This information text includes notifications regarding the processing of Personal Data under the scope of Law No. 6698 on the Protection of Personal Data (“KVK Law”) and related legislation, by RYS TURİZM İNŞAAT GIDA SAN. VE TİC. A. Ş. (“Company”) as the DATA CONTROLLER.

The purpose of this information text is to inform individuals whose personal data is collected regarding the collected personal data, the method of collection, the purposes of processing, the legal grounds, to whom and for what purposes the processed personal data may be transferred, and the rights of the data subjects.

Under the KVK Law, personal data refers to any information related to an identified or identifiable natural person (“Personal Data”), and a special category of personal data refers to data regarding race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data (“Special Categories of Personal Data”). As the Data Controller, in the course of our business relationship with you, Personal Data may be recorded, stored, kept, rearranged when necessary, shared with institutions authorized to request such Personal Data by law, and processed in other ways stipulated under the KVK Law, in a manner limited, proportional, and in connection with the purposes for which they are processed.

Definitions: KVK Law: Law No. 6698 on the Protection of Personal Data, KVK Board: Personal Data Protection Board, Data Subject: The natural person whose personal data is processed, Processing of personal data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, receiving, making available, classifying, or preventing the use of data, either wholly or partially automatically, or through non-automatic means as part of any data recording system.

In this information text, personal data and special categories of personal data may be referred to together as “Personal Data.” The personal data processed in accordance with the purposes specified in this text will be transferred in proportion to the objectives stated herein.

1. GROUPS OF INDIVIDUALS WHOSE PERSONAL DATA IS COLLECTED BY THE COMPANY, COLLECTED PERSONAL DATA, PURPOSE OF PROCESSING PERSONAL DATA, LEGAL BASIS, METHOD OF COLLECTION OF PERSONAL DATA, AND GROUPS TO WHOM PERSONAL DATA MAY BE TRANSFERRED

1.1. PERSONAL DATA SUBJECT GROUP: JOB APPLICANT

Collected Personal Data: Identity Data (Name, Surname, Turkish Republic Identity Number, Nationality, Mother’s and Father’s Names, Date of Birth, Marital Status, Place of Birth, Gender, etc.), Contact Data (Phone Number, Address Information, Emergency Contact Phone Number, Email, etc.), Physical Space Security Data (Security camera recordings of employees and visitors during their presence in the physical space, etc.), Professional Experience Data (diploma information, courses attended, in-service training details, certificates, etc.), Visual and Audio Records (passport photo, visual and audio records, etc.), Health Data (information on disability status, blood type, personal health information, device and prosthesis details, etc.), Criminal Convictions and Security Measures (criminal record, information on criminal convictions and security measures, etc.), Candidate Processing Data (Driver’s License Class, SRC Certificate, Travel Restrictions, Applied Position, Application Date, Salary Expectation, Shift Work Compatibility, Overtime Compatibility, Willingness to Relocate, Interview Information, etc.), Signature Data (wet or electronic signature, fingerprint, special marks, etc. on documents containing personal data), Other (Military status, candidate interview information, employee body measurements, Driver’s License Class, SRC Certificate, Competencies, Special Health or Life Insurance Information, Reference Information, Smoking Habits, Alcohol Consumption Habits, etc.)

Purpose of Processing Personal Data:

Managing emergency processes, conducting selection and placement processes for job candidates/interns/students, conducting application processes for job candidates, ensuring compliance with legislation in activities, ensuring physical space security, planning human resources processes, sharing with business partners for candidate evaluation purposes, managing relationships with business partners and suppliers, conducting occupational health and safety activities, carrying out contract processes, providing information to authorized persons, institutions, and organizations, employing new staff, reviewing candidates and identifying new candidates for employment, sharing information with managers for better understanding and selection of candidates, verifying data with references provided by candidates, confirming how well candidates match the position, recording CV information for future verification, recording shared information in digital or physical environments for potential future needs, evaluating candidates in the event of a vacancy in the relevant position in our group companies, conducting communication activities.

Legal Basis for Processing Personal Data: Your personal data is collected by our Company through physical or electronic means via different channels, based on the legal reasons stated above; through job application forms you have filled out, CVs or websites that allow you to apply for jobs, via email, security cameras during physical entries, and for the purposes outlined above under the employment contract. Personal data can be processed without the explicit consent of the data subject based on the provisions in Article 5(2) of the KVK Law, which includes (a) “Explicitly provided for in the laws,” (b) “It is mandatory for the protection of the life or bodily integrity of the person or another person who is unable to give consent due to physical impossibility or whose consent is legally invalid,” (c) “It is necessary for the establishment or performance of a contract directly related to the parties to the contract,” (ç) “It is mandatory for the data controller to fulfill its legal obligation,” (d) “It has been made public by the data subject,” (e) “Processing is necessary for the establishment, exercise, or protection of a right,” (f) “It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.”

