General Explanations
At SHARK AVIATION, we place maximum importance on the lawful processing and protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law”). For this reason, to provide better service to you in terms of customer security, we act in compliance with the Personal Data Processing and Protection Policy, the general principles of which are outlined below, regarding the protection, storage, processing, use, destruction, commercial electronic communications, and other matters related to personal data. In this context, we present this Personal Data Processing and Protection Policy (“Policy”) to inform you about the administrative and technical measures we take regarding the processing and protection of personal data, as well as fulfilling our obligation to inform under Article 10 of the Law.
Purpose and Scope of the Policy
The primary purpose of this Policy is to provide information regarding the systems for the processing and protection of personal data in accordance with the law and the objective of the Law, and to inform about all personal data processed by SHARK AVIATION, whether automatically or as part of a data recording system, through non-automatic means.
Personal Data Owner / Relevant Person
The term refers to our employees, hotel guests, potential customers, business partners, visitors, and third parties whose personal data we process.
Definition of Personal Data
The following are the types of personal data processed by SHARK AVIATION and considered personal data under the Law. Unless explicitly stated otherwise, the term “personal data” in this policy refers to the following information:
Personal Data Shared by You: Name, surname, date of birth, Turkish ID number, phone number, email address, address, photos, video recordings, and other personal data shared with us through the channels mentioned above, including through surveys and contests.
Other Information Collected Automatically: This includes information collected automatically when visiting our website, such as visit count, average time spent on the site, and pages viewed. It also includes data gathered by automatic systems such as search engines, image and sound recording devices.
Personal Data Obtained from Other Sources: This includes updated address information, account details, purchasing information, page views, search terms, and results shared by third parties, such as social media platforms, business partners, and other third parties based on your previous consent.
Sensitive Personal Data
Sensitive personal data includes race, ethnicity, political views, philosophical beliefs, religion, sect or other beliefs, dress, membership in associations, foundations, or unions, health data, criminal convictions, and security measures, as well as biometric and genetic data. If the data being processed is considered sensitive personal data under the Personal Data Protection Law, it may only be processed with the explicit consent of the data owner, unless sufficient measures determined by the Personal Data Protection Board are taken.
Data Controller
The data controller is the real or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. Legal persons are considered “data controllers” in the context of their activities related to personal data processing, and the legal responsibility will fall on the legal entity. There is no distinction between public law legal persons and private law legal persons in this regard.
According to the law, the data controller is the person who determines the “why” and “how” of data processing activities. In this context, SHARK AVIATION acts as the data controller.
Obligations of the Data Controller
Obligation to Inform
The law grants data subjects the right to know who is processing their personal data, for what purposes, on what legal grounds, and to whom and for what purposes the data may be transferred. The data controller is required to provide this information. SHARK AVIATION is obliged to provide the following information to the relevant person during the data collection process:
- The identity of the data controller and its representative (if any),
- The purpose of processing personal data,
- The recipients to whom the personal data may be transferred and for what purposes,
- The method and legal grounds for collecting personal data,
- The other rights specified in Article 11 of the Law.
Other rights under Article 11 of the Law include:
- Learning whether personal data is being processed,
- Requesting information if personal data is processed,
- Learning the purpose of processing personal data and whether it is used in accordance with the purpose,
- Learning the third parties to whom personal data is transferred, domestically or internationally,
- Requesting the correction of incomplete or incorrect personal data,
- Requesting the deletion or destruction of personal data in accordance with the principles of the Personal Data Protection Law,
- Requesting the notification of third parties regarding corrections or deletions,
- Objecting to a result that is processed solely by automated means,
- Requesting compensation for damages caused by unlawful processing of personal data.
The data controller must inform the data subject in cases where data processing depends on the explicit consent of the data subject or where the processing is carried out under another condition set forth in the Law.
Obligations Regarding Data Security
According to Article 12 of the Law, SHARK AVIATION, as the data controller, is obliged to:
- Prevent unlawful processing of personal data,
- Prevent unlawful access to personal data,
- Ensure the storage of personal data securely.
As the data controller, SHARK AVIATION is required to take all necessary technical and administrative measures to ensure an appropriate level of security to fulfill these obligations. In determining these obligations, the Personal Data Protection Board may issue regulations. Additionally, additional measures may be required depending on the nature of the personal data being processed and the sector in which it is processed.
If personal data is processed by another real or legal person on behalf of SHARK AVIATION, both parties are jointly responsible for taking the necessary precautions.
Obligation to Respond to Applications from Data Subjects
SHARK AVIATION is required to respond to requests made by data subjects in writing or through other methods specified by the Board regarding the implementation of the Law. These requests must be answered as quickly as possible and at the latest within 30 days, free of charge. However, if the process incurs a cost, SHARK AVIATION may charge the data subject according to the fee determined by the Board.
If a request is accepted, SHARK AVIATION must fulfill it. If the request is rejected, the response must be provided to the data subject in writing or electronically.
In case the application is rejected, the response is insufficient, or no response is given within the time limit, the data subject can file a complaint with the Board within 30 days from learning of the response and within 60 days from the date of application.
Obligation to Implement Board Decisions
If the Board determines that there is a violation based on a complaint or on its own initiative, SHARK AVIATION is required to comply with the decision and rectify the situation within 30 days.
Registration Obligation in the Data Controllers’ Registry (VERBİS)
SHARK AVIATION is required to register in the Data Controllers’ Registry (VERBİS) and declare information about its data processing activities.
Data Processor
A data processor is the person or entity authorized by the data controller to process personal data on its behalf, under the responsibility of the data controller. Data processors must comply with the applicable legal provisions and take necessary precautions to ensure the protection of personal data.