PERSONAL DATA PROTECTION AND PROCESSING POLICY
SECTION 1: INTRODUCTION
1. THE IMPORTANCE OF PERSONAL DATA PROTECTION
Protection of personal data is a constitutional right and is among our company’s priorities. Accordingly, this policy has been prepared with the aim of establishing a continuously updated system within our company. Within the scope of the Law on the Protection of Personal Data No. 6698, Hayati Yachting and Tourism Services Limited Company, as the data controller of the registered trademark “Cemre Yachts” and the website www.cemreyachting.com, has prepared this policy in order to fulfill the general obligation to inform and to set out the fundamental principles of our company’s personal data processing rules. Within this scope, it regulates the fundamental principles regarding the protection of personal data of our customers, potential customers, employees, employee candidates, interns and students, supplier/subcontractor employees and authorized representatives, our company shareholders and partners, visitors, and other third parties whose data we process.
For the implementation of the matters specified in this policy, necessary procedures are arranged within the Company; information notices aligned with the Personal Data Processing Inventory specific to person categories are created; personal data protection and confidentiality agreements are executed with Company employees and third parties who have access to personal data; job descriptions are revised; the required administrative and technical measures for the protection of personal data are taken by Hayati Yachting and Tourism Services Limited Company, and necessary audits are carried out or commissioned within this scope.
2. PURPOSE OF THE POLICY
The main purpose of this Policy is to set forth the principles regarding the personal data processing activities carried out by Hayati Yachting and Tourism Services Limited Company in a lawful manner and the protection of personal data, and within this scope to ensure transparency by informing and enlightening the persons whose personal data is processed by our company.
3. SCOPE
This Policy relates to all personal data that we process—either by fully/partly automated means or by non-automated means provided that it forms part of a data recording system—of the persons we categorize under the headings of “our customers, potential customers, employees, employee candidates, interns and students, supplier/subcontractor employees and authorized representatives, our company shareholders and partners, visitors, and other third parties whose data we process.”
4. IMPLEMENTATION OF THE POLICY AND THE RELEVANT LEGISLATION
In matters regarding the processing and protection of personal data, the relevant legal regulations in force shall primarily apply. In the event of any inconsistency between the legislation in force and this Policy, our Company accepts that the legislation in force shall apply.
5. ACCESS AND UPDATING
The Policy is published via our Company’s website with the domain www.cemreyachting.com, is made available to personal data subjects upon their request, and is updated when necessary.
SECTION 2: PROCESSING OF PERSONAL DATA
Our Company may carry out personal data processing activities in accordance with Article 20 of the Constitution and Article 4 of KVKK, in a manner that is lawful and compliant with the rules of honesty; accurate and, where necessary, kept up to date; for specific, explicit, and legitimate purposes; limited and proportionate to the purpose. Our Company retains personal data for the period prescribed by law or for as long as required by the purpose of processing.
Pursuant to Article 20 of the Constitution and Article 5 of KVKK, our Company processes personal data based on one or more of the conditions set out in Article 5 of KVKK regarding personal data processing.
Pursuant to Article 419 of the Turkish Code of Obligations, without prejudice to Law No. 6698 (KVKK), our Company processes the personal data of employees and employee candidates based on the purposes of suitability for work and performance of the employment contract.
In accordance with Article 20 of the Constitution and Article 10 of KVKK, our Company informs personal data subjects, and in case personal data subjects request information and apply to exercise their rights arising from the law, our Company provides the necessary information and responds to applications within the legal period.
Our Company acts in accordance with the regulations stipulated for the processing of special categories of personal data pursuant to Article 6 of KVKK.
In accordance with Articles 8 and 9 of KVKK, our Company complies with the rules stipulated by law regarding the transfer of personal data and carries out its practices by taking into account the decisions of the KVKK Board, published communiqués, and safe country lists.
2.1. PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES AND RULES STIPULATED IN LEGISLATION
A. Principles of Processing Personal Data
a. Processing in Compliance with the Law and the Rules of Honesty
Our Company acts in compliance with the principles introduced by legal regulations and the rules of honesty in the processing of personal data. Within this scope, our Company determines the legal grounds that require the processing of personal data, takes proportionality requirements into account, does not use personal data beyond what the purpose requires, and does not conduct processing activities without the knowledge of individuals.
b. Ensuring that Personal Data is Accurate and, Where Necessary, Up to Date
Our Company ensures that the personal data it processes is accurate and up to date, taking into account the fundamental rights of personal data subjects and its own legitimate interests, and takes the necessary measures accordingly. In this scope, an effort is made to keep data relating to all person categories up to date.
