Privacy Policy

 

This information text is prepared in accordance with the Law on the Protection of Personal Data No. 6698 (“KVKK”) and related legislation, as a Data Controller, by RYS TURİZM GIDA SAN.TİC.A.Ş. (“Company”), and includes information regarding the processing of personal data.

Through this clarification text, it is aimed to inform the groups of individuals whose personal data are collected about the collected personal data, the method of collection, the purposes of processing, the legal grounds, the parties to whom the processed personal data may be transferred and for what purposes, and the rights of the personal data owners.

Under KVKK, personal data refers to all kinds of information relating to an identified or identifiable natural person (“Personal Data”), while sensitive personal data, which is a special category, refers to information regarding race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data (“Sensitive Personal Data”). As a Data Controller, within the scope of our business relationship with you, Personal Data may be recorded, stored, preserved, reorganized when necessary, shared with institutions authorized by law to request such Personal Data, and processed in other ways specified under KVKK, limited to and proportional with the purpose requiring their processing.

Definitions:

  • KVKK: The Law on the Protection of Personal Data No. 6698.
  • KVK Board: Personal Data Protection Board.
  • Data Subject: The natural person whose personal data is processed.
  • Processing of personal data: Any operation performed on data, such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data, either entirely or partially through automatic means or non-automatic means that form part of a data recording system.

In this clarification text, personal data and sensitive personal data may collectively be referred to as “Personal Data.” The personal data processed for the purposes outlined in this text are transferred proportionately to the purposes stated herein.

1. GROUPS OF INDIVIDUALS WHOSE PERSONAL DATA IS COLLECTED BY THE COMPANY, COLLECTED PERSONAL DATA, PURPOSE OF PROCESSING, LEGAL BASIS, METHOD OF COLLECTION, AND GROUPS TO WHOM PERSONAL DATA IS TRANSFERRED

1.1. PERSONAL DATA SUBJECT GROUP: JOB APPLICANTS

Collected Personal Data:

  • Identity Data: Name and surname, National ID number, nationality, parents’ names, date of birth, marital status, place of birth, gender, etc.
  • Contact Data: Phone number, address, emergency contact number, email, etc.
  • Physical Space Security Data: Security camera recordings within the premises during the presence of employees and visitors.
  • Professional Experience Data: Diploma information, courses attended, in-service training records, certificates, etc.
  • Visual and Audio Records: Passport photo, visual, and audio recordings.
  • Health Data: Information regarding disability status, blood type, personal health details, devices or prosthetics used, etc.
  • Criminal Record and Security Measures: Criminal record, information regarding convictions, and security measures.
  • Candidate Transaction Data: Driver’s license class, SRC certificate, travel restrictions, applied position, application date, salary expectations, suitability for shift work, overtime work, willingness to relocate, interview details, etc.
  • Signature Data: Wet or electronic signatures, fingerprints, special marks on personal data-related documents.
  • Other: Military service status, interview notes, body measurements, driver’s license class, SRC certificate, competencies, private health or life insurance information, references, smoking and alcohol usage habits, etc.

Purpose of Processing Personal Data:

  • Managing emergency situations.
  • Conducting selection and placement processes for job applicants, interns, and students.
  • Managing application processes for job applicants.
  • Ensuring compliance with legal regulations.
  • Securing physical premises.
  • Planning human resources processes.
  • Sharing candidate evaluation data with business partners.
  • Managing relations with business partners and suppliers.
  • Conducting occupational health and safety activities.
  • Managing contract processes.
  • Providing information to authorized individuals, institutions, and organizations.
  • Hiring new employees.
  • Reviewing candidates and identifying suitable candidates for employment.
  • Allowing managers to better understand candidates and make informed decisions based on resumes.
  • Verifying information with references provided in resumes.
  • Confirming the suitability of candidates for the position.
  • Retaining resume details for future verification needs.
  • Storing data for potential future use in either digital or physical formats.
  • Evaluating candidates for positions in group companies if necessary.
  • Conducting communication activities.

Legal Basis for Processing Personal Data:
Personal data is collected by our Company through various channels and based on the legal grounds described above, in physical or electronic environments. Data may be collected directly from you via job application forms, resumes, or job application websites, through emails, from security cameras upon entering the premises, or during employment contract processes for the purposes listed above.

