THE LEGISLATION FOR THE PROTECTION OF PERSONAL DATA

Information Statement

Definitions

The following statements in this hereby information statement carry the following meanings:

Personal Data: All types of information concerning a real entity whose identity is known or can be determined;

Data Processor: The real or legal entity processing the Personal Data on the basis of the authority given by the Entity Responsible for the Data;

Entity Responsible for the Data: The real or legal entity who determines the objectives and tools for the processing of Personal Data and who is responsible for the establishment and management of the data recording system;

Relevant Individual: The real entity whose Personal Data is being or has been processed

As Az Otel İşletmeleri Turizm İnşaat Tic.Ltd.Şti. (“Our Company”),our primary principles include, in particular, the protection of fundamental rights and freedoms, as well as the preservation of the confidentiality of private life, ensuring and protecting the safety of information and respect for ethical values.

The Entity Responsible for the Data

The “Entity Responsible for the Data”, in respect of your Personal Data, is Az Otel İşletmeleri Turizm İnşaat Tic. Ltd. Şti., which has its company head office at “Kemerağzı Mah. Yaşar Sobutay Blv.No:339 Lara-Aksu-ANTALYA”, is registered at the Antalya Commercial Registry under the registration number 71500 and holds the Mersis (Central Registration System) number 5918953927254740.

The Parties whose Data is being Collected

We collect the data of the parties set out below, who are in a business relationship with our company, within the scope of the Legislation for the Protection of Personal Data:

• Our customers;

• Our suppliers;

• Our consultants;

• Our business partners;

• Our shareholders;

• The authorized representatives of our company;

• The legal representatives of our company;

• The persons and employees we are in a contractual relationship with;

• The persons who are the addressees of legal procedures;

• The participants in our surveys; and

• Our visitors.

The Data Collected and Processed by our Company from its Parties

We collect and process the following data from the parties of our company, within the scope of the GDPR (General Data Protection Regulations):

• Identity information;

• Information related to family and social life;

• Information concerning location;

• Information concerning education;

• Information related to the management of requests / complaints;

• Information concerning legal affairs;

• Information related to adherence to ethical values and laws;

• Financial information;

• Information concerning the use of electronic media;

• Information concerning the products and services being supplied and acquired;

• Information concerning the security of physical locations;

• Visual and audial information (photographs, film);

• Telecommunications records;

• E-mail and information systems services usage records;

• Login records; and

• Medical reports and health-related information.

The Data Collection Objectives of our Company

We collect and process data in order to be able to achieve the company objectives, which are set out below (subject to being limited to the relevant objectives), within the scope of GDPR:

• The conduct of the commercial activities of our company;

• The performance of the business processes connected to its commercial activities;

• The management and conduct of the relationships with business partners and / or suppliers;

• The technical management of the websites of our company;

• Client management and the tracking of complaints;

• The monitoring of product questionnaires and the questions you have sent to our Company;

• The performance of the required work by our business departments in order to ensure that you are able to benefit from the products and services offered by our Company;

• The planning and execution of the sales, marketing and after-sales services processes of our products and / or services;

• The provision of information concerning the content of our products and services;

• The sending of commercial electronic transmissions, subject to this being in accordance with the legislation and obtaining permission;

• The conduct of competitions, events and other organizations;

• The conduct of the legal and commercial relationships between our Company and the persons who our Company is in a business relationship with and ensuring the security of these relationships;

• The administrative operations directed at communication, conducted by our Company;

• Ensuring the physical security and inspection of the locations belonging to the Company;

• The planning of logistics activities;

• The conduct of the processes of research into repute;

• The conduct of activities and procedures related to adherence to ethical values and laws;

• The monitoring of contractual processes and / or legal claims;

• The planning and / or execution of occupational health and / or safety processes;

• The planning and conduct of organisational communication and corporate management activities;

• The conduct of information security systems services;

• The conduct of the activities directed at the monitoring and audit of finance and / or accounting activities;

• The determination and implementation of the commercial and business strategies of our Company;

• The creation and monitoring of visitor records;

• For any other reason or reasons to be notified to the relevant individual, during the process of obtaining the information; and

• In order to ensure that the legal obligations are met in the manner required by the relevant legislation.

