Personal Data Security Policy

Home

1. Purpose

The purpose of this Personal Data Security Policy (hereinafter referred to as the “Policy”) is to define the framework for ensuring the security of all personal data processed by ISG Airport Hotel (hereinafter referred to as the “Hotel” or “Data Controller”), in accordance with the Law on the Protection of Personal Data No. 6698 (KVKK), other relevant legislation, and the decisions of the Personal Data Protection Board (the Board).

2. Scope

  • Data Subject: All natural persons whose personal data is processed by the Hotel, including hotel guests, employees, employee candidates, visitors, users of Hotel services (e.g., Wi-Fi, website, reservation platforms, valet service), and the personnel of suppliers and other third parties.
  • Data Categories: All categories of personal data processed by the Hotel, including but not limited to, Identity (T.R. Identity No, passport no), Contact, Location, Financial (credit card information), Visual/Auditory (security camera footage), Customer Transaction (accommodation dates, room no, special requests), Transaction Security (IP address, log records), Marketing, and Health (only with explicit consent and subject to strict conditions).
  • Processing Activities: All personal data processing activities carried out through fully or partially automated means (Property Management System – PMS) or non-automated means, provided that they are part of any data filing system (e.g., archive of guest registration forms).
  • Geographical Scope: All premises of the Hotel (rooms, lobby, restaurants, parking lot, administrative offices) and its digital systems (servers, website, network infrastructure).

3. Definitions

For terms used in this Policy that are not otherwise defined herein, the definitions provided in Article 3 of the KVKK shall apply.

4. Data Controller and Contact Person

  • Data Controller: ISG Airport Hotel is the Data Controller within the scope of the KVKK.
  • Data Controller Contact Person: Our Hotel has established a Personal Data Protection Committee to fulfill its obligations under the KVKK and to manage data subject requests. Contact information is shared with the public on our Hotel’s corporate website and in our Privacy Notices.

5. Principles for Processing Personal Data

Our Hotel undertakes to comply with the following general principles set forth in Article 4 of the KVKK in all its personal data processing activities:

  • Lawfulness and Fairness.
  • Accuracy and Being Up-to-Date Where Necessary.
  • Being Processed for Specific, Explicit, and Legitimate Purposes.
  • Being Relevant, Limited, and Proportionate to the Purposes for which they are Processed (Data Minimization).
  • Being Retained for the Period Envisaged in the Relevant Legislation or Required for the Purpose for which they are Processed.

6. Conditions for Processing Personal Data (KVKK Article 5)

  • a) It is expressly provided for by the laws.
  • b) It is necessary for the protection of life or physical integrity.
  • c) Necessary for the performance of a contract.
  • d) Necessary for compliance with a legal obligation.
  • e) Made public by the data subject.
  • f) Necessary for the establishment, exercise, or protection of any right.
  • g) Legitimate interests of the data controller, not violating fundamental rights.

7. Transfer of Personal Data (Domestic and International)

  • Domestic Transfer: To public institutions, suppliers, and business partners.
  • International Transfer: To foreign service providers or group companies under KVKK Article 9 conditions.

8. Obligations Regarding Data Security (KVKK Article 12)

8.1. Administrative Measures

  • Preparation of a Personal Data Processing Inventory.
  • Establishment of Corporate Policies.
  • Establishment of an Authorization Matrix.
  • Training and Awareness Activities.
  • Confidentiality Agreements.
  • Change of Position or Termination of Employment.
  • Data Breach Incident Response Plan.

8.2. Technical Measures

  • Ensuring Cybersecurity.
  • Access Authorization and Control Systems.
  • Encryption.
  • Data Backup.
  • Physical Security Measures.
  • Security of Data in Paper Form.
  • Log Records.

9. Rights of the Data Subject (KVKK Article 11)

Every Data Subject has the rights listed in Article 11 of the KVKK, including to learn whether their data is processed, request correction or deletion, and object or claim compensation.

10. Application Procedure

  • Delivering in person with wet signature to the reception.
  • Sending via public notary.
  • Sending from the registered email address to the designated email.

Applications will be concluded free of charge within thirty days.

11. Data Breach Management

If personal data is unlawfully obtained, it will be reported to the Board and the data subjects within 72 hours. The Data Breach Incident Response Plan manages this process.

12. Review and Update of the Policy

This Policy enters into force on the date it is approved by the Hotel Management and is reviewed and updated at least once a year or as necessary.

13. Entry into Force

This Policy has entered into force with the approval of the Hotel Management.