Under Article 5(1) of KVKK:
“Personal data cannot be processed without the explicit consent of the data subject.”
However, Article 5(2) outlines specific conditions where data may be processed without explicit consent:

  • (a) Where it is explicitly stipulated by laws.
  • (b) Where it is mandatory for the protection of life or physical integrity of a person who is unable to express consent due to actual impossibility or whose consent is not legally valid.
  • (c) Where it is necessary for the establishment or execution of a contract to which the data subject is a party.
  • (ç) Where it is mandatory for the data controller to fulfill its legal obligations.
  • (d) Where the personal data has been made public by the data subject.
  • (e) Where it is mandatory for the establishment, exercise, or protection of a right.
  • (f) Where it is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Transfer of Personal Data:
Based on the explicit consent requirement stated in Article 8(1) of KVKK, personal data may be shared and transferred domestically to business partners, group companies, and auditing firms for the purpose of conducting management activities.

1.1. PERSONAL DATA SUBJECT GROUP: EMPLOYEE

Collected Personal Data:

  • Identity Data: (Name, Surname, Turkish ID Number, Mother’s and Father’s Name, Date of Birth, Marital Status, Place of Birth, Gender, etc.)
  • Contact Data: (Phone Number, Email Address, Internal Phone Number, Corporate Email, etc.)
  • Physical Space Security Data: (Security camera recordings of employees and visitors during their presence in physical spaces, etc.)
  • Professional Experience Data: (Diploma details, attended courses, in-service training details, certifications, etc.)
  • Visual and Auditory Records: (Passport photo, visual and auditory records, etc.)
  • Health Information: (Health reports, employment periodic examination forms, accident reports, blood group information, personal health information, information about used devices and prostheses, disability-related information, etc.)
  • Criminal Convictions and Security Measures: (Criminal record, information regarding criminal convictions and security measures, etc.)
  • Signature Data: (Wet or electronic signatures on documents that qualify as personal data, etc.)
  • Other: (Driver’s License, Skills, Hobbies, Salary Expectations, Military Status, Reference Information, Smoking Habits, Alcohol Use, Computer Literacy, Body Measurements, Candidate Interview Information, Employee’s Body Measurement Information, etc.)
  • Location Data: (Vehicle GPS Data, Device GPS Data, Location Information, etc.)
  • Personnel Data: (Photo, Educational Information, Payrolls, Start Date of Employment, Termination Details, Resume Information, Salary Information, Job Role, E-Declaration, Seniority Base Date, Department Information, Insurance Information, Reference Information, Attendance Records, Leave Utilization Information, Disciplinary Investigations, Asset Declarations, Performance Evaluation Reports, Any Personal Data Processed to Establish Personnel Rights Within the Employee-Company Relationship, Employment Contract, Graduation Details, Educational Information, Suitability for Job Role, Pension Fund Information, Job Application Form, Personnel Update Form, Annual Leave Usage Records, SGK [Social Security Institution] Details, Employment Entry Documentation, Tax Allowances [AGI], E-Declaration, Signature Declarations, Registry Number, Position Name, Department and Unit, Title, Last Entry Date, Entry and Exit Dates, Flexible Working Status, Travel Status, Number of Working Days, Projects Worked On, Total Monthly Overtime Details, Severance Pay Base Date, Additional Severance Days, Strike Days, Leave Seniority Base Date, Additional Leave Days, Leave Group, Exit/Return Dates, Day, Reason for Leave, Address/Phone Number During Leave, and Other Legally Mandated Documents, etc.).

Held Data (Information in correspondence with judicial authorities, data in case files, etc.), Transaction Security Data (IP address information, MAC address, website entry/exit information, passwords and login details, etc.), Risk Management Data (information processed for managing commercial, technical, and administrative risks related to administrative and technical staff), Financial Data (Bank account details, salary information, information regarding debt and file details of enforcement proceedings, etc.), Biometric Data (Facial recognition data, etc.), Family Member Data (Spouse’s name, spouse’s employment information, spouse’s income, child’s name, child’s T.C. ID number, child’s date of birth, child’s gender, father’s name, mother’s name, biological/adoptive information, school enrollment date, school name, class),

Purpose of Personal Data Processing:

