Website Confidentiality Agreement

Elista Hotel & Spa ("Hotel"), under the scope of the Law on Protection of Personal Data No. 6698 ("KVKK"), respects and protects the privacy of your personal data. This policy explains how your data is collected, stored, processed, and protected when you interact with us. We are committed to processing your data in accordance with the law and ensuring your rights as a data subject are respected.

​

COLLECTION OF PERSONAL DATA

Personal data may be collected through:

• Reservation forms (online or in person)

• Check-in/check-out procedures

• Customer service interactions

• Surveys, promotional activities, and campaigns

• Use of the Hotel's Wi-Fi services

• Security systems (camera and thermal)

• Communication with the Hotel through any physical or digital channel

​

Types of Personal Data

Processed The data processed may include:

• Name, surname, identity information, passport number, nationality

• Contact details (e.g. telephone, email, address)

• Reservation and stay details (check-in/out dates, room preferences)

• Payment and invoice information

• Health data (if provided voluntarily or required by regulations)

• Security footage from CCTV

• Digital data (e.g. IP address, login details, preferences, Wi-Fi login)

​

Purpose of Processing Personal Data

The Hotel processes your personal data for the following purposes:

• Managing reservation and accommodation processes

• Fulfilling legal obligations (e.g. sharing with law enforcement, issuing invoices)

• Improving service quality and guest satisfaction

• Conducting marketing and promotional communications (with consent)

• Managing complaints and requests

• Ensuring physical security of the Hotel premises

• Managing loyalty programs, surveys, or other promotional activities

​

Legal Grounds for Data Processing

Your personal data is processed based on one or more of the following legal grounds:

• Your explicit consent

• Necessity for performance of a contract

• Compliance with legal obligations

• Legitimate interests of the data controller, provided it does not harm fundamental rights and freedoms

 

E-INVOICING & E-ARCHIEVE INVOICE

Within the scope of this program, customer is automatically enrolled in e-invoicing program and invoices are sent to the e-mail address he/she has provided to the property. It’s the responsibility of the customer to ensure that the e-mail address is accurate and preferred one for this communication, which is provided during check-in or updated later. If a reservation is made for another family member or other persons using this e-mail address, e-invoice of the relevant invoice is sent to the address of the e-mail address.

 

E-Invoice is an invoice that is issued in electronic environment, not printed on the paper and sent to the receiver and/or vendor through the servers. It has entered into force with TPL communique with order no. 397 of Turkish Republic’s Tax Procedure Law and has been put into practice since March 5, 2010.

 

As per TPL, e-Invoice contains all information required to be present in an invoice and mutual invoice submission between the receiver and vendor are realized in electronic environment.

 

E-Archive Invoice is an implementation that ensures the invoice which must be issued, kept and submitted on paper as per Tax Procedure Law is issued in electronic environment and its secondary copy is kept and submitted in electronic environment in compliance with General Communique on Tax Procedure Law with order no. 433. In e-Archive Invoice, all invoices except for the invoices issued for taxpayers registered in e-Invoice Implementation are designated as e-Archive Invoice.

 

Data Processing for Advertisement Purposes

Electronic messages for advertisement purposes can only be sent to the persons with prior consent in compliance with the Law on the Regulation of E-Commerce and the Law on Commercial Communication and Commercial Electronic Messages. An explicit consent of the person is required to send advertisements. “Elista Hotel & Spa” obeys the details of ‘’the consent’’ specified in the same legislation. The consent to be obtained should cover all commercial electronic messages that are sent to the electronic communication addresses of the recipients to promote and market the goods and services of the company, to promote the business or to increase the recognition level of the company with contents including greetings and wishes. This consent may be obtained via any electronic communication channel or at physical medium in written. The important thing is to obtain the declaration of the recipient that he/she accepts to receive commercial electronic messages and to have his/her full name and electronic communication address.

 

Data Processing Due to Legal Obligations of the Company or Being Stipulated Explicitly in the Law

Messages with your assistant (concierge/guest services) may be stored securely for a period of 3 years for potential disputes. These communications may not be published or shared without written consent. Legal obligations, including court or authority requests, will be fulfilled accordingly.

