Personal Data Protection Policy

1. OUR IDENTITY AS DATA CONTROLLER

Tok Şen Turizm Otelcilik ve Ticaret Anonim Şirketi (hereinafter referred to as “Tok Şen A.Ş.” or the “Company”) operates at Kundu Mah. Yaşar Sobutay Bul. Ducale Lara Otel No: 94 Aksu / Antalya and provides 5-star hotel services under the name Ducale Lara Hotel.

 

2. PURPOSE AND SCOPE OF THE POLICY

This policy aims to explain the principles governing the processing of your personal data by Tok Şen A.Ş. in its capacity as data controller; the legal grounds and purposes of processing; data collection methods; the transfer, storage, anonymization, deletion and destruction of your data; the measures taken to ensure data security; as well as your rights and the methods of exercising these rights.

This policy applies to guests/customers, employees, employee candidates, interns, supplier representatives, supplier employees, and visitors whose personal data are processed by Tok Şen A.Ş., as well as their parents, guardians, or representatives.

3. OUR PRINCIPLES OF DATA PROCESSING

In accordance with Article 4 of the Personal Data Protection Law No. 6698 (KVKK), Tok Şen A.Ş. processes personal data in line with the following fundamental principles:

 

Compliance with law, good faith, and transparency:

We process your personal data in a lawful, fair, and transparent manner.

 

Proportionality and limitation:

We collect your personal data for specific, explicit, and legitimate purposes and do not process them in a manner incompatible with these purposes.

 

Data minimization (relevance and adequacy):

Personal data are relevant, adequate, and limited to what is necessary for the purposes for which they are processed. No unnecessary personal data unrelated to the purpose are processed.

 

Accuracy:

Personal data are processed accurately and kept up to date where necessary. Inaccurate personal data are deleted or corrected without delay in line with the purposes of processing.


Retention for the required period:

Your personal data are retained for as long as required by the purposes of processing. At the end of this period, your personal data are deleted, destroyed, or anonymized.

 

Data integrity and confidentiality:

We process your personal data by taking technical and administrative measures to prevent unauthorized or unlawful processing, as well as loss, deletion, or damage.

 

Accountability:

We are responsible for demonstrating our compliance with all the principles listed above.

 

4. CONDITIONS FOR PROCESSING PERSONAL DATA AND OUR PURPOSES OF PROCESSING

Pursuant to Article 5 of KVKK, your personal data may also be processed without your explicit consent where one of the conditions stipulated in the legislation is present. Based on these conditions, our data processing purposes are listed below.

4.1. Explicitly Provided for by Laws

Tok Şen A.Ş. processes the personal data of its customers, employees, and other relevant persons as explicitly required under the following laws:

  • Identity information of guests within the scope of the Law No. 1774 on Identity Notification,
  • Information regarding foreign guests within the scope of the Law No. 6458 on Foreigners and International Protection,
  • Employee data within the scope of the Labour Law No. 4857 and the Social Insurance and General Health Insurance Law No. 5510,
  • Log records related to the hotel’s internet infrastructure within the scope of the Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications.

4.2. De Facto Impossibility

Personal data may be processed where it is mandatory for the protection of the life or physical integrity of a person who is unable to give consent due to de facto impossibility or whose consent is not legally valid. In this context:

  • Personal data may be shared with emergency services where there is a life-threatening situation concerning the guest or another person.
  • Necessary data may be processed to prevent risks arising from diet, allergies, or disabilities that may endanger life.

4.3. Establishment or Performance of a Contract

Personal data may be processed where it is necessary for the establishment or performance of a contract, provided that it is directly related to the contract and concerns the parties thereto. As a hotel service provider, Tok Şen A.Ş.:

• Processes the personal data of guests in order to:

– Make room reservations,

– Provide requested products and services,

– Process payments,

– Communicate,

– Notify via mail, telephone, or inform about unforeseen situations,

• Processes the personal data of employees, employee candidates, and interns in order to fulfil obligations arising from employment contracts,

• Processes the personal data of supplier representatives and supplier employees within contracts signed with suppliers in order to ensure the supply chain.

4.4. Legal Obligation

Your personal data are processed where it is necessary for us to fulfil our legal obligations. Your data may be processed within the scope of audits, compliance with standards, “reclaim processes,” and activities aimed at ensuring and maintaining service quality.

