Corporate
Corporate

Personal Data Protection and Data Privacy Policy

Download as PDF

CHAPTER 1 : INTRODUCTION

1.1. INTRODUCTION

With the Law on the Protection of Personal Data, the subject of protecting the data of the persons whose data is processed
has become a basic necessity for every company. For this reason,
in addition to paying maximum attention to accessing the private life and information of individuals
and taking effective and deterrent measures in this regard, being transparent to our customers,
potential customers, visitors, company officials, all of the parties and institutions we cooperate with,
in short, people we directly or indirectly
contact with our company whose data
Our process is the main goal of our company data policy.

With this Policy, our company determines and implements the rules
for the processing of personal data within the framework of transparency and clarity principles.

1.2. PURPOSE AND SCOPE OF THE POLICY

The main purpose of this policy is to protect the fundamental rights, especially the right of privacy, and freedom of the persons whose data have been processed, in the processing of personal data, and in this sense, to ensure the transparency of every activity of our company through public disclosure.

The extent of the provisions of this policy is all personal data of the persons whose data we process directly or indirectly.

1.3. APPLICATION OF THE POLICY

In case of incompatibility between the current legislation and our policy, the current legislation will be applied with priority and in case there is another policy or regulation on the same subject for more specific purposes other than this main policy, primarily the articles containing special provisions will be applied. The provisions of other policies and documents that conflict with this policy and the relevant legislation will not be applied.

CHAPTER 2: ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA

2.1. GENERAL PRINCIPLES IN THE PROCESSING OF THE PERSONAL DATA

2.1.1 Compliance with the Law and Rules of good faith

While processing the personal data, the data must be obtained and processed by the law and rules of good faith. While processing the data, LDR Tourism Inc. Co. processes the data with the highest sensitivity and control per the law and rules of good faith.

2.1.2 Being Accurate and up-to-date when necessary

The processed data must be accurate and up-to-date when recency is necessary for data of individuals. LDR Tourism Inc. Co. checks the accuracy of the processed data in every processing stage and makes the necessary preparations to keep it up-to-date when necessary.

2.1.3 Processing for Specific, Explicit, and Legitimate purposes

During the processing of the data, it should be clear which data is processed, how much of them are processed, and for what purpose they are processed and, it should be by the law, namely, legitimate. LDR Tourism Inc. Co. only processes data for legitimate purposes and takes care to ensure that the data to be obtained during this processing are specific. LDR Tourism Inc. Co. processes the data clearly and explicitly so that the information obtained is not used for different purposes and does not cause any misunderstanding.

2.1.4 Being Related, Limited, and Proportional to the purposes for which they are processed

Data must be processed in a controlled manner while being faithful, limited, and measured to the purpose of the processing. While processing data, LDR Tourism Inc. Co. only processes the data of the data owners in a measured manner, limited and related only to the purpose for which they are processed.

2.1.5 Retaining them for the period of time stipulated by the relevant legislation or the period deemed necessary for the purpose of the processing

Processed personal data must be acted upon with maximum protection following the period specified in the relevant legislation or the period of the relevant purpose. In this context, if a period is stipulated for the storage of personal data in the relevant legislation, LDR Tourism Inc. Co. retains personal data limited to these periods. If a period is not stipulated in the legislation or there is no legal reason to keep the data for any longer, LDR Tourism Inc. Co. retains personal data for as long as necessary for the purpose for which they are processed. Thus, the security of data owners is ensured at the maximum level. (For more information See Chapter 6.4)

2.2 TERMS OF PROCESSING PERSONAL DATA

2.2.1 Terms Of Processing Personal Data

LDR Tourism Inc. Co. processes the data of data owners by the law and the provisions of the relevant legislation below.

Terms Of Processing General Personal Data

General Data Concept: The concept of any personal data processed by LDR Tourism Inc. Co., which does not fall into the sensitive data category specified in this section, constitutes the general category of personal data.

General Condition: Personal data cannot be processed without the explicit consent of the relevant person.

Exceptions: In case of the existence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the relevant person:

Explicitly stipulated by the law.

In case it is mandatory for the protection of the life or bodily integrity of the person or another person’s life or bodily integrity, who is unable to express their consent due to actual impossibility, or whose consent is not legally valid.

In case it is mandatory to process the personal data of the parties of the contract,
provided that it is directly related to the establishment or execution of a contract.

In case it is mandatory for the data controller to fulfill their legal obligation.

Being publicized by the person concerned.

If the data processing is required for the establishment, exercise, or protection of a right.

If data processing is required for the legitimate interests of the data controller,
provided that the fundamental rights and freedoms of the relevant person are not harmed.

Terms Of Processing Sensitive Personal Data

Sensitive Personal Data: Data about convictions, security measures with biometric and genetic data of people concerning race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation, or trade union, medical condition, sexual life.

