Personal Data Protection Law
1. Purpose and Scope
The main purpose of this Personal Data Protection Policy (“Policy”) is to make statements about the personal data processing activities carried out by the Company in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company.
This Policy is the responsibility of relevant department managers and employees in the activities carried out for the processing and protection of all personal data managed by the Company.
2. Definitions
KVKK: Personal Data Protection Law No. 6698
GDPR: European Union General Data Protection Regulation
Data Processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept (data recording system).
Data Owner / Related Person: Employees, customers, business partners, shareholders, officials, potential customers, candidate employees, internship sites, visitors, suppliers, employees of the institutions it cooperates with, third parties with whom the Company and its subsidiaries have commercial relations, and real persons whose personal data are processed, including but not limited to those listed here.
Explicit Consent: Consent regarding a specific subject, based on information and expressed with free will.
Personal Data: Any information regarding an identified or identifiable natural person.
Personal Data of Special Nature: Data regarding individuals' race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Processing of Personal Data: Any action performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system.
Anonymization of Personal Data: Making personal data not associated with an identified or identifiable natural person in any way, even by matching it with other data.
Deletion of Personal Data: Making personal data inaccessible and unusable for relevant users in any way.
Destruction of Personal Data: The process of making personal data inaccessible, irretrievable and unusable by anyone.
Company: BOAT ISTANBUL Company, the data controller.
KVK Board/Board: Personal Data Protection Board
KVK Authority/Institution: Personal Data Protection Authority
3. Policy
BOAT ISTANBUL implements technical and administrative measures to protect personal data and ensure information security regarding certain business activities and functions. This Policy will take relevant measures to protect personal data, unless it contains additional terms or when a higher standard for the protection of personal data is required.
The relevant legislative provisions in force regarding the processing and protection of personal data will be primarily applied; if there is a conflict between the relevant legislation and the provisions of this Policy, the current legislation provisions will prevail.
This Policy has been created in accordance with the rules and procedures stipulated in KVKK and other relevant legislation for the protection of personal data. In this sense, the Data Controller is obliged, in accordance with the KVKK, to take all necessary technical and administrative measures to prevent unlawful processing of personal data and unlawful access to personal data and to ensure its preservation.
4. Principles to be followed when processing personal data
BOAT ISTANBUL acts in accordance with the general principles explained below within the scope of all Personal Data Processing activities:
Processing of personal data in a transparent and lawful manner,
Collecting personal data only for specific, clear and legitimate purposes,
Keeping personal data relevant, limited and proportionate to the purpose for which they are processed,
Keeping personal data accurate and up-to-date when necessary, deleting or correcting it without delay,
Keeping them for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,
Processing personal data in a manner that ensures appropriate security.
5. Personal Data Collected
Your Personal Data collected by BOAT ISTANBUL varies depending on the nature of your relationship with our Company and legal obligations. Your collected Personal Data is listed as follows.
Identity: Name and surname, mother and father's name, mother's maiden name, date of birth, place of birth, marital status, identity card serial number, TR ID number, etc.
Contact: Address no, E-mail address, Contact address, Registered e-mail address (KEP), Telephone number etc.
Personnel: Payroll information, Disciplinary investigation, Employment document records, Property declaration information, Resume information, Performance evaluation reports, etc.
Family Members Relation Information: Identity information, contact information and professional, educational information, etc. regarding the Data Owner's children, spouses, especially regarding employee candidates.
Legal Procedure: Information in correspondence with judicial authorities, information in the case file, etc.
Request and Complaint: Information and records collected regarding the requests and complaints made to our Company regarding our products and services associated with the person, and information regarding the reports where the results are evaluated by the relevant business units, etc.
Customer Transaction: Call center records, Invoice, promissory note, check information, Information on box office receipts, Order information, Request information, etc.
Physical Space Security: Entry and exit registration information of employees and visitors, Camera recordings, etc.
Transaction Security: IP address information, Website login and exit information, Password and password information, etc.
Financial: Balance sheet information, Financial performance information, Credit and risk information, Asset information, etc.
Financial Information: In case of a legal pursuit, credit card debt, loan amount, loan payments, debt balance, receivable balance, etc. in parallel with the information received from the official authorities.
Professional Experience: Diploma information, Courses attended, In-service training information, Certificates, Transcript information, etc.
Visual and Audio Records: Visual and Audio records, etc.
Philosophical Belief: Religion, Sect and Other Beliefs, Information regarding other beliefs, Information regarding religious affiliation, Information regarding philosophical belief, Information regarding sect affiliation, etc.
Health Information: Information regarding disability status, Blood type information, Personal health information, Device and prosthesis information used, etc.
Criminal Conviction and Security Measures: Information regarding criminal convictions, information regarding security measures, etc.
