Personal Data Protection Policy

ANIA TURİZM YATIRIMLARI A.Ş.

PERSONAL DATA PROTECTION PROCESSING STORAGE AND DESTRUCTION POLICY

 

CONTENTS

1. Introduction
   1. Purpose
   2. Scope
   3. Abbreviations and definitions
2. ANİA Turizm Yatırımları A.Ş. Regarding the Processing and Protection of Personal Data. Principles Adopted by
3. Compliance with Basic Personal Data Processing Data
4. Compliance with Personal Data Processing Conditions
5. Compliance with Special Personal Data Processing Conditions
6. Responsibility and task distribution
7. recording media
8. Transfer of Personal Data
   1. Transfer of Personal Data Domestically
   2. Transfer of Personal Data Abroad
9. Explanations Regarding the Reasons Requiring Storage and Disposal
   1. Notes on storage
   2. Reasons requiring destruction
10. Rights of Personal Data Owners and Finalization of Their Requests by the Company
11. Technical and administrative measures
    1. Technical measures
    2. Administrative measures
12. Personal data destruction techniques
    1. Deletion of personal data
    2. Destruction of personal data
    3. Anonymization of personal data
13. Storage and disposal periods
14. Periodic destruction time
15. Publication and storage of the Policy
16. Policy update period

ANNEX-1: Application form

1. INTRODUCTION
2. Purpose

The purpose of this document is the Personal Data Storage and Destruction Policy (“Policy”), the Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and the secondary regulation of the Law, which came into force by being published in the Official Gazette dated 28 October 2017. To fulfill our obligations following the Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation”) and to inform data owners about the principles of determining the maximum storage period required for the purpose for which their personal data is processed and the deletion, destruction and anonymization processes. It has been prepared by ANİA Turizm Yatırımları A.Ş., the operator of Balmy Hotels, as the data controller (from now on referred to as "ANİA" or "Company").

1. Scope

Personal data belonging to the Institution's employees, employee candidates, service providers, visitors and other third parties are within the scope of this Policy, and this Policy applies to all recording environments and personal data processing activities where personal data owned or managed by the Institution is processed.

1. Abbreviations and Definitions
     

Abbreviation	Definition
EXPRESS CONSENT	Consent regarding a specific subject is based on information and expressed with free will.
GDPR	European Union General Data Protection Regulation No. 2016/679 repealed Directive No. 95/46/EC on 25.05.2018.
RELEVANT USER	Persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
DESTRUCTION	Deletion, destruction or anonymization of personal data.
LAW / PDPL	Personal Data Protection Law No. 6698.
RECORDING MEDIA	Any environment where personal data is processed by fully or partially automated or non-automatic means, provided that it is part of any data recording system.
PERSONAL DATA	Any information regarding an identified or identifiable natural person.
TRANSFER OF PERSONAL DATA	Personal data can be shared with domestic or foreign institutions, organizations, suppliers, etc. in accordance with PDPL and in accordance with Article 5 of this Policy. sharing.
ANONYMIZING PERSONAL DATA	Making personal data not associated with an identified or identifiable natural person in any way, even by matching it with other data.
PROCESSING OF PERSONAL DATA	Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any action performed on data, such as blocking.
DELETION OF PERSONAL DATA	Deletion of personal data; making personal data inaccessible and unusable in any way for the relevant users.
DESTRUCTION OF PERSONAL DATA	The process of making personal data inaccessible, irretrievable and reusable by anyone.
ORGANISATION	Personal Data Protection Authority
AUTOMATIC DATA PROCESSING	Personal data processing activity carried out by an interconnected and interactive electrical or electronic system that minimizes the need for human intervention or assistance.
NON-AUTOMATIC DATA PROCESSING	Personal data processing activity carried out manually, that is, through human intervention or assistance,
SPECIAL PERSONAL DATA	Data regarding people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
PERIODIC DESTRUCTION	In case all the conditions for processing personal data specified in the Law are eliminated, the deletion, destruction and anonymization process will be carried out ex officio at recurring intervals and specified in the personal data storage and destruction policy.
DATA OWNER / RELATED PERSON	Real person whose personal data is processed
DATA CONTROLLER	Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system
REGULATION	Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette on 28 October 2017.
POLICY	Personal Data Storage and Destruction Policy
DATA PROCESSOR	Natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
VERBIS	Data Controllers Registry Information System

