Information Regarding Processing of Personal Data

ÜSTAY YAPI TAAHHÜT VE TİCARET A.Ş.  

&

LAW ON THE PROTECTION OF PERSONAL DATA

 

  1. AIM OF THE PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

 By force of legal and social responsibility, ÜSTAY YAPI TAAHHÜT VE TİCARET A.Ş. accepts and undertakes to act in accordance with the legal regulations and international standards. For ÜSTAY YAPI TAAHHÜT VE TİCARET A.Ş. (hereinafter referred to as “Company”) ensuring data protection constitutes the basis of a confidential business relation and Company reputation. This Policy is also valid in https://ustay.com/ and all terms of websites, social media accounts and brands that are within the scope of our Company’s activities.

  1. THE SCOPE AND AMENDMENT OF THE PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

This Protection and Processing of Personal Data Policy includes together with the statements of the Clarification Text (statements carried out in order to fulfil the liability to clarification on data collection channels) the processing of all personal data. Anonymized data for purposes such as statistical assessments or researches are not subject to this Protection and Processing of Personal Data Policy.

This Protection and Processing of Personal Data Policy has been drawn in accordance to the Law no. 6698 on the Protection of Personal Data (“KVKK”) dated April 7th, 2016.

This policy concerns the personal data of our customers, potential customers, candidate employees, employees, shareholders and authorities of partner institutions and of third persons, whether these are automatically processed or non-automatically processed on the condition that they are part of a data recording system.

This Policy on The Protection and Processing of Personal Data is dated October 7th, 2016. In case the whole or certain articles of the Policy are amended, the effective date and the version of the Policy will be updated. The Policy shall be published on the official internet site of our Company and upon request from personal data owners, be presented to the access of those related persons.

  1. BASIC RULES REGARDING THE PROCESSING OF PERSONAL DATA
  2. Compliance to the Law and to the rules of correctness

In case of processing personal data, the rights of the persons in question shall be protected. Personal data shall be collected and processed equitably and in compliance to the Law.

  1. Ad hoc limitations

Personal data shall only be processed for the purpose defined before collection thereof. Additions and alterations of purpose shall only be possible with justification and on a limited scale.

  1. Transparency and clarification

The related person shall be informed regarding the use of his/her own data. Personal data is generally collected directly from the person. When data are collected, the related person shall be aware of or informed about the articles below:

 

  • The identification of the data responsible or if present, his representative,
  • The aim of processing the personal data
  • To whom and for what purpose the processed personal data is transmitted or third person categories,
  • The method and legal reason of collecting personal data,
  • The rights of the person whose personal data is processed in accordance to KVKK Article 11.
  1. Data reduction and data economy

Before processing the personal data, it shall be determined whether such process is necessary in order to reach the aim or to what extent such process is necessary. In cases where the aim is acceptable and balanced, statistical data may be used.

  1. Purging the personal data

Data which is no longer necessary, including record keeping obligations and recording procedures necessary for substantiation, may be deleted, purged or anonymized after the legal or business process related term is over.

  1. Correctness and actualness of the data

Personal data on the file shall be held actual in case it is correct, complete and known. Appropriate measures to delete, correct, complete or actualize incomplete or missing data are taken by the Company.

  1. Confidentiality and data security

Personal data is subject to confidentiality. In order to prevent unauthorized access, illegal operations, sharing, accidental disappearance, change or damage, it shall be protected by appropriate organizational and technical measures and be held confidential on a personal basis.

  1. AIMS OF DATA PROCESSING

The Clarification Text on the Collection and Processing of Personal Data shall be effectuated within the belowmentioned aims.

  1. CUSTOMER AND BUSINESS PARTNERS DATA
  2. Data processing for contractual relations

Personal data belonging to a customer (customer and potential customers) or a partner (in case partner is a legal entity, to its representative or to its officers) may be processed in order to draw up, to administer or to terminate a contract. Prior to the contract or at the starting phase of the contract, personal data may be processed on the purpose of shopping center and thus customer security, ensuring customer satisfaction, executing contractual acts in accordance to their aim and to the law and meeting contractual requirements. During the process of contract preparation, communication may be established with the data owners in light of the information they provided.

  1. Data processing with the aim of advertisement and information

If the data owner requests information from the Company his personal data may be processed in order to meet this request.

Personal data may be processed for advertisements or for market and opinion research only in case the aim of collecting this data is in accordance to the aforesaid aims. The data owner shall be informed regarding the use of his data for advertisement purposes. In case information is only collected for advertisement purposes, data owners may not give this information. The data owner shall be informed regarding his freedom to give information for this purpose. Personal consent is received in order to process the information of the data owner for advertisement purposes. The data owner may select from appropriate communication channels such as mail, electronic mail or telephone.

