DISCLOSURE TEXT

VENÜS OTEL İŞLETMECİLİĞİ A.Ş.’ (VENÜS HOTEL ADMINISTRATION COMMERCIAL ENTERPRISE INCORPORATED) – THE POLICY OF THE PROTECTION AND PROCESSING OF THE PERSONAL DATA AND CONFIDENTIALITY.

As being ‘Venüs Otel İşletmeciliği A.Ş.’ (VENÜS HOTEL ADMINISTRATION COMMERCIAL ENTERPRISE INCORPORATED) (will be referred as “Wyndham Garden Lara Hotel”), we are extremely sensitive towards the security of your personal data and maintaining complete conformity with the law on the Protection of the Personal Data numbered 6698 and other regulations towards the implementation of this law. With this consciousness, we perform all operations regarding the processing, storage, transfer of all kinds of personal data that belongs to all individuals that we have acquired during our activities with conformity to the Law on the Protection of Personal Data with number 6698 and the relevant legislations. With full comprehension of this responsibility we possess, as being the one who is in charge of your Data, all necessary administrative and technical precautions are taken towards maintaining the security order that is appropriate for the protection of your personal data.

During your visit of this web-site and when you utilize our services offered through this web-site, regarding how the information we acquired will be used and protected regarding you and the services you requested are subject to the conditions specified in hereby “Policy of Confidentiality”. By visiting this web-site and by requesting to utilize our services we offer through this web-site, you confirm these conditions stated in hereby “Confidentiality Policy”.

1.THE SCOPE AND PURPOSE OF THE POLICY OF THE PROTECTION AND PROCESSING OF THE PERSONAL DATA.
Maintaining conformity to liabilities regarding the regulations on the Protection of the Personal Data, protecting the personal data processing activity and its confidentiality that is conducted as appropriate to law and that is accumulated by the company with automatic and non-automatic methods through businesses, branches, agencies, call centers and similar mediums in oral, written or electronic forms, informing the people whose personal data are processed by our company regarding the process and the control and precautions in the company by specifying the relevant responsible staff in the company and so enabling the transparency.

The following are included to the Policy of the Protection of the Personal Data: all processed personal data of; authorized company employees, company shareholders, employees, the employee candidates, suppliers, customers, potential customers, vendors, members, subscribers, visitors, business partners, the relevant individuals who visit our internet web-sites and our mobile applications, shortly all real persons related – including the ones who utilize our company products and services and not limited with the ones stated.

2.DEFINITIONS
Explicit Consent: The consent given by free expression about a specific issue and based on information receival.
Anonymisation : The alteration of a personal data in an irrevocable way which loses its personal data feature. For example: making a data that is no more linkable to a specific real person through masking, data distortion, etc. techniques.
The processing of the personal data : All kinds of operations that are performed on the data such as their acquirement through automatic and non-automatic means, saving, storage, keeping, alteration, rearrangement, expression, transfer, take over, making acquirable, classification, distortion; with the condition that personal data shall be a part of a data system as a whole or partially.
The owner of the Personal Data / Relevant Person: The real person whose personal data is processed. Personal Data: All kinds of information that belong to the real person who can be identified or whose identity is certain. Therefore, the processing of the information regarding the legal entities is not within the boundaries of this Law. For instance; name-surname, TRID number, e-mail, address, date of birth, credit card number, bank account number, etc. Sensitive
Personal Data: The sensitive personal data are as follows: Nationality, ethnical background, political view, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership to associations, foundations or unions, health, sexual life, criminal convictions, and data regarding the security precautions and biometric and genetic data. Data Manager : The employee who is responsible from the data and determines the processing purposes and the mediums of the personal data and manages the place where the data is kept systematically (data saving system). Policy : The Policy of the Protection and Processing of the Personal Data of ‘Venüs Otel İşletmeciliği A.Ş’.

3.THE ISSUES RELATED TO THE PROCESSING OF THE PERSONAL DATA
3.1. BASIC PRINCIPLES REGARDING THE PROCESSING OF THE PERSONAL DATA
Our company processes the data in direction with the Constitution of the Republic of Turkey, law numbered 6698 regarding the protection of the personal data, and the provisions of other laws with which it shall be in accordance based on its activities and the following basic principles are accepted in this context:
 

Processing as appropriate to the law and rules of honesty
While processing the personal data, our company works in accordance with the rules of honesty and principles stipulated by the laws.