 

2. PRINCIPLES ADOPTED BY THE COMPANY REGARDING THE PROCESSING AND PROTECTION OF PERSONAL DATA
3. Compliance with Basic Personal Data Processing Principles

The following basic principles are adopted by the company within the scope of complying with and maintaining compliance with personal data protection legislation:

1. Process personal data in accordance with the law and the rules of honesty

The company carries out its personal data processing activities in accordance with the law and the rule of honesty, in accordance with the personal data protection legislation, especially the Constitution of the Republic of Turkey.

2. Ensuring the accuracy and up-to-dateness of personal data processed

While the processing of personal data is carried out by the company, all necessary administrative and technical measures are taken to ensure the accuracy and up-to-dateness of personal data within technical possibilities.

3. Processing of personal data for specific, explicit and legitimate purposes

The processing of personal data by the company is carried out for clear and lawful purposes determined before the personal data processing begins.

4. Processing personal data in a limited and measured manner in connection with the purpose

Personal data is processed by the company in connection with the data processing conditions and as necessary to provide these services. In this context, the purpose of personal data processing is determined before starting the personal data processing activity, and data processing is not carried out with the assumption that it can be used in the future.

5. Keeping personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

The company retains personal data for a limited period of time stipulated in the relevant legislation or required by the purpose of data processing. Accordingly, if the period stipulated in the legislation expires or the reasons requiring the processing of personal data disappear, personal data is immediately deleted by the Company.

2. Compliance with Personal Data Processing Conditions

The company carries out its personal data processing activities in accordance with the data processing conditions set out in Article 5 of the PDPL. In this context, personal data processing activities are carried out in the presence of the personal data processing conditions listed below:

1. Existence of Explicit Consent of the Personal Data Owner
2. Personal Data Processing Activity is Clearly Provided for in Laws
3. Explicit Consent of the Data Owner Cannot Be Obtained Due to Actual Impossibility and Personal Data Processing is Mandatory
4. Personal Data Processing Activity Is Directly Related to the Establishment or Performance of a Contract
5. It is mandatory to carry out personal data processing activities in order for the company to fulfill its legal obligations
6. Data Processing Is Necessary for the Establishment, Exercise or Protection of a Right
7. Data Owner's Publicization of Personal Data
8. Personal Data Processing is Necessary for the Legitimate Interests of the Company, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Owner
9. Compliance with Special Personal Data Processing Conditions

       Special categories of personal data can be processed in the following cases, provided that adequate measures determined by the Company are taken:

 

• The relevant person must have explicit consent,
• It is clearly stipulated in the law,
• It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity,
• Concerning the personal data that the relevant person has made public and being in accordance with the will to make it public,
• It is mandatory for the establishment, use or protection of a right,
• It is necessary for the protection of public health, the execution of preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons or authorized institutions and organizations under the obligation of confidentiality,
• It is mandatory to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,

