
YILCAN TOURISM

KVKK CLARIFICATION TEXT

PRIVACY STATEMENT

The protection of all information belonging to our users is an important and sensitive issue for our company. This privacy statement includes declarations regarding the confidentiality of all user and visitor information when you visit Yılcan Tourism.

Collection of Your Personal Information

Yılcan Tourism does not collect personal information such as name, surname, email address, and postal address during your visit, unless you register on our site for reasons such as membership, newsletter subscription, or product purchase.

Use of Your Personal Information

Personal information is used solely for the purpose of enabling the use of Yılcan Tourism or for the purpose of contacting you as Yılcan Tourism. Except for situations mandated by the laws of the Republic of Turkey, personal information will never be shared with third parties without your consent.

Freedom to Choose

The control of the personal information you provide to Yılcan Tourism is entirely yours. You can update your personal information, or cancel your newsletter subscription or site membership at any time. You can communicate your requests by sending an email to iletisim@yilcanturizm.com.tr.

Non-Personal Information

While browsing Yılcan Tourism's website, to provide you with better service, your non-personal data (internet browser used, number of visits, average time spent on the site, pages viewed) is automatically recorded. This information is not subjected to any further processing and is not shared with third parties.


İŞCAN FURNITURE LTD. STI (YILCAN TOURISM) PERSONAL DATA PROTECTION POLICY

The protection of personal data is of importance to İşcan Furniture Ltd. Şti/Yılcan Tourism Travel Agency (the "Company"), and maximum effort is made to act in accordance with all applicable legislation. İşcan Furniture Ltd. Şti implements a data protection and processing policy that meets international standards pursuant to the Law No. 6698 on the Protection of Personal Data (the "Law" or "KVKK").

Within the scope of Article 10 of the Law No. 6698 on the Protection of Personal Data, İşcan Furniture Ltd. Şti, in its own operations and activities, acts with the title of "data controller" to fulfill its "obligation to inform". The information and principles contained in the Policy on the Protection of Personal Data are applicable to İşcan Furniture Ltd. Şti. Our company reserves the right to make changes to the Policy to provide up-to-date information about our practices regarding the protection of personal data and statutory regulations. In the event of substantial changes made to the Policy, Data Owners will be informed through various channels.

1-GENERAL INFORMATION

İşcan Furniture Ltd. Şti processes your personal data within the limits foreseen by the legislation as follows.

1.1.Methods of Collecting Personal Data:

The processed personal data may vary depending on the type and nature of our products and services. We may collect your personal data verbally, in writing, or electronically through our offices, call center, website, social media platforms, branches and dealers with whom we have a business relationship, and similar means, using either automated or non-automated methods.

As long as you benefit from our products and services, your personal data may be processed, and your data may be updated when necessary to ensure its accuracy and up-to-date status. Furthermore, when you physically visit our company offices, branches, agents, stores, and centers, or use our call centers, visit our web pages and/or other social and digital channels, or participate in activities such as events, seminars, organizations, and training that our company organizes, your personal data may also be processed.

CCTV Usage

Our company may obtain visual and auditory data through a closed-circuit camera system in accordance with the Law No. 5188 on Private Security Services and relevant legislation, and these data will only be kept for the necessary duration for the purposes listed below. The use of the closed-circuit camera system serves to prevent and monitor anti-social and criminal behaviors, to ensure the security of our facilities and the tools and equipment located therein, to protect the health and safety of visitors and employees, to increase efficiency, to ensure the safety of our business, guests, and others, to improve the quality of the service provided, to ensure the legal, commercial, and technical safety of individuals in business relations with our company, to establish the business relationship, to implement health and safety regulations, and to fulfill legal obligations. All necessary technical and administrative measures are taken by our company to ensure the security of the data obtained through the camera monitoring activity. The monitoring activity is conducted in compliance with the Constitution, KVKK, the Law on Private Security Services, and other relevant legislation, and access to the digital records is limited to the authorized personnel, including System Room Staff, General Manager, and Security Manager, with utmost care taken regarding this matter. A limited number of persons who have access to the records in our business declare with a confidentiality agreement that they will maintain the confidentiality of the data they access.

Additionally, our business is required to process personal data in accordance with the principle of relevance, limitation, and proportionality stipulated in Article 4 of the Law. The purpose of maintaining the monitoring via video cameras is limited to the objectives stated in this Policy.

Areas that could infringe on an individual's privacy due to surveillance beyond security purposes are not monitored. In accordance with Article 10 of the Law, information about monitoring with cameras is announced to all employees and visitors, and data subjects are informed about this in multiple ways. Notification letters are posted at the entrances of monitored areas.

