Personal Data Protection Policy

1. Legal Basis: Under Article 20 of the Constitution, everyone has the right to request the protection of personal data concerning them. This right includes being informed about such data, accessing it, requesting its correction or deletion, and learning whether it is used in line with its intended purpose. Personal data may be processed only in the cases stipulated by law or with the explicit consent of the individual. On this constitutional basis, our company attaches the utmost importance to protecting personal data and processing it lawfully in accordance with the Personal Data Protection Law No. 6698 (KVKK), and plans and conducts all of its activities with this sensitivity. We take the administrative and technical measures required to protect and process personal data, which is the foundation of privacy, and inform and warn our staff about the criminal liability set out in Article 135 and the following articles of the Turkish Penal Code No. 5237 (TCK).

2. Purpose: Our company, Rozi Turizm Ticaret Nakliyat Limited Şirketi, has prepared this personal data protection policy for all of its areas of service, including the Huge Tours travel agency and the "Gidiyorum" website. In accordance with the KVKK, this policy sets out how the company meets its compliance obligations regarding personal data protection, assesses risks with a risk-based approach, defines its strategies, internal controls, safeguards and operational rules, assigns responsibilities, and raises awareness of these matters among company employees. The policy also serves transparency by informing the individuals whose personal data the company processes, including but not limited to customers, potential customers, employees, job applicants, company shareholders, company executives, visitors, and the employees, shareholders, and executives of the institutions and organizations we collaborate with.

3. Scope: This policy covers all personal data processed wholly or partly by automated means, or by non-automated means where the data form part of a data recording system, including the personal data of our customers, potential customers, employees, job applicants, company shareholders, company executives, visitors, the employees, shareholders, and executives of institutions we collaborate with, and third parties.

4. Definitions:

  • 4.1. Explicit Consent: Consent based on being informed about a specific issue and given with free will.
  • 4.2. Anonymization: Rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data, in a way that cannot be reversed. Examples include masking and aggregation; destruction of the data is a separate measure (see Section 11), not a form of anonymization.
  • 4.3. Employee: Individuals working at the company based on an employment contract.
  • 4.4. Job Applicant: Individuals who have applied for a job or shared their resume and relevant information with the company for review.
  • 4.5. Employees, Shareholders, and Executives of Institutions We Collaborate With: Individuals working at institutions with which the company has any business relationship, including shareholders and executives of those institutions.
  • 4.6. Processing of Personal Data: Any operation on personal data through automated or non-automated means, such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data.
  • 4.7. Data Subject: The natural person whose personal data is processed (e.g., customers and employees).
  • 4.8. Personal Data: Any information relating to an identified or identifiable natural person (e.g., name, ID number, email, address, date of birth, credit card number).
  • 4.9. Customer: Individuals who use or have used the products and services offered by the company, regardless of whether a contractual relationship exists.
  • 4.10. Special Categories of Personal Data: Personal data relating to a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
  • 4.11. Potential Customer: Individuals who have shown interest in or requested information about our products and services.
  • 4.12. Company Shareholder: Individuals holding shares in the company.
  • 4.13. Company Executive: Members of the board of directors and other authorized individuals within the company.
  • 4.14. Third Parties: Natural persons connected with the individuals listed above, such as family members and relatives, or involved in securing transactions between those individuals and the company.
  • 4.15. Data Processor: The individual or legal entity that processes personal data on behalf of the data controller, based on the authorization given by the data controller (e.g., companies storing data for the company).
  • 4.16. Data Controller: The natural or legal person who determines the purposes and means of processing personal data, is responsible for establishing and managing the data recording system, and provides the data subject with the information and guidance required by law.
  • 4.17. Visitor: Individuals who enter the company's premises or visit our websites for various purposes.

5. Abbreviations:

5.1. KVKK: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated April 7, 2016, numbered 29677.
5.2. Constitution: The Constitution of the Republic of Turkey, published in the Official Gazette dated November 9, 1982, numbered 17863.
5.3. KVK Board: Personal Data Protection Board.
5.4. KVK Authority: Personal Data Protection Authority.
5.5. Policy: Company Personal Data Protection and Processing Policy.
5.6. TBK: Turkish Code of Obligations, published in the Official Gazette dated February 4, 2011, numbered 27836.
5.7. TCK: Turkish Penal Code, published in the Official Gazette dated October 12, 2004, numbered 25611.
5.8. TTK: Turkish Commercial Code, published in the Official Gazette dated February 14, 2011, numbered 27846.