Execution of the employment contract, annual and other leave approvals for employees, displaying and adjusting remaining leave information, processing employee entry and exit procedures, ensuring payroll processing, making salary and additional benefit payments, managing emergency processes, implementing information security processes, managing employee satisfaction and engagement processes, fulfilling contractual and legal obligations towards employees, managing employee benefits and perks, conducting audits/ethical activities, carrying out training activities, implementing access rights, ensuring operations are carried out in compliance with regulations, harmonizing and managing activities according to applicable laws or company procedures, managing financial and accounting tasks, implementing processes related to company/product/service loyalty, ensuring physical security of premises, recording entry/exit logs, carrying out delegation processes, following up and managing legal affairs, internal audits/investigations/intelligence activities, managing communication activities, planning HR processes, managing and supervising business operations, collecting entry/exit logs of business partner/supplier employees, sharing with business partners, managing relationships with business partners and suppliers, managing occupational health and safety activities, collecting and evaluating suggestions for improving business processes, ensuring business continuity activities, carrying out logistics activities, managing procurement processes, ensuring after-sales support services, managing sales processes, managing production and operation processes of goods/services, managing customer relationship processes, conducting activities to improve customer satisfaction, organizing and managing events, conducting marketing analysis, conducting performance evaluation processes, implementing risk management processes, carrying out storage and archiving activities, managing social responsibility and civil society activities, managing contract processes, implementing sponsorship activities, carrying out strategic planning activities, tracking requests/complaints, ensuring the security of movable property and resources, managing salary policies, processing work and residence permits for foreign employees, managing talent/career development activities, providing information to authorized persons, institutions, and organizations, carrying out management activities, recruiting new employees, reviewing candidates and selecting new hires, sharing and verifying reference details in resumes, confirming the alignment with the position, and saving resume information for future confirmation or evaluation in case of a vacancy in the group companies. Digital or physical information shared with you may also be recorded for future reference, and personal data might be processed for organizational communication, employee management, payroll processing, benefiting from the minimum living allowance for your family member, following legal requirements, ensuring regulatory and company management responsibilities, conducting proper application and compliance audits, and ensuring conformity with corporate policies such as security and internet usage requirements, as well as operational needs like recorded transactions, training, and quality control, security checks.

Legal Obligation: Fulfilling legal obligations under the Labor Law, Occupational Health and Safety Law, Social Security Law, and other relevant regulations, creating personal files, SGK and İŞKUR notifications, AGI calculation, providing information on incentives and legal obligations, ensuring the opening of mandatory individual pension insurance accounts, monitoring and managing employee entry and exit records, making payments related to salary garnishments in enforcement files, conducting occupational health and safety operations, making legal notifications of work accidents, police station notifications, complying with archiving and information notification obligations as per the legislation, fulfilling court rulings.

Ensuring Physical Space Security: Ensuring workplace security, providing employee entry and exit at the company’s headquarters.

Within the scope of our company’s obligations to ensure and improve occupational health and safety; creating emergency lists and carrying out emergency operations, creating emergency analysis reports, conducting work accident examinations, performing entrance examinations, and carrying out processes related to obtaining health reports from workplace doctors are processed and transferred for these purposes.

In case you have a corporate email, cloud service, computer, phone, tablet, etc. assigned to you, company officials may track these devices, cloud services, and email addresses. If deemed appropriate by the company, the assigned cloud or email address may be disabled or deleted. The devices used may be canceled.

Legal Basis for Processing Personal Data:

According to Article 5, Paragraph (1) of the Personal Data Protection Law (KVK Law): “Personal data cannot be processed without the explicit consent of the data subject.” In Paragraph (2), it states the exceptions under which personal data may be processed without explicit consent: (a) “Clearly stipulated in the laws.” (b) “In cases where the data subject is unable to express consent due to physical impossibility, or the person’s consent is not legally valid, and processing is necessary to protect the life or bodily integrity of the data subject or another person.” (c) “Where it is necessary for the establishment or performance of a contract, directly related to the parties of the contract, to process the personal data of the parties involved.” (ç) “Where it is mandatory for the data controller to fulfill a legal obligation.” (d) “Where the data subject has made the data public.” (e) “Where processing is necessary for the establishment, exercise, or protection of a right.” (f) “Where processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject.”

In such cases, personal data may be processed without the explicit consent of the data subject. According to Article 6, Paragraph 3, “The processing of special categories of personal data is prohibited. However, the processing of such data is allowed if: (a) The explicit consent of the data subject is obtained, (b) Clearly stipulated in the laws, (c) Due to physical impossibility, the data subject is unable to express consent or their consent is not legally valid, and it is necessary to protect the life or bodily integrity of the person or another, (ç) Relates to personal data made public by the data subject, and is in accordance with the intention of making it public, (d) It is necessary for the establishment, exercise, or protection of a right, (e) It is necessary for persons or authorized institutions and organizations that are under an obligation of confidentiality, to protect public health, perform preventive medicine, medical diagnosis, treatment, and care services, as well as for planning, management, and financing of health services, (f) It is necessary for fulfilling legal obligations in employment, occupational health and safety, social security, social services, and social assistance areas” personal data is collected and processed under these conditions.

Methods of Personal Data Collection:

Your personal data is collected by the Company through various written, oral, and electronic means, both automated and non-automated, for the purposes stated in this Privacy Notice, either directly from you or via websites that allow you to apply for a job, via email, through expense and leave forms, and other documents you fill out. In line with the Company’s legal obligations and legitimate interests regarding workplace security, personal data is automatically collected via cameras placed in the workplace. In compliance with legal obligations and due to statutory requirements, your health data is collected through our workplace physician.

