OUR IDENTITY AS DATA RESPONSIBLE

Spice Hotel & SPA is an Ickale Turizm İnşaat San. Tic. A.S. affiliated hotel that offers a 5-star hotel service at Iskele Mevkii 07506 Belek/Antalya address since 2007. You can find more information about us on our website at www.spice.com.tr

PURPOSE AND SCOPE OF THE POLICY

This policy aims to explain the measures taken, your rights and the methods of exercising these rights regarding the principles of processing, the legal basis of processing and the purposes of processing, data collection methods, transfer, storage and security of your personal data which is being processed by Spice Hotel & SPA as the data responsible.

Guests, employees, employee candidates, trainees, supplier representatives, supplier employees and visitors, and their parents, guardians or representatives whose personal data processed by Spice Hotel & SPA are covered by this policy.

OUR DATA PROCESSING PRINCIPLES

Compliance with laws, fairness and transparency: We process your personal data in compliance with laws, fairly and transparently.

Proportionality and Limitedness: We collect your personal data with certain, clear and legitimate purposes and we don’t process them noncompliant those purposes.

Minimum data complaint to the purposes: Personal data are relevant, sufficient and limited as required by the purposes of process. None of your personal data unrelated with their purpose would not be processed

Accuracy: Personal data are processed accurately and updated when required. The wrong personal data would be deleted or fixed without any delay according to their purposes.

Keep for required period: Your personal data are kept for required period by the purposes of process. At the end of this period your data are deleted, wiped out or anonymized.

Data integration and confidentiality: We process your personal data by taking the technical and administrative measures to prevent the unauthorized unlawfully process and the loss, deletion or damage.

Accountability: We have the responsibility which presents our compliance to all aforementioned principles.

PROCESSING CONDITIONS OF PERSONAL DATA AND OUR DATA PROCESSING PURPOSES ACCORDING TO THOSE CONDITIONS

Your personal data could not be processed without your explicit consent. By receiving your explicit consent we process your personal data for the purposes of;

• Promotion of our hotel, send e-mail messages to inform you about the promotions,
• Enable to use our web page by means of cookies and similar technologies when you visit our web site and offer you the marketing advertisements and promotions.

In case the existence of the conditions in the legislative regulations your personal data are processed without your explicit consent. According to those conditions, our purposes of data processing are as follows.

In case it was foreseen in the laws explicitly, your personal data might be processed. Spice Hotel processes personal data of

• its customers as it was foreseen explicitly in the Identification Law no. 1774 and Law no. 6458 on Foreigners and International Protection,
• its employees as it was foreseen explicitly in the Labor Law no. 4857 and social security and health insurance law no. 5510,
• its customers, visitors and employees - including their internet logs - under the law no. 5561, if they uses the internet connection of the hotel.

Personal data may be processed in case it is compulsory for the protection of the life or bodily integrity of the person or someone else who cannot express her/his consent because of virtual impossibility or whose consent has no legal validity. Spice Hotel processes you personal data to,

• share your personal data with the emergency services when there is a life threat for you or someone else, avoid the situations may threaten your life because of diet, allergy or disability.

Personal data may be processed in case it is required to process personal data of the parties to draw up or execute a contract. As a hotel service provider Spice Hotel & SPA processes personal information of;

• the customers to make their room reservations,
• to offer the products and services demanded,
• to process the payments,
• to communicate,
• to inform the notices like mail, phone or the unscheduled situations;
• its employees, employee candidates and trainees to discharge the contractual responsibilities,
• the supplies officer or employee at the contracts signed with the suppliers in order to provide the supply chain.

Personal data may be processed to perform the legal obligations. Within that scope, your personal data are processed to perform our legal obligations resulting from the situations clearly foreseen in the laws.

Although the personal data made public by the related person oneself may be processed, Spice Hotel does not process personal data for any reason on this basis.

Personal data may be processed in case data processing is compulsory to constitute, exercise and protect a right.

