CONTENTS
1. INTRODUCTION
1.1 Purpose and Scope of the Policy
1.2. Enforcement and Change
2. DATA OWNERS, DATA PROCESSING PURPOSE, AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY
2.1. Data Owners
2.2 Personal Data Processing Purposes
2.3 Personal Data Categories
3.PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Principles Regarding the Processing of Personal Data
3.2. Conditions Regarding the Processing of Personal Data
3.3 Conditions Regarding the Processing of Special Categories of Personal Data
4.TRANSFERRING PERSONAL DATA
5. DISCLOSURE OF DATA OWNERS AND RIGHTS OF DATA OWNERS
6.DELETING, DESTROYING, AND MAKING PERSONAL DATA ANONYMOUS
7.SCOPE OF THE LAW AND RESTRICTIONS ON ITS APPLICATION
1.INTRODUCTION
1.1. Purpose and Scope of the Policy
Law No. 6698 on the Protection of Personal Data (“Law”) entered into force on 7 April 2016; hereby Alanya Teleferik İşletmecilik A.Ş. Personal Data Processing and Protection Policy (“Policy”), Alanya Teleferik İşletmecilik A.Ş. (“Alanya Teleferik İşletmecilik” or “Company”) to ensure compliance with the Law and to determine the principles to be followed by the Company in fulfilling its obligations regarding the protection and processing of personal data.
The policy determines the processing conditions of personal data and sets out the main principles adopted by the Company in the processing of personal data. In this framework, the Policy covers all personal data processing activities by the Company within the scope of the Law, the owners of all personal data processed by the Company, and all personal data processed by the Company.
1.2. Enforcement and Change
The policy was published by the Company on its website and presented to the public. In case of conflict with the legislation in force, especially the Law, and the regulations included in this Policy, the provisions of the legislation shall apply.
| MAIN OBJECTIVES | SUB-OBJECTIVES |
| Execution of Company Internal Operations | 1. Planning, Auditing and Execution of Information Security Processes
2. Establishment and Management of Information Technologies Infrastructure 3. Planning and Execution of Employees’ Access Authorizations to Information Systems 4. Event Management 5. Follow-up of Finance and Accounting Affairs 6. Planning and Execution of Efficiency/Efficiency and Appropriateness Analysis of Business Activities 7. Planning and Execution of Business Activities 8. Planning and Execution of Business Partners and Suppliers’ Access Authorizations to Information Systems 9. Planning and Execution of Business Continuity Activities 10. Planning and Execution of Corporate Communication Activities 11. Planning and Execution of Corporate Sustainability Activities 12. Planning and Execution of Corporate Governance Activities 13. Planning and Execution of Logistics Activities 14. Planning and Execution of Production and Operation Processes 15. Planning and Monitoring of Building and Construction Works |
| Activities with Legal, Technical and Administrative Consequences | 1. Planning and Execution of Emergency Management Processes
2. Planning and Execution of Occupational Health and Safety Processes 3. Realization of Risk Management of Credit Processes 4. Calculation of Insurance Policy Premiums of Persons and Formation of the Policy 5. Management and Supervision of Relations with Affiliates 6. Starting the Damage Process and Completing the Damage File 7. Follow-up of Legal Affairs 8. Group Companies IT and Operational Audit Studies 9. Giving Information Based on Legislation to Authorized Institutions 10. Creating and Tracking Visitor Records 11. Planning and Execution of Production and Operational Risk Processes of the Company 12. Execution of Companies and Partnership Law Transactions 13. Ensuring the Security of Company Operations 14. Ensuring the Security of Company Campuses and Facilities 15. Planning and Execution of the Company’s Financial Risk Processes 16. Ensuring the Security of Company Fixtures and Resources 17. Planning and Execution of Company Audit Activities 18. Arrangement of Insurance Policies 19. Various Transaction applications of partners, their first degree relatives and Board Members 20. Planning and Execution of Operational Activities Necessary for Ensuring that Company Activities are carried out in accordance with Company Procedures and Related Legislation 21. Ensuring Data is Accurate and Up-to-Date |
|||
| Customer Touching Process and Operations | 1. Loan Payment Transactions Tracking
2. Planning and Execution of After Sales Support Services Activities 3. Planning and Execution of Sales Processes of Products and Services 4. Follow-up of Contract Processes and Legal Requests 5. Planning and Execution of Customer Relationship Management Processes |
|||
| Financial Operations | 1. Banking Transactions 2. Making Damage Payment 3. Making Claims Payments of Persons 4. Collection of Insurance Policy Premiums of Individuals 5. Collection of Policy 6. Pricing of Insurance Policy |
