POLICY ON PROTECTION OF PERSONAL DATA

POLICY ON PRIVACY/THE PROTECTION OF PERSONAL DATA

The protection of personal data is an important subject for ANTUR TURİZM A.Ş. [“Antur”]. Antur adopts the principles laid down by the Law No. 6698 on the Protection of Personal Data [“KVK Law”] to ensure compliance with the KVK Law, and performs its obligations regarding the processing, deletion, destruction, anonymisation and transfer of personal data, as well as providing the relevant person with information and ensuring data security. The Policy on Privacy and the Protection of Personal Data issued for this purpose is presented to real persons [the “Relevant Person”] for information, and our website, our company headquarters or our stores may be visited also without having to share any personal data. Personal data collected within the visitors’ knowledge, however, may be processed subject to the conditions set forth in this policy in compliance with applicable legislation.

  1. The Scope and Objective of the Policy on Privacy and the Protection of Personal Data

This Policy on Privacy and the Protection of Personal Data explains:

  1. Antur’s methods and legal grounds for collecting personal data,
  2. Groups of individuals whose personal data are processed ( Data Subject Categorisation),
  3. Category of personal data belonging to these groups of individuals which are processed (Data Categories) and data type examples,
  4. Business processes and purposes in/for which these personal data are used,
  5. The technical and administrative measures taken to ensure the security of personal data,
  6. Parties and purposes to/for which personal data may be transferred,
  7. The durations of retaining personal data,
  8. The rights of the Relevant Persons on their personal data, and how they may exercise these rights,
  9. How the Relevant Persons may change their affirmative or negative preferences regarding the receipt of electronic commerce messages,
  10. The sharing of personal data with official authorities.
  1. Methods and Legal Grounds for Collecting Personal Data

Antur collects personal data in audio, electronic or written format, through printed forms, the Relevant Persons themselves, Agreements, suppliers, electronic mail, the Company’s common areas, the Company’s related departments, telephone calls, notices served by administrative and judicial bodies, and other means of communication, in keeping with the personal data processing conditions set forth in the KVK Law, and in line with the legal grounds specified in this Policy on Privacy/the Protection of Personal Data.

  1. Categorisation of Groups of Data Subjects

Antur categorises the groups of data subjects whose personal data are processed during personal data processing procedures and in activities related to these processes, in the following manner. However, in keeping with the personal data processing conditions specified in Articles 5 and 6 of the KVK Law, and in line with the legal grounds indicated in this Policy on Privacy/the Protection of Personal Data, personal data belonging to other groups of individuals (suppliers, dealers, consultants) may also be processed.

  1. Customers of Stores,
  2. Public Officer,
  3. Suppliers, or Suppliers’ Employees or Officials

Data Categories and Examples of Data Types

1.

Customer,

  • Identity Information:Name, surname, date of birth, gender, Turkish ID number
  • Contact Information:Mobile phone number, e-mail address, mailing address, postal code, land line number
  • Financial Information:Tax office, invoice details
  • Customer/Member Information:Membership information, membership ID number
  • Personnel data:Title, details of profession
  • Private personal data:Signature on the form

2.

Public Officer,

  • Identity Information:Name, surname, date of birth, gender, Turkish ID number
  • Contact Information:Mobile phone number, e-mail address, mailing address, postal code, land line number
  • Private Personal Data: Signature

3.

Suppliers, or Suppliers’ Employees or Officials

  • Identity Information: Turkish ID. No., name, surname
  • Contact Information: E-mail address, telephone number, KEP (Registered Electronic Mail) address, mailing address, mobile phone number
  • Financial Information:Account No., Tax office, Tax Identification Number, tax plate, IBAN
  • Legal Procedures and Compliance Information: Signature circular, certificate of activity,
  • Private Personal Data/Information on Legal Procedures: Signature
  • Visual Information: Photograph
  1. Business processes and purposes in/for which the personal data are used,

Personal data are used at stores and technical service centres operated by Antur for the purpose of carrying out activities relating to processes such as:

  • Products and/or Services Provision,
  • Products and/or Services Procurement,
  • Entering into contracts,
  • Performance of contracts,
  • Accounting and payment processes
  • Ensuring information security.
  1. Technical and Administrative Measures Taken to Ensure the Security of Personal Data

The technical and administrative measures taken to ensure the security of personal data processed by Antur are as follows:

  • Authorisations are managed on systems containing personal data in order to ensure Data Security. Attempts of access to these systems over the network are monitored.
  • All systems hosting personal data are periodically checked for security reasons.
  • Processes and systems are designed to prevent personal data from being unlawfully released to external sources outside of the corporation.
  • Persons with access to personal data are trained in order to raise their awareness, and rules to prevent cases of data breach are applied.
  • Personal data are kept at the data centre and in the cloud after the necessary security measures are taken.
  • Conformity of software and other products, which are used in the provision of services, with data security and the protection of personal data, is sought.
  • All systems hosting data are backed up to ensure protection and business continuity in the case of a system crash and against cyber-attacks.
  • Hash, encryption, logging, access management and physical security measures are applied to ensure the protection of information systems hosting personal data against unauthorised access and unlawful data processing.
  • The network on which all the systems hosting personal data and the website are operated is protected through the use of a firewall.
  1. Parties and purposes to/for which personal data may be transferred

Antur transfers personal data to third persons only in line with the purposes specified in the Policy on Privacy and the Protection of Personal Data, and in compliance with Articles 8 and 9 of the KVK Law. Customer data processed within this scope are shared with the relevant department, while in the case of magazine dispatches, information on the individual to whom the magazine will be delivered is also shared with the courier company.