In particular, customer and potential customer data is carefully updated, and marketing/promotional e-mails and offers are not sent to individuals contrary to their consent.
c. Processing for Specific, Explicit, and Legitimate Purposes
Our Company clearly and precisely determines the legitimate and lawful purpose of processing personal data. Our Company processes personal data in connection with the service it provides and only to the extent necessary for such service. The purpose for which personal data will be processed is determined before the processing activity and is also recorded in the “Personal Data Inventory.”
d. Being Related to the Purpose, Limited, and Proportionate
Our Company processes personal data in a manner suitable for achieving the determined purposes and avoids processing personal data that is unrelated to the achievement of the purpose or not needed. In this scope, processes are continuously reviewed and an effort is made to implement the principle of “data minimisation.”
B. Rules for Processing General (Non-Special) Personal Data
Protection of personal data is a right defined in the Constitution, and fundamental rights and freedoms may be restricted only by law and only based on the reasons specified in the relevant articles of the Constitution, without touching their essence. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may be processed only in cases prescribed by law or with the explicit consent of the person. Accordingly, in the processing of personal data, our Company processes personal data without seeking the explicit consent of the relevant person only if one of the conditions below exists:
• Explicitly prescribed by law,
• Being mandatory for the protection of the life or physical integrity of the person or another person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid,
• Being necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
• Being mandatory for the data controller to fulfil its legal obligation,
• Being made public by the relevant person himself/herself,
• Being mandatory for the establishment, exercise, or protection of a right,
• Being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
If the above conditions are not present, our Company applies for the explicit consent of the relevant person based on free will and informed decision. Especially in the field of Human Resources and employment relations, considering the dependency relationship of the employee, it is essential to rely primarily on legal bases other than consent; however, if those bases are not applicable, explicit consent is sought. On the other hand, for activities such as marketing, processing is carried out based on the consent of the relevant person. In any case, in all situations where personal data is processed, data processing is carried out based on “informing employees.”
C. Rules for Processing Special Categories of Personal Data
In the processing of personal data defined as “special categories” under KVKK, our Company acts in accordance with the regulations stipulated in KVKK. Article 6 of KVKK defines certain personal data as “special categories” due to the risk of causing victimisation or discrimination if processed unlawfully, and care and sensitivity are required in processing this data. These include: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/foundation/union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. In compliance with KVKK, our Company processes special categories of personal data, provided that necessary measures are taken, in the following cases:
• Special categories of personal data other than health and sexual life may be processed if prescribed by law or based on the explicit consent of the personal data subject.
• Special categories of personal data relating to health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or by authorized institutions and organizations, or with the explicit consent of the personal data subject.
• Regardless of the legal ground, general data processing principles are always taken into consideration in processing processes, and compliance with these principles is ensured (KVKK Art. 4).
Regarding the protection of special categories of personal data, our “Personal Data Protection and Processing Policy” has been put into effect within our company; our business units act in accordance with this policy, and necessary measures are taken.
D. Informing and Notifying the Relevant Persons Whose Data is Processed
In accordance with Article 10 of KVKK, our Company informs personal data subjects during the acquisition of personal data. In this scope, the relevant person whose data is processed is informed about: the purpose of processing personal data; to whom and for what purpose the processed personal data may be transferred; the method and legal ground of personal data collection; and the rights of the relevant person whose personal data is processed. We are legally obliged to provide information to relevant persons regarding:
• Our Company’s title and, if any, the identity of our representative
• The purposes for which personal data is processed by Hayati Yachting and Tourism Services Limited Company
• To whom and for what purposes personal data processed by Hayati Yachting and Tourism Services Limited Company may be transferred
• The method and legal ground of collecting personal data
• The rights of the relevant person listed in Article VIII
2.2. TRANSFER OF PERSONAL DATA
In line with lawful personal data processing purposes, our Company may transfer the personal data and special categories of personal data of the relevant person whose data is processed to third parties by taking the necessary security measures. In this regard, our Company acts in accordance with the regulations stipulated in Article 8 of KVKK.
