PURPOSE AND SCOPE OF THE POLICY
We have prepared this Personal Data Processing and Privacy Policy (the “Policy”) (Voyag Turizm Otelcilik İşletmesi ve İnş. San. Ticaret A.Ş. and MRA Turizm ve Otel İşletmeciliği A.Ş. and all together to be referred to as “Maxx Royal Resorts” or the “Company”) in order to inform you, our valued guests and stakeholders, about the principles and values we adopt and the methods and procedures we apply with respect to our personal data processing activities.
The protection of personal data is among our fundamental principles and priorities as Maxx Royal Resorts. Owing to the nature of the activities carried out by Maxx Royal Resorts, we process all personal data obtained from our facility guests and prospective guests in accordance with international information security standards, and we do not process or transfer such data in any way unless there is a legal ground arising from Law No. 6698 on the Protection of Personal Data (the “Law”) and the relevant legislation.
We have adopted as a fundamental principle to ensure full compliance with the Law and the relevant legislation; to prevent the unlawful processing and transfer of personal data; to take the necessary technical and administrative measures in this regard; and to regularly inform our employees so that they act in accordance with these principles. In this respect, periodic audits are carried out to ensure compliance with the Law. This Policy covers all personal data processing activities carried out by Maxx Royal Resorts with respect to all Personal Data, including their collection, processing, storage and destruction, updating where necessary, and transfer. The Policy covers the Personal Data of all natural persons associated with the Company, including guests, prospective guests, employees, business partners, suppliers, and third parties, and sets out the procedures and principles regarding the processing, protection, and security of such Personal Data in accordance with the Law and the relevant legislation.
DEFINITIONS
|
Term |
Definition |
|
Recipient Group |
Natural or legal persons to whom the Company transfers personal data |
|
Explicit Consent |
Consent relating to a specific matter, based on information, and expressed with free will |
|
Anonymization |
Rendering personal data anonymous in such a manner that the data can no longer be associated with an identified or identifiable natural person, even by matching it with other data |
|
Employee |
Employees of Maxx Royal Resorts |
|
Inventory |
The inventory created by Maxx Royal Resorts in connection with its personal data processing activities related to its business processes, in which such activities are associated with the purposes and legal grounds for processing personal data, the data category, the recipient group to which the data is transferred, and the group of data subjects concerned, and which details the maximum retention period required for the purposes for which the personal data are processed, the personal data envisaged to be transferred abroad (if any), and the measures taken regarding data security |
|
Data Subject |
The natural person whose personal data is processed |
|
Authorized User |
Persons who process personal data within the data controller's organization or under the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection, and back-up of the Personal Data |
|
Contact Person |
The natural person notified to VERBİS for the purpose of ensuring the Company's communication with the Authority regarding its obligations arising from the Law and the relevant legislation |
|
Destruction |
The erasure, destruction, or anonymization of personal data |
|
Law |
Law No. 6698 on the Protection of Personal Data |
|
Recording Medium |
Any medium containing personal data that is processed wholly or partly by automated means, or by non-automated means provided that it forms part of a data recording system |
|
Personal Data Processing/Processing |
Any operation performed on Personal Data, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, rendering retrievable, classifying, or preventing the use of Personal Data, wholly or partly by automated means, or by non-automated means provided that it forms part of a data recording system |
|
Personal Data Transfer |
The transfer of Personal Data processed by the Company or by Data Processors on behalf of the Company to natural or legal persons within Turkey or abroad, outside the Company |
|
Authority |
The Personal Data Protection Authority |
|
Board |
The Personal Data Protection Board |
|
Special Categories of Personal Data |
Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data |
|
Periodic Destruction |
The erasure, destruction, or anonymization process to be carried out ex officio at recurring intervals specified in the personal data retention and destruction policy, in the event that all of the conditions for processing Personal Data set out in the Law cease to exist |
|
Policy |
This Personal Data Processing and Privacy Policy |
|
Erasure |
The erasure of personal data, i.e. rendering personal data inaccessible and unusable for Authorized Users in any way whatsoever |
|
Data Processor |
The natural or legal person who processes Personal Data on behalf of Maxx Royal Resorts based on the authority granted by the Company |
|
Data Recording System |
The recording system in which Personal Data are structured and processed according to specific criteria |
|
Data Controller |
The natural or legal person who determines the purposes and means of processing Personal Data and who is responsible for the establishment and management of the data recording system |
|
VERBİS |
The information system accessible over the internet, established and operated by the Presidency of the Personal Data Protection Authority, to be used by data controllers for registration with the registry and other related registry transactions, i.e. the Data Controllers' Registry Information System |
|
Destroying/Destruction (irreversible) |
The destruction of Personal Data, i.e. rendering personal data inaccessible, irretrievable, and unusable by anyone in any way whatsoever |
BASIC RULES REGARDING THE PROCESSING OF PERSONAL DATA
OBLIGATION TO INFORM
As Maxx Royal Resorts or Data Processors, we are obliged, pursuant to the obligation to inform set out in Article 10 of the Law and the provisions of the “Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform,” to inform Data Subjects of the matters set out below before or, at the latest, at the time personal data are processed. The matters required to be notified under the relevant legislation are communicated to data subjects through privacy notices specifically prepared for each group of data subjects. Although there is no formal requirement as to how the obligation to inform is to be fulfilled, since the burden of proving that the obligation to inform has been fulfilled rests with the Company as Data Controller, measures evidencing fulfilment of the obligation to inform are taken when designing the personal data processing process. These measures may vary depending on the method by which the information is provided (for example, where information is provided through printed documents, the signature of Data Subjects may be obtained at the end of the privacy notice; where information is provided verbally at a call center, the relevant voice recording may be retained; or where information is provided through digital means, digital log records evidencing that the information was provided may be retained).