6. Purposes of Processing Personal Data
In accordance with KVKK and other relevant legislation, BOAT İSTANBUL informs the relevant persons during the acquisition of personal data. In this context, the Company informs the relevant person about the purpose for which personal data will be processed, to whom and for what purposes the processed data can be transferred, the personal data collection method and the legal reason for collecting personal data.
The purpose of personal data processing varies depending on the relationship between the company and the personal data owner and the legal nature of the business.
The purposes of processing personal data processed by the company are as follows:
Conducting Emergency Management Processes
Execution of Information Security Processes
Conducting Employee Candidate / Intern / Student Selection and Placement Processes
Carrying out the application processes of employee candidates
Conducting Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislation Obligations for Employees
Execution of Fringe Benefits and Benefits Processes for Employees
Conducting Audit / Ethics Activities
Conducting Educational Activities
Execution of Access Authorizations
Conducting Activities in Compliance with Legislation
Carrying out Finance and Accounting Affairs
Execution of Commitment Processes for Company / Product / Services
Ensuring Physical Space Security
Follow-up and Execution of Legal Affairs
Conducting Internal Audit / Investigation / Intelligence Activities
Carrying out Communication Activities
Planning Human Resources Processes
Execution/Audit of Business Activities
Carrying out Occupational Health / Safety Activities
Receiving and Evaluating Suggestions for Improving Business Processes
Carrying out Business Continuity Ensuring Activities
Conducting Logistics Activities
Execution of Goods / Service Purchasing Processes
Execution of Goods/Service After-Sales Support Services
Execution of Goods / Service Sales Processes
Execution of Goods / Service Production and Operation Processes
Execution of Customer Relationship Management Processes
Carrying out Activities for Customer Satisfaction
Organization and Event Management
Conducting Marketing Analysis Studies
Conducting Performance Evaluation Processes
Conducting Risk Management Processes
Execution of Contract Processes
Carrying out Sponsorship Activities
Conducting Strategic Planning Activities
Tracking of Requests / Complaints
Ensuring the Security of Movable Goods and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Foreign Personnel Work and Residence Permit Procedures
Execution of Investment Processes
Conducting Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Conducting Management Activities
Creation and Tracking of Visitor Records
7. Processing Methods of Personal Data and Legal Reason
Personal data may be obtained from the personal data owner or from third parties to whom the personal data owner has given explicit consent. These personal data obtained can be processed by collection, recording, editing, structuring, storage, adaptation, modification, use, transfer, deletion, destruction and anonymization methods.
Personal data may be processed by one or more of the above methods without seeking the explicit consent of the data owner, in the presence of one of the legitimate reasons listed in KVKK Article 5:
It is clearly provided for in the laws and any relevant legislation.
It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation.
It has been made public by the person concerned.
Data processing is mandatory for the establishment, exercise or protection of a right.
It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
8. Storage and Destruction of Personal Data
When determining the storage period of personal data, our company takes into account the applicable legislation and the purposes of processing the data subject to the process. In this context, legal obligations and statute of limitations regarding Personal Data Processing are taken into consideration, if applicable. If the purpose of Personal Data Processing ceases to exist, the data is deleted, destroyed or anonymized unless there is another legal reason or basis that allows the Personal Data to be retained.
In accordance with Article 7 of the KVKK and other relevant legislation, if the reasons for processing personal data are eliminated, personal data will be deleted, destroyed or anonymized upon the Company's decision, periodic control and/or upon the request of the relevant person.
Personal data that is transmitted to us in error by any means, or for which it is understood that the will of the relevant person does not amount to explicit consent, is immediately destroyed by our Company using methods in accordance with the Law.
Our company has prepared a Personal Data Storage and Destruction Policy accordingly. This Storage and Destruction Policy will apply in all cases.
Our company will not store personal data for longer than necessary to enable the identification of the data owner, depending on the reason for collecting the data.
Our company may store personal data for a longer period of time only for public interest, scientific or historical research or statistical purposes by taking appropriate technical and organizational measures to protect the rights and freedoms of the data owner.
The retention period for each category of personal data and the criteria used to determine this period, including the legal obligations that the Company has to retain the data, are specified in the Personal Data Storage and Destruction Policy.
Personal data will be destroyed securely in accordance with the provisions of KVKK and relevant legislation in order to protect the rights and freedoms of the data owner and to ensure data security. Deletion, destruction and anonymization of data will be done in accordance with the Storage and Destruction Policy.
