+90 242 710 2100 Reserve
  • Home
  • Accomodation
  • Restaurants & Bars
  • Children Club
  • Activities
  • Spa & Wellness
  • Mice & Sports
  • Zoo & Horse Club
  • Contact




This Personal Data Processing Policy has been aimed at defining the methods and principles to be observed by Çalışkan Kardeşler Turizm İşletmeleri A.Ş. Bellis Deluxe Hotel A.Ş. (“COMPANY” in short) as the data controller in processing the personal data that the COMPANY maintains pursuant to the Personal Data Protection Act no 6698 and the other legislation.



The personal data of our employees, candidate employees, visitors and all natural persons whose personal data is being kept by the COMPANY for any reason whatsoever has been managed according to the laws within the framework of this Personal Data Processing Policy.



Law/KVKK: Personal Data Protection Law no 6698, dated 24/3/2016.

Board/Agency: Personal Data Protection Board/Personal Data Protection Agency.

Personal Data: All kinds of data in relation to a natural person with specific or specifiable identity.

Related Person: The person whose personal data is being processed.

Express Consent: Informed consent given with free will for a certain subject.

Anonymization: Rendering personal data such that it becomes impossible to relate it to a natural person with a specific or specifiable identity in any way even if by way of matching with other data.

Deletion of Personal Data: Deletion of personal data; making personal data inaccessible and non-reusable in any way by the users.

Destruction of Personal Data: Making personal data inaccessible, non-retrievable and non-reusable in any way by any person.

Processing of Personal Data: All kinds of processing performed on personal data such as obtaining personal data by partly or entirely automatic means or by non-automatic means which has to be part of a data recording system, recording, storing, protecting, changing, reorganizing, clarifying, transferring, taking over, rendering accessible, classifying or preventing personal data from use.

Data processor: Natural or legal person who processes personal data on behalf of a data controller on the basis of the authorization given by the latter.

Data controller: Natural or legal person who defines the purposes and means of personal data processing and is responsible for establishing and managing the data recording system.

Sensitive Personal Data: Data about people’s race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, appearance, membership of societies, foundations or unions, health, sexual life, criminal conviction and security measures and biometric and genetic data.

Clarification Obligation: During the collection of personal data, the data controller or its authorized representative gives information to the related people about the identity of the data controller or its authorized representative, the purpose of processing personal data, the reason why and the persons to whom the processed data may be transferred, the method and the legal basis of collecting personal data, other rights as listed in article 11 of the Law.

SEDNA: The Front office, accounting and purchasing Automation System where the information about visitors is saved.

Destruction Policy: The policy on which data controllers base themselves when determining the maximum period for the purpose-related processing of personal data and for deleting, destroying and anonymizing such data.

Recording Environment: All kinds of electronic environment for saving personal data which is obtained by partly or entirely automatic means or by non-automatic means which has to be part of a data recording system.

Netahsilat: Online payment system.

Company: Çalışkan Kardeşler Turizm İşletmeleri A.Ş. Bellis Deluxe Hotel A.Ş.







Personal data processing is performed in two different ways.

Processing data by totally or partly automated means; Includes receiving, collecting and storing data, taking photographs, making sound and video records, organizing, storing, altering, restoring, recovering and clarifying data in relation to the related persons or third parties specified in this policy in order to transfer, distribute or present in different ways, group and combine, block, delete or destroy the data.

Processing/obtaining data by non-automatic means; Includes storing, saving, maintaining, altering, reorganizing, clarifying, transferring, transferring to abroad, taking over, making available, classifying or preventing the use of data on the condition of being a part of some kind of recording system.




Fundamentals of Data Processing



  1. Providing and/or implementing a service targeted at the related person,
  2. Data processing being compulsory for purposes of protecting the lawful rights of the COMPANY and/or the third persons,
  3. Fulfilling the legal responsibilities of the COMPANY,
  4. Processing the personal data of the related person being necessary on the condition of a having a direct relation with the establishment and execution of a contract between the related person and the COMPANY,
  5. Data processing being compulsory for establishing, exercising and using a certain right,
  6. Other considerations to which the related person gives express consent,
  7. Other considerations expressly stated in the legislation.





Purposes of Data Processing

Third parties that process the personal data shared upon the consent of the COMPANY and/or the related persons may process the personal data of the related person or of the persons under the guardianship of the related person for the below listed purposes.