If a vehicle is assigned to you, location information, date, and time data are collected through GPRS channels, in accordance with the Company’s legitimate interest in performing business tracking via automatic methods.

Through systems that monitor entry and exit times; for the purpose of ensuring workplace security, tracking employee entry/exit times, recording attendance, and processing payroll, personal data is collected via facial recognition methods due to the Company’s legitimate interest and legal obligations.

Transfer of Personal Data:

According to the law governing personal data transfer, Article 8, Paragraph 1, “Personal data cannot be transferred without the explicit consent of the data subject.” Based on Paragraph 2, personal data may be transferred under the following conditions: (a) As explicitly stated in the law, (b) If sufficient precautions are taken, (c) In the presence of one of the conditions mentioned in Article 6, Paragraph 3, transfer can occur without the explicit consent of the data subject.

According to Article 9, Paragraph 1, of the law, personal data shared with our Company may be transferred abroad by data controllers and processors if one of the conditions mentioned in Articles 5 and 6 exists, and there is a decision of adequacy for the country, sectors within the country, or international organizations. In cases where there is no adequacy decision, personal data may still be transferred abroad if one of the conditions mentioned in Articles 5 and 6 exists, and the data subject has the ability to exercise their rights and access effective legal remedies in the destination country.

Personal data will be transferred solely for the purposes stated in the law’s Articles 8 and 9. Data will not be transferred to any third parties outside the stated purposes.

Based on the processing condition of “contract establishment or performance” regulated in Article 5/2 (c) of the KVK Law, your personal data may be shared with banks, certified public accountants/tax consultants, and relevant suppliers for payroll and employee benefits processing, as well as the execution of the Company’s operations. According to Article 5/2 (ç) of the KVK Law, based on the condition “the data controller fulfilling their legal obligations,” personal data may be shared with the Ministry of Labor and Social Security, the Social Security Institution, Turkey Employment Agency, courts, and other public institutions as needed. In cases of potential disputes, for legal consultancy, technical support, and for ensuring the fulfillment of employment agreements, personal data may be shared with law offices and consultants. Personal location data may be shared with relevant third-party suppliers for providing vehicle tracking services. Based on explicit consent under Article 8 of the KVK Law, personal data may be shared with third parties for advertising, marketing, and promotional activities through social media accounts.

Personal Data Owner Group: Potential Product or Service Buyer / Customer Candidate

Collected Personal Data: Identification Data (Name, Surname, T.C. ID No., Nationality, etc.), Contact Data (Phone Number, Address, Email, etc.), Marketing Data (Shopping history, surveys, cookies, data obtained through campaign activities), Physical Space Security Data (Security camera recordings of employees and visitors during their time in the physical space, entry-exit logs, etc.)

Purpose of Personal Data Processing:

The data is processed for the following purposes: Conducting communication activities, receiving and evaluating suggestions for improving business processes, conducting sales processes of goods/services, performing marketing analysis studies, executing advertising/campaign/promotion activities, tracking demands/complaints, and managing the marketing process of products/services.

Legal Basis for Personal Data Processing:

According to Article 5, Paragraph 1 of the KVK Law, “Personal data cannot be processed without the explicit consent of the data subject.” In accordance with Paragraph 2, personal data may be processed under the following conditions: (a) As explicitly provided by law, (b) When it is necessary to protect the life or bodily integrity of the person who is unable to give consent due to physical impossibility, (c) When processing personal data is directly related to the establishment or performance of a contract, (ç) When necessary for the data controller to fulfill their legal obligations, (d) If the data subject has made the data public, (e) When processing personal data is necessary for the establishment, use, or protection of a right, (f) If processing the data is necessary for the legitimate interests of the data controller, without violating the data subject’s fundamental rights and freedoms.

Methods of Personal Data Collection:

Personal data may be collected through emails, social media (Facebook, Twitter, Instagram, etc.), our website, physical forms, documents, surveys, and fieldwork, or directly from you verbally.

Transfer of Personal Data:

According to the law determining the transfer of personal data, Article 8, paragraph 2, personal data may be transferred without the explicit consent of the relevant person if one of the following conditions is met:
(a) under the provision of Article 5, paragraph 2,
(b) under Article 6, paragraph 3, “if the specified conditions are met.”
As per the first paragraph, “Personal data cannot be transferred without the explicit consent of the relevant person.” Accordingly, the personal data shared and transferred may be shared and transferred directly or indirectly with our affiliates, group companies, shareholders/partners, authorized persons and institutions.