Transfer of Personal Data: Based on the explicit consent requirement for data processing under Article 8(1) of the KVK Law, personal data may be shared and transferred to business partners, group companies, and auditing companies located within Turkey for management activities.

1.1. PERSONAL DATA OWNER GROUP: EMPLOYEE

Collected Personal Data:

Identity Data (Full Name, National ID Number, Mother/Father’s Name, Date of Birth, Marital Status, Place of Birth, Gender, etc.), Contact Data (Phone Number, Email, Company Internal Phone Number, Corporate Email, etc.), Physical Space Security Data (Security Camera Recordings of Employees and Visitors during their Time in the Physical Space, etc.), Professional Experience Data (Diploma information, attended courses, in-service training, certificates, etc.), Visual and Audio Records (ID photo, visual and audio records, etc.), Health Data (Health report, pre-employment medical examination form, accident report, blood type information, personal health information, used devices and prosthetics information, disability status information, etc.), Criminal Conviction and Security Measures Data (Criminal record, conviction and security measures related information, etc.), Signature Data (Personal data documents with wet or electronic signatures, etc.), Other Data (Driver’s License, Competencies, Hobbies, Salary Expectations, Military Status, Reference Information, Smoking Status, Alcohol Usage, Computer Skills, Body Measurements, Candidate Interview Data, Employee’s Body Measurements Information, etc.), Location Data (Vehicle GPS Data, Device GPS Data, Location Information, etc.), Personal Data (Photograph, Education Information, Salary Slips, Employment Start Date, Employment Termination Information, Resume Information, Salary Information, Position, E-Declaration, Seniority Date, Department Information, Insurance Information, Reference Information, Timecard Information, Leave Usage Information, Disciplinary Investigations, Asset Declaration Information, Performance Evaluation Reports, Data for Generating Personal Rights within Employee or Company Relationships, Employment Contract, Graduation Information, Education Information, Job Suitability, Pension Fund Information, Employment Application Form, Employee Current Information Form, Annual Leave Usage Records, Timecard Records, SGK Information, Employment Entry Documents, Tax Allowance, E-Declaration, Signature Declaration, Record Number, Position Name, Department and Unit, Title, Last Employment Start Date, Employment Entry/Exit Dates, Flexible Working Hours Status, Travel Status, Workday Count, Projects Worked On, Monthly Total Overtime Information, Seniority Compensation Base Date, Seniority Compensation Additional Days, Strike Days, Leave Seniority Base Date, Leave Seniority Additional Days, Leave Group, Exit/Return Dates, Days, Leave Reasons, Leave Address/Phone and Other Legally Required Documents, etc.),

Legal Action Data (Information in correspondence with judicial authorities, case file information, etc.), Transaction Security Data (IP address, MAC address, website login/logout information, password, and credential information, etc.), Risk Management Data (Information related to managing administrative, technical, and commercial risks for employees), Financial Data (Bank account information, salary details, debt and case-related information for enforcement actions, etc.), Biometric Data (Face recognition information, etc.), Family Member Data (Spouse’s Full Name, Employment Status of Spouse, Spouse’s Income, Child’s Full Name, Child’s National ID, Child’s Date of Birth, Child’s Gender, Child’s Father’s Name, Child’s Mother’s Name, Biological/Step-Child Information, School Enrollment Date, School Name, Grade),

Purpose of Processing Personal Data:

Execution of the employment contract, employee annual and other leave approvals, viewing remaining leave balances and managing leave arrangements, managing employee entry and exit procedures, ensuring payroll operations, salary and benefit payments, managing emergency situations, conducting information security processes, managing employee satisfaction and engagement, fulfilling contractual and legal obligations towards employees, managing employee benefits and entitlements, performing audits/ethics activities, conducting training activities, managing access rights, ensuring compliance with relevant laws and company procedures, managing finance and accounting processes, managing company/product/service loyalty processes, ensuring physical space security, recording entries and exits, managing task assignment processes, following up on legal matters, conducting internal audits/investigations/intelligence activities, managing communication processes, planning human resources processes, conducting/monitoring work activities, collecting entry/exit records of partner/supplier employees, sharing with business partners, managing relationships with partners and suppliers, conducting occupational health and safety activities, gathering and evaluating suggestions for improving business processes, ensuring business continuity, managing logistics activities, managing goods/services purchasing processes, managing post-sale support services, managing sales processes, managing production and operations processes for goods/services, managing customer relationship processes, conducting activities for customer satisfaction, managing organization and event management activities, conducting marketing research, performing performance evaluations, conducting risk management processes, carrying out archiving activities, managing corporate social responsibility and civil society activities, managing contract processes, conducting sponsorship activities, carrying out strategic planning activities, monitoring and following up on requests/complaints, ensuring the security of movable assets and resources, implementing wage policies, managing foreign employee work and residence permit procedures, implementing career development activities, providing information to authorized persons, institutions, and organizations, managing administrative activities, recruiting new employees, reviewing candidates, sharing the data with managers to help them select the best candidate, confirming the reference information in your resume, validating the suitability for the position and saving your resume for future reference, recording shared information with you for future needs, evaluating the possibility of vacancies in related positions within our group companies, managing communication activities, personnel management and payroll, ensuring that your family member benefits from the minimum living allowance, following legal requirements, defining regulatory processes and company management responsibilities, conducting audits for proper application and compliance, ensuring compliance with corporate policies regarding security and internet usage, recording transactions, conducting operational requirements like training and quality control, conducting security checks, and sharing with relevant parties as necessary for corporate purposes.