Accuracy and the actuality of the Data
Our Company ensures that the data it is processing is correct and up-to-date in case it knows the data it is processing by considering the basic rights of the personal data owners and its own legitimate benefits within the boundaries of the KVK law (The law on the protection of the personal data).

Processing with specific, overt and legitimate purposes
Our Company processes data in a way that is convenient for the realization of the purposes specified before and avoids processing information that is not related to purposes and not needed. In this respect, the processing of the personal data is within the boundaries of the activities and legal liabilities. The additional changes in the purposes are just in moderate scales and possible by the justification.

Being connected with their purposes and to be moderate and limited in scales
The realization of the purposes of our company are within the boundaries of legal and legitimate benefits and the data is processes in this respect; the personal data processing that is not within the purposes and has no legal and legitimate benefits is not carried out.

Keeping as necessary for the purposes or as stipulated by the relevant Law.
Our Company keeps the personal data for a time period as stipulated in the relevant law and other legislations or as necessary for the purposes. They are processed for a required period in accordance with the applications of our Company and the commercial customary practice If the processing purposes are completed and also the relevant legislation period and also the company’s keeping period are ended, personal data can be kept to be used as evidence in legal disputes for the claims to be asserted or the defense to be constituted. In such a case, the personal data kept cannot be reached for any other purposes, however can be accessed to be used in relevant legal disputes.

3.2. THE PURPOSES OF PROCESSING OF THE PERSONAL DATA
Our Company processes your personal data for the following purposes as stated below (however as not limited with these) within these boundaries: the required works conducted by the relevant unit for the realization of our activities performed and the execution of the work processes connected with these; the required works conducted and the related work processes are executed for making the relevant individuals to make use of the products and services presented by our Company; Providing commercial-business security of the Relevant Individuals that are in business relationship with our Company; Planning and Execution of the work strategies of our Company; Planning and Execution of human resources policies and processes.

* The planning and implementation of the activities and operation processes;
* The implementation of the activities in accordance with the legislations and conforming with the liabilities of keeping the information, reporting and providing information as stipulated by the legislations and the relevant authorities;
* Enabling the fulfillment of the legal liabilities as required or as being compulsory by the legal regulations;
* Service and after sales support systems, customer satisfaction, corporate communication activities, carrying out and the planning of the management processes of customer relations and customer requests and complaints;
* Planning and performing the activities of enabling the job continuity;
* Corporate sustainability, corporate management, strategic planning and the planning, audit and execution of the information security processes;
* Sales, Marketing and Promotion processes of products and services and planning and execution activities of detecting and personalizing likes, usage and service understanding;;
* Execution of membership processes through social networks;
* Conduct and Execution of Call Center processes;
* Sales, Marketing and Promotion processes of products and services and planning and execution activities of detecting and personalizing likes, usage and service understanding;
* Execution of membership processes through social networks;
* Conduct and Execution of Call Center processes;
* Execution of the works conducted with business partners, vendors or suppliers and the relationship management;
* The execution of Finance and Accounting works
* The execution of Insurance Processes;
* Following contract processes or legal requests;
* Following and executing legal works;
* The physical location procurement of company center and facilities
* Providing legal and commercial security of our Company and the individuals that are in business relationship with our Company;
* Determining the commercial and business strategies of our Company and their application;
* The execution of the Human Resources Policies of our Company;
* The planning and execution of the recruitment and job quitting processes, management of human resources and personnel affairs.
* The evaluation of the job applications
* The planning and execution of sub employer personnel, extra personnel, foreign personnel.
* The execution of Job health and security processes.
* The execution of Card membership program.
* Answering requests such as transfer, meeting, transfer of the missing belongings.
* The planning and execution of sub employer personnel, extra personnel, foreign personnel.
• Making and following visitor entries • Execution of the activities of keeping and archiving. As a rule, our Company takes the explicit consents of the data owners (or the relevant individuals) for data processing. However, when one of the conditions stated in Article 5/2 or Article 6/3 of KVK Law is present, then no explicit consent is sought. These conditions are explained in detail below:

3.3. THE CONDITIONS, METHODS AND LEGAL PURPOSES OF PERSONAL DATA PROCESSING
The presence of the Explicit Consent of the Personal Data Owner
Personal data cannot be processed without explicit consent of the relevant person. Because the protection of the personal data is also a right stated in the constitution, our company processes the personal data in accordance with the constitution and in situations as seen appropriate in the law or as based on informing the person whom expressed these data with his/her own free will and explicit consent.

