GDPR General Data Protection Regulation

GDPR Personal Data Protection & Processing Policy

1. Purpose of the Policy

1. To date, due to the sensitive nature of the services provided by Kalkanvilla Tur. İnş. Tic. ve San. Ltd. Şti. and Public Relations Kalkan Travel Agency, all data received from our customers or prospective customers has been kept confidential and has never been shared with third parties. The protection of personal data is one of our core corporate policies. Even before the enactment of legal regulations, our company and affiliates attached great importance to the confidentiality of personal data, adopted it as a working principle, and instructed employees accordingly.

2. We hereby undertake, as Kalkanvilla Tur. İnş. Tic. ve Ltd. Şti., to comply with all obligations introduced by the Turkish Law on the Protection of Personal Data No. 6698 (“KVKK”). Our principles regarding personal data protection apply to our subsidiaries as well.

2. Scope of the Policy and Amendments

1. This Policy has been prepared in accordance with KVKK No. 6698. The Law is currently in force with all of its provisions. Data obtained from you based on your consent or other lawful grounds stipulated in the Law will be processed in order to improve the quality of the services we provide and to enhance our service and quality policies.

2. Certain data may be anonymized and used for statistical purposes. Such anonymized data is not considered personal data and is therefore not subject to KVKK or this Policy.

3. The “Kalkanvilla Tur. İnş. Tic. ve Ltd. Şti. Personal Data Protection and Processing Policy” aims to protect the automatically obtained data of our customers, prospective customers, employees, customers and employees of companies working with us as solution partners, and other individuals, and includes rules and procedures regarding such protection.

4. Our Company reserves the right to amend this Policy and related internal regulations provided that amendments remain compliant with the law and aim to ensure better protection of personal data.

3. Fundamental Rules on Processing Personal Data

a) Compliance with law and good faith: Our Company examines the source of data it collects or receives from other companies and attaches importance to ensuring that such data has been obtained lawfully and in accordance with the rules of good faith. Within this scope, we provide necessary notices and warnings to third parties (including agencies and intermediaries) that sell our services in order to protect personal data.

b) Accuracy and being up-to-date where necessary: Our Company gives importance to ensuring that all data within our organization is accurate, does not contain incorrect information, and is updated when changes are notified to us.

c) Processing for specific, explicit and legitimate purposes: Our Company processes data only within the scope of purposes for which individuals provide approval during the service process. Data is not processed, used, or made available for purposes other than business purposes.

d) Relevance, limitation and proportionality: Our Company uses personal data only to the extent necessary for the purpose of processing and the requirements of the service.

e) Retention for the period required by relevant legislation or processing purpose: Our Company retains contract-based data for the periods required for dispute limitation, as well as commercial and tax law obligations. When these purposes cease to exist, data is deleted or anonymized.

These principles apply regardless of whether personal data is collected or processed based on consent or other lawful grounds.

4. Principle of Maximum Data Economy (Data Minimization)

Under the data minimization principle, data reaching our Company is entered into the system only to the extent necessary. Which data we collect is determined by the purpose. Unnecessary data is not collected. Data received through other channels is transferred to company IT systems in the same manner. Excess information is not recorded in the system, is deleted, or anonymized. Such data may be used for statistical purposes.
Special category data such as health data is collected only to provide better service and protect customers’ health and is stored with due care.

5. Deletion, Destruction and Anonymization of Personal Data

When legally required retention periods expire, judicial processes are completed, or other requirements cease, personal data is deleted, destroyed, or anonymized by our Company either automatically or upon the request of the data subject.

6. Data Accuracy and Updates

As a rule, data within our Company is processed as declared by the relevant persons. Our Company is not obliged to verify the accuracy of the declared data, and we do not do so due to legal and operational principles. Declared data is accepted as accurate.
Our Company updates personal data processed on the basis of official documents received by the Company or upon the request of the relevant person and takes necessary measures accordingly.

7. Confidentiality and Data Security

Personal data is confidential and our Company complies with this confidentiality. Only authorized persons within the company may access personal data. We take all necessary technical and administrative measures to protect personal data collected by our Company, to prevent unauthorized access, and to avoid potential harm to customers and prospective customers. This includes ensuring that software complies with standards, carefully selecting third parties, and ensuring compliance with internal data protection rules.

8. Purposes of Data Processing

Our collection and processing of personal data will be carried out in line with the purposes stated in the disclosure texts. Data is collected and processed for the establishment and performance of contracts and to provide better service to customers.

9. Customer / Prospective Customer / Business & Solution Partner Data

As Kalkanvilla Tur. İnş. Tic. ve Ltd. Şti., we process your personal data as the data controller under KVKK No. 6698 and other applicable legislation. Personal data categories processed include, but are not limited to:

• Identity Information: Name and surname; names of accompanying guests; nationality; place and date of birth; Turkish ID, driver’s license and passport numbers (including issuance date and place).

• Contact Information: Address, phone number, email address.

• Financial Information: Mobile invoice information, bank account details, payment card number and other payment details, loyalty program memberships, information regarding purchased products/services.