In case data owner does not permit his information to be used for business purposes, the data shall no longer be used for such purpose and its use for such purposes shall be prevented.

  1. Data operations made for the legal liability of the Company or due to clear legal stipulations

Personal data may be processed without receiving personal express consent, in case such processing is clearly stipulated on the related legislation or for the purpose of executing a legal liability determined by the legislation. The type and extent of the data processes shall be necessary for the legally permitted data processing activity and in accordance to the related legal provisions.

  1. Data processing for the legitimate interest of the Company

Personal data may be processed without receiving personal express consent in case it is necessary for a legitimate interest of the Company. Such legitimate interests are in general legal (e.g. collection of accounts receivable) or economic (e.g. preventing breach of contract) interests.

  1. Processing sensitive data

Sensitive data shall be processed with the condition of taking the sufficient measures determined by the Board for the Protection of Personal Data (“Board”) in below mentioned cases:

  • In cases stipulated by the laws, sensitive personal data except the health and sexual life of the related person;
  • Sensitive personal data regarding the health and sexual life of the related person may only be processed for the purpose of protecting public health, protective medicine, medical diagnosis, performing treatment and care services, planning and management of the health services and their finance, by the persons under confidentiality obligation or by authorized institutions or organizations.

In case the abovesaid data processing conditions are not present, the Company shall receive express consent of the related person for processing such data.

  1. Data processed through exclusively automatic systems

Processing of personal data through exclusively automatic systems in order to specify certain factors may not be by itself a basis for decisions having negative legal conclusions and affecting the related person negatively. The related person has the right to object to the emergence of a result to his detriment through the analysis of processed data through exclusively automatic systems. For the purpose of preventing erroneous decisions, test and reliability control are being conducted by the Company employee.

  1. User data and the Internet

In case of collection, process and use of personal data on web sites and applications, the related persons shall be informed about the privacy statement and if necessary, cookies. Privacy statement and cookie information shall be integrated in an easily identifiable, directly accessible and continuously available way for the related person.

In case of the formation of user profiles for the evaluation of website and web applications’ use, the related person shall be appropriately informed thereof by the privacy statement.

If websites and applications are able to access personal data in an area limited to registered users, the identification of the related person and the verification of his identity shall provide sufficient protection during access.

  1. EMPLOYEE DATA
  2. Data processing for employment relations

For employment relations, personal data are processed without receiving specific consent in case they are necessary to draw up, execute and terminate an employment contract. If the candidate is declined, data belonging to the candidate are stored during the appropriate data storage duration for the next selection process; such data are deleted, destroyed or anonymized at the end of this duration.

  1. Data processes made for the purposes clearly stipulated by the law or for a legal liability of the Company

Personal data belonging to the employee may be processed without receiving specific consent in case the process is clearly stipulated by the related legislation or in order to execute a legal liability stated by the legislation.

  1. Data processing in accordance to the legitimate interests

Personal data belonging to the employee may be processed without receiving specific consent if necessary for a legitimate interest of the Company. Such legitimate interests are generally legal (e.g. filing, executing or defending legal rights) or economic (e.g. evaluation of the Company) interests.

In personal cases where it is necessary to protect the interests of the employees, personal data may not be processed for legitimate interests. Before data processing it shall be determined whether interests requiring protection are present.

In case data belonging to the employees are processed in accordance to the legitimate interest of the Company, it shall be examined whether the process is balanced. It shall be controlled whether the legitimate interest causing the Company to take such control measure is breaching an employee right needing protection and processing shall be carried out only in case it is balanced.

  1. Processing sensitive data

Sensitive personal data may only be processed under certain conditions. Data such as race and ethnic background, political opinion, religion, philosophical beliefs, sects and other beliefs, attire and outfit, society, foundation or syndicate membership, health, sexual life, conviction history, data related to security measures, biometric and genetic data are classified as sensitive data.

Sensitive personal data may be processed in case the express consent of the employee is present. Upon express consent the personal data may be processed depending on its nature based on the principles stated on this policy and by taking the necessary administrative and technical measures.

In case express consent of the employee is not present, sensitive personal data may be processed in the below mentioned cases on the condition that sufficient measures determined by the Board are taken:

  • In cases stipulated by the law, sensitive personal data except the health and the sexual life of the employee;
  • Sensitive personal data regarding the health and sexual life of the employee may only be processed for the purpose of protecting public health, protective medicine, medical diagnosis, performing treatment and care services, planning and management of the health services and their finance, by the persons under confidentiality obligation or by authorized institutions or organizations.

  1. Data processed by exclusively automatic systems

In case personal data is processed by exclusively automatic systems as a part of the employment relation (e.g. as part of the personnel selection or in order to evaluate talent profiles), the employee has the right to object to the emergence of a result to his detriment.

