As InterContinental Istanbul, we attach great importance to the privacy and safety of your personal data. In this context, we would like to inform you on how we process the personal data belonging to our guests, suppliers, business partners, their employees and authorities, and all other third parties, as well as for what purposes we use this information, and how we protect it.
All concepts and expressions used in this statement shall have the meaning attributed to them in Law No. 6698 on the Protection of Personal Data (“ KVKK“) and relevant regulations. The term “you” in this statement refers to your party. The term “personal data” has been used in this document to also include personal data of special nature. Please see Appendix – Abbreviations for a full list of meanings expressed by the terms and abbreviations used in the Policy.
We would like to remind you that if you do not accept the terms of this statement, you should not convey any personal data to us. If you prefer not to convey any personal data to us, it may not be possible for us at times to provide you with services and respond to your requests, or we may not guarantee the full functionality of the services we offer to you.
We would like to remind you that it is your responsibility to ensure that the personal data you provide to our Company is accurate, complete, and up to date. Beyond that, if you share the personal data of other persons with us, it shall also be incumbent upon you to gather this information in accordance with all legal obligations in your locality. This shall mean that you have obtained the consent of the third parties in question as regards our gathering, processing, using and disclosing their personal data, and our Company shall not be held liable in this respect.
ABOUT INTERCONTINENTAL ISTANBUL
InterContinental Istanbul is operated by Kassanov Hotel Management and Tourism Inc. under the IHG Hotels Limited license, and provides accommodation and catering services in the hospitality industry.
The expressions “ we” or “ Company” or “ InterContinental Istanbul” refer to the personal data processing activities of the Data Controller, Kassanov Hotel Management and Tourism Inc. (“ InterContinental Istanbul“), which is registered with the number 51695-5 at Istanbul Trade Register and operates at the address, Gümüşsuyu Mah. Asker Ocağı Cad. No:1 Beyoğlu/İstanbul, as a member of the InterContinental Hotels Group PLC (“ IHG Group“) headquartered in England.
OUR PRINCIPLES FOR PROCESSING PERSONAL DATA
All personal data processed by our Company are processed in accordance with KVKK and relevant regulations. As per Article 4 of KVKK, the following are the fundamental principles we uphold when processing your personal data:
DATA SUBJECT CATEGORIES
The following are the categories of data subjects, except for the employees whose data is processed by our Company (including interns and employees of subcontractors). We have a separate, internal policy for processing the personal data of our employees. Those who fall outside the scope of the categories listed below can also send us requests as per KVKK; their requests shall also be evaluated.
| RELEVANT PERSON CATEGORY | EXPLANATION |
|---|---|
| Customer | Real and/or legal persons (such as agencies or other hotels) staying at our hotel and/or benefiting from the services we offer |
| Potential Customer | Real or legal persons that have stayed at our hotel and/or have taken an initiative to or shown interest in benefiting from our services, or are considered, in conformity with rules of bona fides, to have such an interest |
| Visitor | Real persons who entered the physical premises (offices etc.) of our Company on the occasion of an event or for other purposes, or who visited our website |
| Third Person | Third-party real persons who are associated with the abovementioned real persons for the purposes of ensuring the commercial transactional safety between our Company and the abovementioned persons, protecting their rights, and achieving their interests (e.g. sureties, companions, family members and relatives) or all real persons whose personal data our Company has to process even though it is not explicitly stated in the Policy (e.g. former employees, suppliers of our suppliers) |
| Employee and Intern Candidates | Real persons who applied for a position at our Company or dropped their CVs or related information for our review |
| Group Company Employee | Employees and representatives of companies belonging to the IHG Group – headquartered in England – of which our Company is a member |
| Employees, Shareholders, Officials of the Institutions with Which We Cooperate | Real persons, including shareholders and officials, that work at organizations with which our Company has a business relationship (including, but not limited to, business partners and suppliers) |
WHEN DO WE COLLECT YOUR PERSONAL DATA?
We collect your personal data typically in the following situations:
We shall process the personal data we collect in the abovementioned situations only in accordance with this Statement.
WHICH TYPES OF PERSONAL DATA DO WE PROCESS ABOUT YOU?
The personal data we process about you varies depending on the nature of the business relationship between you and us (e.g. customer, supplier, business partner etc.) and on the means of communication you choose to contact us (e.g. phone, email, written document etc.).
Basically, we process your information when you contact us via phone or email to make a reservation at our hotel; when you stay at our hotel; when you receive services such as parking, fitness, massage, pool access etc.; when you attend events held at our hotel; when you participate in surveys we hold or interact with us in any other way. In this context, the personal data we process about you can be broken down into the categories:
| Data categories | Examples |
|---|---|
| ID information | Information found of ID documents such as name, surname, title, date of birth etc. |
| Contact information | Email, phone number, address |
| Pictures and/or videos that can identify you | Pictures, videos and audio that is processed when you visit our Company or when you attend an event organized by our Company, for reasons of security |
| Financial data | Bank account data, invoice information, credit card information |
| Any other information you voluntarily decide to share with InterContinental Istanbul | Personal data you share with us of your own accord (personal data you convey to us in order for your secretarial requests to be met), feedback, opinion, requests, complaints, assessments, and comments that you share with us, and our evaluations regarding the same, as well as uploaded files, fields of interest, and information shared with us for our detailed review before we establish a business relationship with you |
| Electronic data collected automatically | We may also collect electronic data that is sent to us by your computer, smartphone, or other device when you visit or use our website, or interact with us through other electronic channels (e.g. device hardware model, IP address, operating system version and settings, your date and duration of using our digital channels or products, your actual location when you activate location-based products or features, the links you click, movement sensor data etc.) |
| Information on legal transaction and compliance | Your personal data, as well as audit and inspection data arising from our legal obligations, payment of our debt, identification of our legal receivables and rights, and need for compliance with our Company policies |
| Customer/Supplier data | Information obtained regarding data subject customers/suppliers or employees and signatories working for any customer/supplier as a result of the operations conducted by our business units, and information necessary for creating reservations for the restaurant, spa, fitness and other services |
| Management and security information | Information and assessments regarding events that have the potential to impact the employees, executives, or shareholders of our company, including license plates and vehicle information, travel and transport information, and facial composite information |
| Personal data collected from other sources | We may also collect your personal data from public databases, and using the methods and platforms with which our business partners collect data on our behalf, to the extent that is lawful as per existing laws and regulations. For instance, before we establish a business relationship with you, we may do research about you using public records in order to ensure the technical, administrative, and legal security of our commercial activities and transactions. In addition, it is also possible that the personal data of third parties might be conveyed to us through you (e.g. the personal data of any of your guests, sureties, companions, family members etc.). In order for us to manage our technical and administrative risks, we may process your personal data via methods that are used in accordance with generally accepted legal and commercial conventions and the principle of bona fides. |
PROCESSING THE PERSONAL DATA OF EMPLOYEE CANDIDATES
We process the personal data of Employee Candidates such as the schools they graduated from, prior business experiences, disability status etc. so that we can better understand their qualifications and evaluate their fitness for the vacant position, and in order to verify the accuracy of the information they have provided to us, do research about the candidate by contacting third parties, comply with the relevant regulations, and implement the recruitment rules and human resources policies of our Company.