|||
| Strategy Planning and Partners/Supplier Management | 1. Management of Relationships with Business Partners and/or Suppliers
2. Planning and Execution of External Training Activities 3. Execution of Strategic Planning Activities |
| Marketing Operations | 1. Planning and Execution of the Processes of Establishing and Increasing Loyalty to the Products and Services Offered by the Company
2. Planning and Execution of Market Research Activities for Sales and Marketing of Products and Services 3. Planning and Execution of Marketing Processes of Products and Services 4. Planning and Execution of Customer Satisfaction Activities |
The Company reserves the right to make changes in the Policy in line with the legal regulations. The current version of the Policy can be accessed from the Company website at https://alanyateleferik.com.tr/en/quality-policy/.
- DATA OWNERS, DATA PROCESSING PURPOSE AND DATA CATEGORIES FOR PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY
2.1. Data Owners
Data subjects within the scope of the policy are all natural persons, excluding Company employees, whose personal data are being processed by the Company. In this context, the categories of data subjects are as follows:
| DATA OWNER CATEGORIES | EXPLANATION | |
| 1 | Customer | It refers to the real persons who benefit from the products and services offered by the Company. |
| 2 | Potential Customer | It refers to real persons who show interest in using the products and services offered by the Company and have the potential to become customers. |
| 3 | Visitor | It refers to real persons who visit the company, store, campus and website. |
| 4 | Employee Candidate | It refers to real persons who apply for a job by sending a CV to the Company or by other methods. |
| 5 | Third Parties | It refers to natural persons, excluding the categories of data subjects mentioned above and Company employees. |
Data owner categories are specified for general information sharing purposes. The fact that the data owner does not fall under any of these categories does not remove the data owner’s qualification as specified in the Law.
2.2. Personal Data Processing Purposes
Your personal data and sensitive personal data may be processed by the Company for the following purposes in accordance with the personal data processing conditions in the Law and relevant legislation:
2.3. Personal Data Categories
Your personal data, categorized below, are processed by the Company in accordance with the personal data processing conditions in the Law and relevant legislation:
| PERSONAL DATA CATEGORY | EXPLANATION |
| Credentials | All information about the identity of the person in documents such as driver’s license, identity card, residence, passport, attorney ID, marriage certificate |
| Communication information | Information for contacting the data owner such as phone number, address, e-mail |
| Customer information | Information obtained and produced about the person concerned as a result of our commercial activities and the operations carried out by our business units in this context. |
| Family Members and Close Information | Information about the family members and relatives of the personal data owner, which is processed in order to protect the legal interests of the Company and the data owner, related to the products and services we offer. |
| Customer Transaction Information | Information such as records for the use of our products and services and the customer’s instructions and requests for the use of products and services |
| Physical Space Security Information | Personal data regarding records and documents such as camera records, fingerprint records taken during the entrance to the physical space, during the stay in the physical space |
| Transaction Security Information | Your personal data processed to ensure our technical, administrative, legal and commercial security while carrying out our commercial activities |
| Financial Information | Personal data processed for information, documents and records showing all kinds of financial results created according to the type of legal relationship our company has established with the personal data owner |
| Employee Candidate Information | Personal data processed regarding individuals who have applied to be an employee of our company or who have been evaluated as an employee candidate in line with the human resources needs of our company in accordance with commercial practices and honesty rules, or who have a working relationship with our Company |
| Legal Process and Compliance Information | Personal data processed within the scope of determination, follow-up and performance of our legal receivables and rights and compliance with our legal obligations and company policies |
| Audit and Inspection Information | Personal data processed within the scope of our company’s legal obligations and compliance with company policies |