  1. Telecommunication and internet

Telephone hardware, e-mail addresses, intranet and internet together with internal lines, are provided by the Company primarily for duties related to work. These are work tools and Company resources. These tools shall be used in accordance to legal regulations and to the internal regulations of the Company.

A general supervision regarding telephone and e-mail communication or intranet and internet use does not take place. In order to prevent attacks against the IT infrastructure or individual users, protective measures blocking technically harmful contents or analysing the modelling of the attacks are implemented on the transition to the Company web. The use of telephone hardware, e-mail addresses, intranet/internet and/or internal social webs are stored for a limited duration for security purposes. The evaluation of these data regarding the person are only made in case a concrete doubt concerning the breach of legal regulations is present. These controls are implemented by the related departments only for the condition of keeping the balance principle.

  1. TRANSMISSION OF PERSONAL DATA

Transmission of personal data to a 3rd person outside the Company shall be carried out within the scope of the aims stated on the Clarification Text and the below mentioned aims.

The Company shall be able to transmit personal data to the below mentioned persons and institutions for specific aims:

  • To the suppliers of our Company in a limited way, in order to ensure that necessary services outsourced by our Company from supplier are offered to our Company, for our Company to execute its commercial activities,
  • To the partnerships of our Company in a limited way, in order to ensure the execution of commercial activities necessitating the participation of our Company’s partnerships,
  • To legally capable public institutions and organizations, only limited to the aim requested at the sole discretion of the related public institutions and organizations,
  • To legally capable private institutions and organizations, only limited to the aim requested at the sole discretion of the related private institutions and organizations.

Personal data shall be transmitted to those foreign countries, after foreign countries having sufficient protection are announced by the Board. Regarding those countries announced as not having sufficient protection, personal data shall only be transmitted in cases the data responsible in Turkey or in the related foreign country undertake a sufficient protection in written and the Board’s permission exists, or in cases the data owner gives consent.

  1. RIGHTS OF THE RELATED PERSON

All data owners possess the below mentioned rights. In case the data owner uses the mentioned rights and presents a request to the Company, the Company shall offer the necessary information and the Company shall hereby with this data confidentiality regulation inform the related data owner regarding the way the right in question may be used and how the cases related to the information request are evaluated.

  • Learning whether personal data has been processed or not,
  • In case personal data has been processed, requesting data related to this,
  • Learning the aim of personal data processing and whether such data are used in accordance to this aim,
  • Knowing the third persons to which personal data has been transmitted, locally or internationally,
  • In case personal data was processed missing or wrong, requesting these to be corrected and requesting the action made within this scope to be announced to the third parties to which personal data was transmitted,
  • Requesting personal data to be deleted or destroyed and requesting the action made within this scope to be announced to the third parties to which personal data was transmitted, in case the reasons necessitating the processing of personal data disappear, even though data was processed in accordance to KVKK or to the provisions of other laws,
  • Opposing to the emergence of a result to the detriment of the person, by analysing the processed data through exclusively automatic systems,
  • Requesting the indemnification of the damage, in case the person incurs a damage because of the illegal processing of the personal data.

For the cases kept outside the scope of KVKK and mentioned below, the related persons may not claim their above stated rights and the Company is not under obligation to execute the requests made in this scope:

  • Personal data processing for purposes such as research, planning and statistics by anonymizing them through official statistics,
  • Personal data processing for the purposes of art, history, literature or scientific purposes or within the scope of the freedom of expression, on the condition that such processing does not breach national defence, national security, public safety, public order, economic security, the right of privacy or personal rights,
  • Personal data processing within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations given duty and authority by the law, for the purpose of ensuring national defence, national security, public safety, public order or economic security,
  • Personal data processing by judicial authorities or law enforcement authorities for the purpose of investigation, prosecution, trial and execution activities.

In accordance to the KVKK, in the below stated cases, the related persons may not, with the exception of the right to request an indemnification of damages, claim their other rights:

  • In case the personal data processing is necessary in order to prevent the commitment of an offense or for a criminal investigation,
  • In case of the processing of personal data which is already made public by the owner of the personal data,
  • In case the personal data processing is necessary for the execution of supervision and regulation duties and for disciplinary investigations and prosecution by public institutions and organizations with given duty and authority by the law and by professional organizations in the status of public institution,
  • In case the personal data processing is necessary for the protection of the economic and financial interests of the state regarding budgetary, taxation and financial matters.

Personal data owners may address their requests regarding their abovementioned rights by completely filling and undersigning the form found at the Company’s official internet address www.ustay.com and by sending it to Ahi Evran Caddesi – No:21 – Kat: 11 34485 Polaris Plaza Maslak / Istanbul / Turkey address by registered letter with return receipt and with a copy of their identification document (for the identity card, only the front side copy). For a person to address a request on behalf of the personal data owner, such person shall hold a specific proxy statement regarding the subject matter drafted by the personal data owner for the addressing person.

