Privacy Policy
Privacy and Personal Data Protection Policy
U TATİL TURİZM A.Ş (in short “U Tatil”) fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer of personal data, informing the relevant person and ensuring data security within the scope of the principles stipulated by the Law.
This Privacy and Personal Data Protection Policy, which has been prepared in accordance with the Law, is made available to the access of real persons (“data owner”) whose personal data is processed.
U TATİL TURİZM A.Ş will be referred to as “U Tatil” or “Company” in short, and the Personal Data Protection Law No. 6698 will be referred to as the “Law” in short.
1. Scope and Purpose of the Privacy and Personal Data Protection Policy
This Privacy and Personal Data Protection Policy is the;
The methods and legal reasons for collecting personal data,
Which groups of people's personal data are processed (Data Subject Categorization),
Which categories of data subjects' personal data are processed (Data Categories) and sample data types,
For what purposes the relevant personal data is used,
Technical and administrative measures taken to ensure the security of personal data,
To whom and for what purposes personal data can be transferred,
Personal data sharing with public institutions and organizations and official authorities,
Personal data storage periods,
What are the rights of data subjects over their own personal data and how they can exercise these rights,
it specifies in detail.
a. Personal Data Collection Methods and Legal Reasons
U Tatil collects personal data through the information provided by the data subject, websites, social media accounts, e-mail, mail, cookies, fax, notifications from administrative and judicial authorities and other communication channels, in an auditory, electronic or written manner, in accordance with the personal data processing conditions specified in the PDP Law and in line with the legal reasons specified in this Privacy and Personal Data Protection Policy.
b. Data Subject (Relevant Person) Categorization
U Tatil groups the data subjects whose personal data it processes as follows, and these person groups may expand in light of the process and legal reasons specified in this policy.
i. Customer,
ii. Online Customer,
iii. Visitor
iv. Online Visitor
v. Business Solution Partner / Supplier
vi. Employee
c. Data Categories and Sample Data Types
| N. | Data Owner | Data Category | Data Types |
| 1. | Customer | Identity Information | Name-Surname, Gender, TR Identity Number, TR Identity Information (Cardbook serial number, family order number, etc.),Date of Birth, Place of Birth, Marital Status, Passport Number |
| Contact Information | Address (home/work),Email, Phone/Mobile Phone | ||
| Financial Information | Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information | ||
| Financial Information | Customer Number, Customer Commercial Relationship Start / End Date and Reason, Customer Requests, Customer Satisfaction Information, Product-Related Complaint and Request Information | ||
| Transaction Security Information | Call Center Records, Credit Card Number, Credit Card Expiration Date | ||
| Family Members and Relatives Information | Name-Surname, Relationship Degree, Profession, School, Date of Birth, Mobile Phone | ||
| Other | Call Center Records, CCTV | ||
| 2. | Online Customer | Identity Information | Name-Surname, Gender, Date of Birth, Place of Birth |
| Contact Information | Address (home/work),Email, Phone/Mobile Phone | ||
| Financial Information | Bank Account Information, Payment Information | ||
| Customer Information | Customer Number, Customer Commercial Relationship Start / End Date and Reason, Customer Requests, Customer Satisfaction Information, Product-Related Complaint and Request Information, Website Usage Habit, Search Details, Customer Instructions and Records | ||
| Personal and Professional Information | Retirement Information, Insurance Information, Educational Status, Graduation Certificate, Affiliated Organization | ||
| Marketing Knowledge | Product Preferences, Satisfaction Survey Results | ||
| 3. | Visitor | Identity Information | Name-Surname, TR ID Number, Passport Number |
| Contact Information | Email, Phone / Mobile Phone | ||
| Transaction Security Information | 5651 Logs | ||
| Other | Vehicle License Plate, CCTV | ||
| 4. | Online Visitor | Transaction Security Information | Password, Membership Number, Mobile Phone |
| Legal Procedure Information | IP Address | ||
| 5. | Business Solution Partner / Supplier | Identity Information | Name-Surname, Gender, TR ID Number, TR ID Information (Card serial number, family order number, etc.),Date of Birth, Place of Birth, Marital Status, Professional IDs |
| Contact Information | Address, Email, Phone / Mobile Phone | ||
| Financial Information | Bank Account Information, Financial Transaction Information, IBAN Number, Payment Information, Copies/Photocopies of Letter of Guarantee | ||
| Legal Process and Compliance Information | Signature Circular, Activity Information, Power of Attorney | ||
| Special Personal Data | Criminal Record, Signature, Health Information | ||
| Other | Vehicle Plate, CCTV, Photo | ||
| 6 | Employee | Identity Information | Name-Surname, Gender, TR ID Number, TR ID Information (Card serial number, family order number, etc.),Date of Birth, Place of Birth, Marital Status, Professional IDs |
| Contact Information | Address, Email, Phone / Mobile Phone | ||
