Thank you for your subscription

We’ll let you know about our campaigns very soon.

INFORMATION ON PROCESSING OF PERSONAL DATA

INFORMATION ON PROCESSING OF PERSONAL DATA 

Dear Clients, Guests, Passengers and Business Partners,

As per the Law on the Protection of Personal Data numbered 6698, which was published in the Official Gazette dated 07.04.2016 and numbered 29677 (“LPPD”), your personal data permitted under LPPD may be processed by our Company, ATÜ Turizm İşletmeciliği A.Ş., as a “Data Supervisor” within the boundaries and under the circumstances set forth in the LPPD.

At duty-free stores operated by our Company (“Stores”), sales are made in compliance with the provisions of the Customs Law numbered 4458 and the Customs Regulation comprising the Customs Warehouse Regime and the relevant articles of the Regulation on Duty-Free Stores, published in the Official Gazette dated 08.08.2017 and numbered 30148, the Tax Procedural Law numbered 213, and provisions of other legislation concerning the Stores, including but not limited to the decisions and orders of competent authorities (“Legislation”).

Pursuant to the Legislation; the following are mandatory: issuance of a Sales Note for each sale made at the Stores, insertion in the Sales Note the names and surnames of persons who have a  right to shop from the Stores (“Right Holders”), the boarding cards or passport numbers of passengers who will travel abroad, the passport numbers of passengers who come from abroad, the landing card numbers or passport numbers of transit passengers and other passenger and sale information (“Personal Data”), and retention of the Sales Note for a period of time set forth in the Legislation.

We, in the capacity of a “Data Supervisor” within the scope of LPPD, kindly notify you that;

  • In order to fulfill our abovementioned legal obligations set forth in the Legislation, the Personal Data of the Right Holders is obtained by us, recorded, retained, analyzed via automatic systems, classified, and where the Legislation requires and/or permits, is disclosed and conveyed to third persons, administrative and public authorities;
  • There are closed circuit camera systems in the Stores and the persons present at the Stores are continuously and regularly being monitored by video surveillance due to the Legislation and Airport security rules;
  • The procedure regarding the collection of Personal Data during the sales made to the Right Holders includes scanning the passports or boarding cards of the Right Holders through passport readers, recording the same to the Sales Note, and the collection of the same as written and electronic data, image recording by monitoring through closed circuit camera systems;
  • Within the scope of LPPD, you have the right resort to our Company and to be informed about whether or not your personal data has been processed; if it has been processed, to request information in this respect; to be informed regarding the purpose of the processing and whether or not the data has been utilized in compliance with such purpose; to know the domestic and foreign third persons that the data has been conveyed to; if your personal data has been deficiently or incorrectly processed, to request the correction of the same; if the reasons which require the personal data to be processed are removed, to request the deletion or disposal of the data; to request that the transactions performed are notified to third persons to whom the data was transferred; to object to any outcome against you exclusively through an analysis of automatic systems; and if you incur any damage due to the processing of your personal data contrary to LPPD, to request that such damage is cured;
  • As per Article 13/1 of LPPD, you may send your request in written or in other way, determined by the Council on Protection of Personal Data, in order to use your rights explained above, to our Company; since the Council on Protection of Personal Data has not determined a method yet, you may send your request in written to our Company, as per LPPD; to do so, you may send your request, including your identity information and choice of right as per Article 11 of LPPD, by filling out the form at www.atu.com.tr and sending the signed copy of it to Büyükdere Cad., Bengün Han No:107/8, Gayrettepe, Şişli, İstanbul with your identity documents by hand, via notary public or other methods as per LPPD; or you may send the relevant form to kvkk_iletisim@atu.com.tr with the electronic signature. 

 

ATÜ Turizm İşletmeciliği A.Ş.

