Protection Of Personal Data




General Remarks

As KERVANSARAY HOTEL, we give utmost importance to the legal processing and protection of personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“Law”). Therefore, in order to provide a better service to you in terms of customer safety, we act in accordance with the Personal Data Processing and Protection Policy, which is set out below, for the protection, storage, processing, use, destruction, commercial electronic communications and other matters of personal data (information). In this context, we hereby submit this Personal Data Processing and Protection Policy (“Policy”) to your information, both in order to fulfil the obligation of clarification under Article 10 and to notify all administrative and technical measures we have taken in the processing and protection of personal data.


Purpose and Scope of Policy

The main purpose of this Policy is to provide information on systems for the processing and protection of personal data in accordance with the law and the purpose of the Law and to provide information on all personal data processed automatically or processed in non-automatic ways provided that it is part of any data recording system by KERVANSARAY HOTEL in this context.


Personal Data Owner / Concerned Person

It refers to our employees, hotel customers, potential customers, business partners, visitors and third parties, whose personal data are processed.


Personal Data Definition

Below is the list of data processed by KERVANSARAY HOTEL and considered as personal data in accordance with the Law. Unless expressly stated otherwise, the term “personal data” under the terms and conditions provided under this policy shall include the following information:

1) Personal Data You Share With Us: Name-surname, date of birth, Turkish ID number, telephone number, e-mail address, photographs and video recordings forwarded within the scope of surveys and contests other all types of personal data you share via channels mentioned above.

2) Other Information Including Personal Data Collected via Automatic Methods: Other Information Including Personal Data Collected via Automatic Methods: Automatically collected information via automatic search machines, video and audio recording devices and entering our website; this includes the number of visits, the average time spent on the site, and the page information displayed.

3) Personal Data From Other Sources and Other Information : Social media vehicles, your personal data such as updated address information account information, purchase, page view information, search term and search results that our business partners and other third parties share with us with prior permission obtained from you.


Sensitive Personal Data

Data regarding race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, disguise, association, foundation or union membership, health, criminal convictions and security measures and biometric and genetic data. In the event that the processed data is of a sensitive personal data as defined in the GDP Law; If the personal data owner does not have explicit consent, the personal data can only be processed provided that adequate measures defined by GDP Board are taken.


Data Responsible

The data officer refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Legal persons are themselves “data officers" within the scope of their activities regarding the processing of personal data and the legal responsibility specified in the relevant regulations shall arise in the person of the legal entity. There is no difference in this regard in terms of public legal entities and private legal entities.

According to the law, the person responsible for data is the person who determines the purpose and method of processing of the personal data. In other words, it is the person who will answer the “why” and “how“ of the processing activity. In this context, İSTANBUL KERVANSARAY HOTEL AND TOURISM INC. (“KERVANSARAY HOTEL”) acts as the data responsible.




Liabilities of the Data Responsible

a) Liability of Clarification

The law provides the persons concerned with the right to obtain information about whom, for what purposes and for what legal reasons this data can be processed and to whom it may be transmitted and for which purposes the data officer is responsible for disclosure. Accordingly KERVANSARAY HOTEL is required to provide the following information   to the concerned person through itself or the person which it authorized during obtaining the personal data in accordance with Article 10 of the Law:

  • The identity of the data officer and the representative, if any,
  • The purpose for which personal data will be processed,
  • To whom and for what purpose personal data may be transmitted,
  • Method and legal reason of personal data collection,
  • Other rights defined in Article 11 of Law.


Other rights listed in Article 11 of the Law;

  1. To learn whether personal data is processed or not,
  2. To demand information if personal data has been processed,
  3. To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
  4. To know the third parties to whom personal data is transferred at home or abroad,
  5. To request correction of personal data in case of incomplete or incorrect processing,
  6. To request deletion or destruction of personal data within the principles laid down in GDPR,
  7. To request to notify third parties in case the data have been incorrectly transferred, deleted or destroyed
  8. To object to a conclusion against her/himself by analysing the processed data exclusively through automated systems,
  9. To demand damages in case of damage due to unlawful processing of personal data,


In cases where the data processing activity is subject to the express consent of the person concerned or the activity is carried out under another condition in the Law, the data officer's obligation to inform the relevant person continues. That is, the person concerned is clarified in every situation where his/her personal data is processed.

b) Liabilities Regarding Data Security

KERVANSARAY HOTEL, which is data responsible regarding data security according to Article 12, is obliged to:

  • Prevent unlawful processing of personal data,
  • Prevent unlawful access to personal data,
  • Maintain personal data.