General Condition: It is forbidden to process sensitive personal data without the explicit consent of the relevant person.

Exceptions and Special Conditions: Personal data other than health and sexual life specified in the first paragraph may be processed without seeking the explicit consent of the relevant person, in cases stipulated by the laws.

Our company obtains the express consent of the relevant data owners while processing and storing sensitive data regarding the retaining of records of sensitive health problems.

Personal data related to health and sexual life can only be processed by persons and organizations under the obligation of confidentiality to protect public health, conducting preventive medicine, medical diagnosis, treatment and care services, the planning and management of health services and their financing, without the express consent of the relevant person.

Conditions of the Board of the Personal Data Protection Institution: In the processing of sensitive personal data, it is also necessary to take adequate measures determined by the Board.

CHAPTER 3: PROTECTION OF PERSONAL DATA

3.1. SECURITY OF PERSONAL DATA

By Article 12 of the Personal Data Protection Law, LDR Tourism Inc. Co. takes all kinds of technical and administrative measures according to technological possibilities and implementation costs to ensure that personal data is processed by the law. Data supervisors and data processors cannot unlawfully disclose the personal data they have learned to others and cannot use them for purposes other than processing.

The necessary training has been given to LDR Tourism Inc. Co. personnel regarding technical issues, awareness of the employees is created, and audits are carried out. LDR Inc. Co.’s relevant department and contracted legal consultancy works in coordination on this subject.

3.1.1. Measures Taken To Ensure The Legal Processing Of Personal Data

The main technical and administrative measures taken by LDR Tourism Inc. Co. to ensure the legal processing of personal data:

Personal data processing activities carried out within the body of LDR Tourism Inc. Co. are audited by technical systems and reported to the relevant persons.

Personal data processing activities carried out by the work units of LDR Tourism Inc. Co.; the requirements that will be fulfilled in order to ensure that these activities comply with the personal data processing provisions sought by Law No. 6698 are determined exclusively for each department and the activity carried out by the relevant unit.

Ensuring compliance with the law and the procedure prepared for the relevant departments are implemented through administrative measures, in-company policies, and training.

3.1.2. Measures Taken to Prevent Unlawful Access

LDR Turizm Inc. Co. takes technical and administrative measures according to the nature of the data to be protected to prevent the imprudent or unauthorized disclosure, access, transfer, or any other unlawful access to personal data. The main technical and administrative measures taken by LDR Tourism Inc. Co. to prevent unlawful access to the personal data:

Technical measures taken with access and authorization technical solutions are reported periodically, and the necessary technological solutions are produced by re-evaluating the issues posing a risk. Software and hardware that include logging, virus protection systems, and firewalls are installed.

Personnel with technical knowledge are employed.

Access and authorization to personal data processes are designed and implemented within the company in accordance with business unit-based legal compliance requirements.

Employees are informed that the personal data they have learned cannot be disclosed to others in violation of the provisions of the Personal Data Protection Law and all other relevant legislation, that they cannot use it for purposes other than processing, and that this obligation will continue after their resignation, and necessary commitments are taken from them in this direction.

Provisions regarding that the persons to whom personal data are transferred will take the necessary security measures for the protection of personal data are added to the contracts concluded with the persons to whom personal data are transferred per the law by LDR Tourism Inc. Co. and/or mutual agreement texts are signed.

3.1.3. Measures Taken for Storing Personal Data in Secure Environments

LDR Tourism Inc. Co. takes the necessary technical and administrative measures to store personal data in secure environments and to prevent their elimination, loss, or alteration for unlawful purposes.

Main administrative measures taken by our company for storing the personal data in secure environments:

Systems suitable for technological developments are used to store personal data in secure environments.

Personnel specialized in technical matters are employed.

Technical security systems are established for the storage areas, the technical measures taken are reported to the relevant person, subjects that pose a risk are re-evaluated and the necessary technological solution is produced.

To ensure the safe storage of personal data, backup programs are lawfully used.

Non-digital data are kept in locked cabinets and can only be accessed by authorized persons.

3.2. AUDIT

By the 3rd paragraph of Article 12 of the Protection of Personal Data Law, the data supervisor is obliged to carry out or have the necessary audits carried out in their institution or organization to ensure the implementation of the provisions of this law.

3.2.1. Audit of Measures Taken on Personal Data Protection

LDR Tourism Inc. Co. and our contracted legal consultancy company perform audits or have them performed to establish the data security described above and to ensure the regularity and continuity of the measures taken.

The results of these audits are reported to the relevant department or management within the scope of the internal functioning of our company, and the necessary activities for the improvement of the measures taken are carried out following the Protection of Personal Data Law and other legislation and this company policy.