• Customer comments / feedback / complaints: Preferences relating to accommodation, marketing and communication; evaluations, opinions, or complaints about brands and facilities.

• Other: Reservation information, travel history; participation in contests/raffles/marketing programs; vehicle information used to reach facilities; reserved hotel/airline/rental car packages; affiliated groups for accommodation; frequent flyer or travel partnership memberships and membership numbers; information provided in membership and account applications.

10. Collection and Processing for Contractual Relationship

If a contractual relationship has been established with our customers or prospective customers, collected personal data may be used without obtaining additional consent, provided that such use is limited to the purpose of the contract. Data is used to the extent required for better performance of the contract and service requirements and may be updated by contacting customers when necessary.
Data provided by prospective customers is processed to provide easier and higher-quality services later. If no contract relationship is formed upon request, such data is deleted.

11. Business and Solution Partners – Data Sharing

Our Company adopts lawful behavior as a principle when sharing data with business and solution partners. Data is shared only to the extent required by the service, under confidentiality undertakings, and partners are obliged to take data security measures.

12. Processing for Managing, Analyzing and Improving Services

• Conducting surveys to measure service quality,

• Marketing communications with guests in line with communication permissions obtained under applicable laws,

• Internal correspondence and list creation regarding guests who act against facility rules and general decency rules during villa rental,

• Recording guests’ comments on social media, blogs, review portals, etc. in order to analyze service feedback,

• Processing service data to offer a personalized holiday experience and to carry out Sales and Marketing activities,

• Managing guest relations before, during and after villa rental, including pre-entry phone calls, loyalty program management, handling loyalty-related questions, segmentation based on reservation history/travel preferences/services received, managing allegations/complaints on review portals and social media, keeping personal data up to date and combining it with third-party data sources for analytics where lawful.

13. E-Invoice & E-Archive Invoice

Within this program, the customer is automatically recorded in the system and invoices are sent via the email address provided. It is the customer’s responsibility to ensure that the email address provided at check-in or later updated is correct and is the preferred email for this communication. If this email address is used to make reservations for another family member or other persons, the relevant e-invoice will be sent to the email address owner.

An E-Invoice is an invoice prepared electronically, not printed on paper, and transmitted by servers to the buyer and/or seller. It was introduced by the Turkish Tax Procedure Law Communiqué No. 397 and has been in practice since 5 March 2010.
In an e-invoice, all information that must be included in a standard invoice is present; the mutual invoice exchange between buyer and seller occurs electronically.

An E-Archive Invoice is an application that enables invoices that are required to be issued, stored and presented in paper form under the Tax Procedure Law to be issued electronically under the conditions set out in the General Communiqué No. 433, and enables the second copy to be stored and presented electronically. All invoices other than those created for taxpayers registered in the E-Invoice Application are referred to as E-Archive Invoices.

14. Data Processing for Advertising / Commercial Electronic Messages

In accordance with the Law on Regulation of E-Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages, advertising electronic messages may be sent only to persons who have provided prior approval. Clear and explicit consent is required. Our Company complies with the details of consent defined by the relevant legislation. Consent may be obtained in writing physically or through any electronic communication tool. The essential elements are the recipient’s affirmative declaration, their name and surname, and their electronic contact information.

15. Processing Based on Legal Obligation / Explicit Provision of Law

Personal data may be processed without additional consent where processing is explicitly prescribed by legislation or necessary to fulfill a legal obligation. The type and scope must be necessary for the legally permitted processing activity and in compliance with legal provisions.

16. Company’s Legitimate Processing

Personal data may be processed in line with our Company’s services and legitimate purposes. Data may not be used for any unlawful services.

17. Processing of Special Category Personal Data

Under the Law, data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire, association/foundation/union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data are special category personal data. Our Company takes the measures determined by the Board for the processing of special category personal data. With the explicit consent of individuals, special category data may be processed only for the purpose for which it was collected, such as providing better services and protecting health.

18. Data Processed Through Automated Systems

Our Company acts in compliance with the Law for data processed through automated systems. Information obtained from such data may not be used against individuals without their explicit consent. However, our Company may make decisions regarding persons with whom it will transact by using data in its own systems.

19. User Information, Website and Cookies

When personal data is collected, processed, and used on our websites and other systems/applications, individuals are informed via privacy notice and, where necessary, cookie information. Personal data is processed lawfully.

When you visit our website, please consider the following information regarding cookies used/will be used on our website.

Google (Analytics, DoubleClick)
Purpose: Measurement, advertising, site improvement
Cookie type: Functional and analytical cookies; commercial cookies

Facebook / Instagram
Purpose: Advertising
Cookie type: Commercial cookies

Hotjar
Purpose: Measurement, site improvement
Cookie type: Functional and analytical cookies

Third-party firms (Criteo, rtbhouse)
Purpose: Advertising
Cookie type: Functional and analytical cookies; commercial cookies

Functional and Analytical Cookies help remember preferences, enable effective use of the website, optimize the site, and provide data on how visitors use it. Due to their nature, such cookies may include personal information like username.

