CLARIFICATION TEXT AND PRIVACY POLICY

Clarification Text on the Personal Data Protection Law" on the website metalsistem.com.tr (hereinafter referred to as Setraf website) by SETRAF SİSTEMLERİ LTD. ŞTİ. (SETRAF) (hereinafter referred to as “SETRAF”), in line with our Clarification Obligation as the data controller, has been prepared for our valued visitors and customers in order to protect your fundamental rights and freedoms when you will be visiting the website and shopping for hotel-related products and services and inform you on what legal grounds and by what methods we collect your personal data obtained by us and how we process your data obtained and the methods by which we ensure your data security. SETRAF reserves the right to update and make changes in this "Clarification Text on the Personal Data Protection Law" in line with the provisions of the PDPL and applicable legislation.

PERSONAL DATA

According to PDPL personal data is any information relating to an identified or identifiable natural person. This information is those such as the name, surname, date of birth, gender, identity number, e-mail address, residence/delivery address, telephone number of a certain person and they are defined as personal data in our legal regulations because they have the characteristics of making the person identifiable.

YOUR SPECIAL PERSONAL DATA

Within the scope of PDPL, your data related to your race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, your appearance, association, foundation or union memberships, your health, sexual life, your criminal conviction, if any, and your biometric and genetic information are your data of special nature. We recommend you not to share your personal data of special nature.

WHICH PERSONAL DATA WE PROCESS?

Your personal data that may be subject to processing, if you share it with us or if necessary, are as follows:

FOR WHAT PURPOSES WE PROCESS YOUR PERSONAL DATA?

Processing of personal data refers to all kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, reorganizing, explaining, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means. Your personal/private data by SETRAF, limited to the purposes specified in this "Clarification Text on the Protection of Personal Data" and due to our legal obligations arising from the relevant legal regulations mainly the Law No. 6563 on the Regulation of Electronic Commerce, Personal Data Protection  Law No. 6698 are processed by us for a period stated by laws. Personal data may be collected verbally or electronically through automatic or non-automatic means, through the website, social media channels, mobile applications and similar means. In addition, personal data may be processed when using our website and visiting the website for the purpose of using Hotel services, and when you participate in any organization prepared by the hotel.

We process your personal data in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law. We process all processed personal data for the goals of ensuring your satisfaction, planning and execution of marketing processes of products and services, planning of customer relationship management processes, follow-up of requests and complaints submitted to us, follow-up of contract processes, ensuring the legal, technical and commercial work security of the persons who have a business relationship with the company, ensuring that it is carried out in accordance with company procedures and relevant Legislation, ensuring that personal data is accurate and up-to-date, providing information to authorized institutions originating from the Legislation (Identity Reporting Law no. 1774), carrying out the necessary work by our relevant business units for the realization of commercial activities and to carry out the related business processes, implementation of human resources policies, conducting Social Responsibility Activities, planning, control and execution of information security processes, follow-up of financial and accounting affairs, follow-up of legal affairs, planning and execution of business activities, planning and execution of corporate communication activities, management of relations with business partners and/or suppliers, planning and monitoring performance evaluation processes.

* Planning and execution of marketing activities such as promotions, special offers, discounts and campaigns (If you prefer to be informed about our campaigns and promotions, we save your information in order to send you bulk e-mails, SMS, and to benefit from customer satisfaction and campaigns.) Your processed personal data is processed in accordance with the law and relevant legal regulations, limited to the purposes of communicating with you and informing you about advertisements and campaigns, for a period of time to be related to the specified purposes and is destroyed when the purpose disappears.

* When the SETRAF website is accessed, when the contact button is clicked from the buttons on the relevant tab of the site, in "Write a Message" section that will come to the page, you, our valued visitors, customers or members, fill in the blank boxes with your name, surname, mobile phone number and e-mail address in order to contact us and if you share your message with us by clicking the Send Message button with your free will, it is deemed that you give your express consent for the processing of your name, surname, telephone number and also your e-mail address (personal data).

PURPOSE OF TRANSFER OF PERSONAL DATA

Your personal data collected by us may be shared within the framework of the personal data processing conditions and purposes specified in the Identity Reporting Law no. 1774 and Articles 8 and 9 of the Law with Hotel Management automation program (currently used Modhotel Aktif Bilişim), İBYS (e-prescription etc.) (currently used Uludağ Bilişim), real persons or private legal entities, Shareholders, Authorized Public Institutions and Organizations, for the realization of the commercial activities of the Company detailed above, carrying out the necessary work by our relevant business units and execution of related business processes, ensuring the legal, technical and commercial occupational safety of the Company and the persons who have a business relationship with the Company, making the necessary work by our business units in order to benefit the relevant people from the products and services offered by the company and execution of related business processes.

TRANSFER OF PERSONAL DATA

SETRAF may transfer the personal data it obtains to third natural or legal persons in the country only with the express consent of the data subject. The transfer of the personal data of the data subject to the 3rd real or legal person without his explicit consent is possible in the following cases and may be transferred to the persons authorized in accordance with the law and in connection with the purpose.

• It is clearly stipulated in the laws,
• It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to
  express his/her consent due to actual impossibility or whose consent is not legally recognized,
• It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the
  establishment or performance of a contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The data subject has been made public by himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the
  fundamental rights and freedoms of the data subject,
• If you prefer to be informed about our campaigns and promotions, we transfer your personal data to the suppliers
  providing the relevant service in order to send you bulk e-mails and SMS.
• We transfer your opinions and thoughts about your satisfaction as a result of the service you receive to the authorities providing the relevant service. If you share with us the audio and video data you have taken during the service you have received from us with your consent, we share it on the internet (social media, website, etc.).