PROCESSING OF PERSONAL DATA
As Maxx Royal Resorts, we act in accordance with the following principles in the processing of Personal Data:
- Lawfulness and fairness: Personal data are processed in accordance with the law and the rules of fair dealing. Personal data are never collected or processed without the knowledge of the Data Subject and are processed in accordance with applicable legislation and in a manner that does not exceed the reasonable expectations of the data subject. Data processing activities do not proceed in a manner that would mislead the data subject, cause harm to them, or provide an unfair advantage. Within this principle, Personal Data are processed through open and transparent methods; practices that would undermine the trust of the Data Subject are avoided.
- Accuracy and being kept up to date where necessary: The necessary measures are taken in personal data processing processes to ensure that the Personal Data processed are accurate and up to date. The Data Subject whose Personal Data are processed is given the opportunity to apply to update their data and, if any, to correct errors in the data processed.
- Processing for specified, explicit and legitimate purposes: Personal Data are processed for specified, explicit and legitimate purposes, with their scope and content clearly defined, and within the legitimate purposes determined to ensure the continuity of legislation and business processes. Accordingly, care is taken to act in accordance with the principles of certainty and clarity in the legal texts prepared within the scope of the legislation on the processing of Personal Data. The purpose of data processing set out in the Company's personal data protection documents does not contain vague, general, or ambiguous expressions; it is clear enough for the Data Subject to understand for what purpose their data is processed.
- Being relevant to, limited to, and proportionate with the purposes for which they are processed: Personal Data are processed in a manner that is relevant to, limited to, and proportionate with the purposes for which they are determined. In this context, pursuant to the principle of data minimization, the Company does not process any Personal Data that is not related to the purpose of processing and that is not necessary/mandatory for the processing process. The collection of data that is not necessary for the purpose or excessive is avoided.
- Being retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed: Personal Data are retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed. Once these periods have elapsed, the processing of Personal Data is terminated, and the Personal Data are destroyed through erasure, destruction, or anonymization. Matters relating to the destruction of Personal Data are set out in the Personal Data Retention and Destruction Policy.
TRANSFER OF PERSONAL DATA
Personal Data may be transferred by Maxx Royal Resorts and Data Processors to third parties, provided that the conditions set out in Articles 5/2 and 6/3 of the Law are satisfied and adequate measures stipulated by the Board are taken. The Company may transfer Special Categories of Personal Data without the explicit consent of the Data Subject, provided that the conditions set out in Articles 5/2 and 6/3 of the Law are satisfied and adequate measures stipulated by the Board are taken. Personal Data are always processed in confidentiality and are not transferred in any way to third parties not acting on behalf of the Company, unless consent has been given in writing or electronically for the transfer of personal data, or unless the grounds set out under Articles 5/2 and 6/3 of the Law exist, or unless there is a legal obligation to do so.
Transfer of Personal Data Abroad
Your personal data may be transferred abroad pursuant to Articles 8 and 9 of Law No. 6698 on the Protection of Personal Data, provided that the data processing conditions stipulated in the Law exist and the necessary security measures are taken. In this context, your personal data may be transferred to countries with adequate protection, or, in the absence of adequate protection, to countries where the relevant data controllers undertake to provide adequate protection and which are approved by the Personal Data Protection Board.