Registered Address     : Büyükdere Caddesi, Bengün Han, No:107/8, Gayrettepe/İstanbul

Telephone Number      : +90212 465 43 27

Central Registration System (Mersis) No: 0913002582400015

   

  

PERSONAL DATA PROTECTION AND PROCESSING REGULATION

 

 

CONTENTS 

CHAPTER 1

PURPOSE, SCOPE, DEFINITIONS AND BASIS 

CHAPTER 2

GENERAL PRINCIPLES

PART I: GENERAL INFORMATION AND MAIN PRINCIPLES

PART II. PRECAUTIONS TAKEN FOR DATA PROTECTION

PART III: PROCESSING TAPE RECORDS OF SECURITY CAMERAS

PART IV: MONITORING ENTRANCE AND EXITS OF GUESTS AT BUILDINGS AND FACILITIES OF THE COMPANY

PART V: SAVING INTERNET ACCESS RECORDS OF GUESTS AT THE COMPANY

PART VI: ENFORCEMENT AND EXECUTION

CHAPTER 3

ROLES AND RESPONSIBILITIES 

CHAPTER 4

EXECUTION

CHAPTER 5

ANNEXES

 CHAPTER 1

PURPOSE, SCOPE, DEFINITIONS AND BASIS 

Purpose

Article 1:

 

The Personal Data Protection Law (“PDP Law”) no. 6698 published in the Official Gazette no. 29677 on 7 April 2016. PDP Law has been established to protect the fundamental rights and freedoms of natural persons, which are also protected by the Constitution, including the privacy of personal life, whose personal data are processed, and to set forth obligations of natural and legal persons who process personal data and procedures and principles to comply with for the same.

 

The confidentiality and security of personal data of the customers, potential customers, employees, job candidates, stakeholders, business partners, shareholders and institutions, authorities, third parties and their employees in collaboration have vital importance for ATÜ Turizm İşletmeciliği A.Ş. (“ATÜ” or “the Company”) as defined below. The aim of ATÜ is to establish a data protection and processing regulation at international standards and properly meet the necessities required to comply with the PDP Law through efforts which have been initiated before the law entered into force and that are still going on. The main purpose of herein this Regulation is to provide transparency by informing the persons, firstly those mentioned above, whose personal data are being processed by ATÜ.

 

Scope

Article 2:

 

Personal Data Protection and Processing Regulation (“the Regulation”) discloses the principles adopted by ATÜ in protecting and processing personal data. Besides, the reasons for processing data by ATÜ, personal data collection methods, the legal purposes for collecting data, for whom and what purposes may the processed personal data be transferred, and the rights of the related authorities are also explained herein this Regulation.  

 

ATÜ is considered as a “Data Controller” within the framework of its business activities as per the PDP Law, thus the information and principles stated herein this Regulation shall be valid for ATÜ. ATÜ accepted this Regulation to be valid as of 7 October 2016 by acknowledging it. The Regulation shall be published on the official website of ATÜ and access shall be provided to the concerning persons upon the demand of personal data owners.

 

Descriptions

Article 3:

 

Explicit Consent: The consent given in a limited fashion for data processing regarding a subject matter to give information by one’s free will.  

 

Anonymization: Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.

 

Personal Data Owner: Real person whose data is processed. For example; Customers, suppliers, visitors, employees and job candidates.  

 

Personal Data: Any information relating to an identified or identifiable natural person. Therefore, processing data regarding legal persons is not included in the PDP Law. For example; name-surname, TR ID No., e-mail, address, date and place of birth, social security number, VCR images, credit card number, bank account number, etc.  

 

 

Special Categories of Personal Data: Data that may cause harm or discrimination against the Personal Data owner when disclosed. (Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.)

 

Processing of Personal Data: Any operation which is performed upon personal data such as collection, recording, storage, safeguard, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.

 

Data Violations: The incidents featuring rightful doubts about obtaining, collecting, altering, copying, distributing and using personal data illegally.

 

Basis

Article 4:

 

Herein this Regulation is drawn up based on the PDP Law and the related legislation to protect and process the personal data by ATÜ.

 

CHAPTER 2

GENERAL PRINCIPLES

Article 5:

 

PART I: GENERAL INFORMATION AND MAIN PRINCIPLES

 

ATÜ shall process personal data within the limits stipulated by the legislation as follows.  

 

1.1. Collection Method of Personal Data:

 

The personal data which are processed may vary according to the type and quality of the products and services of ATÜ. The personal data can be collected in verbal, written or electronically through offices, call centers, the web site, social media channels, institutions in business relations, shareholders, etc. by automatic means or otherwise than by automatic means.

