Atay Turizm Otomotiv İnşaat Sanayi ve Ticaret Ltd. Şti

Guest Disclosure Text

The Law on Protection of Personal Data no. 6698 (Law) came into force on April 7, 2017. This law includes all kinds of regulations on processing all kinds of data belonging to real persons with known identities or which can be detected. 

This text includes declarations and remarks by Atay Turizm Otomotiv İnşaat Sanayi ve Ticaret Ltd. Şti. (Company) with regards to the processing of personal data under the Law. In this respect, the implementation field of this text is related to the processing stages of personal data belonging to guests of the Company. Please read this disclosure text carefully and examine the procedures applicable to your data that was processed during and after the time you obtained services from the Company. In line with the law, your personal data may be processed by the Company as the data controller within the scope stated below.

The following terms shall have the following meanings in this text;

Explicit Consent: Approval freely given, specific, informed, clear and limited consent.

Anonymization: To render it impossible for personal data to be associated in any manner with the identity of a real person who is identified or identifiable, even if they are matched with other data.

Guest: A real person who lodges at the Company after reservations and legal registration transactions,

Data Subject: A real person whose personal data is processed;

Personal Data: Any information relating to an identified or identifiable real person,

Special Categories of Personal Data: Data of persons in relation to their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Processing of Personal Data: Any transaction carried out in relation to the data, such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available, classifying personal data or preventing its usage by fully or partly automatic means or by non-automatic means, provided they are part of a data recording system.

Data Processor: A natural or legal person that processes personal data on behalf of the data controller based on authority granted by the data controller.

Data Controller: Refers to a real or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the data recording system.

 

  1. Data Categories and Data Types

Identity Information

Name-surname, gender, Republic of Turkey ID No., Republic of Turkey identity information (ID card serial number, family serial number and other information), ID photo, place of birth, date of birth, marital status, passport number if shared, nationality, and foreign ID number, if any

Contact Details

Home address, postal residence address and other addresses shared, email, phone/mobile phone number

Transaction Security

Internet traffic data (network movements, URL information, IP address, Mac addresses, visit information, time and date information, previous usage information to the site, access time, protocol type, protocol size, related log records)

Financial Information

Bank account details, credit card owner, Credit Card CVV, credit card number, credit card expiry date.

 

Marketing

Questionnaire information, guest thoughts and comments

Physical Location Security

Entry, exit information, IPTV records

Audio-Visual Records

IPTV records, photos

Health-Related Information

Allergy information

Information on Customer Transactions

Guest requests and order information, reservation information (date, time, room, etc.), accommodation period, accommodation dates, number of people staying, room number, accommodation date, type and number of used products, tax number, spending amount, spending information, order amount, product offered, breakdown status, VIP status

Other: Cargo Information

Cargo note, cargo content

Other: Damage Record

Damage record and damage amount

Other: Workplace and Occupation Information

Customer workplace and occupation information

Other: Vehicle Information

License Plate Details

Other: Customer Lost Goods Information

Information on goods lost or forgotten by the guest

 

  1. Methods and Legal Grounds for the Collection of Personal Data

The Company acquires personal data in the reservation and guest registry processes, throughout the accommodation, and in some limited cases after the accommodation service is completed by the following methods, together with details for each data processing activity by the Company:

 

  • By automated and non-automated methods by the Company during the reservations made by guests, in an electronic and physical medium, and as submitted by the Guest,

  • Personal data shared by a written form for registration for the guest, by automated or non-automated methods by communication in a physical environment,

  • By automated or non-automated methods by delivery of Guest order requests and complaints related to the order in an electronic and physical medium by the Guest in order for the Company to offer services,

  • By acquiring through automated and non-automated methods the information regarding the service the Guest benefited from among the services offered by the Company in an electronic and physical medium,

  • By automated and non-automated methods via communication of information required from the Guest in order for the Company to collect the service charge in a physical or electronic medium,

  • By non-automated methods by acquiring the contracts concluded with the Company in order for it to pursue its business activities,

  • Through automated and non-automated methods within the scope of public common internet access providers to fulfill their obligation to establish systems that will define the users, mainly the Law No. 5651 on Regulation of Publications Made Online and Intervention of Crimes Committed Through These Publications, Electronic Communication Law No. 5809, and Regulations on Collective Internet Providers in order to offer internet access to guests within the scope of the company's contractual relationship,

  • By automated and non-automated methods through delivery of information required in an electronic or physical medium by the Guest related to their reservation requests,

  • By automated and non-automated methods in an electronic medium through systems that check the entry and exit times of the Guest in order for the Company to perform its obligations under the contractual relationship,

  • By automated and non-automated methods via communication of information required from the Guest in order for the Company to manage damaged case reports in a physical or electronic medium,