Legal Obligation:

Meeting legal obligations under the Labor Law, Occupational Health and Safety Law, Social Security Law, and other applicable regulations, creating personnel files, providing SGK and İŞKUR notifications, calculating AGI, providing legal information on incentives and obligations, ensuring the opening of mandatory individual pension accounts, monitoring and managing employee entry/exit records, managing wage garnishment deductions from enforcement files, performing work health and safety tasks, reporting occupational accidents as required by law, making police reports, complying with archiving and notification obligations under regulations, fulfilling court judgment requirements.

Physical Space Security: Ensuring workplace security, securing the employee’s entry and exit to the company’s headquarters.

In accordance with our company’s obligations to ensure and improve occupational health and safety; emergency lists are created, emergency operations are conducted, emergency analysis reports are generated, occupational accident examinations are carried out, pre-employment medical examinations are done, and processes related to obtaining health reports from the workplace doctor are managed.

If you have a corporate email, cloud service, computer, phone, tablet, etc. assigned to you, company officials may monitor these devices, cloud, and email addresses. The company may close or delete the assigned cloud or email address at its discretion. The devices in use may be canceled.

Legal Basis for Processing Personal Data:

According to Article 5(1) of the Personal Data Protection Law (KVK), “Personal data cannot be processed without the explicit consent of the data subject.” In paragraph (2), it is stated that personal data may be processed without explicit consent under the following circumstances: (a) Where expressly provided by law. (b) Where it is necessary to protect the life or physical integrity of the data subject or another person and the data subject is unable to give consent due to physical impossibility or if their consent has no legal validity. (c) Where processing is necessary for the performance of a contract to which the data subject is a party. (ç) Where necessary for the data controller to fulfill its legal obligation. (d) Where the data subject has made the data public. (e) Where processing is necessary for the establishment, exercise, or defense of a legal claim. (f) Where processing is necessary for the legitimate interests pursued by the data controller, provided that it does not harm the rights and freedoms of the data subject.

In accordance with Article 6(3) of the Law, “Processing special categories of personal data is prohibited. However, processing is permitted in the following cases: (a) Where the data subject has given explicit consent. (b) Where it is clearly provided for by law. (c) Where it is necessary for the protection of life or physical integrity of the data subject or another person and the data subject cannot express consent due to physical impossibility or if their consent has no legal validity. (ç) Where the data subject has made the data public and it is in line with their intention to disclose. (d) Where processing is necessary for the establishment, exercise, or defense of legal claims. (e) Where processing is required to fulfill legal obligations in employment, occupational health and safety, social security, and social services. (f) Where processing is required for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, including the planning, management, and financing of health services.”

Methods of Collecting Personal Data:

Your personal data may be collected by the Company through any written, verbal, or electronic means, either automatically or manually, directly from you, or through websites that allow you to apply for jobs, via email, expense forms, leave forms, and other documents, both physically and digitally. In line with the Company’s legal obligation and legitimate interest to ensure workplace security, data is automatically collected through cameras installed in the workplace. To fulfill our legal obligations and as required by law, health data is collected through our workplace doctor.

In cases where a vehicle is assigned to you, the Company collects location data, date, and time via GPS channels as part of its legitimate interest in business tracking.

Through systems that monitor entry and exit times, personal data is collected using facial recognition methods to ensure workplace security, track employee entry and exit times, maintain attendance records, and generate payrolls, all in accordance with the legitimate interest and legal obligations of the data controller.