 

As long as the products and services of ATÜ are utilized, the personal data shall be processed and updated when needed to ensure that the data are accurate and current. Besides the personal data shall also be processed by ATÜ during the following instances:

 

- When the office buildings and airports operated by ATÜ are visited in person to benefit from product and services of the companies.

- When call centers are contacted.

- When the web pages and/or other social and digital channels are visited.

- When the events, seminars, organizations and training programs of ATÜ are participated.

 

1.2 Methods and Grounds of Collecting Personal Data

 

The personal data shall be collected and processed to develop and apply commercial and business strategies, execute human resources policies and for other purposes that shall be notified during obtaining the Personal Data within the context of personal data processing conditions and purposes stated in 5th and 6th articles of PDP Law as well as for the purposes stated below:

 

 (i) Data of customers and business partners;

 

  • Data processing for contractual relationship; Personal data of a customer (customer and potential customers) or business partner (to the authorized deputy when the business partner is a legal identity) can be processed without getting consent to draw up, execute or terminate a Contract. The personal data can be processed before and during the enforcement of the Agreement for the following purposes: to prepare an offer or a purchasing offer or to meet the demands of the Personal Data Owner regarding the execution of the Contract.
  • Data processing for the legal liability of the Company or due to explicit stipulation by the Law; The personal data can also be processed without consent when it is explicitly stated in the related legislation or to fulfill a legal obligation defined by the legislation. The type and scope of the data processing should be deemed necessary for legal data processing and be in conformity with the related legal clauses.
  • Data processing serving to the legitimate interest of the company; Personal Data can also be processed without getting approval when it is required for a legitimate interest of the Company. Legitimate interests are generally legal (Ex. Recovery of Debts) or economic (Ex. Avoid Breaching the Contracts) interests.  
  • User information and the Internet; Confidentiality notification should be given to the related persons when personal data is collected, processed and utilized from the web sites and applications.

 

 (ii) Personnel information;

 

  • Data processing concerning business relation; Personal Data in business relations are processed without getting approval due to necessity to establish, execute and terminate a business contract. Personal Data of job candidates are processed when the business relation starts. If the job candidate is not found eligible, his/her data shall be saved for another candidate selection period for a valid time set for data protection, and deleted, destructed or anonymized at the end of this time.
  • Data processing as explicitly stipulated by the Law or due to the legal obligation of the Company; Personal Data of the employee can be processed without getting approval as it is explicitly stated by the relevant legislation or to fulfill a legal obligation defined by the legislation.
  • Processing data in accordance with the legitimate interest; Personal Data of the employee can be processed without getting approval when it is required by a legitimate interest of the Company. (Ex. Filing, enforcing or defending legal rights, or assessment of the Company). In personal circumstances which require the protection of employees’ interests, personal data are not processed to serve the purposes of legitimate interests. Data are controlled before processing to check if there are any interests to be protected. The processing of data shall be controlled to ensure that it is done taking the legitimate interests of the Company into consideration respecting the concerning limitations. The legitimate interest of the Company in taking this precaution for control is checking that no right of the related employee is violated and if it is limited and proportionate to the purposes for which data are processed.
  • Data processed by exclusively automatic systems: If personal data is processed exclusively by exclusively automatic systems as part of business relation, (ex. As part of personnel selection or evaluation of talent profiles), the Employee has the right to get a result against himself/herself).

 

The grounds for personal data processing can be only one of the following while more than one of the following conditions can be the reason for personal data processing.

 

a. Explicit Consent of Personal Data Owner   

 

Getting the explicit consent of the data owner is one of the conditions for processing personal data. The explicit consent of the data owner should be related to a specific subject, informative and given freely. Data shall be processed within the scope of the explicit consent of the data owner and for the purposes stated in the explicit consent. As a rule, if the other conditions stated-below are met, obtaining the explicit consent of the data owner is not necessary.  

 

b. It is Expressly Permitted by the Laws

 

The personal data of the data owner shall be processed in compliance with the law if it is expressly stipulated by the Law. In circumstances that data processing is permitted by the Laws, the data is processed as per the reason stated by the Law and limited by the data categories.  