| Special Qualified Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are of special nature. is personal data. |
| Marketing Information | Personal data processed for the marketing of our products and services by customizing them in line with the usage habits, tastes and needs of the personal data owner, and the reports and evaluations created as a result of these processing results |
| Request/Complaint Management Information | Personal data regarding the receipt and evaluation of any request or complaint directed to our company |
| Reputation Management Information | Information about the information collected in order to protect the commercial reputation of our company, the evaluation reports prepared and the actions taken. |
| Incident Management Information | Personal data processed in order to take necessary legal, technical and administrative measures against developing events in order to protect the commercial rights and interests of our company and the rights and interests of our customers. |
3.1. Principles Regarding the Processing of Personal Data
- Your personal data is processed by the Company in accordance with the personal data processing principles set forth in Article 4 of the Law. It is mandatory to comply with these principles for each personal data processing activity:Processing personal data in accordance with the law and honesty rules; The Company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data; attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data owners.
- Personal data are accurate and up-to-date; Care is taken to ensure that your personal data processed by the company is up-to-date and controls are made. In this context, data owners are given the right to request correction or deletion of their correct and outdated data.
Processing personal data for specific, explicit and legitimate purposes; The company determines the purposes of data processing before each personal data processing activity and pays attention to the fact that these purposes are not illegal. - Being connected, limited and measured for the purpose for which personal data is processed; Data processing is limited to the personal data necessary to fulfill the purpose of collection and necessary steps are taken to prevent the processing of personal data unrelated to this purpose.
- Keeping personal data for as long as required by the legislation or processing purposes; Personal data is deleted, destroyed or anonymized by the company after the purpose of processing personal data disappears or when the period stipulated in the legislation expires.
3.2. Conditions Regarding the Processing of Personal Data
- Your personal data is processed by the Company in the presence of at least one of the personal data processing conditions in Article 5 of the Law. Explanations on these conditions are given below:In cases where the personal data owner has express consent and other data processing conditions do not exist,
1. In accordance with the general principles set forth under the title, the personal data of the data subject can be processed by the Company with the free will of the data subject, provided that he/she gives sufficient information about the personal data processing activity, leaving no room for hesitation, and only limited to that transaction. - Personal data may be processed by the Company without the explicit consent of the data owner, if the personal data processing activity is expressly stipulated in the law. In this case, the Company will process personal data within the framework of the relevant legal regulation.
In case the explicit consent of the data owner cannot be obtained due to the actual impossibility and the personal data processing is mandatory, the personal data belonging to the data owner, whose consent cannot be declared by the Company or whose consent cannot be validated, may be made mandatory in order to protect the life or physical integrity of the data owner or a third person. if any, it will be processed. - In the event that the personal data processing activity is directly related to the establishment or performance of a contract, personal data processing will be carried out if it is necessary to process the personal data of the parties to the contract established or already signed between the data owner and the Company.
If it is necessary to carry out personal data processing activities in order to fulfill the legal obligation of the data controller, the Company processes personal data in order to fulfill its legal obligations under the applicable legislation. - If the data owner has made his personal data public, the personal data that has been disclosed to the public in any way by the data owner, and that has been made available to everyone as a result of making it public, may be processed by the Company, even without the explicit consent of the data owners, limited to the purpose of making it public.
