CLARIFICATION TEXT ABOUT THE LAW ON PROTECTION OF PERSONAL DATA

This information is provided in accordance with Article 10 of Law No. 6698 on the “Protection of Personal Data” and due to legal obligation. This text, prepared within the scope of companies holding the title of data controller in terms of their legal personalities, in all of our facilities which operate within the Özyer Group and provide services under the Hotel management, has been prepared in compliance with the provisions mentioned in the Law on the Protection of Personal Data, adhering to the elements mentioned therein.
Lykia Turizm Yatırımları Sanayi ve Ticaret Anonim Şirketi (Liberty Lykia)
Ayfaba Turizm Yatırımları İnşaat Anonim Şirketi (Liberty Fabay)
Özyer Turizm Sanayi ve Ticaret A.Ş. (Liberty Lara, Liberty Kuşadası, Sundia By Liberty Suncity)
Ölüdeniz Otelcilik Turizm Sanayi ve Ticaret A.Ş. (Sundia By Liberty Ölüdeniz)
Fethiye Enerji Sanayi ve Ticaret Anonim Şirketi (Sundia Exclusive By Liberty Fethiye)
Ephesus Golf İşletmeciliği Turizm Sanayi ve Ticaret A.Ş (Ramada Resort By Wyndham Kuşadası, Ramada Suite By Wyndham Kuşadası)
Hez Turizm Yatırımları San. Ve Tic. A.Ş (Liberty Signa)
 
From now on, the term "Affiliates" will be used to refer to all the companies mentioned above in the continuation of the text.
Affiliates; as data controllers under the Law, the Regulation, which is the secondary regulation of the Law, and other legislation.
has prepared this text for the purposes of processing, protection, determination of the maximum retention period necessary for the purpose of processing, deletion, destruction, or anonymization of personal data at the end of the determined retention period, and the determination of the process for fulfilling the requests of the individuals related to the processed personal data of primarily;
Their guests
Prospective guests
Visitors
Employees,
Partners and employees of other companies in partnership, including but not limited to all of its addressees.
 
The purpose of this document and the Liberty Hotels Group Personal Data Retention and Destruction Policy is to inform you who make hotel reservations on our affiliates' websites, browse the websites or fill out provided forms about the commitments undertaken by our Affiliates to ensure the protection of personal data of such people.
Specifically, we aim to inform you about the personal data we collect from you, how we use, disclose, protect this data, and finally, how you can exercise your rights over this data.

1. Purposes of Processing Personal Data

Our affiliates process the personal data provided by you and related to you in the following situations:
When you browse our websites.
When you make reservations directly on the website for the following hotels: Liberty Lykia, Liberty Lara, Liberty Fabay, Sundia Exclusive By Liberty Fethiye, Sundia By Liberty Ölüdeniz, Sundia By Liberty Suncity, Liberty Signa, Liberty Kuşadası, Ramada Resort By Wyndham Kuşadası and Ramada Suite By Wyndham Kuşadası.
When you consent to receiving newsletters and other marketing/commercial content from us.
When you wish to contact our affiliates to ask questions, file complaints, or apply for a job through our communication form.
The personal data (such as name, surname, date of birth, identification and passport information, work, home and mobile phone numbers, email address, gender, address, occupation, education, marital status, vehicle plate number, accommodation, credit card, spending and flight information, shopping details, invoice information, consumption preferences, etc.) is processed by our Affiliates for the purposes of:
Carrying out of necessary work by business units to make their stakeholders benefit from the products and services offered.
Offering of products and services, ensuring communication regarding the products and services purchased or to be purchased by stakeholders.
Customizing and offering products and services based on preferences, usage habits, and needs.
Offering product/service proposals (for use in marketing activities).
Modelling, reporting, scoring, and executing human values policies.
Ensuring the legal and commercial security of individuals in relationships with our affiliates.
Determining and implementing commercial and business strategies.
Existing or new product studies of our Affiliates and identifying potential customers, etc.
within the scope of personal data processing conditions and purposes specified in Articles 5 and 6 of the KVKK (Personal Data Protection Law) in relation to tourism, marketing, promotion and advertising activities and due to legal obligations.