3. RESPONSIBILITIES AND DUTIES DISTRIBUTION

Title	Duty
IT Manager	Organizing workplace processes in terms of information technology and ensuring their security. Checking the compliance of personal data with the retention period. Carefully evaluating and finalizing the applications of those concerned. Management of periodic personal data destruction process.
Director of human resources	Ensuring that human resources processes in the workplace comply with personal data protection legislation. Management of storing processed personal data in accordance with its purpose and proportionately. Carefully monitoring and finalizing applications from relevant parties. Regular management of the personal data destruction process.
Operations manager	Checking the compliance of operational processes with personal data protection standards. Management of storing processed personal data in accordance with their purposes. Following up applications from relevant parties and finalizing them effectively. Operational management of periodic personal data destruction process.
Sales and Marketing Manager	Ensuring that marketing processes comply with personal data protection standards. Management of storing customer data in a manner appropriate and proportionate to its purpose. Quick handling and finalization of applications from interested parties. Effective implementation of periodic personal data destruction process in the marketing department.
Front office manager	Ensuring that accommodation processes comply with personal data protection standards. Carefully follow up and finalize guest applications. To manage the personal data destruction process and take necessary precautions.
Guest Relations Manager	Ensuring that guest relations processes comply with personal data protection standards. Carefully evaluating and finalizing applications from guests. Checking room reservations in terms of personal data management. Effective implementation of the periodic personal data destruction process in the guest services department.
Kitchen chef	Ensuring that kitchen processes comply with personal data protection standards. Evaluating special requests from guests who will receive food service in terms of personal data management. Management of safe storage of personnel-related personal data. Effective implementation of periodic personal data destruction process in the kitchen department.
Finance director	Ensuring that financial processes comply with personal data protection standards. Management of secure storage of financial data. Following up and finalizing financial applications from relevant parties. Effective implementation of periodic personal data destruction process in the finance department.
Reservations Manager	Ensuring that reservation processes comply with personal data protection standards. Management of secure storage of customer reservation information. Following up and finalizing reservation-related applications from relevant parties. Effective implementation of the periodic personal data destruction process in the reservation department.
F&B Manager	Ensuring that food and beverage processes comply with personal data protection standards. Controlling personal data management regarding the menu and special requests. Management of safe storage of personnel-related personal data. Effective implementation of periodic personal data destruction process in the F&B department.
Concept Manager	Ensuring that in-company concept and brand processes comply with personal data protection standards. Carefully following and finalizing the applications regarding the concept received from the relevant parties. Controlling personal data management regarding concept documents and designs. Effective implementation of the periodic personal data destruction process in the concept department.
ANIA Personal Data Protection Committee	Ensuring internal coordination to ensure that all departments comply with KVKK legislation and company data policy. Regularly auditing interdepartmental personal data management processes and improving them when necessary.

4. RECORDING MEDIA

Personal data is stored securely in accordance with the law in the environments listed below.

Electronic media

Non-electronic media

- Servers (Cloud Based Systems, Domain, backup, email, database, web, file sharing, etc.) - Software (office software, HR portal,….) - Information security devices (firewall, intrusion detection and prevention, log file, antivirus, etc.) - Personal computers (Desktop, laptop) - Mobile devices (phone, tablet, etc.) - Optical discs (CD, DVD, etc.) - Removable memories (USB, Memory Card, etc.) - Printer, scanner, photocopier

- Paper - Manual data recording systems (Customer registration form, reservation form, tour and transfer ticket stubs) - Written, printed, visual media

5. TRANSFER OF PERSONAL DATA

      We may share personal data with our business and solution partners that provide services such as tourism, hotel management, travel agency, tour operator, as well as with our Company subsidiaries, social media, advertising and analysis business partners, in order to provide services by the Company. Our business partners may combine this information with other information you have provided to them or that they have collected while using their services.

      Within the framework of national and international legislation provisions, especially KVKK, the Company may transfer the personal data it processes domestically or abroad. It may be subject to transfer procedures. During these transactions, articles 8 and 9 of the KVK Law, Directive 95/46/EC and the provisions of the GDPR, which repeals this directive, are taken into account. The company has fulfilled the conditions stipulated by the above-mentioned laws and directives regarding the transfer of personal data domestically and abroad.Kişisel Verilerin Yurtiçinde Aktarılması

The company may transfer the data it processes to third parties by obtaining the express consent of the relevant person within the framework of the authority granted by Articles 8 and 9 of the PDPL and this policy. The basic principles listed below are explained in Section 2 of this Policy within the scope of compliance and maintenance of compliance with the personal data protection legislation by the Company.