In the event that personal data processing is mandatory for the establishment, exercise or protection of a right, the Company may process the personal data of the data subject without the explicit consent of the data subjects within the scope of the obligation.
Provided that it does not harm the fundamental rights and freedoms of the data owner, if data processing is necessary for the legitimate interests of the data controller, personal data may be processed by the Company, provided that the balance of interests of the Company and the data owner is observed. In this context, in the processing of data based on legitimate interest, the Company first determines the legitimate interest to be obtained as a result of the processing activity. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data owner, and if it considers that the balance is not disturbed, it performs the processing.
3.3. Conditions Regarding the Processing of Special Categories of Personal Data
In Article 6 of the Law, special categories of personal data are specified in a limited number. These; data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
The Company can process sensitive personal data in the following cases by taking additional measures determined by the Personal Data Protection Board:
The processing of sensitive personal data other than health and sexual life can only be processed if the data owner gives express consent or if it is expressly stipulated in the law.
Personal data related to health and sexual life can only be obtained with the explicit consent of the data subject by persons or authorized institutions and organizations under the obligation to keep confidential for the purpose of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. can be processed without a call.
4. TRANSFERRING PERSONAL DATA
- In accordance with the additional regulations listed in Articles 8 and 9 of the Law and determined by the Personal Data Protection Board; If there are conditions for the transfer of personal data, it can transfer personal data at home or abroad.Transfer of personal data to third parties in the country, in the presence of at least one of the data processing conditions explained in Articles 5 and 6 of the Law and explained under Title 3 of this Policy, and provided that it complies with the basic principles of data processing conditions, your personal data will be processed by the Company. can be transferred.
The transfer of personal data to third parties abroad, in cases where there is no explicit consent of the person, in the presence of at least one of the data processing conditions stated in Articles 5 and 6 of the Law and explained under Title 3 of this Policy, and in accordance with the basic principles regarding data processing conditions. Your personal data can be transferred abroad by the Company, provided that you comply.
If the country to which the transfer will be made is not a safe country to be announced by the Personal Data Protection Board, upon the written commitment of the Company and the data controller in the relevant country to adequate protection, the Board’s permission to process the Personal Data. Personal data can be transferred to third parties abroad if at least one of the data processing conditions (see Policy, Title 3) is present.
In accordance with the general principles of the law and the data processing conditions in Articles 8 and 9, the Company can transfer data to the parties categorized in the table below:
| SHARED PARTY CATEGORY | SCOPE | PURPOSE OF TRANSFER |
| Business partner | Parties with whom the Company has established business partnerships while carrying out its commercial activities | Limited sharing of personal data in order to ensure the fulfillment of the purposes of the establishment of the business partnership |
| Supplier | Parties providing services for the Company to continue its commercial activities in line with the instructions received from the Company and based on the contract between the Company and the Company. | Transfer limited to the receipt of outsourced services from the supplier |
| Participation | Companies that are affiliates of the Company | Limited transfer of personal data for the purpose of conducting commercial activities that require the participation of affiliates |
| Legally Authorized Public Institution | Public institutions and organizations that are legally authorized to receive information and documents from the Company | Limited personal data sharing for the purpose of requesting information by relevant public institutions and organizations |
| Legally Authorized Private Institution | Private law persons who are legally authorized to receive information and documents from the Company | Sharing of data limited to the purpose requested by the relevant private legal persons within the legal authority |
- DISCLOSURE OF DATA OWNERS AND RIGHTS OF DATA OWNERS
According to Article 10 of the Law, before the processing of personal data or at the latest at the time of processing, data owners must be informed about the processing of personal data. In accordance with the relevant article, the necessary internal structure has been established in order to ensure that data owners are informed in every situation where personal data processing activities are carried out by the Company as the data controller. In this context;
For the purpose of processing your personal data, please see section 2.2 of the Policy. Check out the section.
Please review Section 4 of the Policy for the parties to which your personal data is transferred and the purpose of the transfer.
