.
PROCESSING OF PERSONAL DATA
1. Method of Collecting Personal Data
In order to fulfill our obligations arising from the Law on Consumer Protection No. 6502 and the relevant regulations of the Distance Contracts Regulation, it is necessary to collect and use personal data. Your personal data may be collected automatically or non-automatically, physically, verbally, in writing, or electronically through our offices, our call center, our website, social media channels, and other means via our branches and sales agents. Your personal data may be processed as long as you benefit from our products and services, and may be updated when necessary to ensure its accuracy and relevance. In addition, your personal data may be processed when you physically visit Gezinomi offices and branches, use our call centers, visit our websites and/or other social and digital media, or participate in activities such as events, seminars, organizations, and training organized by our Company. The processing responsibilities of your personal data collected by our company units, call centers, and our website, which are stored in the Gezinomi system, is held by Holipedia as the Data Controller within the scope of the KVK Law and relevant legislation. However, if you benefit from Holipedia products and services through our sales agents, the responsibility for collecting, storing, and processing your personal data in accordance with the KVK Law and relevant legislation belongs to those respective parties.
2. Data Owners and Processed Personal Data
The Personal Data Processing and Protection Policy includes personal data of employees, interns, job applicants, customers, potential customers, suppliers, external service providers, and sales agent representatives, processed completely or partially automatically or through non-automated means as part of any data recording system. The categories of personal data processed by Gezinomi include; Identity Information, Contact Information, Location Information, Personal Information, Visual and Audio Recordings, Physical Space Security Information, Customer Transaction Information, Passport Information, Information Required for Visa Applications, Financial Information, Criminal Conviction and Security Information, Professional Experience Information, Education Information, Legal Transaction Information, Health Information, Family Information, Transaction Security Information, and Marketing Information. The processed personal data may vary depending on the services or products provided by Gezinomi.
3. Purposes of Processing Personal Data
The obtained Personal Data is processed by Gezinomi within the framework of the conditions for Personal Data Processing specified in Articles 5 and 6 of the Law; under the main purposes and related sub-purposes outlined below:
3.1. Within the scope of planning, developing, and implementing human resources policies and processes;
• Fulfillment of obligations arising from labor contracts and legislation for employees
• Management of employee benefits and interests processes
• Management of employee satisfaction and engagement processes
• Management of employment contracts
• Implementation of wage policy
• Conducting training activities
• Conducting talent and career development activities
• Conducting auditing and ethical activities
• Conducting internal audits/investigations/intelligence activities
• Management of performance evaluation processes
• Management of application processes for job candidates
• Management of selection and placement processes for candidates/interns
3.2. Within the scope of planning, executing, and managing corporate relations;
• Conducting communication activities
• Executing management activities
• Conducting assignment processes
• Planning organizations, meetings, invitations, and events and keeping records of attendees
• Executing social responsibility and civil society activities
• Conducting sponsorship activities
3.3. In the context of executing contract processes and planning, conducting, and implementing product and service sales;
• Executing finance and accounting work
• Executing contract processes
• Executing pricing processes
• Executing service sales processes
• Executing marketing processes for services
• Conducting marketing analysis studies
• Executing online requests
• Executing requests from agents and providing technical support to sub-agents
3.4. In the organization of package tours, transportation, accommodation, and other tourism services;
• Arranging flight tickets and transfer operations
• Providing travel insurance for passengers
• Creating reservations at hotels where customers will stay
• Providing guidance services
• Carrying out visa procedures if requested
3.5. For planning risk and opportunity management processes and implementing the Company Quality Policy and increasing brand awareness;
• Benefitting from state incentives and projects
• Receiving and evaluating recommendations for improving business processes
• Conducting strategic planning activities
• Executing investment processes
• Planning and executing actions to increase the perception level of company activities and the brand
3.6. Regarding the recording of call logs and the execution of social media and customer relationship management processes;
• Executing reservation processes
• Managing service post-sale support work
• Monitoring requests and complaints
• Executing cancellations, changes, and refund processes
• Implementing activities aimed at customer satisfaction
• Executing advertising/campaign/promotion processes
3.7. For ensuring the legal, technical, and commercial safety of the Company and other related parties within business relations;
• Ensuring physical space security
• Executing emergency management processes
• Creating and tracking visitor records
• Executing information security processes
• Managing access rights
• Ensuring the security of data controller operations
• Creating and developing software solutions needed by the Company and agents
3.8. In fulfilling the obligation to declare to the state and other legal obligations;
