MORDENİZ TURİZM İŞLETMECİLİĞİ A.Ş. 

Personal Data Protection and Privacy Policy

1. Purpose of the Personal Data Protection and Processing Policy

Due to the sensitive nature of the work we engage in at Mordeniz Tourism Management Inc. (“Marmaris Park Hotel”), all data obtained from our customers or prospective customers has always been kept confidential and never shared with third parties. The protection of personal data is a fundamental policy of our company. Even before any legal regulations were in place, our company and its affiliates prioritized data privacy, adopted it as a working principle, and instructed employees to operate in line with this principle. As Marmaris Park Hotel, we commit to complying with all responsibilities brought by the Personal Data Protection Law. The principles of personal data protection in our company also apply to our affiliates.

1. Scope and Amendments to the Personal Data Protection and Processing Policy

This Policy, prepared by our company, has been drafted in accordance with the Law on the Protection of Personal Data No. 6698 (“KVKK”). The law is now fully in effect. Data obtained with your consent or as required by law will be used to enhance the quality of the services we provide and to improve our service standards and quality policies. Some data in our possession may be anonymized and no longer considered personal. These are used for statistical purposes and are not subject to the Law or this Policy.

The “Marmaris Park Hotel Personal Data Protection and Processing Policy” aims to protect the automatically obtained data of our customers, prospective customers, employees, employees of companies we work with as business partners, and other individuals, and includes regulations related to them.

Our company reserves the right to modify this Policy and our Regulations, provided such changes comply with the Law and enhance the protection of personal data.

III. Fundamental Rules Regarding the Processing of Personal Data

1. a) Compliance with the law and the principle of good faith: Marmaris Park Hotel verifies the source of collected or received data and ensures it is obtained lawfully and ethically. We also notify and warn third parties (including agencies and intermediaries) who provide services regarding the need to protect personal data.
2. b) Accuracy and currency: Marmaris Park Hotel prioritizes ensuring all data within its system is accurate, free from errors, and updated as needed when changes are communicated to us.
3. c) Processing for specific, clear, and legitimate purposes: Marmaris Park Hotel processes data only for the purposes it has stated and for which it has obtained consent during service delivery. It does not process, use, or permit the use of data for other purposes.
4. d) Data processing that is relevant, limited, and proportionate to its purpose: Marmaris Park Hotel uses data only as necessary for the stated purpose and service requirements.
5. e) Retention for the period stipulated by applicable regulations or as required for the purpose of processing: Marmaris Park Hotel retains data related to contracts for the duration required by legal dispute limitations, commercial, and tax laws. When these purposes cease to exist, the data is either deleted or anonymized.

It is important to note that Marmaris Park Hotel adheres to these principles whether data is collected with consent or under lawful conditions.

Your Rights Under Article 11 of the Personal Data Protection Law

To facilitate the exercise of your rights, Marmaris Park Hotel has also prepared a dedicated application form available on our website.
You may contact the relevant department as published on our site to exercise your rights regarding your personal data, including:

1. a) Learning whether your personal data is being processed,
   b) Requesting information if your personal data has been processed,
   c) Learning the purpose of data processing and whether it is used in accordance with that purpose,
   ç) Knowing the third parties to whom personal data is transferred, domestically or abroad,
   d) Requesting correction if personal data is incomplete or inaccurately processed,
   e) Requesting deletion or destruction of personal data within the framework of the conditions set forth in the Law,
   f) Requesting notification of the actions taken under (d) and (e) to third parties to whom data has been transferred,
   g) Objecting to results that arise to your detriment as a result of automated analysis of processed data,
   ğ) Requesting compensation if you suffer damage due to unlawful processing of personal data.

As Marmaris Park Hotel, we respect these rights.

Principle of Data Minimization / Frugality Principle

According to this principle, also referred to as the frugality principle, data received by Marmaris Park Hotel is processed into the system only as much as necessary. Thus, which data to collect is determined according to its intended purpose. Unnecessary data is not collected. Any other data transferred to our company is similarly handled within our IT systems. Redundant data is not recorded into the system; instead, it is deleted or anonymized. Such anonymized data may be used for statistical purposes. Special category personal data, particularly health data, is collected solely to provide better service and to safeguard the health of customers and is carefully maintained within the system.

Deletion of Personal Data

Once the legal retention periods expire, judicial processes conclude, or other necessary reasons cease to exist, personal data is deleted, destroyed, or anonymized by our company either automatically or upon the data subject’s request.

Accuracy and Currency of Data

As a rule, data stored within Marmaris Park Hotel is processed based on declarations made by the individuals concerned. The company is not obligated—either legally or under internal policies—to verify the accuracy of such declarations. Declared data is assumed accurate. However, Marmaris Park Hotel adheres to the principle of ensuring accuracy and data currency and updates personal data upon request or upon receiving official documents. Necessary measures are taken to ensure this.

Confidentiality and Data Security

Personal data is confidential, and Marmaris Park Hotel respects this confidentiality. Within the company, only authorized personnel may access personal data. Necessary technical and administrative measures are taken to prevent unauthorized access and to protect customers and prospective customers from potential harm. This includes using software that complies with standards, carefully selecting third-party providers, and enforcing internal compliance with the data protection policy.