3.2.2. Supervising The Increasing of Business Units’ Awareness of Personal Data Protection and Processing

LDR Tourism Inc. Co. provides the necessary training to the business units through the seminars and sessions carried out to increase awareness towards preventing the illegal processing of personal data, illegal access to the data, and ensuring the protection of data. LDR Tourism Inc. Co. updates and renews its training in parallel with the updates in the relevant legislation. Necessary systems are established to raise awareness about the protection of personal data, and the relevant department of our company and our contracted legal consultancy company carry out the audits related to the subject.

The results of the training carried out to raise awareness on the protection and processing of personal data are reported to our company, and participation in these training is mandated and controlled by LDR Tourism Inc. Co.

3.3. CONFIDENTIALITY

To prevent the disclosure and transfer of personal data in violation of the provisions of the law and policy, access to these data and the transactions arising from other security deficiencies that may occur, LDR Tourism Inc. Co. takes all necessary measures within the possibilities and according to the nature of the personal data to be protected.

The necessary training has been given to LDR Tourism Inc. Co. personnel regarding this subject and the employment of knowledgeable personnel on this subject is ensured. Personal data processing activities are examined and audited by LDR Tourism Inc. Co. in detail and periodically. In case the technology allows , necessary measures are taken in the processing of personal data and it is essential to update and improve the measures taken. LDR Tourism Inc. Co.’s relevant department and contracted legal consultancy work in coordination on the execution of these activities and the audit of them.

3.4. UNAUTHORIZED DISCLOSURE OF PERSONAL DATA

In crimes related to unauthorized disclosure of personal data, the provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 and all relevant legislation are applied. Our company informs the employees and related persons of the provisions of all relevant legislation. Unlawfully transferring, spreading, recording, or seizing personal data, not destroying the data in the system despite the expiry of the periods stipulated by the laws, and in violation of the provision of Article 7³ of the, Personal Data Protection Law; real persons who do not delete or anonymize personal data despite the disappearance of the conditions that legitimize the storage or processing of personal data are punished with imprisonment according to Article 138 of the Turkish Penal Code. The procedures and principles regarding the deletion, destruction, or anonymization of personal data are regulated by regulations.

According to the regulations in the Turkish Penal Code, a person who unlawfully gives personal data to another person, distributes or seizes this data unlawfully, is punished with imprisonment from two to four years, and if they commit this crime by taking advantage of the convenience provided by a certain profession and art; then the person is punished for the qualified form of this punishment. The employee of the company committing the crime of displaying, obtaining, or hacking the personal data without the authorization to process the personal data, will be notified to the personal data owner, the prosecution office and the relevant authorities without delay and, the necessary actions will be taken against him and he will be punished with the qualified form of the crime.

Administrative fines are also imposed on those who do not fulfill their obligations regarding the disclosure or data security following the provision regulated under the heading of Misdemeanors in the Personal Data Protection Law, those who do not fulfill the decisions made by the Board, or who violate the obligation to register and notify in the Data Supervisors Registry.

CHAPTER 4: ORGANIZATIONAL MEASURES TO PROTECT THE COMPANY PERSONAL DATA

LDR Tourism Inc. Co. establishes a management structure to ensure the enforcement of the Policy of Processing and Protection of Personal Data.

A committee is established within the body of LDR Tourism Inc. Co. to manage this Policy and other policies related to this Policy. The duties of the committee to be established are stated below. Apart from these duties, the committee also performs other duties assigned by the senior management. The committee executes all of its activities with the approval of the senior management.

To prepare the basic policies regarding the Protection and Processing of Personal Data and, if necessary, the amendments to be made on these policies,

To decide how to implement and how to follow the implementation of the policies regarding the Protection and Processing of Personal Data,

Making assignments and ensuring coordination within the company,

To determine the points that need to be performed to ensure compliance with the Personal Data Protection Law and the relevant legislation and to ensure that these points are implemented,

To raise awareness within the Company and the institutions with which the Company cooperates on the Protection and Processing of Personal Data and to organize training within this scope,

To ensure that required measures are taken by identifying the risks that may incur in the company’s personal data processing activities,

To decide on the applications of personal data owners at the highest level,

To follow the developments and regulations on the protection of personal data and to take the necessary actions

Contact persons are the persons who are notified to the registry during registration by LDR Tourism Inc. Co. for the communication between the contracted legal consultancy company and the organization. This real person or persons to be notified are members of our department assigned to do this job within our company.

According to the Regulation on the Registry of Data Supervisors, LDR Tourism Inc. Co. limited the function of the contact person as the point of contact, to ensure that the requests made by the relevant persons to the data supervisor are answered quickly and effectively. Thus, it is aimed to respond to the problems or questions of data owners whose personal data are processed in the fastest and most explanatory way, but the contact person is not legally authorized to represent the data supervisor. For this reason, apart from providing information, they have no duty or authority other than to answer the questions of the person who has contacted the company and the data owner or contact person by law and to inform our company about this issue. As soon as LDR Tourism Inc. Co. is informed by the contact person, the authorized department or institution assigned by our company will take action regarding the problem as soon as possible and the necessary procedures will be carried out. During these processes, the personal data owner or the relevant person will be informed about all these processes and procedures, and if necessary, the personal data owner or related persons will be contacted by the authorized department or our company.