2. General Principles

Our affiliates act within the framework of the following principles in all processes related to personal data including but not limited to obtaining, processing, storing, protecting, deleting, destroying, and anonymizing of personal data:
Compliance with the law and principles of honesty,
Accuracy and being up-to-date when necessary,
Processing for specific, explicit and legitimate purposes,
Being relevant, limited and proportionate to the purpose of processing,
Preservation for the period prescribed in the relevant legislation or as long as necessary for the purpose of processing, and deletion, destruction, or anonymization of personal data at the end of this period, taking into account the requests of the data subject or periodic deletion periods,
Responding to requests regarding the rights of data subjects defined in Article 11 of the Law as soon as possible,
Taking all necessary technical and administrative measures specified in the Law, Liberty Hotels Group Personal Data Retention and Destruction Policy, and all other relevant legislation in all processes related to the storage, deletion, destruction, or anonymization of personal data,
Recording all processes related to the deletion, destruction or anonymization of the personal data specified in this document and storing them for at least 3 years, except for other legal obligations.

3. Transfer of Personal Data

Personal data may be transferred to business partners, suppliers, shareholders, affiliated group companies, legally authorized public institutions, state security units and private individuals within the framework of the personal data processing conditions and purposes specified in Articles 8 and 9 of the Law on Protection of Personal Data (KVKK) for the purposes of conducting necessary activities by the business units to make stakeholders benefit from the products and services offered by our affiliates, ensuring the provision of products and services, establishing communication regarding the products and services purchased or to be purchased, customizing and offering products and services based on preferences, usage habits and needs (for use in marketing activities), ensuring the legal and commercial security of individuals in relationships with our affiliates, and determining and implementing the commercial and business strategies of the affiliates.

1. Personal Data of Guests
   1. Guest Data Associated with Individuals

Personal data such as name, surname, identification or passport number, age, gender, date of birth (identity),
Personal data facilitating communication such as address, telephone number, email address (communication),
Personal data delivered to ensure payment for the service offered such as the first 6 and last 4 digits of bank credit cards or the number of bank cards, cardholder name, surname, expiration date (payment),
Information and documents containing personal data related to travel products (flight, accommodation, transfer, health tourism, etc.) obtained due to the service provided (service components),
Personal data such as IP address, which allows personalization (location),
Personal data enabling the customization of the provided service according to the guest's preferences and expectations (soft pillow, jasmine scent, large bathrobe, etc.) (habits),
Statistical data that does not directly establish a relationship with the individual; anonymous information obtained from solution partners providing digital marketing services for the determination of guest profiles and learning their preferences and for improving the services offered according to this profile, and guest data that can be anonymized by the Affiliates.

1. Sources of Guest Personal Data

Our affiliates obtain guest data directly from the relevant individual or their representative, tour operators, agents, websites, call centres, mobile phone applications, social media accounts, and from business and solution partners who are third parties, as well as from sources openly disclosed by the relevant individual.
Personal data transferred to the Affiliates for the purpose of benefiting from accommodation services, which are not directly obtained from the relevant individual by our Affiliates, is considered to be in accordance with the will of the relevant individual and legal. In case of any doubt in this regard, Affiliates take necessary measures and precautions without delay. If necessary, they immediately delete, destroy or anonymize the personal data according to the principles specified in this Liberty Hotels Group Personal Data Retention and Destruction Policy.

