Policy For The Protection And Processing Of Personal Data

1. Objective

The objective of this Policy is:

• To describe the methods adopted for the protection of personal data and personal data processing activities in compliance with the Personal Data Protection Law No. 6698 (“the PDPL”) in all kinds of activities carried out by Anarat Hotel (Toros Turizm İşletmeleri ve Yatırımları A.Ş.) (“the Firm”), and

• To ensure transparency by informing all persons whose personal data are processed by the Firm, particularly the Firm’s administrative officials, personnel, customers, personnel candidates, suppliers, visitors, the employees of the entities the Firm cooperates with and third parties about the principles adopted and the systems established by the Firm for the protection of personal data.

2. Scope

This Policy covers all personal data which pertain to the persons whose personal data are processed automatically or non-automatically -provided that they constitute a part of any data recording system- by the Firm in the Firm’s processes, particularly the personal data of the Firm’s administrative officials, personnel, customers, personnel candidates, suppliers, visitors, the employees of the entities the Firm cooperates with and third parties.

3. Authorities and Responsibilities

In the fulfillment of the requirements regarding the destruction of data as specified by the Law, the Regulation and the Policy within the Firm; all employees, outsourced service providers and everyone storing and processing personal data in another way at the entity are responsible for the fulfillment of these requirements.

4. Definitions and Abbreviations

• Firm: Anarat Hotel (Toros Turizm İşletmeleri ve Yatırımları A.Ş.)

• Explicit Consent: Consent which is related to a specific matter, based on information and expressed with free will.

• Destruction: Erasure, destruction or anonymization of personal data.

• Law/PDPL: The Personal Data Protection Law No. 6698.

• Personal Data: All kinds of information related to an identified or identifiable natural person.

• Data Subject/Relevant Person: A natural person whose personal data is processed.

• Data Controller: A natural or legal person who determines the processing purposes and means of personal data.

5. Policy for the Protection and Processing of Personal Data

By the Policy, the Firm sets forth concretely the measures necessary for and the processes applied to the protection and processing of personal data. The Firm acknowledges that it shall comply with the legislation in force, in cases where there is an inconsistency between this Policy and the relevant laws and by-laws.

5.1.1. Ensuring the security of personal data

The Firm takes all kinds of technical and administrative measures necessary to ensure the appropriate level of security required for the protection of personal data, including:

• Preventing unlawful processing of personal data,

• Preventing unlawful access to personal data,

• Ensuring protection of personal data.

5.1.2. Administrative Measures

The Firm employs knowledgeable persons and provides its personnel with the necessary information security awareness. Employees are informed that they shall not disclose accessed personal data in violation of the PDPL, even after they leave the office.

5.1.3. Technical Measures

The Firm ensures the installation of software and hardware containing anti-virus systems and firewalls. Physical spaces storing personal data are protected against theft, loss, and external risks (fire, flood, etc.). Passwords for systems are generated through complex algorithms.

5.1.7. Measures implemented for the protection of special categories of personal data

The Firm takes the measures necessary in the protection of "special categories of personal data" (health, religion, ethnicity, etc.) as determined by the PDPL. Sensitivity is shown in technical and administrative measures for these data.

5.2. Principles for the processing of personal data

The Firm processes personal data in compliance with:

• Lawfulness and good faith.

• Accuracy and up-to-dateness.

• Specific, clear, and legitimate purposes.

• Proportionality and limitation to the purpose.

• Retention for the period stipulated by legislation.

5.6. Transfer of personal data to the persons abroad

The Firm does not transfer personal data to foreign countries in any way and does not keep personal data on the servers held in foreign countries.

5.7. Rights of personal data subjects

Data subjects have the right to learn if their data is processed, request information, request rectification, erasure, or destruction of their data.

• Data controller: Anarat Hotel (Toros Turizm İşletmeleri ve Yatırımları A.Ş.)

• Data controller’s contact person: IT Personnel

5.9. Conditions for the erasure, destruction and anonymization of personal data

The personal data obtained by the Firm will be erased, destroyed or anonymized in line with the requests of the data subjects or when legal processing requirements cease to exist.

Release Date: 28.08.2020

Date of Update: 01.02.2021