KVKK Policy

MOLTON MONAPART HOTEL

PERSONAL DATA PROTECTION, PROCESSING AND PRIVACY POLICY

1- Our company, MOLTON MONAPART HOTEL (“Data Controller” or “Company”), with this (“Policy”), sets forth the obligations and procedures for obtaining, processing, deleting, destroying, or anonymizing the personal data of all parties concerned.

In this context, under the Personal Data Protection Law No. 6698 (“Law”), the Company is responsible for the personal data of Job Candidates, Customers, Company Shareholders, Company Officials, Visitors, Employees of Institutions with which we cooperate, Subcontractors, and Suppliers, as well as Third Parties (“Data Subject”).

The conditions and terms related to the personal data processing activities conducted by the company (“Data Controller”) are included in accordance with the Law, aiming to ensure transparency by informing the data subjects and obtaining their explicit consent within the scope of the situations specified below. The Privacy Policy is published on our company’s website (https://www.monaparthotel.com) and made accessible to the relevant individuals upon their request.

Accordingly, this Privacy Policy (“Policy”) has been prepared to ensure that personal data is processed in full compliance with the Personal Data Protection Law No. 6698 (“Law”) and to inform data subjects in this context. Apart from this Policy, a separate “MOLTON MONAPART HOTEL Employee Personal Data Processing Policy” has been prepared for the company’s employees.

2- This Policy relates to all personal data processed by automatic means or, provided it is part of any data recording system, by non-automatic means, particularly for Job Candidates, Customers, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, and Officials of Institutions with which we cooperate, Subcontractors, and Suppliers, as well as Third Parties.

The scope of application of this Policy to the groups of personal data owners mentioned above may include the entirety of the Policy or only certain provisions thereof.

3- Legal regulations currently in force concerning the processing and protection of personal data will take precedence. In the event of any discrepancy between the applicable legislation and the Policy, the Company acknowledges that the prevailing legislation will apply.

4- Data subjects whose personal data are processed within the scope of the Policy are categorized as follows:

Job Candidates: Real persons who have applied for a job with the Company or made their resume and related information accessible to the Company by any means.

Employees, Shareholders, and Officials of Institutions, Subcontractors, and Suppliers We Cooperate With: Employees, shareholders, and officials of institutions, subcontractors, and suppliers with whom the Company has a business relationship.

Customers: Real persons whose personal data is obtained in the context of business relationships conducted within the activities carried out by the Company, regardless of whether there is a contractual relationship.

Visitors: Real persons who have entered or visited the Company’s physical premises for various purposes.

Third Parties: Other real persons whose personal data are processed within the framework of this Policy, even though they are not defined in the Policy.

Company Shareholders: Real persons who are shareholders of the Company.

Company Officials: Real persons who are members of the Company’s board of directors and other authorized persons.

5- In the implementation of this Policy:

Explicit Consent: Consent based on information and freely expressed regarding a specific matter.

Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching with other data.

Personal Data: Any information relating to an identified or identifiable natural person.

Special Categories of Personal Data: Data revealing race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership of associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Processing of Personal Data: Any operation performed on personal data, fully or partially automated, or by non-automated means, provided it is part of any data recording system, such as collecting, recording, storing, maintaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing use.

Board: Personal Data Protection Board.

Policy: The Company’s Personal Data Protection and Processing Policy.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller.

Data Controller: A person who determines the purposes and means of processing personal data and manages the place (data recording system) where data is systematically kept.

6- The matters related to the processing of personal data of Job Candidates, Customers, Company Shareholders, Company Officials, Visitors, Employees, Shareholders, and Officials of Institutions with which we cooperate, Subcontractors, and Suppliers, as well as Third Parties, are regulated in accordance with the Law within the scope of this Policy.

7- Personal data obtained with the consent of the data subject or other legitimate reasons specified in the Law are processed within the limits of the purpose stated in this policy and the informed consent of the data subject or the legal basis. Once the legal basis no longer exists or in cases where there is no consent or consent has been withdrawn, all personal data will be deleted, destroyed, or anonymized.

8- The Privacy Policy aims to:

• Clearly state what information belonging to the data subject is collected and what is done or not done with such data.
• Determine the responsibilities of the Data Subject, Data Controller, and third parties in protecting rights and privacy under the Law.
• Explain how shared information is used to provide functional and beneficial services.