CONDITIONS FOR THE PROCESSING AND TRANSFER OF PERSONAL DATA (LEGAL GROUNDS)
Personal Data may be processed only (i) with the “Explicit Consent” of the data subject, or (ii) without seeking the explicit consent of the data subject, where one of the following conditions exists:
- It is explicitly provided for by law,
- It is mandatory for the protection of the life or physical integrity of the person concerned or of another person, where the person concerned is unable to disclose their consent due to physical incapacity or whose consent is not given legal validity,
- It is necessary to process the personal data of the parties to a contract, provided that this is directly related to the establishment or performance of the contract,
- It is mandatory for the data controller to fulfil its legal obligation,
- The data has been made public by the data subject themselves,
- Data processing is mandatory for the establishment, exercise, or protection of a right,
- It is mandatory for the data controller to process data for its legitimate interests, provided that this does not harm the fundamental rights and freedoms of the data subject,
In the absence of any of the processing conditions set out in this provision, Maxx Royal Resorts may not process Personal Data; if one or more of these processing conditions, although initially present, subsequently cease to exist, the relevant Personal Data processing process is terminated. The conditions for processing Special Categories of Personal Data are addressed in the Company's Special Categories of Personal Data Processing Policy. With respect to Special Categories of Personal Data in particular, regard is had to whether such processing is necessary for persons or authorized institutions and organizations bound by a duty of confidentiality, for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or for the planning, management and financing of health services, and whether it is mandatory for fulfilling legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance.
OBLIGATIONS REGARDING THE INVENTORY AND VERBİS
Information regarding the Company's personal data processing processes is included in the Inventory. The Inventory is reviewed at regular intervals and updated where necessary. In the event of any change in the Company's existing personal data processing processes, the relevant personal data processing process is updated in the Inventory accordingly. In the event that the Company is to commence a new personal data processing process, the relevant personal data processing process is recorded in the Inventory accordingly.
OBLIGATIONS REGARDING DATA SECURITY
When processing Personal Data, the Company takes all kinds of technical and administrative measures to ensure an appropriate level of security, in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the protection of personal data. These measures are as follows:
|
Technical Measures |
Administrative Measures |
|
In order to ensure that personal data are processed lawfully, advanced technical measures are implemented, such as ensuring network and system security, transferring data over closed networks, encryption and key management, secure storage in cloud environments, restricting access authorizations, and establishing logging mechanisms; in addition, data loss prevention systems, firewalls, antivirus software, intrusion detection and prevention systems, and regular penetration tests and security scans are carried out. In addition, data security is ensured in both physical and digital environments, back-up systems are used, user account and authorization controls are regularly reviewed, access is revoked in cases of role changes or termination of employment, and all of these processes are monitored through periodic internal audits, with the necessary improvements made accordingly. Furthermore, employees are provided with regular training, contracts include data security provisions, and the technical infrastructure is kept up to date in order to continuously take precautions against possible risks. |
In order to ensure that personal data are processed lawfully, regular training and awareness activities are carried out for employees, authorization matrices are established to keep access and authorizations under control, and confidentiality undertakings are obtained from employees, with data security disciplinary arrangements applied accordingly. In this context, institutional policies and procedures regarding access, retention, destruction, and information security have been established, a data inventory has been prepared and is regularly updated, and the principle of data minimization is observed. In addition, data security provisions are added to contracts, data processors and business partners are audited, additional measures are applied with respect to special categories of personal data, and data security breaches are reported and followed up promptly. Furthermore, the security of physical and digital environments is ensured, risks and threats are identified, VERBİS obligations are fulfilled, and all of these processes are monitored through regular audits to maintain their currency. |
Audit of Measures Taken Regarding the Protection of Personal Data
Maxx Royal Resorts carries out periodic internal audits and reports on them in accordance with Article 12 of the Law. Nonconformities and risks identified through internal audits are evaluated within the scope of corrective action, and preventive actions are implemented; the data security of Data Processor service providers is also audited at regular intervals.
RETENTION PERIOD AND DESTRUCTION OF PERSONAL DATA
Pursuant to Article 7 of the Law and Article 5 of the Regulation on the Erasure, Destruction, or Anonymization of Personal Data, the Maxx Royal Resorts Personal Data Retention and Destruction Policy has been established. The procedures and principles regarding the retention of personal data, as well as destruction techniques, are set out in this policy. Personal data and special categories of personal data are retained for the periods stipulated by Law No. 6698 on the Protection of Personal Data and the relevant legislation; where no explicit period is stipulated under the legislation, they are retained for a period determined by taking into account the purpose of processing, sectoral practices, the duration of the legal relationship, the data controller's legitimate interest, possible risks and obligations, and statute of limitations periods. Upon the expiry of these periods, personal data are erased, destroyed, or anonymized in accordance with the legislation.