 

c. Inability to Obtain Explicit Consent due to Physical Incapability

 

The personal data of the data owner  can be processed when it is necessary to protect the life or physical integrity of the data owner  or another person where the data owner  is physically or legally incapable of giving consent or his/her consent could not be deemed as valid.

 

d. Direct Relation to the Execution or Performance of the Contract  

 

The personal data can be processed (provided that the data owner  is one of the parties of the contract that is directly related to the execution or performance of the contract), when it is necessary to process the personal data of parties of a contract provided that the processing is directly related to the execution or performance of the contract.

 

e. Fulfilling Legal Obligations  

 

Personal data of the data owner can be processed when it is compulsory for ATÜ to fulfill its legal obligations.

 

f. Disclosure of Personal Data by Personal Data Owner   

 

If the relevant information is revealed to the public by the data owner herself/himself, the related personal data can be processed as limited by the purpose of disclosure.

 

g. Obligatory Data Processing for the Institution or Protection of a Right

 

The personal data of the data owner shall be processed when it is compulsory for the institution, usage, or protection of a right.

 

h. It is Obligatory for the Legitimate Interests of the Data Controller

 

The personal data of the data owner can be processed if it is necessary for the legitimate interests of ATÜ, provided that no harm is done to the fundamental rights and freedoms of the data owner.

 

It is prohibited to process special categories of personal data as defined in the PDP Law without obtaining the explicit consent of the data owner. If there is no explicit consent of the data owner, the personal data can only be processed in the following circumstances provided that the required precautions to be determined by the PDP Committee are taken.

 

 (i) Personal data other than relating to health and sexual life of the data owner may be processed without obtaining explicit consent of the data owner in the circumstances stipulated by the Laws.  

(ii) Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data owner  for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or   authorized institutions and organizations.

 

1.3. Processing Personal Data as Stipulated by the Principles in the Legislation

 

ATÜ shall meet the general principles and conditions featured in the legislation regarding protection and processing of personal data act in conformity with the principles stated below. Personal data shall only be processed in accordance with the procedures and principles set forth by this Law or other laws.

 

1.3.1. Processing Personal Data in Conformity with the Law and Good Faith  

 

ATÜ shall process personal data in conformity with the law and good faith as per the 4th article of PDP Law, adopt “transparency” principle towards data owners and inform data owners about the utilization of their data. The data owners shall be informed in a transparent and honest manner, the purposes of data processing and utilization is conveyed clearly, and the data are processed in that framework. The personal data shall not be utilized to impact data owner adversely without any legal grounds.  

 

1.3.2. Ensuring Accuracy and Up-to-Datedness of Personal Data  

 

ATÜ shall ensure that the personal data processed are accurate and up-to-date. For that reason, any changes regarding the accuracy and up-to-datedness of personal data should be notified to kvkk_iletisim@atu.com.tr. The personnel data shall be updated through Oracle or the software used in the Company.   

 

1.3.3. Personal data are Processed for Specified, Explicit, and Legitimate Purposes

 

ATÜ shall collect and process personal data for legitimate and legal purposes. ATÜ shall process personal data proportionate and relevant to the business activities as required.

 

1.3.4. Being Relevant, Limited and Proportionate to the Purposes of Data Process

 

ATÜ shall avoid processing personal data which are unrequired and irrelevant for the purposes of processing. Within that framework, it is aimed to minimize data processing activities.

 

1.3.5. Being Stored Only for the Time Designated by Relevant Legislation or Necessitated by the Purpose for which Data are Collected.

 

ATÜ shall store personal data which are processed in accordance with the Clause 138 of Turkish Penalty Law and the Articles no. 4 and 7 of PDP Law, only for the time designated by the relevant legislation or necessitated by the purpose for which data are processed. The first step is to determine if there is a time designated by relevant legislation for storing personal data to be processed. If there is a legal time-period, the data is stored for that time. If no time is designated legally, the time needed for processing shall be set and personal data shall be stored within the limits of that time. When that time is terminated, and if there are no legal grounds to keep those data longer, personal data shall be deleted, destroyed or anonymized either ex officio by ATÜ or upon request by the data owner  via the application form attached and with different techniques. When the personal data are deleted by the subject methods, these data shall not be reused or retrieved. However, in the events that the data controller has legitimate interest, the personal data can be stored until the termination of legal time-period (ten years) defined by the Debts Law even though the purpose of processing and the periods designated by the laws are finalized, provided that the fundamental rights and freedoms of data owners are not harmed. Upon the termination of legal time-period, the personal data shall be deleted, destructed or anonymized in accordance with the afore-mentioned procedure.