  • By automated methods via a written form issued in order for the Company to manage the storage and delivery of the Guest’s personal goods,

  • By automated and non-automated methods for improving the Company’s services and enhancing customer satisfaction by obtaining the thoughts and comments of guests via a questionnaire in an electronic medium and via a written form in a physical medium,

  • In accordance with the Company's legal obligation and legitimate interest to ensure safety, via automated methods in the form of cameras (IPTV) placed in the Company building,

  • By non-automated methods in a physical medium for collecting information regarding parked vehicles in order for the Company to administer its security and auditing activities,

  • By electronic automated methods to pursue the sales and marketing activities of the Company,

  • By automated and non-automated methods through written forms from the Guest or forms written automatically from our third party business partners in order to track incoming cargo to the Company,

  • By automated and non-automated methods through physical or electronic delivery by the Guest or third party business partners of any financial documents, administrative documents or original contracts belonging to the Company,

  • By automated and non-automated methods via communication of information in a physical or electronic medium by the Guest in order for the Company to pursue its financial audit processes.

Identity Information

  • If the laws clearly specify that we must process your personal data

  • If it is required for personal data belonging to you to be processed in case we establish a contractual relationship, or if it is directly related to our obligation to fulfill any obligation arising out of such contract

  • In cases where it is obligatory for fulfilling our legal obligation

  • When we establish a right for you and must therefore process data in order to use and protect such right

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

Contact Details

  • If the laws clearly specify that we must process your personal data

  • If it is required that personal data belonging to you be processed in case we establish a contractual relationship, or if it is directly related to our obligation to fulfill any obligation arising out of such contract

  • In cases where it is obligatory for fulfilling our legal obligation

  • When we establish a right for you and must therefore process data in order to use and protect such right

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

Transaction Security

  • If the laws clearly specify that we must process your personal data

  • In cases where it is obligatory for fulfilling our legal obligation

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

 

Financial Information

  • If the laws clearly specify that we must process your personal data

  • If it is required that personal data belonging to you be processed in case we establish a contractual relationship, or if it is directly related to our obligation to fulfill any obligation arising out of such contract

  • In cases where it is obligatory for fulfilling our legal obligation

  • When we establish a right for you and must therefore process data in order to use and protect such right

Marketing

  • With the explicit consent we received from you

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

Physical Location Security

  • When such data processing is required for the legitimate interests of the data controller, provided this does not infringe on your fundamental rights and liberties

Audio-Visual Records

  • When such data processing is required for the legitimate interests of the data controller, provided this does not infringe on your fundamental rights and liberties

Health Information

  • With the explicit consent we received from you

  • In cases where it is obligatory for fulfilling our legal obligation

Information on Customer Transactions

  • If it is required that personal data belonging to you be processed in case we establish a contractual relationship, or if it is directly related to our obligation to fulfill any obligation arising out of such contract

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

  • In cases where it is obligatory for fulfilling our legal obligation

 

Other: Cargo Information

  • When we establish a right for you and must therefore process data in order to use and protect such right

 

Other: Damage Record

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

  • In cases where it is obligatory for fulfilling our legal obligation

 

Other: Workplace and Occupation Information

  • If it is required that personal data belonging to you be processed in case we establish a contractual relationship, or if it is directly related to our obligation to fulfill any obligation arising out of such contract

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

Other: Vehicle Information

  • If it is required that personal data belonging to you be processed in case we establish a contractual relationship, or if it is directly related to our obligation to fulfill any obligation arising out of such contract

  • When such data processing is required for our legitimate interests, provided this does not infringe on your fundamental rights and liberties

Other: Customer Lost Goods Information

  • When we establish a right for you and must therefore process data in order to use and protect such right

 

  1. The Purposes for which Personal Data May Be Processed

 

Within the scope of this text, the personal data of data subjects is processed in line with the aforementioned general conditions and for the purposes stated below:

Identity Information

 

 

 

  • Execution of emergency management processes

  • Performance of activities in accordance with legislation

  • Performance of financial and accounting work

  • Conducting company/product/service loyalty processes

  • Performance/audit of business activities

  • Performance of business continuity activities

  • Taking precautions and the assessment thereof for improvement of business processes

  • Conducting goods/services sale processes

  • Performing goods/services production and operation processes

  • Conducting storage and archive activities

  • Informing authorized persons, authorities and organizations

  • Performance of information security processes

  • Audit/execution of ethics activities

  • Conducting contract processes

  • Performance of communication activities

  • Organization and event management

  • Conducting company/product/service loyalty processes

  • Handling and carrying out legal affairs

  • Security of data controller operations

  • Informing authorized persons, authorities and organizations

  • Tracking requests and complaints

  • Execution of activities for customer satisfaction

  • Performance of customer relations management processes

  • Execution of performance assessment processes/Conducing marketing processes of products/services