The situations that the personal data can be processed without the explicit consent of the data owner
If the data owner gives explicit consent, then the personal data can be processed in accordance with the law, however when one of the conditions below is present, then the personal data can be also processed without an explicit consent. As a rule, our company takes the explicit consent of the individual for the process of the personal data. However, when one of the conditions of personal data processing are present as stated in Article 5/2 and Article 6 of the KVK law below, then the explicit consent of the relevant person is not taken and the data is processed because of these conditions.

As explicitly stipulated by the law The personal data of the data owner can be taken without explicit consent and processed in accordance with the law when it is overtly stipulated in the law. For example: According to the Tax Procedure Law, when the ID information and address information is written in the invoice.

Because of actual impossibilities, the explicit consent is not taken
The individual can be in a situation that cannot express her/his explicit consent because of actual impossibilities or cannot have validity to its explicit consent, then the personal data of this data owner can be processed when it is compulsory for the protection of the body or life of this individual or another person, and in such cases, the personal data of the data owner can be processed. For example when a guest accommodates at the hotel feels faint and in such cases, the identity information of the guest is given to the health personnel.verilmesi

To be directly related with the Agreement concluded or its execution
With the condition that it is directly related with concluding an agreement or its execution, when the personal data of the parties of the agreement are required, then personal data can be processed. For example: Within the domain of the agreement concluded between our Company and the supplier, for the execution of the agreement, entering the financial information of the supplier.

Legal Liability
For the fulfillment of legal liabilities, our company can process the personal data of the person as it is compulsory. For example: Presenting the personal data of the data owner when requested by the courts.
Making the personal data owner’s data as publicly known
When the person’s data is made publicly known by herself/himself, then the personal data can be processed. For example: When the employee candidate publishes her/his CV on internet web-sites.
When the data processing is compulsory for establishing a right or its protection Personal data can be processed when the data processing is compulsory for establishing a right or its protection. For example: Keeping the data as evidence and using when necessary (for example, accommodation forms and invoices of the customers accommodate in our Company hotels) When it is compulsory for the legitimate benefit of the Company With the condition of not damaging basic rights and liberties of the personal data owner, when it is necessary for the legitimate benefits of our Company, personal data of the data owner can be processed. For example: Making camera recording for the purposes of security in our Company hotels and facilities with the condition of not damaging the basic rights and liberties of the relevant person.

Your personal data can change depending on the service, product provided by our company or according to the commercial activity; and your personal data can be collected by automatic and non-automatic methods, through channels such as customer interviews-meetings, reservation forms, membership forms, subscriber forms, agency systems, and the channels by which our company and the individuals or organizations that can represent our company will have contact or has contact before, through systems by reaching to the databases of the agencies within the framework of the permits provided by the contracts concluded and in such levels, by reaching to the databases of the public institutions and establishments as stipulated by the legal legislations and within the boundaries drawn, through web-site, mobile applications and social media accounts by offering communication and information regarding our services and products and for the execution of the surveys, customer satisfaction and marketing activities and also with the mediums such as offices, branches, facilities, call centers, travel agencies, supplier companies, vendors and similar ones with oral or written forms and as written or electronically. Besides, your personal data can also be processed with the cookies in the web-site of our company.

The personal data that are collected with these methods can be processed and transferred as stipulated by the 5th and 6th articles of the KVK law, within the stated purposes and conditions of the data processing.

3.4. DETERMINING AND CLASSIFYING THE PERSONAL DATA OWNERS
The personal data of the data owners are processed in accordance with the KVK Law Article 10; by informing the relevant individuals, within the purposes of personal data processing and as based on and limited with the conditions stated in the 5th and 6th Articles of the KVK Law and primarily as appropriate to the rules of honesty and laws as stated in the 4th article as correct and updated when necessary with specific, overt and legitimate purposes and as moderate, limited and connected with the purposes and also all in accordance with all liabilities and general principles stated in the KVK Law.

Within the context of our herby policy regarding the processing of these personal data, the personal data owners are classified as Company Authorized Personnel, Company Shareholders, Employees, Employee Candidates, Customers, Potential Customers, Visitors, Third Persons, Members, Subscribers, Business Partners, Suppliers, Vendors and the below explanations are provided.

Personal Data Owners within the context of our policy regarding the processing of these personal data regarding the personal data processed by our Company. Personal data owners whose data are processed by our company are classified within below context and the ones out of this domain can also send their requests to our Company within the context of the KVK Law and they will also be evaluated.