1.3. PERSONAL DATA OWNER GROUP: INTERN

Collected Personal Data:

Identity Data (Name, Surname, T.C. ID Number, Mother’s and Father’s Name, Place of Birth, Date of Birth, etc.), Financial Data (Bank Account Information, Salary Information, etc.), Physical Security Data (Security Camera Records during the Period of Presence in the Facility, etc.), Professional Experience Data (School Information, Diploma Information, Courses Taken, In-house Training Information, Certifications, etc.), Visual and Audio Records (Visual and Audio Records, etc.), Transaction Security Data (IP Address Information, MAC Address, Website Login/Logout Information, Password Information, etc.), Contact Data (Address, Email Address, Contact Address, Phone Number, etc.), Health Data (Disability Information, Blood Type, Personal Health Information, Devices and Prostheses Used, Health Reports, etc.), Signature Data (Wet Signature on Documents Bearing Personal Data, etc.), Family Member Data (Name, Surname, Phone Number, Relationship, Residence Information, Email Address of Guardian, etc.), Personnel Data (Photo, Education Information, Salary Slips, Start Date, End Date, CV Information, E-Declaration, Department Information, Insurance Information, Reference Information, Work Hours, Leave Information, etc.).

Purpose of Processing Personal Data:

Personal data is processed and transferred for the following purposes:

  • Emergency management processes,
  • Information security processes,
  • Employee candidate/intern/student selection and placement processes,
  • Employee satisfaction and loyalty processes,
  • Employee benefits and welfare processes,
  • Audit/ethical activities,
  • Training activities,
  • Access rights management,
  • Activities in compliance with legislation,
  • Company/product/service loyalty processes,
  • Physical security of the facility,
  • Assignment processes,
  • Legal follow-up and management,
  • Internal audits/investigations/intelligence activities,
  • Communication activities,
  • Business activities and auditing,
  • Occupational health and safety activities,
  • Contract processes,
  • Talent/career development activities,
  • Sharing information with authorized persons, institutions, and organizations.

Legal Grounds for Processing Personal Data:

According to Article 5, paragraph 1 of the Personal Data Protection Law, “Personal data cannot be processed without the explicit consent of the relevant person.” Under paragraph 2, personal data may be processed without the explicit consent of the relevant person if any of the following conditions are met:
(a) It is explicitly foreseen by law,
(b) It is necessary for the protection of the life or physical integrity of the relevant person or another person, where the person is unable to give consent due to physical impossibility or if their consent is legally invalid,
(c) It is directly related to the conclusion or performance of a contract,
(ç) It is necessary for the fulfillment of the legal obligation of the data controller,
(d) The personal data has been made public by the data subject,
(e) It is necessary for the establishment, exercise, or protection of a legal right,
(f) It is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

Methods of Collecting Personal Data:

Personal data may be collected through digital channels via email or through physical forms/documents.

Transfer of Personal Data:

According to the law determining the transfer of personal data, Article 8, paragraph 2, personal data may be transferred without the explicit consent of the relevant person if one of the following conditions is met:
(a) under the provision of Article 5, paragraph 2,
(b) under Article 6, paragraph 3, “if the specified conditions are met.”
As per the first paragraph, “Personal data cannot be transferred without the explicit consent of the relevant person.” Accordingly, the personal data shared and transferred may be shared and transferred directly or indirectly with our affiliates, group companies, shareholders/partners, our contracted bank, certified public accountants/tax advisors, authorized persons and institutions.

1.4. PERSONAL DATA OWNER GROUP: SUPPLIERS/SERVICE PROVIDERS

Collected Personal Data:

Identity Data (Full Name, Title, National ID Number, etc.), Communication Data (Address, Email Address, Contact Address, Registered Electronic Mail Address (KEP), Phone Number, etc.), Legal Transaction Data (Information, Correspondence with Judicial Authorities, Case File Information, etc.), Risk Management Data (Information related to the management of commercial, technical, and administrative risks), Financial Data (Bank Information, Balance Sheet Information, Tax Office Information, Tax Number, Signature Circular, etc.), Customer Transaction Data (Invoice, GATE receipt information, order information, request information, signature circular, etc.), Physical Security Data (Security Camera Recordings during the time employees and visitors stay at the physical premises), Transaction Security Data (IP Address Information, MAC Address, Website Access/Exit Information, Passwords and Login Details, etc.), Signature Data (Wet or Electronic Signatures on Documents Containing Personal Data, etc.).