  1. Providing the accommodation services as declared, providing and performing better and more reliable services for the guests, 
  2. The COMPANY uses Netahsilat online system for receiving online payments and collecting money. Using guest information (name surname, date of birth, e-mail address, telephone number and credit card) for these transactions, doing information search and survey assessments, providing planning, statistics, archiving and storage services, doing guest satisfaction work,
  3. The necessity of controlling the accommodation history and/or behavioral patterns of the related person for optimizing and improving COMPANY services,
  4. The COMPANY’s ability to offer a new and/or additional service or non-service product,
  5. Changing the current conditions of a service already being offered by the COMPANY, 
  6. Statistical data analysis performed by the COMPANY, preparing and presenting various reports, researches and/or presentations,
  7. Ensuring security as well as identifying and/or preventing abuse and other criminal activities,
  8. Responding to the complaints, questions and demands of the related person,
  9. Verifying the credentials of the related person,
  10. Performing promotion, marketing and campaign activities in relation to the accommodation service,
  11. Fulfilling the other purposes suggested in the national and international laws and legislation.


Processing, Transferring and Clarifying the Data

The COMPANY has been fulfilling the liabilities imposed by the related legislation and board resolutions in association with the procedures of processing, transferring or clarifying of personal data. In line with the purposes defined in this policy, in order to process, transfer and/or clarify all kinds of information depending on the content and variety of the accommodation service provided by the COMPANY, personal data of the related person and of the persons accompanying the related person the accommodation service purchase period, including but not limited do the below listed data, is being used; name and surname of the related person, personal identification number and/or the specific feature of the identity card, the registered address and/or residence address, telephone/mobile phone number, E-mail address, information about the employer, information about employment conditions (place of work, salary, working hours, etc.), activities of the related person or the third person designated by the same when using various electronic channels and/or the internet (including but not limited to web cookies etc) and when using the above listed channels (including but not limited to the verification of these channels, performed transactions or the history of transactions).




Processing the Data of Applicants or the Employees 



In the job application process, collecting information from the third parties in relation to the applicant is done within the frame of the provisions in the Personal Data Protection Act no 6698.

Express consent of the applicant is required for processing the personal data which is related to the business relations but is not an integral part of the execution of the service contract.




Transferring Data to/from and Sharing Data with Third Parties

This policy is transferred to/shared with the related person and/or the third parties designated by the related person within the frame of data processing in order for the COMPANY to give services to the related person. The related person grants the COMPANY the right to obtain, save, store, maintain, alter, reorganize, clarify, transfer, take over, make available, classify and use personal data by all departments, internet, call centers, public institutions and organizations and the parties and suppliers from whom services are purchased as the supplement or extension of COMPANY activities by using means that is totally or partly automatic or that is non-automatic but is part of some kind of recording system.


Responsibility of Data Controller and Data Processor 



  1. Personal data is being processed in accordance with the principles stipulated in the legislation. 
  2. Express consent is obtained from the related person, after having given information and made clarifications as necessary.


Data controller sends feedback to the related person as soon as possible and within 30 days at the latest if the related person makes a demand about the information related to his/her own personal data or a complaint or statement is received with respect to the conformance of the data controller to the legislative obligations.


Also if, during the data processing one of the parties represents the data processor and the other the data controller, data processor fulfils the following liabilities. The data processor is responsible for doing the following;

  1. Processes the data sent/disclosed by the other party in accordance to the extent and scope as defined in the provisions of this policy and permitted by the legislation; or upon the demand of a regulatory authority,
  2. Implements all reasonable technical and administrative measures and takes all necessary actions in order to prevent unauthorized processing of the data sent/disclosed by the data controller and the loss, destruction, damaging, unauthorized alteration and disclosure of the same and informs the data controller about all measures taken in this respect,
  3. The COMPANY, working through its authorized personnel, inspects the data security measures and applications implemented by the data processor, 
  4. Makes cooperation and gives support in relation to the investigation of a complaint or statement sent/disclosed by the COMPANY including the following, 
  5. Provides the COMPANY, within 7 work days after the date of request, detailed information in relation to the complaint and statement involving the personal data (also electronic data) of the related person that was sent/disclosed by the data controller to the data processor, 
  6. Prevents any form of data transfer by the data processor to a country and/or an international organization which is not a part of the European Economic Area and not listed as one of the countries which are qualified for personal data protection or is not allowed by the related person or the Personal Data Protection Board for being transferred to,
  7. Does not transfer/disclose data to third parties without having prior express consent of the COMPANY in writing,
  8. Even in cases where the COMPANY has given prior express consent in writing; the data processor is liable for transferring/disclosing data pursuant to a written contract. In the said written contract, the third party and its subcontractors are responsible for taking all kinds of technical and administrative measures in order to prevent unauthorized processing of the data and the loss, destruction, damaging, unauthorized alteration and disclosure of the same. 
  9. Compensating all the loss/damage incurred by the COMPANY when the data processor fails to take or fully implement the required actions (as stipulated in the policy and the legislation). Data processor gives express consent and agrees with the data controller to indemnify the loss and compensate the damages when, as a result of any violation of the data processor, the COMPANY incurs some kind of loss/damage (including but not limited to consequential loss), receives complaints, pays costs (including but not limited to the costs incurred when the COMPANY exercises its legal rights), is subjected to legal actions and other liabilities. 
  10. Unless stated otherwise in the contract executed between the COMPANY and the data processor, and upon termination of the contractual relation between the COMPANY and the data processor, the data processor shall be responsible for returning all data (including personal data) transferred/disclosed by the COMPANY, taking all kinds of measures to prevent third parties having unauthorized access to the data, destroying the personal data transferred/disclosed by the COMPANY and giving feedback to the COMPANY confirming that such action has been taken.


