PROCESSING PERSONAL DATA AND SECURITY POLICY

 

1. PURPOSE OF THE POLICY

As ODEON Turizm İşletmeciliği A.Ş.(“Odeon”), we collect and process some of your personal data in accordance with the Law on Protection of Personal Data of relevant countries (“DP Law”) and relevant legislation in order to provide our services in the best way possible.
This Personal Data Processing and Security Policy (“Policy”) has been prepared to determine and show for what purposes your personal data is processed, to which third parties it is transferred, your rights regarding your personal data and Odeon's obligations in terms of processing and protecting personal data.

2. SCOPE OF THE POLICY

This Policy covers our activities regarding the processing of the personal data we have obtained from the following persons:
•   Representative, attorney and shareholders of our company and group companies,
•   Employees and officials of our business partners,
•   Employees and officials of our suppliers,
•   Our customers and potential customers,
•   Our employee candidates, trainees, trainee candidates and the people they refer to in their applications,
•   Family members of our employees,
•   Legally authorized persons,
•   Our visitors,
•   Other third parties.

3. AUTHORITIES AND RESPONSIBILITIES

Odeon Employees: Within the scope of all our business activities, they are obliged to comply with this Policy and relevant legislation.
Our suppliers: They are obliged to comply with this Policy and relevant legislation in all services they provide to Odeon.
Odeon Senior Management: They are responsible for ensuring that all our business activities are carried out in accordance with this Policy.

4. DEFINITIONS AND ABBREVIATIONS

The abbreviations in this Policy shall be used for the following definitions:

 

ABBREVIATIONS

DEFINITIONS

Odeon

ODEON Malta İnternational LTD.

Personal Data

All the information relating to an identified or identifiable natural person.

Sensitive Personal Data

Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data.

Data Subject

Natural persons whose personal data are processed.

Processing Personal Data

Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

Explicit Consent

Freely given, specific and informed consent on a particular subject. 

Anonymizing

Rendering personal data impossible to link with an identified or identifiable natural person, even though matching them with other data.

DP Law

Referred to the Personal Data Protection Law of all relevant countries.

Board

The Personal Data Protection Board of relevant countries.

Authority

The Personal Data Protection Authority of relevant countries.

Policy

Personal Data Processing and Security Policy of companies in relevant countries.

Data Controller

The natural or legal person determines the purpose and means of processing personal data and manages the place where the data is kept systematically.

Data Processor

The natural or legal person who processes personal data on behalf of the controller upon his authorization

 

5. PERSONAL DATA PROCESSED BY ODEON


As a data controller, Odeon processes the following personal data, including but not limited to those listed here, within the scope of its current activities:

 

PERSONAL DATA GROUP

PERSONAL DATA

ID Information

Information such as name, surname, ID number, photo, date and place of birth, marital status, driver's license information, passport number, identity card serial number.

Contact Information

Email, phone number, mobile phone, social media account information associated with the contact.

Location Information

Information such as residence address, workplace address.

Personnel Information

Payroll information, disciplinary investigation, entry-exit document records, property declaration information, CV information, performance evaluation reports, Social Security Institution entry declarations, company title, tax registration and identification number, room registration number, reference information.

Legal Transaction Information

Information in correspondence with judicial authorities, information in the case file (execution information).

Physical Space Security Information

Entry-exit information of our customers and visitors to the campuses, records of CCTV in the campuses.

Transaction Security Information

IP address information and access logs.

Financial Information

Balance sheet information, financial performance information, credit and risk information, assets information, salary slips, Bank account information, payment amount, credit and debit card information, amount to be refunded, debt information.

Professional Experience Information

Diploma information, courses attended vocational training information, certificates, transcript information.

Marketing Information

Shopping history, survey results, information obtained as a result of campaign work.

Audio and Visual Recordings

Audio recording, camera footage taken.

Philosophical Belief, Religion, Sect and Other Beliefs

Information on religious affiliation and philosophical belief.

Association Membership

Association membership information in the resumes of employee or trainee candidates.

Foundation Membership

Foundation membership information in the resumes of employee or trainee candidates.

Health Information

Blood group information, personal health information, information specified in the health report, disability status information.

Criminal Conviction and Security Measures

Criminal record, criminal conviction or security measure information in the criminal record.