Purpose of Processing Personal Data:

The processing of personal data is carried out for the following purposes: Managing emergency processes, managing information security processes, conducting audits/ethics activities, managing access rights, managing financial and accounting tasks, ensuring physical security of premises, managing assignment processes, following up and managing legal processes, conducting internal audits/investigations/intelligence activities, managing communication activities, conducting and auditing business operations, planning and managing access rights to information and facilities for business partners and suppliers, managing relationships with business partners and suppliers, managing occupational health and safety activities, collecting and evaluating suggestions for improving business processes, ensuring business continuity, managing logistics activities, managing purchasing processes for goods/services, managing production and operation processes for goods/services, conducting storage and archiving activities, managing contract processes, and sharing information with authorized persons, institutions, and organizations.

Legal Basis for Processing Personal Data:

According to Article 5 (1) of the Personal Data Protection Law (KVK Law), “Personal data cannot be processed without the explicit consent of the relevant person.” In Article 5 (2), (a) “When explicitly foreseen in the laws,” (b) “When the person cannot express consent due to a physical impossibility or when their consent is not legally valid, and it is necessary to protect the life or physical integrity of the person or another,” (c) “When directly related to the establishment or performance of a contract, processing of personal data of the contract parties is necessary,” (ç) “When it is necessary for the data controller to fulfill a legal obligation,” (d) “When the data is made public by the person concerned,” (e) “When processing is necessary for the establishment, use, or protection of a right,” (f) “When processing is necessary for the legitimate interests of the data controller without violating the fundamental rights and freedoms of the relevant person,” in these cases, personal data can be processed without the explicit consent of the relevant person.

Method of Collecting Personal Data:

Personal data can be collected through digital means (email) or physical means (forms/documents), or verbally provided by the relevant person.

Transfer of Personal Data:

In accordance with the provisions of Article 8, paragraph 2 of the Law, personal data may be transferred to third parties, including affiliates, group companies, shareholders/partners, private legal entities, free accountants/tax consultants, banks with whom agreements are made, and authorized persons or institutions, in cases where sufficient measures are taken, or when one of the conditions set out in Article 6(3) of the Law applies, and without requiring explicit consent from the data subject.

1.5. PERSONAL DATA OWNER GROUP: PERSON / CUSTOMER RECEIVING PRODUCTS OR SERVICES

Collected Personal Data:

Identity Data (Full Name, National ID No, Nationality, Passport No, Issued By, Date of Issue, Mother’s and Father’s Name, Place of Birth, Date of Birth, Relative’s Full Name, Accompanying Person’s Full Name, etc.), Communication Data (Phone Number, Address Information, Relative’s Phone Number, Accompanying Person’s Phone Number, Smoking Status, Email, etc.), Marketing Data (Shopping history, surveys, cookie records, information obtained through campaign efforts), Health Information (Chronic disease information, information on infectious diseases), Physical Space Security Data (Security camera recordings of employees and visitors during their time in physical premises, entrance and exit logbook), Other (Order Date and Time, Number of Persons, Occupation, Date and Time Information, Destination City Information, Room Information, Vehicle Plate Number, Language, Occupation, Departure Date, Signature, Accompanying Person Information, Appointment Information, etc.).

Purpose of Processing Personal Data:

The processing of personal data is carried out for the following purposes: Managing emergency response processes, managing information security processes, conducting audits/ethics activities, ensuring activities comply with regulations, managing loyalty processes for the company/products/services, ensuring physical space security, following and managing legal processes, conducting internal audits/investigations/intelligence activities, managing communication activities, conducting and auditing business activities, managing occupational health and safety activities, providing post-sale support services for products/services, managing sales processes for products/services, managing customer relationship management (CRM) processes, conducting customer satisfaction activities, conducting marketing analysis, managing advertising/campaign/promotion processes, conducting storage and archiving activities, managing contract processes, tracking requests/complaints, marketing processes for products/services, and sharing information with authorized persons, institutions, and organizations.

Legal Basis for Processing Personal Data:

According to Article 5(1) of the Personal Data Protection Law (KVK Law), “Personal data cannot be processed without the explicit consent of the relevant person.” In Article 5(2), (a) “When explicitly foreseen in the laws,” (b) “When the person cannot express consent due to physical impossibility or when their consent is not legally valid, and it is necessary to protect the life or physical integrity of the person or another,” (c) “When directly related to the establishment or performance of a contract, processing of personal data of the contract parties is necessary,” (ç) “When it is necessary for the data controller to fulfill a legal obligation,” (d) “When the data is made public by the person concerned,” (e) “When processing is necessary for the establishment, use, or protection of a right,” (f) “When processing is necessary for the legitimate interests of the data controller without violating the fundamental rights and freedoms of the relevant person,” in these cases, personal data can be processed without the explicit consent of the relevant person.

