receiving lawful explicit consent from the personal data subjects are implemented
in the cases sought by the Law. In case the personal data subject refrains from giving explicit consent,
the data of the data subject may be processed only as part of the circumstances where personal data
may be processed without receiving explicit consent and for the purposes conforming to such
circumstances.


4.4.3 Third Parties to Whom Personal Data is Transferred, and Purposes of Such Transfer
Personal data may be transferred to third parties in accordance with articles 8 and 9 of the Law.
Scope of the third parties to whom the transfer is made and the purposes of data transfer are
specified below.

  • For the purpose requested within the legal authority of Legally Authorized Public Institutions and Organizations and relevant public institutions and organizations,

  • For the purpose requested within the legal authority of Legally Authorized Private Law Persons and relevant private law persons,

  • In any case, within the purposes specified under article 4.4.2. above.


4.4.4 Storage Periods of Personal Data
Provided that it is stipulated by the applicable laws and legislation, Personal Data is stored for the
periods mentioned therein.


Unless the legislation prescribes how long personal data should be stored, personal data is processed
for the period required in connection with the activity being carried out and pursuant to the business
practices, and then deleted, destroyed, or anonymized. The details related to this subject are
specified in the Company’s Personal Data Storage and Destruction Policy and published on the
website at www.sumahan.com .


5. ENSURING SECURITY OF PERSONAL DATA
In accordance with article 12 of the PDPL, necessary technical and administrative measures are taken
to ensure the proper security level for ensuring the security of personal data, preventing the unlawful
access to personal data and the unlawful processing of this data, and ensuring the preservation of
the data.


It is possible to have inspections conducted for the purpose of lawful processing of the personal
data, ensuring the security of the personal data, and ensuring implementation of other provisions
of the Law.


In the case that the personal data is acquired by others by unlawful means, utmost care is exercised
to inform the personal data subject and the Board of this circumstance as soon as possible.


5.1 TECHNICAL PRECAUTIONS TAKEN TO ENSURE LAWFUL PROCESSING OF PERSONAL DATA AND TO PREVENT UNLAWFUL ACCESS TO PERSONAL DATA

  • Network security and application security are ensured.

  • Key management is applied.

  • Security precautions are taken within procurement, development, and maintenance of information technology systems.

  • The security of the personal data stored on the cloud is ensured.

  • Access logs are kept regularly with time stamp.

  • Firewalls are used.

  • Personal data is backed up and the backed-up personal data is protected.

  • User account management and authorization control system are implemented and are monitored.

  • Log records are taken in a way that will not allow user intervention.

  • Sensitive personal data is always encrypted and sent with KEP (registered electronic mail) or corporate mail accounts, in the cases where it is sent by electronic mail.

  • Encryption is applied.

  • Sensitive personal data that are transferred on portable flash memory, CD and DVD are transferred by encryption.

  • Penetration Tests are applied.


5.2 ADMINISTRATIVE PRECAUTIONS TAKEN TO ENSURE LAWFUL PROCESSING OF PERSONAL DATA AND TO PREVENT UNLAWFUL ACCESS TO PERSONAL DATA
With regard to the processing of the personal data, personal data inventory was created for the
purpose of conducting current status determination and risk analysis, categories of the personal
data processed, and data subjects were determined.


Disciplinary regulations containing data security provisions are in place with respect to the
employees.


Training and awareness-raising activities on data security are organized at regular intervals for the
employees.


Corporate policies have been prepared and are being implemented on the topics of access,
information security, usage, storage, and destruction.


Letters of undertaking for confidentiality/privacy are obtained.


Relevant authorizations of the employees who are reassigned or whose employment is terminated
are revoked.


The executed agreements contain provisions on data security.


Additional security precautions are taken for personal data that are transferred in hard copy and
the relevant documents are sent after being marked as classified.


Personal data security policies and procedures have been determined.


Personal data security issues are reported forthwith.


Security of personal data is monitored.


Necessary security precautions are taken regarding entry-to-exit from physical sites containing
personal data.


Security of physical sites containing personal data is ensured against external risks (fire, flood, etc.).


The security of media containing personal data is ensured.


Personal data is minimized to the greatest extent possible.


In-house periodic and/or random inspections are conducted or caused to be conducted.


Protocols and procedures regarding security of sensitive personal data have been determined and
are being implemented.


Audits are ensured at certain intervals to ensure data security of data processor service providers.


Awareness-raising activities are carried out to ensure data security of data processor service
providers.