Where the purpose for processing Personal Data has come to an end and the retention periods determined by the relevant legislation and by Maxx Royal Resorts have also come to an end, Personal Data continue to be retained solely for the purpose of serving as evidence in potential legal disputes or enabling the assertion of the relevant right associated with the Personal Data or the establishment of a defense. These periods are determined on the basis of the statute of limitations periods applicable to the assertion of the relevant right, and, despite the expiry of such limitation periods, by reference to examples of requests previously made to Maxx Royal Resorts on the same matters. In such cases, the Personal Data retained by Maxx Royal Resorts are not accessed for any other purpose, and access to the relevant personal data is only provided when it is required for use in the relevant legal dispute. Once the period referred to here has also come to an end, the Personal Data are erased, destroyed, or anonymized. When destroying Personal Data, the rules and instructions set out in the Personal Data Retention and Destruction Policy are observed.
MEASURES TO BE TAKEN IN THE EVENT OF A PERSONAL DATA BREACH
Rules and instructions have been prepared, in compliance with the Law, within the relevant internal company procedure, to be applied by Maxx Royal Resorts in the event that Personal Data processed in accordance with Article 12 of the Law are obtained by others through unlawful means.
RIGHTS OF THE DATA SUBJECT AND CONTACT
IDENTITY OF THE DATA CONTROLLER
|
Title: |
|
|
Address: |
MERDİVENKÖY MAH. NUR SK. C BLOK NO: 1 İÇ KAPI NO: 26 KADIKÖY / İSTANBUL |
|
Telephone: |
+90 242 715 33 80 |
|
E-mail: |
|
|
KEP: |
RIGHTS OF THE DATA SUBJECT
As a data subject, we hereby inform you that you have the following rights pursuant to Article 11 of the Law:
- To learn whether your personal data are being processed,
- To request information if your personal data have been processed,
- To learn the purpose for which your personal data are processed and whether they are used in accordance with such purpose,
- To know the third parties to whom your personal data are transferred, whether in Turkey or abroad,
- To request the correction of your personal data in the event that they have been processed incompletely or inaccurately, and to request that the relevant transaction be notified to the third parties to whom your personal data have been transferred,
- To request the erasure or destruction of your personal data in the event that, although processed in accordance with the Law and other relevant legal provisions, the reasons requiring their processing have ceased to exist, and to request that the relevant transaction be notified to the third parties to whom your personal data have been transferred,
- To object to a result that is to your detriment arising from the analysis of the processed data exclusively through automated systems,
- To request compensation for damages in the event that you suffer damage due to the unlawful processing of your personal data.
APPLICATION BY THE DATA SUBJECT AND CONTACT
You may submit an application to the Company regarding the rights set out above in accordance with the requirements set out in the Communiqué on the Procedures and Principles of Application to the Data Controller (if you wish, by completing fully and accurately the “Data Subject Application Form” available on our website). You may submit your applications using any of the methods listed below:
Please write the following statement exactly as it appears, on the envelope/in the heading of the letter/in the subject line of the e-mail, when submitting your application:
“VOYAG TURİZM OTELCİLİK İŞLETMESİ VE İNŞAAT SANAYİ TİCARET A.Ş., ATTENTION OF THE LEGAL DEPARTMENT, DATA SUBJECT APPLICATION UNDER THE LAW ON THE PROTECTION OF PERSONAL DATA”
|
WRITTEN APPLICATION |
APPLICATION BY E-MAIL/KEP |
Address: Merdivenköy Mah. Nur Sok. C Blok No:1 İç Kapı No:26. Kadıköy/İstanbul |
|
UPDATES
Maxx Royal Resorts may amend or update this Policy due to changes made to the Law, pursuant to Board decisions, in line with developments in the sector or in the field of information technology, or for any other reason it deems necessary.
|
No |
Date |
Description and Changes Made |
|
v.1 |
12/05/2025 |
Personal Data Processing and Privacy Policy (v.1) published. |
|
v.2 |
06/04/2026 |
Personal Data Processing and Privacy Policy (v.2) published. |
|
v.3 |
2.07.2026 |
Personal Data Processing and Privacy Policy (v.3) published. |