The data duly collected, stored and processed by the company is shared with the following domestic third parties for purposes such as receiving technical support services and ensuring data security, and is processed within the scope of explicit consent.

Google LLC
Meta Inc,
Microsoft Corporation, Inc.,
Yandex LLC,
and also within the scope of Digital Marketing activities
Cyber Media Information Technologies. Tic. Ltd. Ltd.

 

Provisions in other laws are reserved for the domestic transfer of personal data.

If there is any Data Processor within the scope of this Data Policy, the provisions of Article 8 of the PDPL apply to personal data transfers between the Data Processor and the Company. Data transfer between employees operating in the legal entity and different departments within the legal entity of the company that has the title of data controller is not considered a transfer within the framework of Article 8 of the PDP Law. However, data transfers with those who have separate legal entities operating as cooperation or solution partners with the company are considered as data transfer within the scope of Articles 8 and 9 of the PDP Law and this PDP Policy.

2. Transfer of Personal Data Abroad

Personal data by the company in accordance with the personal data processing conditions in accordance with Article 9 of the KVKK;

(1) Existence of adequate protection (Countries with adequate protection are determined and announced by the Institution.)

(2) In case there is no adequate protection, the data controllers in Turkey and the relevant foreign country must undertake adequate protection in writing and have the permission of the Authority.

(3) The standard contract announced by the Institution must be signed with the company and the third party to be shared with.

or

• Performance of a contract or implementation of pre-contractual measures,
• Establishment or execution of a contract for the benefit of the relevant person, a superior public interest,
• Establishment, use or protection of a right,
• It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
• Transfer from a registry that is open to the public or persons with legitimate interests

In such cases, it can be transferred abroad.

6. EXPLANATIONS REGARDING THE REASONS REQUIRING STORAGE AND DISPOSAL

Personal data belonging to data owners are stored securely by the Company in the physical or electronic environments listed above, within the limits specified in KVKK and other relevant legislation, especially in order to continue commercial activities, fulfill legal obligations, plan and fulfill employee rights and benefits, and manage customer relations.

1. 1. Information on Storage

Personal data processed in accordance with the law and this Policy may be stored under the following conditions.

• Storing personal data because it is directly related to the establishment and execution of contracts,
• Storing personal data for the purpose of establishing, exercising or protecting a right,
• It is mandatory to keep personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
• Storing personal data for the purpose of fulfilling any legal obligations of the Company,
• Storage of personal data is clearly stipulated in the legislation,
• Explicit consent of data owners is required for storage activities that require explicit consent of data owners.
  2. Reasons Requiring Destruction

 In accordance with the Regulation, in the cases listed below, personal data of data owners are deleted, destroyed or anonymized by the Company ex officio or upon request.

• Amendment or fulfillment of the relevant legislation provisions that constitute the basis for the processing or storage of personal data,
• Elimination of the purpose requiring the processing or storage of personal data,
• Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
• To withdraw the consent of the relevant person in cases where the processing of personal data is carried out only on the basis of explicit consent,
• The data controller accepts the application made by the relevant person for the deletion, destruction or anonymization of his personal data within the framework of his rights in paragraphs 2 (e) and (f) of Article 11 of the Law,
• In cases where the data controller rejects the application made to him by the data subject requesting the deletion, destruction or anonymization of his personal data, his response is found insufficient, or he does not respond within the period stipulated in the Law; Making a complaint to the Institution and this request being approved by the Institution,
• Although the maximum period requiring the storage of personal data has passed, there are any conditions that justify storing personal data for a longer period of time.