• Conducting activities in accordance with the Labor Law No. 4857, the Identity Notification Law No. 1774, the Private Security Services Law No. 5188, the Travel Agencies and Travel Agency Union Law No. 1618, the Travel Agencies Regulation, and other relevant legislation
• Conducting storage and archiving activities
• Providing information to authorized persons, institutions, and organizations
• Monitoring and executing legal affairs
3.9. In fulfilling the relevant provisions of the Occupational Health and Safety Law No. 6331;
• Evaluating the health status of employees concerning the nature of the work they will perform and making appropriate position changes based on the identified health status with their consent
• Taking necessary measures to detect and prevent occupational diseases
• Ensuring a healthy working environment
4. Legal Basis for Processing Personal Data
According to Article 5 of the Law, situations where personal data can be processed:
4.1. Obtaining the Explicit Consent of the Data Subject: Personal data cannot generally be processed without the explicit consent of the data subject. Explicit consent occurs when the data subject is informed on the relevant subject and their free will is obtained. Gezinomi processes personal data such as name, surname, phone number, and email address based on explicit consent to contact regarding advertisements, campaigns, promotions, and tours. If the data subject does not wish to receive notifications regarding these announcements, they have the right to withdraw their explicit consent. Personal data may be processed without obtaining the explicit consent of the data subject if one of the following conditions exists:
4.2. Explicitly Provided for in Laws: Personal data can be processed without the consent of the data subject if there is an explicit legal provision regarding the processing of personal data.
4.3. Inability to Obtain the Data Subject’s Consent Due to Physical Impossibility: Personal data can be processed in cases where the data subject cannot express their consent due to physical impossibility, or their consent cannot be deemed valid, and the processing is necessary to protect the life or physical integrity of that person or another.
4.4. Directly Related to the Establishment or Performance of a Contract: Personal data may be processed when necessary and directly related to the establishment or performance of a contract with the parties of that contract.
4.5. Fulfillment of the Legal Obligation of the Data Controller: Personal data may be processed if it is necessary to fulfill the legal obligations of the data controller.
4.6. Publicly Disclosed by the Data Subject: Personal data that has been publicly disclosed by the data subject can be processed within the limits of the purpose of disclosure.
4.7. Necessary for the Establishment, Usage, or Protection of a Right: Personal data may be processed when necessary for the establishment, usage, or protection of a right.
4.8. Necessary for the Legitimate Interests of the Data Controller: The data controller first determines the legitimate interest it will achieve by processing the personal data and evaluates the potential impact of processing on the rights and freedoms of the data subject, and if it believes that the balance of interests is not disrupted, it carries out the processing activity.
5. Processing and Protection of Special Categories of Personal Data
According to Article 6 of the Personal Data Protection Law No. 6698, special categories of personal data, which are limitedly specified in the law, can only be processed under the conditions mentioned below and with the necessary technical and administrative measures taken by the Data Controller in accordance with the principles outlined in this Policy and the Decision of the Board dated 31/01/2018 and numbered 2018/10:
5.1. Special categories of personal data other than health and sexual life may be processed without obtaining the explicit consent of the data subject, provided there is an explicit provision in the law regarding their processing. If not explicitly stated in the law, the explicit consent of the data subject will be obtained.
5.2. Special categories of personal data relating to health and sexual life can be processed without explicit consent if it is carried out by persons or authorized institutions and organizations who are under the obligation of confidentiality: for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and financing. Otherwise, the explicit consent of the data subject will be obtained.
6. SECURITY OF PERSONAL DATA
The right to request the protection of personal data has gained constitutional guarantee through an amendment made to the Constitution by Law No. 5982 in 2010, adding a clause to Article 20 of the Constitution, covering the “right to privacy and protection of personal life.” Holipedia, as per Article 12 of the Law, takes necessary technical and administrative measures along with cyber security measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data in accordance with its nature. It conducts necessary inspections and will inform relevant departments promptly in the event of a potential data breach.
7. TRANSFER OF PERSONAL DATA
Personal data can be transferred without obtaining the explicit consent of the data subject provided that at least one of the following conditions exists, with all necessary security measures adopted by the Data Controller including those stipulated by the Board:
• Explicitly provided for in laws,
• Directly related and necessary for the establishment or performance of a contract,
• Necessary for the fulfillment of the legal obligation of the Data Controller,
• Limited for the purpose of disclosure by the data subject,
• Necessary for the establishment, usage, or protection of the rights of the Data Controller or the data subject or third parties,
• Necessary for the legitimate interests of the Data Controller, without harming the fundamental rights and freedoms of the data subject,
• Necessary to protect the life or bodily integrity of a person who cannot express their consent due to physical impossibility or in cases where their consent cannot be legally recognized.
