DIDIM BEACH RESORT & SPA POLICY ON PROTECTION AND PROCESSING OF PERSONAL DATA

Protection of personal data is an issue of great importance for Didim Beach Resort & Spa. Didim Beach Resort & Spa, in accordance with the sensitivity of the area it has served until today, personal data obtained from owners (real person / data subject whose personal data are processed) kept the data confidential and never tried to contact third parties unlawfully. Didim Beach Resort & Spa, before any legal regulation, has adopted the privacy of personal data as a working principle and has given working instructions in line with the principle.

The Company, in order to comply with the Personal Data Protection Law No.6698 ("Law") Adopting all the principles stipulated by the law, processing, deletion of personal data, no anonymizing, transferring, enlightening the person concerned and data It fulfills its obligations related to ensuring security. It This KVK Policy regulated within the scope of the access of natural persons whose personal data is processed is offered.

1. Purpose and Scope of the KVK Policy

This KVK Policy means collection of personal data by Didim Beach Resort & Spa, the issues of use, sharing, preservation and protection and related data explains the rights of its owners. This KVK Policy;

• Employees,

• Employee candidates,

• Company shareholders,

• Company officials,

• Your visitors,

• Employees of cooperating institutions

• Those who access all kinds of applications and services offered by the company and

• Third parties

It is applied for personal data under the Law. Explicit consent from data owners collected by obtaining or within the scope of other legal compliance cases enumerated in the Law personal data of Didim Beach Resort & Spa Fulfillment of legal obligations, provision of services properly, Increasing the quality of services and improving the quality policy and this KVK It is processed for other purposes specified in the policy.

2. Processing of Personal Data

2.1. General Principles Regarding the Processing of Personal Data Didim Beach Resort & Spa, while performing personal data processing activities, It abides by the principles listed in the article.

• Being in compliance with the law and good faith: Didim Beach Resort & Spa questions the source of personal data obtained from third parties and attaches importance to obtaining and processing within the framework of appropriate and honesty rules. It Didim Beach Resort & Spa provides personal data to third parties to whom it transfers personal data. makes necessary warnings and notifications to protect data.

• Being accurate and up-to-date when necessary: ​​Didim Beach Resort & Spa is within its legal entity All data found is accurate, not false, and finally personal. to update in cases where changes are made in the data and these are communicated to them. he cares. Didim Beach Resort & Spa; contacting members, customers or the Company on the accuracy and currency of personal data declared by third parties show reasonable care and attention.

• Processing for specific, explicit and legitimate purposes: Didim Beach Resort & Spa, legal and legal the appropriate data processing purposes before starting the personal data processing and it clearly reveals. Except for the purposes set in this way, personal data is not processed.

• Being connected, limited and restrained for the purpose of processing: Didim Beach Resort & Spa, personal performs data processing activities only limited to the purpose of processing. Didim Beach Resort & Spa personal data not related to the specified purpose not processed.

• Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed. personal data of Didim Beach Resort & Spa as stipulated by the legislation or the purpose of processing keeps it as long as required. However, when the period stipulated by the legislation expires or when all the purposes of processing disappear, personal data is deleted, destroyed or anonymizes.

These principles; Didim Beach Resort & Spa personal data based on express consent or Whether it has been processed in accordance with other data processing conditions stipulated in the Law is applied regardless. At this point, Didim Beach Resort & Spa processes personal data into data processing. It operates in accordance with the conditions and general principles and fulfills the obligation of illumination.

2.2. Conditions of Processing Personal Data Didim Beach Resort & Spa; personal data with express consent or other data processing conditions It operates in the cases deemed appropriate:

• It is clearly stipulated in the laws.

• A legal person who is unable to explain his / her consent due to actual impossibility or the unrecognized person's life or bodily integrity to be mandatory for protection.

• Provided that it is directly related to the establishment or performance of a contract, It is necessary to process personal data belonging to the parties of the contract.

• It is mandatory for the data controller to fulfill its legal obligation.

• It has been made public by the person concerned.

• Data processing is mandatory for the establishment, exercise or protection of a right.

• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data controller Data processing is mandatory for legitimate interests.

According to the law, people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and dress, association, foundation or union membership, health, biometric and data on sexual life, criminal conviction and security measures genetic data are personal data of special nature.

Didim Beach Resort & Spa, in the processing of special quality data, Law and Personal Takes additional measures stipulated by the Data Protection Board.