Contact Details

 

  • Execution of emergency management processes

  • Performance of activities in accordance with legislation

  • Performance of financial and accounting work

  • Performance/audit of business activities

  • Conducting company/product/service loyalty processes

  • Performance of communication activities

  • Conducting goods/services sale processes

  • Informing authorized persons, authorities and organizations

  • Performance of information security processes

  • Audit/execution of ethics activities

  • Handling and carrying out legal affairs

  • Performance of customer relations management processes

  • Tracking requests and complaints

  • Conducting storage and archive activities

 

Transaction Security

  • Performance of information security processes

  • Audit/execution of ethics activities

  • Execution of access authorizations

  • Performance of activities in accordance with legislation

  • Performance of internal audit/investigation/intelligence activities

  • Informing authorized persons, authorities and organizations

  • Handling and carrying out legal affairs

  • Carrying out risk management processes

  • Security of data controller operations

 

Financial Information

  • Performance of financial and accounting work

  • Conducting goods/services sale processes

  • Performance of communication activities

  • Performance/audit of business activities

 

Marketing

  • Conducting company/product/service loyalty processes

  • Taking precautions and the assessment thereof for improvement of business processes

  • Performing goods/services production and operation processes

  • Execution of activities for customer satisfaction

  • Carrying out performance evaluation processes

  • Conducting storage and archive activities

Physical Location Security

  • Execution of emergency management processes

  • Physical location security

  • Handling and carrying out legal affairs

  • Ensuring security of movable goods and resources

  • Security of data controller operations

  • Informing authorized persons, authorities and organizations

  • Creating and following up on visitor records

  • Performance of activities in accordance with legislation

  • Security of data controller operations

 

Audio-Visual Records

  • Execution of emergency management processes

  • Physical location security

  • Handling and carrying out legal affairs

  • Ensuring security of movable goods and resources

  • Security of data controller operations

  • Informing authorized persons, authorities and organizations

  • Creating and following up on visitor records

  • Performance of activities in accordance with legislation

  • Security of data controller operations

Health Information

  • Conducting storage and archive activities

  • Conducting contract processes

 

Information on Customer Transactions

  • Execution of emergency management processes

  • Audit/execution of ethics activities

  • Performance of activities in accordance with legislation

  • Performance of financial and accounting work

  • Performance of communication activities

  • Performance/audit of business activities

  • Taking precautions and the assessment thereof for improvement of business processes

  • Conducting goods/services sale processes

  • Performing goods/services production and operation processes

  • Performance of goods/after sales support services

  • Organization and event management

  • Conducting storage and archive activities

  • Conducting contract processes

  • Ensuring security of movable goods and resources

  • Conducting company/product/service loyalty processes

  • Conducting statistical assessments and market research

  • Execution of activities for customer satisfaction

  • Performance of customer relations management processes

  • Conducting goods/services sale processes

  • Tracking requests and complaints

  • Carrying out performance evaluation processes

  • Physical location security

  • Security of data controller operations

 

Other: Cargo Information

  • Performance/audit of business activities

  • Conducting storage and archive activities

 

Other: Damage Record

  • Handling and carrying out legal affairs

  • Conducting contract processes

  • Ensuring security of movable goods and resources

  • Performance of activities in accordance with legislation

  • Informing authorized persons, authorities and organizations

 

Other: Workplace and Occupation Information

  • Performance/audit of business activities

  • Conducting goods/services sale processes

  • Conducting storage and archive services

  • Conducting contract processes

Other: Vehicle Information

  • Physical location security

  • Performance/audit of business activities

  • Security of data controller operations

Other: Customer Lost Goods Information

  • Audit/execution of ethics activities

  • Performing goods/services production and operation processes

  • Execution of activities for customer satisfaction

  • Conducting storage and archive activities

 

Related data included in the Wi-Fi usage processes are specifically processed mainly to fight against crime under the provisions of Law No. 5651 on Regulation of Publications Made Online and Intervention of Crimes Committed Through These Publications, Electronic Communication Law No. 5809, and provisions of Turkish Criminal Code no. 5237 to prevent access to criminal content, to protect family and children, to prevent crime and detect perpetrators, to take precautions to prevent access to content with criminal topics, to ensure efficiency of access prevention and filtering systems, to ensure transaction security, to ensure legal transaction safety, to record access records, to plan processing stages and to manage, audit and carry out such stages, to plan, manage, audit and carry out information security processes, to establish, manage and protect information technologies infrastructure for traffic management, to offer internet service, to ensure and manage connections, to ensure legal, technical and commercial-business security of the company, to prevent abuse, use beyond its purpose, illegal usage and irregularities, to determine fraud, to ensure accuracy and the actuality of data, in cases where it is our legal liability, to implement conditions stated in the Wi-Fi User Agreement, to inspect such, and to carry out related procedures.