The requests addressed in due form to the company shall be completed within thirty days at the latest. In case the completion of the requests in question requires an additional cost, the Company may charge the petitioner a fee at the rate determined by the Board.

The Company may, in order to determine whether the petitioner is the owner of the personal data, request additional information from the related person and address the personal data owner questions regarding his request in order to clarify issues stated on the request.

  1. CONFIDENTIALITY OF THE PROCEDURES

Personal data are subject to confidentiality. Collection, processing and unpermitted use of data by the employees are prohibited. Unauthorized use is unauthorized data processing which employees executed outside their legitimate duties. All principle is valid: Employees may access personal data only in case it is in accordance to the scope and nature of the duty in question.

Employees are prohibited from using personal data for personal or commercial purposes, from distributing them to unauthorized persons or from making them accessible in another way. The managers shall inform employees regarding their obligations concerning data protection, when the employment relation starts. This obligation continues after the employment relation is terminated.

  1. PROCESS SECURITY

The company takes the necessary measures and controls, makes or lets make the necessary supervisions in this scope, in order to prevent the processed personal data being illegally processed, to prevent data being illegally accessed and to ensure the appropriate security level in order to store data. This case is valid independently from whether the data processing is made electronically or by writing. Particularly during migration to new IT systems, before starting new methods of data processing, technical and organizational measures aimed at the protection of personal data are identified and practiced. These measures lean on the latest developments and to the need to protect data, determined by the process risks and the information classification procedure. Technical and organizational measures concerning the protection of personal data are a part of the Company’s information security management and they are being constantly adapted to technical developments and organizational changes.

 

 

  1. DATA PROTECTION CONTROL

The accordance to the Personal Data Protection and Processing Policy and to KVKK is ensured through regular data protection supervisions and other controls. The company is making or letting make the necessary supervisions.

  1. DATA BREACH MANAGEMENT

The Company may, in case the personal data processed in accordance to this Personal Data Protection and Processing Policy herein and to the KVKK are illegally obtained by others, operates the system ensuring that this situation is announced within the shortest time to the related person and to the Board. In cases deemed necessary by the Board, this case may be announced on the website of the Board or by another means.

  1. DESCRIPTIONS
  • In case personal data cannot be tracked by anyone or in case personal identity can be re-created by an unreasonable amount of time, cost and labour force, such data is considered anonymized.
  • Data breaches are events where there is legitimate doubt about illegal capture, collection, change, copying, distribution or use of personal data. This may be related to third parties and persons.
  • The related person is the real person whose data is processed.
  • Sensitive data are personal data about race, ethnic background, political opinion, philosophical belief, religion, and sect or other beliefs, attire and outfit, society, foundation or syndicate membership, health, sexual life, conviction history and security measures as well as biometric and genetic data.
  • Personal data are any data identifying or enabling to identify a real person. A person is identifiable, if for instance his personal relation can be determined by using data combination, even with possible additional information.
  • Personal data processing includes all processes effectuated on data, such as acquisition, recording, storage, conservation, change, re-arrangement, disclosure, transmission, takeover, making available, classification and prohibition from use of personal data, whether or not these are automatically or partly automatically processed or non-automatically processed on the condition that they are part of a data recording system.

  1. CONFIDENTIALITY AND APPROVAL

Your personal information will only be used in accordance to the service exigencies, to access information specific to you or to get in touch with you. This information will not be shared with third persons and will not be published anywhere. Automatically saved information (Non-personal data), when you enter the Website, the general non-personal information (browser used, visitor amount, average time spent on the site, pages viewed) are saved automatically (separate from the member registration). This information is used in order to improve the general quality of our website. Your information will not be subject to any further processes and will not be transmitted to third persons. Within this context, we would like to state that with your approval in question you will declare that you accept that your sensitive personal data (telephone, e-mail, address and other communication information included) may be processed in accordance to the Law no. 6698 on the Protection of Personal Data (“KVKK”), used and shared on the condition of being limited to its processing aims within the related process, stored for the necessary duration by ÜSTAY YAPI TAAHHÜT VE TİCARET A.Ş., group companies, related partnerships and subsidiaries; that being subject to the activities within the scope of electronical trade legislation you may be contacted through SMS, e-mail and calls and that the necessary clarification was made to you regarding the subject matter, that you declare that you have read and understood this text.

  1. SCOPE

This policy herein and all approvals and permissions within apply for ÜSTAY YAPI TAAHHÜT VE TİCARET A.Ş., and all group companies, partnerships and subsidiaries; these data may be processed by all of these companies and these apply to electronic commerce activities within the designated scope.

Application Form for Data Owners