TEKSOY TOURISM ACCOMMODATION FOOD INVESTMENT IND. TRADE INC.
PACHAMAMA HOTEL
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
This destruction policy has been prepared by TEKSOY TOURISM ACCOMMODATION FOOD INVESTMENT IND. TRADE INC. (hereinafter referred to as "TEKSOY TOURISM") as the data controller, to determine the procedures and principles to be applied by us for the deletion, destruction, or anonymization of personal data we hold, in accordance with the Personal Data Protection Law No. 6698 and other relevant legislation.
Within this context, the personal data of our employees, job applicants, customers, and all individuals whose personal data is held by TEKSOY TOURISM for any reason are managed in accordance with the laws within the framework of the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy.
1.2. DEFINITIONS
Law on the Protection of Personal Data No. 6698," published in the Official Gazette dated April 7, 2016, with the number 29677
The Regulation on Deletion, Destruction, or Anonymization of Personal Data," published in the Official Gazette dated October 28, 2017, with the number 30224.
Personal Data Protection Board
Deletion, destruction, or anonymization of personal data
Personal data, even when matched with other data, shall be rendered in such a way that the identity of the real person cannot be identified or determinable under any circumstances
Any environment where personal data, whether processed entirely or partially by automatic means or non-automatic means as part of any data recording system
Personal Data Processing and Protection Policy
The policy that determines the principles and procedures for managing the personal data held by TEKSOY TOURISM, accessible at the address '
www.pachamamahotel.com
The record system where personal data is processed by being structured according to specific criteria
2.1. ENVIRONMENTS WHERE PERSONAL DATA IS STORED
The personal data stored by TEKSOY TOURISM is kept in a recording environment suitable for the nature of the relevant data and our legal obligations.The recording environments used for storing personal data are generally as follows. However, some data may be kept in an environment different from those shown here due to their special characteristics or our legal obligations. TEKSOY TOURISM always acts as the data controller and processes and protects personal data in compliance with the Law, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy.
The environments where data is printed on paper or microfilms are stored
b) Local digital environments
The servers within the scope of TEKSOY TOURISM, including fixed or portable disks, optical disks, and other digital environments
Although not within the scope of TEKSOY TOURISM, environments using internet-based systems encrypted with cryptographic methods that are in use by TEKSOY TOURISM
2.2. ENSURING THE SECURITY OF ENVIRONMENTS
TEKSOY TOURISM takes all necessary technical and administrative measures to ensure the secure storage of personal data and to prevent its unlawful processing and access, in accordance with the nature of the relevant personal data and the environment in which it is held.These measures, not limited to, include the following administrative and technical measures to the extent that they are suitable for the nature of the relevant personal data and the environment in which the data is held:
2.2.1. Technical Measures
TEKSOY TOURISM takes the following technical measures for all environments where personal data is stored, in accordance with the nature of the relevant data and the environment in which it is held:
- Up-to-date and secure systems compatible with technological developments are used in environments where personal data is stored.
- Security systems for the environments where personal data is stored are used.
- Access to personal data in the environments where it is stored is restricted, allowing only authorized individuals limited access to this data for the purpose of storing personal data, and all accesses are recorded.
- TEKSOY TOURISM has sufficient technical personnel to ensure the security of the environments where personal data is stored.
2.2.2. Administrative Measures
TEKSOY TOURISM takes the following administrative measures for all environments where personal data is stored, in accordance with the nature of the relevant data and the environment in which it is held:
- Awareness and training programs are conducted to increase the awareness and consciousness of all TEKSOY TOURISM employees who have access to personal data about information security, personal data, and the privacy of private life.
- Administrative and technical consultancy services are obtained to follow developments in information security, the privacy of private life, and the protection of personal data and to take necessary actions.
- In cases where personal data is transferred to third parties due to technical or administrative requirements, contracts are signed with these third parties for the protection of personal data, and all necessary care is taken to ensure that these third parties comply with their obligations in these contracts.
2.2.3. Internal Audit
TEKSOY TOURISM conducts internal audits for the implementation of the provisions of the Law and this Personal Data Storage and Destruction Policy and the Personal Data Processing and Protection Policy, in accordance with Article 12 of the Law.