The company retains personal data for the period necessary for the purpose for which they are processed and the minimum period stipulated in the relevant legal legislation. In this context, the Company first determines whether a period of time is stipulated in the relevant legislation for the storage of personal data, and if a period is determined, it acts in accordance with this period. If there is no legal period, personal data is stored for the period shown in the table above that is necessary for the purpose for which they are processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or the data owner's application and with the specified destruction methods (deletion and/or destruction and/or anonymization).

7. RIGHTS OF PERSONAL DATA OWNERS AND CONCLUSION OF THEIR REQUESTS BY THE COMPANY

     If data owners submit their requests regarding their personal data to the Company in writing or by other methods determined by the KVK Authority, the Company, as the data controller, shall ensure that the request is finalized as soon as possible and within thirty (30) days at the latest, in accordance with Article 13 of the KVK Law, depending on the nature of the request. carries out the necessary processes to ensure Data owners must make their requests regarding their personal data in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller.

      Within the scope of ensuring data security, the company may request information to determine whether the applicant is the owner of the personal data subject to the application. Our company may also ask questions to the personal data owner regarding his/her application in order to ensure that the personal data owner's application is finalized in accordance with the request.

      Application of the data owner; In cases where there is a possibility of hindering the rights and freedoms of other persons, it requires disproportionate effort, or the information is publicly available, the request may be rejected by the Company by explaining the reason.

Rights of Personal Data Owners In accordance with Article 11 of the KVK Law, you can apply to our Company and request the following issues:

1. To learn whether your personal data is being processed or not,
2. To request information if your personal data has been processed,
3. To learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
4. To learn the third parties to whom your personal data is transferred domestically or abroad,
5. To request correction of your personal data if it has been processed incompletely or incorrectly, and to request that the action taken in this context be notified to third parties to whom your personal data has been transferred,
6. To request the deletion, destruction or anonymization of your personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of PDPL and other relevant laws, and to request that the action taken in this context be notified to third parties to whom your personal data has been transferred,
7. To object to the emergence of a result against you by analyzing your processed data exclusively through automatic systems,
8. To request compensation in case you suffer damage due to unlawful processing of your personal data.

8. TECHNICAL AND ADMINISTRATIVE MEASURES

Company within the framework of adequate measures determined and announced by the Institution for special personal data in accordance with Article 12 of the Law and the fourth paragraph of Article 6 of the Law, in order to safely store personal data, prevent unlawful processing and access of personal data, and destroy personal data in accordance with the law. Technical and administrative measures are taken by the company.

1. Technical Measures

• With penetration tests, risks, threats, vulnerabilities and vulnerabilities, if any, regarding our Company's information systems are revealed and necessary precautions are taken.
• As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
• Access to information systems and authorization of users are made through the access and authorization matrix and security policies through the corporate active directory.
• Necessary precautions are taken for the physical security of our company's information systems equipment, software and data.
• In order to ensure the security of information systems against environmental threats, hardware (access control system that allows only authorized personnel to enter the system room, 24/7 employee monitoring system, ensuring the physical security of the edge switches that form the local area network, fire extinguishing system, air conditioning system, etc.) and software. Precautions (firewalls, attack prevention systems, network access control, malware blocking systems, etc.) are taken.
• Risks to prevent unlawful processing of personal data are identified, technical measures appropriate to these risks are taken, and technical controls are carried out for the measures taken.
• Access procedures are established within the company and reporting and analysis studies regarding access to personal data are carried out.
• Access to storage areas containing personal data is recorded and improper access or access attempts are kept under control.
• The Company takes the necessary measures to ensure that deleted personal data is inaccessible and unusable for relevant users.
• In case personal data is obtained by others unlawfully, a suitable system and infrastructure has been created by the Company to notify the relevant person and the Institution by sending an e-mail to info@balmyhotels.com.
• Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up to date.
• Strong passwords are used in electronic environments where personal data is processed.
• Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
• Data backup programs are used to ensure safe storage of personal data.
• Access to personal data stored in electronic or non-electronic media is limited according to access principles.
• The company does not store personal data in flash memory, USB drive, Data Bank and similar portable systems under any circumstances, and the transfer of existing personal data to such portable systems is not allowed.
• The authorizations of users who have access to data for employees involved in special personal data processing processes are defined.
• Electronic environments where special personal data are processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are carried out regularly, test results are recorded. to be taken under,
• Adequate security measures are taken for the physical environments where special personal data are processed, stored and/or accessed, and unauthorized entries and exits are prevented by ensuring physical security.