 

1.3.6. Confidentiality of Personal Data and Data Security

 

Personal data are subject to confidentiality. All necessary technical and organizational measures should be taken to prevent unlawful access, illegal transactions, sharing, losing by mistake, alteration or destruction and they should be kept confidential in personal level.

 

1.4. Security of Personal Data  

 

ATÜ shall take all necessary technical and organizational measures in accordance with Article 12 of the PDP Law to prevent unlawful processing of personal data and unlawful access to personal data, safeguard personal data and prevent unlawful processing of personal data by 3rd parties.

 

1.5. Transfer of Personal Data

 

The personal data can be transferred to fulfill the purposes stated herein this Regulation to business partners of ATÜ limited by meeting the founding purposes of the business partnership, shareholders, legally authorized public institutions and organizations, legally authorized private legal entities, suppliers of ATÜ limited with the purpose of providing the required services to carry out the commercial activities by outsourcing via the suppliers, service providers, or to other third parties and/or abroad, by taking the necessary security precautions within the framework of personal data processing conditions and purposes mentioned in the 8th and 9th Articles of the PDP Law.

           

            1.5.1. Transfer of Personal Data Abroad

 

ATÜ shall transfer personal data to foreign countries which are announced as having adequate protection by PDP Committee or in case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board for foreign countries (“Foreign Country having Adequate Level of Protection”) exists. ATÜ shall act in accordance with the arrangements stipulated in the 9th article of the PDP Law.

 

1.6. The Rights of the Data Owner Listed in the 11th Article of the PDP Law

 

The rights of the data owner pursuant to the 11th article of PDP Law are as follows:

 

a) Learn whether or not her/his personal data have been processed;

b) Request information as to processing if her/his data have been processed;

c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;

ç) Know the third parties in the country or abroad to whom personal data have been transferred;

d) Request rectification in case personal data are processed incompletely or inaccurately;

e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7;

f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred;

g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems;

h) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data

 

1.7. Application to the Data Controller

 

Personal Data Owners should convey their requests within the scope of the 11th article of the PDP Law as listed above, with the copy of the application letter attached herein this Regulation with wet signature to the communication addresses of ATÜ, through postal mail, e-mail or registered letter with return receipt or other methods to be determined by Personal Data Protection Committee. The detailed information about filling in the form or sending it to ATÜ are stated herein the application form attached.  

 

ATÜ shall conclude the requests as soon as possible considering the nature of the request and within 30 days at the latest. The conclusion of the evaluation shall be notified to the data owner in writing or electronically and if the request is accepted, it shall be fulfilled by the data controller as per the PDP Law.

 

In case the application is rejected, replied insufficiently, or not replied in due time; the data owner  may file a complaint to the Personal Data Protection Committee following the date he/she learns the reply of the data controller and in any event, within 60 days following the date of application as per 14th article of the PDP Law.

 

1.8. Exceptions

 

Personal Data Owner shall not demand their rights mentioned above for the following circumstances which are not included in the PDP Law, therefore ATÜ are not under the obligation to fulfill these requests. Provisions of this Law shall not be applied in the following cases: 

 

  • Processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics and similar.
  • Processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression, provided that national defense, national security, public safety, public order, economic safety, privacy of personal life or personal rights are not violated.
  • Processing of personal data within the scope of preventive, protective and intelligence-related activities by public institutions and organizations who are assigned and authorized for providing national defense, national security, public safety, public order or economic safety.
  • Processing of personal data by judicial authorities and execution agencies with regard to investigation, prosecution, adjudication or execution procedures.