1.2.Purposes and Methods of Processing Personal Data:

The personal data obtained may be processed by our company within the framework of the conditions for processing personal data stipulated in Articles 5 and 6 of the Law, and;

1.2.1.For the purpose of structuring, coordinating, developing, executing commercial activities specific to the Company;

• Carrying out legally required transactions/notifications and fulfilling obligations, communicating with official institutions, and providing information to authorized institutions

• Establishing, executing and managing the contracts, conducting post-contract services with clients

• Monitoring, planning, and executing activities related to the procurement of external services/consultation

• Planning, monitoring, and implementing financial and accounting activities

• Executing strategic planning activities

• Planning and executing IT and data security activities

• Conducting reporting related to control, data management, analysis, social purpose activities, process improvement, and similar activities

• Planning and executing crisis and emergency management activities

• Planning and executing activities related to physical/electronic security of the Company

• Conducting processes related to agency applications and agency contracts

• Creating policy offers, arranging policies, submitting policy renewal offers, and carrying out policy cancellation processes

• Calculating insurance compensation, making payments to the insured or beneficiaries, and tracking recourse

• Monitoring ambiguous claims files

• Carrying out processes related to the collection of premium payments

• Preparing claims files and reconciling payment results of claims

• Creating and monitoring expert and expertise reports

• Conducting reinsurance processes

• Conducting co-insurance processes

• Making recourse requests to insurance companies and third parties and monitoring these requests

• Evaluating and responding to recourse requests submitted by insurance companies and third parties

• Creating and tracking visitor records

• Ensuring that activities are carried out in line with the insurance procedures of İşcan Furniture Ltd. Şti and related legislation through necessary internal audit activities

• Ensuring that our business activities, business relations, and human resources processes are managed properly

• Carrying out processes arising from corporate law

• Managing risk assessment processes in accordance with insurance legislation.

• Carrying out room reservation transactions

• Facilitating quality improvement activities

• Ensuring risk management

• Ensuring the management of guest relations

• Determining and implementing commercial strategies

• Conducting marketing and sales activities

• Performing routine audits

• Managing and auditing processes related to financial resources

• Planning, auditing, and executing information security processes

• Preventing abuse and unauthorized transactions that may arise from employees,

1.2.2.For the purpose of increasing brand awareness;

• Planning and executing actions to increase the perception level regarding the institution, its activities, and the brand

• Planning, managing, and executing organizations, meetings, invitations, and events

1.2.3.As part of shaping and/or executing demand and complaint management and post-sales processes;

• Planning and executing demand and complaint management activities for receiving, evaluating, and concluding demands and complaints

• Conducting operations, research, analysis, and reporting activities regarding entering into or renewing contracts

• Executing and monitoring processes necessary for fulfilling obligations arising from contractual relationships

1.2.4.For planning, implementing, and managing corporate relations;

• Managing the relationships with suppliers/partners, developing, planning, and executing those relationships

• Carrying out activities and requirements for establishing and executing vehicle rental contracts

• Structuring and implementing corporate governance and communication activities

• Planning and executing additional activities such as providing education/scholarships/support from outside the company

1.2.5.For ensuring the legal, technical, and commercial security of the Company and the relevant individuals involved in business relationships;

• Providing information to relevant authorities due to legal obligations and/or fulfilling audit-related activities and obligations

• Ensuring the security of physical and/or electronic environments of the Company and the parties connected to it

• Keeping records of the persons attending organizations and events

• Keeping records regarding the parties with whom the Company is in business relations, organizing and implementing activities aimed at commercial security,

• Performing activities to ensure that the data is kept accurate and up to date

• Planning and/or executing occupational health and safety processes

• Planning and executing works related to all kinds of visitors entering and exiting the Company in accordance with the law.

1.3.Processing of Personal Data:

a.Presence of the Data Subject's Explicit Consent

One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be based on being informed and declared freely regarding a specific subject. Data will be processed within the scope of the explicit consent and for the purposes specified in the explicit consent. As a rule, in cases where the other conditions are present, there is no need to obtain the explicit consent of the data subject.

b.Clearly Specified in Laws

If it is clearly specified in the law, the personal data of the data subject will be processed in accordance with the law. In cases where processing is permitted by law, data will be processed within the limits of the reasons and data categories specified in the related law.

c.Unable to Obtain the Explicit Consent of the Data Subject due to Physical Impossibility

If the person is unable to disclose their consent due to physical impossibility or if their consent cannot be accepted, their personal data may be processed if it is necessary to protect the life or bodily integrity of that person or another person.

d.Directly Related to Contract Formation or Execution

Personal data of the parties to a contract may be processed if it is necessary for the conclusion or execution of a contract.

e.Fulfilling Legal Obligations

The personal data of the data subject may be processed if necessary for our company to fulfill its legal obligations.

f.Personal Data Made Public by the Data Subject

If the personal data of the data subject has been made public by themselves, these personal data may be processed to the extent of the purpose of making them public.

g.Necessity of Processing to Establish or Protect a Right

Personal data can be processed if it is necessary to establish, use, or protect a right.

h.Necessity of Processing for Legitimate Interests

Personal data may be processed if it is necessary for the legitimate interests of our company, provided that it does not harm the fundamental rights and freedoms of the data subject.

