BABAKAMP TURİZM TARIM VE TİCARET LİMİTED ŞİRKETİ
PRIVACY AND PERSONAL DATA PROTECTION POLICY
In this "Privacy and Personal Data Protection Policy," the company, Babakamp Turizm Tarım ve Ticaret Limited Şirketi, with MERSIS number 0128047537700001, located at Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla, referred to as the "Company," complies with the Law on the Protection of Personal Data No. 6698, referred to as the "Law."
The Company, in accordance with the principles set forth in the Law, fulfills its obligations arising from the Law regarding the processing, deletion, destruction, anonymization, transfer, informing of the data subject, and ensuring data security.
This Privacy and Personal Data Protection Policy, which is prepared in accordance with the Law, is made accessible to the real persons ("Data Subject") whose personal data is processed.
1. Scope and Purpose of Privacy and Personal Data Protection Policy:
This Privacy and Personal Data Protection Policy includes:
a. Methods of Collecting Personal Data and Legal Reasons:
The Company collects personal data through stores, call centers, websites, social media accounts, email, mail, call centers, CCTV, cookies, fax, notifications from administrative and judicial authorities, and other communication channels, in oral, electronic, or written form, in compliance with the personal data processing conditions specified in the Law and the legal reasons stated in this Privacy and Personal Data Protection Policy.
b. Data Subject Categorization:
The Company categorizes the data subjects whose personal data it processes as follows, and the expansion of these groups may be possible in light of the processes and legal reasons specified in this policy.
c. Data Categories and Example Data Types:
No. |
Data Subject |
Data Category |
Data Types |
1. |
Customer |
Identity Information |
Name-Surname, Gender, Turkish ID Number, Turkish ID Details (ID card serial number, family sequence number, etc.), Date of Birth, Place of Birth, Passport Number |
Contact Information |
Address (home/work), Email, Phone / Mobile Phone |
||
Financial Information |
Bank Account Details, Financial Transaction Details, IBAN Number, Payment Information |
||
Customer Information |
Customer Number, Start/End Date and Reason of Customer Commercial Relationship, Customer Requests, Customer Satisfaction Information, Complaint and Request Information Regarding the Product |
||
Personal and Professional Information |
Retirement Information, Insurance Information, Education Status, Graduation Information, Affiliated Organization |
||
Legal Transaction and Compliance Information |
Official Records (Police, etc.), Power of Attorney |
||
Specially Qualified Personal Data |
Diopter Information, Hospital Reports |
||
Transaction Security Information |
Call Center Records, Credit Card Number, Credit Card Expiry Date |
||
Family Members and Close Relations Information |
Name-Surname, Degree of Relationship, Occupation, School, Date of Birth, Mobile Phone |
||
Other |
Call Center Records, CCTV |
||
2. |
Online Customer |
Identity Information |
Name-Surname, Gender, Date of Birth, Place of Birth |
Contact Information |
Address (home/work), Email, Phone / Mobile Phone |
||
Financial Information |
Bank Account Details, Payment Information |
||
Customer Information |
Customer Number, Start/End Date and Reason of Customer Commercial Relationship, Customer Requests, Customer Satisfaction Information, Complaint and Request Information Regarding the Product, Internet Site Usage Habits, Search Details, Customer Instructions and Records |
||
Personal and Professional Information |
Retirement Information, Insurance Information, Education Status, Graduation Information, Affiliated Organization |
||
Marketing Information |
Product Preferences, Satisfaction Survey Results |
||
3. |
Visitor |
Identity Information |
Name-Surname, Turkish ID Number, Passport Number |
Contact Information |
Email, Phone / Mobile Phone |
||
Transaction Security Information |
5651 Logs |
||
Other |
License Plate, CCTV |
||
4. |
Online Visitor |
Transaction Security Information |
Password, Member Number, Mobile Phone |
Legal Transaction Information |
IP Address |
||
5. |
Business Solution Partner / Supplier |
Identity Information |
Name-Surname, Gender, Turkish ID Number, Turkish ID Details (ID card serial number, family sequence number, etc.), Date of Birth, Place of Birth, Professional Identifications |
Contact Information |
Address, Email, Phone / Mobile Phone |
||
Financial Information |
Bank Account Details, Financial Transaction Details, IBAN Number, Payment Information, Copies of Guarantee Letters |
||
CV and Professional Information |
Education Status, Military Status, Sector Information, Affiliated Organization, Start/End Date of Employment, Title, Insurance Information |
||
Legal Transaction and Compliance Information |
Signature Circulars, Activity Information, Power of Attorney |
||
Specially Qualified Personal Data |
Criminal Record, Signature, Health Information |
||
Other |
License Plate, CCTV, Photograph |
d. Purpose of Using Personal Data
The Company utilizes personal data for the following purposes:
e. Technical and Administrative Measures Taken to Ensure the Security of Personal Data
The Company is committed to taking all necessary technical and administrative measures to ensure the confidentiality, integrity, and security of your personal data. In this context, measures are taken to prevent the unauthorized use of personal data, its unlawful processing, unauthorized access to data, disclosure, alteration, or destruction of data.