4.5. Public Disclosure by the Data Subject

Where you have made your personal data public, your data may be processed, provided that such processing is in line with your intention of disclosure.

 

4.6. Establishment, Exercise, or Protection of a Right

Your personal data may be processed where it is necessary for the establishment, exercise, or protection of a right.

 

4.7. Legitimate Interest

Provided that your fundamental rights and freedoms are not harmed, your personal data may be processed for our legitimate interests. In this context:

  • Ensuring guest satisfaction,
  • Maintaining our commercial reputation,
  • Resolving disputes,
  • Protection against fraud (monitoring and controlling our systems, verifying the validity of credit cards in payment transactions),
  • Business performance and improvement,
  • Ensuring hotel security, monitoring food safety and hygiene, preventing and detecting criminal activities through the use of security cameras and call recording systems,
  • Marketing of our products and services,
  • Ensuring that our business is conducted in compliance with legal regulations,

your personal data are processed.

4.7. Processing Based on Explicit Consent

Except for the situations stated above, your personal data cannot be processed without your explicit consent. By obtaining your explicit consent:

  • Your personal data are processed in order to send emails for promotional purposes related to the services in our hotel and to inform you about promotions,
  • Your personal data are processed to facilitate your use of our website through cookies and similar technologies when you visit it, and to provide marketing-based advertisements and promotions.



 

5. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Pursuant to Article 6 of KVKK No. 6698 (as amended by Law No. 7499 dated 02/03/2024); data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are defined as special categories of personal data.

 

As a rule, the processing of special categories of personal data is prohibited. However, such data may be processed where one of the following conditions exists:

  • The explicit consent of the data subject is obtained,
  • It is explicitly provided for by law,
  • It is mandatory for the protection of the life or physical integrity of the person or another person who is unable to give consent due to de facto impossibility or whose consent is not legally valid,
  • It relates to personal data made public by the data subject and is in line with the intention of disclosure,
  • It is necessary for the establishment, exercise, or protection of a right,
  • It is necessary for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of healthcare services by persons under confidentiality obligations or authorized institutions and organizations,
  • It is necessary for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
  • It is in compliance with the applicable legislation and limited to the purposes of organizations such as foundations, associations, and other non-profit entities established for political, philosophical, religious, or trade union purposes, concerning their current or former members.

 

In addition, adequate measures determined by the Personal Data Protection Board (“Board”) must be taken in the processing of special categories of personal data.

 

Tok Şen A.Ş. processes special categories of personal data in the following cases:

  • Health data related to disabilities, dietary requirements, or allergies reported by guests themselves or through their parents/guardians/representatives are processed solely for the purpose of providing the requested services.
  • Data relating to criminal convictions and security measures, as well as health reports of employees, employee candidates, and interns, are processed in accordance with the relevant legislation for inclusion in personnel files and to ensure a working environment suitable to their health conditions during assignment.
  • Employees’ blood group data are processed within the scope of occupational health and safety to be used in case of necessity during emergency interventions.

6. DATA INVENTORY AND DATA CATEGORIES

Tok Şen A.Ş. collects the personal data of customers/guests, employees, employee candidates, interns, supplier representatives, supplier employees, and visitors, as well as their parents, guardians, or representatives, in a data inventory.


 

6.1. Data Subject Categories

 

Data Subject Category

Description

Guest/Customer

Refers to individuals who benefit from accommodation or other services of Ducale Lara Otel.

Employee

Refers to employees of Tok Şen A.Ş.

Employee Candidate

Refers to individuals who have applied for a job at Tok Şen A.Ş. but have not yet started working.

Visitor

Refers to individuals who visit Ducale Lara Otel to see employees or guests.

Supplier Employee/Representative

Refers to employees and representatives of institutions that provide goods or services to Tok Şen A.Ş.

Intern

Refers to individuals undertaking internships at Tok Şen A.Ş.

Parent/Guardian/Representative

Refers to individuals who act as parents, guardians, or representatives of persons receiving or providing services to Tok Şen A.Ş.

 

6.2. Personal Data Categories

Data Type

Description

Identity

Identity information such as name, surname, Turkish ID number (T.C. Kimlik No), passport number, place and date of birth.