 

As per the PDP Law, Personal Data Owners shall not demand their rights mentioned above for the following circumstances other than the right to claim compensation for their losses:

 

  • Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.
  • Processing of personal data is necessary for prevention of crime or investigation of a crime.
  • Processing of personal data revealed to the public by the data owner herself/himself. Processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.
  • Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.

 

The accuracy of the data disclosed and keeping them up-to-date are important for usage of rights on data as per the PDP Law and other related legislation. The Personal Data Owner  shall be responsible from the results of giving false data.

 

Article 6:

 

PART II: PRECAUTIONS TAKEN TO ESTABLISH DATA SECURITY

 

ATÜ shall take all necessary technical and organizational measures for providing an appropriate level of security to protect personal data. The precautions stipulated in the article 12(1) of the PDP Law are as follows:  

 

  • Prevent unlawful processing of personal data,
  • Prevent unlawful access to personal data,
  • Safeguard personal data.

 

The precautions taken by ATÜ within that scope are mentioned below:

 

Organizational Precautions:

 

• ATÜ shall carry out or have the necessary inspections done at their organizations to ensure the execution of the provisions of the PDP Law.

• In case processed personal data are acquired by others through unlawful means, ATÜ shall notify the data owner and the Committee of such situation as soon as possible.

• Regarding the disclosure of personal data, ATÜ shall sign a framework agreement with the persons whom data is shared, or data security shall be ensured by including additional clauses to the agreements.  

• ATÜ has experienced staff having the know-how on protecting, processing, preventing unlawful access, safeguarding them in a secure environment and shall give the necessary PDP Training on these subjects.  

• ATÜ shall supervise if the confidential information under its responsibility are protected in conformity with the PDP Law by ATÜ or third persons when it is deemed necessary.

 Technical Precautions:

ATÜ shall:

• Employ experienced staff having the know-how on protecting, processing, preventing unlawful access, saving them in a secure environment and give the necessary PDP Training on these subjects.  

• Carry out necessary internal controls.   

• Execute risk analysis, data classification, IT risk assessment and business impact analysis regarding IT systems.

• Ensure that the technical infrastructure is set up and related matrixes are developed to prevent and/or monitor the leakage of personal data outside ATÜ.

• Keep data access authorization of IT departments’ staff under control.  

• Take technical precautions in parallel with technological developments to prevent unlawful access to personal data; update and renew them periodically.

• Utilize systems designed in parallel with technological developments to safeguard personal data and use back-up programs in compatible with legal considerations.

 

Article 7:

 PART III: PROCESSING SECURITY VCR DATA  

Video camera recordings of visitors, employees and other related persons shall be taken by ATÜ via security cameras in accordance with the basic principles stipulated in the PDP Law and featured herein this Regulation to ensure general and commercial security of facilities and companies. These VCR data shall be kept for an appropriate time according to the purposes for processing data physically or electronically. There are visible warning signs at the places where VCRs are taken to notify data owners. Monitoring via security cameras by ATÜ shall be carried out in accordance with the Law on Private Security Services and related legislation. Besides ATÜ shall take necessary steps to fulfill responsibilities stipulated in all concerning legislations, primarily the PDP Law to protect personal data.  No VCR shall be done in places having a high-level of privacy.  

Article 8:

PART IV: MONITORING ENTRANCE AND EXITS OF GUESTS AT BUILDINGS AND FACILITIES OF ATÜ

Personal data processing regarding monitoring entrance and exits of guests shall be performed by ATÜ to establish security and fulfill purposes stated herein this Regulation.

Article 9:

PART V: SAVING INTERNET ACCESS RECORDS OF GUESTS AT BUILDINGS AND FACILITIES OF ATÜ

In order to ensure security and fulfill purposes stated herein this Regulation, ATÜ may provide Internet access to the visitors upon their request for the time they spend in the buildings and facilities of ATÜ. The log records regarding their Internet access as per the mandatory provisions of the legislation arranged in accordance with the Law no.  5651 and the legislation arranged in accordance with that Law; these records can only be processed when demanded by authorized public institutions and organizations or to meet the legal responsibility regarding auditing processes performed at ATÜ.