6. Data Categories:

The company may record, process, or transfer data in the following categories:

6.1. Identity: (e.g., full name, parents' names, maiden name, date of birth, place of birth, marital status, ID card serial number, national ID number).
6.2. Contact Information: (e.g., address, email, contact address, registered electronic mail (KEP), phone number).
6.3. Location: (e.g., location data).
6.4. Personnel Information: (e.g., payroll data, disciplinary records, entry-exit documents, asset declaration information, resume data, performance evaluation reports).
6.5. Legal Transaction: (e.g., correspondence with judicial authorities, information contained in case files).
6.6. Customer Transaction: (e.g., call center records, invoices, promissory notes, checks, transaction slips, order information, request information).
6.7. Physical Space Security: (e.g., entry and exit records of employees and visitors, camera recordings).
6.8. Transaction Security: (e.g., IP address information, website login and logout information, password and security data).
6.9. Risk Management: (e.g., data processed for the management of commercial, technical, and administrative risks).
6.10. Finance: (e.g., balance sheet data, financial performance information, credit and risk information, asset details).
6.11. Professional Experience: (e.g., degree information, attended courses, professional training, certifications, transcripts).
6.12. Marketing: (e.g., shopping history, survey data, cookie data, information obtained through campaign studies).
6.13. Visual and Audio Records: (e.g., visual and audio recordings).
6.14. Health Information: (e.g., data on disability status, blood type, health information, and information on devices or prosthetics used).
6.15. Criminal Conviction and Security Measures: (e.g., criminal conviction information, data on security measures).

Under the KVKK, special categories of personal data are data relating to a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Our company processes special categories of personal data only with the data subject's explicit consent, or without explicit consent only in the cases expressly provided for by law, and in every case only for the purposes for which the data were collected. In addition, the company takes the additional safeguards determined by the Board for the processing of such data.

7. Purposes of Personal Data Processing:

The company may record, process, or transfer personal data for the following purposes:

7.1. Execution of Emergency Management Processes.
7.2. Execution of Information Security Processes.
7.3. Execution of Employee/Intern/Student Selection and Placement Processes.
7.4. Management of Employee Application Processes.
7.5. Execution of Employee Satisfaction and Loyalty Processes.
7.6. Fulfillment of Employment Contracts and Compliance with Statutory Obligations for Employees.
7.7. Execution of Employee Benefits and Rights Processes.
7.8. Conduct of Auditing/Ethical Activities.
7.9. Execution of Training Activities.
7.10. Management of Access Permissions.
7.11. Compliance with Legal Regulations.
7.12. Conduct of Financial and Accounting Processes.
7.13. Execution of Company/Product/Service Loyalty Processes.
7.14. Provision of Physical Space Security.
7.15. Execution of Assignment Processes.
7.16. Follow-up and Execution of Legal Affairs.
7.17. Conduct of Internal Audits/Investigations/Intelligence Activities.
7.18. Conduct of Communication Activities.
7.19. Planning of Human Resources Processes.
7.20. Management of Business Operations/Control.
7.21. Execution of Occupational Health and Safety Activities.
7.22. Collection and Evaluation of Suggestions for Business Process Improvements.
7.23. Continuation of Business Sustainability Activities.
7.24. Execution of Logistic Processes.
7.25. Execution of Goods/Service Procurement Processes.
7.26. Execution of Post-Sales Service Processes.
7.27. Execution of Sales Processes for Goods/Services.
7.28. Execution of Goods/Service Production and Operations.
7.29. Execution of Customer Relationship Management Processes.
7.30. Execution of Activities to Ensure Customer Satisfaction.
7.31. Organization and Event Management.
7.32. Execution of Marketing Analysis Studies.
7.33. Execution of Performance Evaluation Processes.
7.34. Execution of Advertising/Campaign/Promotion Processes.
7.35. Execution of Risk Management Processes.
7.36. Execution of Storage and Archiving Activities.
7.37. Execution of Social Responsibility and Civil Society Activities.
7.38. Execution of Contract Management Processes.
7.39. Execution of Sponsorship Activities.
7.40. Execution of Strategic Planning Activities.
7.41. Follow-up of Requests/Complaints.
7.42. Security of Movable Property and Resources.
7.43. Execution of Supply Chain Management Processes.
7.44. Management of Wage Policy.
7.45. Marketing of Products/Services.
7.46. Ensuring Security of Data Controller Operations.
7.47. Execution of Foreign Employee Work and Residence Permit Processes.
7.48. Execution of Investment Processes.
7.49. Execution of Talent/Career Development Activities.
7.50. Informing Authorized Persons, Institutions, and Organizations.
7.51. Execution of Management Activities.
7.52. Creation and Tracking of Visitor Records.

8. Personal Data Transfer Recipient Groups:

The company may transfer personal data to the following recipient groups:

8.1. Natural Persons and Private Law Legal Entities
8.2. Shareholders
8.3. Business Partners
8.4. Affiliates and Subsidiaries
8.5. Suppliers
8.6. Group Companies
8.7. Authorized Public Institutions and Organizations

9. Personal Data Subject Types:

The company may record, process, or transfer personal data related to the following types of individuals:

9.1. Employee Candidates
9.2. Employees
9.3. Shareholders/Partners
9.4. Potential Product and Service Buyers
9.5. Interns
9.6. Supplier Employees
9.7. Supplier Representatives
9.8. Product or Service Recipients
9.9. Guardians/Legal Representatives
9.10. Visitors

10. Personal Data Retention Periods:

Personal data are retained only for the period prescribed by the relevant legislation or required for the purpose of processing. When the conditions requiring processing cease to exist, or upon the data subject's request, the data controller deletes, destroys, or anonymizes the data in compliance with applicable law.

