Personal Data Processing and Protection Policy.

Personal Data Protection and Processing Policy

INTRODUCTION

1.    Purposes and Scope

The Law on the Protection of Personal Data No. 6698 (“Law”) entered into force on April 7, 2016. This Personal Data Processing and Protection Policy (“PDP Policy”) of Sia Hotel Thermal Spa Turizm Otelcilik Sanayi Ticaret Anonim Şirketi (“Company” or “SİA HOTEL”) has been prepared and enacted to ensure compliance with the Law and to define the principles to be followed by SİA HOTEL in fulfilling its obligations regarding the protection and processing of personal data.

This PDP Policy sets out the conditions for processing personal data and outlines the main principles adopted by SİA HOTEL in processing personal data. In this context, the PDP Policy covers all personal data processing activities conducted by the Company within the scope of the Law for individuals other than SİA HOTEL employees and applies to all individuals whose personal data are processed by SİA HOTEL. The processing of personal data of SİA HOTEL employees is regulated separately in the Sia Hotel Thermal Spa Turizm Otelcilik Sanayi Ticaret Anonim Şirketi Employee Personal Data Processing and Protection Policy.

INTRODUCTION

1.    Purposes and Scope

The Law on the Protection of Personal Data No. 6698 (“Law”) entered into force on April 7, 2016. This Personal Data Processing and Protection Policy (“PDP Policy”) of Sia Hotel Thermal Spa Turizm Otelcilik Sanayi Ticaret Anonim Şirketi (“Company” or “SİA HOTEL”) has been prepared and enacted to ensure compliance with the Law and to define the principles to be followed by SİA HOTEL in fulfilling its obligations regarding the protection and processing of personal data.

This PDP Policy sets out the conditions for processing personal data and outlines the main principles adopted by SİA HOTEL in processing personal data. In this context, the PDP Policy covers all personal data processing activities conducted by the Company within the scope of the Law for individuals other than SİA HOTEL employees and applies to all individuals whose personal data are processed by SİA HOTEL. The processing of personal data of SİA HOTEL employees is regulated separately in the Sia Hotel Thermal Spa Turizm Otelcilik Sanayi Ticaret Anonim Şirketi Employee Personal Data Processing and Protection Policy

[14:00, 23.04.2025] Ela Alghabra Hanım: Effectiveness and Changes
This Personal Data Protection (PDP) Policy is effective from the date it is approved and enacted by SİA HOTEL. The Company reserves the right to make changes to the PDP Policy in accordance with legal regulations.
In case of a conflict between the provisions of this PDP Policy and the applicable legislation, the provisions of the applicable legislation will prevail.

DATA OWNERS, DATA PROCESSING PURPOSES, AND DATA CATEGORIES RELATED TO THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

Data Owners
The data owners within the scope of the PDP Policy are all real persons, other than SİA HOTEL employees, whose personal data are processed by SİA HOTEL. The general categories of data owners are as follows:

DATA OWNER CATEGORIES
DESCRIPTION
Visitor
Refers to real persons who visit the company’s buildings, premises, and website.
Job Applicant
Refers to real persons who have applied for a job at the Company or at organizations by the Company.
Company Official
Refers to the members of the Company’s Board of Directors and other authorized real persons.
Employees, Shareholders, or Representatives of Partner Organizations/Companies
Refers to real persons who are employees, shareholders, or authorized representatives of organizations with which the Company has business relations (e.g., suppliers, business/solution partners, subcontractors, dealers, etc.).
Third Parties
Refers to other real persons, excluding the data owner categories listed above and the employees of the Company, whose personal data are subject to the Company’s data processing activities.
[14:01, 23.04.2025] Ela Alghabra Hanım: Effectiveness and Changes
This Personal Data Protection (PDP) Policy is effective from the date it is approved and enacted by SİA HOTEL. The Company reserves the right to make changes to the PDP Policy in accordance with legal regulations.
In case of a conflict between the provisions of this PDP Policy and the applicable legislation, the provisions of the applicable legislation will prevail.

DATA OWNERS, DATA PROCESSING PURPOSES, AND DATA CATEGORIES RELATED TO THE PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT BY OUR COMPANY

Data Owners
The data owners within the scope of the PDP Policy are all real persons, other than SİA HOTEL employees, whose personal data are processed by SİA HOTEL. The general categories of data owners are as follows:

DATA OWNER CATEGORIES
DESCRIPTION
Visitor
Refers to real persons who visit the company’s buildings, premises, and website.
Job Applicant
Refers to real persons who have applied for a job at the Company or at organizations by the Company.
Company Official
Refers to the members of the Company’s Board of Directors and other authorized real persons.
Employees, Shareholders, or Representatives of Partner Organizations/Companies
Refers to real persons who are employees, shareholders, or authorized representatives of organizations with which the Company has business relations (e.g., suppliers, business/solution partners, subcontractors, dealers, etc.).
Third Parties
Refers to other real persons, excluding the data owner categories listed above and the employees of the Company, whose personal data are subject to the Company’s data processing activities.

Personal Data Category         Description
Identity Information       All information related to an individual’s identity found on documents such as driver’s license, identity card, passport, bar association ID, marriage certificate, etc.

Contact Information       Information enabling communication with the data subject, such as phone number, address, and email address.

Physical Space Security Information      Personal data and documents obtained at the time of entering or while staying within a physical space, such as CCTV footage, vehicle information, and records taken at security checkpoints.

Financial Information    Personal data relating to documents and records showing any financial outcome arising from the type of legal relationship established between the Company and the data subject, such as bank account number, IBAN, debt/receivable information.

Candidate Employee Information    Personal data processed regarding individuals who have applied to become an employee of the Company or have been evaluated as candidates in line with the Company’s human resources needs under commercial customs and good faith principles.

Legal Procedure and Compliance Information         Personal data processed to establish and follow up on legal claims and rights, to fulfill obligations, to maintain lawful commercial relationships with suppliers/business partners, and to ensure compliance with legal obligations and Company policies.

Transaction Information        Data such as call center recordings, phone records, membership information, and cookie records processed in connection with services provided or to protect the legal and other interests of the Company or the data subject.

Visual and Audio Data    Photographs, video recordings (excluding those categorized under Physical Space Security Information), and voice recordings.

Vehicle Information         Information related to vehicles associated with the data subject (e.g., license plate information).

Request/Complaint Management Information       Personal data related to the receipt and evaluation of any request, complaint, or suggestion submitted to the Company.

Audit and Inspection Information      Personal data processed to ensure compliance with legal obligations and Company policies.

Sensitive Personal Data    Information regarding an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, association/foundation/union memberships, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.