Your personal data may be processed for our legitimate interests on the condition do no harm to your fundamental rights and freedoms. Within this scope your personal data are processed for;

• Enabling the customer satisfaction,
• Sustaining our commercial reputation,
• Dispute resolution,
• Fraud protection (monitoring and control of our systems, detection of the validation of your credit card for the payments with credit card and fraud avoidance)
• Business performance and development,
• The safety and secure of our employees and guests, quality management system, worker’s health and safety, environmental safety, guest satisfaction, food safety and cleanliness monitoring, monitoring any accident or deleterious situation, avoidance and detection of the crime, (usage of the surveillance cameras and call logging system)
• Marketing our products and services;
• Conducting our business under legislative regulations.

PROCESSING THE SPECIAL QUALITY PERSONAL DATA

Under the legislative regulations, race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and data relating to security measures and biometric and genetics data of people are defined as the special quality personal data.

Personal data other than health and sexual life may be processed without seeking for the explicit consent of the related person in cases foreseen in the laws. Personal data related to the health and sexual life may be processed without seeking for the explicit consent of the related person by the persons or authorized institutions and organizations under the confidentiality obligation for the protections of public health, preventive medicine, medical diagnosis, conducting the treatment and nursing services, projection and management of the healthcare services and their finance. Except those situations, the special quality personal data are not processed without the explicit consent of the person.

The data related to the situations of disability, diet or allergy stated by the guests themselves or through their guardians/custodians or representatives are processed only to provide the services demanded by the guests and should not be shared with the third parties except those purposes.

Spice Hotel processes the health certificates and data related to the criminal convictions and security measures of its employees, employee candidates and trainees to append to the personal file and to charge suitably to their states of health under the related legislation and because of the legal obligations.

The blood type data of the employees are processed to be used in case of need during any emergency action within the scope of health and safety at work.

DATA INVENTORY AND CATEGORIES OF DATA

Spice Hotel collects personal data of the customers, employees, employee candidates, trainees, supplier officers, supplier employees, guests and their guardians, custodians or representatives in a data inventory. The inventory is arranged under the rules issued by the data protection authorities.

In personal data processing inventory, the data are classified under the name of identity, communication, location, personnel, legal act, customer operation, physical location security, process security, risk management, finance, occupational experience, marketing, audiovisual records, information of health, criminal convictions and security measures.

Whether which categories of data are processed according to the organizational structure of Spice Hotel, the legal causes, processing purposes, storage times, the places they transferred at home and abroad, administrative and technical precautions taken to protect the data for those are stated in detail.

The accuracy and currency of the inventory is checked periodically and the amendments are made if required.

SAFEKEEPING, ANONYMIZATION-DELETION OF PERSONAL DATA

Due to 138th Article of Turkish Criminal Law and 7th article of the Privacy Act no. 6698, although personal data are processed comply with the related provisions of law, with the decision of Spice Hotel in case the causes related to data processing are removed or in case the owner of personal data makes a request in this manner, the data would be deleted irrevocably, destroyed or anonymized. The retention periods of data are determined according to the relevant legislation and the needs of Spice Hotel.

The decisions and suggestions made by Personal Data Protection Institute are considered for the deletion, disposal and anonymization processes. The most suitable solution to the extent of technology is applied considering the needs and potentials of Spice Hotel.

RETENTION PERIODS OF DATA

Spice Hotel records the personal data processed for the period required subject to the relevant legislation of the purpose of receiving those data and then destroys or anonymizes them. The retention periods of personal data are shown at the table below.

ANONYMIZATION

Anonymizing personal data is to make them cannot be associated with an actual person who has a determined or determinable identity by no means even if the personal data are matched with other data. For the anonymization of personal data, it is required that the personal data cannot be associated with an actual person who has a determined or determinable identity even by using the appropriate techniques for the record medium and related activity field like revoking and/or matching data with other data by data controller or receiver groups.

Spice Hotel & SPA takes all kinds of technical and administrative precautions during the anonymization of personal data. The anonymization of personal data is performed according to the rules stated in the Regulations of Deletion, Destroy or Anonymization of Personal Data and the methods in the related guide issued by Personal Data Protection Institution.

DELETION OF PERSONAL DATA

Deletion of personal data is the process to make personal data inaccessible and nonreusable by the related users by no means.