1. Reasons for Obtaining, Processing and Transferring Guest Data

Our affiliates obtain, process and transfer guest data within the framework of the General Principles specified in Article 2 of this document, only for the legitimate purposes indicated in Articles 5, 6, 8, and 9 of the law. In cases where explicit consent of the data subject is not present, our affiliates may obtain, process or transfer personal data stated in Articles 5 and 6 of the law, in case of one or more of the following conditions, to the extent and for the duration required by this condition:
When explicitly provided for in the laws,
When it is necessary for the protection of the life or physical integrity of the data subject or another person, who is unable to express consent due to physical impossibility or whose consent is not legally valid,
When personal data processing is necessary for the establishment or performance of a contract to which the data subject is a party with the Affiliates, provided that it is directly related,
When it is necessary for the Affiliates, as the data controller, to fulfil its legal obligations,
When the personal data has been made public by the data subjects themselves,
When data processing is necessary for the establishment, exercise, or protection of a right,
When data processing is necessary for the legitimate interests of the Affiliates, as data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Our affiliates obtain, process or transfer personal data for the following purposes, provided that they do not contradict the general principles and based on the legal justifications mentioned above, including but not limited to:
To conduct necessary activities by the business units to make guests benefit from the products and services offered by our Affiliates.
To customize and offer products and services provided by our Affiliates based on guests' preferences, usage habits and needs.
To improve the quality of services provided by our Affiliates and develop the quality policy.
To inform about and benefit guests and potential guests from the general and specific campaigns, promotions, discounts and similar advantages offered by our Affiliates.
To provide the information and services requested by visitors who log in with their usernames and passwords to the platforms provided by our Affiliates, along with the personal data, preferences, transactions, and browsing times obtained from these platforms.
To communicate with guests about any notifications related to loyalty cards issued and/or to be issued by our affiliates and their related organizations, as well as notifications related to website memberships of our Affiliates and their related organizations (renewal, expiration, etc.) and to inform about any changes, innovations or similar matters in personal data policies and membership conditions about new services and products.
To ensure the legal and commercial security of our Affiliates and the individuals in relationships with our Affiliates (administrative operations related to communication conducted by Affiliates, ensuring the physical security and control of Affiliate venues, evaluation processes for partners/guests/suppliers (authorized or employees), legal compliance processes, financial affairs, etc.).
To provide information about the information, events and services requested by related people from our Affiliates.
To determine and implement the commercial and business strategies of our Affiliates.
To ensure the implementation of Human Values policies by our Affiliates and, if expressly stated in the legislation or if required, to fulfil a legal obligation determined by the legislation.
Obtaining informed consent from guests for the direct and indirect personal data obtained is essential. However, our Affiliates may process personal data without explicit consent limited to the matters specified in Article 5, paragraph 2 of the law, among guests or prospective guests. If this necessity ceases to exist and there is no consent from the guest or prospective guest, the data is immediately deleted, destroyed or anonymized.
Even if the guest's explicit consent is obtained within the framework of the principles stated above, our Affiliates do not process personal data for purposes other than the services provided and legitimate purposes, and they do not use the acquired data for services that violate laws and principles of honesty.

1. Transfer of Guest Personal Data

Our affiliates may share the data they have obtained to fulfil their purposes and perform their obligations under the contracts concluded, based on the legal justifications specified in this document, with business partners, solution partners, accommodation and transfer service providers, and other third parties.
Affiliates may transfer personal data domestically and internationally within the framework of the principles determined by the board for the purpose of fulfilling the service provided for the reasons listed in Article 8 of the law. Transfer of personal data outside the reasons specified in Article 8/2 of the law is subject to the consent of the data subject.
When our affiliates share data with individuals and organizations to which they transfer data, they adhere to the Law, relevant legislation, and board decisions and take necessary technical and administrative measures.
Our affiliates may transfer personal data to the following individuals and institutions and for delivery of the services:
To suppliers and subcontractors from whom Affiliates procure necessary services to provide accommodation services to their guests and to carry out their commercial activities.
To relevant airline companies if the guest wishes to benefit from air transportation and accommodation services as a package.
To suppliers and carriers providing private transfer services by road from the airport to the hotel where the guest will stay or from the hotel where the guest has stayed to the airport, if the guest requests such transfer services.
To solution partners to ensure the conduct of commercial activities for the accommodation services provided by our Affiliates.
To public institutions and organizations for the purpose of fulfilling legal obligations.
To third parties or public institutions and organizations for the elimination of threats to individuals' lives, bodily integrity, and safety, elimination or prevention of illegal acts in cases of fraud, intellectual property rights infringements and violations of data policy.
To lawyers, legal advisors and audit firms to protect legitimate interests, the rights and interests of our Affiliates against requests both made by them or to be conveyed to them.Formun Üstü

1. Personal Data Regarding Employees and Job Applicants

Our affiliates may process the personal data of their employees for the purpose of performing the established employment contract, fulfilling mutual obligations, and fulfilling the legal obligations incumbent upon the employer, subject to obtaining explicit consent as limited to these purposes. In this case, our Affiliates adhere to the General Principles specified in Article 2 of this document, inform their employees, and ensure the security of their personal data.
Our Affiliates may process the personal data contained in the resumes and relevant documents submitted by job applicants during the application process and until the applications are finalized, subject to obtaining explicit consent. In the event of an unsuccessful application, upon the expiration of the determined retention period, all personal data is completely deleted, destroyed or anonymized. In the event of partial or complete success of the application, the retention and processing of the obtained personal data depend on the conditions of the new legal relationship to be established.