CHAPTER 5: THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED AND THE PURPOSE OF THE TRANSFER

Our company notifies the personal data owner of the groups of persons to whom personal data is transferred following the Article4 104 of the PPD Law.

LDR Tourism Inc. Co., by the Articles 8 and 9 of the PPD Law (see Chapter 2/Title 2.1.5), may transfer the personal data of data owners managed by policy to the following categories of persons:

(i) Business partners,

(ii) Suppliers,

(iii) Joint companies,

(iv) Shareholders,

(v) Authorities,

(vi) Legally authorized public institutions and organizations,

(vii) Legally authorized private legal persons

of the Company.

The extent of the above-mentioned persons to whom the transfer is made and the data transfer purposes are stated below.

The Definition Purpose of Data Transfer
Joint Companies Companies The transfers
are made to ensure that all kinds of commercial and organizational measures that require the participation of companies are carried out.
Shareholders Real persons who are shareholders of the company According to the provisions of the relevant legislation,
it is limited to the purposes of its activities within the scope of corporate law, event management, and corporate communication processes.
Company Authorities Company board of directors In accordance with the provisions of the relevant legislation, the transfer is limited to designing the strategies regarding the commercial activities of the company, ensuring the management at the highest level and auditing purposes
members and other authorized real persons
Legally Authorized Public Institutions and Organizations Public institutions and organizations authorized to receive information and documents from the company following the provisions of the relevant legislation The transfer is limited to
the purpose requested by the
relevant public institutions and organizations within their legal authority
Legally Authorized Private Persons Suppliers Private persons authorized to receive information and documents from the company following the provisions of the relevant legislation The transfer is limited to the purpose requested by the relevant private persons within the scope of their legal authority

The parties that provide services to the company on a contractual basis under orders and instructions of the company while carrying out the commercial activities of the company. To ensure the services that the company procures from the supplier and that is necessary to fulfill the commercial activities of the company are provided to the company

CHAPTER 6: DELETING PERSONAL DATA, STORAGE PERIODS and DATA INVENTORY

6.1. Liability of LDR Tourism Inc. Co.

LDR Tourism Inc. Co. deletes, destroys, or anonymizes the personal data, which has been processed following the explanations in Article 7 of the Law on Protection of Personal Data No. 6698 and the article 138 of the Turkish Penal Code No. 5237, and of which the purpose of processing and storage has disappeared, with the decision to be made pursuant to the rights arising from the Turkish Commercial Code, the rights granted by all relevant legislative provisions and the principles outlined in this policy (see chapter 2.2.1 (e) and (f) ) or as stated in Article 7 of the Protection of Personal Data Law with the express consent of the data owner in a way that will not harm the interests of our company in its commercial life.

6.2. Deletion, Destruction or Anonymization of Personal Data

6.2.1.Deletion and Destruction of Personal Data

Deletion of personal data is defined in the 8th Article of the regulation as “the process of making personal data inaccessible and unusable for the relevant users in any way”.

Destruction of personal data is defined in the 9th Article of the regulation as “the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way”.

6.2.2. Methods of Deletion of Personal Data

a) Application Type Cloud-Based Solutions as a Service (Office 365, Salesforce, etc.)

Data in the cloud system is deleted by issuing the delete command. While the process is taking place, the relevant user does not have the authority to restore the deleted data on the cloud system.

b) Personal Data on Paper Media

Personal data in paper media are deleted using the blackout method. Blackout operation is done in such a way that the personal data on the relevant document is cut where possible, it is made invisible to the relevant user by using fixed ink so that it cannot be restored and read by technological solutions.

c) Office Files on the Central Server

The file is deleted with the delete command in the operating system or the access rights of the relevant user on the directory where the file is located are removed.

d) Personal Data on Portable Media

Personal data in flash-based storage media is stored encrypted and deleted using software suitable for these media

e) Databases

The relevant lines containing personal data are deleted by database commands. While performing the said process, the relevant user is not a database administrator.

6.2.3. Personal Data Destruction Methods

a) Physical Destruction

Personal data can be processed with non-automatic means provided that they are a part of any data registry system. While such data is destroyed, physical destruction of personal data is applied in a way that it will not be used later.

b) De-magnetizing

It is the process of making the data incomprehensible and unreadable by exposing the magnetic media to a high magnetic field by passing it through a special device.

c) Paper Media

Destruction processes in this environment are the methods of destroying the papers by bringing them to incomprehensible dimensions with shredding and clipping machines.