Article 10: 

PART VI: ENFORCEMENT AND EXECUTION

Herein this Regulation has been entered into force on 09.04.2018. In the event that whole or certain clauses of herein this Regulation shall be updated, the updated parts would enter into force on the date they are published. The Regulation shall be published with its updated version on www.atu.com.tr and access shall be provided to the related persons upon the request of personal data owners.  In the event of a discrepancy with articles of the PDP Law and the other legislation, firstly PDP Law and other related legislation clauses shall be executed.   

CHAPTER 3

ROLES AND RESPONSIBILITIES

Article 11:

The Regulation shall be followed-up by ATÜ Turizm İşletmeciliği A.Ş. Legal Directorate and Human Resources.

- Data Controller; ATÜ shall be responsible for determining the purposes and means of the processing of personal data, establishing and managing the filing system and shall enregister as the Data Controller when Data Controllers’ Registry opens.

- Data Controller Representative; ATÜ shall assign data controller representative required for registry to the Data Controllers’ Registry when Data Controllers’ Registry is established for all subsidiaries in its organizational structure. The Data Controller Representative shall be a specialist who would be responsible for protecting and processing all personal data, taking security measures and managing and executing regular audits.

- Data Processor: Natural or legal person who processes personal data based on the authority granted by and on behalf of ATÜ

- Responsibility; In the event that personal data are processed by another natural or legal person on behalf of ATÜ, then ATÜ, as the data controller, and data processors shall be jointly responsible for taking the required precautions. As the data controller, ATÜ shall supervise periodically whether the data processors are complying to the confidentiality policy to ensure that the business partners, service providers, suppliers and subcontractors are providing the same level of security as ATÜ to the data owners.  

CHAPTER 4

EXECUTION

Article 12:

This regulation shall be executed by ATÜ Turizm İşletmeciliği A.Ş. Legal Directorate and Human Resources. 

CHAPTER 5

ATTACHMENTS

Article 13:

ATTACHMENT -1     Data Owner Application Form

ATÜ TURİZM İŞLETMECİLİĞİ A.Ş.

DATA OWNER APPLICATION FORM

1. GENERAL

This Application Form has been prepared by ATÜ Turizm İşletmeciliği A.Ş. (“ATÜ” or “Company”) who act as data controller in order to be able to evaluate and analyse in an effective and comprehensive manner, the applications which will be made by your end, data owners, in accordance with Articles 11 and 13 of Personal Data Protection Law numbered 6698 (“PDP Law”).

2. APPLICATION  

You, data owners, in accordance with articles 11 and 13 of PDP Law, may send your requests in written to our Company regarding the implementation of PDP Law by filling out this form or by other procedures that the Board will determine with following methods;

  • Making an individual application with a wet signed copy of this application form to Büyükdere Cad. Bengün Han No.107/8 Gayrettepe Şişli/İstanbul,
  • Sending by registered letter a wet signed copy of this application form to Büyükdere Cad. Bengün Han No.107/8 Gayrettepe Şişli/İstanbul,
  • Sending a wet signed copy of this application form to the following e-mail addresses with e-signature; address kvkk_iletisim@atu.com.tr

You, data owners, may benefit from this right provided that your applications are made in Turkish.

 3. INFORMATION ABOUT DATA OWNER   

We kindly ask you to complete the following chart in order to ensure that we can recognize you and to make the necessary research, evaluation and analysis in relation to your application which will be made in accordance with the relevant article of PDP Law.

Name and Surname*   

 

Nationality for foreigners) *

 

Turkish Republic Identity Number for Turkish Citizens or Passport or Identity Number for Foreigners *

 

Address*                                 

 

Phone  Number*

 

E-mail *

 

Fax Number (optional)

 

 

* Compulsory fields

The personal data that you have provided above are only obtained for the purposes of evaluating and concluding this form and communicating with you, and are not subject to data processing for any other purpose.

Please indicate below whether your relationship still continue with ATÜ by marking the appropriate option.

Client                           .......                                         Employee candidate     .......

Business Partner           .......                                         Employee                    .......

Visitor                          .......                                         Other                           (__ )

 

4. REQUESTS OF DATA OWNERS   

As a data owner, please tick the relevant box on the list below for the case(s) you would like to have information under Articles 11th and 13th of the PDP Law.   