1. Sensitive Personal Data

The sensitive personal data listed in Article 6 of the Law includes individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal record, and data related to security measures, biometric and genetic data.
Our Affiliates take additional measures regarding the processing, transfer, deletion, destruction or anonymization of sensitive personal data as specified in this text. Transactions to be carried out due to legal obligations or reasons foreseen in the laws are reserved.
Our Affiliates act in accordance with the data processing conditions set forth in Article 6 of the Law in the processing of sensitive personal data. In addition to the procedures and principles specified in this text for the processing of sensitive personal data, it is also necessary to take sufficient measures determined in the relevant legislation.

Our Affiliates may process the health-related personal data of employees and guests, subject to taking the necessary measures prescribed by the relevant legislation, processing in accordance with general principles, and being subject to confidentiality obligations, provided that one of the following conditions exists:
Explicit consent of the data subject,
Protection of public health,
Preventive medicine,
Provision of medical diagnosis, treatment and care services,
Planning and management of health services and their financing,
Management of Human Values processes for employees.
In cases where explicit consent of the data subject is not available:
Sensitive personal data other than health and sexual life may be processed only in cases foreseen in the laws,
Personal data related to health and sexual life may be processed only by individuals or authorized institutions and organizations subject to confidentiality obligations, for the purpose of protecting public health, preventive medicine, providing medical diagnosis, treatment and care services, and planning and managing health services and their financing.

4. Method of Personal Data Collection and Legal Basis

Personal data is obtained by our Affiliates in any form, whether oral, written, or electronic, with the aim of being able to provide the products and services offered in line with the purposes mentioned above within the specified legal framework, and to fulfil their contractual and legal obligations accurately and completely. Personal data collected for this legal reason can be processed and transferred for the purposes specified in the first article of this text within the scope of the personal data processing conditions and purposes stated in Articles 5 and 6 of the Personal Data Protection Law (KVKK).

5. Increasing Awareness Regarding the Protection and Processing of Personal Data, Audit

Our Affiliates ensure the organization of necessary trainings for business units to increase awareness about preventing the unlawful processing of personal data, unauthorized access to data, and ensuring data preservation.
Our Affiliates establish necessary systems to raise awareness among existing employees and new recruits about the protection of personal data and collaborate with consultants when needed. Accordingly, our Affiliates evaluate participation in relevant training sessions, seminars, and informative sessions, and organize new trainings in parallel with the updating of relevant legislation.

6. Conditions for Processing Personal Data

Except for the explicit consent of the data subject, the basis for personal data processing activities can be any one of the conditions listed below, and multiple conditions can also serve as the basis for the same personal data processing activity. If the processed data are sensitive personal data, the conditions within the Sensitive Personal Data will be applied.

1. Existence of Explicit Consent of the Data Subject

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be related to a specific subject, based on informed and given freely.

1. Explicit Provision in the Law

If the personal data of the data subject is explicitly provided for in the law, in other words, if there is a clear provision in the relevant law regarding the processing of personal data, then it can be said that this data processing condition exists.

1. Inability to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

If it is necessary to process the personal data of the data subject in order to protect their own or another person's life or physical integrity, and the data subject is unable to express their consent due to physical impossibility or their consent cannot be considered valid, then the personal data of the data subject may be processed.

1. Direct Relatedness to the Establishment or Performance of a Contract

If the processing of personal data is necessary in direct relation to establishment or performance of a contract to which the data subject is a party, then this condition may be deemed to have been fulfilled.

1. Fulfilment of Company's Legal Obligations

If it is necessary to process the personal data of the data subject for the fulfilment of our company's legal obligations, then the personal data of the data subject may be processed.

1. Public Disclosure of Personal Data by the Data Subject

If the data subject has made their personal data public, then the relevant personal data may be processed solely for the purpose of public disclosure.