 

  1. To Whom and for What Purposes Processed Personal Data May Be Transferred

Guests’ personal data collected in order to fulfill the aforementioned purposes, and which is limited to fulfilling such purposes, can be transferred to the following (domestic) persons and groups under personal data processing conditions stated in Articles 8 and 9 of the Law and is limited to the aforementioned purposes.

  1. To our suppliers (for example, internet service providers and solution partners offering infrastructure for Wi-Fi service),

  2. legally authorized public institutions and

  3. private persons or institutions and third persons

The following is an example of the purposes for which your personal data may be shared in detail:

 

Purpose of Transfer

  • Execution of emergency management processes

  • Performance of information security processes

  • Performance of activities in accordance with legislation

  • Performance of financial and accounting work

  • Handling and carrying out legal affairs

  • Performance of internal audit/investigation/intelligence activities

  • Performance of communication activities

  • Performance/audit of business activities

  • Performance of business continuity activities

  • Performing goods/services production and operation processes

  • Conducting goods/services sale processes

  • Performance of customer relations management processes

  • Execution of activities for customer satisfaction

  • Conducting storage and archive activities

  • Conducting contract processes

  • Ensuring security of movable goods and resources

  • Security of data controller operations

  • Informing authorized persons, authorities and organizations

  • Tracking requests and complaints

 

Your personal data may be transferred abroad based on your explicit consent for the transfer of your personal data abroad. The following is an example of the purposes for which your personal data may be shared abroad:

The data of our guests may be transferred to our overseas suppliers in order to fulfill the following purposes.

  • Conducting Storage and Archiving Activities

  • Performance of Communication Activities

  • Performance of Information Security Processes

  • Execution of Access Authorities

  • Performance/Audit of Business Activities

  • Performance of Business Continuity Activities

  • Conducting company/product/service loyalty processes

  • Execution of Activities for Customer Satisfaction

  • Conducting Marketing Analysis Work

  • Carrying out Advertisement/Campaign/Promotion Processes

  • Execution of marketing processes of products/services

 

  1. Your Rights under Article 11 as the Data Subject

The rights of the data subject under Article 11 of the Law are as follows:

  • To learn whether or not your personal data is being processed,

  • To request information on the procedure if personal data has been processed,

  • To obtain information regarding the purpose of processing personal data, and to find out whether personal data has been used in line with this purpose,

  • To obtain information about third parties to whom your personal data has been transferred domestically or abroad,

  • To request the correction of personal data that may have been incompletely or inaccurately processed,

  • To request the deletion or destruction of personal data within the scope of the provisions set forth in Article 7 of the Law,

  • To request that the third parties to whom personal data is transferred are informed of the operations carried out pursuant to sub-paragraphs (d) and (e),

  • To object to any outcome detrimental to the data subject as a result of analysis of the data processed exclusively through automatic systems,

  • To request indemnification of damages in the case that damages are sustained as a result of the unlawful processing of personal data.

As data subjects, in order to specify your requests with regards to your rights and to use your rights regarding your personal data, you can request the necessary changes, updates and/or deletions, and other related requests by filling out the Contact Form, which you can access on the website of the Company and send as “Data Subject Application Form” to the official email of the company at info@gezibosphorus.com or with the official phone number of the Company, +90 212 393 2700, or deliver it to the address of the Company at Gümüşsuyu Mah. Mete Cad. No: 34 Beyoğlu / Istanbul. In requests delivered by phone, you will be directed to other application methods following such request.

Under paragraph 1 of Article 13 of the Law, you can submit your request for exercising the aforementioned rights, together with the following information based on the “Notification on Procedures and Principles for Application to the Data Controller”:

  • Name and surname of the applicant,

  • If the applicant is a Republic of Turkey citizen, a Republic of Turkey ID number, if not, a passport number, or if available an ID number,

  • Residence or workplace address for notification of the applicant,

  • Main email address, telephone and fax numbers for notification of the applicant,

  • Subject of the request,

  • Information and documents for the subject of the request,

  • Application methods and

  • Signature if the application is in writing.

 

Gezi Hotel will conclude your application on a free-of-charge basis within the shortest time possible depending on the nature of the request, within no later than thirty days once you deliver your request to us via the specified methods. However, in case the process requires any additional cost, the Company shall charge the fee in the tariff specified by the Board of Protection of Personal Data.

Your application to exercise any of your above-mentioned rights, including your remarks about the right you wish to exercise, should clearly state your request, should be personally related to you (or if you act on behalf of another person, then you should be specifically authorized in this regard and capable of certifying such authorization), and should include your ID and address details, and supporting identification documents.

BOOK NOW

BOOK DIRECT

SAVE UP TO 10%