9- By this text, data subjects acknowledge that they have been informed about the processing of their personal data and the privacy policy, and consent to the use of their personal data as specified herein.

10- The personal data processed by the Data Controller are categorized in accordance with the Personal Data Protection Law (Law) as follows. Unless explicitly stated otherwise, the term “Personal Data” within the scope of this Privacy Policy includes the following information:

Identity Information: Name-surname, ID number, nationality, mother-father name, place of birth, date of birth, gender, and Social Security number; all information contained in documents such as driver’s license, identity card, and residence permit.

Contact Information: Information clearly attributable to an identified or identifiable natural person; information such as phone number, address, email address, fax number, and IP address processed partly or fully automated or as part of a non-automated data recording system.

Customer Information: Information obtained and generated about the individual as a result of our commercial activities and the operations conducted by our business units.

Customer Transaction Information: Records related to the use of our products and services, including instructions and requests necessary for the use of products and services by the customer.

Transaction Security Information: Personal data processed to ensure technical, administrative, legal, and commercial security during the conduct of commercial activities.

Risk Management Information: Personal data processed through methods used in accordance with general legal, commercial practices, and principles of fairness to manage our commercial, technical, and administrative risks.

Financial Information: Personal data processed concerning any financial outcome created based on the type of legal relationship established with the data subject.

Job Applicant Information: Personal data processed regarding individuals who have applied to become employees of the Company or who have been evaluated as job candidates in accordance with the Company’s human resources needs or commercial practices and principles of fairness.

Legal Proceeding Information: Personal data processed for the identification, pursuit, and execution of our legal claims and rights.

Inspection Information: Personal data processed to comply with the Company’s legal obligations and policies.

Special Categories of Personal Data: As specified in Article 6 of the Personal Data Protection Law (KVKK); data such as race, ethnic origin, political opinion, philosophical belief, religion, sect, attire, membership of associations, foundations or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

Marketing Information: Personal data processed for the customization and marketing of our products and services based on the personal usage habits, preferences, and needs of the data subject, along with reports and evaluations created as a result of such processing.

Physical Space Security Information: Personal data processed, partially or fully automated or as part of a non-automated data recording system, concerning records and documents obtained during entry into physical spaces, presence within physical spaces, camera recordings, and records obtained for security purposes, excluding records falling under Physical Space Security Information.

Visual/Auditory Information: Information clearly attributable to an identified or identifiable natural person; photographs, camera recordings (excluding records falling under Physical Space Security Information), audio recordings, and data contained in documents serving as copies of personal data.

Request/Complaint Management Information: Personal data related to the receipt and evaluation of any kind of request or complaint submitted.

11- Anonymized data, as per Articles 3 and 7 of the Personal Data Protection Law, will not be considered as personal data, and processing activities related to such data will be carried out independently of the provisions of this Privacy Policy.

12- Our company processes personal data in accordance with the fundamental principles stated in Article 4 of the Personal Data Protection Law and the principles set forth in this Policy. Furthermore, personal data is processed within the purposes and conditions specified in Article 5 paragraph 2 and Article 6 paragraph 3 of the Law. These purposes and conditions include:

• Explicitly stipulated in laws,
• Necessary to protect the life or bodily integrity of the data subject or another person who is unable to declare consent due to physical impossibility or whose consent is not legally valid,
• Necessary for the establishment or performance of any contract between the data subject and the data controller,
• Necessary for the data controller to fulfill its legal obligations,
• Already made public by the data subject,
• Necessary for the establishment, exercise, or protection of a right,
• Necessary for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Furthermore, the Law defines personal data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, attire, membership of associations, foundations, or unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data as “special categories” or “sensitive” personal data, and imposes stricter conditions for their processing. Accordingly, processing of sensitive personal data is only permitted under the following conditions, except where explicit consent has been obtained from the data subject:

• The processing is explicitly permitted by laws,
• Processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, by individuals under a confidentiality obligation or authorized institutions and organizations.