Contact

Contact information such as address, phone number, email address, and registered electronic mail (KEP) address.

Location

Data indicating the location of the individual; such as GPS positioning and vehicle recognition information.

Personnel (HR)

Information such as payroll, disciplinary investigations, employment entry-exit documents, and performance evaluations.

Legal Transaction

Correspondence with judicial authorities and information contained in case files.

Customer Transaction

Invoices, receipts, promissory notes and checks, as well as order and request information.

Physical Premises Security

Visitor records and entry-exit logs.

Transaction Security

IP addresses, website login/logout information, system logs, and password credentials.

Financial

Bank details, IBAN number, account and credit information.

Professional Experience

Information such as diplomas, educational certificates, work experience, and projects.

Marketing

Shopping history, surveys, campaign information, and cookies.

Visual and Audio Records

Video recordings, photographs, audio recordings, and camera footage.

Health Data

Health reports, disability information, blood group, allergies, and dietary information.

Criminal Convictions and Security Measures

Data related to criminal convictions or security measures.


 

7. STORAGE OF PERSONAL DATA

Tok Şen A.Ş. stores the personal data it processes for the period required by the purpose of collection and in accordance with the relevant legislation, and thereafter deletes, destroys, or anonymizes such data. The retention periods of personal data are set out in the table below.

 

Data

Legal Basis

Saklama Süresi

Human Resources – Job Application

Reasonable period for the evaluation of the application.

2 Years

Human Resources – Personnel File

Statute of limitations under Labour Law No. 4857 and Code of Obligations No. 6098.

10 Years

Accounting Data

Statute of limitations under Code of Obligations No. 6098.

10 Years

Supplier Employee/Representative Data

Contract-based statute of limitations under Code of Obligations No. 6098.

10 Years

Guest Usage Data

Statute of limitations under Code of Obligations No. 6098.

10 Years

Guest Identity and Contact Information

Code of Obligations No. 6098; limited to the duration of explicit consent for marketing purposes.

10 Years

Visual Records

For advertising, training, or event purposes; within the scope of explicit consent.

Explicit Consent Period

Visitor Records

Ensuring hotel security; statute of limitations under TCK.

2 Years

Security Camera Records

For the purpose of physical security.

1 Month

Internet Usage Log Records

Within the scope of Law No. 5651.

2 Years

 

8. ANONYMIZATION, DELETION, AND DESTRUCTION OF PERSONAL DATA

8.1. General Principle

Pursuant to Article 138 of the Turkish Penal Code and Article 7 of KVKK No. 6698, personal data shall be deleted, destroyed, or anonymized upon the decision of Tok Şen A.Ş. or upon the request of the data subject if the reasons requiring their processing cease to exist. The decisions and recommendations of the Personal Data Protection Authority are taken into account.

8.2. Anonymization

Anonymization of personal data refers to rendering the data in such a way that it can no longer be associated with an identified or identifiable natural person, even when matched with other data. Tok Şen A.Ş. complies with the methods specified in the Regulation on the Deletion, Destruction or Anonymization of Personal Data and the relevant guidelines of the Personal Data Protection Authority.

8.3. Deletion

In the deletion process, personal data are rendered inaccessible and unusable for the relevant users in any way. The following methods are applied depending on the medium:

  • In cloud systems: Data are removed via deletion commands; the user has no authorization to restore them.
  • In paper format: Redaction (cutting out or rendering unreadable with permanent ink) is applied.
  • On central servers: Operating system deletion commands or removal of access rights are applied.
  • In databases: Relevant rows are deleted using the DELETE command.

 

8.4. Destruction

In the destruction process, personal data are rendered completely inaccessible, irretrievable, and unusable by anyone. The methods used include:

  • Demagnetization: Exposing magnetic media to a high magnetic field.
  • Physical destruction: Melting, burning, or pulverizing the media.
  • Overwriting: Writing random data over magnetic media at least seven times.
  • Paper format: Shredding into small pieces that cannot be reassembled.