​

Processing of Special Quality Data

In order to provide better services, Elista Hotel & Spa may, with the consent of the individuals, process special data exclusively for the purpose for which it was collected. In accordance with circulars issued under Covid-19 and statutory provisions, our hotel facilities may request certain personal data, including special personal data such as health data from you and your relatives. These personal data can be passed on to authorities and health facilities if required.

​

Pursuant to the Law, race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothes, membership of association, foundation or union, health, sexual choice, juridical sentence and data regarding safety measures and biometric and genetic data are among the special quality data. “Elista Hotel & Spa” also takes adequate measures determined by the Board for the processing of special quality data. We may process these only for the corresponding purposes to provide better services.

 

Data Processed with Automatic Systems

Elista Hotel & Spa acts in compliance with the Law for data processed with automatic systems. The information obtained from these data without the explicit consent of the persons shall not be used against the person. However, decisions regarding the persons that it will perform process may be taken by using the data within the system.

​

Purpose of Collecting and Processing Safety Data from Properties

Security footages taken due to your visit to Elista Hotel & Spa are collected to ensure security of both you and our company and to provide service to you securely. Your personal data are not used for the purposes other than stated and processed based on the cause of action of the data controller for its legitimate interests. Collected personal data cannot be shared with any third person or entity unless required by law.

​

Use of Thermal Imaging Camera

At the entrance to our property, a Thermal Imaging Camera/Thermometer is used to measure the body temperature and the relevant information is not used for purposes other than the protection of Public Health.

 

DOMESTIC AND INTERNATIONAL TRANSFER OF PERSONAL DATA 

Your personal data may be shared with business and solution partners for the purpose of offering accommodation, transfer, invoicing, surveys, marketing notifications, and loyalty card services.

Your personal data may be transferred to foreign countries declared to have sufficient protection by the Personal Data Protection Board. In the absence of adequate protection, your personal data may be transferred to countries where data controllers in Türkiye and the relevant foreign country have committed to providing sufficient protection in writing and have obtained permission from the Board.

The transfers will be carried out meticulously, ensuring that the data security commitments in the respective country are thoroughly examined, using only the necessary information and up-to-date data protection methods.

 

Deletion, Destruction or Anonymization of Personal Data

Personal data obtained directly or indirectly in accordance with the data processing conditions in the Law are kept by the Company for the period stipulated by the relevant legislation or required by the purpose of processing. The deletion, destruction or anonymization of personal data is regulated in Article 7 of the Law. When the purpose of collecting your data isn’t deemed valid anymore, your data will be destroyed.

 

RIGHTS OF THE RELEVANT PERSON

You have the right to: a) Be informed whether your personal data is processed or not, b) Request information regarding the processing, c) Learn the purpose of processing and whether it’s used accordingly, d) Know the third parties to whom the data is transferred domestically or internationally, e) Request correction in case of incomplete or inaccurate processing, f) Request deletion/destruction under Article 7, g) Request that these operations are notified to third parties, h) Object to negative outcomes due to automated data processing, i) Request compensation for damages due to unlawful processing.

These rights can be exercised by completing the form available on our website and sending it with a copy of your ID via registered mail to the Hotel.

 

CONFIDENTIALTY PRINCIPLE

The data of employees and other persons within Elista Hotel & Spa are confidential. No one may use, copy, reproduce, or transfer these data except for business purposes.

​

PROCESS SECURITY

All necessary technical and administrative measures are taken to protect the personal data received by Elista Hotel & Spa and to prevent the retention of them by unauthorized persons. This includes software compliance, secure selection of third parties, and adherence to a robust data protection policy.

 

INSPECTION

Elista Hotel & Spa carries out internal and external inspections for protection of personal data.

 

NOTIFICATION OF VIOLATION 

Elista Hotel & Spa shall immediately act to remedy any violations and mitigate any damage. In case personal data are obtained by unauthorized persons, this will be immediately notified to the Personal Data Protection Board.