Some of the technical and administrative measures taken by the Company include:
Despite taking necessary information security measures, in the event of a data breach or unauthorized access due to attacks on the platforms operated by the Company or the Company's systems, the Company promptly notifies you and the Personal Data Protection Board and takes the necessary precautions.
f. To Whom and for What Purpose Personal Data May be Transferred
The Company transfers personal data only to third parties and abroad in accordance with the purposes specified in this Privacy and Personal Data Protection Policy and in compliance with Articles 8 and 9 of the Law.
These transfers of personal data are made through secure environments and channels provided by the relevant third party. Depending on the content and scope of the service received from third parties, data subject personal data is transferred using Pseudonymous data when transfer is not necessary.
The personal data subject to domestic and international transfer, in addition to ensuring their security with technical measures, is legally protected through the inclusion of Law-compliant provisions in our contracts, taking into account whether the counterparty of the legal relationship is a data controller or data processor.
No |
Data Subject |
Personal Data Shared With and Purpose |
1. |
Customer / Online Customer |
- Sharing customer personal data with the Social Security Institution (SGK) during SGK and Ministry of Health audits. |
- Reporting unlawful situations occurring in the store to relevant official institutions such as the prosecutor's office. |
||
- Sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits. |
||
2. |
Visitor / Online Visitor |
- Sharing traffic information, such as personal data related to visits or membership on the electronic commerce platforms operated by the company, and navigation information. |
- Sharing log records with official institutions under legal obligations (fight against crime, threat to state and public security, and similar situations limited to cases where the company has a legal or administrative obligation to notify or provide information). |
||
- Sharing camera records with official institutions such as the prosecutor's office and court in case of requests. |
||
3. |
Business Solution Partner / Supplier |
- Sharing current card openings related to relationships with Business Solution Partners/Suppliers with Trade Registry Offices and notaries. |
- Sharing personal data with relevant public institutions and notaries for the legal notifications that Accounting must perform. |
||
- Sharing invoices and collection receipts with representatives of the Ministry of Finance during tax audits. |
||
- Sharing financial data with banks to fulfill payment obligations arising from the current commercial relationship. |
h. Duration of Storage of Personal Data The Company retains the personal data it processes in compliance with the Law for the periods envisaged in the relevant legislation or for the durations required by the purpose of processing. In the Personal Data Storage and Destruction Policy, [insert link], these periods are approximately as follows:
Type of Data |
Storage Period |
Legal Basis |
Personal Data Regarding Customers |
10 years after the termination of the legal relationship; 3 years according to Law No. 6563 and related secondary legislation |
Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 |
Personal Data Regarding Business Solution Partners / Suppliers |
10 years after the termination of the legal relationship |
Law No. 6102, Law No. 6098, Law No. 213 |
CV and Personal Information Obtained During Job Application |
2 years |
Contacting Past Applicants About New Positions |
Personal Data Regarding Online Customers |
10 years after the termination of the legal relationship; 3 years according to Law No. 6563 and related secondary legislation |
Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 |
Personal Data Regarding Potential Customers |
1 year |
Retrospective Analysis |
Personal Data Regarding Visitors (Camera Records) |
3 months |
Ensuring Security |
Personal Data Regarding Online Visitors |
2 years |
Law No. 5651 |
All Records Regarding Accounting and Financial Transactions |
10 years |
Law No. 6098 |