Transfer of Personal Data:

As stipulated in Article 8(1) of the Law, “Personal data cannot be transferred without the explicit consent of the data subject.” According to paragraph (2), personal data may be transferred without explicit consent under the following conditions: (a) As specified in paragraph 2 of Article 5. (b) Provided adequate precautions are taken. According to Article 6(3), “Transfer can be made without the data subject’s explicit consent if one of the specified conditions is met.”

In accordance with Article 9(1) of the Law, “Personal data may be transferred internationally if there is an adequacy decision regarding the receiving country, sector, or international organization.”

If the country does not have an adequacy decision, personal data may still be transferred under the conditions specified in Article 5 and 6, provided the data subject’s rights can be effectively exercised in the receiving country.

Personal data will be transferred within the framework of the conditions specified in Articles 8 and 9 of the Law and limited to the purposes mentioned above. No personal data will be transferred to third parties outside of those specified.

Based on the data processing condition of “the establishment or performance of a contract” as regulated in Article 5/2 (c) of the Personal Data Protection Law (KVK), personal data may be shared with banks, independent accountants/tax consultants, and relevant suppliers in order to facilitate salary payments and benefits, and to carry out Company operations.

Based on the data processing condition of “fulfilling the legal obligation of the data controller” as regulated in Article 5/2 (ç) of the KVK Law, personal data may be shared with the Ministry of Labor and Social Security, the Social Security Institution, the Turkish Employment Agency, courts, and other public institutions and organizations requesting information, as necessary.

Based on the data processing condition of “establishing, using, or protecting a legal right” as regulated in Article 5/2 (e) of the KVK Law, personal data may be shared with law offices and other consultants in cases of potential disputes for proof, obtaining legal advice and technical support, ensuring the application of the employment contract, and verifying whether the parties fulfill their obligations.

To ensure the legal and commercial security of the Company and its business partners, location data may be shared with the supplier company that provides the vehicle tracking system service, as necessary.

Based on the explicit consent data processing condition as stipulated in Article 8, paragraph 1 of the KVK Law, personal data may be shared with third parties via social media accounts for advertising, marketing, and promotional activities.

For the purpose of conducting management activities, personal data may be shared with business partners, group companies, and audit firms located within the country.

To maintain the internal functioning of the Company, personal data may be shared with companies with which we are affiliated or collaborate.

Personal data necessary for purposes such as transportation, vehicle supply, business card printing, and parking registration may be shared with the relevant companies with which we collaborate in those areas.

1.2. PERSONAL DATA SUBJECT GROUP: POTENTIAL PRODUCT OR SERVICE CUSTOMER / PROSPECTIVE CLIENT

Collected Personal Data: Identity Data (Full Name, T.C. Identification Number, Nationality, etc.), Contact Data (Phone Number, Address Information, Email, etc.), Marketing Data (shopping history, survey data, cookie records, information obtained from campaign studies), Physical Space Security Data (Security Camera Footage of Employees and Visitors During Their Stay in the Physical Space, Entry/Exit Log Records, etc.).

Purpose of Personal Data Processing:

Managing communication activities, obtaining and evaluating suggestions for improving business processes, managing the product/service sales process, conducting marketing analysis studies, managing advertising/campaign/promotion processes, tracking requests/complaints, managing the product/service marketing process.

Personal data is processed and transferred for these purposes.

Legal Basis for Processing Personal Data:

Basis:

According to Article 5, Paragraph (1) of the Personal Data Protection Law (KVK Law), “Personal data cannot be processed without the explicit consent of the data subject.” According to Paragraph (2), personal data can be processed without explicit consent in the following cases:
(a) If explicitly provided by laws,
(b) If necessary to protect the life or bodily integrity of the data subject or another person when the data subject is incapable of providing consent,
(c) If directly related to the performance of a contract,
(ç) If necessary to fulfill the legal obligations of the data controller,
(d) If publicly disclosed by the data subject,
(e) If necessary for the establishment, exercise, or protection of a legal claim,
(f) If necessary for the legitimate interests of the data controller, provided that it does not violate the data subject’s fundamental rights and freedoms.

Methods of Collecting Personal Data:

Personal data may be collected through digital platforms such as email, social media (Facebook, Twitter, Instagram, etc.), website channels, and physical means such as forms, documents, surveys, fieldwork forms, or orally provided directly by the data subject.

Transfer of Personal Data:

Regarding the transfer of personal data, as stated in Article 8, Paragraph (2) of the law, personal data can be transferred without the data subject’s explicit consent if:
(a) As provided in Paragraph (2) of Article 5,
(b) Provided that adequate precautions are taken.

Personal data may be shared or transferred to direct or indirect affiliates, group companies, shareholders/partners, authorized persons and institutions, as specified in the above conditions.