The personal data of employee candidates is processed via the job application form found online; the electronic job application form of our Company; the applications submitted to our Company physically or via email, or through recruitment or consultancy firms; interviews conducted face-to-face or online, checks carried out about the employee candidate by our Company; and recruitment tests conducted by human resources experts in order to verify the fitness of the employee candidate for the vacant position.
When applying for a position, employee candidates are informed via a detailed disclosure statement – as per KVKK – before they share their personal data with us, and their explicit consent is sought for the processing of their personal data.
PROCESSING THE PERSONAL DATA OF VISITORS AT OUR HOTEL
Our Company processes the personal data of visitors to our hotel during their check-in and check-out processes, for the purposes of ensuring the physical safety of our Company, employees, and visitors, and monitoring compliance with workplace rules. In that regard, in order to monitor the visitor check-in/check-out activity, the name-surname and Turkish identification numbers of visitors are verified through their ID cards and noted down in the visitor book. In addition, visitors are given visitor cards in exchange for ID cards during their time at the hotel, and their ID cards are returned upon leaving.
The visitor is informed with a disclosure statement located at the security checkpoint before their personal data is collected and processed. However, since our company has a legitimate interest in this case, we do not seek the explicit consent of the visit as per Article 5/2/f of KVKK. This data is only kept in the physical visitor book and not transferred to another environment unless the Company’s security is under threat. However, this information can be utilized to prevent crime or ensure the security of the Company.
We make copies of the ID cards of the individuals who come to the hotel as visitors to our guests, and share them with legal authorities, in accordance with our legal obligations.
In addition, we provide internet connection to the visitors who request it throughout their visit in order to ensure their safety and for the purposes stated in the Policy. In this case, the log records for their internet access are recorded as stipulated by Law No. 5651 and relevant regulations; these records are shared only when requested by legal authorities, and processed only for the purpose of fulfilling our legal obligations during internal audit processes at our Company.
The log records made in this context can only be accessed by a select group of InterContinental employees. The Company employees who have access to the abovementioned records can only access them when responding to requests by public authorities or for use in internal audit processes.
PROCESSING PERSONAL DATA VIA CLOSED CIRCUIT CAMERA RECORDING
Security cameras are used to ensure the safety of our Company and hotel, which involves processing personal data. Our Company has the following purposes for its security camera monitoring: enhance the quality of the services on offer, ensure the physical and material safety of the individuals at our hotel and the premises within which our hotel is located, prevent misconduct, and protect the legitimate interests of data subjects.
The personal data processing activity conducted by our Company via security cameras, is being carried out in accordance with the Constitution, KVKK, Law No. 5188 on Special Security Services, and relevant regulations.
Our Company processes personal data in keeping with the purposes for which they are collected as per Article 4 of KVKK, and in a limited and measured manner. Individuals are never monitored in a way that pursues security goals at the expanse of infringing upon their privacy. In that regard, warning signs are placed in common halls where CCTV recording is conducted, and thereby informing data subjects. However, their explicit consent is not sought as the Company has a legitimate interest in preserving CCTV records. In addition, as per Article 12 of KVKK, we take all necessary technical and administrative measures to ensure the security of personal data obtained as a result of the CCTV monitoring activity.
In addition, a procedure has been prepared and implemented by our Company governing the locations where CCTV cameras are installed, the angles that the cameras monitor, and the time periods for which records are kept. This procedure is taken into account before CCTV cameras are installed. Installing cameras in a way that transcends the purpose of security and infringes upon the privacy of individuals is not allowed. Only select Company personnel can access CCTV recordings, and their authorizations are regularly reviewed. The personnel who can access these records sign a letter of undertaking, committing that they shall protect the personal data in a lawful manner.
Our Hotel conducts camera recordings with its 176 CCTV cameras in the hotel’s entrance and exit, the building’s exterior walls, guest and personnel common areas, parking lot, security control checkpoints, and guest & personnel joint floor corridors, in a bid to ensure the protection of the building. The recording process is monitored by the Security Department.
FOR WHICH PURPOSES DO WE USE YOUR PERSONAL DATA?
Our purposes for using your personal data vary depending on the nature of the business relationship between you and us (e.g. guest, customer, supplier, business partner etc.). The main purposes for which we process your personal data are listed below. Personal data processing activities regarding Employee Candidates are explained in the section above titled “The Processing of Personal Data Belonging to Employee Candidates”.
| Our Purposes for Processing Personal Data | Examples |
|---|---|
| Evaluating potential suppliers/business partners | Managing our assessments and conflict-of-interest evaluations as per our risk rules, and promoting the services provided by our hotel |
| Guest/Customer Establishing and managing relationships with guests and customers, and managing and closing out our contracts with our suppliers/business partners | Taking and closing out your reservations for your stay at InterContinental Istanbul, making your registration for your stay, creating your membership record for the IHG Group international chain, fulfilling your requests before and during your stay at our hotel, enabling you to benefit from the services we provide, creating the necessary health forms for you to benefit from services such as massage, skin care, Turkish bath, pool etc., fulfilling your requests for travel, airport welcome, and tours, responding to and resolving your complaints and demands quickly, taking your reservations for you to have an enjoyable time at our restaurants, providing food of your choice (vegan, vegetarian or other types), determining your room bill, organizing events such as seminars and conferences at our hotel, storing your lost belongings and delivering them to you, providing you with tailoring services, ensuring your security, managing the payment and invoicing processes related to your stay, making offers to our individual and group guests, carrying out the purchasing transactions for the services of our Company, tabling offers, supplying materials, invoicing, creating and executing contract, ensuring the legal transaction safety after the signing of the contract, continuously improving services, assessing new technologies and practices, determining and implementing the commercial and business strategies of our Company, managing operations (request, offer, assessment, order, budgeting, and contract) financial operations, managing financial matters, providing alternatives to real/legal persons with which we have a business relationship, organizing the business processes we conduct with agencies, reviewing the invoices and bills coming from outlets, managing the suppliers for events, providing laundry services to other hotels, meeting the secretarial needs and requests of guests, identifying the individuals who have the potential to harm others, procuring from the pharmacy the medication requested by guests, and creating attendee lists for events held at the hotel |
| Managing appropriate marketing processes | Sending marketing messages via email and phone regarding our services, conducting satisfaction surveys or evaluating your opinions, complaints and comments you post on social media, online platforms, or other venues, giving you feedback, informing our customers of what’s new about our company and of our campaigns, managing ad campaigns, and sending out ads and media bulletins |
| Communication and support (upon your request) | Responding to your queries for information about our services, providing support as regards requests coming through our channels of communication, and updating our records and database |
| Compliance with legal obligations | Managing taxation and insurance processes; fulfilling our legal obligations arising from Law No. 5651 and relevant regulations, Law No. 6563 on Regulation of Electronic Commerce and relevant regulations, Turkish Penal Code No. 5237, Law No. 6698 on Protection of Personal Data, and Identity Notification Law No. 1774; managing processes at public institutions; managing relevant processes within the context of compliance with the laws and regulations we are subject to regarding obligations to store records and to notify, compliance and audit, audits and inspections by authorities, following and concluding lawsuits, and disclosing data at the request of legal authorities; Creating emergency plans and risk documents as per the requirements specified in order to fulfill our legal obligations in accordance with the KVKK, in our dealings with regulatory institutions or as stipulated by existing regulations |