| Personal and Professional Information | Retirement Information, Insurance Information, Educational Status, Graduation Information, Affiliated Organization | ||
| Legal Process and Compliance Information | Official Reports (Police etc.),Power of Attorney | ||
| Special Personal Data | Diopter Information, Hospital Reports | ||
| 7 | Employee Candidate | Identity Information | Name-Surname, Gender, TR ID Number, TR ID Information (Card serial number, family order number, etc.),Date of Birth, Place of Birth, Marital Status, Professional IDs |
| Contact Information | Address, Email, Phone / Mobile Phone | ||
| CV and Professional Information | Educational Status, Military Status, Industry Information, Affiliated Organization, Job Start/End Date, Title, Insurance Information |
d. For What Purposes Are Personal Data Used
Personal data is used by U Tatil for the following purposes;
Carrying out the necessary studies by the relevant business units for the realization of commercial activities carried out by the company and carrying out the related business processes
Planning and/or Executing the Activities of Carrying Out Effectiveness/Efficiency and/or Appropriateness Analysis of Business Activities
Conducting finance and accounting works,
Conducting goods/service sales processes
Planning and/or Executing Business Continuity Activities
Planning and Executing Logistics Activities
Planning and Executing Corporate Communication Activities
Planning and Executing Supply Chain Management Processes
Planning, Auditing and Executing Information Security Processes
Following Up Company Finance and Accounting Works
Planning and Executing Company Operation Processes
Planning and Executing External and Internal Training Activities
Management of Relationships with Business Partners and/or Suppliers
Planning and Executing Sales Processes of Products and/or Services Execution
Planning and/or Execution of After-Sales Support Services Activities
Following Up Legal Affairs and Fulfilling Legal Responsibilities
Planning and Execution of Necessary Operational Activities to Ensure Company Activities Are Carried Out in Accordance with Company Procedures and/or Relevant Legislation
Providing Information to Authorized Institutions Resulting from Legislation
Planning and Execution of Company Audit Activities
Ensuring the Security of Company Premises and/or Facilities
Ensuring the Security of Company Operations
Ensuring the Security of Company Premises and Movables
Ensuring the Security of Company Fixed Assets and/or Resources
Fulfillment of obligations arising from employment contracts/legislation for employees
Ensuring Compliance with Occupational Health and Safety Legislation
e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data
U Tatil undertakes to take all necessary technical and administrative measures and show due diligence to ensure the confidentiality, integrity and security of your personal data. In this context, it takes the necessary measures to prevent the misuse, unlawful processing, unauthorized access to data, disclosure, alteration or destruction of personal data.
U Tatil takes the following technical and administrative measures to prevent unlawful access to personal data it processes, to prevent unlawful processing of these data and to ensure the preservation of personal data:
Anti-Virus
All PCs and Servers in U Tatil’s information technology infrastructure have a periodically updated anti-virus application installed.
Firewall
The Data Center and Disaster Recovery Centers hosting U Tatil servers are protected by firewalls loaded with periodically updated software, and the relevant new generation firewalls check the internet connections of all personnel and provide protection against viruses and similar threats during this check.
User Definitions and Need to Know
The authority of U Tatil employees to U Tatil systems is limited only to the extent necessary by their job descriptions, and in the event of any change in authority and duty, their system authority is also updated urgently.
Information Security Threat and Incident Management
Events occurring on U Tatil servers and firewalls are transferred to the “Information Security Threat and Incident Management” system. This system warns the responsible personnel when a security threat occurs and provides the opportunity to respond to the threat urgently.
Apart from these, U Tatil implements the necessary and appropriate measures according to the type of data and process by its information security personnel and information security experts from whom it receives service.
Although U Tatil takes the necessary information security measures, if personal data is damaged or falls into the hands of unauthorized third parties as a result of attacks on the platforms operated by U Tatil or the U Tatil system, U Tatil immediately notifies you and the Personal Data Protection Board of this situation and takes the necessary measures.
f. To Whom and for What Purposes Can Personal Data Be Transferred
U Tatil transfers personal data only in line with the purposes specified in this Privacy and Personal Data Protection Policy and in accordance with Articles 8 and 9 of the Law, to third parties and solution partners/group companies, and to Booking Site Tourism Inc., with which it has a special business partnership.
Personal data transfers made within this scope are carried out through secure environments and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties; In all cases where the transfer of data owner personal data is not required, transfer is made using pseudonymous data.