1.3. PERSONAL DATA SUBJECT GROUP: INTERN

Collected Personal Data: Identity Data (Full Name, T.C. Identification Number, Mother’s/Father’s Name, Place and Date of Birth, etc.), Financial Data (Bank Account Information, Salary Information, etc.), Physical Space Security Data (Security Camera Footage of Employees and Visitors During Their Stay in the Physical Space), Professional Experience Data (School Information, Diploma Information, Courses Taken, In-Job Training Information, Certifications, etc.), Visual and Auditory Records (photographs, videos, etc.), Security Data (IP Address, MAC Address, Website Login/Logout Information, Passwords, etc.), Contact Data (Address, Email Address, Phone Number, etc.), Health Data (Disability Information, Blood Type, Personal Health Information, Devices/Prosthetics Information, Health Reports, etc.), Signature Data (Wet Signatures on Documents Containing Personal Data), Family Member Data (Guardian’s Full Name, Guardian’s Phone Number, Guardian’s Relationship, Guardian’s Address Information, Guardian’s Email Address, etc.), Personnel Data (Photographs, Education Information, Salary Slips, Employment Start/End Dates, Resume, E-Declaration, Department Information, Insurance Information, References, Attendance Records, Leave Records, etc.).

Purpose of Personal Data Processing:

Managing emergency processes, managing information security processes, managing employee/intern/student selection and placement processes, managing employee satisfaction and engagement processes, managing benefits and welfare processes for employees, auditing/ethical activities, managing training activities, managing access permissions, ensuring compliance with regulations, managing company/product/service loyalty processes, ensuring physical space security, managing assignment processes, managing legal matters, managing internal audits/investigations/intelligence activities, managing communication processes, managing business activities and audits, managing occupational health and safety processes, managing contract processes, managing talent/career development activities, and informing authorized persons, institutions, and organizations.

Personal data is processed and transferred for these purposes.

Legal Basis for Processing Personal Data:

Basis:

According to Article 5, Paragraph (1) of the Personal Data Protection Law (KVK Law), “Personal data cannot be processed without the explicit consent of the data subject.” According to Paragraph (2), personal data can be processed without explicit consent in the following cases:
(a) If explicitly provided by laws,
(b) If necessary to protect the life or bodily integrity of the data subject or another person when the data subject is incapable of providing consent,
(c) If directly related to the performance of a contract,
(ç) If necessary to fulfill the legal obligations of the data controller,
(d) If publicly disclosed by the data subject,
(e) If necessary for the establishment, exercise, or protection of a legal claim,
(f) If necessary for the legitimate interests of the data controller, provided that it does not violate the data subject’s fundamental rights and freedoms.

Methods of Collecting Personal Data:

Personal data may be collected via email or through physical means such as forms/documents.

Transfer of Personal Data:

As stated in Article 8, Paragraph (2) of the law, personal data can be transferred without the data subject’s explicit consent if:
(a) As provided in Paragraph (2) of Article 5,
(b) Provided that adequate precautions are taken.

Personal data may be shared or transferred to direct or indirect affiliates, group companies, shareholders/partners, our contracted bank, independent auditors/tax consultants, and authorized persons or institutions.

1.4. PERSONAL DATA SUBJECT GROUP: SUPPLIERS/SERVICE PROVIDERS

Collected Personal Data:

Identification Data (Full name, title, T.C. identity number, etc.), Communication Data (Address, email address, contact address, registered electronic mail address (KEP), phone number, etc.), Legal Transaction Data (information, data from court correspondences or case files, etc.), Risk Management Data (information for managing commercial, technical, and administrative risks), Financial Data (bank information, balance sheet, tax office, tax number, signature circular, etc.), Customer Transaction Data (Invoice, cash register receipts, order details, request details, signature circular, etc.), Physical Space Security Data (Security camera recordings of employees and visitors within the physical space), Transaction Security Data (IP address, MAC address, internet login/logout information, passwords, etc.), Signature Data (wet or electronic signatures on documents containing personal data, etc.)

Purpose of Processing Personal Data:

Processing personal data is carried out for the purposes of managing emergency situations, information security processes, conducting audits/ethical activities, managing access rights, managing finance and accounting processes, ensuring physical space security, managing assignment processes, following and executing legal matters, conducting internal audits/investigations/intelligence activities, communication activities, business operations/monitoring, planning and managing the access rights of business partners and suppliers to information and facilities, managing business relations with business partners and suppliers, conducting occupational health and safety activities, receiving and evaluating suggestions for improving business processes, ensuring business continuity, managing logistics activities, conducting purchase processes, managing goods/services production and operations, performing storage and archiving activities, conducting contract processes, and providing information to authorized persons, institutions, and organizations.

