GDPR Information
PRIVACY AND PERSONAL DATA PROTECTION PRINCIPLES
1. PURPOSE AND SCOPE
These Privacy and Personal Data Protection Principles (hereinafter referred to as the “Principles”) set out the principles adopted by Fine Otel Turizm İşletmecilik A.Ş. and all brands within its structure such as The Land of Legends, Nickelodeon Play!, Rixos Hotels (hereinafter referred to as the “Company”) regarding the protection of personal data, and aim to inform all relevant groups of data subjects within the scope of the Personal Data Protection Law No. 6698 (hereinafter referred to as “KVKK No. 6698”).
2. PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
As the Company, acting in the capacity of Data Controller, we process your personal data in accordance with the principles set out below.
2.1 Processing in Compliance with Law and the Principle of Good Faith
In processing your personal data, the principles introduced by legal regulations and the general principles of trust and good faith are observed. In accordance with this principle, while striving to achieve our purposes for processing personal data, we take your interests and reasonable expectations into consideration, do not abuse our rights, and act in line with the principle of transparency in our data processing activities.
2.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
In line with this principle, which emphasizes the importance of the accuracy and up-to-dateness of personal data, periodic checks and updates are carried out and necessary measures are taken to ensure that processed data are accurate and current, taking into account your legitimate interests. Within this scope, systems are established within the Company to verify the accuracy of personal data and to make necessary corrections. In addition, the accuracy of the sources from which personal data are collected is checked, and requests arising from inaccuracies in personal data are taken into consideration. Therefore, this principle is implemented in compliance with your right to request the correction of your personal data pursuant to KVKK No. 6698.
2.3 Processing for Specific, Explicit and Legitimate Purposes
Your personal data are processed based on explicit, specific, and legitimate purposes. In this context, we ensure that our personal data processing activities are clearly understandable by data subjects and we determine and expressly state, in Article 3 of these Principles, which purposes and legal grounds they are based on.
2.4 Being Related, Limited and Proportionate to the Purpose of Processing
Your personal data are processed in a proportionate, purpose-related and limited manner to the extent necessary for the realization of the envisaged purpose(s), and processing of personal data that is not related to or not needed for the fulfillment of the purpose is avoided. Likewise, within the scope of this principle, personal data are not collected or processed for purposes that do not currently exist or are considered to arise in the future.
2.5 Retention for the Period Stipulated in Relevant Legislation or Required for the Purpose
Your personal data are retained only for the period stipulated in relevant legislation or required for the purpose for which they are processed. In this regard, the Company takes and implements the necessary administrative and technical measures. Within this scope, first it is determined whether a retention period is prescribed in relevant legislation; if a period is prescribed, personal data are retained in accordance with that period; if not, personal data are retained for as long as necessary for the purpose of processing. If the necessity of the related processes ceases, access to your personal data by irrelevant departments is prevented within the scope of deletion as set out in KVKK No. 6698. Upon expiration of the retention period or disappearance of the reasons requiring processing, and in the absence of a legal ground allowing longer processing, your personal data are destroyed or anonymized in accordance with personal data protection legislation.
3. CONDITIONS FOR PROCESSING PERSONAL DATA
3.1 Explicitly Stipulated by Law
Within the scope of KVKK No. 6698, your personal data and sensitive personal data may be processed under the conditions set out below. The main rule is that personal data cannot be processed without the explicit consent of the data subject. However, in cases where processing of personal data is explicitly stipulated by law, your personal data may be processed without seeking your explicit consent.
3.2 Inability to Obtain Explicit Consent Due to Actual Impossibility
Your personal data may be processed if the data subject is unable to express consent due to actual impossibility or if such consent cannot be legally recognized, and processing is mandatory to protect the life or physical integrity of the data subject or another person.
3.3 Directly Related to the Establishment or Performance of a Contract
Your personal data may be processed if it is necessary to process personal data belonging to the parties to a contract, provided that processing is directly related to the establishment or performance of that contract.
3.4 Fulfillment of the Company’s Legal Obligations
Your personal data may be processed if processing is mandatory for the Company to fulfill its legal obligations arising from the legislation, contracts, or similar legal duties to which it is subject or responsible.
3.5 Personal Data Being Made Public by the Data Subject
If your personal data have been made public by you, meaning shared with the public by your own will, they may be processed in a manner that is related and proportionate to the purpose of such disclosure.
3.6 Processing Being Mandatory for the Establishment, Exercise or Protection of a Right
Your personal data may be processed if processing is mandatory for the establishment, exercise, or protection of a right within the scope of conducting and managing processes related to the Company’s legal and commercial rights.
3.7 Processing Based on Legitimate Interest
Your personal data may be processed if processing is necessary for the legitimate interests of the Company. Where processing is carried out on this legal ground, our Company evaluates the matter by also considering your fundamental rights and freedoms, and makes a decision based on the outcome of this assessment.
3.8 Processing Based on Explicit Consent
Although processing based on explicit consent is the main rule, explicit consent is not relied upon when other conditions specified in this article exist; otherwise, this could constitute abuse of rights. Accordingly, if none of the conditions set out in these Principles apply, your personal data are processed based on your explicit consent. In particular, unless otherwise stated, your explicit consent for the sending of commercial electronic messages may be interpreted as covering campaign and announcement communications of all brands within the Company (The Land of Legends, Nickelodeon Play!, Rixos, etc.).