1.4.Protection of Special Categories of Personal Data

Special categories of personal data are processed by our Company in accordance with this Policy, with all necessary administrative and technical measures taken, under the following conditions:

a.Personal data other than health and sexual life may be processed without requiring explicit consent of the data subject, if it is clearly specified in the laws regarding the relevant activity. In other cases, explicit consent of the data subject will be required for processing these special categories of personal data.

b.Special categories of personal data related to health and sexual life may be processed without requiring explicit consent by individuals or authorized institutions and organizations who are under confidentiality obligations and for purposes such as protecting public health, preventive medicine, medical diagnosis, treatment, and management of health services and finance. In other cases, explicit consent of the data subject will be required for processing these special categories of personal data.

1.5.Security of Personal Data

Our Company, in accordance with Article 12 of the KVKK, takes all appropriate necessary security measures to prevent unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.

1.6.Transmission of Personal Data

Even without the explicit consent of the data subject, the Company may transmit personal data in good faith and under necessary safety precautions to domestic or foreign data controllers, in the presence of one or more of the following conditions:

• The activities of personal data transmission are clearly specified in laws

• The transmission of personal data by the Company is directly related to and necessary for the conclusion or execution of a contract

• The transmission of personal data is obligatory for the Company to fulfill its legal obligations

• The transmission of personal data by the Company is limited to the purpose intended by the data subject

• It is mandatory to protect life or bodily integrity in a state of physical impossibility.

In addition, personal data may be transferred to foreign countries declared by the Board to have adequate protection (“Adequate Protection Foreign Country”) provided any of the above conditions are met. If no adequate protection exists, personal data may be transmitted to foreign countries where the Turkish and the relevant foreign data controllers have provided written commitments for adequate protection and where the permission of the Personal Data Protection Board exists (“Foreign Country with a Data Controller Commits to Adequate Protection”).

In compliance with the personal data processing conditions stated in Articles 8 and 9 of the Law, your personal data will also be shared with:

• Business partners of the Company (in order to secure the fulfillment of the purposes for the establishment of the partnership),

• Suppliers of the Company (in order to provide the services necessary to carry out the commercial activities of the Company),

• Public institutions authorized by law (limited to the purpose for which the relevant public institutions have the legal authority to request),

• Private law individuals authorized by law (limited to the purpose for which the relevant private law individuals have the legal authority to request),

• Banks we cooperate with,

• Law firms, courts, and other official-judicial authorities that we receive external support from.

1.7.Rights of the Data Subject

According to Article 11 of the KVKK, personal data subjects have the following rights:

a) To learn whether personal data is being processed,

b) If personal data has been processed, to request information regarding that processing,

c) To learn the purpose of processing personal data and whether it is used in accordance with that purpose,

ç) To know the third parties to whom personal data has been transferred, domestically or abroad,

d) To request the correction of personal data if it is incomplete or incorrectly processed,

e) To request that the correction be communicated to the third parties to whom personal data has been transferred,

f) To request the deletion or destruction of personal data if the reasons necessitating processing have ceased to exist, provided that this is communicated to the third parties to whom personal data has been transferred,

g) To object to the emergence of a result against the data subject by exclusively analyzing the processed data through automated systems,

ğ) To demand compensation for damages arising from the unlawful processing of personal data.

It is important that the information/data you share is accurate and kept up to date for the exercise of rights over the data within the framework of the KVKK and other relevant legislation; all responsibility arising from providing incorrect information belongs to the data subject. Personal data subjects may communicate their requests regarding their rights in the manner determined by the Board. In this context, they may use the “Data Subject Application Form” available at www.yilcanturizm.com.tr.

2- BASIC PRINCIPLES

Our company acts in accordance with the general principles and conditions stipulated in the legislation regarding the protection and processing of personal data and strives to ensure that personal data is processed in compliance with the Constitution and the KVKK.

2.1.Processing of Personal Data in Compliance with Law and Integrity Principles

İşcan Furniture Ltd. Şti processes personal data in accordance with the provisions of Article 4 of the KVKK and adopts the principle of “transparency” towards data subjects by informing them regarding the processing of personal data. In the information provided, clarity and integrity are fundamental, and the data subjects are informed clearly about the purpose of data collection, and therefore the data is processed within this framework. Any use of the personal data without a legal justification that would negatively impact the data subject is to be avoided.