DATA OWNERS
Company authorized personnel: Management Board Members of our Company and other authorized real persons.
Company shareholders: Real persons that are the shareholders of our Company.
Employees: Real persons working in the domain of our Company.
Employee Candidate: Individuals who have applied to our company in a way and opened their personal information and resume to the examination of our Company.
Customer: Real persons who use or have used the products and services offered by the Company without checking whether s/he has any contract relationship with our Company. Potential
Customer: Real persons who have requested to use the products and services of our Company or interested with them or who are evaluated as they can be interested with our products and services in accordance with the rules of honesty and commercial customary practice. Visitor/Outside participant: Real persons who visit our web-sites or entered the hotels and other facilities of our Company.
Third person: The other real persons who are in relationship with the people to protect the rights of the personal data owners and in direction with the legitimate benefits that are not within the context of the Personal data Protection and Processing Policy. (Such as family members and relatives, companion, guarantor)
Members/Subscribers: People who participates to the Program with agreement that are prepared to provide advantages such as promotion, introduction, point accumulation and general and specific campaigns in the hotels and facilities of our Company.
Business Partners, Suppliers: The employees of the companies that our company is in all kinds of business relationship (partner, supplier, but not limited with these) and the relevant real persons including the shareholders and the authorized personnel of this company. Vendors: The relevant real persons and the authorized personnel, shareholders, employees of the companies that our Company is in business relationship within the boundaries of the legal relationship and vendor agreements.

3.5. DETERMINING THE PERSONAL DATA AND ASSOCIATING THEM WITH THE PERSONAL DATA OWNERS
Determining the personal data

Our Company processes the following personal data that are determined in direction with the conditions and basic principles within the context of the KVK Law and its data processing purposes as legitimate and legally appropriate as required by the 10th Article of the KVK Law through informing the relevant individuals partially or completely automatically or as a part of the data entry system non-automatically.

PERSONAL DATA
ID Information: Documents such as ID Card, Driver’s License, Passport, Occupational Identities, that include information such as Name-Surname, T.R/ID Number, Nationality, Place of Birth, Date of Birth, Mother’s name, Father’s name and also information such as Tax number, Social Security Number, signature information, vehicle plate, etc.

Contact Information: Information such as Address, Telephone, Fax, E-mail, etc. Information of Family Members and the Relatives: Identity and contact information of the family members and relatives of the data owner and also such information of the other people that can be contacted in emergency situations, to protect the legal and legitimate benefits of the personal data owner regarding the products and services offered by the Company.

Information of Physical Location and Security: Camera records of the entry and exits in the facilities and during the stay in the facility that are owned by the Company and the information regarding the records and documents that are taken for the security reasons.

Visual and Audio Information: The pictures and camera records that are not within the context of the Physical Location Security and about the products and services offered by the Company and the documents, information and audio records that are as the copies of the documents with personal data. Operation Security Information: Information such as entry and exit to our Company Internet Web-Site and to our applications, information of passwords, IP Addresses, etc. Financial Information: Within the boundaries of the contractual and legal relationship that the Company has built with the data owner; information such as bank account number, IBAN number, credit card information, wealth information with movable and immovable properties, income and all kinds of financial documents and information. Risk Management Information: Information that is processed with methods as appropriate to the rules of honesty for the management of commercial, technical, administrative risks. Location Information: Information that detects the location while the employees use the company cars and the information regarding the travel data, within the operations conducted by the units of our Company. Marketing Information: The data processed towards making marketing and promotion in direction with the usage habits, choices, satisfactions and needs of the data owners regarding the products and services offered by our Company and the information regarding the reports prepared in this respect. Personnel Affairs Information: All kinds of information, resume information, payroll information, etc. of the real persons that are in work relationship with our Company and the employees of our Company and the employee candidates that opened their personal information to the examination of our Company. Legal Operation Information: The information in the correspondences with the legal authorized units during the relevant cases regarding our legal receivables and debts and their conducts and executions.
Customer Operation Information: Call center entries, invoices, notes, cheques, customer request information, vendor order information, request information, etc. Sensitive Information: The data stated in the 6th Article of the KVK Law. Associating the Personal Data with the Data Owners Within our policy, the processing of the personal data regarding the personal data processed by our Company is stated below and shows which personal data are processed.