A. Principles of Transfer of Personal Data
In line with legitimate and lawful personal data processing purposes, our Company may transfer personal data to third parties in a limited manner based on one or more of the personal data processing conditions set out in Article 5 of the Law, as listed below:
• Based on the explicit consent of the relevant person whose personal data is processed, or
• If there is an explicit legal provision regarding the transfer of personal data,
• If it is mandatory for the protection of the life or physical integrity of the personal data subject or another person, and the personal data subject is unable to disclose consent due to actual impossibility or his/her consent is not legally valid,
• If it is necessary to transfer the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for our Company to fulfil its legal obligation,
• If personal data has been made public by the relevant person himself/herself,
• If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
• If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the relevant person whose personal data is processed.
Regardless of the reason, general data processing principles are always taken into consideration in transfer processes and compliance with these principles is ensured (KVKK Art. 4).
B. Transfer of Special Categories of Personal Data
By exercising due care, taking the necessary security measures, and adopting sufficient measures stipulated by the KVKK Board, our Company may transfer special categories of personal data of the relevant person whose data is processed to third parties in the following cases in line with legitimate and lawful personal data processing purposes:
• Based on the explicit consent of the relevant person, or
• If the relevant person has not given explicit consent:
• Special categories of personal data other than the relevant person’s health and sexual life (race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/foundation/union membership, criminal convictions and security measures, biometric and genetic data) may be transferred in cases prescribed by law,
• Special categories of personal data relating to the relevant person’s health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or by authorised institutions and organisations.
Regardless of the reason, general data processing principles are always taken into consideration in transfer processes and compliance with these principles is ensured (KVKK Art. 4).
C. Transfer of Personal Data Abroad
In line with lawful personal data processing purposes, our Company may transfer the personal data and special categories of personal data it processes to third parties by taking the necessary security measures. Personal data is transferred by our Company to countries declared by the KVKK Board as providing adequate protection, to foreign countries announced as having adequate protection (“Foreign Country with Adequate Protection”), or, where adequate protection does not exist, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the KVKK Board has granted permission (“Foreign Country Where a Data Controller Undertaking Adequate Protection is Located”). Our Company acts in accordance with the regulations stipulated in Article 9 of KVKK.
In line with legitimate and lawful personal data processing purposes, our Company may transfer personal data to Foreign Countries with Adequate Protection or to Foreign Countries Where a Data Controller Undertaking Adequate Protection is Located and to countries compliant with GDPR, if the relevant person whose personal data is processed has given explicit consent, or if the relevant person has not given explicit consent but one of the following conditions exists:
• If there is an explicit legal provision regarding the transfer of personal data,
• If it is mandatory for the protection of the life or physical integrity of the relevant person whose personal data is processed or another person, and the relevant person is unable to disclose consent due to actual impossibility or his/her consent is not legally valid,
• If it is necessary for the transfer of the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract,
• If personal data transfer is mandatory for our Company to fulfil its legal obligation,
• If personal data has been made public by the relevant person himself/herself,
• If personal data transfer is mandatory for the establishment, exercise, or protection of a right,
• If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.