6.2.4. Anonymization of Personal Data

Anonymization of personal data in the 10th Article of the regulation is defined as “the process of making personal data non-associable with an identified or identifiable natural person under any circumstances, even if it is matched with other data.’’

6.2.4.1. Methods of Anonymization of Personal Data

a) Masking

A method of anonymization is provided by removing or deleting the distinct attributes or characteristics of the data owners whose data is processed.

Example: Preventing the identification of the data owner by removing information such as TR Identity Number, etc., which enables the identification of the Personal Data Owner.

b)Data Shuffling, Permutation

This method is aimed to anonymize the data by relocating some of the information of the data owners who have data in the system.

Example: Ensuring that the Personal Data Owner is not recognized by relocating the sub-valued information alongside the data which is considered as the main category in the employee information.

c) Data Derivation

It is ensured that the information becomes undetectable or undefinable by adding or subtracting the variables in the data in the system to a certain extent.

Example: Only specifying the neighborhood or district where the personal data owner lives, instead of explaining in detail the residence of the data owner.

d) Aggregation

The process to convert the relevant personal data from a specific value to a more general value. With this method, the data is generalized and personal data is rendered unrelated to any person.

Example: Instead of specifying the neighborhoods where the employees live, specifying how many employees live in the X neighborhood.

6.2.4.2. LDR Tourism Inc. Co.’s Choosing Procedure of the Anonymization Method

One or more of the anonymization methods described above will be selected by the committee formed by the company to ensure the enforcement of this policy, in line with all relevant legislation and the interests of LDR Tourism Inc. Co. in business life. Detailed information about the committee has been described in the previous chapter. (see chapter 4)

The anonymization method to be chosen will be determined by the committee, taking into account the following issues:

Nature of the data

Size of the data

Structure of the data in physical environments

Diversity of data

Purpose of the processing of data

Anonymization will be carried out in line with the storage periods and principles outlined in the personal data inventory chapters of this policy.

6.3. STORAGE PERIOD

LDR Tourism Inc. Co. stores personal data in its data inventory by the periods determined in all relevant legislation.

In the absence of any period determined in the relevant legislation regarding these periods, LDR Tourism Inc. Co. stores the personal data within the periods determined in accordance with the interests of our company provided that it is in accordance with the laws and regulations, and practices arising from the sector in which the company is located in and when storage is no longer required, it is deleted or destroyed or anonymized in the ways described above.

If the purpose of processing and storing personal data has disappeared and the periods determined in all relevant legislation regarding personal data and the principles determined by our company in this policy (see chapter 2.2.1 (e) and (f)) has passed, personal data can also be stored for use in all kinds of legal disputes that may arise in the future. The personal data specified in this section are only stored for use in legal disputes and cannot be used for any other purpose. In line with the explanations above, all foreseen measures and precautions are taken by LDR Tourism Inc. Co.

For example, using the information in the data system to determine the residential area of the employee to determine the authorized court in the lawsuit to be filed against the employee who has left the workplace due to the wrongful termination of the contract can be evaluated within this scope. (The scope of the above explanations is not limited to the example given.)

6.4. PERSONAL DATA INVENTORY

It refers to the data (Word, excel vs.) which can be submitted to the PPD Institution when necessary and in which the data processed separately in each department within the body of LDR Tourism Inc. Co. by the Regulation on LPPD and Data Supervisor Registry are collected and the deletion, destruction, and the anonymization process is performed by the legislation and company policy as explained above.

What should be included in a personal data inventory according to the definition in the regulation:

i. Personal Data Processing Purposes

ii. Data Category

iii. The maximum periods required for the processing of personal data which is created by associating with the transferred recipient group and the data subject group

iv. Personal periods foreseen to be transferred to foreign countries

v. Data security measures taken

Considering the above-mentioned criteria, information regarding the processes to be made with personal data will be collected in the relevant inventory. Inventory content can be stored in digital media such as Word and Excel in line with our company’s own interests following the law and legislation and content that cannot be stored in a digital environment can be stored in paper media as well.

The deletion, destruction, anonymization processes of personal data described in chapter 6 are carried out by LDR Tourism Inc. Co. or by a person authorized by LDR Tourism Inc. Co., in the personal data inventory.

6.4.1. Preparation of Personal Data Inventory

If there is a provision in the relevant legislation regarding the preparation procedure of the Personal Data Inventory, the personal data inventory will be prepared by LDR Tourism Inc. Co. following those provisions. In cases where there is no provision in the relevant legislation regarding the preparation method of the Personal Data Inventory, our company is free to choose which method to prepare the personal data inventory with, taking into account its internal working discipline and business processes.