Legal Basis for Processing Personal Data:

According to Article 5(1) of the Personal Data Protection Law (KVK Law), personal data cannot be processed without the explicit consent of the data subject. However, according to Article 5(2), personal data can be processed without explicit consent under the following circumstances: (a) If explicitly provided in laws, (b) If necessary to protect the life or bodily integrity of the person, or a third party, when the data subject is unable to provide consent due to physical impossibility or when their consent is legally ineffective, (c) If processing personal data is necessary for the performance of a contract to which the data subject is a party, (ç) If processing is required for the data controller to fulfill their legal obligations, (d) If the data subject has made the data public, (e) If processing is necessary for the establishment, exercise, or defense of legal claims, (f) If processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

Method of Collecting Personal Data:

Personal data may be collected via digital platforms such as email or through physical forms, documents, or verbally by you.

Transfer of Personal Data:

According to Article 8(2) of the relevant law, personal data may be transferred under the following conditions: (a) As per the conditions stated in Article 5(2), (b) With sufficient precautions in place, personal data can be transferred without the explicit consent of the data subject if one of the specified conditions is met, and according to the first paragraph, “Personal data cannot be transferred without the explicit consent of the data subject.”

Thus, your personal data may be shared or transferred to affiliates, group companies, shareholders/partners, independent auditors, agreed banks, authorized persons and institutions, and other third parties in compliance with legal regulations and with appropriate safeguards.

1.5. PERSONAL DATA SUBJECT GROUP: INDIVIDUALS RECEIVING PRODUCTS OR SERVICES / CUSTOMERS

Collected Personal Data:

Identification Data (Full Name, T.C. Identity Number, Nationality, Passport Number, Issuing Authority, Issuance Date, Mother-Father Name, Place of Birth, Date of Birth, Relative’s Full Name, Companion’s Full Name, etc.), Communication Data (Phone Number, Address Information, Relative’s Phone Number, Companion’s Phone Number, Smoking Status, Email, etc.), Marketing Data (Purchase history, surveys, cookie records, information obtained through campaign activities), Health Information (Chronic disease information, febrile illness information), Physical Space Security Data (Security camera recordings of employees and visitors within the physical space, entrance and exit record books, etc.), Other (Order date and time, number of people information, occupation, date and time information, destination city information, room information, vehicle plate number, language, departure date, signature, accompanying person information, appointment information, etc.)

Purpose of Processing Personal Data:

Processing personal data is carried out for the purposes of managing emergency situations, information security processes, conducting audits/ethical activities, ensuring compliance with regulations, managing loyalty processes to the company/products/services, ensuring physical space security, following and executing legal matters, conducting internal audits/investigations/intelligence activities, communication activities, business operations/monitoring, occupational health and safety activities, providing post-sale support services, managing sales processes for goods/services, managing customer relationship management processes, conducting customer satisfaction activities, performing marketing analysis, managing advertising/campaign/promotion processes, conducting storage and archiving activities, managing contract processes, tracking requests/complaints, managing product/service marketing processes, and providing information to authorized persons, institutions, and organizations.

Legal Basis for Processing Personal Data:

According to Article 5(1) of the Personal Data Protection Law (KVK Law), personal data cannot be processed without the explicit consent of the data subject. However, in accordance with Article 5(2), personal data can be processed without explicit consent under the following conditions: (a) If explicitly stated in laws, (b) If necessary to protect the life or bodily integrity of the person or a third party, when the data subject is unable to provide consent due to physical impossibility or when their consent is legally ineffective, (c) If processing personal data is necessary for the performance of a contract to which the data subject is a party, (ç) If processing is required for the data controller to fulfill their legal obligations, (d) If the data subject has made the data public, (e) If processing is necessary for the establishment, exercise, or defense of legal claims, (f) If processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.

In accordance with Article 6(3), processing of special categories of personal data is prohibited unless the following conditions are met: (a) The explicit consent of the data subject, (b) Explicitly stipulated in laws, (c) Necessary for the protection of the life or bodily integrity of the data subject or a third party, when the data subject is unable to provide consent due to physical impossibility or when their consent is legally ineffective, (ç) Relating to personal data that the data subject has made public and in accordance with their intention to make it public, (d) Necessary for the establishment, exercise, or defense of legal claims, (e) Necessary for protecting public health, conducting medical diagnosis, treatment, and care services, health services planning, management, and financing, if carried out by persons or authorized institutions under a confidentiality obligation, (f) Necessary for fulfilling legal obligations in employment, occupational health and safety, social security, social services, and social assistance.

Method of Collecting Personal Data:

Personal data is collected directly from you verbally, via digital platforms such as email, our website, social media applications, or through physical forms and documents.