Updating and Processing Data, Period of Retention and Data Destruction 



A matrix system for authorization and control of access is in use. Related users for each piece of personal data are identified, authorization and methods of access, retrieval and reuse for the related users are defined, authorization and methods of access, retrieval and reuse for the related users are updated, cancelled or removed in cases such as service contract termination or change of position.

In cases when the period of time stipulated in the legislation for the retention of said personal data has expired or when no period of time has been stated in the legislation regarding the retention of said data, such data is deleted, destroyed or anonymized by the data controller every 10 years.



The office files saved in the central server are deleted by way of the delete command in the operating system of the file or users are denied the right of access to the file or to the directory of the file.


The use of memory sticks has been limited to authorized people. The database where personal data is saved is protected using degrees of authorization and deletion may only be made by authorized people. Execution of this operation depends on whether the related user is also a database administrator.


Deletion of personal data is the operation with which personal data is rendered inaccessible, irretrievable and non-reusable by anyone in any way whatsoever. The COMPANY as the data controller takes all kinds of necessary technical and administrative measures in relation to the destruction of personal data. For the purpose of destroying personal data, all copies containing the data are identified and the systems on which the data is located are physically destroyed by way of melting, burning or pulverizing the optical media and magnetic media. Data is rendered inaccessible by way of melting, burning or pulverizing the magnetic media or by passing it through a metal crusher. 


Network devices (switch, router etc.) are deleted by delete command, mobile telephones (sim card and memory areas); permanent memory areas of portable smart phones are deleted by delete command or physical destruction methods, data storage media such as optic disks; CD, DVD are destroyed by physical destruction methods such as burning, breaking to pieces, and melting. As for the personal data saved in devices which have been broken down or sent for maintenance, the data storage media is removed and retained and the rest of the defective device is delivered to the third parties such as producer, seller or technical service. External personnel who are here to provide repair and maintenance services are prevented from copying personal data and taking it outside the agency by putting the necessary measures in place. Confidentiality agreements have been signed with the related maintenance companies.

Anonymization is the process with which all direct and/or indirect identifiers in a data set are deleted or modified, making it impossible to specify the identity of the related person or making the person lose the capacity to be distinguished in a group/crowd by becoming unassociatable to a natural person. The purpose of anonymization is to break the connection between the data and the person identified by such data. Data is anonymized by selecting a suitable method for the related data from among such disconnection operations as automatic or non-automatic grouping, masking, deriving, generalizing, randomizing, all of which are applicable to the records in the data recording system where the personal data is stored. 

Rights of the Related Person 

Every related person has the right to learn whether the personal data has been processed or not, request related information if the personal data has been processed, know about the purpose of the personal data and whether the data has been used for the intended purpose, know about the third persons within or outside the country to whom the personal data has been transferred, ask for the correction of any incomplete or incorrect processing of the personal data, ask for the deletion or destruction of the personal data, ask for notification as to whether the personal data has been transferred to third persons within or outside the country, raise objection to any results occurring against the person him/herself when the processed data is analysed only by means of automatic systems, ask for the compensation of any damage that the person might have incurred because of the illegal processing of personal data.


Confidentiality of Data Processing 




Data Processing Security 

Personal data is secured against unauthorized access, illegal data processing and disclosure and accidental loss, alteration or destruction of data. Data is under protection whether processed by electronic media or on paper. For the purpose of taking technical and administrative measures with regard to the protection of personal data, new and advanced data processing methods and information technology systems are being followed up.


Data Protection Control

Conformance to this Data Protection Policy and to the related data protection laws is regularly monitored by the authorized people employed in the related COMPANY departments. Personal data protection agency has been entitled to personally inspect the conformance of the COMPANY, its partnerships and/or subsidiaries to the provisions in this policy as permitted by the national laws.



When the related person submits a written request to the Data Controller in relation to the application of this policy and the Personal Data Protection Law, Data Controller responds the request free of charge as soon as possible and within 30 days at the latest depending on the nature of the request in the application. However, if an additional cost is incurred due to the procedure, a fee is charged as stated in the tariff issued by the Personal Data Protection Agency.



© 2020 Bellis Deluxe Hotel. All rights reserved.
powered by 13/21