PERSONAL DATA OWNERS
PERSONAL DATA

Company Authorized Personnel
Identity Information, Contact Information, Physical Location Security Information, Financial Information, Location Information, Family Members Information, Visual and Audio Information, Sensitive Personal Data

Company Shareholders
Identity Information, Contact Information, Physical Location Security Information, Financial Information, Location Information, Family Members Information, Visual and Audio Information, Sensitive Personal Data

Employee
Identity Information, Contact Information, Physical Location Security Information, Financial Information, Family Members Information, Visual and Audio Information, Location Information, Personnel Affairs Information, Legal Operation Information, Sensitive Personal Data

Employee Candidate Identity
Information, Contact Information, Physical Location Security Information, Financial Information, Family Members Information, Visual and Audio Information, Personnel Affairs Information, Sensitive Personal Data Customer Identity Information, Contact Information, Physical Location Security Information, Financial Information, Family Members Information, Visual and Audio Information, Marketing Information,

Customer Operation Information, Legal Operation Information, Sensitive Personal Data Potential Customer Identity Information, Contact Information, Physical Location Security Information, Financial Information, Family Members Information, Visual and Audio Information, Marketing Information, Customer Operation Information, Sensitive Personal Data Visitor/Outside Participant Identity Information, Contact Information, Physical Location Security Information, Visual and Audio Information, Customer Operation Information Third Person Identity Information, Contact Information, Physical Location Security Information, Family Members Information, Visual and Audio Information, Members/Subscribers Identity Information, Contact Information, Physical Location Security Information, Financial Information, Family Members Information, Visual and Audio Information, Marketing Information, Legal Operation Information, Sensitive Personal Data

Business Partners/Suppliers Identity Information, Contact Information, Physical Location Security Information, Financial Information, Visual and Audio Information, Legal Operation Information, Sensitive Personal Data Vendors Identity Information, Contact Information, Physical Location Security Information, Financial Information, Visual and Audio Information, Customer Operation Information, Legal Operation Information, Sensitive Personal Data

3.6. PROCESSING OF THE SENSITIVE DATA
At the 6th Article of the KVK Law, some personal data are specified as “sensitive” which have risks of causing discrimination or unjust treatment of the individuals when the data is processed. These data are as follows: nationality, ethnical background, political view, philosophical belief, religion, sect or other beliefs, clothing and appearance, membership to foundations, associations or unions, health, sexual life, criminal convictions and the data regarding the security precautions and the biometric and genetic data. Sensitive Personal Data are processed in the following situations with the condition of taking necessary precautions specified by the Board of the Protection of the Personal Data “Board”:

* Sensitive Personal Data apart from the relevant person’s health and sexual life, in the conditions stipulated by the law;
* Sensitive Personal Data regarding the relevant person’s health and sexual life can only be processed for the purposes of the protection of the public health, protective medical profession, medical diagnosis, execution of the treatment and care services, planning of the health services and their financing and management, by the individuals and authorized institutions and establishments and all under the liability of keeping the confidential information as secret.

When the conditions of data processing as explained above are not present, the relevant persons are given disclosure texts and their explicit consents are received with their free will and for a specific subject based on informing. In this context, by expressing the identity of the company, the disclosure text is provided stating that; on what purposes the sensitive personal data will be processed and to whom and with what purposes these can be transferred and its method and legal purpose and the rights people have within the context of the KVK Law Article 11.

3.7. THE PROCESSING OF THE SECURITY CAMERA RECORDS
In our Company, center, facility and enterprises, the camera recording is performed for providing security. The personal data processing activities that are conducted with the security cameras by our Company are conducted in accordance with the Constitution, KVK Law and other relevant legislations.

Our Company processes data within the context of camera recording, automatically and for the purposes of increasing the quality of the services offered, providing their trust, providing the life safety and property safety of our Company, Employees, the relevant person and other people, to prevent misconduct and providing the legal and commercial job security and providing security as a general term and based on the legal grounding as stated in 5th Article of KVK Law as follows: “it is compulsory for the data manager to fulfill its legal liability” and “with the condition of not damaging the basic rights and liberties of the relevant individual, because data processing is compulsory for the legitimate benefits of our Company”.

That relevant information can be transferred to law enforcement officers or to authorized legal offices when requested as required by the relevant legislations or in order to eliminate legal disputes. Our Company, as appropriate to KVK Law Article 4, processes personal data as connected with their purposes of processing, moderately and in a limited manner. No video records are performed when it is more than the security purposes and which can damage the confidentiality and the privacy of the personal life. General areas are recorded such as; center, the entry doors of our facility and enterprises, building outer front, restaurant, cafe, lobby, visitor waiting room, elevator, parking lot, security room, floor corridors. In this context, the relevant people regarding the personal data processing activities are informed. However, because there is a legitimate benefit of our Company, their explicit consent is not asked. In accordance with the KVK Law Article 12, necessary technical and administrative precautions are taken for providing the security of the personal data that has been acquired as a result of camera recording activity.