9. TRANSFER OF YOUR PERSONAL DATA WITHIN THE COUNTRY

Pursuant to Article 8 of KVKK, at least one of the following conditions must be met for the transfer of personal data within the country:

  • Obtaining the explicit consent of the data subject,
  • Being explicitly provided for by law,
  • Being mandatory for the protection of the life or physical integrity of a person who cannot give consent due to de facto impossibility,
  • Being necessary for the processing of personal data directly related to the establishment or performance of a contract,
  • Being mandatory for the data controller to fulfil its legal obligations,
  • The data having been made public by the data subject,
  • Being necessary for the establishment, exercise, or protection of a right,
  • Being mandatory for legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

Within this scope, your personal data may be shared with the following parties:

  • Authorized public institutions and security forces for the purpose of fulfilling our legal obligations,
  • Reservation service providers, payment providers, IT service providers, security camera service providers, transfer service providers, and legal service providers, for the purpose of conducting our commercial activities and fulfilling our contractual obligations.

 

10. TRANSFER OF YOUR PERSONAL DATA ABROAD

Pursuant to Article 9 of KVKK No. 6698 (as amended by Law No. 7499 dated 02/03/2024 and effective as of 01/09/2024), the transfer of personal data abroad is carried out within the following framework.



 

10.1. Transfer Based on an Adequacy Decision

Personal data may be transferred abroad where one of the conditions set out in Articles 5 and 6 of KVKK is met and an adequacy decision has been issued by the Board regarding the country, sector, or international organization to which the transfer will be made. Adequacy decisions are published in the Official Gazette and are reviewed at least every four years.

 

10.2. Appropriate Safeguards in the Absence of an Adequacy Decision

In the absence of an adequacy decision, personal data may be transferred provided that one of the conditions set out in Articles 5 and 6 of KVKK is met, and that the data subject has the opportunity to exercise their rights and access effective legal remedies in the country of transfer, and that one of the following appropriate safeguards is ensured by the parties:

  • The existence of an agreement between public institutions or organizations abroad and public institutions or professional organizations in Türkiye, and permission granted by the Board for the transfer,
  • The existence of binding corporate rules approved by the Board for companies within a group of undertakings engaged in joint economic activity,
  • The existence of a standard contract announced by the Board (to be notified to the Authority within five working days from its execution),
  • The existence of a written undertaking containing provisions ensuring adequate protection, and permission granted by the Board for the transfer.

 

10.3. Occasional Transfers

In the absence of an adequacy decision and where appropriate safeguards cannot be provided, personal data may be transferred abroad on an occasional basis only if one of the following conditions is met:

  • The data subject gives explicit consent after being informed of the possible risks,
  • The transfer is necessary for the performance of a contract between the data subject and the data controller,
  • The transfer is necessary for overriding public interest,
  • The transfer is necessary for the establishment, exercise, or protection of a right,
  • The transfer is necessary for the protection of the life or physical integrity of the person or another person who is unable to give consent due to de facto impossibility.

 

Tok Şen A.Ş. ensures that the safeguards stipulated under KVKK are also maintained for any subsequent transfers of personal data transferred abroad.

11. HOW ARE YOUR PERSONAL DATA COLLECTED?

The personal data of our guests are collected when an application for a reservation is made to the hotel. This may occur upon arrival at the hotel, through the use of the website or mobile applications, or via telephone communication. In addition, personal data are processed through video recordings in common areas during the stay and via wireless internet connections.

The processing of personal data of our employees and interns begins with the job application and continues, where necessary, by requesting such data from them until the termination of their employment contracts. The personal data of employee candidates are processed during the job application process.

The collection of personal data of supplier representatives and supplier employees begins with the signing of the contract. Video recordings are processed during hotel visits.

Tok Şen A.Ş. retains internet usage log records in accordance with Law No. 5651. Cookies are used to enhance website functionality and improve user experience, and the necessary notifications are provided.

12. MEASURES TAKEN REGARDING DATA SECURITY

Tok Şen A.Ş. takes all necessary administrative and technical measures to ensure the security of your personal data.

 

12.1. Administrative Measures

  • Personal data security policies and procedures have been established, and their implementation is monitored by senior management.
  • Personal data are not processed for purposes other than those intended; data minimization is applied wherever possible.
  • An authorization matrix has been established for employees.
  • Confidentiality undertakings are signed with employees.
  • Contracts signed with suppliers and other parties to whom data are transferred include data security provisions.
  • Security measures are taken regarding entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (such as fire, flood, etc.).