9. Transfer of Personal Data
a. Domestic Transfer
Without prejudice to the cases where the transfer of personal data to administrative and judicial institutions and organizations is required in accordance with the KVKK or the relevant legislation, the personal data of the relevant persons are not transferred by the Company to other persons without the explicit consent of the relevant person. However, in cases where the matters listed in Articles 5 and/or 6 of the KVKK apply, your personal data will be transferred to the relevant institutions and organizations within the legal framework without requiring explicit consent, for reasons of compliance with the law. Our company fulfills its obligation to inform the Data Owner regarding this transfer. Accordingly, the institutions, organizations and/or persons to whom transfers can be made are listed in article c of this policy.
b. International Transfer
BOAT İSTANBUL may transfer personal data abroad by taking the necessary security measures in accordance with the conditions stipulated in the KVKK and relevant legislation and by obtaining the explicit consent of the relevant person. In cases where the explicit consent of the relevant person is not required, the country to which the personal data will be transferred must have the status of a "safe country" and provide adequate protection. In cases where the country to which data is transferred is not considered a safe country by the Board, a data transfer protocol is signed with the Board's permission to ensure adequate protection.
c. Institutions, Organizations and Persons to whom Transfer is Made
In accordance with the Labor Law, Law of Obligations, Income Tax Law, Commercial Law, Private Employment Agencies Regulation and all other legislation related to our services, BOAT İSTANBUL may share personal data with:
Relevant public institutions and organizations,
The competent authorities,
Administrative institutions and organizations, especially Tax Offices, workplace inspectors, İŞKUR, Regional Labor and Social Security Institution.
Apart from these, provided that it does not violate KVKK Articles 8 and 9 and takes all security measures specified in the relevant legislation, our Company may transfer your personal data to:
Our business partners, suppliers and affiliates with whom we cooperate at home and/or abroad,
The law firm from which external support is received, the ISG consultancy firm, and, if requested, the courts and other official-judicial authorities.
10. Measures to Ensure Data Security
Our company takes technical and administrative measures to prevent data breaches to ensure the security of personal data. In this context, our Company;
From an administrative perspective;
Conducts risk audits to identify current risks and threats.
Awareness activities for employees are carried out periodically.
There are personal data security policies and procedures.
It strives to reduce personal data as much as possible by adopting the data minimization approach.
Technically;
cyber security
11. Data Inventory
BOAT ISTANBUL has created a data inventory as part of its approach to identify risks and opportunities throughout the KVKK compliance process.
BOAT ISTANBUL's data inventory determines:
Business processes that use personal data,
Processed personal data,
Processed special personal data,
Personal data owner,
Method of collecting personal data - source of personal data;
Purpose of personal data processing,
Legal reason for processing personal data,
Personal data retention period,
Domestic and international recipient group,
Technical and administrative measures.
12. Rights of the Data Subject
Within the scope of KVKK Article 11, the data owner has the following rights and, if he wishes, he can exercise his rights by reaching the data controller through the methods determined by him:
Learning whether personal data is processed or not,
If personal data has been processed, requesting information regarding the structure of this information and learning to whom it has been disclosed,
Learning the purpose of processing personal data and whether they are used for their intended purpose,
Knowing the third parties to whom personal data is transferred at home or abroad and requesting that the action taken in this regard be notified to third parties,
Requesting that personal data be corrected and notified to third parties if personal data has been processed incorrectly or incompletely,
Requesting the deletion or destruction of personal data in the event that the reasons requiring processing of personal data are eliminated, even though it has been processed in accordance with the provisions of the relevant law,
Objecting to a result that is unfavorable to oneself,
Requesting compensation for damages in case of damage due to unlawful processing of personal data.
13. Data Owner's Exercise of His Rights
Data owners may apply to BOAT ISTANBUL with their requests regarding their rights listed above, in accordance with the application procedures stipulated in the Communiqué on Application Procedures and Principles to the Data Controller. In this context, you can submit your requests by filling out the "Application Form" published on the website (www.boatistanbul.com.tr) and then confirming your identity in person, sending the application form via registered mail or notary to the address "Acıbadem Mahallesi, Çeçen Sokak, Akasya AVM, No:426 İç Kapı No: 25 Üsküdar / İSTANBUL", or sending an e-mail with a confirmed identity to info@boatistanbul.com.tr.
In this case, BOAT ISTANBUL will finalize the request free of charge as soon as possible and within 30 (thirty) days at the latest, depending on its nature. However, if the transaction requires an additional cost, BOAT ISTANBUL may request the fee at the tariff determined by the Personal Data Protection Board. Processes regarding receiving, transmitting and finalizing requests are carried out in accordance with the Relevant Person Application Process.
All personnel of BOAT ISTANBUL, regardless of their job description, are obliged to guide data owners on the correct application method for data owner access requests made to them. BOAT ISTANBUL staff will contact the Data Communication Officer on how to act regarding requests from data owners.
14. Keeping the Policy Up to Date
The owner of this document is the Yacht Istanbul Luxury Yacht Rental Data Controller, who is responsible for reviewing this policy whenever changes occur in BOAT ISTANBUL's processes, or regularly once a year.
The current version of this document is published on www.boatistanbul.com.tr.
This policy was approved by the Board of Directors on 10.04.2022 and archived and published with the signature of the General Manager.
Revision History Records
First Publication: 10.04.2022