13- In the absence of the conditions mentioned above, the Company seeks explicit consent from the data subjects to process personal data. Within this framework, personal data may be processed for the following purposes, among others:

• Fulfillment of contract processes, customer relations, execution of sales processes, legal follow-ups, and tracking of customer requests and/or complaints to benefit data subjects from the products and services offered by the Company,
• Conducting necessary activities for the realization of commercial activities carried out by the Company, planning corporate communication activities, ensuring business continuity, establishing information technology infrastructure, monitoring financial affairs, executing corporate governance activities, planning and executing business activities, planning and executing research and development activities, planning and executing corporate management activities, and ensuring information security and suppliers’ access to information,
• Planning and executing human resources policies and processes of the Company, fulfilling employment contracts and obligations arising from legislation for employees and employee candidates, procuring products and services needed for business operations, monitoring and auditing business activities, planning and executing personnel recruitment processes, planning performance evaluation processes, planning and executing internal training activities, planning human resources processes, and planning and executing human resources needs necessary for production,

The Company ensures the protection of legal and commercial security of persons within the scope of business relationship with the Company; ensures that operational activities necessary for the conduct of company activities in accordance with company procedures and relevant legislation, and protection of company operations, company audit activities, ensuring the security of company operations, and ensuring data accuracy and currency are carried out.

If there is no explicit consent of the person, the processing of personal data is carried out within the framework of the exceptions specified in the Law. If the exceptions in the Law do not allow the processing of personal data and there is no explicit consent of the person, personal data is not processed.

14- The aforementioned personal information may also be used for contact with the Data Subject or for various statistical evaluations, database creation, and market research purposes without disclosing the identity of the Data Subject.

15- The Company may process the personal data of its employees, including resumes submitted by prospective employees, without seeking consent as necessary for the performance of the established service contract, fulfillment of mutual obligations, and other legal obligations. The Company ensures the confidentiality and protection of data belonging to its employees. In this context, a separate “Policy on the Processing of Personal Data of MOLTON MONAPART HOTEL Employees” has been prepared in addition to this Policy.

16- The monitoring activity conducted by the Company through cameras complies with the conditions for processing personal data stipulated in the Private Security Services Law and the Personal Data Protection Law.

The Company informs the data subjects in accordance with Article 10 of the Personal Data Protection Law regarding the monitoring activity conducted through cameras through multiple methods. For this purpose, notification letters stating that monitoring will be conducted at the entrances of the areas are posted. Thus, it is aimed to prevent harm to the fundamental rights and freedoms of the data subject, ensure transparency, and inform the data subject.

In accordance with Article 4 of the Personal Data Protection Law, the Company processes personal data in a manner that is relevant, limited, and proportionate to the purpose for which they are processed.

The purpose of the Company in continuing the monitoring activity with live camera images and digitally recorded and stored recordings is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, number of cameras, and times for monitoring are implemented adequately and limitedly to achieve security objectives. Areas where monitoring may interfere with personal privacy beyond security purposes are not subject to monitoring.

In accordance with Article 12 of the Personal Data Protection Law, necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera monitoring activities.

Only a limited number of Company employees have access to recordings stored with live camera images and recorded and stored digitally.

The Company conducts personal data processing activities for monitoring visitor entries and exits for the purpose of ensuring the security of the locations where it conducts its commercial activities. The names and surnames of individuals visiting the Company are processed solely for the purpose of monitoring their entry and exit, and the relevant personal data are recorded in both physical and electronic record systems.

16- The camera monitoring activities conducted by our company are carried out in accordance with the Law on Private Security Services and the Personal Data Protection Law (KVKK).

Our company informs the data subjects in accordance with Article 10 of the KVKK about the camera monitoring activities through multiple methods. A notification letter stating that monitoring will be conducted is posted at the entrances to the premises. Thus, the aim is to prevent harm to the fundamental rights and freedoms of data subjects, ensure transparency, and inform data subjects.

Our company processes personal data in a manner that is relevant, limited, and proportionate to the purposes for which they are processed, in accordance with Article 4 of the KVKK.

The purpose of maintaining video camera monitoring activities by our company is limited to the purposes listed in this Policy. Accordingly, the monitoring areas, number of cameras, and times of monitoring are implemented adequately and limitedly to achieve security objectives. Individuals are not subjected to monitoring in areas that could infringe upon their privacy beyond security purposes.

Our company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activities, in accordance with Article 12 of the KVKK.

