GUEST INFORMATION TEXT REGARDING THE PROTECTION OF PERSONAL DATA

At Çenger Beach Resort, we are aware of the importance of our valued guests’ personal data; therefore, we take high-level security measures to protect your personal data against unauthorized access. In order to protect your privacy and your fundamental rights and freedoms, your personal data is processed within the limits prescribed by the Personal Data Protection Law No. 6698 (PDPL), secondary regulations issued under this law, the Identity Notification Law No. 1774, the Tax Procedure Law No. 213, the Turkish Commercial Code No. 6102, and other applicable legislation.

Identity of the Data Controller

Pursuant to the Personal Data Protection Law No. 6698, ÇENGER YATIRIM TİCARET A.Ş. acts as the “data controller”. In accordance with Article 10 of the PDPL titled “Data Controller’s Obligation to Inform” and Article 11 titled “Rights of the Data Subject,” we hereby inform our guests, visitors, business partners, and the natural or legal persons we are in contact with, regarding for which purposes your personal data will be processed, to whom and for what purpose your processed personal data may be transferred, the method and legal ground for collecting personal data, and your rights. This “Personal Data Protection Information and Consent Text” has been prepared to fulfill our obligation to inform as the data controller.

Our institution reserves the right to revise this “Personal Data Protection Information and Consent Text” at any time due to possible changes in current legislation.

Personal Data We Process

• Identity information (name–surname, ID number, etc.)
• Contact information (e-mail address, phone number, etc.)
• Location information (address, etc.)
• Information regarding your children (age, date of birth, etc.)
• Financial information (payment transaction details)
• Requests, complaints, or comments during or after your stay at our facilities

** In compliance with the principle of data minimization, we may collect limited information about minors (under 18) accompanying you, such as name, surname, nationality, and date of birth, only through you.**

Collection of Personal Data

Your personal data may be collected verbally, in writing, or electronically, either directly from you or through intermediaries, during the services we provide.

During hotel activities, personal data may be collected during:

• Room reservation procedures
• Communication with tour operators or travel agencies
• Hotel check-in, check-out, and payment processes
• Submitting feedback, requests, or complaints
• Completing satisfaction surveys or guest feedback forms
• Participation in events, seminars, or activities organized by the hotel
• Visiting our corporate website

Method and Legal Grounds for Processing Personal Data

Your personal data may be processed under Article 5 of the PDPL in the following cases:

• When explicit consent is given
• When it is clearly provided for by law
• Where the data subject is unable to give consent due to physical impossibility, and processing is necessary for the protection of life or physical integrity
• When processing of personal data is necessary for the establishment or performance of a contract
• When processing is mandatory for the data controller to fulfill its legal obligations
• When personal data is made public by the data subject
• When processing is mandatory for the establishment, exercise, or protection of a right
• When processing is necessary for the legitimate interests of the data controller, provided that it does not violate fundamental rights and freedoms of the data subject

Special categories of personal data (sensitive data) may be processed under Article 6 of the PDPL only when the required legal conditions are met or based on explicit consent. Sensitive personal data includes: racial or ethnic origin, political opinion, philosophical beliefs, religion/sect or other beliefs, clothing and appearance, association/foundation/union membership, health, sexual life, criminal record and security measures, biometric and genetic data.

Sensitive personal data regarding health and sexual life may only be processed without explicit consent by persons under a confidentiality obligation or authorized institutions for the purposes of protecting public health, preventive medicine, diagnosis, treatment, care services, or management of health services and financing.

Required security measures are taken during the processing of sensitive personal data.

Purposes of Processing Personal Data

• To carry out room reservation procedures
• To fulfill legal and regulatory obligations
• To conduct quality improvement activities
• To manage risk processes
• To manage guest relations
• To determine and implement commercial strategies and business operations
• To carry out marketing and sales activities
• To conduct routine audits
• To carry out and audit financial transactions
• To plan, audit, and implement information security processes
• To prevent possible abuse or unauthorized transactions by employees
• To evaluate, respond to, and improve feedback, requests, and complaints via all channels

Retention Period of Personal Data

When the purpose of processing personal data no longer exists, or when the legal retention periods expire, personal data will be deleted, destroyed, or anonymized.

Rights of the Personal Data Owner (Data Subject)

Every individual may apply to the data controller and exercise the following rights:

• To learn whether personal data is being processed
• To request information if personal data has been processed
• To learn the purpose of processing personal data and whether it is used in line with its purpose
• To know the third parties in Türkiye or abroad to whom personal data has been transferred
• (This may require legal retention periods to expire; deletion cannot be fulfilled before legal retention obligations end.)
• To request the correction of incorrect or incomplete personal data
• To request the deletion or destruction of personal data within the framework of Article 7
• To request notification of the correction, deletion, or destruction to third parties to whom personal data has been transferred
• To object to a decision resulting from the exclusively automated processing of personal data
• To request compensation in case of damage arising from unlawful processing of personal data