Spice Hotel takes all kinds of technical and administrative precautions to make personal data inaccessible and nonreusable by the related users. The methods below are used for the deletion of data.

Application Type as Service: Cloud Solutions

In the cloud system data are deleted by issuing the delete command. While performing the aforesaid process, attention should be paid that the related user has not the authority to revoke the deleted data on the cloud system.

Personal Data on the Paper

Personal data on the paper are deleted by using the black out method. The black out process is performed by cutting personal data on the related documents if it is possible or otherwise by making unseen to the related users by using indelible ink as it cannot be revoked and read by technological solutions.

Office Files on the Central Server

Enable that the file is deleted by the delete command on the operating system or the access rights of the related user on the file or the directory in which the file exists are removed. While performing the aforesaid process, attention should be paid that the related user is not the system administrator at the same time.

Personal Data on the Portable Medium

Any kind of confidential data are not carried on the portable media. Personal data on the portable medium are deleted with the software suitable to the related hardware.

Databases

The related lines of personal data are deleted by database commands (DELETE, etc.) While performing the aforesaid process, attention should be paid that the related user is not the system administrator at the same time.

DISPOSAL OF PERSONAL DATA

Disposal of personal data is the process making personal data inaccessible, irrevocable and nonreusable by anybody by no means. Spice Hotel & SPA takes all kinds of technical and administrative precautions related to the disposal of personal data

Local Systems

One or several of the methods below are used for the disposal of data on the aforesaid systems.

Demagnetization: That is the process of disrupting and making unreadable the data on the magnetic medium by passing it through a special device and exposing it to a magnetic field with a very high value.

Physical Disposal: That is the process of physically disposal of optical and magnetic medium by melting, burning or pulverizing. It is enabled to make data inaccessible with the processes like melting, burning, pulverizing or passing the optical or magnetic medium through a metal grinder. If overwriting or demagnetization processes were not successful for solid state drives, so that media is physically destroyed.

Overwriting: That is the process to avoid the recovery of data by writing random data consisted of zeros and ones for seven times minimum over the magnetic medium and rewritable optical medium. That process is done by using special software.

Environmental Systems

The disposal methods may be used according to the medium type are as follows:

Network devices (switch, router etc.): The storage media in the aforesaid devices are fixed. The products mostly has the delete command but there is not any disposal feature. They are destroyed by using one or several suitable methods aforementioned for the "Local Systems."

Flash based media: Flash based hard drives having ATA (SATA, PATA, etc.), SCSI (SCSI Express, etc.) interfaces are destroyed by using the related command if supported, the disposal method suggested by the manufacturer if not supported or one or several suitable methods aforementioned for the "Local Systems."

Magnetic band: Those are the media storing data by the help of micro magnet pieces on the flexible band. It is destroyed by demagnetizing subject to very powerful magnetic media or by physical disposal methods like burning and melting.

Units like magnetic drive: Those are the media storing data by the help of micro magnet pieces on the flexible (plate) or fixed media. They are destroyed by demagnetizing subject to very powerful magnetic media or by physical disposal methods like burning and melting.

Mobile phones (Sim card and fixed memory fields): There is delete command in the fixed memory fields of portable smart phones but there is not destroy command in most of them. They are destroyed by using one or several suitable methods aforementioned for "Local Systems."

Optical drives: These are data storage fields like CD and DVD and destroyed by physically disposal methods like burning, breaking up into small pieces and melting.

The peripheral units like the printer system with a removable data record medium: It is verified all data record media are removed and according to their features they are destroyed by using one or several suitable methods aforementioned for the "Local Systems."

The peripheral units like the printer system with a fixed data record medium: Most of aforesaid systems has the delete command but there is not any disposal feature. They are destroyed by using one or several suitable methods aforementioned for the "Local Systems."

Paper and Microfiche Media

As the personal data in the aforesaid media are permanent and written on the medium physically, the main medium is destroyed. While that process is performed, the medium is divided into small pieces having intangible dimensions, horizontal and vertical if possible and noncombinable again with paper shredders. Personal data transferred from original paper format to the electronic medium by scanning are destroyed by using one or several suitable methods aforementioned according to the electronic medium they exist.