Transfer of Personal Data:

According to the law governing the transfer of personal data, Article 8, Paragraph 1 states that “Personal data cannot be transferred without the explicit consent of the data subject.” According to Paragraph 2, personal data can be transferred without explicit consent of the data subject under the following conditions: (a) as specified in Article 5, Paragraph 2; (b) provided that adequate precautions are taken, as stated in Article 6, Paragraph 3, “personal data can be transferred without the explicit consent of the data subject if one of the specified conditions exists.” Data shared with our company may be transferred abroad by data controllers and processors under the conditions specified in Article 9, Paragraph 1, as follows: “Personal data can be transferred abroad by data controllers and processors if there is a decision of adequacy regarding the country, sectors within the country, or international organizations to which the transfer will be made, and the conditions specified in Articles 5 and 6 are met.” According to Paragraphs 2 and 3, if the Board has issued an adequacy decision for the countries, personal data may be transferred to those countries or other countries where it is necessary. 
According to Paragraph 4, “If no adequacy decision exists, personal data can be transferred abroad by data controllers and processors, provided that one of the specified conditions in Articles 5 and 6 exists, and the data subject has the ability to exercise their rights and access effective legal remedies in the country to which the transfer will be made, and one of the following appropriate safeguards is in place: a) an international agreement made between public institutions and organizations in the country and those in the recipient country, or a non-international agreement authorized by the Board; b) binding corporate rules approved by the Board, containing provisions on the protection of personal data, which must be followed by companies within the same economic activity group; c) a standard contractual clause, approved by the Board, containing details about data categories, the purposes of the data transfer, recipient and recipient groups, the technical and administrative measures to be taken by the data recipient, and additional measures for sensitive personal data; ç) a written commitment containing provisions ensuring adequate protection, approved by the Board.” According to Paragraph 5, “Standard contracts must be submitted to the Board by the data controller or processor within five business days of signing.” Paragraph 6 states that “Subparagraphs (a), (b), and (c) do not apply to public institutions and organizations’ public law activities.” Data controllers and processors may transfer personal data abroad, on an occasional basis, only under the following circumstances when no adequacy decision or suitable safeguards are provided: a) If the data subject gives explicit consent to the transfer after being informed of the potential risks; b) If the transfer is necessary for the performance of a contract between the data subject and the data controller, or for taking pre-contractual steps at the data subject’s request; c) If the transfer is necessary for the establishment or performance of a contract between the data subject and another person or legal entity for the benefit of the data subject; ç) If the transfer is required for reasons of substantial public interest; d) If the transfer is necessary for the establishment, use, or protection of a legal claim; e) If the data subject is unable to express consent due to physical impossibility or legal incapacity, and transferring personal data is essential for the protection of their or another person’s life or bodily integrity; f) If data is transferred from a public registry open to the public or accessible under the relevant legislation and a legitimate request is made by the person with legitimate interests. According to Article 9, “Personal data can only be transferred abroad, with the Board’s approval, after consultation with the relevant public institution or organization, when the interests of the data subject or Turkey are seriously jeopardized.” Also, Article 11 stipulates that “Other provisions in laws regarding the transfer of personal data abroad are reserved,” and the transfer will be conducted in compliance with the applicable regulations.

Transfers are conducted within the scope of the conditions outlined in Articles 8 and 9 of the law and for the specified purposes. No personal data is transferred to third parties outside these conditions.

Personal data shared with our company may be disclosed and transferred to our direct or indirect affiliates, group companies, shareholders/partners, private legal entities, and independent accountants/financial advisors, or authorized persons and institutions, including the bank with which we have agreements.

1.6. PERSONAL DATA SUBJECT GROUP: VISITOR

Collected Personal Data:

  • Physical Space Security Data (Security camera recordings such as the duration of time employees and visitors are present in physical spaces),
  • Other (Signature, vehicle information),
  • Transaction Security Data (IP address information, MAC address, website login/logout information, password and code information, etc.)

Purpose of Processing Personal Data:

Managing emergency procedures, ensuring physical space security, conducting internal audits/investigations/intelligence activities, creating and tracking visitor records, ensuring the security of data controller operations, providing information to authorized persons, institutions, and organizations, ensuring confidentiality, providing better service, using as evidence in future disputes, meeting the demands of authorized public institutions or organizations in emergency management, ensuring entry-exit controls, securing the company, detecting criminal incidents, and processing and transferring for audit purposes.

