SWOT HOSPITALITY RESTORAN JOINT STOCK COMPANY PRINCIPLES OF PRIVACY AND PROTECTION OF PERSONAL DATA
PURPOSE AND SCOPE
The hereyn Privacy and Personal Data Protection Principles (hereinafter referred to as the "Principles") determines the principles adopted by Swot Hospitality Restaurant Join stock Company (hereinafter referred to as the "Company") regarding the protection of personal data and governs all relevant groups of persons in the Personal Data Protection Law No. 6698 (hereinafter referred to as the "Company"). Hereinafter referred to as “GDPR No. 6698”).
2. PRINCIPLES ON THE PROCESSING OF PERSONAL DATA
As a Data Controller, we process your personal data within the framework of the following principles.
2.1 Lawful and Integrity Processing
In the processing of your personal data, we act in accordance with the principles brought by legal regulations and the general rule of trust and honesty. In accordance with this principle, we consider your interests and reasonable expectations while trying to achieve our personal data processing purposes, we do not abuse our rights and we act in accordance with the principle of transparency in our data processing activities.
2.2 Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of personal data, periodic controls and updates are made to ensure that the processed data is accurate and up-to-date, and necessary measures are taken accordingly. In this context, systems for checking the accuracy of personal data and making necessary corrections are established within the Company.In addition, the accuracy of the sources from which personal data is collected is checked and requests arising from the inaccuracy of personal data are taken into account. Therefore, this principle is implemented in accordance with the right to request the correction of personal data you have in accordance with the GDPR No. 6698.
2.3 Processing for Specific, Explicit, and Legitimate Purposes
Your personal data is processed based on clear, specific and legitimate data processing purposes. In this context, we ensure that our personal data processing activities are clearly understandable by the persons concerned, and we determine and clearly express in Article 3 of these Principles on which purposes and legal processing conditions it is based.
2.4 Being Relevant, Limited and Proportionate to the Purpose for which they are Processed
Your personal data is processed in a measured, purpose-related and limited manner in order to achieve the foreseen purpose/purposes, and the processing of personal data that is not relevant or needed for the realization of the purpose is avoided.Again, within the scope of this principle, personal data is not collected or processed for purposes that do not exist and are thought to be realized later.
2.5 Retention for as Long as Required for the Purpose of Processing or Envisioned in the Relevant Legislation
Your personal data is stored only for the period required by the relevant legislation or for the purpose for which they are processed. In this regard, the Company, takes and implements the relevant administrative and technical measures.In this context, first of all, it is determined whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, this period is acted upon.In case the necessity of the relevant processes disappears, access to your personal data by unrelated departments is prevented within the scope of the deletion action specified in GDPR No. 6698.Your personal data is destroyed or anonymized in accordance with the legislation on the protection of personal data, unless the period expires or the reasons requiring its processing disappear, unless there is a legal reason allowing them to be processed for a longer period of time.
3. TERMS OF PROCESSING PERSONAL DATA
Your personal data can be processed within the scope of GDPR No. 6698, within the framework of the conditions set forth below.
3.1 Explicitly Provided in Laws
The basic rule is that personal data cannot be processed without the explicit consent of the persons concerned, and according to this exception, your personal data may be processed in cases where the laws expressly stipulate the processing of personal data.
3.2 Failure to Obtain the Explicit Consent of the Person Related to the Cause of Actual Impossibility
Your personal data may be processed if the processing of personal data is necessary in order to protect the life or physical integrity of the person or another person, who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated.
3.3 Direct Concern with the Establishment or Performance of the Contract
Provided that it is directly related to the establishment or performance of the contract, your personal data may be processed if it is necessary to process the personal data of the parties to the contract.
3.4 Fulfilling the Company's Legal Obligation
Your personal data may be processed if it is necessary to fulfill the legislation, contract and similar legal obligations to which the Company is bound and responsible.
3.5 Making Personal Data Public
If your personal data has been made public by you, that is, if it has been shared with the public by you, it may be processed in connection with the purpose of making it public and in a measured manner.
3.6 Requirement of Data Processing for the Establishment or Protection of a Right
Within the scope of the execution and management of the processes related to the legal and commercial rights of the Company, your personal data may be processed if data processing is necessary for the establishment, exercise or protection of the said right.
3.7 Processing of Data Based on Legitimate Interest
If data processing is necessary for the legitimate interests of the Company, your personal data may be processed. In the event that data processing is required depending on the processing condition in question, our company evaluates your fundamental rights and freedoms and makes decisions according to the results of the evaluation.
3.8 Consent-Based Processing
Although the processing of personal data based on explicit consent is the main rule, in the presence of other conditions specified in this article, the explicit consent of the persons concerned is not relied upon. Otherwise, abuse of the right may be mentioned. In this context, your personal data is processed based on your explicit consent, in cases where it is not processed based on any of the conditions set forth in these Principles.