Data processing listed in Article 6 of the Law in the processing of special quality personal data by publishing in the Official Gazette dated 20 October 2016 in terms of conditions and health data About the Processing of Personal Health Data and Ensuring Privacy The provisions of the regulation are respected. In this context, special quality personal data processed in the following cases:

• Obtaining the explicit consent of the data owner

• The processing of sensitive personal data other than health and sexual life predicting.

• Protection of public health data on health and sexual life, preventive medicine, carrying out medical diagnosis, treatment and care services, healthcare and financing by persons under the confidentiality obligation for planning and management processing.

2.3. Purposes of Processing Personal Data Didim Beach Resort & Spa; of employee candidates, employees, customers and the Company personal data of shareholders / officials, visitors and other persons It operates based on the legal reasons in Articles 5 and 6 of the Law. Personal The purposes for processing the data differ according to the respective category of data subject as follows. offers.

Employee Candidate Data: Didim Beach Resort & Spa, human resources policy and In accordance with the procedures, employee candidates apply to the Company for a job shared or obtained from Didim Beach Resort & Spa's online employment platforms evaluation of the candidate's suitability for the position, personal data, interview processes candidates whose execution and process result in negative results It works for the purpose of being re-evaluated. Didim Beach Resort & Spa, employee request any special quality personal data from candidates during the job application phase does not. Nevertheless, with the express consent of the employee candidate, he In cases where they are shared, the relevant data are stored, if necessary, by taking additional measures; opposite it is destroyed.

Employee Data: Personal data of Didim Beach Resort & Spa employees, Labor Law m. Preparing and keeping personal files of the employer born from 75; rights arising from employment contract

Customer / User Data: The main field of activity of Didim Beach Resort & Spa on its platform Mediation for reservations made by customers at the accommodation facility located is to. The main purpose of processing customer data is to provide this service as required. It in scope; Completion and management of reservation procedures, by improving the website providing customers with an easier and more qualified service, demand and complaint management, and / or resolution of existing disputes, legal obligations of Didim Beach Resort & Spa processing and storing online user data within the scope of fulfillment, marketing, profiling and advertising activities, Didim Beach Resort & Spa's For the purposes of determining and implementing commercial and business strategies, customer personal data is processed.

Visitor Data: Visitors of Didim Beach Resort & Spa buildings and facilities security cameras in order to ensure the physical security of the company saved via. Recorded images are stored encrypted in secure environments. and… is destroyed at the end of the day. Didim Beach Resort & Spa, any dispute process relevant personal data and share it with legal authorities. Didim Beach Resort & Spa, data owners and suppliers in the above categories, personal data of shareholders and other third parties; corporate sustainability planning and execution of its activities, relations with business partners or suppliers management, maintenance of ordinary company activities, financial reporting and risk management execution / follow-up of corporate transactions, execution / follow-up of company legal affairs, corporate communication planning and execution of activities, execution of corporate governance activities, companies and realization of partnership law transactions, aimed at protecting the reputation of the company conducting studies, managing investor relations, authorized institutions Providing information arising from the legislation, determining the commercial and business strategies of the Company and responding to information requests from administrative and judicial authorities, legal processes and compliance with legislation, information and transaction security and malicious It can work for purposes such as prevention of use. Data processing activities carried out for the aforementioned purposes, If it does not meet any of the other data processing conditions, the relevant data Obtaining explicit consent from the data subject by Otelz.com regarding the processing process.

2.4. Collection Method of Personal Data Didim Beach Resort & Spa, personal data Contracts, digital media, call center, administrative Auditory through notifications from and judicial authorities and other communication channels, in electronic or written form, in compliance with the personal data processing conditions specified in the Law and in line with the legal reasons specified in this KVK Policy. The personal data in question is basically under the scope of this KVK Policy. is processed in order to establish and provide services to data owners.

In this context, when Didim Beach Resort & Spa services are used, Didim Beach Resort & When a legal relationship is established with Spa (purchase, brokerage, work, etc.) is created, when the service is purchased without a member or when the services related When contacting Otelz.com (via e-mail, etc.), personal data are obtained.

Didim Beach Resort & Spa users / customers make a personal In case of sharing of data, the personal data of the data owner is transferred to Didim Beach Resort & Spa and obtaining consent when necessary responsibility belongs to the relevant user / customer.