Legal Basis for Processing Personal Data:

According to Article 5, Paragraph 1 of the Personal Data Protection Law (KVK Law), “Personal data cannot be processed without the explicit consent of the data subject.” According to Paragraph 2, personal data can be processed without explicit consent in the following cases:

  • (a) “Clearly stipulated by laws.”
  • (b) “It is necessary to protect the life or bodily integrity of the person or another person, where the data subject cannot give consent due to physical impossibility or the legal validity of consent is not recognized.”
  • (c) “It is necessary for the establishment or performance of a contract, provided it is directly related to the parties of the contract.”
  • (ç) “It is necessary for the data controller to fulfill its legal obligation.”
  • (d) “The data subject has made it public.”
  • (e) “Processing is necessary for the establishment, use, or protection of a right.”
  • (f) “Processing is necessary for the legitimate interests of the data controller, provided it does not harm the data subject’s fundamental rights and freedoms.”

In these cases, personal data can be processed without the explicit consent of the data subject.

Method of Collecting Personal Data:

Personal data is collected and processed by the company primarily through security services, including digital security camera recordings, emails, our website, social media applications, physical forms, documents, voice recordings, and through the visitor logbook by the security unit.

Transfer of Personal Data:

According to Article 8, Paragraph 2 of the Law, personal data may be transferred without the explicit consent of the data subject in the following cases:

  • (a) “As stipulated in Article 5, Paragraph 2,”
  • (b) “If sufficient precautions are taken,” under Article 6, Paragraph 3, “Personal data can be transferred if one of the specified conditions is met without the explicit consent of the data subject.”

Data may be transferred when necessary to authorized institutions and organizations.

2. TRANSFER OF PERSONAL DATA

The company does not share personal data with third parties prohibited by law, regardless of explicit consent, unless legally required. The personal data collected by the company may be shared with the data controller, in accordance with the KVK Law and relevant regulations, for the purpose of conducting commercial activities in compliance with the law, providing services you have requested, managing contract processes, verifying the signatures of the parties signing relevant documents, planning commercial and/or legal strategies, accessing legal online applications, and fulfilling legal obligations. The data may be recorded, stored for the required period, and shared with third parties in accordance with this information text and as permitted by the law and your explicit consent.

3. STORAGE PERIOD OF PERSONAL DATA

Personal data shared with the company via the channels mentioned in this information text will be stored in accordance with the periods prescribed in the KVK Law and relevant regulations, where applicable. In accordance with Article 7 of the KVK Law, personal data will be erased after the required storage period. If a period is not specified by the law or regulation, the processing and destruction procedures will be conducted as outlined in the Personal Data Storage and Destruction Policy.

4. RIGHTS OF THE DATA SUBJECT

In accordance with Article 11 of the Personal Data Protection Law (KVK Law), the data subject has the following rights:

  • To inquire whether personal data related to them is processed by the company,
  • To request information about the personal data if it has been processed,
  • To learn the purpose of processing personal data and whether it is being used in accordance with its intended purpose,
  • To know the third parties to whom personal data has been transferred, both domestically and internationally,
  • To request correction of personal data if it is incomplete or incorrect, and to request that the corrections be communicated to third parties to whom the data has been transferred,
  • To request the deletion or destruction of personal data, and to request that the deletion or destruction process be communicated to third parties to whom the data has been transferred, in accordance with the conditions specified in the KVK Law and other relevant legal provisions,
  • To object to the processing of personal data exclusively through automated systems, which results in a decision that negatively affects the person,
  • To request compensation for any damage caused by unlawful processing of personal data.

If an application is rejected, the response is deemed insufficient, or if no response is given within the legal timeframe, the data subject has the right to file a complaint with the Personal Data Protection Authority within thirty (30) days following the notification of the response, or in any case, within sixty (60) days from the date of the application. However, the complaint process cannot be initiated without exhausting the application process as required by the legal regulations.

5. METHODS OF APPLYING TO THE DATA CONTROLLER

If you wish to exercise your rights, you can submit your application by following the procedure outlined in the “Methods of Applying to the Data Controller” section of this information text, with identification documents attached. The application should be made after filling out the application form at:

https://www.ryshotel.com/

Then, submit a signed copy of the form through one of the following methods:

a. Delivered in person or via notary to I. Murat Mahallesi, Talat Paşa Cd. No: 82/A, 22030 Merkez / Edirne.

b. Sent by electronic mail to [email protected] using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously provided to our company and registered in our systems.

c. Other methods specified in the KVK Law can also be used to send your application.

In order for third parties to make an application on behalf of the personal data subject, the data subject must provide a special power of attorney issued via notary for the person applying on their behalf.

Your requests will be processed free of charge and completed as quickly as possible, and in any case, within 30 (thirty) days, depending on the nature of the request. However, if the process incurs additional costs for the company, a fee determined by the Personal Data Protection Authority will be applied.