CHAPTER 7: RIGHTS OF THE DATA OWNER AND THE RULES ON THE USE OF THESE RIGHTS

7.1. RIGHTS OF THE PERSONAL DATA OWNER

LDR Tourism Inc. Co. carries out the necessary channels, internal processes, administrative and technical regulations following the 13th Article of the PPD Law to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

If personal data owners submit their requests regarding their rights listed below in writing to our company, our company concludes the request free of charge within thirty days at the latest, depending on the nature of the request. However, if a fee is stipulated by the PPD Board, the fee in the tariff determined by the PPD Board will be collected from the applicant. Personal data owners have the following rights;

To learn whether personal data has been processed or not,

Request information if their personal data have been processed,

Find out the purpose of processing personal data and whether they are used appropriately for their purpose,

Knowing the third persons in the country or abroad to whom personal data have been transferred,

Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the process made within this scope to the third parties to whom the personal data has been transferred,

Although their data has been processed in accordance with the provisions of the PPD Law and other related laws, requesting the removal or destruction of their personal data in case the reasons requiring the processing of the data are not valid anymore and to notify the third parties to which the personal data has been transferred,

Objecting to the emergence of a result against the person themselves through the analysis of the processed data exclusively through automated systems,

To demand that the loss be recovered in case the person is harmed due to the unlawful processing of personal data.

Pursuant to the 13th Article5 of the Law on Protection of Personal Data, personal data owners are required to submit their requests for exercising their rights mentioned above to our Company by “written” or other methods determined by the Personal Data Protection Board.

7.1.1. Right to Access Personal Data

The related persons have the right to access their personal data without any charge. The interests of the company and its legitimate right to retain data are protected under the Personal Data Protection Law and relevant legislation; the right to change and delete is pursued. LDR Tourism Inc. Co. informs the related person of their rights to;

• Learn whether personal data is processed or not,

• Request the information related to personal data if personal data has been processed,

• Learn the purpose of processing the personal data and whether they are used for this purpose or not,

• Learn the third parties to whom their personal data have been transferred domestic or abroad.

7.1.2. Right to Change or Delete Personal Data

The related persons have the right to change or delete their personal data without any charge. In this context, the related person has the right to;

• Request the correction of incomplete or incorrect processing of personal data

• Request the deletion or destruction of personal data if the reasons requiring the processing of personal data no longer exist,

• Request notification of the correction, deletion or destruction processes mentioned above to third parties to whom personal data are transferred and

• Object to an adverse result arising through the analysis of the processed data exclusively through automated systems.

7.1.3. Ensuring the Up-to-dateness of Personal Data

Pursuant to the Personal Data Protection Law, there is an obligation to ensure that personal data is accurate and up-to-date when necessary, therefore, the relevant party should notify our company of the situation changes in order to keep personal data accurate and up-to-date. If the data change is not notified to LDR Tourism Inc. Co. in writing by the relevant person, LDR Tourism Inc. Co. is not responsible for any damage or enforcements occurring/will occur from the data not being updated.

7.2. PROTECTION OF THE RIGHTS OF PERSONAL DATA OWNER

In accordance with Article 12 of the Personal Data Protection Law, the data supervisor must take all the necessary technical and administrative measurements to ensure the appropriate security level to prevent;

• Illegal processing of personal data,

• Illegal access to personal data,

• And to ensure the conservation of personal data.

In case the personal data is processed by another real or legal person on its behalf, LDR Tourism Inc. Co. is jointly and severally responsible for the measures specified in the first paragraph following the relevant law article. In order to ensure the enforcement of the provisions of the Law, LDR Tourism Inc. Co. performs the necessary audits.

This provision has been added to all contract, commitment – agreement texts and shared by LDR Tourism Inc. Co. with the persons who can transfer data on page 13 of Chapter 5 of this policy; in cases where a contract or an agreement text cannot be drawn up due to actual impossibility or because it is not suitable for the ordinary course of life, this policy can be viewed on the website of www.liderfilo.com.tr, since this policy has been made available to the public.

7.3. CONDITIONS WHERE THE PERSONAL DATA OWNER CANNOT CLAIM THEIR RIGHTS

Since the following cases are excluded from the extent of the relevant law following the 28th Article of the Personal Data Protection Law, personal data owners cannot claim the following rights in these cases:

• Processing the personal data for the purposes of investigation, planning, and statistics by anonymizing with official statistics,

• Processing personal data within the context of artistic, historical, literary, or scientific purposes or freedom of speech provided that the personal data does not breach the national defence, national security, public security, public order, economic security and confidentiality of private life or personal rights, and does not constitute a crime,

• Processing the personal data within the scope of preventive, protective, and intelligence operations executed by public institutions and organizations authorized by the law to ensure national defence, national security, public safety, public order or economic security and

• Processing the personal data by judicial or enforcement authorities in relation to the investigation, proceedings, litigation, or execution procedures.