Additionally, personal data may be transferred to foreign countries deemed to have adequate protection by the Board under any of the above conditions. If adequate protection is not present, it may be transferred to foreign countries that provide adequate protection in writing and have the approval of the Personal Data Protection Board.
While Gezinomi performs its travel agency activities, it makes agreements with third-party supplier companies and carries out reservation records for the services to be provided in your name. Your personal data may be shared with or legally or practically transmitted to public institutions and organizations with which we work, or third-party real or legal persons, service providers, and supplier companies, insurance companies, accommodation companies, airline companies, companies providing terrestrial and maritime transportation services, car rental companies, transfer personnel, and individuals and organizations related to the service provided.
Gezinomi may transfer personal data to third parties domestically and abroad under the conditions specified in Articles 8 and 9 of the Law, provided that at least one of the conditions mentioned above exists or by obtaining the explicit consent of the data subject; including to:
Legally authorized public institutions and organizations (for the purposes of providing information to authorized persons, benefiting from state incentives and projects, and fulfilling legal obligations)
Outsourced legal firms (for monitoring and executing legal affairs)
Insurance companies (for carrying out insurance transactions)
Suppliers (for the execution of hotel reservations, ticket, and transfer processes)
External service providers (for obtaining services necessary for the company's activities)
Partner banks (for conducting banking transactions)
Agents (for executing agency contract processes)
8. RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS
8.1. Rights of the Personal Data Owner
• Learn whether your personal data is being processed,
• Request information about your personal data if it has been processed,
• Learn the purpose of processing your personal data and whether they are used in accordance with their purpose,
• Know third parties to whom your personal data is transferred, domestically or abroad,
• Request correction of your personal data in case of incomplete or incorrect processing and demand that the operation made be notified to the third parties to whom your personal data has been transferred,
• Request the deletion or destruction of personal data despite being processed in accordance with the Law and other relevant legal provisions when the reasons necessitating the processing have ceased and demand that the operation made be notified to the third parties to whom your personal data has been transferred,
• Object to the emergence of any result against you due to the analysis of processed data exclusively through automated systems,
• Request compensation for damages arisen from the unlawful processing of your personal data.
8.2. Exercising the Rights of the Personal Data Owner
.
In the application, your name, surname, and if the application is written, your signature, your Turkish ID number for Turkish citizens, nationality, passport number, or ID number if available, your address for notifications, your electronic mail address if available, your phone and fax numbers, and the subject of the request must be included. The relevant information and documents regarding the subject should be attached to the application. In applications made without filling in the application form, all the aforementioned elements must be communicated to our Company completely. Otherwise, the application will not be considered valid.
For third parties to request on behalf of individuals whose personal data has been processed, a special power of attorney prepared through a notary must be available, designating the individual making the request.
Our Company may request verifying information from the applicant regarding whether they are the relevant person, and to ensure that the application results are communicated to the correct person. (For example, verification such as sending a message to your registered phone or calling you may be required.)
Your request in the application will be concluded as soon as possible and within at most 30 days free of charge, depending on the nature of the request. However, if the process incurs an additional cost for the company, a fee will be charged in accordance with the tariff determined by the Personal Data Protection Board. If your request is accepted, the necessary actions will be taken. However, if your request is rejected as a result of examination and evaluation, it will be communicated to you in writing or electronically along with the reasons for the rejection.
You may find detailed information regarding your rights related to the application to the data controller and your complaint rights in Articles 13, 14, and 15 of the Law.
8.3. Rejection of the Personal Data Owner's Application
According to Article 28 of the Law, the data controller may reject the request of the data subject, providing the reason, in cases such as:
• Processing of personal data by natural persons related wholly or partly to themselves or family members living in the same household, without disclosing to third parties and complying with data security obligations.
• Processing of personal data for research, planning, and statistics purposes by using official statistics and anonymizing it.
• Processing of personal data for purposes of national defense, national security, public safety, public order, economic security, privacy of private life, or protection of personality rights, without violating them or committing a crime in the context of artistic, historical, literary or scientific purposes or freedom of expression.
• Processing of personal data within preventive, protective, and intelligence activities carried out by public institutions and organizations authorized and assigned by law to provide national defense, national security, public safety, or economic security.
• Processing of personal data by judicial authorities or enforcement agencies regarding investigations, prosecutions, trials, or execution proceedings.