| Protecting the Company’s interests and security | Conducting the auditing activities necessary for protecting the interests of the Company, checking against conflicts of interest, ensuring the legal and commercial security of the persons that have a business relationship with our Company, storing CCTV recordings in order to protect the Company’s equipment and assets, taking the necessary technical and administrative security measures, carrying out the necessary efforts to improve the quality of the services we offer, implementing and monitoring the implementation of workplace rules, managing processes related to quality control, planning and executing social responsibility activities, protecting the commercial reputation of the IHG group companies and the credibility they inspire, reporting, dealing with, and taking measures against all incidents, accidents, complaints, theft etc. that take place on the hotel’s premises, declaring the rules that must be upheld in case of any emergency that might arise during repairs and maintenance, measuring the professional competence of contractors, regulating the check-ins and check-outs or company employees, carrying out quality inspections and fulfilling our legal obligations for reporting and other issues, evaluating the fitness of suppliers, reporting the incidents that take place at the hotel 24/7 in order to maintain security |
| Planning and executing the company’s commercial activities | Determining, planning, and implementing the short-term, medium-term, and long-term policies of the Company, determining and implementing the Company’s commercial and business strategies; conducting activities as regards communications, market research, social responsibility, purchasing, and customs, organizing the logistics of goods in free movement as part of export-import operations |
| Reporting and auditing | Ensuring communication with companies belonging to IHG group headquartered in England, conducting the internal auditing and reporting processes related to necessary business activities |
| Protecting rights and interests | Mounting legal defense against legal rights claims such as lawsuits, investigations etc. filed against our Company |
HOW DO WE USE YOUR PERSONAL DATA FOR MARKETING PURPOSES?
Since marketing activities are not considered among the exceptions regulated in Article 5/2 and 6/3 of KVKK, we seek your consent as a rule for processing your personal data for marketing purposes. Our Company may send you regular promotional messages regarding our products, services, events, campaigns, and promotions. Such promotional communications may be sent to you via email, mail, or social network belonging to third parties.
In order to provide you with the most effective and custom-made experience, these communications may be tailored to your preferences (for instance, when you tell us to send you messages in a particular manner, or as we find out from your visits to our websites and mobile sites, or based on the links you clicked in our emails).
We may pursue marketing activities for purposes such as presenting you with campaigns, advantages and other opportunities with your consent, sending you electronic commercial messages (such as ad campaigns, customer satisfaction surveys), sending you gifts and promotions, conducting corporate communications, events, and receptions, and related promotional activities.
When stipulated by existing regulations, we shall seek your consent before launching any such activity. In addition, you shall reserve the right to revoke (suspend) your consent any time you see fit. You may opt out of email and SMS messages and therefore stop all marketing communications by following the link embedded in each email and SMS.
You may contact us any time to ask us to stop sending you any marketing messages (you can find contact details in the section titled “What are Your Rights Regarding Your Personal Data?”).
FOR WHICH LEGAL REASONS DO WE PROCESS YOUR PERSONAL DATA?
We process your personal data in accordance with the legal reasons specified below, as per the Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedure Law No. 213, Article 5 of KVKK and relevant electronic commerce regulations:
| Legal Reason | Examples |
|---|---|
| We process your personal data by seeking your consent in cases where it is necessary as per KVKK and relevant regulations (We would like to remind you that you may always revoke your consent) | We seek your consent to conduct marketing activities. |
| Whenever existing regulations permit | Naming the relevant person on the invoice as per Article 230 of Tax Procedure Law |
| When it is necessary to protect the critical interests of a person | Transferring the medical data of a guest/employee that faints at a meeting to a physician |
| When we are obliged to enter into a contract with you, execute the contract, and fulfill our obligations arising from the contract | Obtaining the bank account information of a guest due to our contractual relationship with the said guest |
| Fulfilling our legal obligations | Fulfilling our tax obligations, and submitting to court information that is requested by a court order |
| When your personal data is made public by you | You sending us email for us to contact you, an employee candidate writing their information on a website that collects job applications, using information that you made public on social media and similar platforms |
| Our obligation to process data for establishing or protecting a right, using our legal rights, and mounting a defense against legal claims made against us | Storing and using when necessary documents that are in the form of proof/evidence |
| When our legitimate interests necessitate it so long as fundamental rights and freedoms are not violated | Ensuring the security of our company’s communications and information, managing the Company’s activities, identifying dubious transactions and researching them in compliance with our risk rules, benefiting from storage, maintenance, and support services in order to receive IT services, leveraging cloud technology in order to ensure the effectiveness of Company activities and benefit from technological developments |
We would like to underline that should you choose to revoke an explicit consent you provided to us, you shall be removed from the commercial membership program that requires the processing of personal data based on explicit consent, and you shall not be able to benefit from any advantages that necessitate this type of processing as of the day you revoke your consent.
WHEN DO WE SHARE YOUR PERSONAL DATA?
Domestic Transfer of Personal Data
Our Company is under the obligation of acting in accordance with the regulations, including KVKK, and decisions made by the Board. As a principle, the personal data and personal data of special nature belonging to data subjects cannot be shared by our Company with other real or legal persons without the explicit consent of these data subjects.
On the other hand, it is possible to share this data without explicit consent in situations specified in Article 5-6 of KVKK. Our Company may share personal data with third parties based in Turkey unless otherwise stipulated in the law or relevant regulations (or in a contract entered into with the data subject), so long as it complies with all the conditions specified in KVKK and other regulations and takes the necessary security measures outlined in regulations.
International Transfer of Personal Data
Just as our Company may transfer personal data to third parties in Turkey, it may also share it with international actors after processing it in Turkey or processing and storing it abroad, in accordance with the Law and relevant regulations and taking the necessary security precautions specified in the law. We transfer your personal data using cloud technology taking all necessary technical and administrative measures in the process. We do this to manage our Company’s activities in the most effective manner possible and to leverage existing technology.
As per Article 9 of KVKK, we seek the explicit consent of data subjects before transferring personal data internationally. However, as per Article 9/2/a of KVKK, if an exception listed in Article 5/2 or 6/3 of KVKK exists or
(a) sufficient protection is provided in the foreign country where the data is to be transferred,
(b) the controllers in Turkey and in the related foreign country guarantee sufficient protection in writing and the Board has authorized such transfer,
International transfer of personal data becomes possible without seeking explicit consent.
In that regard, in exceptional cases where explicit consent is not needed as per the law, our Company seeks to ensure that there is sufficient protection in the foreign country. The Personal Data Protection Board shall determine whether there is sufficient protection in the foreign country, and where sufficient protection is not provided, the controllers in Turkey and in the related foreign country shall guarantee sufficient protection in writing and the Board must authorize such transfer.