1. Necessity of Data Processing for Establishing or Protecting a Right

If it is necessary to process the personal data of the data subject for establishing, exercising or protecting a right, then the personal data of the data subject may be processed.

1. Necessity of Data Processing for the Legitimate Interests of Our Company

If it is necessary to process the personal data of the data subject for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject, then the personal data of the data subject may be processed.

7. Rights of the Data Subjects

According to Article 11 of the KVKK, Data Subjects have the rights to:
Learn whether their personal data is being processed or not,
Request information if their personal data has been processed,
Learn the purpose of processing personal data and whether they are being used in accordance with that purpose,
Know the third parties to whom personal data are transferred domestically or abroad,
Request correction of their personal data if they are incomplete or incorrect, and to request notification of the correction made to third parties to whom the personal data have been transferred in this context,
Request the deletion of their personal data if the reasons requiring their processing have been eliminated, despite being processed in accordance with the KVKK and relevant laws, and to request notification of the deletion made to third parties to whom the personal data have been transferred in this context,
Object to the occurrence of a result against them through the analysis of processed data exclusively by automated systems,
Request compensation for damages in case of suffering damages due to the unlawful processing of personal data.
The data subject must submit their request to exercise the rights specified above under Article 13, paragraph 1 of the KVKK "in writing" to our Affiliates through the methods listed below or through other methods determined by the Personal Data Protection Board. In this context, the channels and procedures through which written applications are submitted to our Affiliates under Article 11 of the KVKK are explained below. For the exercise of the rights mentioned above, the request, which includes identifying information and explanations regarding the rights requested to be exercised as specified in Article 11 of the KVKK, can be sent to our email addresses "kvkk@libertyhotels.com, kvkk@libertyhospitality.com, kvkk@sundiabyliberty.com, kvkk@sundiahotels.com" by filling out the Application Form and sending a signed copy of the form with identification documents, can be delivered personally to the addresses of Liberty Hospitality Group hotels, can be sent  through a notary, by registered mail with return receipt requested or other methods specified in the KVKK.

1. Responding to Requests by Our Affiliates

Our affiliates take necessary administrative and technical measures to handle the requests made by the data subjects in accordance with the Law and secondary legislation.
If the data subject submits their request regarding the rights listed in section 7 ("Rights of the Data Subject") to our Affiliates in accordance with the procedure, our Affiliates will promptly and within a maximum period of 30 (thirty) days from the receipt of the request, conclude the relevant request free of charge, depending on the nature of the request. However, if the transaction requires an additional cost, a fee may be charged in accordance with the tariff determined by the Board.

8. Personal Data Record Mediums

Our Affiliates store the personal data mentioned above in the following record mediums:
Electronic Mediums and Physical Mediums

9. Deletion, Destruction, and Anonymization of Personal Data

In the event that the purposes and legal grounds for processing the personal data obtained in accordance with the principles and procedures specified in this document and the Law cease, our Affiliates delete, destroy or anonymize personal data obtained, in accordance with the Law, relevant legislation, decisions of the Board, and guidelines, either ex officio or upon the proper application of the relevant individual during periodical destruction periods. 
The processes of deletion, destruction or anonymization are documented, and records of these processes are kept by our Affiliates as the data controller for a minimum period of 3 years, subject to other obligations.
During the process of deletion, destruction or anonymization of personal data, our Affiliates take all necessary technical and administrative measures.
The process of rendering personal data inaccessible and unusable for relevant users is carried out.
Entities processing data on behalf of our Affiliates verify that there is no access to the data and document this situation.

1. Techniques for Deletion of Personal Data

Personal Data in Paper Format: Deleted using the method of blackening.
Office Files Located on Central Servers: Deleted using the delete command in the operating system.
Personal Data on Portable Media: Deleted using appropriate software.
Databases: Relevant rows containing personal data are rendered unreadable using database commands.