Personal data owners, pursuant to the 28th Article of the Law on PPD, may not claim their other rights, except the right to demand compensation for the damage, in the following cases:

• When processing personal data is required for the prevention of committing an illegal act or criminal investigation,

• Processing of personal data publicized by the personal data owner,

• Processing personal data being required for disciplinary investigation or prosecution and conducting supervisory or regulatory duties by the authorized public institutions and organizations and professional public organizations by the power granted by the law.

CHAPTER 9: PERSONAL DATA PROCESSING ACTIVITIES PERFORMED IN LDR TOURISM INC. CO. FACILITIES AND DATA PROCESSING ACTIVITIES PERFORMED ON THE WEBSITE

PERSONAL DATA PROCESSING ACTIVITIES IN BUILDINGS, FACILITY PREMISES AND ENTRANCES

Personal data processing activities conducted by LDR Tourism Inc. Co. at the entrance locations and in the buildings and premises are carried out in accordance with the Constitution, the Law on PPD and other relevant legislation.

In order to ensure security, LDR Tourism Inc. Co. conducts monitoring activities with security cameras in the buildings and premises, and data processing for tracking guest entrance and exits.

The company carries out personal data processing through the use of security cameras and recording of guest entrances and exits.

CAMERA SURVEILLANCE ACTIVITY AT LDR TOURISM INC. CO. BUILDING, ENTRANCES, AND WITHIN PREMISES

In this section, we will explain the camera-surveillance system of LDR Tourism Inc. Co., and give information on how personal data, privacy, and human fundamental rights are protected. Within the scope of surveillance activity with security cameras, LDR Tourism Inc. Co. aims to protect the interests of the company and other persons regarding their security.

Legal Basis of Camera Surveillance Activity

LDR Tourism Inc. Co. conducts camera surveillance activities by the Law on Private Security Services and related legislation.

Surveillance with Security Cameras According to the PPD Law

LDR Tourism Inc. Co. complies with the regulations of the Law on PPD in conducting surveillance activities with security cameras. To ensure security in the buildings and facilities, LDR Tourism Inc. Co. carries out surveillance activities in line with the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing requirements set forth in the PPD Law.

Announcement of Camera Monitoring Activities

By the 10th Article of the PPD Law, the personal data owner is informed by LDR Tourism Inc. Co. In the clarification done by LDR Tourism Inc. Co. regarding the general issues, there is more than one method of notification regarding the surveillance activities. In this way, it is aimed to prevent damage to the fundamental rights and freedoms of the personal data owner, to ensure transparency, and to elucidate the data subject.

Concerning the camera surveillance activity conducted by LDR Tourism Inc. Co.; this Policy is published on LDR Tourism Inc. Co.’s website (online Policy regulation) and a notification letter stating that surveillance will be carried out is posted at the entrances of the areas which are surveilled (clarification in place).

The Purpose of Surveillance Activities with Cameras and Limitation of Purpose

By the 4th Article of the Law on PPD, LDR Tourism Inc. Co. processes personal data in a limited and restrained manner in connection with the purpose for which it was processed.

The purpose of video surveillance by LDR Tourism Inc. Co. is limited to the purposes set out in this Policy. In this respect, security camera coverage, the number of them, and when to conduct surveillance is determined in a way that is sufficient enough to achieve the security purpose and is limited for this purpose. Areas, where personal privacy takes precedence of the security goals (e.g. toilets), are not surveilled.

Ensuring the Security of the Data Obtained

Necessary technical and administrative measures are taken by LDR Tourism Inc. Co. by the 12th Article of the PPD Law to ensure the security of personal data obtained as a result of camera surveillance.

Retention Period of Personal Data Obtained by Surveillance with Cameras

The detailed information about the retention period of personal data obtained by camera surveillance activities of LDR Tourism Inc. Co. is presented in the article of the 6.4 Policy, titled “Retention Period of Personal Data”.

Persons Who Can Access Information Obtained as a Result of Surveillance and Persons This Information is Transferred to

Only a limited number of LDR Tourism Inc. Co. employees have access to records that are recorded with live camera recordings and stored digitally. A limited number of people who have access to the records declare, through the confidentiality commitment, that they will protect the confidentiality of the data they access.

MONITORING OF ENTRIES AND EXITS OF GUESTS IN THE COMPANY’S BUILDING, ENTRANCES, AND PREMISES

To ensure company security and in line with the purposes of this Policy, personal data processing is performed to track entrance and exits of guests in LDR Tourism Inc. Co. buildings and premises.

Subject personal data owners are informed when their names and surnames are obtained when entering the premises of LDR Tourism Inc. Co. as a guest, or through the texts that are posted before LDR Tourism Inc. Co. or otherwise made available to guests. The data obtained for tracking guest entrance and exits are processed for this purpose only, and the personal data are recorded in the data recording system in physical domains.