2.3. PERSONAL DATA CATEGORIZATIONS
Persons whose data is processed within our Company and the data processed within this scope are categorised as follows:
PERSON AND DATA CATEGORIZATION
| Person Category | Description |
|---|---|
| Job Applicant | Natural persons who have applied for a job at our Company in any manner or who have made their CV and related information available for review by our Company |
| Employee | Natural persons working at our Company |
| Potential Customer | Natural persons who have requested or shown interest in using our services, or who are evaluated—within commercial practices and the rules of honesty—as potentially having such interest |
| Supplier Employee | Natural persons working at institutions with which our Company has any business relationship (such as business partners, suppliers, etc., without limitation) |
| Supplier Authorised Representative | Natural persons who are shareholders and authorised representatives of institutions with which our Company has a business relationship |
| Customer | Natural persons who use or have used the services offered by our Company, regardless of whether they have any contractual relationship with our Company |
| Visitor | Natural persons who enter our Company’s physical premises for various purposes or who visit our websites |
| OTHER | Third-party natural persons related to the above-mentioned persons to ensure the security of commercial transactions between our Company and the parties mentioned above, or to protect the rights of such persons and secure benefits (e.g., family members and relatives) |
DATA CATEGORIES
| Data Category | Description |
|---|---|
| Identity Data | Data in documents such as driver’s license, ID card, residence certificate, passport, attorney ID, marriage certificate, etc., that clearly belong to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Contact Data | Data such as phone number, address, e-mail, etc., that clearly belong to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Location Data | Data that determines the location of the personal data subject while using our services, or of employees of institutions we cooperate with while using our Company vehicles; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Personnel Data | All personal data processed to obtain information that will form the basis for the accrual of personnel rights of our employees or natural persons in a working relationship with our Company; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Legal Transaction & Compliance Data | Personal data processed within the scope of determining and following up our legal receivables and rights, performance of our obligations, our statutory obligations, and compliance with our Company policies; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Customer Transaction Data | Records related to the use of our services and information, such as instructions and requests required for the customer to use the services, clearly belonging to an identified or identifiable natural person and included in a data recording system |
| Physical Premises Security Data | Personal data related to records and documents obtained during entry into physical premises and stay within physical premises; clearly belonging to an identified or identifiable natural person and included in a data recording system |
| Transaction Security Data | Personal data processed to ensure technical, administrative, legal, and commercial security while conducting activities; clearly belonging to an identified or identifiable natural person and included in a data recording system |
| Risk Management Data | Personal data processed through methods generally accepted in legal and commercial practice and in line with the rule of honesty to manage our commercial, technical, and administrative risks; clearly belonging to an identified or identifiable natural person and included in a data recording system |
| Financial Data | Personal data related to information, documents, and records showing any financial outcome created depending on the type of legal relationship established between our Company and the personal data subject; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Performance & Career Development Data | Personal data processed for measuring the performance of employees or natural persons in a working relationship with our Company and for planning and conducting their career development within the scope of our human resources policy; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Marketing Data | Personal data processed for marketing our services by customising them in line with the personal data subject’s usage habits, preferences, and needs, and reports/evaluations created as a result of such processing; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Visual & Audio Data | Personal data such as photos and camera recordings (excluding recordings falling under Physical Premises Security Data), voice recordings, and data contained in copies of documents that include personal data; clearly belonging to an identified or identifiable natural person; processed partly/fully by automated means or non-automated means, provided that it is part of a data recording system |
| Special Categories of Data (Health, Sexual Life) | Data relating to health and sexual life; and data such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/foundation/union membership, criminal convictions and security measures, biometric and genetic data |
SECTION 3: LEGAL GROUNDS AND PURPOSES OF PROCESSING PERSONAL DATA
3.1. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
General Principles
Even though the legal grounds for processing personal data by our Company may vary, in all personal data processing activities, we act in accordance with the general principles in Article 4 of Law No. 6698. Accordingly, in all data processing:
• Compliance with the law and the rules of honesty,
• Being accurate and, where necessary, up to date,
• Being processed for specific, explicit, and legitimate purposes,
• Being related to the purpose, limited, and proportionate,
• Being retained for the period prescribed in relevant legislation or required for the purpose for which it is processed,
are considered as general principles.
Legal Bases (Lawfulness Conditions)
a) Existence of the Explicit Consent of the Personal Data Subject
One of the conditions for processing personal data is the explicit consent of the personal data subject. The explicit consent of the personal data subject must be disclosed regarding a specific matter, based on being informed, and with free will.
b) Explicitly Prescribed by Law
The personal data of the data subject may be processed lawfully if explicitly prescribed by law.