i. Profiling and Segmentation The Company, using the personal data it processes for Customer and Online Customers, engages in profiling and segmentation to: i. Customize content, advertisements, promotions, and discounts based on the preferences of Customers and Online Customers who have granted permission for commercial electronic messaging. ii. Perform profiling and segmentation for Customers and Online Customers who have not given consent for commercial electronic messaging, including: • Improving products based on customer preferences, complaints, and suggestions (updating the product catalog by identifying the most and least preferred products), • Organizing special campaigns for customers with a high potential to purchase a product using models created as a result of the analysis of customer product preferences, • Conducting efforts to increase the popularity of products, • Personal data of Customers and Online Customers is not used directly in profiling and segmentation studies; instead, transactions are carried out through unique customer numbers assigned to each member. This ensures the protection of personal data, and these customer numbers are only accessible to the relevant individuals or departments within the scope of the "Need to Know" principle.
j. Rights of Data Subjects and How to Exercise Them The rights of data subjects under Article 11 of the Law are as follows: (1) Learn whether personal data is being processed, (2) Request information if personal data has been processed, (3) Learn the purpose of processing personal data and whether they are used in accordance with their purpose, (4) Know the third parties to whom personal data is transferred domestically or abroad, (5) Request correction of personal data if it is incomplete or incorrect, (6) Request deletion or destruction of personal data within the framework of the conditions specified in Article 7 of the Law, (7) Request notification of third parties to whom personal data has been disclosed, in cases mentioned in paragraphs (d) and (e), (8) Object to the emergence of a result against the individual by analyzing processed data exclusively through automatic systems, (9) Request compensation for damages in case of harm due to the illegal processing of personal data. To exercise your rights regarding your personal data, you can use the "Personal Data Application Form" available on the Company's website [insert link], or you can perform necessary changes, updates, and/or deletions and submit relevant requests via the email address kvkk@babakamp.com.
PERSONAL DATA
STORAGE AND DESTRUCTION POLICY
The purpose of this Personal Data Storage and Destruction Policy ("Policy") is to determine the processing periods of personal data processed by Babakamp Turizm Tarım ve Ticaret Limited Şirketi ("Company"), with headquarters at Karaağaç Neighborhood, Karaağaç Street No:43 Fethiye, Muğla, with the Mersis number 0128047537700001, and to establish criteria and methods for the deletion, destruction, or anonymization of personal data whose processing period and/or processing purpose have ceased to exist.
This Policy also includes technical and administrative measures taken to ensure data security, as well as current provisions in relevant legislation, in accordance with Article 6 of the Regulation on Deletion, Destruction, or Anonymization of Personal Data, which came into effect on October 28, 2017. Additionally, the Policy takes into account the Guide on Deletion, Destruction, and Anonymization of Personal Data published by the Personal Data Protection Authority.
This Policy covers the processes of deletion, destruction, or anonymization of all personal data processed by the COMPANY as the "Data Controller," either entirely or partially automatically, or non-automatically as part of any data recording system, in electronic and/or paper format, in accordance with Article 7 of Law No. 6698 on the Protection of Personal Data.
The COMPANY processes personal data of employees, job applicants, employees' relatives, business partners, suppliers, visitors, and online visitors to carry out business processes and related activities performed by various departments within the company, in line with their job descriptions. These personal data are stored for the periods specified in the legislation or within the framework of the processing purpose determined by the relevant department. All these processes are included in the Personal Data Processing Inventory. When the relevant storage periods expire, personal data for which the processing purpose has ceased are destroyed using the deletion, destruction, or anonymization methods specified in this Policy.