1. 2. Administrative Measures

Administrative measures taken by the company regarding the personal data it processes are listed below:

• In order to improve the qualifications of employees, training is provided on preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring the preservation of personal data, communication techniques, technical knowledge and skills, Law No. 657 and other relevant legislation.
• Employees are made to sign confidentiality agreements regarding the activities carried out by the company.
• A disciplinary procedure has been prepared for employees who do not comply with security policies and procedures.
• Before starting to process personal data, the Company fulfills its obligation to inform the relevant persons.
• A personal data processing inventory has been prepared.
• Periodic and random audits are carried out within the company.
• Information security training is provided to employees.
• A separate policy has been determined for the security of sensitive personal data.
• Training is provided on special personal data security for employees involved in special personal data processing processes, and confidentiality agreements have been signed regarding special personal data security.

9. PERSONAL DATA DESTRUCTION TECHNIQUES

At the end of the period stipulated in the relevant legislation or the storage period required for the purpose for which they are processed, personal data are destroyed by the Company ex officio or upon the application of the relevant person, using the techniques specified below, in accordance with the relevant legislation.

1. 1. Deletion of Personal Data

Data Recording Environment	Explanation
Personal Data on Servers	For personal data on the servers whose retention period has expired, the system administrator removes the access authorization of the relevant users and deletes them.
Personal Data in Electronic Media	Among the personal data in the electronic environment, those whose period of storage has expired are made inaccessible and unusable for other employees (relevant users) except the database administrator.
Personal Data in Physical Environment	Personal data kept in physical environment, for which the period requiring storage has expired, is destroyed under the control of the unit manager responsible for the document archive.

1. 2. Destruction of Personal Data

Data Recording Environment	Explanation
Personal Data in Physical Environment	Personal data stored on paper that have expired are irreversibly destroyed in paper shredding machines.
Personal Data Contained in Optical / Magnetic Media	Personal data contained in optical media and magnetic media whose storage period has expired are destroyed by melting, burning, pulverizing or physically destroying them by a similar method.

10. STORAGE AND DISPOSAL PERIOD

Regarding the personal data processed by the company within the scope of its activities;

• Personal data-based retention periods for all personal data within the scope of activities carried out depending on the processes are included in the Personal Data Processing Inventory;
• Process-based retention periods are in the Personal Data Storage and Destruction Policy.

takes place.

For personal data whose storage period has expired, the Company will ex officio delete, destroy or anonymize it.

 