Cloud Systems

During the storage and usage of personal data exist in aforesaid systems, it is required to cipher them with cryptographic methods and to use separate encryption keys for each cloud solutions particularly service is procured. When the cloud computing service relation is finished, all copies of encryption keys required to make personal data usable are destroyed.

TRANSFER OF YOUR PERSONAL DATA AT HOME

In order to transfer personal data at home, minimum one of the following conditions should be ensured according to 8th Article of the law no. 6698:

• Receiving the explicit consent of the related person,
• Explicitly foreseen in the laws,
• Compulsory for the protection of the life or bodily integrity of the person or someone else who cannot express her/his consent because of virtual impossibility or whose consent has no legal validity,
• Required to process personal data of the parties, directly related to draw up or execute a contract,
• Compulsory to carry out the legal obligations of data controller,
• Being anonymized by the related person herself/himself,
• Compulsory to process data to constitute, use or protect a right,
• Compulsory to process data for the legitimate interests of data controller provided that do no harm to the fundamental rights and freedoms of related person.

Except the situations stated here, Spice Hotel & SPA does not share your persona data with third parties by no means.

According to aforementioned processing conditions of personal data and our purposes of processing data, your personal data are shared with authorized public enterprises and security forces for the purpose of performing our legal obligations foreseen in the laws, with our suppliers and other natural persons and private entities for the purpose of sustaining our commercial activities, carrying out the requirements of our contracts and protect our legitimate interests. These are the main ones: reservation service providers, payment providers, IT service providers, surveillance camera service providers, operator service providers, transfer service providers, legal service providers.

TRANSFER OF YOUR PERSONAL DATA TO ABROAD

Spice Hotel,

• Because of the reasons arising from the law or an international contract,
• In case it is compulsory within the execution of a contract,
• In case of virtual impossibility,
• Because of a legal responsibility of Spice Hotel & SPA,
• Because of to constitute, use or protect a right,
• Or within the essential legitimate interest of Spice Hotel & SPA,

shares data by receiving the recognizance related to ensuring sufficient protection and ensuring the following conditions.

Data transfer to abroad according to 9th Article of the Law;

• Presence of the explicit consent of related person,
• In data transfer to the countries have sufficient protection (the countries accepted as secure by the Institution), the presence of the situations stated in the Law (the conditions stated in 2nd item of 5th article and 3rd item of 6th article of the Law),
• In data transfer to the countries don’t have sufficient protection, the presence of the situations stated in the Law (the conditions stated in 2nd item of 5th article and 3rd item of 6th article of the Law) contract sufficient protection in written and the presence of the permission of Institute, may be performed. Data is not transferred to the third parties in abroad without the permission of Institute.

If Spice Hotel & SPA transfers data to the third parties in abroad and present as data controller, submits a recognizance in which the minimum requirements are determined by Personal Data Protection Institution, related to the situation that both parties are data controllers and signed by both parties. The aforesaid data is transferred with the approval of Personal Data Protection Institution. Spice Hotel & SPA doesn’t transfer data to the aforesaid third parties without that approval is granted.

If Spice Hotel & SPA transfers data to the third parties in abroad and present as data processor, submits a recognizance in which the minimum requirements are determined by Personal Data Protection Institution, drew up between data controller and data processor and signed by both parties. The aforesaid data is transferred with the approval of Personal Data Protection Institution. Spice Hotel & SPA doesn’t transfer data to the aforesaid third parties without that approval is granted.

*KVKK: Personal Data Protection Board in Turkey

HOW IS YOUR PERSONAL DATA COLLECTED?

Personal data of our customers is collected when applied to our hotel for reservations. This application may be done when you arrive at our hotel, or when you use our website or mobile applications and through filling out the forms to receive notifications such as campaigns and promotions via google, instagram, facebook, twitter. In addition, other personal data such as video recordings and wireless internet connections are processed in public areas during your stay at our hotel. Our visitors’ personal data is processed during their visit to our hotel. Video recordings and wireless internet connections are included in the data processing.

The processing of the personal data of our employees and trainees begins when they apply for the job, and continues until the end of the employment contract and by requesting information from them when case necessary. Images and sound recordings in common areas are processed when they are at work. The personal data of the employee candidates is processed at the time of the job application.