3.8. PROCESSING OF THE ENTRIES REGARDING THE INTERNET ACCESS
When requested by our visitors, our Company can provide internet access during their accommodation in our facilities, center and the establishments with the purposes stated in our Policy and for providing the security. In such cases, the log entries regarding the internet access are recorded according to the Law numbered 5651 and the ordering provisions of the legislations prepared according to this law; these records are processed only when requested by the authorized public institutions and establishments or to fulfill our legal liability in the audit processes that will be conducted within our Company. The relevant access is provided by the Company employees just when requested by the authorized public institutions and establishments and to be used in the audit processes and transferred to the legally authorized persons.

3.9 PROCESSING OF THE PERSONAL DATA WHICH WERE COLLECTED THROUGH COOKIES
Our Company uses cookies for developing the operational style of our internet pages or mobile applications and their usage and tries to make your time in digital platforms more productive and joyful. Besides, we utilize some cookies to remind your previous choices in our web-sites and mobile applications and so we can offer a personalized experience to you as developed and according to your choices. Through cookies in our digital platforms, your personal data are processed and transferred. By our Company, in order to provide the security of the personal data collected through cookies, as appropriate to KVK Law Article 12, necessary technical and administrative precautions are taken.

4. THE ISSUES REGARDING THE TRANSFER OF THE PERSONAL DATA
Our Company takes necessary administrative and technical precautions in direction with its purposes of data processing and shows maximum effort and care about the share of this personal data within the country or abroad and carries out its activities in this respect in accordance with the current regulations. In this context, for the conduct of our services that our Company offers, we can share the personal data with our suppliers that we are in collaboration and we take service from and with our suppliers, business partners (software companies that provides information systems and technical support, consultancy companies, etc.), Directorate General of Security and law enforcement officers, Social Security Institution, Civil Registry Directorate, General Directorate of Revenue, Courts and other official institutions and establishments, with the agencies in or out of the country that we are in collaboration with, and with the third persons that offer travel service, with the vendors that we are in collaboration, with the representatives that we have authorized, with institutions that we work with, with attorneys, with the third persons that we receive consultancy including the tax consultants and auditors and the regulative institutions that performs inspections, the systems and institutions in and out of the country and/or other companies in our domain; all of these to realize the purposes stated in the Protection of the Personal Data and our Confidentiality Policy and to fulfill the liabilities arose from the Law in moderate levels and to be just limited with these purposes.

Besides, because of the technical details in the information systems of our Company, the acquired data can be transferred to abroad.

The relevant data can be stored and kept and classified as required by the marketing activities, financial and operational processes, can be updated with different periods and within the boundaries of the legislations and within the basis of confidentiality and as stipulated by the policies that we are connected to with our business partners and/or service providers and/or suppliers and/or third persons as required by the service and with the purposes stipulated by other authorities, can be transferred, stored, processed by reporting and a registry and document can be prepared to be basis for the operation on the electronic or paper form. The transfer can be conducted within the boundaries of the personal data processing conditions and purposes stated in the KVK Law 9th Article regarding the transfer of the personal data to foreign countries and the KVK Law 8th Article regarding the transfer of the personal data. When the conditions in Article 5/2 and 6/3 of the KVK Law are maintained, by taking the required precautions that are stipulated by the KVK board, the personal data and the sensitive personal data can be transferred without explicit consent of the relevant person.