Provisions are added to the existing contracts with our business partners to whom personal data is
transferred as part of the Company’s activities and in accordance with the PDPL as to that they will
take the necessary security precautions for protection of the personal data transferred and ensure
that such measures will be complied with in their own organizations, or separate contracts are made
in this respect; apart from the exceptions introduced with respect to the business partners, terms that impose the obligation of non-disclosure and non-use are inserted and information is given in this
regard.


In case of procurement of service from outside the Company due to the technical requirements
concerning storage of the personal data, provided that personal data is transferred to such firms also
in accordance with the PDPL, provisions are added to the existing contracts as to that this firm and
firm’s personnel will take the necessary security precautions for protection of the personal data and
ensure that such measures will be complied with in their own organizations, or separate contracts
are made in this respect.


Before starting to process personal data, the obligation of elucidating the data subjects is fulfilled by
the Company.


5.3 INSPECTION OF THE MEASURES TAKEN FOR PROTECTION OF PERSONAL DATA
Necessary inspections are conducted or caused to be conducted in respect of the precautions taken
for protection of the personal data under the PDPL.


5.4 MEASURES TO BE TAKEN IN CASE OF UNAUTHORIZED DISCLOSURE OF PERSONAL DATA
In the case that the personal data is acquired by others by unlawful means, the personal data subject
and the Board are informed of this circumstance as soon as possible.


6. STORAGE, DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
The personal data processed in accordance with the principles contained in the PDPL are stored
throughout the period prescribed in the legislations. If no period is prescribed for storage in the
legislation, the personal data is stored until the purpose for which the personal data is processed no
longer exists. In this respect, storage periods are determined considering the applications and the
practices of business life.


As set forth by Article 138 of the Turkish Criminal Code and Article 7 of the PDPL, in case the reasons
requiring them to be processed have ceased to exist, although they are processed in accordance with
the provisions of the relevant law, personal data is deleted, destroyed, or anonymized ex officio or
upon the request of the data subject.


Personal data may be stored for the purpose of constituting evidence in possible legal disputes,
claiming a right which can be proved with personal data, establishing the defense, and replying to
the information requests from the authorized public organizations. The limitation periods are
considered for claiming the said right in establishment of these periods.


The details related to this are specified in the Company’s Personal Data Storage and Destruction
Policy and published on the website at www.sumahan.com.


In accordance with article 28 of the Law, anonymized personal data may be processed for
purposes such as research, planning, and statistics. Anonymized data is outside the scope of the Law
as it will not be considered “personal data”.

6.1 TECHNIQUES FOR DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA


6.1.1 Techniques for Deletion and Destruction of Personal Data
The personal data is deleted through the following methods:

  • Personal Data Stored in Servers: From among the personal data available in the servers, those the storage period of which has expired are deleted by the system manager through suitable methods.

  • Personal Data Stored Electronically: From among the personal data stored electronically, those the retention period of which has expired are rendered inaccessible and non-reusable by the other personnel (relevant users) except the database manager.

  • Personal Data Stored in Physical Media: From among the personal data stored in physical media, those the retention period of which has expired are rendered inaccessible and non-reusable for all employees, except for the unit director responsible for document archive. In addition, data is concealed by crossing out / painting/ erasing in the way to render it indecipherable.

  • Personal Data Stored in Portable Media: From among the personal data stored in flash-based portable media, those the retention period of which has expired are stored in secure media after being encrypted by the system administrator, who should have exclusive access authorization.

Personal data is destroyed by the Company with the following methods:

  • Personal Data Stored in Physical Media: From among the personal data contained in the printed media, those the retention periods of which have expired are irreversibly destroyed by using shredders.

  • Personal Data Stored in Optical/Magnetic Media: From among the personal data stored in optical and magnetic media, those the retention periods of which have expired are destroyed by implementing physical destruction methods such as melting, burning, or pulverizing. Furthermore, the magnetic media are exposed to a high-intensity magnetic field by being placed in a special device to render the data contained therein illegible.


6.1.2 Techniques for Anonymization of the Personal Data
Anonymization of personal data is the process of rendering it impossible for personal data to be
associated with any identified or identifiable real person in any way, even if the personal data is
matched with other data.


For personal data to be considered anonymized, it should become impossible for the data controller
or third parties to associate such personal data with an identified or identifiable real person, even by
using techniques appropriate in terms of the recording medium and the relevant field of activity, such
as data recovery and/or matching the data with other data.


7. RIGHTS OF THE DATA SUBJECT AND RULES FOR EXERCISING THESE RIGHTS
If the personal data subjects submit their claims for the rights listed below to the Company in writing,
the Company concludes the claim as soon as possible and at the latest within thirty days, depending
on the nature of claim.