REQUEST

INFORMATION/DOCUMENT REQUIRED

YOUR CHOICE

1.  I would like to be informed whether my personal data is being processed by ATÜ.

Please indicate if you require an information regarding a specific personal data...........................................

 

2.  I would like to learn the purpose of processing of my personal data by ATÜ.

Please indicate if you require an information regarding a specific personal data...........................................

 

3.  I would like to be informed whether my personal data is being used by ATÜ in compliance with it’s purpose.

Please indicate if you require an information regarding a specific personal data...........................................

 

4.  I would like to be informed of any unrelated persons residing within the country or overseas to whom the data is transferred.

Please indicate if you require an information regarding a specific personal data...........................................

 

5.  I think my personal data is being processed incompletely and/or inaccurately and I request rectification.

Please specify the data which is processed incompletely and/or inaccurately and explain how it should be………………………………….

 

6.  I request my personal data which I believe processed incompletely and/or inaccurately to be rectified before any unrelated persons to whom it is transferred.

Please specify the data which is processed incompletely and/or inaccurately and explain how it should be…………………………………………………………

 

 

 

7.  I request deletion and/or destruction of my personal data since the reasons for processing have been disappeared.

Please indicate your personal data subject to your request and the result of which you are of the opinion that against you. against you in your opinions. Please attach to subject Form the certifying documents in this regard as well.

 

8.  I request deletion and/or destruction of my personal data before any unrelated persons to whom it is transferred since the reasons for processing have been disappeared.

If your subject request relates only to a part of your personal data, please indicate these datas together with the documents certifying the reason of this request. Please attach to subject Form the certifying documents in this regard as well.

 

9.  I believe my personal data which is processed by ATÜ is being analyzed exclusively through automated system and I object to the conclusion occured against me as a result of such analyzing.

Please indicate the reason of your request and the result of your right of information request. Please attach to subject Form the certifying documents in this regard as well.

 

10.  I request compensation for the damages I suffer as a result of unlawful processing of my personal data.

Please indicate below the reason of your request and the damage you suffered; Please attach to subject Form the certifying documents (Decisions of Courts or Personal Data Protection Board) in this regard as well.

 

 

 

It is required to submit a notarised power of attorney together with this Form in case applications are made by a third person on behalf of the data owner and as for applications made on behalf of children under custody/guardianship, the documents certifying the custody/guardianship relation should be submitted together with this Form.

In order to ensure the security of your personal data, within seven (7) days from the date on which your right of information application is received by ATÜ, ATÜ may communicate with you and request some information and documents to confirm that you are the owner of the data. In this regard, the information and documents that you have provided us with will be destroyed immediately upon confirmation of your ownership of data.

In case the requested information and documents are incomplete, upon our request, the information and documents must be completed and communicated to us. Thirty (30) days period stipulated in article 13/2 of the PDP Law for concluding a request will be suspended until all required information and documents are communicated.

5. CONCLUSION OF REQUEST OF DATA OWNER   

According to the qualification of your request, it will be responded as soon as possible and not later than within thirty (30) days from the date of receipt of the request in accordance with PDP Law. Our responses and our assessments will be forwarded to your end according to your choice on the Application Form, in writing or electronically, in accordance with Article 13 of PDP Law. If you have a preference for receiving the application result via one of the following methods; mail, e-mail or fax, please indicate below:

I would like my application result to be sent to my e-mail address.      .......................

I would like my application result to be sent by post.                           .......................

I would like my application result to be sent by fax.                            .......................

Your requests will be concluded by ATÜ complimentarily and in case the responding process causes a cost, a fee may be charged as set out in the applicable legislation.

 6. DATA OWNER DECLARATION

I hereby request the evaluation and conclusion of my right to information application that I have made pursuant to the PDP Law within the scope of the above-mentioned request/requests and I accept, declare and undertake that the information and documents I have provided you with are accurate, current and belong to me.

DATA OWNER

Name and surname                  ...........................

Application date                       ...........................

Signature                                 ...........................

Join Our Newsletter Now!

Get all the news about our campaigns...