IV. Purposes of Data Processing

Marmaris Park Hotel collects and processes personal data for purposes clearly outlined in its privacy notice. Data is collected and processed to establish contracts and to deliver better service to customers.

V. Customer, Prospective Customer, Business, and Solution Partner Data

Collection and Processing of Data for Contractual Relationships

If a contractual relationship is established with our customers or prospective customers, the personal data collected may be used without additional consent. However, this use is strictly limited to the purpose of fulfilling the contract. Data may also be updated as needed by contacting the customer. Data voluntarily provided by prospective customers is processed to offer them faster and higher-quality service. If no contract follows, such data is deleted upon request.

Business and Solution Partner Data

Marmaris Park Hotel commits to lawful behavior when sharing data with business and solution partners. Data is only shared to the extent required by the service and under a data confidentiality agreement. These partners are also required to implement appropriate data security measures.

Data Processing for Advertising Purposes

In accordance with the Law on the Regulation of E-Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages, commercial electronic messages for advertising can only be sent to individuals who have given prior consent. This consent must clearly reflect the recipient’s affirmative intention, name, surname, and electronic communication address. It may be obtained in writing or through any electronic communication tool. Such consent covers all messages intended to promote the company’s goods or services, enhance brand recognition, or include celebratory content.

Data Processing for Legal Obligations or When Required by Law

Personal data may be processed without consent when expressly permitted by law or when necessary to fulfill a legal obligation. The nature and scope of such data processing must be limited to what is legally allowed and appropriate under applicable laws.

Company-Initiated Data Processing

Personal data may be processed by the company to deliver its services and achieve its legitimate objectives. However, such data may never be used for unlawful purposes.

Processing of Special Category Personal Data

According to the law, data related to individuals’ race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, attire, association/foundation/trade union memberships, health, sexual life, criminal convictions, security measures, biometric, and genetic data is considered special category personal data.
Marmaris Park Hotel takes all required precautions as defined by the Personal Data Protection Board when processing such data. These data are processed only with the individual’s explicit consent and strictly for the purposes for which they are collected to provide better service.

Data Processed via Automated Systems

Marmaris Park Hotel adheres to legal regulations regarding data processed via automated systems. Data processed through such systems cannot be used to the detriment of individuals without their explicit consent. However, Marmaris Park Hotel may make decisions regarding individuals based on the data within its system in compliance with the law.

User Information and the Internet

If personal data is collected, processed, or used through Marmaris Park Hotel websites or other systems or applications, individuals are informed through a privacy notice, including about cookies where necessary. Users are informed about the practices implemented on our web pages. Personal data is processed lawfully.

When visiting our website, the following information is provided regarding the cookies used or to be used.

Data Processed by Automated Systems

Personal data processed through automated systems concerning employees may be used for internal promotions and performance evaluations. Employees have the right to object to any decisions made against them and can do so by following internal procedures. Such objections are evaluated within the company.

Functional and Analytical Cookies

These cookies store your preferences, enable the effective use of the website, optimize the site according to user needs, and gather data on how visitors use the site. Due to their nature, these cookies may include personal data such as usernames.

Third-Party Cookies

Mordeniz Turizm İşletmeciliği A.Ş. websites/mobile apps/mobile websites work with trusted and well-known third-party advertising providers. These third-party service providers may place their own cookies to deliver personalized advertisements. These cookies collect, process, and analyze visitors’ browsing data across websites.

Commercial Cookies

These cookies are used to present content/products tailored to your interests and preferences. They help improve your experience by offering a more personalized advertising portfolio.
The background retention period for session, persistent, functional, analytical, and commercial cookies is approximately two (2) months, and individuals can adjust these settings through their browser preferences. Removal procedures may vary depending on the browser used.

Note: If your reservation process is interrupted due to system errors or disconnections, our call center representative may contact you to assist.

How Can I Delete Cookies?

Most web browsers are set to automatically accept and use cookies upon initial setup. You can block cookies or set alerts when cookies are sent to your device using your browser’s settings or help menus. To learn more about cookie management and adjusting your browser settings, refer to your browser’s instruction or help screens.

Collection and Processing Purposes of Security Data on Premises

Under Law No. 6698, Marmaris Park Hotel, as a data controller, collects security camera footage during your visit to ensure both the safety of our company and of yourself, and to deliver services securely.
Your personal data is not used for any purposes other than those listed above and is processed based on the legal basis outlined in Article 5/2(f) of the KVKK regarding the data controller’s legitimate interests.
As a rule, your personal data is not shared with any third parties or institutions. However, it may be shared to fulfill legal obligations under Article 5/2(ç) of the law in response to requests from legally authorized public institutions. Once the purpose of collection ends, the data is destroyed.

Employee Data

Data Processing for Employment Purposes

Personal data of employees may be processed without consent to the extent necessary for employment relations and health insurance purposes. However, Marmaris Park Hotel ensures the confidentiality and protection of employee data.