2.2.Ensuring the Accuracy and Updating of Personal Data

İşcan Furniture Ltd. Şti ensures the accuracy and up-to-date status of the personal data it processes.

2.3.Processing Personal Data for Specific, Clear, and Lawful Purposes

İşcan Furniture Ltd. Şti collects and processes personal data for legitimate and lawful reasons. It processes personal data within a reasonable scope and extent connected to its ongoing activities.

2.4.Connected, Limited, and Proportionate to the Purposes for Processing

İşcan Furniture Ltd. Şti avoids processing personal data that is not related to the purpose of processing or is not necessary. Accordingly, minimizing data processing activities is essential.

2.5.Storage and Destruction of Personal Data

Our Company stores the processed personal data, only as long as mandated by relevant legislation, as envisaged in Articles 4 and 7 of the KVKK. In this context, our company firstly checks whether there is a specific retention period stated in the relevant legislation. If a legal period has been specified, it will comply with that. If no legal period has been specified, the duration necessary for achieving the purpose of processing will be determined, and personal data will be stored only for that duration. Personal data will be destroyed at the end of the determined storage periods, either periodically or in line with requests from the data subject, in accordance with the designated destruction methods (deletion and/or destruction and/or anonymization).

3- EFFECTIVENESS AND IMPLEMENTATION

This Policy came into effect on 25.12.2019. In the event of updates to any parts or the entirety of the Policy, such updates shall come into effect on the dates they are published. The Policy will be published in its most recent form on www.yilcanturizm.com.tr.

4- EXERCISING RIGHTS BY THE DATA SUBJECTS

In order to exercise your rights, it is sufficient to fill out the Data Subject Application Form, which you can access from www.yilcanturizm.com.tr, and submit it to us. Your request will be concluded free of charge as quickly as possible, and at the latest within 30 (thirty) days, depending on the nature of your request. However, if the process incurs additional costs, a fee will be charged as determined by the Personal Data Protection Board.

In order for third parties to make application requests on your behalf, you must provide a special power of attorney arranged by a notary public to that third party. Our Company may request information from the relevant individual to ascertain whether the applicant is the Data Subject and may ask questions regarding the request to clarify the matters stated in the application.

5- INFORMATION ON THE DATA CONTROLLER:

İşcan Mobilya is a capital company with legal personality operating in Turkey. The information regarding Yılcan Tourism as the data controller is as follows:

Title: İşcan Mobilya Gıda Dekorasyon Turizm Pazarlama Ltd. Şti.

Haydarçavuş Mahallesi Sunullah Caddesi 13/a BANDIRMA /BALIKESİR

MERSIS NO: 0481008599800013

iletisim@yilcanturizm.com.tr

Tax Office: Bandırma

Tax No: 4810085998

Phone: 0266 713 20 04/0507 313 8386

6- DEFINITIONS:

The meanings of the following terms included in this document express the definitions mentioned in the Law No. 6698, the Secondary Regulations, and Communiqués related to this Law, as specified below.

Explicit Consent: Consent stated regarding a specific subject, based on being informed and declared freely.

Anonymization: The process of altering personal data in a way that it will no longer be identifiable to a person and this change cannot be reverted, for example, by techniques such as masking, aggregation, or data destruction that prevents personal data from being associated with a real person.

Personal Data Subject: The natural person whose personal data is being processed. For example; customers, suppliers, visitors, employees, and job applicants.

Personal Data: Any information related to a natural person whose identity is certain or can be identified. Therefore, processing information related to legal entities is not covered by the Law. For example; name-surname, TR ID number, email, address, date of birth, credit card number, bank account number, etc.

Special Categories of Personal Data: Data related to race, ethnic origin, political thought, philosophical belief, religion, sect, or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data are classified as special categories of data.

Processing of Personal Data: Any operation performed on personal data, whether by automated means or not, such as collection, recording, storage, retention, alteration, rearrangement, disclosure, transmission, transfer, accessibility, classification, and prevention of its use.

Personal Data Storage and Destruction: The process of determining the maximum period necessary for the purposes for which personal data is processed, along with deletion, destruction, and anonymization of data.

Data Controller: The real or legal person who determines the purposes and means of processing personal data and manages the personal data filing system (data registry system). For instance, each corporate entity.

Data Processor: The real or legal person who processes personal data on behalf of a data controller based on the authority given by that data controller.

Data Registry System: The system where personal data is processed by being structured according to specific criteria.

Contact Person: The natural person designated by the data controller at the time of registration in the registry to fulfill the obligations concerning communication established with the Board in relation to the obligations and responsibilities of data controllers operating in Turkey.