5. PROTECTING THE RIGHTS OF THE PERSONAL DATA OWNER
5.1. THE RIGHTS OF THE DATA OWNER
Our company performs required operational informing and technical and administrative regulations to inform the data owners and to evaluate the requests regarding the rights of the personal data owners.
In this respect, our company makes disclosure regarding the following issues during the acquirement of the personal data, in accordance with the 10th article of the KVK Law (Law on the protection of the personal data):
* The identity of the data manager and if there is, the id of the representative,
* The purpose of the personal data processing,
* To whom and with what purposes the processed data are transferred or the third person categories,
* The method of the personal data collection and its legal purpose,
* The rights of the Personal data owner as stipulated by the 11th article of the KVK Law (Law on the protection of the personal data).
* When the personal data owner requests, our Company makes the necessary informing and announces to the personal data owners and these relevant people within the boundaries of our and hereby this Personal Data Protection and our Confidentiality Policy with various overt and reachable documents that it makes business activities towards the principles stated within the domain of the KVK Law and the Constitution. If the personal data owners deliver their requests to our Company regarding their rights as stated below, the requests are concluded as soon as possible and latest in 30 days without any fee and according to the feature of the request. However, if the operation requires additional charges, then the required fee is received as specified by our Company, KVK Board or other authorities which is at the price list. Personal Data Owners have the following rights;
* Knowing if their data are processed or not,
* If processed, requesting information regarding this,
* Knowing the purposes of personal data processing and whether they are used for the purposes or not.
* Knowing the third persons that the personal data is transferred within the country or to abroad.
* When the personal data are processed as incomplete or wrong, requesting their correction and in this context, requesting the notification of this operation to third persons whom the data were transferred.
* Although the data were processed in conformity with KVK law and other provisions of the relevant laws, when the purposes for processing are no more present , then requesting their deletion and the notification of this operation to third parties whom the data were transferred.
* Objecting to a result that can occur against the person through the analysis of the data by automatic systems solely.
* When the person has a loss because of the illegal processing of the data, then s/he has rights to request the compensation of this loss.

5.2. PERSONAL DATA OWNER’S USING OF HIS/HER RIGHTS
Personal data owners can deliver their requests regarding their rights stated above by 11th Article of the KVK Law to our Company with the information and documents that can detect their identities and with the following methods and other methods determined by the Board.

You can submit your request to our Company about using your rights as stipulated by the 13th Article 1st paragraph of the KVK Law with the regulations in the relevant legislations and KVK Law and with the method(s) that will be determined by the Board, you can also submit your request by filling out and signing the application form in the Download Application Form web-address and with one of the methods below. You can submit us a signed copy of the form including your explanations regarding your rights you requested to this address by hand, with official documents that detects your identity (for example ID card, driver’s license, passport, etc.);
* Kemerağzı mah. Yaşar Sobutay Bulvarı, No:333 , Aksu –a Antalya / Türkiye
* You can send the form you’ll fill out and your official documents detecting your ID through Notary or
* You can send these in electronic form to this address as electronically signed or as mobile signed ; wyndhamgardenlara.com
* You can send your ID information (official documents detecting your ID) and the form you have filled out by using your e-mail address that is registered to our System that you have notified us before as data responsible. Our Company will reply latest in 30 days according to the feature of the request. The rights belonging to the personal data can just be used about these personal data. The requests of people other than this person with form and ID information will not be considered. The forms without official documents detecting the ID will not be considered. We’d like to remind you that even when the requests of deleting are completed, when requested by the official authorities, we are liable to share them this information with them. Third persons on behalf of the relevant persons cannot use the information requesting right stated in 11th Article of KVK Law. For the third persons to request information regarding the personal data, then a notary approved power of attorney with original signature shall be submitted on the name of the applicant. Our Company can request additional information and documents in order to detect if this is the relevant real person and ask questions to her/him regarding his/her application to make some issues on the application more clear. In cases below, the application of the applicant can be rejected by providing the reason:
* The processing of the personal data by anonymising with official statistics and processing with purposes of research, planning and statistics.
* The processing of the personal data for the purposes of arts, history, literature or scientific purposes or within the domain of free expression-speech with a condition that this shall not cause a crime or violates national defense, national security, public security, public order, financial security, the privacy of the private life and the personality rights.
* The processing of the personal data in order to provide national defense, national security, public security, public order or financial security and within the preventive, protective, and informative activities executed by the legally authorized public institutions and establishments.
* Processing of the personal data by the judgment offices or enforcement offices for investigation, prosecution, judgment or enforcement.
* When the personal data processing is required in order to prevent a crime or for a crime investigation.
* The processing of the personal data by the relevant person whom she/he had anonymised the data by herself/himself.
* When the personal data processing is required for the disciplinary investigation or prosecution and for the execution of the duties of audit and regulation by the occupational establishments that are in the form of public institution and by the authorized public institutions and based on the authority provided by the law on personal data processing.
* When the personal data processing is required for the protection of the financial and fiscal benefits of the State regarding budget, tax and fiscal issues.
* When the request of the relevant person has a possibility to prevent other persons’ rights and liberties.
* When the information requested by the applicant is a publicly known information.