Didim Beach Resort & Spa obtains personal data from both business partners and solution partners. adopts as a principle to act in accordance with the law Data from business partners and solution partners With the commitment to confidentiality and only as much data as required by the service, at this point Measures are taken to ensure data security.

2.5. Transfer of Personal Data Didim Beach Resort & Spa personal data are only specified in this KVK Policy. to third parties in line with the purposes and in accordance with Articles 8 and 9 of the Law conveys. In this context, the Company collects personal data from the person and institutions for specific purposes:

• In order to ensure the fulfillment of the objectives of the establishment of the business partnership, to the company's business partners,

• The Company's outsourcing from the supplier and the company's commercial activities limited in order to provide the necessary services to the Company. to the Company's suppliers,

• The company's customers

• The purpose of the company to share personal data of Didim Beach Resort & Spa with its solution partners, to access services, to comply with legal obligations, to have concluded with the data owner to ensure the execution of the contract, to carry out buying and selling transactions or services to prevent and detect fraudulent or illegal activities.

Didim Beach Resort & Spa is a principle to act in accordance with the law in data sharing activities. acquires. With third parties to whom personal data are transferred, but only to the extent required by the service data is shared. These parties must take precautions regarding data security. is forced.

Personal data also; shopping preferences in line with the member's commercial electronic message confirmation, promotion, advertisement, benefit and can be shared with the relevant solution partners in order to present an opportunity.

Didim Beach Resort & Spa; In order to increase customer satisfaction and loyalty, Anonymous data of the member / customer can be shared with companies that will conduct market research. Personal data subject to the above-mentioned domestic and international transfer, data security In addition to the technical measures to provide; provisions included in data transfer contracts thanks to it is protected legally.

Didim Beach Resort & Spa processes the personal data; fulfill its obligation under the law (crime fighting, threat to state and public security, etc.) Not limited to the Company's legal or administrative notification or information are legally authorized to request this information) will be able to share with public institutions and organizations.

2.6. Storage and Destruction of Personal Data Pursuant to the law, personal data are kept accurate and up-to-date. are kept for the time required for the purpose for which they are processed. This time is for each personal are determined separately for the data category and after this period, the relevant personal data Deletion, Destruction or Anonymization of Personal Data It is deleted at the end of the periodic destruction periods determined in accordance with the Regulation on are being made or anonymized.

Deletion of personal data, personal data for the relevant users in no way the process of making it inaccessible and unavailable again; destruction of personal data, personal data cannot be accessed, retrieved or re-used by anyone in any way. the process of making it unusable; anonymization of personal data, personal Even if the data is matched with other data, it is never identified or to make it unrelated to an identifiable natural person

In this context, Didim Beach Resort & Spa determined the required periodic destruction periods and data established a policy of destruction. Company personal data deletion, destruction and anonymous records all transactions made regarding the production and keeps records for at least three years, excluding other legal obligations.

The data owner applies to Didim Beach Resort & Spa to obtain personal data Didim Beach Resort & Spa; when requested to be deleted or destroyed

a. If all the conditions for processing personal data have disappeared, the personal data subject to the request delete, destroy or anonymize. The data subject's request within thirty days at the latest concludes and informs the data owner.

b. All the conditions for processing personal data have disappeared and the personal data subject to the request If the data are transferred to third parties, it informs the relevant third party; third person ensures that necessary actions are taken before you.

c. If all the conditions for processing personal data are not eliminated, this request is In accordance with the third paragraph of the third article, you can reject by explaining the reason and the rejection notifies the data subject in writing or electronically within thirty days at the latest.

3. Technical and Administrative Measures Taken to Ensure the Security of Personal Data Didim Beach Resort & Spa, to ensure that personal data is processed in accordance with the law, It takes technical and administrative measures according to technological possibilities and implementation costs. Technical and administrative measures taken for the protection of personal data, special quality personal is applied with care and additional measures in terms of data and Didim Beach Resort & Spa The necessary inspections are periodically provided at the highest level.

Didim Beach Resort & Spa, personal data only as specified in this KVK Policy processing within the scope of purposes and using it maliciously, personal unauthorized access, sharing, destruction or modification of data, such as It has taken all appropriate security measures to reduce risks. This security to countries whose measures may not provide an adequate level of data protection of personal data. It also includes other measures taken on issues such as transfer.