Articles regarding the data controller's obligation to provide information, except for the right to request compensation for damages, will not be applied in cases stated in Article 28/2 of the Law.
• Data processing is needed for preventing crime or for an inquiry.
• Personal data that has been disclosed by the related person.
• Data processing is necessary to ensure the control and regulation actions conducted by authorized and competent public institutions and organizations established by law.
• Personal data processing is necessary to protect the State's economic and financial interests concerning budget, taxes, and financial issues.
9. INFORMATION ABOUT THE DATA CONTROLLER
Company Name: Holipedia Tourist Services
Phone: 0850 3021340
10. EFFECTIVE DATE AND IMPLEMENTATION OF THE POLICY
This Policy came into effect on 8/01/2024. The version published on 25.12.2019 by Holipedia was updated by the effective date of this Policy. Holipedia reserves the right to make changes to this Policy to provide updated information regarding practices and legal regulations regarding the protection of personal data. In case of updates of the entire Policy or specific articles, the updates will come into effect on the date they are published.
11. DEFINITIONS AND FUNDAMENTAL PRINCIPLES
11.1. Definitions
Personal Data: Any information related to an identified or identifiable natural person.
Special Categories of Personal Data: Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or any other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data are considered special categories of personal data.
Explicit Consent: The consent that is informed and freely given regarding a specific topic. The data subject always has the right to withdraw their consent.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Relevant Person/Data Subject: The real person whose personal data is being processed.
Processing of Personal Data: Any operation performed on personal data, whether automatically or non-automatically as part of any data recording system, including collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, retrieval, classification, or preventing its use.
Data Recording System: The system in which personal data is structured and processed according to specific criteria.
Anonymization: The process of rendering personal data in such a way that it can no longer be associated with an identified or identifiable natural person, even when matched with other data.
The Board: Refers to the Personal Data Protection Board.
The Authority: Refers to the Personal Data Protection Authority.
Data Processor: The natural or legal person who processes personal data on behalf of the Data Controller based on the authority given by the Data Controller.
Contact Person: The person responsible for communication between the Data Controller and the relevant person or between the Data Protection Authority.
11.2. Fundamental Principles
Gezinomi has adopted the following principles to ensure the processing and protection of personal data in accordance with the GDPR on an international level, especially based on Article 20 of the Constitution of the Turkish Republic and Law No. 6698 on the Protection of Personal Data, as well as in compliance with secondary regulations and decisions of the Personal Data Protection Board:
• Lawfulness and Fairness Principle: It processes the least amount of data possible while considering the reasonable expectations of the data subjects, ensuring that the data processing activity is transparent for the relevant person and fulfilling the obligation of notification.
• Accuracy and Up-to-date Data Principle: It pays attention to ensuring the accuracy and timeliness of personal data, ensuring that data is updated and verified when necessary.
• Purpose Limitation Principle: It processes personal data only for specific, explicit, and legitimate purposes and does not process personal data for any other purposes.
• Data Minimization Principle: It limits data processing activities to only those data necessary for achieving the purpose, avoiding unnecessary data collection.
• Retention Limitation Principle: Gezinomi retains the processed personal data only for the period required by the relevant legislation and for the duration necessary for the purpose of processing, in accordance with the Turkish Penal Code Article 138 and the KVKK Articles 4 and 7. The company first identifies if there is a specific retention period in the relevant legislation. If there is a defined period, it acts in accordance with it. If no legal period is specified, it determines the period necessary for the achievement of the processing purpose and retains personal data only for that duration. Upon expiry of the designated retention periods, personal data is destroyed at periodic destruction intervals or upon the request of the data subject using destruction methods (deletion and/or destruction and/or anonymization).
APPENDIX: Table on Data Retention Periods Based on Processes
PROCESS RETENTION PERIODPersonal Data Processed Under the Labor Law For 10 years after the end of the Employment RelationshipPersonal Data Processed Under Occupational Health and Safety For 15 years after the end of the Employment RelationshipPersonal Data Processed Under Contractual Processes For 10 years after the end of the ContractSupplier Personal Data For 10 years after the end of the Legal RelationshipCustomer Personal Data For 10 years after the end of the Legal RelationshipPersonal Data Processed for Institutional Communication Activities For 10 years after the end of the ActivityCommercial Electronic Mail Consent Records For 3 Years from the Date of Withdrawal of ConsentDestruction Deletion Anonymization Record Process For 3 years from the Date of the TransactionLocation Data 1 yearCamera Recordings 1 monthCall Center Audio Recordings 10 yearsVisual and Audio Records Obtained at Events and Organizations 10 years
Our partners