The Company commits to taking all necessary technical and administrative measures to ensure the confidentiality, integrity, and security of your personal data. In this context, the Company takes measures to prevent the misuse, unlawful processing, unauthorized access, disclosure, alteration, or destruction of data. The Company implements the following technical and administrative measures to prevent the unlawful processing and access of personal data:
Anti-Virus: The Company has periodically updated anti-virus software installed on all PCs and servers in its information technology infrastructure.
Firewall: Data centers hosting the Company's servers are protected by periodically updated software firewalls. These new-generation firewalls control internet connections for all staff members, providing protection against viruses and similar threats.
VPN: Stores connect to server systems using IP-SEC VPN, ensuring encrypted transmission of traffic between two points.
Suppliers can access the Company's servers or systems via SSL-VPN defined on firewalls. Separate SSL-VPN definitions are made for each supplier, allowing them access only to the systems they need or are authorized to use.
User Identifications and Need to Know: The Company limits the permissions of its employees and store staff related to Company systems only to the extent necessary based on their job descriptions. In case of any changes in authorization and duties, system permissions are promptly updated.
Information Security Threat and Incident Management: Events occurring on the Company's servers and firewalls are transferred to the "Information Security Threat and Incident Management" system. This system warns responsible personnel in case of a security threat, enabling an immediate response to the threat.
Penetration Test: Periodically, a penetration test is manually conducted by an external company on the Company's system servers, computers, and a sample store. Security vulnerabilities identified during the test are closed, and a verification test is conducted to confirm that the relevant security vulnerabilities have been addressed. Additionally, an automatic penetration test is performed by the Information Security Threat and Incident Management system.
Phishing Email Tests: Regularly, phishing emails are sent to Company system users to increase awareness. Based on the results, users are assigned training through the Company User Portal.
Training Portal: The Training Portal is actively used to increase the awareness of Company employees about various information security breaches and minimize the impact of the human factor in information breach incidents. All employees have received Cyber Security and Information Security training online.
Clean Table & Clean Desk: According to internal rules, both central and store employees are obliged to adhere to the "clean table & clean desk" principle.
Others:
Despite all these technical and administrative measures taken by the Company, if personal data is damaged due to attacks on the website and/or system or if it falls into the hands of unauthorized persons, the Company will inform the relevant persons and the Personal Data Protection Authority as soon as possible, take all necessary corrective actions, and provide all necessary support for the investigation and prevention of the incident. This obligation will not be valid if the relevant personal data is anonymized and the anonymization process is successful.
Personal data for which the processing period has expired and/or the processing purpose no longer exists are deleted, destroyed, or anonymized by the methods specified in this Policy.
Deletion: Personal data are deleted from the Company's system by marking them as "deleted" on the database. Once deleted, personal data cannot be accessed or used by the relevant departments.
Destruction: Physical destruction is applied to personal data in paper format. The destruction process is carried out using a shredder machine that provides cross-cutting and disposes of the data in a way that it cannot be reconstructed.
Anonymization: Personal data that is anonymized is processed in a way that it cannot be associated with an identified or identifiable natural person, even through additional data. The anonymization process is carried out by the relevant department that processed the personal data.
Personal data are deleted, destroyed, or anonymized by the relevant department or data processor ex officio or upon the data subject's request within the periods specified in the legislation or within the framework of the processing purpose determined by the relevant department. To exercise the right to deletion, destruction, or anonymization, data subjects must submit their requests in writing to the Company's data controller, using the methods specified in Article 7 of the Policy on the Processing and Protection of Personal Data. The relevant department or data processor will fulfill the request as soon as possible and no later than 30 days.
This Policy enters into force on the date of approval by the COMPANY. The provisions of the Policy will be monitored and reviewed by the COMPANY annually. Necessary updates and changes will be made in case of changes in legislation, the processing of personal data, and technological developments.