KERVANSARAY HOTEL, acting as a data officer, has to take all necessary technical and administrative measures to ensure the appropriate level of security in order to fulfil these obligations. It is among the powers and duties of the Board to carry out regulatory procedures in order to determine obligations related to data security. However, it may be possible to take additional measures based on the nature of the personal data processed on a sector basis, based on the minimum criteria to be determined by the Board.

KERVANSARAY HOTEL is jointly responsible for taking necessary measures in case personal data is processed by another real or legal person on its behalf. Therefore, data processors are also obliged to take measures to ensure data security. Accordingly, if, for example, the records of the data officer's company are kept by an accounting company, the data officer KERVANSARAY HOTEL shall be jointly responsible with the accounting company for taking measures regarding the processing of the data.

The law also imposes an audit obligation on the data officer regarding data security. The data officer is obliged to perform or have the necessary audits carried out in his own institution or organization in order to ensure the implementation of the provisions of the Law. Therefore, the data supervisor can perform this inspection himself or by means of a third party. On the other hand, the data responsible and the persons who process the data cannot disclose the personal data they have learned in contradiction with the provisions of this Law and use it for any purpose other than processing. This obligation continues even after they leave the office.

Finally, if the personal data processed is obtained by others by unlawful means, the data officer shall inform the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or in any other way it deems appropriate.

Data security measures to be taken for each one of the data responsible for the structure, activities and be subject to the risks that must be appropriate. Therefore, a single model of data security cannot be foreseen. In determining the appropriate measures, the size or turnover of the company, as well as the nature of the work performed by the data officer and the personal data protected are important.

c) Obligation to reply to applications made by the persons concerned

Data responsible KERVANSARAYHOTEL, finalizes demands that are in writing or other methods to be determined by the Board about the application of the Law, according to their qualifications, as soon as possible and within 30 days at the latest, free of charge. However, in the event that the transaction requires additional cost, KERVANSARAY HOTEL may request the fees from the relevant person applying the tariff determined by the Board.

If KERVANSARAY HOTEL accepts the request or rejects it by explaining the reason, it informs the person in writing or electronically. In case the request in the application is accepted, the requirement of this request is fulfilled. If the application is due to the mistake of KERVANSARAY HOTEL, the fee will be returned to the person concerned.

In case of rejection of the application, inadequate response or failure to respond to the application in due time; the person concerned may lodge a complaint with the Board within thirty days from the date of receipt of the reply and in any event within sixty days from the date of application.


d) Obligation to Fulfil Board Decisions

If the Board detects the existence of a violation as a result of the investigation that it will carry out  upon the complaint or if it learns the allegation of violation, it shall be resolved by KERVANSARAY HOTEL , the data officer responsible , and notified the decision to the related parties. KERVANSARAY HOTEL shall fulfil this decision without delay as of the date of notification and within thirty days at the latest.



e) Obligation to register with the Data Responsible Register

KERVANSARAY HOTEL is obliged to register to the system called Data Responsible Registry (VERBİS) and declare the information about data processing activities.

Data Processing Person

In the case of data processing, it may be defined as real or legal persons outside the organization of the data officer who process personal data on behalf of the data officer based on the authorization of the data officer, and it is also possible to combine the data officer and data processing attributes into a single legal or natural person. KERVANSARAY HOTEL acts as a Data Processor at the same time and processes your personal data in accordance with the Law.

Processing of Personal Data

Processing of Personal Data is any kind of process where the data is obtained by means of fully or partially automatic or non-automated means provided that it is part of any data recording system, recorded, stored, saved, changed, rearranged, disclosed, transferred, taken over, made available or prevented from use.

The purpose of personal data processing by KERVANSARAY HOTEL is set forth before the beginning of personal data processing. In addition, personal data are processed by KERVANSARAY HOTEL in connection with the service it provides and as much as necessary for the service.