For example, notifying the identities of our employees to authorised authorities pursuant to identity notification legislation.
c) Failure to Obtain the Relevant Person’s Explicit Consent Due to Actual Impossibility
If it is mandatory to process the personal data to protect the life or physical integrity of the person himself/herself or another person who is unable to disclose consent due to actual impossibility or whose consent is not legally valid, the personal data of the data subject may be processed. For example, sharing the blood type information of an employee who has fainted with a physician.
d) Being Directly Related to the Establishment or Performance of a Contract
Personal data may be processed if it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract. For example, receiving a CV from a candidate to establish an employment contract, and obtaining an address to enable service/notification within the scope of the contract.
e) Fulfilling the Company’s Legal Obligations
If processing is mandatory for our Company, as the data controller, to fulfil its legal obligations, the personal data of the data subject may be processed. For example, processing family information to enable an employee to benefit from the minimum living allowance.
f) The Personal Data Subject Making His/Her Personal Data Public
If the data subject has made his/her personal data public, the relevant personal data may be processed. For example, if our customers submit complaints, requests, or suggestions on a publicly accessible platform on the internet, they make their relevant information public. In this case, it is possible for our Company’s authorised person to process the data, limited to the purpose of responding to complaints, requests, or suggestions.
g) Necessity of Data Processing for the Establishment or Protection of a Right
If data processing is mandatory for the establishment, exercise, or protection of a right, the personal data of the data subject may be processed. For example, retaining evidential data (sales contract, invoice) and using it when necessary.
h) Necessity of Data Processing for Our Company’s Legitimate Interests
Provided that it does not harm the fundamental rights and freedoms of the personal data subject, if data processing is mandatory for our Company’s legitimate interests, the personal data of the data subject may be processed. For example, monitoring critical points via security cameras against theft or for occupational safety purposes.
Processing of Special Categories of Personal Data and Lawfulness Conditions
Special categories of personal data may be processed by our Company, if the personal data subject has not given explicit consent, only in cases prescribed by law and provided that adequate measures to be determined by the KVKK Board are taken. Special categories of personal data relating to the personal data subject’s health and sexual life may be processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or by authorised institutions and organisations. Regardless of the reason, general data processing principles are always taken into consideration in processing activities, and compliance with these principles is ensured (KVKK Law Art. 4).
3.2. PURPOSES OF PROCESSING PERSONAL DATA
Our Company processes personal data only within the purposes and conditions set out in paragraph 2 of Article 5 and paragraph 3 of Article 6 of Law No. 6698. During the data processing process, the legal grounds stated above are taken into account; if no other lawfulness condition exists, the consent of the relevant person is requested. In this process, compliance with general principles under Article 4 is also reviewed, and first and foremost, the data processing activity must comply with general lawfulness principles. The consent of the relevant person is obtained “explicitly, based on being informed, and with free will.” The purposes of processing personal data are also specified in our Company’s “Personal Data Inventory.”
Within our Company units, personal data is processed especially for the following purposes:
-
As an employer, it is necessary to process employees’ personal data to fulfil mutual obligations arising from the employment contract. Employees’ personal data is processed and retained in a manner that is lawful and compliant with the rules of honesty; accurate and, where necessary, up to date; for specific, explicit, and legitimate purposes; related to the purpose, limited, and proportionate. Within this scope, legal grounds include: the lawful conduct of the processes of establishing, performing, and terminating the employment contract; our Company’s legitimate interests provided that they do not violate fundamental rights and freedoms; situations explicitly prescribed by law; fulfillment of legal obligations related to employment; necessity of processing for the establishment, exercise, or protection of a right in legal follow-up cases; and, in other situations, explicit consent to be obtained from employees based on information and their free will.
-
Within the scope of activities required by the Company’s field of operation, the employer’s legitimate interests may necessitate processing employees’ personal data. Indeed, employees’ personal data may be processed for reasons such as preventing abuse, preventing theft, ensuring general security, or ensuring occupational health and safety. However, in such cases, great care is taken not to harm employees’ fundamental rights and freedoms.
-
The majority of employees’ personal data being processed is obtained from information provided by employees to the Company. In some cases, employees’ personal data may also come to the Company from internal sources such as Company managers, from employee references, or from data in systems established by public institutions and organisations due to requirements of working life.
-
Employees’ personal data being processed consists of information such as application forms and employee references, employment contracts and amendments, employee contact details, payroll-related information, family/relative information such as persons to be contacted in emergencies, education records, performance evaluation records, disciplinary records, and camera recordings.
Many Company policies and procedures include rules on the processing of employees’ personal data. In particular, the “Personal Data Protection and Processing Policy” on the Company website may be reviewed. The document may also be accessed via the Company intranet/QDMS system, and may be obtained in paper/hardcopy form from the Human Resources Unit.