Please go to the link istanbul.intercontinental.com regarding the service providers that are based abroad and that we receive support from, as per the abovementioned provision.
Domestic and International Parties to Which Personal Data is Transferred
We share your personal data only in accordance with the following compulsory purposes. We take special care not to share your personal data otherwise. The parties with which we share personal data are listed below:
With that said, our general data sharing process with IHG Group hotels is carried out through financial reports that focus on company profitability and efficacy and do not contain any personal data. In some special cases, we may share personal data with IHG Group, rather than sharing anonymized data.
Your personal data which is being shared is processed only on the condition that your explicit marketing consent has been achieved, and that the data in question is used by the hotel you previously stayed in. You can access detailed information as to how your personal data is processed for marketing purposes in the Policy section titled “How Do We Use Your Personal for Marketing Purposes?”.
FOR HOW LONG DO WE STORE YOUR PERSONAL DATA?
We store your personal data solely for the purposes for which we collected them and for a period of time necessary to fulfill the said purposes. We determine these periods separately for each business process, and we destroy your personal data in accordance with KVKK if there are no other reasons for which we should keep them at the end of the process.
We take into account the following criteria when determining when do destroy your personal data:
HOW DO WE DESTROY YOUR PERSONAL DATA?
As per Article 138 of the Turkish Penal Code and Article 7 of KVKK, despite being processed under legal provisions and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon the disappearance of reasons which require the process.
In that regard, we have prepared a Policy on Storing and Destroying Personal Data. Our Company reserves the right to not honor the requests of the data subject in cases where we have a legal right and/or obligation to store personal data. When personal data is processed automatically – provided that it is part of a data recording system – we implement the procedure of physically destroying the data in a manner that ensures it can never be used again. When our Company cooperates with another person or entity to process personal data on its behalf, the personal data in question shall be deleted by this person or entity irrevocably. As per law, our Company may anonymize personal data when the reasons for which they were processed no longer apply.
METHODS OF DESTROYING PERSONAL DATA
Deleting Personal Data
Despite being processed in accordance with the law, personal data shall be erased by our Company ex officio or upon demand by the data subject, upon the disappearance of reasons which require the process. Deleting personal data refers to the process by which personal data can never be accessed or used again. Our Company takes all necessary technical and administrative measures to ensure that deleted personal data becomes inaccessible to users and cannot be used again for any purpose.
The Process of Deleting Personal Data
The process that must be followed while deleting personal data is as follows:
Methods of Deleting Personal Data
| Data Recording Medium | Explanation |
|---|---|
| Personal Data Found in Servers | For personal data found in servers whose period of storage has ended, the system administrator deactivates the right to access the data, and then deletes the data itself. |
| Personal Data Found in Electronic Media | Personal data found in electronic media whose period of storage has ended is rendered inaccessible and unusable to all employees (relevant users) other than the database administrator. |
| Personal Data Found in Physical Media | Personal data found in physical media whose period of storage has ended is rendered inaccessible and unusable to all employees other than the document archive administrator. In addition, documents are crossed out/painted/deleted line by line to ensure they are completely unintelligible. |
| Personal Data Found in Portable Media | Personal data kept in flash storage whose period of storage has ended is encrypted by the system administrator and stored in a secure environment, with only the system administrator authorized to access it using encryption keys. |
Since personal data can be stored in various recording media, they must be deleted using methods fit for the type of medium they are found in. The following examples illustrate this point:
Application-as-a-Service Cloud Solutions (Office 365, Salesforce, Dropbox etc.): In cloud systems, data should be deleted using the delete command. While carrying out this procedure, it must be ensured that the user does not have the ability to retrieve any deleted data.
Personal Data in Written Form: Personal data in written form should be obscured. Obscuring is done by shredding the paper if possible, and if not, painting the paper in indelible ink and thereby making it irrevocably unintelligible.
Office Files Found in a Central Server: The file should be deleted with the delete command in the operating system, or it should be rendered inaccessible by removing the users’ access to the index where the file or folder in question is located. While carrying out this procedure, it must be ensured that the user is not the system administrator.
Personal Data Found on Portable Media: Personal data found on portable media should be stored with encryption and deleted using software fit for use on this media.
Databases: The lines where personal data are found must be deleted with database commands (DELETE etc.). While carrying out this procedure, it must be ensured that the user is not the database administrator.
Destroying Personal Data
Despite being processed in accordance with the law, personal data shall be erased by our Company ex officio or upon demand by the data subject, upon the disappearance of reasons which require the process. Destroying personal data refers to the process by which personal data can never be accessed or used again. The data controller is obligated to take all technical and administrative measures with regard to destroying personal data.
| Data Recording Medium | Explanation |
|---|---|
| Personal Data Found in Physical Media | Personal data in written form whose period of storage has ended is irrevocably destroyed using shredders. |
| Personal Data Found in Optical/Magnetic Media | Personal data on optical or magnetic media whose period of storage has ended is destroyed by melting, burning, or grinding the media. In addition, magnetic media are put through a special device that exposes the media to extreme magnetic force, rendering any information that is on it inaccessible. |
Destroying Physically: Personal data can be processed automatically, provided that it is part of any data recording system. When personal data is processed automatically, we implement the procedure of physically destroying the data in a manner that ensures it can never be used again.
Deleting safely from software: While deleting and/or destroying personal data processed automatically or semi-automatically and stored in digital environments, we use methods that ensure personal data is irrevocably deleted from any relevant software.
Secure Data Deletion by Expert: In some cases, our company can cooperate with an expert for deleting personal data. In such cases, personal data are deleted/destroyed by the expert in a manner that renders the data irrevocable.
Obscuring: This refers to rendering personal data physically unintelligible.
Methods of Destroying Personal Data
In order to destroy personal data, it is necessary to find all copies of the said data and destroy them using one or more of the methods listed below, depending on the system in which the data is located:
Peripheral Systems: The methods of destruction that can be used depending on the type of medium/environment are found below: i) Network devices (switch, router etc.): The storage media found in these devices are fixed. Such products typically have a delete command but lack a destroy command. Personal data must be destroyed using one or more of the methods listed in (a). ii) Flash-based media: Personal data found on flash-based hard disks with interfaces such as ATA (SATA, PATA etc.) and SCSI (SCSI Express etc.) must be destroyed using the command if it is supported, and if not, one or more of the methods mentioned in (a), or the method of destroying data recommended by the manufacturer must be used. iii) Magnetic tape: This refers to media that carry data with micro magnets found on flexible tape. Personal data must be deleted using de-magnetization by exposing the media to highly magnetic environments, or by way of physically burning or melting the media. iv) Units such as magnetic disks: This refers to media that carries data using micro magnets found on flexible (plate) or fixed media. Personal data must be deleted using de-magnetization by exposing the media to highly magnetic environments, or by way of physically burning or melting the media. v) Mobile phones (SIM cards or fixed storage areas): There is a delete command in smartphones; however, there is no command to destroy. Personal data must be destroyed using one or more of the methods listed in (a). vi) Optical disks: this refers to data storage media such as CDs and DVDs. Personal data must be destroyed by physically burning, grinding, or melting the media. vii) Peripheral units such as printers, fingerprint-activated access gates whose data recording media are modular: Confirming that all data storage media are taken out of the relevant devices, personal data must be destroyed by using one or more of the methods listed in (a). viii) Peripheral units such as printers and fingerprint-activated access gates whose data storage media are fixed: There is a command to delete data in most such devices, but there isn’t a command to destroy data. Personal data must be destroyed using one or more of the methods mentioned in (a).