Processing Due to Legal Obligations

Marmaris Park Hotel may process employee data without separate consent when explicitly required by law or to fulfill legal obligations. This processing is strictly limited to obligations arising from the law.

Processing for Employee Benefit

Marmaris Park Hotel may process personal data without consent for operations that benefit employees, such as private health insurance. Data may also be processed in the event of disputes arising from employment relationships.

Processing of Special Category Personal Data

According to the law, data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, attire, association/foundation/trade union membership, health, sexual life, criminal convictions and security measures, biometric, and genetic data are considered special category personal data.
Marmaris Park Hotel takes additional security measures as determined by the Board when processing such data, in addition to obtaining explicit consent from the data subject. These data may only be processed without consent under conditions strictly limited to those permitted by law. For example, special category data collected to provide insurance or health services to employees are used solely for that purpose.

Telecommunications and Internet Use

All computers, phones, emails, and other applications allocated to employees within the company are provided strictly for work-related purposes. Employees are prohibited from using these tools for personal communication or purposes. The company has the right to monitor and audit all data on these devices.
From the moment they begin employment, employees commit that they will not store or process any non-work-related data or information on the devices and systems assigned to them.

VII. Transfer of Personal Data Domestically and Abroad

Personal data may be shared with business partners to ensure the proper execution of services provided by Marmaris Park Hotel.

“Marmaris Park Hotel” may transfer personal data to the following parties for the specified purposes:

• To business partners, limited to the fulfillment of the purpose of business cooperation.
• To suppliers, limited to the provision of externally sourced services required to fulfill the company’s commercial activities.
• To solution partners, limited to the conduct of commercial activities involving the participation of the company’s affiliates.

“Marmaris Park Hotel” has the authority to transfer personal data within Turkey and abroad in accordance with the conditions set by law and with the explicit consent of the data subject, or in compliance with the other lawful bases specified by the law.

VIII. Rights of the Data Subject

Marmaris Park Hotel acknowledges that data subjects have the right to provide consent before their data is processed, and the right to determine the fate of their data afterward.

By contacting the designated person or unit announced on our website, individuals whose personal data is processed have the following rights under the Law:

1. a) To learn whether personal data is being processed,
   b) If processed, to request information about it,
   c) To learn the purpose of processing and whether the data is used accordingly,
   ç) To know the third parties to whom personal data is transferred domestically or abroad,
   d) To request correction of incomplete or inaccurate data,
   e) To request deletion or destruction of personal data under the conditions set out in Article 7,
   f) To request notification of the actions taken under (d) and (e) to third parties to whom the data was transferred,
   g) To object to any results arising against them through the exclusive use of automated systems,
   ğ) To request compensation for any damages incurred due to unlawful processing.

However, individuals do not have any rights regarding anonymized data held by the company.

“Marmaris Park Hotel” may share personal data with legally authorized public institutions or judicial authorities as required by business or contractual obligations, or in the exercise of state powers under applicable law.

How to Exercise These Rights

To exercise your rights, data subjects must:

1. Fully complete the application form available on our official website: gomarmarispark.com,
2. Sign it with a wet signature,
3. Send it via registered mail with return receipt to the company’s contact address, together with a copy of their identification (only the front side of the national ID card is required).

Requests will be processed as soon as possible, and at the latest within 30 days from the date the company receives the request.
Only requests pertaining to the applicant themselves will be processed. Requests concerning a spouse, relative, or friend will not be accepted.
The company reserves the right to request additional information or documentation as necessary to verify the identity and eligibility of the applicant.

1. Privacy Principle

Whether concerning employees or other individuals, all data at Marmaris Park Hotel is confidential. No one may use, copy, reproduce, or transfer this data for purposes other than those specified in contracts or in compliance with the law.

1. Data Security

Marmaris Park Hotel takes necessary technical and administrative measures to protect collected personal data and prevent unauthorized access. This includes using compliant software, carefully selecting third-party service providers, and ensuring adherence to internal data protection policies. Security measures are continuously updated and improved.

1. Auditing

Marmaris Park Hotel conducts both internal and external audits to ensure compliance with personal data protection regulations.

XII. Notification of Breaches

If a personal data breach occurs, Marmaris Park Hotel will take immediate action to rectify the situation, minimize harm to the affected individual, and notify the Personal Data Protection Authority if unauthorized access is confirmed. For breach notifications, please refer to the procedures outlined at https://www.gomarmarispark.com/kvkk.

Regarding Requests Made Under the Personal Data Protection Law

As announced on the https://www.gomarmarispark.com/kvkk page, all requests will be processed only if the form available on the mentioned page is fully completed, signed with a wet signature, and sent along with a photocopy of an identity document via registered mail to the address stated on the form.

Rights related to personal data can only be exercised by the individuals to whom the data belongs. Requests submitted on behalf of others, even if the form is completed and a photocopy of an ID is attached, will not be considered. Forms submitted without a photocopy of the ID will also not be processed.

Please note that even if data deletion requests are fulfilled, we are obligated to share data with official authorities if requested by them.