For your questions and requests regarding the processing and protection of personal data, you can contact the Company using the following contact information:
Babakamp Tourism Agriculture and Trade Limited Company Karaağaç Mahallesi, Karaağaç Caddesi No:43 Fethiye, Muğla
Phone: +90 (252) 614 00 10
Email: info@babakamp.com.tr
Upon the Data Subject's Request When the data subject requests the deletion or destruction of their personal data by applying to the COMPANY: a) If all processing conditions of personal data have ceased to exist, the COMPANY deletes, destroys, or anonymizes the personal data subject to the request. The COMPANY concludes the deletion or destruction requests of the data subjects within "thirty days" at the latest. b) If all processing conditions of personal data have ceased to exist, and the personal data subject to the request has been transferred to third parties, the COMPANY notifies this situation to the third party and requests the deletion or destruction of the relevant personal data. If all processing conditions of personal data have not ceased to exist, this request may be rejected by the COMPANY with an explanation of the reasons, in accordance with the third paragraph of Article 13 of the Law on the Protection of Personal Data. The rejection response is communicated to the data subject in writing or electronically within "thirty days" at the latest.
The Company has the right to make updates to this Policy, revise the articles, and publish the revised version along with the revision and approval date.
Document Date Revision Date / Number
PERSONAL DATA APPLICATION FORM
UNDER THE LAW ON PROTECTION OF PERSONAL DATA
Individuals defined as relevant persons in Law No. 6698 on the Protection of Personal Data ("Law") have been granted specific rights regarding the processing of their personal data in Article 11 of the Law. In accordance with the first paragraph of Article 13 of the Law; applications related to these rights to the data controller, Babakamp Turizm Tarım ve Ticaret Limited Şirketi with central address at Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla, and Mersis number 0128047537700001 ("Company") must be submitted in writing or through other methods specified by the Personal Data Protection Board ("Board").
In this context, "written" applications to our Company must be submitted by taking the printout of this form, either in person by the applicant or through a notary, or by being signed by the applicant with the "secure electronic signature" defined in the Law No. 5070 on Electronic Signature and sent to our Company's registered email address. Below are the details regarding how written applications will be delivered to us in terms of specific information channels for written applications.
Application Method |
Address of Application |
Information to be Specified in Application |
Submission In Person |
Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla |
Write "Information Request Within the Scope of the Personal Data Protection Law" on the envelope. |
Notary Notification |
Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla |
Write "Information Request Within the Scope of the Personal Data Protection Law" on the notification envelope. |
Secure Electronic Signature |
kvkk@babakamp.com |
Write "Information Request Within the Scope of the Personal Data Protection Law" in the subject of the email. |
Applications submitted to us will be responded within thirty (30) days from the date the application reaches us, in accordance with the second paragraph of Article 13 of the Law, depending on the nature of the request. Our responses will be sent to the applicant in writing or electronically in accordance with the provision of Article 13 of the Law. If the request involves a cost, according to the "Communiqué on Application Procedures and Principles to the Data Controller" published by the Board; a processing fee of 1 Turkish Lira per page for each page exceeding ten pages; if the response to the application is provided on a recording medium such as a CD, flash drive, the cost of the recording medium may be requested by the data controller, provided that it does not exceed its cost.
I. Information for the Recognition of the Applicant and Communication Regarding the Application:
Full Name:
Turkish ID / Passport Number:
Address:
Phone Number:
Email Address:
II. Explanations about your relationship with our Company (e.g., candidate, employee, supplier, customer, visitor, etc.):
III. Please specify in detail your request under the Personal Data Protection Law, including the type of data you want information about, the transfer method, application, and process:
IV. Please choose the notification management for the response to your application
I want it to be sent to my address.
I want it to be sent to my email address.
I want to receive it in person. (If received on behalf of someone else, a notarized power of attorney or authorization document is required.)