In case of finding deficiencies or defects in the implementation of these provisions during internal audits, these deficiencies or defects are immediately corrected.
In the event of understanding, during the audit or in any other way, that personal data under the responsibility of TEKSOY TOURISM has been obtained by others through unlawful means, TEKSOY TOURISM reports this situation to the relevant person and the Board within the shortest time specified by the Law.
3.1. STORAGE AND DESTRUCTION REASONS
3.1.1. Storage Reasons
The personal data held within TEKSOY TOURISM is stored in accordance with the Personal Data Processing and Protection Policy and our legal obligations, as specified here, in line with the purposes and reasons.
3.1.2. Destruction Reasons
Personal data held within TEKSOY TOURISM is deleted, destroyed, or anonymized in accordance with this destruction policy if the relevant person requests it or if, despite being processed in accordance with the Law and other relevant laws, the processing of personal data becomes unnecessary due to the elimination of the reasons requiring its processing.
3.2. Destruction Methods
TEKSOY TOURISM, in accordance with the Personal Data Processing and Protection Policy and this Personal Data Storage and Destruction Policy, deletes, destroys, or anonymizes personal data it holds when the reasons requiring its processing cease to exist, either upon the request of the data subject or within the periods specified in this Personal Data Storage and Destruction Policy.The most commonly used deletion, destruction, and anonymization techniques by TEKSOY TOURISM are listed below:
3.2.1. Deletion Methods
"Printed Data Deletion Methods:
Personal data in printed format is deleted using the redaction method. The redaction process involves cutting the personal data on the relevant document where possible, and in cases where this is not possible, rendering it invisible using permanent ink that cannot be reversed and cannot be read with technological solutions.
Deletion Methods for Personal Data Stored in Cloud and Local Digital Environments:
Secure Deletion via Software
Personal data stored in cloud or local digital environments is digitally and irreversibly deleted through a digital command. This ensures that the deleted data cannot be recovered."
3.2.2. Destruction Methods,
"Data Destruction Methods for Personal Data Stored in Print Environment:
Documents stored in printed format are physically destroyed using document shredders to prevent them from being reassembled.
Data Destruction Methods for Personal Data Stored in Local Digital Environment:
Physical destruction involves the physical obliteration of optical and magnetic media containing personal data, such as melting, burning, or reducing to dust. Processes like melting, burning, turning into dust, or passing through a metal grinder ensure the data becomes inaccessible."
Degaussing involves subjecting magnetic media to a high magnetic field to disrupt the data on it, making it unreadable.
At least seven passes of random data consisting of 0s and 1s are written on magnetic and rewritable optical media to prevent the old data from being read and recovered.
Data Destruction Methods for Personal Data Stored in Cloud Environment:
Secure Deletion via Software
Personal data stored in the cloud is digitally and irreversibly deleted through a digital command, and all copies of the encryption keys necessary to make the personal data usable are destroyed when the cloud computing service relationship ends. This ensures that the deleted data cannot be recovered."
3.2.3. Anonymization Methods
Anonymization is the process of rendering personal data so that it cannot be associated with any identified or identifiable natural person by any means.
The removal of one or more direct identifiers from personal data related to an individual that could be used to identify that person in any way. This method can be used to anonymize personal data or to remove information that does not align with the purpose of data processing.
The process of deleting distinguishing information that may be exceptional in a data table where personal data is collectively anonymous.
The process of combining personal data from multiple individuals, removing distinguishing information, and transforming it into statistical data.
Lower and Upper Bound Coding / Global Coding
Variable intervals are defined for a specific variable and categorized. If the variable does not contain numerical values, similar data in the variable is categorized. Values that fall within the same category are combined.
With this method, all records in the data set are first arranged in a meaningful order, and then the entire set is divided into a certain number of subsets. Later, the average value of the variable for each subset is calculated, and the value of the variable for that subset is replaced with the average value. This process makes it difficult to associate the data with the individual, as indirect identifiers in the data are disrupted.
Data Mixing and Distortion
Direct or indirect identifiers within personal data are mixed or distorted with other values, making it challenging to link the data to the individual."