PRIVACY POLICY

Personal data is confidential and SETRAF respects this confidentiality. Only authorized persons can access personal data within the company. All necessary technical and administrative measures are taken to protect the personal data collected by our company, to prevent it to be learned by unauthorized persons and to prevent our customers and prospective customers from being victims. In this framework, it is ensured that the software complies with the standards and that the data protection policy is complied with within the Company. 

UPDATE PERIOD

This text will be updated in line with the economic and commercial decision of the company or the principle decisions of the Personal Data Protection Board.

GENERAL PRINCIPLES OF PROCESSING PERSONAL DATA

SETRAF accepts, declares, and undertakes that it complies and will comply with the following basic principles when processing personal data.

• We state that we will process data with lawfulness and fairness
• Being accurate and kept up to date where necessary.
• Being processed for specified, explicit and legitimate purposes.
• Being relevant, limited and proportionate to the purposes for which they are processed.
• Being stored for the period laid down by relevant legislation or the period required for the purpose for which the
  personal data are processed.

DATA SECURITY

SETRAF accepts, declares and undertakes that it will establish the necessary systems and control mechanisms for the deletion, destruction or anonymization of the personal data it obtains, prevent unlawful processing of data, prevent unlawful access to data, ensure the protection of data and take all kinds of technical and administrative measures in this direction, carry out and have the necessary inspections made within its own body and in case the data is processed by another natural person or legal person and also take all kinds of technical and administrative measures. SETRAF will inform the person concerned and the Personal Data Protection Board as soon as possible if the processed personal data is unlawfully captured or obtained by others. 

WHAT ARE YOUR RIGHTS?

The real persons whose personal data are processed have the right to apply to SETRAF as a data controller for the implementation of the provisions of the PDPL and other relevant legal regulations, and the rights you have as a data subject in accordance with Article 11 of the PDPL are presented below for your information.

a) to learn whether his/her personal data are processed or not,
b) to demand for information as to if his/her personal data have been processed,
c) to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
ç) to know the third parties to whom his personal data are transferred in country or abroad,
d) to request the rectification of the incomplete or inaccurate data, if any,
e) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7 of PDPL,
f) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,
g) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

APPLICATION TO DATA CONTROLLER

The person whose personal data is processed accepts that he/she is under the obligation to apply to SETRAF as a data controller within the most appropriate time frame in connection with the exercise of the right, if he/she requests the exercise of his/her rights regarding the personal data processed or learned to be processed by SETRAF. 

The Relevant Person accepts that he/she is under the obligation to submit his/her applications to SETRAF in writing via registered letter/notary public or e-mail with the subject explanation of the "Information Request on Personal Data Protection Law".

In order to exercise the rights set forth in article 6 above, titled the rights of data subject, in accordance with Article 5/2 of the Communiqué on the Procedures and Principles of Application to Data Controller, which was published in the Official Gazette No. 30356 on 10.03.2018, the obligatory matters that must be included in the application are presented below for your information to be answered in accordance with the law and legislation;

• Name, surname and signature if the application is in writing,
• For citizens of the Republic of Turkey, T.R. identity number, nationality for foreigners, passport number or
  identification number, if any,
• Domicile or workplace address for notification,
• E-mail address, telephone and fax number for notification, if any
• Subject of request.

A petition containing the above-mentioned information and documents and explanations for the requested right can be sent as a notification to the address of SETRAF, Çakmak Mah. Alemdağ Cad. No:480/B Ümraniye / İstanbul, or as a message to the e-mail address info@setraf.com . 

SETRAF accepts, declares and undertakes that it will conclude the requests in the application as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. If the application is responded in writing, no fee will be charged from the data subject. However, if the process requires a separate cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company. In case the application is caused by the fault of SETRAF, the fee will be returned to the relevant person.

SETRAF has the right to accept the request regarding the exercise of the right directed to it by the data subject in the capacity of data controller or to reject it by explaining the reason. If the request in the application is accepted, the data controller accepts, declares and undertakes that he is under the obligation to fulfill the requirement. 

In cases where the application is rejected, the response given is insufficient, or the application is not responded within 30 (thirty) days; the data subject has the right to file a complaint with the Personal Data Protection Board within 30 (thirty) days from the date of learning the answer of the data controller and in any case within sixty 60 (sixty) days from the date of application. It is foreseen that the Board will give a response to the data subject within sixty days. It is possible for data subject, whose application is implicitly or explicitly rejected, to file a complaint with the Board, and to take legal action directly against the data controller. Those whose personal rights are violated have the right to compensation according to the general provisions. In this context, the data subjects may apply to court. You can request the destruction of your personal data from the Company within the framework of the conditions stipulated in Article 7 of the PDPL. If you suffer damage due to the unlawful processing of your personal data, you can request the elimination of the damage. All your requests and complaints will be answered by us.

CONTACT INFORMATION

Çakmak Mah. Alemdağ Cad. No:480/B Ümraniye / İstanbul
+90 (216) 527 86 35
info@setraf.com
www.setraf.com
www.setraf.com.tr
www.metalsistem.com.tr

Mersis No  (Central Registration System No): XXXX XXXXX XXXXX