5.3. PROVIDING SECURITY OF THE PERSONAL DATA
Our Company shows maximum effort and care to provide data security and in this respect, in conformity with the KVK Law Article 12, takes the following precautions and the stated aspects towards providing “data security”.
* All kinds of technical and administrative precautions are taken for the protection of the personal data and to prevent its illegal processing and access.
* The employees are informed and their pledges are received such that they shall not express their acquired data to another person as stipulated by the KVK law and not to use against the purpose of processing and this liability shall continue even though after they quit the job.
* The liabilities that our Company shall obey while processing the personal data as data manager and the relevant legal, technical and administrative precautions that it shall conform are also laid upon to the business partners, suppliers, consultants of our Company with agreements.
* Our Company takes organizational and technical precautions to prevent unauthorized access, illegal operations and sharing, losing or changing the data by mistake or the destruction and provides its confidentiality.
* Our Company maintains required audits or makes someone to make these in its domain and executes required activities for the implementation of the provisions of the KVK Law in its internal operation.
* When the processed data is acquired by other through illegal means, then this case is notified to the relevant responsible authorized person and the KVK board. 6.

DELETING, DESTROYING AND ANONYMISING THE PERSONAL DATA
When the storage periods ends and the required purposes are no more valid as stipulated by the Law and the relevant regulations, including the record keeping liabilities and operations of required record keeping as proofs, or by the request of our Company or the relevant person, the data are deleted, destroyed or anonymised.

DELETING PERSONAL DATA
Deleting the personal data is the process of deleting the personal data and making this data inaccessible in any way by the relevant users and making not usable again.
During the process of deleting the data stored in digital or physical environments that were processed with automatic or non-automatic methods, Our Company, first detects the personal data that can be subject for the deleting operation and the access and authorizations of the relevant users for each personal data, and also detects the access, recovery, reusing authorizations and methods of the detected users and then the access, recovery and reusing authorizations and methods are closed within the context of personal data of the relevant users. The examples on the Personal Data Deleting are provided below:
* Darkening: The data on the paper are deleted by using the method of Darkening. The data becomes unseen to the relevant users with technological solutions and in an irrevocable way by scratching and painting the whole personal data in a way that is no more possible to associate it with a real person whose identity is known or can be known.
* Deleting from the Server: The files kept on the digital environment are deleted with the delete order from the operating system and the relevant access rights of the user are removed.
* During deleting, our Company conforms to the KVK law and the provisions of the relevant legislations fully and takes all necessary administrative and technical precautions.

DESTROYING PERSONAL DATA
Destroying personal data stands for the operation of making the personal data inaccessible, unreachable as irrevocable and not be able to used again by anyone
While the personal data are destroyed which are the ones that can be processed with non-automatic methods and that are kept physically with the condition to be a piece of a data system, the method is physically destroying to not to be used again later.
While the data are destroyed which are processed with automatic ways completely or partially and kept in digital environments, the methods used are deleting from the software in a way that is not possible to rescue.
Our company conforms to the KVK law and the provisions of the relevant legislations fully and takes all necessary administrative and technical precautions during the destruction of the personal data.

ANONYMISING THE PERSONAL DATA
Anonymising the personal data stands for making the personal data in a way that is no more possible to associate the data with a real person whose identity is known or can be identified, even by associating with other data. Our Company can anonymise the data when the reasons of personal data processing which are conducted in accordance with laws, are no more present

For the personal data to be anonymised, these shall be made in a form that cannot be associated with any person that is identified or can be identified even with appropriate techniques in terms of related activity field and the recording environment; such as reversing and or the association of the data with other data. The data that prevents the detection of the relevant person or the data that has lost its distinctive feature in a group are seen as anonymised data as they lost the feature of real person association and do not point to a real person.

In other words, before anonymising, the real person could have been identified, however after anonymising operation, the connection of the data and the real persons is lost and it is no more possible to associate the data to the real person. In accordance with the KVK law Article 28, the anonymised data can be processed for the purposes of research, planning and statistics. These kinds of operations are at outside of the KVK Law domain and for these kinds of data; explicit consent of the person shall not be sought. For anonymising, our company uses methods such as masking, grouping, generalizing, reproducing, and randomizing to break off the link between the data and the real person.

Our company conforms to the KVK law and the provisions of the relevant legislations fully and takes all necessary administrative and technical precautions during anonymisation of the personal data. Hereby this Policy is a regulation in a basic level regarding the processing of the personal data of our Company and prepared to be applied by matching to the business processes and other procedures prepared with similar purposes. Protection and Processing of the Personal Data are primarily arranged within the boundaries of the current legislation; the provisions of the legislations can change and also our Company can make updates and changes in the Policy of our Company.