Paper and microfiche: Personal data on the said media must be destroyed by permanently destroying the media. While carrying out this procedure, the media must be shredded to pieces so small that they cannot be put back together by putting the media in a paper shredder, both horizontally and vertically, if possible. Personal data transferred to an electronic environment by scanning a paper document must be destroyed using one or more of the methods listed in (a).
Cloud Environment: Personal data must be encrypted in cloud systems, and encryption keys must be separate for each cloud solution procured for storing personal data. When the business relationship with a cloud provider ends, all copies of the encryption keys must be destroyed to render personal data inaccessible. In addition to the abovementioned environments, the destruction of personal data on devices that need repair or have been sent for maintenance is carried out as follows: i) destroying personal data found on a device using one or more of the methods mentioned in (a) before the said device is sent to third-party firms such as manufacturers, vendors, or service providers; ii) In cases where it is not possible or appropriate to destroy data, removing and storing the data storage media, and sending other parts to third-party firms such as manufacturers, vendors, and service providers, iii) taking the necessary measures to ensure that the technicians who come in to do maintenance work or repairs on the equipment are not able to copy personal data and transfer it outside the company.
Anonymizing Personal Data
Anonymizing personal data refers to the process by which personal data can never be associated with an identified or identifiable person, even by cross-referencing it with other sources of data. As per law, our Company may anonymize personal data when the reasons for which they were processed no longer apply. To verify that data is anonymized, it is necessary to ensure that data cannot be associated with an identified or identifiable person using any data storage methods, including the retrieval of the data by the data controller or recipient groups, and/or comparing the data with other data sources. Our company takes all technical and administrative measures with regard to anonymizing personal data.
As per Article 28 of KVKK, anonymized personal data can be processed for purposes such as research, planning, and statistics. Such processing is outside the scope of KVKK; therefore, the explicit consent of the data subject shall not be sought.
Methods of Anonymizing Personal Data
Anonymizing personal data refers to the process by which personal data can never be associated with an identified or identifiable person, even by cross-referencing it with other sources of data.
To verify that data is anonymized, it is necessary to ensure that data cannot be associated with an identified or identifiable person using any data storage methods, including the retrieval of the data by the data controller or recipient groups, and/or comparing the data with other data sources.
Anonymizing personal data refers to a process by which all direct and/or indirect identifiers in a dataset are taken out, thereby preventing the relevant person to be identified or to be singled out in a group or crowd. Data that does not point to a specific person as a result of the abovementioned procedure is considered anonymized. In other words, anonymized data is data that has lost its ability to identify a person, and its connection with the person has been severed. The purpose of anonymizing data is severing the connection between the data and the person that the data identifies. The methods to severe this connection, such as grouping, masking, deriving, generalizing, and randomizing – which are applied to the records kept in the data recording system housing the personal data in question – are called anonymization methods. The data that is processed with anonymization methods must have lost its ability to identify a person.
The following are examples of methods of anonymization:
Anonymization Techniques that Do Not Create Value Irregularity: When methods that do not introduce value irregularity are used for anonymization purposes, the values that the data in the cluster have are not subjected to any change, addition, or omission; instead, changes are introduced to entire rows and columns in the cluster. Therefore, while the data set at large is modified, the values located in the fields preserve their original state.
Removing Variables
This is an anonymization technique whereby one or more of the variables in a table are removed. This means removing all columns in the table. This method can be used on the grounds that the variable is a highly effective identifier, an alternative solution cannot be found, the variable is too sensitive to be made public, or it doesn’t serve analytical purposes.
Removing Records
This method involves removing a row that is unique in the dataset, which strengthens anonymization and reduces the possibility of generating extrapolations based on the dataset. In general, the records that are taken out are records that do not have common values with other records and that can easily be guessed by individuals familiar with the dataset. For instance, let’s say that only one person was included to represent an entire sector in a dataset that contains survey results. In this case, it might be preferable to remove the record referring to the individual, rather than removing the entire “sector” variable.
Local Suppression
The purpose of local suppression is to make the dataset more secure and reduce the risk of predictability. If the combination of values belonging to a record creates a rare situation, and this causes the likelihood of that person being singled out to rise, then the value that causes the rare situation is changed to “unknown”.
ç. Generalization
This refers to the process whereby a special value in the personal data is converted into a more generic value. This is the most frequently used technique when creating cumulative reports and in operations conducted over aggregate numbers. The new values show the aggregate values or statistics referring to a group that makes it impossible to identify a single person. For example, let’s say that a person with a Turkish identification number of 12345678901 purchased diapers from an e-commerce platform, and then purchased wet wipes. Using the generalization method, we can achieve a result that says xx% of the people who purchase diapers from the e-commerce platform also buy wet wipes.
Top and Bottom Limit Coding
The method of top and bottom limit coding is implemented by defining a category for a certain variable and combining the values that remain in the grouping created by this category. Generally, the lowest and highest values of a variable are brought together, and a new definition is made for these values.
Global Coding
Global coding is a grouping method used for datasets to which bottom and top coding cannot be applied or which don’t include numeric values or have values that cannot be listed numerically. Generally, it is used where certain values are grouped to facilitate making predictions and assumptions. A common and new group is formed for the selected values and all the records in the dataset are replaced with this new definition.
Sampling
In the sampling method, instead of the whole dataset, a subset taken from the dataset is disclosed and shared. In this way, as it is not known whether a person, who is known to be within the whole dataset, is found in the disclosed or shared sample subset, the risk of making accurate predictions on the persons is reduced. Simple statistical methods are used in the determination of the subset to be used for sampling. For example, if a dataset concerning the demographics, professions and health conditions of women living in Istanbul is disclosed or shared after anonymization, it may be meaningful to scan and make predictions from the dataset concerning a woman who is known to be living in Istanbul. However, if the data is disclosed or shared after anonymization by leaving only the records of the women whose registered province is Istanbul and removing the records of those who are registered in other provinces, since an intruder who has accessed the data cannot predict whether a woman, who is known to live in Istanbul, is registered in Istanbul or not, he/she will not be able to make accurate predictions about whether the information of the woman he/she knows is included in this body of data.
Anonymization Methods That Create Value Irregularity: In contravention to the abovementioned methods, in methods that create value irregularity, the current values are altered, and the values of the dataset are distorted. In this case, as the values of the records are changing, it is necessary to precisely calculate the benefit is expected to be obtained from the dataset. Although the values in the data set are indeed changing, it may still be possible to benefit from this body of data by protecting the overall statistics from being distorted.