TEKSOY TOURISM may use statistical methods such as K-Anonymity, L-Diversity, and T-Closeness when anonymizing personal data, depending on the nature of the relevant data.
3.3. STORAGE AND DESTRUCTION PERIODS
3.3.1. Storage Periods
Primary personnel data related to notifications on service duration and remuneration submitted to the Social Security Institution through employment documents
Maintained for a period of 10 (ten) years from the continuation of the employment contract and its termination.
Personnel data other than primary personnel data related to notifications on service duration and remuneration submitted to the Social Security Institution through employment documents
Maintained for a period of 10 (ten) years from the continuation of the employment contract and the start of the following calendar year.
Workplace Personal Health File Data
Maintained for a period of 10 (ten) years from the continuation of the employment contract and its termination.
Business Partner / Solution Partner / Consultant
Identity information, contact information, and financial information related to the conduct of the commercial relationship between the Business Partner / Solution Partner / Consultant and TEKSOY TURİZM, as well as the employee data of the Business Partner / Solution Partner / Consultant
Maintained for a period of 10 years from the end of the commercial relationship between the Business Partner / Solution Partner / Consultant and TEKSOY TURİZM, in accordance with Turkish Code of Obligations Item 146 and Turkish Commercial Code Article 82.
Name, surname, e-mail address, and browsing activity information of the Internet Site Visitor
Maintained for a period of 2 (two) years.
Resume and information provided in the job application form for the Job Applicant
Maintained for a maximum of 2 (two) years or until the resume becomes outdated.
Information in the intern file related to the intern
Maintained for a period of 10 (ten) years from the continuation of the internship and the start of the following calendar year.
Identity Information (Name-surname, accompanying guest(s) name-surname, nationality, place and date of birth), TC identity, driver's license and passport numbers (including date and place of issue), contact information (address, telephone number, e-mail address), financial information (invoice information, bank account information, payment card number, and other payment details, Loyalty Program memberships, information related to purchased products or services), customer reviews, feedback, and complaint data (Special preferences in accommodation, marketing, and communication; evaluations, opinions, or complaints about brands and facilities), records of customers and all other third parties, and other information (Reservation information, travel history, information about vehicles used to reach the facility, reserved hotel, airline, and car rental packages, groups associated with staying at the facility, frequent flyer or Travel Partnership Program memberships and membership numbers, information provided in membership and account applications)
Maintained for a period of 10 (ten) years from the delivery of each product/service to the customer, in accordance with Turkish Code of Obligations Article 146 and Turkish Commercial Code Item 82.
Identity information, contact information, and financial information obtained during discussions for the establishment of a commercial relationship with the Potential Customer
Maintained for a period of 2 (two) years.
TEKSOY TURİZM’s Collaboration with Institutions/Companies (Supplier, Producer, Dealer/Franchise)
Identity information, contact information, and financial information related to the conduct of the commercial relationship between TEKSOY TURİZM and the Institutions/Companies with which it collaborates, as well as the employee data of the collaborating Institutions/Companies
Maintained for a period of 10 years from the end of the commercial relationship between the collaborating Institutions/Companies and TEKSOY TURİZM, in accordance with Turkish Code of Obligations Item 146 and Turkish Commercial Code Article 82.
*If the regulations prescribe a longer period or if a longer period is stipulated by the legislation for statutes of limitations, expiration of rights, retention periods, etc., the statutory terms are considered as the maximum retention period.
3.3.2. Destruction Periods
TEKSOY TOURISM deletes, destroys, or anonymizes personal data for which it is responsible in the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data arises, in accordance with the Law, relevant legislation, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy.If the relevant person requests the deletion or destruction of their personal data in accordance with Items 13 of the Law;
1. If all the processing conditions for personal data have ceased; TEKSOY TURİZM shall erase, destroy, or anonymize the requested personal data within 30 (thirty) days from the date of the request, providing the justification for such action. For TEKSOY TURİZM to consider a request received, the relevant individual must submit the request in accordance with the provisions of Item 13 of the Law. In any case, TEKSOY TURİZM informs the data subject about the transaction.