Personal data are confidential and Didim Beach Resort & Spa abides by this privacy. Personal Only persons authorized within Didim Beach Resort & Spa can access the data. It within the framework, that the software complies with the standards, the third parties are carefully selected and It is ensured that the data protection policy is observed within the company.

Didim Beach Resort & Spa technical and administrative measures taken to ensure data security within the scope;

• Regular trainings on the protection of personal data for employees and organizes awareness studies.

• The company creates policies based on personal data processing inventory and It sets up the processes necessary for the implementation of policies.

• The company identifies its risks within the scope of personal data protection law and It carefully carries out efforts to eliminate risks. In this context, active lighting and open consent channels.

• In order to fulfill the obligations regarding the protection of personal data It carries out periodic internal audits.

• Continuous legal consultancy service regarding compliance with the updated legislation

• Creates a separate policy for the protection of sensitive personal data and It implements additional measures determined by the Data Protection Board.

• Necessary data sharing agreement for managing relations with data processors. It implements the measures.

• Generally accepted applications such as firewalls and Secure Socket Layer (SSL) encryption uses security technology standards.

• Personal data to didimbeach.com via website, mobile application and mobile site When sending, these data are transferred using SSL.

• Virus protection systems, secure databases, servers, firewalls (security software).

• In the light of current technological developments, including encryption of electronic mail information analysis of current information and data values ​​and risk status to protect personal data takes the widest and most appropriate preventive security measures.

• Secure technique to ensure the security of databases where personal data will be stored creates the infrastructure.

• Procedures for reporting the technical measures taken and audit processes determines.

• Takes other administrative measures regarding the protection of personal data.

• Security-related measures are periodically renewed and developed. Although Otelz.com takes the necessary information security measures, Otelz.com As a result of attacks on operated platforms or Otelz.com system, personal Otelz.com, in case the data is damaged or captured by unauthorized third parties, takes immediate action to remedy the violation in question and minimizes the damage of the person concerned. Otelz.com notifies the data owners and the Personal Data Protection Board immediately and take necessary precautions.

4. Data Owners' Rights on Their Personal Data According to the Constitution of the Republic of Turkey, all the personal data related to their has the right to demand protection. In this context, the data on the personal data of the Data Owner its rights are as follows:

• Learning whether personal data is being processed,

• Requesting information if personal data has been processed,

• The purpose of processing personal data and whether they are used appropriately for their purpose. learning,

• To know the third parties to whom personal data are transferred domestically or abroad,

• Correction of personal data in case of incomplete or incorrect processing don't want,

• Deletion of personal data within the framework of the conditions stipulated in Article 7 of the Law, or Don't ask to be destroyed,

• This deletion, destruction or correction of the third party to whom personal data is transferred asking people to be notified,

• By analyzing the processed data exclusively through automated systems objecting to the occurrence of a result against the data subject,

• In case of damage due to unlawful processing of your personal data do not claim damages.

Application to the Data Officer for the requests of the data owners regarding the rights listed above. Didim Beach in accordance with the application procedures stipulated in the Communiqué on Procedures and Principles Didim Beach Resort & Spa, in case of forwarding it to Resort & Spa, will be concluded free of charge in a short time and within 30 (thirty) days at the latest. But, If the transaction requires an additional cost, Didim Beach Resort & Spa, Personal Data Will be able to receive the fee in the tariff determined by the Protection Board.

The data subject can make his / her requests within the scope of the above-mentioned rights, in writing or on a registered basis. electronic mail (KEP) address, secure electronic signature, mobile signature or data owner previously reported to Didim Beach Resort & Spa by Didim Beach Resort & Spa by using the electronic mail address registered in the system or by using the it can be transmitted through a software or application developed for its purpose. Made in application;

a. Name, surname and signature if application is in writing,

b. For citizens of the Republic of Turkey T. C. identification number, nationality for foreigners, passport number or identification number, if any,

c. Place of residence or workplace address for notification,

d. If available, notification e-mail address, telephone and fax number,

e. Demand and the information and documents related to the subject must be attached to the application. Applications However, it will be evaluated if it is in Turkish. Third on behalf of personal data owners will be applied by the data owner so that individuals can make an application request. a special power of attorney issued by a notary public on behalf of the person.

5. Changes to KVK Policy Didim Beach Resort & Spa can always make changes in this KVK Policy. It the changes take effect on the day the modified new KVK Policy is published. In order to be aware of the changes in this KVK Policy, the data owners are notifications will be made.