Micro-aggregation
In this method, all the records in the dataset are first arranged in a meaningful order, and then the whole set is divided into a certain number of subsets. Afterward, the average value for the specified variable in each subset is calculated, and the value in the subset for that variable is replaced with the average value. Therefore, the average value of that variable valid for the whole dataset will not change.
Data Swapping
Data swapping refers to record alterations obtained by swapping the values of a subset of variables between selected pairs of records. This method is typically used for variables that can be categorized, and the main idea is to transform the database by swapping the values of the variables between the records of the individuals.
Adding Noise
In this method, additions and omissions are applied to ensure a determined level of distortion in a selected variable. This method is employed mostly for datasets that contain numerical values. Distortion is applied equally to each value.
Statistical Methods That Strengthen Anonymization
As a result of bringing some values of anonymized datasets together in unique scenarios, the possibility may emerge of being able to determine the identities of the people in the records or making assumptions concerning their personal data.
For this reason, the anonymization procedure may be strengthened by minimizing the uniqueness of the records within the dataset by applying various statistical methods to the anonymized datasets. The main objective of these techniques is to minimize the risk of disrupting anonymization while preserving, to a certain degree, the benefit to be obtained from the data set.
K-Anonymity
Being able to identify persons or predict information belonging to a certain person in the anonymized data sets when indirect identifiers fall together in the right combinations has called into question the reliability of anonymization processes. Therefore, the necessity arose of making the datasets anonymized by means of various statistical methods more reliable. K-anonymity has been developed to enable the definition of more than one person using certain fields in a dataset so as to prevent people who demonstrate individual characteristics in certain combinations from being exposed. In the event that there are more records than one regarding the combinations formed by gathering some of the variables in a dataset, the probability of identifying the persons that correspond to this combination is reduced.
L-Diversity
L-Diversity method, developed on the basis of the studies carried out on the deficiencies of K-anonymity, takes into account the diversity formed by the sensitive variables corresponding to the same variable combinations.
T-Closeness
Although the L-diversity method provides diversity in personal data, as the method does not care about the content and sensitivity levels of the personal data, there may be circumstances where it cannot provide sufficient protection. The anonymization of personal data in such a way by calculating the closeness levels of the values among them and dividing them into subclasses according to these closeness levels is called the method of T-closeness.
Choosing the Anonymization Method
Our Company decides on which of the abovementioned methods and techniques to use depending on the nature of the data on hand, and the following features and properties of the dataset that we own:
Nature of the data,
Data size,
Type of physical media used to store data,
Data diversity,
The benefit expected from the data / the purpose of processing the data,
The frequency of processing the data,
The reliability of the party to which data will be transferred,
Whether the effort to anonymize the data will be meaningful,
The scope of the impact that might occur if the anonymized nature of the data is harmed,
Distribution of the data,
Controlling the access of the users to the data, and
The probability that an individual may make a meaningful effort to prepare and launch an attack that will distort the anonymity of the data.
When anonymizing a body of data, our Company checks, through the agreements it strikes and the risk analyses it conducts, whether the anonymized data would regain its ability to identify a person when combined with information that is public or that is known to be at other companies that the company shares the data with.
Reliability of Anonymization
When making the decision to anonymize a set of personal data rather then deleting or destroying it, our Company takes into account the following points: Whether it would be possible that the anonymization of the data would be compromised when it is combined with another dataset, or it achieves a meaningful whole if multiple sources of data creates a unique case, or whether values come together to enable assumptions to be made and conclusions to be drawn. Our Company conducts regular checks as the aspects mentioned in this provision change, and ensures that anonymity is preserved.
Risks Pertaining to the Distortion of the Anonymity of Anonymized Data in a Reverse Procedure
Since the procedure of anonymization is applied to personal data and seeks to remove the identifying qualities of a dataset, there is the risk of reversing this procedure with various interventions, recovering the dataset’s ability to identify real persons. This is referred to as distortion of anonymity. Anonymization can be made manually, automatically, or featuring a mix between the two. However, what is important is that necessary measures must have been taken so that the users of the anonymized data that has been shared and disclosed are not able to harm the anonymity of the data in any shape or form. Intentional efforts to distort anonymity are called “attacks aimed at distorting anonymity”. In that regard, our Company does research on whether there is the risk of reversing the anonymity of a dataset and recovering its ability to identify a real person and takes action in accordance with the results of this research.
HOW DO WE PROTECT YOUR PERSONAL DATA?
As per the Personal Data Security Guide published by the KVK Institution in a bid to protect your personal data and prevent it from being accessed unlawfully, our Company takes all the necessary administrative and technical measures, carries out procedures internally, prepares disclosure statements and explicit consent forms, conducts or outsources the necessary audits to ensure compliance with KVKK provisions as per Article 12/3 of KVKK. The results of such audits are evaluated as part of the Company’s internal mechanisms, and necessary action is taken to improve the quality of the measures taken.
Your personal data shall be transferred to the physical archives and IT systems of our Company and/or our suppliers, and preserved in both digital and physical environments. The measures taken to ensure the safety of personal data are explained in great detail under two separate headings.
Technical Measures
In order to protect personal data, we use generally accepted technology standards and business safety methods, including the technology called Secure Socket Layer (SSL). However, information can be accessed by unauthorized persons over the Internet, without the necessary precautions in place. Depending on the state of the art in technology, associated costs, and the nature of the data to be protected, we take the necessary measures to prevent your personal data from being impacted by destruction, loss, tampering, unauthorized disclosure, or unauthorized access. In that respect, we enter into contracts with the service providers we work with regarding data safety. You can access more information on these service providers at istanbul.intercontinental.com.
If personal data is in an electronic environment, access may be restricted between network units, or they may be separated, in order to prevent security breaches. For instance, if personal data is processed in an area of the network demarcated for the purpose of processing data, then existing resources may be concentrated on securing this area, rather than the entirety of the network.
The physical paper documents that include personal data are stored in environments where they can be accessed only by the authorized personnel, thereby preventing unauthorized access.
If the personal data processed in compliance with article 12 of the Law is obtained by third persons through unlawful means, our company runs a system that ensures notification of such issue to the data subject and KVK Board as soon as possible. If it is deemed necessary by the KVK Board, this issue may be announced on the web site of the KVK Board or via any other means.
Administrative Measures
HOW DO WE PROTECT YOUR PERSONAL DATA OF SPECIAL NATURE?
A separate policy has been prepared and has entered into force regarding the processing and protection of personal data of special nature.
As per Article 6 of KVKK, personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature, as their unlawful processing can lead to grave injustices or discrimination. Therefore, the law stipulates a higher standard of protection for personal data of this type.
As per Article 10 of KVKK, our Company notifies Relevant Persons when collecting personal data of special nature. We process personal data of special nature by taking appropriate precautions as per KVKK, and conducting or commissioning necessary audits. Another categorical condition for processing personal data of special nature is the explicit consent of the data subject. Our Company allows data subjects to express their explicit consent regarding a specific topic, on the basis of being notified, and of their own free will.