3.9 Processing of Sensitive Personal Data
Sensitive personal data are processed only under the conditions below, pursuant to Article 6 of KVKK No. 6698:
a) The data subject has given explicit consent,
b) Explicitly stipulated in laws,
c) Mandatory to protect the life or physical integrity of the data subject or another person, where the data subject cannot express consent due to actual impossibility or where consent is not legally recognized,
ç) Related to personal data made public by the data subject and in line with the intention of disclosure,
d) Mandatory for the establishment, exercise, or protection of a right,
e) Necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services by persons under confidentiality obligation or authorized institutions and organizations,
f) Mandatory for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance,
g) Related to current or former members and affiliates of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that processing is in line with their legislation and purposes, limited to their field of activity, and not disclosed to third parties, as well as persons who are in regular contact with such organizations.
3.10 Processing of Location Data via the Mobile Application
Through the “Legendary App” mobile application provided by our Company, your location data may be processed by using Geofence (Geographical Fence) technology at all locations required by the service network, without being limited to the facilities belonging to the brands operating under Fine Otel Turizm İşletmecilik A.Ş. (such as The Land of Legends, Nickelodeon Play!, Rixos Hotels, etc.).
Within this scope, your location data are processed for the purposes of providing location-specific navigation support, improving user experience, and offering location-based services. Depending on the type of permission you choose, your precise location data may also be processed while the mobile application is closed or not actively in use. Campaign, promotion, and offer notifications carried out based on your location data shall be delivered to you only if you have provided valid commercial electronic communication consent, independently of the technical location permission.
The aforementioned personal data are processed in accordance with Article 5, Paragraph 1 of the Turkish Personal Data Protection Law No. 6698, based on your Explicit Consent (approval given via your mobile device’s operating system as “Allow Always” or “Allow While Using the App”), for the purpose of enabling the integrated provision of services and in compliance with the principle of proportionality. You may withdraw your explicit consent at any time by disabling location sharing permissions through your mobile device’s settings menu.
4. TRANSFER OF PERSONAL DATA
Your personal data and sensitive personal data may be transferred, within the scope of Article 2 of these Principles, for the purposes of carrying out cross-marketing activities, managing joint loyalty programs, and providing integrated services, to other brands within the Company (Nickelodeon Play!, The Land of Legends, etc.), our domestic business partners, public institutions and organizations and similar entities, or our business partners abroad. While carrying out such transfers, compliance with Articles 8 and 9 of KVKK No. 6698 is observed. Where necessary, your explicit consent is obtained and the transfer is made within that framework.
5. SECURITY OF PERSONAL DATA
In order to ensure the security of personal data and prevent unlawful processing, the Company takes all reasonable administrative and technical measures to prevent risks of unauthorized access, accidental data loss, intentional deletion of data, or damage to data.
Reasonable technical and physical measures are taken to prevent access to personal data by unauthorized persons other than those with access authority. In this context, the authorization system in particular is designed in a way that prevents individuals and systems from accessing more personal data than necessary. The Company conducts and commissions necessary audits to ensure the implementation of KVKK No. 6698 within its own organization.
The measures taken are as follows:
- Network security and application security are ensured.
- Closed system networks are used for personal data transfers via network.
- Security measures are taken in the procurement, development and maintenance of information technology systems.
- Security of personal data stored in the cloud is ensured.
- Disciplinary regulations including data security provisions for employees exist.
- Training and awareness activities on data security are conducted for employees at regular intervals.
- An authorization matrix has been created for employees.
- Access logs are kept regularly.
- Corporate policies on access, information security, use, retention and destruction have been prepared and implemented.
- Confidentiality undertakings are executed.
- Access authorizations of employees who change roles or leave employment are revoked.
- Up-to-date anti-virus systems are used.
- Firewalls are used.
- Signed contracts include data security provisions.
- Additional security measures are taken for personal data transferred via paper, and relevant documents are sent in confidential document format.
- Personal data security policies and procedures have been determined.
- Personal data security issues are reported promptly.
- Monitoring of personal data security is performed.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- Physical environments containing personal data are secured against external risks (fire, flood, etc.).
- Security of environments containing personal data is ensured.
- Personal data are minimized as much as possible.
- Personal data are backed up, and security of the backups is also ensured.
- User account management and authorization control systems are implemented and monitored.
- Periodic and/or random internal audits are conducted and commissioned.
- Log records are kept in a way that prevents user intervention.
- Existing risks and threats are identified.
- Protocols and procedures for the security of sensitive personal data are determined and implemented.
- If sensitive personal data will be sent via electronic mail, it is sent encrypted and via KEP or a corporate e-mail account.
- Attack detection and prevention systems are used.
- Penetration tests are carried out.
- Cyber security measures are taken and their implementation is continuously monitored.
- Sensitive personal data transferred via portable memory, CD, DVD media are encrypted.
- Service providers processing data are audited periodically regarding data security.
- Awareness of service providers processing data regarding data security is ensured.
6. RIGHTS OF THE DATA SUBJECT, APPLICATION PROCEDURE AND PRINCIPLES
As a data subject, if you have a request regarding your rights listed in Article 11 of Law No. 6698, and if you are a citizen of the European Union, regarding your rights under GDPR such as withdrawing your explicit consent, obtaining information about and accessing your data, correcting, deleting or restricting the processing of your personal data in certain cases, data portability under certain conditions, objecting to the processing of your personal data and similar rights, you may submit your requests to us through the methods below by filling out the Application Form Regarding the Protection of Personal Data, which you can download by clicking, or by submitting an application meeting the minimum conditions set out in the Communiqué on the Procedures and Principles of Application to the Data Controller.
The Company will finalize your application free of charge as soon as possible and at the latest within thirty days depending on the nature of your request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company. In cases where your application is rejected, the response is found insufficient, or no response is given within due time, you may inform us accordingly. In addition, as a data subject, you have the right to lodge a complaint with the competent data protection authority in your country within thirty days from the date you learn of our response and in any case within sixty days from the date you duly submit your application.