3.9 Processing of Private Personal Data
We process your sensitive personal data based on your explicit consent in accordance with Article 6 of the GDPR No. 6698.Again, in the same article, your special quality personal data other than health and sexual life can only be processed in cases stipulated in the laws, and your personal data of special nature regarding health and sexual life can only be used for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and financing of health services. For the purpose of management, we can process it without your explicit consent by paying attention to the matters regarding the processing by persons or authorized institutions and organizations under the obligation of confidentiality.
4. TRANSFER OF PERSONAL DATA
Your personal and private data; Within the scope of Article 2 of these Principles, it can be transferred to our domestic business partners, public institutions and organizations and the like. Compliance with Article 8 of GDPR No. 6698 is observed while performing these transfers. If necessary, your explicit consent is obtained and the transfer is provided within this framework.
5. SECURITY OF PERSONAL DATA
In order to ensure the security of personal data and to prevent unlawful processing, the Company takes all reasonable administrative and technical measures to prevent unauthorized access risks, accidental data loss, deliberate deletion of data or damage to data.
All reasonable technical and physical measures are taken to prevent access to personal data by persons authorized to access it. In this context, the authorization system is designed in such a way that it is not possible for individuals and systems to access more personal data than necessary.
The company carries out and has the necessary audits done in its own institution or organization in order to ensure the implementation of the GDPR provisions numbered 6698.
The measures taken are as follows.
• Network security and application security are provided.
• Closed system network is used for personal data transfers via network.
• Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
• The security of personal data stored in the cloud is ensured.
• There are disciplinary regulations that include data security provisions for employees.
• Training and awareness activities are carried out periodically for employees on data security.
• An authorization matrix has been created for the employees.
• Access logs are kept regularly.
• Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
• Confidentiality commitments are made.
• The authorizations of employees who have a change in duty or quit their job in this field are removed.
• Current anti-virus systems are used.
• Firewalls are used.
• The signed contracts contain data security provisions.
• Extra security measures are taken for personal data transferred via paper and the relevant document is sent in confidential document format.
•Personal data security policies and procedures have been determined.
•Personal data security issues are reported quickly.
•Personal data security is followed up. Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
• The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
• The security of environments containing personal data is ensured.
• Personal data is reduced as much as possible.
• Personal data is backed up and the security of the backed up personal data is also ensured.
• User account management and authorization control system is implemented and these are also followed.
• In-house periodic and/or random audits are conducted and made.
• Existing risks and threats have been identified.
• Protocols and procedures for special quality personal data security have been determined and implemented.
• If sensitive personal data is to be sent via e-mail, it must be sent in encrypted form and using REM or corporate mail account.
• Intrusion detection and prevention systems are used.
• Penetration test is applied.
• Cyber security measures have been taken and their implementation is constantly monitored.
• Data of special persons transferred in portable memory, CD, DVD media are encrypted and transferred.
• Data processing service providers are periodically audited on data security.
• Awareness of data processing service providers on data security is ensured.
6. RIGHTS OF THE RELATED PERSON, APPLICATION PROCEDURES AND PRINCIPLES
6.1 Rights of the Relevant Person
The rights of the person concerned are regulated in Article 11 of GDPR No. 6698 as follows. Everyone, by applying to the data controller;
a) Learning whether personal data is processed or not,
b) If personal data has been processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
d) To know the third parties to whom personal data is transferred in the country or abroad,
e) Requesting correction of personal data in case of incomplete or incorrect processing,
f) To request the deletion or destruction of personal data within the framework of the provisions of Article 7 of the Law,
g) Requesting the notification of third parties to whom personal data has been transferred, that clauses (d) and (e) have been removed while configuring,
h) Preventing the occurrence of a result against the person himself by analyzing the processed data exclusively on the drawings of automatic objects,
i) To request the reduction of the damage in case personal data is damaged against the borders in violation of the law,has rights.
6.2 Application Procedures and Principles
As a data subject, you can make your requests regarding your rights in Article 11 of GDPR No. 6698 by filling the Application Form on the Protection of Personal Data, which you can obtain from our website https://tr.swothospitality.com/ or with the Communiqué on Application Procedures and Principles to the Data Controller. With your application that meets the minimum conditions stipulated, you can send it to us by the following methods. As the Company, we will finalize your application free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request. However, if the transaction requires a separate cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company.
| Manner of Application |
Application Address |
|---|---|
| Electronic message you will forward with REM |
swothospitality@hs01.kep.tr |
| The message you will send with your e-mail address registered in our system or with secure electronic signature and mobile signature. |
info@swothospitality.com |
| Application that you submit in writing in person or through a notary public. |
Kadriye,Atatürk Street No: 104/1 Serik Antalya |