Live camera footage and digitally recorded and stored records are accessible only to a limited number of company employees.

Our company conducts personal data processing activities aimed at ensuring security and monitoring the entry and exit of visiting guests for the purposes stated in this Policy. The names of individuals visiting our company are processed only for the purpose of monitoring their entry and exit, and the relevant personal data is recorded in both physical and electronic record systems.

For the purpose of ensuring the security of its operational premises and facilities, our company engages in personal data processing activities involving camera monitoring, recording, card entry scanning, and identity registration at its headquarters and facilities. The monitoring through security cameras, recording, identity card scanning, and their registration aim to protect the interests of the Company and other individuals. Our company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring activities, in accordance with Article 12 of the relevant Law.

17- The data controller may share personal data and newly acquired data derived from the use of such personal data for the purposes stated under the Privacy Policy and the Information and Consent Text on the Processing of Personal Data. This includes conducting necessary activities to benefit individuals from provided services, executing commercial activities and related business processes, ensuring security, detecting fraudulent or unauthorized use, conducting operational evaluations, and sharing with third-party service providers (such as hosting services), legal offices, company officials, business partners, legally authorized public institutions and organizations, and private institutions, including those engaged in email and SMS sending.

18- Personal data collected for the aforementioned legal reasons may be processed and transferred in accordance with the current legislation and the purposes stated in this Privacy Policy. Pursuant to Article 5 of the Law on the Protection of Personal Data (KVKK), based on one or more of the following conditions for processing personal data, the company may transfer personal data to third parties in a limited and compliant manner:

• With the explicit consent of the data subject,
• If there is a clear provision in laws regarding the transfer of personal data,
• If it is necessary to protect the life or bodily integrity of the data subject or another person, and the data subject is unable to disclose consent due to actual impossibility or lack of legal validity for consent,
• If the transfer of personal data is directly related to the establishment or performance of a contract, provided it concerns personal data of the parties to the contract,
• If the transfer of personal data is mandatory for the company to fulfill its legal obligations,
• If the personal data has been made public by the data subject,
• If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,
• If the transfer of personal data is necessary for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the data subject.

The company ensures necessary diligence, takes required security measures, and implements adequate precautions as prescribed by the KVKK Board to transfer special categories of personal data of the data subject in accordance with legitimate and lawful purposes for processing personal data in the following cases:

• With the explicit consent of the data subject,
• If there is no explicit consent of the data subject, special categories of personal data other than health and sexual life of the data subject (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations or trade unions, criminal record, and security measures-related data as well as biometric and genetic data) may be transferred in cases prescribed by law, specifically for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, and under the obligation of confidentiality imposed by persons or authorized institutions and organizations.

19- In accordance with legitimate and lawful purposes for processing personal data, if the data subject gives explicit consent or if explicit consent is absent and one of the following conditions exists, the data controller may transfer personal data to foreign countries where the Data Controller Providing Adequate Protection or Committing to Providing Adequate Protection is located:

• If there is a clear provision in laws regarding the transfer of personal data,
• If it is necessary to protect the life or bodily integrity of the data subject or another person, and the data subject is unable to disclose consent due to actual impossibility or lack of legal validity for consent,
• If the transfer of personal data is directly related to the establishment or performance of a contract, provided it concerns personal data of the parties to the contract,
• If the transfer of personal data is mandatory for the company to fulfill its legal obligations,
• If the personal data has been made public by the data subject,
• If the transfer of personal data is necessary for the establishment, exercise, or protection of a right,
• If the transfer of personal data is necessary for the legitimate interests of the company, provided that it does not harm the fundamental rights and freedoms of the data subject.

20- The company, with necessary diligence, taking required security measures and implementing adequate precautions as prescribed by the KVKK Board, may transfer special categories of personal data of the data subject to foreign countries where the Data Controller Providing Adequate Protection or Committing to Providing Adequate Protection is located in accordance with legitimate and lawful purposes for processing personal data in the following cases:

• With the explicit consent of the data subject,
• If there is no explicit consent of the data subject, special categories of personal data other than health and sexual life of the data subject (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership of associations, foundations or trade unions, criminal record, and security measures-related data as well as biometric and genetic data) may be transferred in cases prescribed by law, specifically for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, and under the obligation of confidentiality imposed by persons or authorized institutions and organizations.