1. Destruction of Personal Data

The process of making personal data inaccessible to any individual, ensuring that the data cannot be retrieved under any circumstances and rendering it unusable again.
Personal Data on Local Systems: Destroyed using appropriate methods such as demagnetization, physical destruction or overwriting.
Personal Data on Environmental Systems:
Network Devices (switches, routers, etc.): Ensuring data becomes inaccessible through physical destruction methods like burning or breaking into small pieces.
SIM cards and memory cards: Making data inaccessible by processes such as melting or burning optical or magnetic media.
Optical Discs: Ensuring data becomes inaccessible through physical destruction methods like overwriting, burning, breaking into small pieces or melting.
Fixed Peripheral Devices with Data Recording Media: Ensuring data becomes inaccessible through physical destruction methods like overwriting, burning, breaking into small pieces or melting.
Personal Data on Paper and Microfilm Formats: Destroyed using paper shredders.
Personal data transferred to electronic environments through scanning from the original paper format is deleted using appropriate software depending on the environment they are in.
Cloud Environment: Personal data stored and used in these systems are accessed with passwords. Access by external personnel coming for purposes such as maintenance or repair is conducted under the supervision of authorized personnel. Disks of expired servers are destroyed by being broken into small pieces.

1. Anonymization of Personal Data

Anonymization of personal data involves removing or altering all direct and/or indirect identifiers in a dataset to prevent the identification of individuals or to lose the distinguishable characteristic within a group that cannot be associated with a real person.
Techniques for Anonymizing Personal Data: During the anonymization process of personal data, one of the methods shown in the relevant legislation provisions or in the text is used.

1. Periods for Deletion, Destruction and Anonymization of Personal Data

Subject to the absence of any legal obligation to retain the personal data of the data subject for the period prescribed by law, the data processed with the consent of the data subject is deleted, destroyed or anonymized, upon the request of the relevant person, within a maximum period of 30 days from the submission of the request to our Affiliates.
In cases where personal data are processed for reasons listed in Article 5 of the Law that do not require explicit consent, the data is deleted, destroyed or anonymized at the end of the first periodic deletion, destruction or anonymization period following the cessation of the reason and legal grounds.
In cases where personal data are processed for reasons listed in Article 5 of the Law without requiring explicit consent, but the data subject requests deletion, the personal data are separated from the data processed with consent, preserved in a manner accessible only by units related to legal obligations, with authorization and control matrices limited, and are immediately destroyed or anonymized upon cessation of the legal grounds specified in Article 5 of the Law.

10. Technical and Administrative Measures
    1. Administrative Measures

Our Affiliates, within the scope of administrative measures:
Consider job descriptions in company-wide access to processed and stored personal data and limit authorization and control matrices.
In the event of unauthorized access to processed personal data by others, they promptly notify the relevant individual.
Employ knowledgeable and experienced personnel regarding the processing of personal data and provide necessary training and warnings.
Conduct or commission necessary audits on data security within its legal entity and all group companies and take necessary measures regarding the findings of the audits.

1. Technical Measures

They conduct necessary internal controls within the established systems.
They oversee the processes of information technology risk assessment and business impact analysis within the established systems.
They ensure the provision of technical infrastructure to prevent personal data from leaving the institution and establish authorization and control matrices.
They ensure control of system vulnerabilities by obtaining penetration testing services periodically and when needed.
They ensure control over access permissions of personnel in the information technology departments to personal data.
The environments where personal data is stored are protected with high-security encryption technology or cryptographic methods, and measures such as firewalls and SSL Protocol (Secure Socket Layer) are implemented to prevent misuse. Physically held data is stored only in archives with access granted to authorized personnel from Affiliates.
They take necessary measures to ensure cybersecurity in environments where personal data is stored. In this context, they obtain DDoS services from internet service providers to defend against cyberattacks.
They also use security software to ensure the security of virtual servers.
All operations and activities occurring in the record mediums where personal data is located are monitored, and vulnerabilities are immediately addressed by conducting risk analysis in case of security breaches.
The physical safeguarding of record mediums containing personal data, cyber systems and servers is ensured through special security devices and authorization controls.
Personal data backup disks and servers are protected against external risks such as fire and flood in locked vaults.
Data stored in the ISP server room is backed up daily via point-to-point lines.
Authorization controls are implemented for entries into record mediums.
A Data Loss Prevention (DLP) solution is utilized to prevent the risk of data loss.
External media ports are kept closed to mitigate the risk of loss by authorized personnel.