In order to examine the conditions regarding the processing of your personal data, which can be collected through different channels in physical or electronic media, please see 3.2 and 3.3 of the Policy. see section.
As a data owner, we would like to state that you have the following rights in accordance with Article 11 of the Law:
Learning whether your personal data is processed,
If your personal data has been processed, requesting information about it,
To learn the purpose of processing your personal data and whether they are used in accordance with the purpose,
Knowing the third parties to whom your personal data is transferred, in the country or abroad,
Requesting correction of your personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing cease to exist despite the fact that it has been processed in accordance with the Law and other relevant law provisions, and requesting the notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
Objecting to this if a result arises against you by analyzing the processed data exclusively through automated systems,
To request the compensation of the damage in case you suffer damage due to unlawful processing of your personal data.
You can submit your applications regarding your rights listed above at the address https://alanyateleferik.com.tr/en/data-subject-application-form/ to Alanya Teleferik İşletmecilik A.Ş. You can fill in the Data Owner Application Form and send it to our Company. Depending on the nature of your request, your applications will be concluded free of charge as soon as possible and within thirty days at the latest; however, if the transaction requires an additional cost, you may be charged a fee according to the tariff to be determined by the Personal Data Protection Board. During the evaluation of the applications, the company first determines whether the person making the request is the real right holder. However, when deemed necessary, the Company may request detailed and additional information in order to better understand the request. Responses to data subject applications are notified by the company in writing or electronically. If the application is rejected, the reasons for the rejection will be explained to the data owner with justification. In case the personal data is not obtained directly from the data owner; By the company (1) within a reasonable period of time after the personal data is obtained, (2) during the first communication in case the personal data is to be used for communication with the data owner, (3) at the latest, if the personal data is to be transferred, for the first time at the latest. Activities regarding the disclosure of data owners are carried out at the time of transfer.
- DELETING, DESTROYING, MAKING PERSONAL DATA ANONYMOUS
Although it has been processed in accordance with the law in accordance with Article 7 of the Law, in the event that the reasons requiring its processing disappear, the Company deletes, destroys or anonymizes personal data ex officio or upon the request of the data owner, in accordance with the guidelines published by the Authority.
7. SCOPE OF THE LAW AND RESTRICTIONS ON ITS APPLICATION
The following situations are outside the scope of the Law:
Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that are authorized by law to provide national defense, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
In the following cases, the Company does not need to inform the data owners, and the data owners will not be able to use their rights specified in the Law, except for the right to redress their damages:
The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the person concerned.
The processing of personal data is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law.
The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
ATTC-1: DEFINITIONS
| DEFINITION | ||
| Open Consent | Consent on a specific subject, based on information and expressed with free will. | |
| Anonymization | Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data. | |
| Worker | Natural persons who are employees of the company. | |
| Employee Candidate | Natural persons who are not employees of the Company, but who are in the status of Employee Candidates through various methods | |
| Personal Health Data | Any health information relating to an identified or identifiable natural person. | |
| Personal Data | Any information relating to an identified or identifiable natural person. | |
| Data Owner | The natural person whose personal data is processed. | |
| Processing of Personal Data | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking. | |
| Law | Law on Protection of Personal Data No. 6698, published in the Official Gazette dated 7 April 2016 and numbered 29677. | |
| Special Qualified Personal Data | Data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. | |
| Policy | Alanya Teleferik İşletmecilik Inc. Personal Data Processing and Protection Policy | |
| Company /Alanya Teleferik | Alanya Teleferik İşletmecilik Inc. | |
| Work partners | Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of its commercial activities. | |
| Data Owner | Natural person whose personal data is processed | |
| Data Processor | It is the natural and legal person who processes personal data on behalf of the data controller based on the authority given by the data controller. |
| Data Controller | It is the person who determines the purposes and means of processing personal data and manages the place where the data is kept in a systematic way. |
Leave a Reply