Third-Party Cookies: Our websites/mobile applications/mobile sites work with reliable third-party advertising providers who place their own cookies to serve tailored advertisements and analyze browsing information.

Commercial cookies help improve user experience by offering a more personalized advertising portfolio and content similar to your interests. The retention period of session/persistent/functional/analytical/commercial cookies is approximately two (2) months, and settings can be adjusted via browser settings.

If your transaction is interrupted during reservation due to system errors or disconnections, our call center representative may contact you.

How can I delete cookies?
Most browsers accept cookies by default. You may block cookies or receive alerts through browser settings/help menus. Please refer to your browser’s instructions for detailed guidance.

20. Collection and Processing Purposes of Security Data at Facilities

Under KVKK, as data controller, Kalkanvilla Tur. İnş. Tic. ve Ltd. Şti. collects security camera recordings due to your visit to our facility/website to ensure both our security and yours and to provide services safely.
Your personal data is not used outside these purposes and is processed based on the legal ground of legitimate interest under Article 5/2(f) of KVKK.
As a rule, collected personal data is not shared with any third party or institution. However, it may be shared with legally authorized public institutions and organizations to fulfill legal obligations under Article 5/2(c). After the purpose ends, data is disposed of.

21. Employee Data

Processing for employment relationship: Employee personal data may be processed without consent to the extent necessary for employment relations and health insurance. Our Company ensures confidentiality and protection of employee data.

Recruitment: Data is obtained via Kariyer.net for job applications and candidate evaluation and recorded within the scope of the recruitment process.

Processing due to legal obligations: Employee personal data may be processed without additional consent to fulfill legal obligations prescribed by legislation, limited to such obligations.

Processing for employees’ benefit: Data may be processed without consent for benefits such as private health insurance. Data may also be processed for disputes arising from employment relations.

Special category employee data: Special category data required for insurance and health services is used strictly for the purpose and limited accordingly, with the required safeguards.

Telecommunications and internet: Computers, phones, email and other tools allocated to employees are for business purposes only. Employees may not use these tools for personal purposes. The Company may control and audit data on these tools. Employees undertake not to keep non-business data on allocated devices.

22. Domestic and International Transfer of Personal Data

Personal data may be shared with business and solution partners to provide services. Our Company may transfer personal data for specific purposes to:

• Business partners, limited to fulfilling the purposes of the partnership,

• Suppliers providing outsourced services necessary for commercial operations,

• Solution partners limited to conducting activities requiring participation of affiliates,
  and may transfer data domestically or internationally in accordance with the conditions determined by the Board and other requirements under the Law, subject to consent where required.

23. Rights of the Data Subject

Our Company acknowledges that data subjects have the right to give consent before processing and to determine the fate of their data after processing. By applying through the channels announced on our website, you may:
a) Learn whether your personal data is processed,
b) Request information if it has been processed,
c) Learn the purpose and whether it is used accordingly,
ç) Know third parties to whom data is transferred domestically or abroad,
d) Request correction of incomplete/incorrect data,
e) Request deletion/destruction under Article 7,
f) Request notification of correction/deletion to third parties,
g) Object to adverse outcomes from automated processing,
ğ) Request compensation for damages due to unlawful processing.

Data subjects have no rights regarding anonymized data within the Company. The Company may share personal data with relevant institutions/organizations due to judicial duties or legal authority.

24. Application Method

Data subjects may submit their requests by completing the application form available on our official website, signing it with wet signature, and sending it by registered mail with return receipt to the contact address, together with an ID copy (only the front side for Turkish ID). Applications will be responded to as soon as possible and in any case within 30 days. Only requests relating to the applicant will be answered; requests about spouse/relatives/friends will not be accepted. The Company may request additional information and documents.

25. Confidentiality Principle

All data of employees and other persons within the Company is confidential. No one may use, copy, reproduce, transfer, or use this data for purposes other than business purposes without a contract or legal basis.

26. Processing Security, Audit and Breach Notification

We take continuous technical and administrative measures, update and develop security measures, and conduct internal and external audits where necessary.
If a breach is reported to the Company, it acts immediately to remedy it, minimizes the data subject’s damage, and compensates where appropriate. In case personal data is obtained by unauthorized persons, the Company promptly notifies the Personal Data Protection Board. Applications regarding breach notification may also be made via the procedures stated on our website.

27. Changes to the Policy

The Company reserves the right to change the statements herein. In case of an important change, a link enabling access to the updated statement will be added to the homepage. Guests registered for any of our products/services may be informed through the communication channel provided. Each change becomes effective upon publication on the website. Continued use of the website/services indicates acceptance of the updated statement.

Policy Update: 19.12.2019 (KVKK)

28. Contact

For questions about this privacy policy, you may contact:

Kalkanvilla Tur. İnş. Tic. ve Ltd. Şti.
Kalkan Mahallesi Yayla Caddesi No: 8/A
Kaş / Antalya 07960
Kaş Mal Müdürlüğü: 8590533120
MERSIS No: 0859053312000017
KEP: kalkanvillaturizm@hs01.kep.tr
Email: info@kalkanvilla.org
Phone: +90 242 844 37 77
Website: kalkanvilla.org