The Transmission of the Data Collected and Processed by our Company, in line with its Objectives

The personal data collected by our Company within the scope of the GDPR and the within the framework of the conditions and objectives for the processing of personal data, may be shared with our affiliates, subsidiaries, business partners (only anonymously), legally authorised public institutions and private individuals and other persons, in line with the objectives, the details of which are set out above.

The Manner in which and the Legal Reasons for the Collection of Data by our Company

Personal data is collected, used, recorded, stored and processed by our company, by notifying the owners of the personal data verbally, in writing and / or through electronic means, in a manner which is clear and easy to understand, and where necessary by obtaining their consent, subject to it being in connection with and restricted to the lawful objectives set out clearly above and in accordance with the rules of law and honesty, and remaining within the framework of the principle of prudence.

We guarantee that your personal data will not be processed, transmitted to 3rd parties, either domestically or abroad and stored for any purpose other than those set out in this information statement.

The Period of Storage of the Data Collected by our Company

Your personal data is stored for the period of storage set out in the relevant legislation, and in the event that no period has been stipulated in the relevant legislation, in line with the practices of our Company and the customs of commercial life or for the term required in line with the objectives of processing the data referred to above, and then deleted, destroyed or made anonymous in a manner which adheres to the requirements of the GDPR.

The Security of the Data Collected and Processed by our Company

The requirements of the technical and administrative measures of the Information Security Management System (ISO 27001 Standard and its good practices manuals 27018 and 27701) and the Personal Data Protection Management System (Bureau Veritas – Data Protection Technical Standard, BS 10012 – Data Protection Personal Information Security System Standard), as subscribed to by our Company, are continuously active and developed within the scope of continuous improvement, in order to ensure that they are not subjected to unauthorised access and damaged in the environment where they are processed and stored.

Information Concerning Users Situated within the European Union

This section only applies in respect of the use of the services supplied by Corendon Hotels by persons who are situated in the member states of the European Union.

The International Transmission of Personal Data

Personal data may be forwarded to third countries or international organizations. In order to ensure your protection and the protection of your data, such a transfer of data is subject to legal requirements and the taking of the appropriate precautions in line with these (especially the implementation of the articles of the agreement concerning the EU standards) or a decision on adequacy published by the EU Commission (in accordance with the GDPR).

Moreover, we have an obligation to provide personal data to international organizations (in accordance with domestic and international regulations and agreements and article 6(1) (c) of the GDPR).

The Right of Objection in accordance with Article 21 of the GDPR

You have the right to make an objection to the processing of personal data related to you (including profiling) , at any time, and together with the reasons citing your special circumstances, within the scope of paragraphs (e) or (f) of Article 6(1) of the GDPR.

The entity responsible for the data is not allowed to process your personal data if he/she is unable to show a strong lawful justification such as one which is over and above the interests, rights and freedoms of the owner of the data or the instituting, use or protection of a legal right.

Where personal data is being processed directly for the purposes of marketing, you have the right to object to the processing of your personal data for marketing purposes, including profiling to the extent where it is related to the said direct marketing activities, at any time.

In the event that you have made an objection to the processing of your data, your personal data will no longer be processed for such purposes.

Your Rights as the Relevant Individual

The rights you possess within the scope of the European Union General Data Protection Charter (Reg. EU 2016/679) are as follows:

• The Right of Access

• The Right of Correction

• The Right of Deletion (“Right to be Forgotten”)

• The Right of Restricting the Processing of your Data

• The Right to Move the Data

• The Right of Objection (see the section on the Right of Objection in accordance with Article 21 of the GDPR).

You may send an e-mail to [ikgplara@corendonhotels.com.tr] in order to utilize your rights. However, do not forget that we may be required to process your personal data in order to be able to meet your requests and for the purposes of determining your identity, in accordance with the legal provisions.