2. If all the processing conditions for personal data have not ceased to exist, this request may be rejected by TEKSOY TOURISM, with the reason being explained, in accordance with the third paragraph of Item 13 of the Law, and the rejection response is notified to the data subject in writing or electronically within a maximum of 30 (thirty) days.
3.4. PERIODIC DESTRUCTION
In case all the processing conditions specified in the law for personal data are no longer valid; TEKSOY TOURISM deletes, destroys, or anonymizes personal data whose processing conditions have ceased to exist through a process to be carried out periodically, as specified in this policy.Periodic destruction processes start on [start date] and recur every 6 (six) months.
3.5. AUDIT OF THE LEGALITY OF THE DESTRUCTION PROCESS
TEKSOY TOURISM carries out destruction processes, both upon request and in periodic processes, in compliance with the Law, other legislation, the Personal Data Processing and Protection Policy, and this Personal Data Storage and Destruction Policy, to ensure the legality of these processes.
TEKSOY TOURISM takes some administrative and technical measures to ensure that these processes are carried out in accordance with these regulations.
3.5.1. Technical Measures
- TEKSOY TOURISM ensures the security of the place where the destruction processes are carried out.
- TEKSOY TOURISM keeps access records of individuals performing the destruction process.
- TEKSOY TOURISM employs competent and experienced personnel to perform the destruction process or obtains services from competent third parties when necessary.
3.5.2. Administrative Measures
- TEKSOY TOURISM conducts studies to increase the awareness and consciousness of employees who will perform the destruction process regarding information security, personal data, and the privacy of private life.
- TEKSOY TOURISM obtains administrative and technical consultancy services to follow developments in information security, the privacy of private life, and secure destruction techniques and to take necessary actions.In cases where the destruction process is carried out by third parties due to technical or administrative requirements,
- TEKSOY TOURISM signs protocols with these third parties for the protection of personal data, and all necessary care is taken to ensure that these third parties comply with their obligations in these protocols.
- TEKSOY TOURISM regularly checks whether destruction processes are carried out in accordance with the Law and the conditions and obligations specified in this Personal Data Storage and Destruction Policy, takes the necessary actions.
- TEKSOY TOURISM records all processes related to the deletion, destruction, and anonymization of personal data and keeps these records for at least three years, excluding other legal obligations.
TEKSOY TOURISM establishes a Personal Data Committee. The Personal Data Committee is authorized and responsible for performing the necessary procedures and processes to ensure that the data of relevant individuals are stored and processed in accordance with the law, the Personal Data Processing and Protection Policy, and the Personal Data Storage and Destruction Policy.
The Personal Data Committee consists of two members, including one manager and one administrative specialist. The titles and job descriptions of TEKSOY TOURISM employees assigned to the Personal Data Committee are specified below:
Personal Data Committee Manager
Responsible for directing all planning, analysis, research, and risk identification activities in projects carried out during the compliance process with the law; managing processes to be carried out in accordance with the Law, the Policy on the Processing and Protection of Personal Data, and the Policy on the Storage and Destruction of Personal Data; and making decisions on requests received from relevant individuals.
Personal Data Committee Specialist (Administrative):
Responsible for examining and reporting requests from relevant individuals to the Personal Data Committee Manager for evaluation; carrying out processes related to requests evaluated and decided by the Personal Data Committee Manager in accordance with the decision of the Personal Data Committee Manager; overseeing storage and destruction processes, reporting the results of these audits to the Personal Data Committee Manager; and being responsible for the execution of storage and destruction processes.
TEKSOY TURİZM reserves the right to make changes to the Policy on the Storage and Destruction of Personal Data, either due to amendments in the law, institutional decisions, or developments in the tourism sector or the field of information technology.
Any changes made to this Personal Data Storage and Destruction Policy are promptly incorporated into the text, and explanations regarding the modifications are provided at the end of the policy.
5.1. CHANGE NOTES
23.11.2023 : The Personal Data Storage and Destruction Policy has been published.
No changes have been made to this policy at an earlier date.
If all the conditions for processing personal data specified in the Law cease to exist, the deletion, destruction, or anonymization process, as specified in the data retention and destruction policy and automatically performed at recurring intervals, will be carried out