Family Members Information

Information about family members such as the person's number of children, spouse status.

Customer Transaction Information

Invoice, promissory note, check information, membership information, customer request and complaint information, product information received and used.

Complaint and Request Information

Complaint and request information regarding products and services.

 

 6. METHODS OF COLLECTING PERSONAL DATA

As Odeon, we collect your personal data through the following channels:
•   E-mail, SMS, business cards,
•   Telephone, Fax,
•   CCTV (Closed Circuit Camera Records),
•   Cookies and similar tracking technologies,
•   Physical form,
•   Our website,
•   Postal, cargo, courier,
•   Face-to-face meetings,
•   Other physical and electronic media.

7. PURPOSES OF PROCESSING PERSONAL DATA

As Odeon, we give great importance to the privacy of your personal data we process, collect, and process your personal data in accordance with the general principles and processing conditions specified of the relevant countries DP Law. In this context, we process your personal data limited to the following purposes:
•   Presenting our products and/or services and executing our sales processes,
•   Execution of our product and/or service purchasing processes,
•   Execution of our customer relations processes,
•   Managing our customer return and exchange request processes,
•   Examining and evaluating customer requests and complaints and communicating, if necessary,
•   Carrying out activities for customer satisfaction,
•   Updating, customizing and developing our products and services in line with your needs and demands,
•   Sending e-mails, messages, newsletters and other publications about our new products or services, changes in our existing products or services, and our campaigns and promotions,
•   Planning and execution of our communication processes,
•   Managing cookies in order to improve the experience of our visitors on our websites, to identify requests and problems and to quickly conclude their searches. (For more detailed information, you can refer to our Cookie Policy),
•   Execution of our marketing activities and advertising/campaign/promotion processes,
•   Execution and supervision of our business activities and ensuring business continuity,
•   Execution of our activities and performance of our obligations in accordance with the agreements made with suppliers, business partners and other third parties,
•   Execution of our performance management processes for suppliers,
•   Carrying out our service, maintenance, repair, inspection works,
•   Execution of our repair and maintenance processes,
•   Execution of our finance and accounting works,
•   Providing information to authorized public institutions and organizations, when necessary,
•   Ensuring the realization of independent audits and managing the process,
•   Follow-up of legal affairs directed against our company,
•   Ensuring the physical space security of our buildings and facilities and creating and monitoring our visitor records,
•   Compliance with legal regulations and fulfillment of our legal obligations,
•   Evaluating job applications of employee candidates, conducting interviews and meetings, communicating with the people they refer to in their resumes.

8. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

We process your personal data based on the following legal grounds:
•   Pursuant to relevant country and related Articles of the DP Law, cases where we have obtained your express consent to process your personal data.
•   Pursuant to relevant country and related Articles of the DP Law, clearly stipulated in the laws.
•   Pursuant to relevant country and related Articles of the DP Law, if your personal data is required for the establishment or performance of a contract. For example, Odeon's processing of customers' personal data in order to serve customers.
•   Pursuant to relevant country and related Articles of the DP Law, fulfillment of the company's legal obligations. For example, Odeon logs the access records of the people to whom it provides internet access in accordance with Turkish DP Law No. 5651 and forwards it to the relevant administration upon request. 
•   Pursuant to relevant country and related Articles of the DP Law, being made public by the data subject. For example, Odeon's processing of customer or potential customers' contact addresses that they have made public on their websites in order to carry out purchasing, sales or marketing activities.
•   Pursuant to relevant country and related Articles of the DP Law, Odeon's establishment, exercise and protection of its own right. For example, in order for Odeon to defend itself in a possible dispute or lawsuit, keeping personal data from the termination of the contractual relationship for the duration of the statute of limitations.
•   Pursuant to relevant country and related Articles of the DP Law, if necessary for the legitimate interest of the company. For example, Odeon's processing of potential customers' personal data to respond to potential customers' questions about products.
•   Pursuant to relevant country and related Articles of the DP Law, stipulated in the law for sensitive personal data. For example, the processing of relevant personal data in terms of notifiable diseases.
•   Pursuant to relevant country and related Articles of the DP Law, processing of personal data other than health and sexual life by persons or authorized institutions and organizations that are under the obligation to keep secrets in cases stipulated by law. For example, the collection and storage of health reports by the Joint Health And Safety Unit.