Principles of Personal Data Processing

Provided that necessary measures are taken to protect your privacy and all legal principles regarding the processing of personal data are complied with, KERVANSARAY HOTEL processes personal data in accordance with the following principles for the purposes set out in this Personal Data Processing Policy:

  1. Compliance with the law and the rules of honesty,
  2. Being accurate and up-to-date when necessary,
  3. Processing for specific, clear and legitimate purposes,
  4. Being related with the purposes for which they are processed, being limited and moderate,
  5. Retention for the period required by the relevant legislation or for the purpose for which it was processed.


When can your personal data be processed?

If the personal data owner has explicit consent, if there is a clear regulation in the law that personal data will be transmitted, if it is necessary for the protection of the life or body integrity of the personal data holder or someone else, and if the personal data holder is unable to disclose his consent due to actual impossibility, or if his consent is not legally authorized, If it is necessary to transfer personal data of the parties to the contract provided that it is directly related to the establishment or performance of a contract, if the personal data is publicized by the personal data owner, and if the personal data transfer is compulsory for the establishment, use or protection of a right, the personal rights and freedoms of the personal data holder, personal data can be saved and transmitted without prejudice.


How Long Will Your Personal Data Be Preserved?

Your personal data processed in accordance with GDPR for the purposes specified in this Personal Data Processing and Protection Policy will be erased, destroyed or continue to be used by KERVANSARAY HOTEL when the objective requiring processing according to GDPR 7/f.1. is eliminated and/or the statute of limitations prescribed by legislation for processing personal data is timed out.

Security of Personal Data

KERVANSARAY HOTEL, in accordance with Article 12 of the GDP Law, takes appropriate measures to prevent unlawful processing of personal data, to prevent unlawful access to such data, and to prevent unlawful processing of personal data by third parties.


KERVANSARAY HOTEL has the responsibility on all kinds of transactions, applications and results of hotel customers, visitors and business partners, from www.grandoztanik.com address or other linked sites, mobile applications, promotions and advertisements and all kinds of information and notifications made to them electronically communicated with the decisions taken within the scope of the information they receive.

Since the legal/actual driving license status of our customers and visitors could not be known by KERVANSARAY HOTEL, the responsibility for the use and transactions of children and other minors belongs to their legal representatives. They may also exercise their rights to personal data through their legal representatives.

Periodic Destruction and Legal Retention Periods

Physical and digital data that expires the statutory storage and disposal periods is periodically destroyed. KERVANSARAY HOTEL erases, destroys or anonymises personal data in the process following the date when the obligation to delete, destroy or anonymize personal data arises.

Deletion and Destruction Process if Data Holders Request

In the event that data owners request that their personal data be deleted or destroyed by applying to KERVANSARAY HOTEL, KERVANSARAY HOTEL checks the current status of the personal data processing conditions and takes related actions accordingly.

If all the conditions for processing personal data have been removed, the personal data subject to the request will be deleted, destroyed or made anonymous. KERVANSARAY HOTEL shall conclude the request of the person concerned within thirty days at the latest and inform the person concerned.

If all of the personal data processing conditions have been removed and the personal data subject to the request have been transferred to third parties, KERVANSARAY HOTEL shall notify this to the third party and ensure that the necessary actions are taken by the third party under the regulation.

If all the conditions for processing personal data have not been removed, KERVANSARAY HOTEL may deny the request by explaining the reason to the relevant data owner and notify the person concerned in writing or electronically within thirty days at the latest.


Changes to Policy

Following any official changes to be made in the relevant legislation, KERVANSARAY HOTEL may make changes in this Policy in accordance with these changes.

Any changes that may be deemed necessary in the confidentiality by KERVANSARAY HOTEL, storing and destroying personal data, terms of use of the site, the products, services and activities offered to KERVANSARAY HOTEL customers will be effective as soon as they are announced via internet address or other appropriate communication means.

Changes to the Policy by KERVANSARAY HOTEL can be examined and all kinds of complaints and additional information about the changes can be made on www.grandoztanik.com.


Effectiveness of Policy

This Data Processing Policy, which was issued by KERVANSARAY HOTEL and entered into force on the date of its publication, is published on www.grandoztanik.com website and made available to the relevant persons upon request of Personal Data holders.

This Policy is regulated within the scope of the Obligation “Disclosure of the Data Officer” specified in Article 10 of the Law No. 6698 (Law).


Other Policies


Grand Öztanık Hotel

Topçu Cad. No: 9-11 Taksim, Istanbul, Türkiye