7.1. RIGHTS OF THE PERSONAL DATA SUBJECT

  • Learn whether your personal data is processed,

  • Request information on the procedure, if personal data have been processed,

  • Learn the purpose of processing of the personal data and whether such data is used in accordance with its purpose,

  • Know the third person to whom personal data is transferred at home or abroad,

  • Request the correction of personal data that may have been processed incompletely or inaccurately, and request that the operations carried out in this context are notified to third parties to whom personal data have been transferred,

  • Request the deletion or destruction of your personal data in the case that the reasons requiring them to be processed have ceased to exist, even though they are processed in accordance with the provisions of the Law and other relevant laws, and request that the third parties to whom your personal data have been transferred are notified of the procedure carried out in this context,

  • Object to the emergence of an outcome that is to the detriment of the data subject because of the analysis of the data processed exclusively through automated systems,

  • Request compensation for any loss suffered in case your personal data is processed unlawfully.


Conditions in which Personal Data Subjects cannot Exercise Their Rights
As the following cases are exempted from the scope of the Law pursuant to Article 28 of the PDPL,
personal data subjects are not entitled to exercise their rights listed in Section 7.1 hereunder:

  • Processing of personal data for research, planning, statistical and similar purposes by anonymizing them through official statistics,

  • Processing of personal data for the purposes related to arts, history, literature, or science, or within the freedom of expression without violating the national defense, national security, public security, public order, economic security, right of privacy or personal rights, and without committing a crime.

  • Processing of personal data as part of preventive, protective and intelligence-related activities carried out by public agencies and institutions tasked and authorized by law to secure national defense, national security, public security, public order and economic security.

  • Processing of personal data by judicial or executive authorities concerning investigation, prosecution, litigation, or execution processes.


As per article 28/2 of the PDPL, in the following cases, article 10 arranging the Company’s obligation
of elucidation, article 11 arranging the rights of the data subject, except for the right to claim
compensation of damages, and article 16 arranging the obligation of registration in the data
controller’s register do not apply:

  • If it is required to process personal data for prevention or investigation of crimes.

  • If the personal data have already been made public by the data subject himself/herself.

  • If processing of personal data is necessary for the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations holding public institution status.

  • If processing of personal data is required for the protection of the economic and financial interests of the Government on budget, tax, and financial matters.


7.2. EXERCISE OF THE RIGHTS BY THE PERSONAL DATA SUBJECT
Personal data subjects may submit their claims related to the above-mentioned rights as per the 1st
paragraph of article 13 of the PDPL to the Company in writing. For application, they need to complete
the “Personal Data Protection - Application Form” available at www.sumahan.com and submit it
through one of the methods determined by the Company.


As a rule, the Company fulfills the applications of the data subjects free of charge for up to 10 pages.
However, if the transaction requested has an additional cost, the fees contained in the tariff
determined by the Board may be claimed from the data subject.


Incomplete application forms will not be processed by the Company. For confirming whether or not the
person who made the application is the personal data subject or clarifying the request if the nature
of the request cannot be understood from the content of the form, the Company may request
additional information and documents from the data subject who made the application.


In order that a third party can make an application on behalf of a personal data subject, a special
power of attorney issued by the data subject to such third party is required.


7.3. COMPANY’S REPLY TO APPLICATIONS
In the case that the data subject forwards the application form to the Company as specified above,
the Company replies to the request as soon as possible depending upon the nature of the request
contained in the form.


In case the application is rejected, replied insufficiently, or not replied in due time pursuant to Article
14 of the Law; the personal data subject may file a complaint with the PDP Board within thirty days
following the date he/she learns the reply of the Company and in any event, within sixty days
following the date of application.


7.4 COMPANY’S RIGHT TO REJECT THE APPLICATION OF THE PERSONAL DATA SUBJECT
The Company may reject the application of the data subject in the following cases by explaining the
grounds of rejection:

  • The circumstances listed in article 28 of the PDPL,

  • The request of the personal data subject is likely to hinder the rights and freedoms of other persons,

  • The requests require disproportionate efforts,

  • The requested information is available to the public,

  • The requests other than those specified in article 11 of the PDP Law.


8. UPDATING PERIOD OF THE POLICY
The Policy is reviewed when required and the necessary sections thereof are updated.


9. ENFORCEMENT AND ABOLITION OF THE POLICY
The Policy is deemed to have entered into force upon its publication on the Company’s website. If it
is decided to be abolished, the former copies of the Policy with wet signature are signed (by stamping
them with a cancellation stamp or by writing “canceled” thereon) and kept for at least 5 years.

M & N BUTLER MİMARLAR ARAŞTIRMA TASARI VE YAPI LTD. ŞTİ.

“SUMAHAN ON THE WATER”