V. Explanations: This application form is prepared to determine your relationship with our Company, identify your personal data processed by our Company, and respond correctly and within the legal period to your relevant application. In order to eliminate legal risks that may arise from unauthorized and unlawful data sharing, especially for the security of your personal data, our Company reserves the right to request additional documents and information (such as a copy of an ID card or driver's license) for identity and authorization verification. Our Company does not accept responsibility for requests arising from incorrect information or unauthorized applications. The personal data you share in this form will be processed limited to the purposes of evaluating, finalizing your application under the Law, managing the entire relevant process, and communicating with you for these purposes. Your request may be transferred to our lawyers, business partners providing services in complaint management, quality control, auditing, and risk analysis fields, and service providers, as well as legally authorized public institutions and private individuals, depending on the nature of the request.
VI. Declaration: I request that my application made under the Personal Data Protection Law be concluded within the framework specified above. I acknowledge, declare, and undertake that the information and documents I have provided in this form are correct, up-to-date, and belong to me.
Name:
Date:
Signature:
CLARIFICATION/INFORMATION FORM FOR
PERSONAL DATA PROCESSING (ALL CANDIDATE CUSTOMERS)
In accordance with the Law on the Protection of Personal Data No. 6698 ("Law"), your personal data is processed by Babakamp Turizm Tarım ve Ticaret Limited Şirketi ("Company"), with the central address at Karaağaç Mahallesi, Karaağaç Sokak No:43 Fethiye, Muğla, and Mersis number 0128047537700001, as the data controller, as explained below.
Our company processes personal data directly obtained from you, our customers, through the contract relationship between us, our website, our mobile applications, email, mail, fax, notifications from administrative and judicial authorities, and other communication channels, in audio, electronic, or written form, in accordance with the personal data processing conditions specified in the Law. The processing of your personal data is necessary for the performance of the contract relationship between us or directly related to our obligation arising from this contract, ensuring compliance with legal obligations (such as approval and registration processes for commercial electronic messages), and, where necessary, with your explicit consent.
Your personal data will be processed for purposes such as establishing a contractual relationship with you, managing all stages of this contract process, planning and executing end-to-end marketing processes, preparing and presenting the most suitable offers to you, ensuring information security and legal transaction security, and conducting activities in compliance with the legislation. Other purposes include managing communication activities, ensuring the accuracy of your data, conducting statistical evaluations and market research, managing customer relationship processes, conducting activities for customer satisfaction, conducting marketing processes for products/services, managing risk management processes, and organizing and managing events.
Our company processes your personal data with due care, in accordance with the principles of "need to know" and "need to use," ensuring the necessary data minimization and taking the required technical and administrative security measures. Due to the necessity of continuous data flow with different stakeholders for the conduct and supervision of business activities, maintenance of business continuity, and operation of digital infrastructures, we are obliged to transfer processed personal data to third parties for specific purposes. Additionally, working with various business partners and service providers is necessary for fulfilling contractual and legal obligations and ensuring the accuracy and currency of your personal data. Your personal data, within the framework of the purposes mentioned above and limited to the fulfillment of these purposes, may be transferred to our service providers who provide our information technology infrastructure, our solution partners in communication and electronic communication, our service providers and business partners for communication based on customer preferences, Trade Ministry and its authorized company in terms of registration in the message management system (IYS) context, authorized commercial message infrastructure provider for message transmission, our business partners, consultants, and service providers for managing financial processes, detecting and evaluating risks, preventing fraud, our business partners in the field of organization and events, our business partners in quality control, complaint management, and risk analysis services, lawyers, auditors, and experts to fulfill legal obligations, and regulatory and supervisory authorities, courts, and execution offices, as limited to these purposes.
As the data subject whose personal data is processed, you may contact kvkk@babakamp.com or use the form available at www.babakamp.com/kvkk to exercise your rights under Article 11 of the Law, including the right to learn about the processing of personal data, request information about the processing, learn the purpose of processing, know the recipients of transfers, request correction of incomplete or incorrect processing, request deletion or destruction, object to automated decision-making, and request compensation for damages.