Employees’ health information is also among the processed personal data. Information relating to employees’ health and sexual life is, as a rule, processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing, by persons under an obligation of confidentiality or by authorised institutions and organisations. Within this scope, employees’ health data and related details are, as a rule, kept by the workplace physician and the health unit.
After attaining “Employee” status (not requested under the employee candidate category), if the employee becomes a union member, union membership may also be processed due to explicit legal provisions to fulfil legal requirements. Other than this, employees’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, as well as biometric and genetic data are, as a rule, not included among the processed personal data unless explicitly prescribed by law; if an exceptional practice is to be made, requirements are carefully evaluated before processing.
There are monitoring and supervision practices over the Company’s information and communication tools (telephone, mobile phones, computers, and internet). Law No. 5651 and our Company’s legitimate interests constitute the legal grounds for such practices.
In our Company vehicles, a vehicle tracking system may be implemented for reasons such as “security, and more effective management of vehicles and personnel.” While this activity is based on our Company’s legitimate interests, it is carried out provided that it does not harm employees’ fundamental rights and freedoms.
The purposes of processing personal data are the execution of our Company’s human resources policies; providing personnel suitable for open positions in line with those policies; conducting HR operations; selecting employee candidates; managing personnel affairs; determining training and career plans; and fulfilling obligations and taking necessary measures within the framework of occupational health and safety.
Personal data of supplier/subcontractor employees may also be processed by our Company. In fact, Law No. 6331 specifies documents and information that the principal employer must check regarding employees coming from another workplace in terms of occupational health and safety. Similarly, Law No. 4857 and Law No. 5510 impose obligations on the principal employer regarding subcontractor and temporary workers and specify matters to be checked. Accordingly, processing the personal data of workers employed at our workplace by a supplier or another employer is based primarily on such legal regulations and also on our business’s legitimate interests.
Personal data is also processed in our relevant units for the purposes of:
• Conducting emergency management processes
• Conducting information security processes
• Conducting audit/ethics activities
• Conducting training activities
• Managing access authorisations
• Conducting activities in compliance with legislation
• Conducting finance and accounting operations
• Conducting loyalty processes related to the Company/services
• Ensuring physical premises security
• Conducting assignment processes
• Following up and conducting legal affairs
• Conducting internal audit/investigation/intelligence activities
• Conducting communication activities
• Conducting service and operation processes
• Conducting customer relations processes
• Conducting customer satisfaction activities
• Organisation and event management
• Conducting marketing analysis studies
• Conducting performance evaluation processes
• Conducting advertising/campaign/promotion processes
• Conducting risk management processes
• Conducting retention and archiving activities
• Conducting social responsibility and civil society activities
• Conducting contract processes
• Conducting sponsorship activities
• Conducting strategic planning activities
• Following up on requests/complaints
• Ensuring the security of movable property and resources
• Conducting supply chain management processes
• Conducting marketing processes for services
• Ensuring the security of the data controller’s operations
• Work and residence permit procedures for foreign personnel
• Conducting investment processes
• Providing information to authorised persons, institutions, and organisations
• Conducting management activities
• Creating and tracking visitor records
Camera monitoring activities in the workplace for occupational health and safety, general security, and product safety purposes are carried out by taking into account the Company’s legitimate interests, provided that they do not harm the fundamental rights and freedoms of visitors, persons whose data is processed within this scope, and especially employees.
SECTION 4: RETENTION, DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
As regulated in Article 138 of the Turkish Penal Code and Article 7 of KVKK, even if personal data has been processed in accordance with the relevant legal provisions, if the reasons requiring processing cease to exist, personal data shall be deleted, destroyed, or anonymised upon our Company’s own decision or upon the request of the personal data subject.
4.1. RETENTION OF PERSONAL DATA AND RETENTION PERIODS
If prescribed by relevant laws and legislation, our Company retains personal data for the period specified in such legislation. If no period is regulated in legislation regarding how long personal data should be retained, personal data is processed for the period required in accordance with our Company’s practices and commercial customs in connection with the services offered while processing that data, and may be retained to constitute evidence in legal disputes or to enable assertion of a right related to the personal data or to establish a defense. These retention periods are set on the basis of the limitation periods for asserting the said right and of examples from requests previously directed to our Company on the same matters, even after limitation periods have expired. In this case, retained personal data is not accessed for any other purpose, and access is provided only when it is necessary to use such personal data in the relevant legal dispute. After the said period expires, personal data is deleted, destroyed, or anonymised.