Additionally, according to Article 6, Paragraph 3, “Processing special categories of personal data is prohibited. However, processing such data is permitted if: a) The explicit consent of the relevant person is obtained, b) It is explicitly foreseen in the laws, c) It is necessary due to physical impossibility or the legal incapacity of the person to give consent, to protect their own or someone else’s life or physical integrity, d) It is in accordance with the intention of the person who made the data public, e) It is necessary for the establishment, use, or protection of a right, f) It is necessary for public health protection, preventive medicine, medical diagnosis, treatment, and healthcare services, or necessary for the planning, management, and financing of health services under the obligation of confidentiality by persons or authorized institutions and organizations, or if it is required to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.”

These categories of personal data are collected and processed accordingly.

Method of Collection of Personal Data:

Personal data is collected directly from you through verbal communication, digital platforms such as email, our website, social media applications, or through physical means such as forms and documents.

Transfer of Personal Data:

According to the law regulating the transfer of personal data, in accordance with Article 8, Paragraph 1, “Personal data cannot be transferred without the explicit consent of the data subject.” In Paragraph 2, personal data may be transferred under the following conditions: (a) According to the second paragraph of Article 5, (b) “Transfer may occur if sufficient precautions are taken,” and in the third paragraph of Article 6, “If one of the specified conditions is met, personal data may be transferred without obtaining the explicit consent of the data subject.”

The personal data shared with our company may be transferred abroad according to Article 9, Paragraph 1, which states, “Personal data may be transferred abroad by data controllers and data processors if one of the conditions specified in Articles 5 and 6 is met, and there is a positive adequacy decision regarding the country, sectors within the country, or international organizations.” According to Paragraphs 2 and 3, personal data may be transferred to countries where the Board has issued adequacy decisions. According to Paragraph 4, “Personal data may be transferred abroad even if there is no adequacy decision, provided that one of the conditions specified in Articles 5 and 6 exists, and the data subject has access to their rights in the country to which the data is being transferred, along with effective legal remedies, and one of the following safeguards is provided by the parties involved: a) The existence of an international agreement between public institutions and organizations abroad or international organizations and public institutions and organizations in Turkey, even if not legally binding, and permission is granted by the Board. b) The existence of binding corporate rules containing provisions regarding the protection of personal data and approved by the Board, for companies within the same economic group. c) The existence of a standard contractual agreement published by the Board, which includes data categories, purposes of data transfer, recipients, and measures to be taken by the recipient in terms of technical and administrative safeguards, including additional measures for sensitive data. ç) The existence of a written undertaking containing provisions ensuring adequate protection and permission granted by the Board.” According to Paragraph 5, “The standard contract must be notified to the Board by the data controller or processor within five business days of signing.” According to Paragraph 6, “The provisions of (a), (b), and (c) do not apply to activities conducted by public institutions and organizations under public law.” In cases where there is no adequacy decision and none of the appropriate safeguards mentioned in Paragraph 4 can be provided, personal data may only be transferred abroad under the following circumstances: a) The data subject provides explicit consent, after being informed about potential risks. b) The transfer is necessary for the performance of a contract between the data subject and the data controller or for taking pre-contractual measures at the request of the data subject. c) The transfer is necessary for the establishment or performance of a contract between the data controller and another individual or legal entity in the interest of the data subject. ç) The transfer is required for a public interest of superior importance. d) The transfer is necessary for the establishment, exercise, or protection of a legal right. e) The transfer is necessary for the protection of the life or physical integrity of a person who is unable to give consent due to physical impossibility or whose consent is not legally valid. f) The transfer is made based on a public registry accessible to the public or to individuals with legitimate interests in accordance with the relevant legislation, if the conditions for accessing the registry are met and the individual with the legitimate interest requests the transfer.”

According to Article 9, “Personal data may be transferred abroad with the permission of the Board if the transfer significantly harms Turkey’s or the data subject’s interests, and only after consulting the relevant public institution or organization.” According to Article 11, the provision “Other provisions in relevant laws regarding the transfer of personal data abroad will apply” will govern such transfers.

Personal data is transferred only under the conditions specified in Articles 8 and 9, and for the purposes mentioned above. No transfer of personal data will be made to third parties beyond these specified purposes.

Personal data shared with our company may be shared and transferred with our direct or indirect affiliates, group companies, shareholders/partners, private law entities, independent accountants/tax advisors, our contracted bank, and authorized persons and institutions.