Our Company seeks the written consent of Relevant Persons when processing personal data of special nature. However, as per Article 6/3 of KVKK, explicit consent is not sought if one of the conditions specified in Article 5/2 of KVKK is present. In addition, Article 6/3 of KVKK stipulates that personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any person or authorized public institutions and organizations that have confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing. Whatever the pretense, general data processing principles are taken into account in all relevant processes, and compliance with such principles is sought.
Our Company takes special measures to ensure the protection of personal data of special nature. As per the principle of data minimization, personal data of special nature is not collected unless necessary for the relevant business process, and such data is only processed where necessary. When personal data of special nature is processed, our Company takes all necessary technical and administrative precautions to comply with provisions specified by the KVK Board and other legal obligations.
WHAT ARE YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA?
As per Article 11 of KVKK, you as the data subject have the following rights with respect to your personal data:
You can convey your requests to our Company using one of the methods explained below, as per the Application Communique:
The application is required to have the following:
Name, surname, signature if the application is in written form, Turkish identification number for Turkish citizens, ethnicity, passport number and ID number (if possible) for foreigners, residency or business address, email address, phone and fax number if any, and the subject of application. The information and documents relevant to the application are also attached.
It is not possible for third persons to make applications on behalf of data subjects. In order for the data subject to make a personal data request with regard to another individual, the data subject must produce a power of attorney letter prepared for the concerned individual, notarized and carrying a wet signature. With regard to the application that you make in order to exercise your abovementioned rights as data subject, it is essential that you clearly explain your request, that your request concerns yourself or if you’re acting on behalf of another person, you are specially authorized to act on their behalf and you have documents to support your authorized status, that your application includes ID and address information, and that your application is supplemented with documents verifying your identity.
Your applications made according to this guide shall be finalized as soon as possible, and at most within 30 days. Such applications are made free of charge. However, in the event that this effort leads to an expense, you shall be charged according to the fees determined by the KVK Board.
Provided that you as data subject file a request with our Company with regard to your rights in line with the style and means of communication stipulated in the Law, your request shall be processed immediately and executed free of charge within thirty days, depending on the nature of the request. However, in the event that this effort leads to an expense, you shall be charged according to the fees determined by the KVK Board. Our Company might request information from the data subject in order to verify whether the applicant is indeed the data subject in question. Our Company might also pose questions to the data subject so as to clarify any points mentioned in the application.
As per Article 14 of KVKK, if the application is declined, the response is found unsatisfactory or the response is not given in due time, the data subject may file a complaint with the KVK Board within thirty days as of he learns about the response of the controller, or within sixty days as of the application date, in any case.
WHAT ARE THE CASES IN WHICH DATA SUBJECTS CANNOT EXERCISE THEIR RIGHTS?
As the following cases are exempted from the scope of the law pursuant to Article 28 of KVKK, data subjects are not entitled to exercise their rights:
Pursuant to Article28/2 of KVKK, data subjects are not entitled to exercise their rights in the following cases, except for the right to request compensation:
OTHER ISSUES
As explained in great detail above, your personal data shall be stored and preserved, classified with regard to market research, financial and operational processes, and marketing activities, updated in various periods, transferred to third persons and/or suppliers and/or service providers and/or our foreign shareholders to the extent possible as per relevant regulations and in accordance with the principle of confidentiality, as well as transmitted, stored, processed through reporting, and documented electronically and physically in accordance with the policies we are bound by and for reasons specified by other authorities.
Where there is a conflict between KVKK/other regulations and this Policy, the provisions of KVKK and other regulations shall take precedence.
This Policy prepared by our Company has entered into force pursuant to the decision made by the InterContinental Istanbul Board of Directors.
We would like to remind you that we may update this statement in the future to reflect changes in regulations and company policies. We shall publish the up-to-date version of the Statement on our website.
User/Users have irrevocably agreed, acknowledged, and declared that they have read this Policy on the Protection of Personal Data before entering the website, that they shall comply with all the provisions of the Policy, and that the entirety of the contents of our website, as well as all electronic and computer records belonging to our Company are considered conclusive evidence as per Article 193 of the Code of Civil Procedure.
Date of Effectiveness: 25 December 2019
Version: 001
APPENDIX – ABBREVIATIONS
| ABBREVIATIONS | |
|---|---|
| Law No. 5651 | The Law on the Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publication, which entered into force after being published on the Official Gazette No. 26530 on May 23, 2007 |
| Constitution | the Republic of Turkey Constitution No. 2709 dated November 7, 1982, published on the Official Gazette No. 17863 on November 9, 1982 |
| Application Communique | Communique on the Principles of Application to the Data Controller, which entered into force after being published on the Official Gazette No. 30356 on March 10, 2018 |
| Relevant Person/Relevant Persons or Data Subject | Refers to the InterContinental Istanbul’s and group companies’ guests, customers, corporate customers in a business relationship, business partners, shareholders, officials, employee candidates, interns, visitors, suppliers, employees of the companies in a business relationship, third persons, and any real person whose personal data is processed. |
| The Regulation on the Deletion, Destruction, and Anonymization of Personal Data | The Regulation on the Deletion, Destruction, and Anonymization of Personal Data that entered into force on January 1, 2018, after being published on the Official Gazette No. 30224 on October 28, 2017 |
| KVKK | The Law on the Protection of Personal Data that entered into force after being published on the Official Gazette No. 29677 on April 7, 2016 |
| KVKK Board | Personal Data Protection Board |
| KVK Institution | Personal Data Protection Institution |
| E.g. | Example |
| Policy | InterContinental Istanbul’s Policy on the Protection of Personal Data and Privacy |
| Company/ InterContinental Istanbul | Kassanov Otel Yönetimi ve Turizm A.Ş. |
| Turkish Penal Code | Turkish Penal Code No. 5237 dated September 26, 2004, which was published on the Official Gazette No. 25611 on October 12, 2004 |
Last Update Date: 25 December 2019
Version: 001
We process your personal data for a variety of purposes through cookies when you visit our websites or mobile sites. We aim to be as transparent as possible on this matter.
This policy has been created for the purpose of explaining to you what cookies are and how they are used. In addition, we also clarify what types of cookies there are and how you can change or delete them.
We hope this policy will arm you with sensible information about the use of cookies, and help you feel safe. If you have more questions on this issue, please do not hesitate to contact us.
This Cookie Policy is subject to change through revisions. Please review the “LAST UPDATED ON” segment at the top of this page in order to see the date of the last revision made to this Cookie Policy. Any changes to this Cookie Policy shall enter into force upon being published on our Website.
For more information about your personal data collected through cookies, please review the Policy on Privacy and the Protection of Personal Data found on our website, istanbul.intercontinental.com.
What is a Cookie?
A browser cookie is a piece of data that gets stored on your device and helps websites and mobile applications remember information about you. Other technologies associated with your device can also be used for similar purposes. In this policy, we will call all these other technologies “Cookies”.
For Which Purpose Do We Use Cookies?