4.2. DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA
As regulated in Article 138 of the Turkish Penal Code and Article 7 of the KVKK Law, even if personal data has been processed in accordance with the relevant legal provisions, if the reasons requiring processing cease to exist, personal data is deleted, destroyed, or anonymised upon our Company’s own decision or upon the request of the personal data subject. Within this scope, our Company fulfils its relevant obligation through the methods explained in this section.
A. Deletion of Personal Data
a. Personal Data Deletion Process
Even if processed in accordance with relevant legal provisions, if the reasons requiring processing cease to exist, our Company may delete personal data upon its own decision or upon the request of the personal data subject. Deletion of personal data is the process of rendering personal data inaccessible and non-reusable for relevant users in any way. Our Company takes all necessary technical and administrative measures to ensure that deleted personal data is inaccessible and non-reusable for relevant users.
b. Personal Data Deletion Procedure
The procedure to be followed in deleting personal data is as follows:
• Identifying the personal data subject to deletion.
• Identifying relevant users for each personal data by using an access authorisation and control matrix or a similar system.
• Identifying authorisations and methods of relevant users, such as access, retrieval, and reuse.
• Disabling and eliminating the access, retrieval, and reuse authorisations and methods of relevant users regarding personal data.
c. Methods for Deleting Personal Data
Since personal data may be stored in various recording environments, it is deleted using methods appropriate to the relevant recording environments.
B. Destruction of Personal Data
a. Personal Data Destruction Process
Even if processed in accordance with relevant legal provisions, if the reasons requiring processing cease to exist, our Company may destroy personal data upon its own decision or upon the request of the personal data subject. Destruction of personal data is the process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any way. Our Company takes all necessary technical and administrative measures regarding the destruction of personal data.
b. Methods for Destroying Personal Data
To destroy personal data, all copies where the data exists are identified, and the systems containing the data are destroyed one by one.
C. Anonymisation of Personal Data
a. Personal Data Anonymisation Process
Anonymisation of personal data is the process of making it impossible to associate personal data with an identified or identifiable natural person in any way, even by matching it with other data. When the reasons requiring the processing of lawfully processed personal data cease to exist, our Company may anonymise personal data. Anonymisation is carried out by ensuring that personal data cannot be associated with an identified or identifiable natural person even through the use of techniques suitable for the recording environment and the relevant activity area, such as reversal by the data controller or recipient groups and/or matching with other data. Our Company takes all necessary technical and administrative measures to anonymise personal data.
In accordance with Article 28 of the KVKK Law, anonymised personal data may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the KVKK Law, and explicit consent of the personal data subject will not be sought.
b. Methods for Anonymising Personal Data
Anonymisation means removing or altering all direct and/or indirect identifiers in a data set to prevent identification of the relevant person, or to ensure that the person loses the feature of being distinguishable within a group or crowd in a manner that cannot be associated with a natural person. Data that does not point to a specific person as a result of preventing or losing these features is considered anonymised data. The purpose of anonymisation is to sever the link between the data and the person whom the data defines. All link-severing operations carried out through methods such as automated or non-automated grouping, masking, derivation, generalisation, and randomisation applied to records in the data recording system where personal data is kept are referred to as anonymisation methods. As a result of applying these methods, the resulting data must not be able to identify a specific person.
SECTION 5: RIGHTS OF RELEVANT PERSONS
5.1. SCOPE OF RELEVANT PERSONS’ RIGHTS AND EXERCISING THESE RIGHTS
A. Rights of Relevant Persons
Persons whose personal data is processed by our Company have the following rights:
• To learn whether personal data is processed,
• If personal data has been processed, to request information regarding it,
• To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
• To know the third parties to whom personal data is transferred domestically or abroad,
• To request correction of personal data if it is processed incompletely or inaccurately and to request notification of the transaction made within this scope to third parties to whom personal data has been transferred,
• To request deletion or destruction of personal data if the reasons requiring processing cease to exist, even though it has been processed in accordance with the KVKK Law and other relevant legal provisions, and to request notification of the transaction made within this scope to third parties to whom personal data has been transferred,
• To object to the occurrence of a result against oneself through analysis of processed data exclusively by automated systems,
• To request compensation for damages in case of suffering damage due to unlawful processing of personal data.