Data Owner	Process	Storage Period	Destruction Period
Employees, Interns and Relatives of Employees	Creating an Employee Personnel File	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Employee and Intern	Occupational Health and Safety Practices	Legal Relationship + 10 years	Saklama süresinin bitimini takip eden ilk periyodik imha süresinde
Employee and Intern	Salary payments	Legal Relationship + 10 years	Saklama süresinin bitimini takip eden ilk periyodik imha süresinde
Employee and Intern	Educational Planning	Legal Relationship + 10 years	Saklama süresinin bitimini takip eden ilk periyodik imha süresinde
Employee Candidate	Conducting the Job Application Process	2 years from the completion of the visit	Saklama süresinin bitimini takip eden ilk periyodik imha süresinde
Instructor	Educational Planning	1 year from completion of training	Saklama süresinin bitimini takip eden ilk periyodik imha süresinde
Subcontractor	Execution of Subcontracted Activities	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Employee Candidate and Visitor	Tracking of Building Entrances and Exits	2 years from the completion of the visit	During the first periodic destruction following the end of the storage period
Daily Hotel Guests, Supplier Employees, Supplier Officials and Visitors	Tracking of Building/Institution Entrance and Exit	2 years from the completion of the visit	During the first periodic destruction following the end of the storage period
Employee and Intern	Detection of Employees' Disciplinary Behaviors	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Person Receiving Product or Service	Ensuring Institutional Security	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Person Receiving Product or Service	Camera Recordings	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Visitors, Daily Hotel Guests, Employee Candidates and Interns	Camera Recordings	2 years	During the first periodic destruction following the end of the storage period
Person Receiving Product or Service	Execution of Accommodation Service-Related Processes and Service Sales	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Person Receiving Product or Service	Personal Health Data, Blood Group Information and Allergen Information	Legal Relationship + 20 years	During the first periodic destruction following the end of the storage period
Person Receiving Product or Service	Sales and Marketing Activities	Legal Relationship + 10 years	During the first periodic destruction following the end of the storage period
Employee, Intern and Person Receiving Products or Services	Transaction Security Activities	2 years	During the first periodic destruction following the end of the storage period
Employee, Intern and Person Receiving Products or Services	Log/Recording/Tracking Systems	2 years	During the first periodic destruction following the end of the storage period
Website Visitor	Website Visits	2 years	During the first periodic destruction following the end of the storage period
Person Receiving Product or Service	Customer Registration Information	10 years	During the first periodic destruction following the end of the storage period
Supplier Employee and Supplier Official	Conducting Purchasing Processes	Legal Relationship + 1 years	During the first periodic destruction following the end of the storage period
Website Visitor	Log Record Tracking Systems (based on law no. 5651)	2 years	During the first periodic destruction following the end of the storage period

2. PERIODIC DESTRUCTION PERIOD

Periodic destruction periods are determined as 3 months. Within the company, destruction is carried out every year in 3-month periods on the date determined by the Company.

3. PUBLISHING AND STORAGE OF THE POLICY

The policy is published in two different media, with wet signature (printed paper) and electronically, and is disclosed to the public on the website. The printed paper copy is stored at the office headquarters.

4. UPDATED PERIOD OF THE POLICY

This data policy was updated on 21.03.2024 and will be reviewed if necessary in line with developments and the necessary sections will be updated. Updates are published on the web page.

ANNEX-1 APPLICATION FORM

This form is submitted to ANİA Turizm Yatırımları A.Ş. in accordance with Article 11 of the Law on the Protection of Personal Data. It has been prepared to make it easier for you to exercise your right to receive information by applying to (ANIA). For detailed information about the processing process of your Personal Data and the process after your application with this form, see “ANİA Turizm Yatırımları A.Ş.” published on the balmyhotels.com website. Please review the "Policy on Protection, Processing, Storage and Destruction of Personal Data".

1. Applicant's Contact Information

The information requested through this form is necessary to accurately identify you, to conduct detailed research regarding your request, and to notify you of the result of your application, and may be processed for this purpose. Therefore, please submit your information accurately and completely. Your requested personal data will not be used in any way other than to fulfill the Purpose.

Name and Surname:
TR ID Number:
Phone Number:
E-Mail Address:
Adresiniz:

2. Applicant's Relationship with ANIA
    
3. 1. Please indicate your relationship with ANIA.

For example: Employee; Shareholder; Company official; Customer; Customer Representative/Employee; Reseller.

…………...…………………………………………………………………………………………………......

1. 2. Which unit within ANIA did you communicate with?

…………...…………………………………………………………………………………………………......

3. Applicant's Request

Please describe your request in detail below.

…………...…………………………………………...……………………………………………………......

…………...…………………………………………………………………………………………………......

…………...…………………………………………………………………………………………………......

…………...…………………………………………………………………………………………………......

…………...…………………………………………………………………………………………………......