21- Personal data collected for the aforementioned legal reasons may be processed and transferred in accordance with Articles 5 and 6 of Law No. 6698 and the purposes stated in this Privacy Policy.

22- Pursuant to Article 11 of the Law, data subjects have the right to:

• Learn whether personal data concerning them is being processed,
• Request information regarding the processing of personal data if it has been processed,
• Learn the purpose of processing personal data and whether they are being used in accordance with the purpose,
• Know the third parties to whom personal data is transferred domestically or abroad,
• Request correction of incomplete or inaccurate personal data,
• Request deletion or destruction of personal data if the reasons requiring its processing cease to exist despite being processed in accordance with the law and relevant regulations,
• Request notification to third parties to whom the processed data has been transferred regarding corrections, deletions, or destructions made as a result of correction, deletion, or destruction requests,
• Object to the occurrence of a result against them due to the analysis of processed data exclusively through automated systems,
• Request compensation for damages in case personal data is processed unlawfully and causes damage.

23- In accordance with Article 13/1 of the Law on Protection of Personal Data (KVKK), to exercise your aforementioned rights, you must submit your request to our Company in writing or through other methods determined by the Personal Data Protection Board. In your applications under Article 11 of the KVKK, where you wish to exercise your rights mentioned above, please specify the necessary information to identify your identity and your explanations regarding the right you wish to exercise, indicating which right specified in Article 11 of the KVKK you are exercising, and send your request by registered mail to the following address:

MOLTON MONAPART HOTEL
ADDRESS: MECİDİYEKÖY MAH. GÜVENEVLER SOKAK NO: 12/A 34381 ŞİŞLİ ISTANBUL / TURKEY

It is not possible for third parties to make requests on behalf of the data subject. In order for someone other than the data subject to make a request, a special power of attorney issued by the data subject regarding the subject must be available.

24- In accordance with Article 13 of the KVKK, our Company concludes the application requests made by the data subject in the scope of Article 11 of the KVKK as soon as possible and within a maximum of 30 (thirty) days free of charge. However, if the process requires additional costs, it is possible to charge the fee specified in the tariff determined by the KVKK Board.

Our Company may accept the data subject’s application request, or it may reject the request by explaining the reasons and notify the relevant person in writing or electronically under the following reasons:

• Blocking the rights and freedoms of others,
• Disproportionate effort,
• If the information is public knowledge,
• Jeopardizing the privacy of others,
• If one of the exceptions outside the scope of the KVKK Law exists.

If the data subject’s application is rejected, if the response is found insufficient, or if there is no response to the application within the specified period, the data subject has the right to file a complaint with the KVKK within thirty days from the date of learning the response or within sixty days from the application date.

Our Company takes necessary technical and administrative measures in accordance with the law and this Privacy Policy to prevent personal data from being processed unlawfully, accessed unlawfully, and to ensure the protection of personal data. The data controller also refrains from disclosing the personal data obtained from the data subject to others in violation of this Privacy Policy and the Law on Protection of Personal Data.

25- This Privacy Policy may be updated from time to time to comply with changing conditions and legislation.

26- Although no specific period is defined for the retention of personal data under the Law, personal data are generally kept for the period required by the relevant legislation or for the purpose for which they were processed. The Data Controller Company evaluates each data processing process based on the current legislation and the purpose of the process to determine appropriate storage periods. In this context, personal data are stored at least until the legal obligations and statute of limitations periods expire, including the time when the processing purpose of the relevant personal data ends, and thereafter, personal data are anonymized, deleted, or destroyed in accordance with the Law.

27- Your collected personal data must be accurate and updated as necessary. Therefore, if there is any change in your personal data, you can notify this to the relevant department of our Company.

28- Our Company fulfills its obligations under the KVKK and assigns necessary responsibilities within the Company and establishes procedures accordingly for the implementation of the issues stated in this Policy.

The policy containing the above-mentioned items, including the “MOLTON MONAPART HOTEL Personal Data Protection, Processing and Privacy Policy Information and Consent Text,” is presented to the data subject together with other relevant information and consent texts. Additionally, upon request of the data subjects, the policy is provided to the relevant individuals and access is facilitated.