12.2. Technical Measures

  • Cybersecurity is handled holistically; physical infrastructures, applications, and digital environments containing information are continuously monitored.
  • Intrusion detection and prevention systems are used.
  • User account management and authorization control systems are implemented.
  • Firewalls and up-to-date antivirus software are used.
  • Access logs to information systems are maintained in a way that prevents user intervention.
  • Personal data are stored through backups, and the security of these backups is also ensured.

 

13. YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA

Pursuant to Article 11 of KVKK, every data subject may exercise the following rights by applying to the data controller:

  • To learn whether personal data are being processed,
  • To request information if personal data have been processed,
  • To learn the purpose of processing personal data and whether they are used in accordance with that purpose,
  • To know the third parties to whom personal data are transferred, domestically or abroad,
  • To request the correction of personal data if they are incomplete or inaccurately processed,
  • To request the deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of KVKK,
  • To request that correction, deletion, or destruction operations be notified to third parties to whom personal data have been transferred,
  • To object to the occurrence of a result against the data subject by means of analysing the processed data exclusively through automated systems,
  • To request compensation for damages in case personal data are processed unlawfully.

 

You also have the right to withdraw your explicit consent at any time with respect to data processing activities that require your explicit consent.

14. APPLICATION METHODS

Within the scope of your rights listed in Article 11 of KVKK, you may submit your requests through one of the following methods in accordance with Article 13 of the Law and Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller. Your request will be responded to within 30 days in accordance with Article 13 of KVKK.

 

The following information must be included in your applications:

  • Name, surname, and signature if the application is submitted in writing,
  • Turkish ID number for citizens of the Republic of Türkiye; for foreigners, nationality, passport number, or identification number,
  • Residential or business address for notification purposes,
  • If available, email address, telephone, and fax number for notification purposes,
  • Subject of the request.

 

Application Method

Requirements for Application

Applciation Address

Other Notes 

In-Person Application

Identity verification; a wet-signed petition or application form. In case of application via a proxy, a power of attorney is required.

Ducale Lara Otel, Kundu Mah. Yaşar Sobutay Bul. No: 94 Aksu/Antalya

The phrase “Request for Information within the Scope of KVKK” must be written on the envelope.

Application by Post

A wet-signed application form or petition; notarized signature circular (if submitted via a proxy, the original power of attorney).

Ducale Lara Otel, Kundu Mah. Yaşar Sobutay Bul. No: 94 Aksu/Antalya

The phrase “Request for Information within the Scope of KVKK” must be written on the envelope.

Registered Electronic Mail (KEP)

A petition signed with a secure electronic signature sent via a KEP address.

Şirketin KEP adresi
[email protected]

Subject: “Request within the Scope of KVKK”

Via Notary

A notice (ihtarname) sent through a notary, including our company’s name and details.

Ducale Lara Otel, Kundu Mah. Yaşar Sobutay Bul. No: 94 Aksu/Antalya

Subject: “Request within the Scope of KVKK”

Application by Email

If your email address is registered in the system, application via this address. If not registered, application may be made using reservation number, name-surname, date of stay, and room number.

[email protected]

Subject: “Request within the Scope of KVKK”

Applications are free of charge. However, if responding to the request requires an additional cost, a fee may be charged in accordance with the tariff determined by the Personal Data Protection Board. If it is determined that Tok Şen A.Ş. is at fault regarding the subject of the request, the fee charged will be refunded.

 

Applications that do not contain missing information will be concluded within a maximum of 30 days in accordance with the law and the principles of good faith.

15. POLICY UPDATES

Tok Şen A.Ş. reserves the right to update this policy in line with changes in legal regulations or developments in its data processing activities. The current version of the policy can be accessed at the hotel reception area and on the website.

16. ENTRY INTO FORCE

This policy has entered into force by the decision of the Board of Directors of Tok Şen Turizm Otelcilik ve Ticaret Anonim Şirketi and is implemented within the framework of the Personal Data Protection Law No. 6698 and the relevant legislation.

 

+90 242 431 26 40
Ara
Online Reservation
Rezervasyon