SECTION 6: ENSURING THE SECURITY OF PERSONAL DATA
6.1. OUR OBLIGATIONS REGARDING DATA SECURITY
As Hayati Yachting and Tourism Services Limited Company, in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the retention of personal data, we will apply the administrative and technical measures listed below by way of example.
6.2. DATA SECURITY MEASURES
• Network security and application security are ensured.
• A closed system network is used for personal data transfers via the network.
• Training and awareness activities on data security are carried out for employees at certain intervals.
• An authorisation matrix has been created for employees.
• Authorisations in this area are removed for employees who change duties or leave employment.
• Up-to-date anti-virus systems are used.
• Executed contracts include data security provisions.
• Personal data security issues are reported rapidly.
• Necessary security measures are taken regarding entry/exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is minimised as much as possible.
• A user account management and authorisation control system is implemented and monitored.
• Existing risks and threats have been identified.
• Penetration testing is applied.
• Encryption is implemented.
• Data loss prevention software is used.
6.3. STORAGE OF PERSONAL DATA IN SECURE ENVIRONMENTS
Our Company takes necessary technical and administrative measures—according to technological possibilities and implementation costs—to ensure that personal data is stored in secure environments and to prevent it from being destroyed, lost, or altered for unlawful purposes.
A. Technical Measures Taken to Store Personal Data in Secure Environments
The main technical measures taken by our Company to store personal data in secure environments are listed below:
• Systems compliant with technological developments are used to store personal data in secure environments.
• Technical security systems for storage areas are established; the technical measures taken are periodically audited by the audit mechanism determined by our Company, and risky issues are re-evaluated to produce necessary technological solutions.
• All necessary infrastructures are used lawfully to ensure that personal data is stored securely.
B. Administrative Measures Taken to Store Personal Data in Secure Environments
The main administrative measures taken by our Company to store personal data in secure environments are listed below:
• Employees are informed about ensuring that personal data is stored securely.
• If our Company obtains an external service due to technical requirements for storing personal data, provisions are included in the contracts executed with the relevant firms to which personal data is lawfully transferred, stating that persons to whom personal data is transferred will take the necessary security measures to protect personal data and ensure compliance with these measures within their organizations; and actions are taken in line with the provisions of the Company’s “Principles for the Protection of Personal Data in Relations with Third Parties” Policy.
6.4. TRAINING
Our Company provides necessary training to its employees regarding the protection of personal data within the scope of the Policy, KVKK Procedures, and KVKK Regulations.
In training, special emphasis is placed on the definitions and protection practices of Special Categories of Personal Data.
If a Company employee accesses Personal Data physically or in a computer environment, our Company provides training to the relevant employee specifically regarding such access (e.g., the accessed computer program).
6.5. AUDIT
a) Increasing Awareness and Auditing Business Units Regarding the Protection and Processing of Personal Data
Our Company ensures that necessary notifications are made to business units in order to increase awareness for preventing unlawful processing of personal data, preventing unlawful access, and ensuring data retention.
b) Increasing Awareness and Auditing Business Partners and Suppliers Regarding the Protection and Processing of Personal Data
Our Company provides necessary information to business partners to increase awareness aimed at preventing unlawful processing of personal data, preventing unlawful access, and ensuring data retention.
c) Auditing the Measures Taken Regarding the Protection of Personal Data
Our Company has the right to audit—at any time, ex officio, regularly, without prior notice—whether all employees, departments, and contractors of the Company act in accordance with this Policy and KVKK Regulations, and within this scope carries out or commissions necessary routine audits. Audit results are evaluated within the Company’s internal functioning, and necessary activities are carried out to improve the measures taken.
Measures to Be Taken in Case of Unauthorised Disclosure of Personal Data:
In accordance with Article 12 of the KVKK Law, our Company operates a system that ensures that, if processed personal data is obtained by others through unlawful means, this situation is notified to the relevant personal data subject and the KVKK Board as soon as possible.