Customer data are also shared with the commercial electronic communication means service provider, for the purpose of offering promotions and advertisements and benefits and opportunities to the customers, in line with their shopping choices, likes and habits, in accordance with the customers’ commercial electronic communication approvals.

Website user settings and navigation history are shared with third parties from which cookie services are procured.

Anonymised data belonging to customers are shared with companies performing market research for the purpose of increasing customer satisfaction and loyalty.

Within the scope of reporting and statistical research, data belonging to customers are shared with Antur’s shareholder Doğuş Holding A.Ş. and its affiliates.

Personal data subject to domestic and overseas transfer as specified above are also protected legally through the provisions included in our contracts, which are compatible with the KVK Law, that take into consideration whether the counter-party of the legal relationship is a data controller or data processor, as well as the technical measures to ensure their security.

  1. The durations of retaining personal data

Antur retains the personal data it has processed, in compliance with the KVK Law, and for the durations prescribed by the applicable legislation or required by the purpose of processing. These durations are approximately as follows in our Personal Data Retention and Destruction Policy:

Data belonging to customers

Such data are retained as long as they remain as our customers/suppliers.

When they are no longer customers/suppliers, their data are retained for as long as such data preserves its quality of being accurate and up-to-date.

Law No. 6098

All records relating to accounting and financial transactions

10 years

Law No. 6102, Law No. 213

Cookies

Please see our Cookie Policy

 

Commercial electronic communication approval records

1 year following the date on which the approval was withdrawn

Law No. 6563 and applicable secondary legislation

Information and/or CVs collected due to job applications

Candidate employee data are reviewed once a year and data belonging to candidates who were not employed are deleted.

Personal data belonging to suppliers

Such data are retained as long as they remain as our customers/suppliers.

When they are no longer customers/suppliers, their data are retained for as long as such data preserves its quality of being accurate and up-to-date.

Law No. 6102, Law No. 6098 and Law No. 213

You may see our Cookie Policy on retention terms of personal data obtained through the use of cookies.

  1. Rights of The Relevant Persons on Their Personal Data, and How They May Exercise These Rights

The rights of the Relevant Persons on their personal data processed by Antur, pursuant to Article 11 of the KVK Law, are listed below:

  • To learn whether or not their personal data have been processed,
  • To request information on the matter, if their personal data have been processed,
  • To learn the purpose for which their personal data are processed and whether they are used according to their purpose,
  • To obtain information on the third persons to whom their personal data are transmitted domestically or abroad,
  • To request the correction of their personal data that may have been incompletely or inaccurately processed,
  • To request the deletion or destruction of their personal data within the framework of the provisions set forth in Article 7 of the KVK Law,
  • To request that the third parties to whom their personal data were transferred are informed of the procedures carried out pursuant to sub-paragraphs (d) and (e),
  • To object to any consequences that may arise against them as a result of the analysis of the processed data exclusively by automatic systems,
  • To request indemnification of their damages in the case that they sustain damages as a result of unlawful processing of their personal data.

It is possible to exercise the rights on personal data by filing an application by using the methods specified in the “Application Form” created pursuant to Article 13 of the KVK Law, which may be found on the website operated by Antur.

 

  1. Sharing of Personal Data with Official Authorities

Antur may share the personal data it processes with public authorities and institutions that are legally authorised to request such data in order that Antur may fulfil its legal obligations [in cases where Antur has a legal or administrative obligation to provide legal notice or information including, but not limited to, fighting crime, and any threat against the State and public security etc.].

  1. Use and Management of Cookies

Please see our Cookie Policy for detailed information on the cookies used by Antur, and cookie types and purposes, durations of retention and cookie management.

  1. Conditions Regarding Deletion, Destruction and Anonymisation of Personal Data

Antur retains the personal data it processes through its website, pursuant to Article 7 and 17 of the KVK Law and Article 138 of the Turkish Criminal Code, for the durations stipulated by applicable laws and/or for the durations required by their purpose of processing. Following the expiration of such durations, personal data shall be deleted, destroyed or anonymised pursuant to the provisions of the Regulation on Deletion, Destruction or Anonymisation of Personal Data.

Deletion of personal data by Antur refers to the process of rendering personal data completely inaccessible and non-reusable by the relevant users. To this end, Antur forms and implements an access authorisation and control matrix at user level. It takes the necessary precautions to carry out the deletion procedure in the database.

Destruction of personal data by Antur refers to the process of rendering personal data completely inaccessible, non-restorable and non-reusable by anybody.

Anonymisation of personal data by Antur refers to making it impossible for personal data to be associated in any manner with an identified or identifiable real person, even if they match with other data.

In its Policy on Retention and Destruction of Personal Data which it has issued pursuant to the Regulation on Deletion, Destruction or Anonymisation of Personal Data, Antur explains in detail the methods regarding, and the technical and administrative measures it takes to ensure, deletion, destruction and anonymisation. This Policy also stipulates the frequency of carrying out the periodical destruction procedure, which is prescribed by the Regulation, as 6 months.

  1. Possible Changes to the Policy on Privacy/the Protection of Personal Data

Antur may introduce changes to the Policy on Privacy/the Protection of Personal Data at any time without prior notice. Such changes shall immediately take effect upon the publication of the amended new Policy on Privacy/the Protection of Personal Data.