11. Deletion, Destruction, or Anonymization of Personal Data:

11.1. Even where personal data have been processed in accordance with the law, the data controller deletes, destroys, or anonymizes them, on its own initiative or at the data subject's request, once the reasons for processing cease to exist.
11.2. The data controller carries out the deletion, destruction, or anonymization of personal data in the first periodic destruction process following the date on which the obligation to do so arises.

12. Transfer of Personal Data:

Personal data obtained in accordance with the general principles set out in the law may be transferred to third parties with the explicit consent of the data subject, or without explicit consent only where one of the conditions in Article 5 or Article 6 of the KVKK applies.

12.1. Domestic Transfer: Except where the KVKK or related regulations require personal data to be transferred to administrative or judicial authorities, the company does not transfer personal data to other parties without the data subject's explicit consent. However, where the conditions of Article 5 and/or Article 6 of the KVKK are met, personal data may be transferred to the relevant institutions and organizations without consent, as permitted by law.

12.2. International Transfer: Personal data may be transferred to other countries based on the data subject’s explicit consent or under conditions specified by law and regulations.

13. General (Fundamental) Principles in Personal Data Processing:

Personal data will be processed according to the following principles, as specified in the company’s data processing procedures:

13.1. Lawfulness and conformity with the rules of good faith,
13.2. Accuracy and, where necessary, being kept up to date,
13.3. Processing for specified, explicit, and legitimate purposes,
13.4. Being relevant to, limited to, and proportionate with the purposes of processing,
13.5. Retention only for the period prescribed by the relevant legislation or required for the purpose of processing.

14. Explicit Consent:

Explicit consent is consent that relates to a specific matter, is based on prior information, and is given with free will. Consent lacking any of these three elements does not qualify as explicit consent under the KVKK.

15. Obligation to Inform:

When collecting personal data, the company informs the data subjects. This notification, set out in detail in the company's information notice, includes at least the following:

15.1. The identity of the data controller and, if any, its representative,
15.2. The purposes for processing personal data,
15.3. To whom and for what purposes personal data may be transferred,
15.4. The method and legal basis of personal data collection,
15.5. Other rights of the data subject as per Article 11 of the Law.

16. Methods for Exercising the Rights of the Data Subject:

Data subjects may apply to the company to learn whether their personal data are processed, to request information on and access to the data processed, to request correction of incomplete or inaccurate data, to request deletion or destruction of the data in the cases provided for in Article 7 of the KVKK, and to request that such correction, deletion, or destruction be notified to the third parties to whom the data have been transferred.

16.1. Application: Data subjects must first submit their requests to the data controller. The company responds to the request within 30 days of receiving it. This route must be exhausted before a complaint is filed with the Board.
16.2. Complaint: A complaint may be lodged with the Board only if the company rejects the request, its response is found inadequate, or it fails to respond within 30 days. The complaint must be filed within 30 days of the data subject learning of the company's response and, in any case, within 60 days of the date of application. A direct complaint to the Board without first applying to the company is not possible.

17. Obligation to Comply with the Board’s Decisions:

Upon receiving a complaint or learning of an alleged violation, the Board will investigate the matter and, if it finds a violation, it will order the company to rectify it. The company must implement the decision within 30 days of notification.

18. Personal Data Breach:

If processed personal data are obtained by others through unlawful means, the company notifies the Board and the affected data subjects as soon as possible; under the Board's decision numbered 2019/10, notification to the Board must be made within 72 hours of the company learning of the breach. The Board may announce the breach on its website or by other means if it deems necessary.

19. Personal Data Security Measures:

To prevent unlawful processing of and unlawful access to personal data, and to ensure its secure storage, the company implements the following technical and administrative measures, adapted to its structure:

19.1. Ensuring network and application security,
19.2. Using closed network systems for data transfers,
19.3. Applying key management,
19.4. Implementing security measures for IT systems during procurement, development, and maintenance,
19.5. Maintaining access logs,
19.6. Using data masking where necessary,
19.7. Revoking or adjusting access rights when employees change roles or leave the company,
19.8. Using firewalls,
19.9. Including data security provisions in signed contracts,
19.10. Establishing data security policies and procedures,
19.11. Quickly reporting data security issues,
19.12. Monitoring data security,
19.13. Ensuring physical security of environments containing personal data,
19.14. Securing physical environments against external risks (e.g., fire, flood),
19.15. Ensuring security of data storage environments,
19.16. Minimizing personal data where possible,
19.17. Backing up personal data and securing backups,
19.18. Implementing user account management and access control, with monitoring,
19.19. Keeping logs without user intervention,
19.20. Encrypting data.