The personal data subject to domestic and international transfers mentioned above are legally protected thanks to the technical measures that will ensure their security, as well as the provisions in our contracts that are compatible with the Law, considering whether the other party of the legal relationship is the data controller or the data processor.
| No | Data Owner | With Whom and For What Purposes Are Personal Data Shared? |
| 1. | Customer / Online Customer | These processes include sharing customer reservation information with the relevant supplier/business partner (hotel or accommodation facility where the reservation is made),sharing contact information with the SMS Supplier in order to send marketing and commercial messages to customers with ETK permits or to send SMS for organizational issues such as reservation confirmation, voucher sending, reservation change notification; sharing invoice information with the e-invoice supplier in order to send the e-invoice to the Customer electronically; sharing personal data with the Call Center in order to resolve customer demands and complaints; sharing personal data with the lawyer in order to prepare a defense petition in case consumers apply to the Consumer Arbitration Board; sharing the person information to whom the purchased product will be delivered with the cargo company; sharing with shareholders within the scope of reporting and statistical studies; sharing with suppliers in order to store physical and electronic customer data; and sharing with third parties in order to perform segmentation and communicate with the Customer in line with their likes and preferences regarding website usage preferences and browsing history. |
| 2. | Business Solution Partner / Supplier | There are processes such as sharing physical and electronic business solution partner / supplier data with suppliers for storage purposes, and sharing the contact information of hotel officials with customers for organizational reasons. |
g. Sharing of Personal Data with Public Institutions and Organizations and Official Authorities
| No | Data Owner | With Whom and For What Purposes Are Personal Data Shared? |
| 1. | Customer / Online Customer | Processes include sharing identity and customer transaction data with TÜRSAB in connection with complaint management processes; sharing customer personal data with SGK during SGK and Ministry of Health inspections; reporting illegal situations carried out on the web to relevant official institutions such as the prosecutor's office; and sharing invoices and collection receipts with representatives of the Ministry of Finance during tax inspections. |
| 2. | Visitor / Online Visitor | U Tatil includes processes such as sharing personal data and traffic information such as navigation information regarding visits or membership to the website www.utatil.com; sharing this information with public institutions and organizations that are legally authorized to request this information within the scope of legal obligations (including but not limited to combating crime, threats to state and public security, and similar situations where there is a legal or administrative obligation to notify or provide information); sharing log records with official institutions; and sharing camera recordings with official institutions such as the prosecutor's office and the court upon request. |
| 3. | Business Solution Partner/ Vendor/ Supplier | Processes such as sharing current cards opened within the scope of relations with Business Solution Partners / Suppliers with Trade Registry Offices and notaries; Sharing personal data with relevant public institutions and notaries in order to carry out legal notifications required by the accounting department; Sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits; and Sharing financial data with the bank in order to fulfill payment obligations arising from the existing commercial relationship. |
| 4. | Employee | Sharing with the SGK in accordance with the SGK legislation, with other official institutions and courts for the resolution of legal disputes, and with the General Directorate of Security in accordance with the Identity Notification Law. |
h. Storage Periods of Personal Data
U Tatil stores the personal data it processes in accordance with the Law for the periods stipulated in the relevant legislation or required by the purpose of processing.
j. What are the Rights of Data Owners Over Their Personal Data and How They Can Exercise These Rights
The rights of data owners pursuant to Article 11 of the Law are as follows:
(1) To learn whether personal data has been processed,
(2) To request information regarding the processing of personal data,
(3) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
(4) To know the third parties to whom personal data is transferred domestically or abroad,
(5) To request correction of personal data if it is processed incompletely or incorrectly,
(6) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Personal Data Protection Law,
(7) To request that the transactions carried out pursuant to subparagraphs (d) and (e) be notified to third parties to whom personal data is transferred,
(8) To object to the emergence of a result against the person by means of analysis of processed data exclusively through automated systems,
(9) To request compensation for damages incurred due to unlawful processing of personal data.
In order to exercise your rights over your personal data; You can make the necessary changes, updates and/or deletions and related requests through the “Contact Form” that you can access from the U Tatil head office or the website https://utatil.com/, and the official e-mail address of U Tatil at kvkk@utatil.com.
2. Conditions for Deletion, Destruction and Anonymization of Personal Data
U Tatil stores the personal data it obtains directly from the relevant persons within the scope of its business processes, and processes through channels such as physical, electronic, Website, E-mail, for the periods stipulated by the relevant laws and/or for the periods required by the purpose of processing, in accordance with Articles 7, 17 of the Law and Article 138 of the Turkish Penal Code. In the event that these periods expire, it will delete, destroy or anonymize them in accordance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data and the Guide for Deletion, Destruction or Anonymization of Personal Data.
Deletion of personal data by U Tatil refers to the process of rendering personal data inaccessible and reusable for the relevant users in no way.
Destruction of personal data by U Tatil refers to the process of rendering personal data inaccessible, irretrievable and reusable by anyone in no way.
Anonymization of personal data by U Tatil means that personal data cannot be associated with an identified or identifiable real person under any circumstances, even if it is matched with other data.
U Tatil explains in detail the methods and technical and administrative measures it takes regarding deletion, destruction and anonymization within the scope of the Personal Data Storage and Destruction Policy prepared in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data. In this Policy, the time period for the periodic destruction foreseen by the Regulation is also determined as 6 months.
3. Changes to the Privacy and Personal Data Protection Policy
U Tatil may make changes to this Privacy and Personal Data Protection Policy at any time. These changes shall become effective immediately upon publication of the new amended Privacy and Personal Data Protection Policy. Necessary information will be provided to you so that you are informed of the changes to this Privacy and Personal Data Protection Policy.