1.6. PERSONAL DATA OWNER GROUP: VISITOR

Collected Personal Data:

Physical Space Security Data (Security camera recordings during the period employees and visitors are in the physical space), Other (signature, vehicle information), Transaction Security Data (IP address, MAC address, website login/logout data, password, and credential information)

Purpose of Processing Personal Data:

To manage emergency processes, ensure physical space security, conduct internal audits/investigations/intelligence activities, create and monitor visitor records, ensure the security of data controller operations, provide information to authorized persons, institutions, and organizations, ensure confidentiality, provide better service, use as evidence in potential future disputes, fulfill requests of authorized public institutions or organizations in managing emergencies, ensure entry and exit controls, secure the company, detect criminal incidents, and process for audit purposes.

Legal Basis for Processing Personal Data:

According to Article 5(1) of the Law on the Protection of Personal Data (KVK Law), “Personal data cannot be processed without the explicit consent of the data subject.” According to Article 5(2), (a) “If explicitly stated in laws,” (b) “If the data subject cannot give consent due to actual impossibility or if the person’s consent is not legally valid, and it is necessary for the protection of their life or physical integrity or that of another person,” (c) “If it is necessary for the establishment or performance of a contract and personal data is directly related to the contract parties,” (ç) “If necessary for the fulfillment of the legal obligation of the data controller,” (d) “If it has been made public by the data subject,” (e) “If processing is necessary for the establishment, exercise, or protection of a right,” (f) “If processing is necessary for the legitimate interests of the data controller without harming the fundamental rights and freedoms of the data subject,” personal data can be processed without the explicit consent of the individual.

Method of Collection of Personal Data:

Personal data is processed and collected through digital methods such as security camera recordings, email, our website, social media applications, or physical forms, documents, and audio recordings, and through physical methods such as the visitor log maintained by the security team.

Transfer of Personal Data:

According to Article 8(2) of the Law, personal data may be transferred without the explicit consent of the individual, based on certain conditions mentioned in the law, to authorized institutions or organizations as needed.

2. TRANSFER OF PERSONAL DATA

The company does not share personal data with third parties prohibited by law, whether with explicit consent or not, except as required by legal obligations and recognized rights. The personal data collected by the company may be processed, recorded, stored, and, if permitted by law and the explicit consent of the individual, transferred to third parties, in accordance with the terms outlined in the Disclosure Text.

3. STORAGE PERIOD OF PERSONAL DATA

Personal data shared with our company through the channels mentioned in this Disclosure Text will be stored in compliance with the periods specified in the relevant legislation and the Law on the Protection of Personal Data. After the required retention period, personal data will be destroyed in accordance with the methods and principles specified in the KVK Law Article 7. If there is a prescribed period, operations after its expiration or in the absence of a specified period will be conducted according to the Personal Data Retention and Destruction Policy.

4. RIGHTS OF THE RELEVANT PERSON

According to Article 11 of the Law on the Protection of Personal Data:

By applying to the company, you have the right to learn whether your personal data is processed, to request information if your personal data has been processed, to learn the purpose of processing your personal data and whether they are used in accordance with that purpose, to know the third parties to whom your personal data is transferred both inside and outside the country, to request the correction of any incomplete or inaccurate personal data, and to have such corrections communicated to the third parties to whom your personal data has been transferred. You also have the right to request the deletion or destruction of your personal data, provided the conditions stipulated in the KVK Law and related laws are met, and to have these actions communicated to the third parties to whom your personal data has been transferred. You can also object to the result that may arise against you by the exclusive use of automated systems, and request the correction of damages arising from the unlawful processing of your personal data.

If your application is rejected, if you find the response insufficient, or if no response is given within the required period, you have the right to lodge a complaint with the Personal Data Protection Board within 30 days of receiving the response, and within 60 days from the date of your application. However, you cannot file a complaint without exhausting the application process if required by the legal regulations.

5. METHODS OF APPLYING TO THE DATA CONTROLLER

If you wish to exercise your rights, you can submit your applications in accordance with the procedures and principles outlined in the “Regulation on the Procedure and Principles for Application to the Data Controller” dated 10.03.2018 and numbered 30356, by providing documents that prove your identity along with the completed Application Form found at:

https://www.ryshotel.com/

The signed copy of the form should be sent as follows:

a. Delivered in person or by notary to the address I. Murat Mahallesi Atatürk Bulvarı No:232 22030 Merkez / Edirne,

b. By sending an electronic mail (email) to [email protected] using a secure electronic signature, mobile signature, or the electronic mail address previously notified and registered in our systems, in soft copy,

c. You can also apply using other methods specified in the Personal Data Protection Law (KVK Law).

In case a third party applies on behalf of the personal data owner, a special power of attorney issued by notary must be provided by the data owner for the person applying on their behalf.

Your application, depending on the nature of your request(s), will be concluded as soon as possible and no later than 30 (thirty) days free of charge. However, if the process incurs additional costs for the Company, the fee specified by the Personal Data Protection Board will be charged.