STORAGE OF RECORDS OF THE INTERNET ACCESS PROVIDED TO THE COMPANY’S GUESTS AND WEBSITE VISITORS

To ensure company security and in line with the purposes of this Policy, LDR Tourism Inc. Co. can record the logs of the internet access of the guests for the duration of their stay in the facilities by Law No. 5651 and the mandatory provisions of the legislation regulated following this Law.

Only a limited number of LDR Tourism Inc. Co. employees have access to the log records obtained within this framework.

These records are only processed and shared with third parties when requested by authorized public institutions and organizations or to fulfill our legal obligations in audit processes to be carried out within LDR Tourism Inc. Co. and/or protecting our legal rights and establishing LDR Tourism Inc. Co.’s defense rights.

VISITORS OF THE COMPANY’S WEBSITE

On the websites owned by LDR Tourism Inc. Co., internet movements within the site are recorded by technical means (e.g. cookies) to ensure that visitors of these sites conduct their visits on the sites in a manner suitable for the purpose of their visit, to show them customized content and to carry out online advertising activities.

Detailed explanations about the protection and processing of personal data regarding these activities of LDR Tourism Inc. Co. are included in the “Company’s Website Privacy Policy” texts of the websites.

CHAPTER 10: EFFECTIVE AND UPDATEABILITY

Organized by LDR Tourism Inc. Co. and entered into force on 26 March 2017. All or part of the Policy may be updated. Policy is published on the LDR Tourism Inc. Co. website (www.liderfilo.com.tr) and made available to the relevant persons upon the request of the personal data owners.

ANNEX-1 : DEFINITIONS

Sensitive Personal Data refers to making personal data unable to be associated with any identified or identifiable real person in any way even when personal data is paired with other data.

Institution refers to the Personal Data Protection Authority.

Data Processor refers to the natural or legal person who processes personal data on behalf of the data supervisor, based on the authority given by them.

Data Supervisor refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Explicit Consent refers to the consent expressed with free will that is based on information, regarding a particular subject.

Anonymisation refers to making personal data unable to be associated with any identified or identifiable real person in any way even when personal data is paired with other data.

Business Partner refers to the companies to which personal data is transferred and with which LDR Tourism Inc. Co. establishes business partnerships for purposes such as carrying out projects, receiving services, in person, or together with joint companies while carrying out commercial and all kinds of organizational activities.

Personal Data refers to any information relating to an identified or identifiable natural person.

LPPD Law on the Protection of Personal Data No. 6698 dated March 24, 2016, published in the Official Gazette dated April 7, 2016, and numbered 29677

LPPD Article 7

(1) Although it has been processed following the provisions of this Law and other relevant laws, in the event that the reasons for its processing disappear, personal data are deleted, destroyed, or anonymized by the data supervisor ex officio or upon the request of the relevant person.

(2) The provisions in the relevant laws regarding the deletion, destruction, or anonymization of personal data are reserved.

(3) The procedures and principles regarding the deletion, destruction, or anonymization of personal data are regulated by regulations.

TCC Turkish Penal Code No. 5237, dated September 26, 2004, was published in the Official Gazette dated 12 October 2004 and numbered 25611.

TCC article 138

(1) Those who are obliged to destroy the data are sentenced to imprisonment from one year to two years if they do not fulfill their duties within the system despite the expiry of the periods stipulated by the laws.

(2) (Annex: 21/2/2014-6526/5 Article) If the subject data of the crime is data that needs to be eliminated or destroyed by the provisions of the Criminal Procedure Code, the penalty to be imposed is increased onefold.

Regulation on the Deletion, Destruction or Anonymization of Personal Data No. 30224 published in the Official Gazette on Saturday, 28 October 2017

¹ ARTICLE 12- (1) Data supervisor; must take all the necessary technical and administrative measures to ensure the appropriate level of security a) to prevent the unlawful processing of personal data, b) to prevent unlawful access to personal data, c) to ensure the preservation of personal data.

² (3) The data supervisor is obliged to carry out or have the necessary audits carried out in their institution or organization to ensure the implementation of the provisions of this Law.

³ ARTICLE 7- Although it has been processed by the provisions of this Law and other relevant laws, in the event that the reasons for its processing disappear, personal data is deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject.
The provisions in other laws regarding the deletion, destruction, or anonymization of personal data are reserved.
4 ARTICLE 10- (1)-c) To whom and for what purpose the processed personal data can be transferred,
5 ARTICLE 13- The related person submits their requests regarding the implementation of this Law to the data supervisor in writing or by other methods to be determined by the Board. The data supervisor concludes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the process requires an additional cost, the tariff determined by the Board is charged. The data supervisor accepts or rejects the application and notifies the concerned in writing or electronically. In case the request mentioned in the application is found acceptable, the data supervisor does what is necessary. In case the application is caused by the fault of the data supervisor, the fee is returned to the relevant person.