We use cookies to protect your data and account, identify the most popular features, count the number of views on a page, enhance the user experience, keep our services secure, make our website more user-friendly, and adjust our website to your liking and needs. Cookies remember information about you that makes the abovementioned functionalities possible, helping us to provide you with these services. We may also need personal data such as your IP address in order to fulfill our legal obligations.
Types of Cookies
We have listed for you below the types of cookies we use on our website and mobile site. For more information about your personal data collected through cookies, please review the Policy on Privacy and the Protection of Personal Data found on our website, istanbul.intercontinental.com.
Basic Cookies: Basic cookies are necessary for accessing our website and mobile site, and for the proper functioning of these sites. In addition, they allow you to benefit from services associated with the sites. Without the basic cookies, it will not be possible for our website or mobile site to work smoothly, and some services that you request may be disrupted.
| Cookie Type | Why Do We Use This Cookie? |
|---|---|
| Session | Session cookies are kept on your browser only during your session and enable temporary storage. |
| Load Balancing | Load balancing cookies are used to distribute workloads across computer resources and ease the burden on the servers. |
| Security | Security Cookies are used for security checks and controls. |
Preference Cookies: Preference cookies gather your personal data regarding your behavior and preferences online and remember your local settings, helping us to customize your use of the website.
| Cookie Type | Why Do We Use This Cookie? |
|---|---|
| Language | Language cookies are used to store the language the user has selected, and to show the correct options. |
| Last visit and activity | Date of last visit, activity, and other information are stored in order to update the users on “what has changed since your last visit”, and to better understand user preferences. |
| Page History | Page history is used to track the order of the websites visited by the user. If the user receives a warning during their visit to the website, the information contained in the cookie is saved in the daily log for troubleshooting purposes. |
Social Media Cookies These cookies are used to monitor social media users for market research analysis and product development.
| Cookie Type | Why Do We Use This Cookie? |
|---|---|
| Cookies are used to monitor Facebook users for market research analysis and product development. |
Analysis Cookies: These cookies help us gather information about how you use our website so that we can further develop the website’s working mechanism. For instance, analysis cookies show the most visited pages, the challenges you have faced on the website, and whether or not ads are effective. Rather than showing the usage characteristics of one individual, this tool gives us a general view of usage patterns.
| Cookie Type | Why Do We Use This Cookie? |
|---|---|
| Google Analytics | Google Analytics cookies gather aggregated statistical data, contributing to the presentation and management of the website. Google’s aggregate data give us insight into demographics and interest, helping us better understand our visitors. Cookies used by Google; Location Cookies: The approximate address (city, state, country, postcode) of the user determined by the IP address is stored in order to choose the most appropriate country automatically and show the retail and promotional days within that locality. Reference Cookies: Reference cookies are stored in order to better understand the user’s preferences. |
| YouTube Cookies | Using YouTube private developer mode, we embed videos on our website from our YouTube channel. This mode may install cookies on your computer when you click on the YouTube player. The last watched video cookie stores the date and title of the last watched video so as to better understand user preferences. Instant Cookies are used to play audio and video content. For more information, please visit YouTube’s information page on embedded videos. YouTube stores cookies as part of its marketing activities, including marketing, market analysis, campaign and fraud detection. |
How to Manage Cookies
Many internet browsers accept cookies by default. This also applies when you benefit from our website and mobile sites. If you want to remove the existing cookies from your device, you can do this by changing your browser settings. In addition, if you do not want to store any cookies on your device going forward, you can block cookies from your browser.
If you remove or block the cookies we use, please bear in mind that this might have an impact on your user experience on our website or mobile site, and you may not be able to use certain features. If you haven’t changed the settings of your browser to block all cookies, even if you have deleted the cookies, they will be re-installed on your next visit to our website, or through an email we send you.
Blocking Cookies
While cookie use improves the functionality of our Website, if you wish you can block cookies altogether. However, please note that the website will not function to its fullest and you will not be able to take advantage of all its features. In order to block cookies, you’ll need to change your browser settings. These changes vary according to the type of device and browser you use. Below you can find the steps to take in order to block cookies on a variety of browsers:
Internet Explorer
Google Chrome
Safari
Mozilla Firefox
Contact Us
If you have more questions about our “Cookie Policy”, please contact us via [email protected].
KASSANOV OTEL YÖNETİMİ VE TURİZM A.Ş.
INFORMATION APPLICATION FORM
As Kassanov Otel Yönetimi ve Turizm A.Ş (“ InterContinental İstanbul”), we uphold the principles of protecting fundamental rights and freedoms, protecting the right to privacy, ensuring information safety, and respect for ethical values. Article 11 titled “The Rights of Data Subject” of Law No. 6698 on the Protection of Personal Data (“ KVKK“) allows the data subject to make certain requests as to how their personal data is processed. Our Company has prepared this application form in order to ensure that Data Subjects are able to exercise these rights and that the Company is able to fulfill its obligation to inform borne out of Article 10 of KVKK.
As per Article 11 of KVKK, by applying to Intercontinental Istanbul and filling in the attached form you can exercise your right to:
As per Article 13 of KVKK, the data subject should lodge an application in writing to the controller about their demands concerning the implementation of this Law or via other methods specified by the Personal Data Protection Board (“ Board“). In that regard, applications to our Company can be conveyed to us with a filled-in and printed copy of this form using one of the four methods specified below.
| No. | Method of Application | Address of Application | What to Do |
|---|---|---|---|
| 1 | Applying in person at our Company premises (data subject is obligated to produce ID documents) | Gümüşsuyu Mah., Asker Ocağı Cad. No:1 Beyoğlu/İstanbul | The envelope must read, “Information Request on Personal Data Protection”. |
| 2 | Notification through a notary public | Gümüşsuyu Mah., Asker Ocağı Cad. No:1 Beyoğlu/İstanbul | The notification envelope must read, “Information Request on Personal Data Protection”. |
| 3 | Via Registered E-Mail (KEP), signed with the “Secure electronic signature” defined in the Electronic Signature Law No. 5070 | [email protected] | The subject of the email should be “Personal Data Protection Information Request”. |
| 4 | Via email | In written form communicated using your email that has been declared to our Company and is registered in our systems (to [email protected]) | The subject of the email should be “Personal Data Protection Information Request”. |
It is not possible for third parties to exercise the right to obtain information as per Article 11 of KVKK on behalf of data subjects. In order for the data subject to make a personal data request with regard to another individual, the data subject must produce a power of attorney letter prepared for the concerned individual, notarized and carrying a wet signature.
Your applications that have been communicated to us shall receive a response within 30 days of the delivery of the application to our Company, depending on the nature of the application as per Article 13/2 of KVKK. Responses will be sent to you in written form or electronically, as per Article 13 of KVKK.
Data Controller:
Kassanov Otel Yönetimi ve Turizm A.Ş
Gümüşsuyu Mah., Asker Ocağı Cad. No:1 Beyoğlu/İstanbul
Tel: 0 212 368 4444
İstanbul Ticaret Sicil Müdürlüğü/ sicil no: 51695-5
istanbul.intercontinental.com