The collection of personal data of supplier representatives and supplier employees begins with forming the contract with them. Video recordings are processed during their visits to our hotel.

Spice Hotel & SPA keeps the IP information required to be kept under law No. 5651. Other than this IP information, cookies may be used with the purpose of design the website effectively, to provide a better service through the website designs and content, and to make the most effective use of the website for website users. When receiving this personal data, necessary notices are sent.

The legal reasons for Spice Hotel & SPA for collecting this data are to fulfill the data processing purposes described above.

MEASURES WE TAKE REGARDING DATA SECURITY

Spice Hotel takes all administrative and technical measures to ensure the security of your personal data as part of an information security management system implementation. As the administrative measure;

• Personal data security policies and procedures have been determined and follow up of the personal data security is conducted by the senior management,
• No personal data is processed other than its purposes, collecting personal data is tried to be reduced as much as possible,
• An authorization matrix is created for the employees,
• Confidentiality agreements are made with the employees,
• Contracts made with suppliers and other parties that receive data include data security provisions,
• Necessary security measures are taken when entering and leaving the physical environments that contain personal data,
• Physical environments that contain personal data are protected against external risks (fire, flood, etc.).

As the technical measure;

• Cyber security is handled as a whole and the physical infrastructures, applications, digital environments that contain information are constantly monitored,
• Attack detection and prevention systems are used,
• User account management and authorization control system are implemented,
• Firewalls are used,
• Up to date anti-virus software is used,
• Access logs to the information systems are handled so that there will be no user intervention,
• Personal data is backed up and stored and their security is ensured.

YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA

You have the right to withdraw the express consent we received from you at any time in relation to our data processing purposes. In addition, various legal rights are granted to you within the scope of;

• Find out if your personal data is being processed, request information about it if your personal data is being processed,
• Learn about the purpose of processing your personal data and whether it is used for its purposes,
• Know the third parties which your personal data is transferred at home or abroad,
• If your personal data is incomplete or improperly processed, requesting them to be corrected, request them to be deleted or destroyed in accordance with the terms provided in the law, and requesting these changes to be informed to third parties to whom your personal data was transferred.,
• Objecting to any outcome emerged against you when analyzing your processed data, especially through automated systems,
• If you suffer any damage due to the illegal processing of your personal data, you have the right to request the damage to be remedied.

We have taken every precaution to provide you to exercise these rights easily. However, in accordance with the "Communiqué on the Procedures and Principles of Application to the Data Officer" which was published by the Personal Data Protection Board, the following information is required during your application.

• For written applications, your name, surname and signature,
• T.R. ID. no. for the citizens of the Republic of Turkey,
• Nationality, passport number or ID number (if applicable) for foreigners,
• Residency or business address that will be used as the notification address,
• E-mail address, telephone and fax numbers (if any) that will be used for notifications,
• The subject of the request.

While you can prepare a petition with the above information yourself, you can also use your rights by using the application form obtained from our website www.spice.com.tr.

Your applications that do not contain incomplete information will be concluded in accordance with the law and by good faith within 30 days. In case of missing information in the application, additional information is requested from you and then your application is concluded.

APPLICATION METHODS

You can send your requests within the scope of your rights listed in Article 11 of the Law on Protection of Personal Data No. 6698 by one of the following methods in accordance with Article 5 of the "Communiqué on the Application Procedures and Principles to the Data Officer" Your request will be answered within 30 days in accordance with Article 13 of Law No. 6698.

The applicant shall apply with the document/id card which will prove his/her identity. Unless these documents are confirmed, no positive response will be given. For more information you can review our Personal Data Protection Policy at www.spice.com.tr.

The response to your application is given by the method which is used during the application unless otherwise indicated. If requested, a reply can also be sent by any of the methods mentioned above.

Applications are free of charge. However, if a fee is required for us to respond, that fee may be charged to you according to the tariff set by the Personal Data Protection Board. According to the subject of the request, if Spice Hotel falls into any fault, the fee shall be refunded.

It is possible to make your application by choosing one of the five methods below.