9. TRANSFER OF PERSONAL DATA

Within the framework of the data transfer conditions specified in relevant country and related Articles of the DP Law, in line with the purpose or purposes specified in other connected articles, your personal data may be transferred to our employees, business partners, group companies, suppliers, company representatives, authorities and legally authorized public/private institutions and organizations, 
For example, as Odeon,
•   Due to the corporate identity of our company, we may share the requests and complaints from our customers with our group companies so that the necessary actions can be taken most efficiently
•   We may share the data we collect from our customers with our suppliers in order to provide our services.
•   We may share the necessary information with authorized public institutions and organizations if the events occurring on our company campuses are of judicial nature.
Odeon may share your personal data with third parties abroad if one of the following conditions is met:
•   If you give your explicit consent to the transfer activity abroad,
•   If there is adequate protection in the country to which we will transfer the personal data, or
•   If the party to whom the personal data will be transferred undertakes in writing to provide adequate protection and the Board approves this commitment, in the event that there is no adequate protection in the country,

10. STORAGE AND DESTRUCTION OF PERSONAL DATA

Your personal data processed for the purposes set out in this Policy will be stored and destroyed in accordance with the DP Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data. Odeon stores and destroys your personal data in accordance with the Odeon Personal Data Storage and Destruction Policy. You can request our Personal Data Storage and Destruction Policy at kvkk@odeontours.com in order to learn about the precautions we have taken regarding the safe storage and destruction of your personal data and the storage and destruction periods we have determined.

11. ENSURING THE SECURITY OF YOUR PERSONAL DATA

As Odeon, we ensure the security of the personal data we process while providing our services in accordance with the DP Law and relevant legislation. In this context, Odeon takes appropriate security measures and incorporates necessary security technologies in order to ensure the compliance of the personal data it processes with the law, to prevent illegal access and to ensure its preservation. Odeon has prepared and implements a Personal Data Security Policy for the technical and administrative measures it has taken to ensure the security of personal data.
In addition, we take some additional technical and administrative measures in order to ensure the security of the sensitive personal data that we process as a data controller. In order to determine these measures, Odeon has prepared and implements the Processing and Security of Sensitive Personal Data Policy.
Odeon ensures the security of the personal data processed by acting in accordance with the two policies mentioned in this section and generally accepted good practices.

12. YOUR RIGHTS REGARDING YOUR PERSONAL DATA AND APPLICATION

As a Data Subject, you have the following rights regarding your personal data in accordance with relevant country and related Articles of the DP Law:
•   information about whether your Personal Data has been processed,
•   if your Personal Data has been processed, information about such data processing,
•   information about purposes for the processing of your Personal Data and whether your processed Personal Data has been used for such purpose,
•   information about third parties in Turkey or abroad to whom your Personal Data is transferred,
•   if your Personal Data has been incompletely or inaccurately processed, correction of such data processing, and requesting notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
•   if the grounds for processing your Personal Data are no longer valid even if it has been processed in accordance with the provisions of the relevant countries of DP Law and inlinewith other connected laws, requesting of deletion or destruction of the Personal Data, and requesting the notification of the transaction made within this scope to the third parties to whom your personal data has been transferred,
•   objection to any negative consequence of your processed Personal Data being analyzed exclusively through automated systems, 
•   if you suffer any damages due to the illegal processing of your Personal Data, indemnification of such damages and losses.

You can submit your requests regarding these rights through the Data Subject Application Form on our website.
Your application will be carried out free of charge. However, if the requested transaction requires an additional cost, the fees in the tariff determined by the Personal Data Protection Board will be requested from the applicant.
Your applications will be answered in writing or electronically as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. If your request is rejected, your application will be answered with justification.

13. REFERENCES AND BASIS

• Law on the Protection of Personal Data of relevant countries.

14. RELATED DOCUMENT

•   General Privacy Notice on Personal Data of relevant countries.
•   Cookie Policy
•   Personal Data Storage and Destruction Policy
•   Personal Data Security Policy of companies in relevant countries.
•   Policy on Processing and Security of Sensitive Personal Data