NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION AND PRIVACY POLICY

During your visit to this website and your use of the service through this Site, how the information that we receive regarding you and the services you request will be used and protected are subject to this ‘’Confidentiality Agreement’’. You hereby accept the conditions stipulated in this ‘’Confidentiality Agreement’’ when you visit this website and request to use the services we provide through this Site.

PURPOSE OF PERSONAL DATA PROTECTION AND PROCESSING POLICY

Data and information of our customers or potential customers have been kept confidential and have never been shared with third parties by virtue of the sensitivity of our business as NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ. Personal data protection is our essential policy. As THE NORM GROUP, we undertake to adhere to all liabilities of the Law on Personal Data Protection.

SCOPE AND CHANGE OF PERSONAL DATA PROTECTION AND PROCESSING POLICY

This Policy prepared by our Company has been regulated in accordance with Law on Protection of Personal Data (“KVKK”) no. 6698. The data received with your consent or pursuant to the other regulations as per to the Law shall be used to make our service more quality, to improve our services and quality policy and for sales and marketing purposes in accordance with your permission. On the other hand, some of the data we obtain are removed from the scope of personal data and anonymized. These data are used for statistical purposes and not subject to the enforcement of Law and our Policy. “Personal Data Protection and Processing Policy of THE NORM GROUP aims and regulates the protection of the data which are automatically obtained from our customers, potential customers, employees and the customers and employees of the companies in cooperation with us for solution partnership and the other parties. Our company reserves the right to change our Policy and Regulation – provided to comply with the Law and protect the personal data in a better way.

PURPOSE OF DATA PROCESSING

Collection and processing of personal data by NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ shall be executed in line with the purposes stipulated in the letter of clarification. The data are collected and processed to draw up contracts and provide better services to the customers.
These rules are:
a) Being in compliance with the law and good faith: THE NORM GROUP questions the source of the data it collects or sent by other companies and attaches importance to handling these in compliance with the law and good faith. Within this framework, it warns and notifies the third parties (agencies and other intermediary firms) that sell the services provided by THE NORM GROUP to protect the personal data.
b) Being accurate and up to date, if necessary: THE NORM GROUP attaches importance to the accuracy of all of the data kept within the organization, to the fact that they don’t include any misinformation and that personal data are updated only if the changes are notified.
c) Being processed for specified, explicit, and legitimate purposes: THE NORM GROUP processes the data limited to the services and purposes for which consent of the persons are taken during the services. It shall not process, use and make use of the data out of business purposes.
d) Being relevant, limited and proportionate to the purposes for which data are processed: THE NORM GROUP uses the data only for processing purposes and to the extent what the service requires.
e) Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected: THE NORM GROUP keeps the contractual data as long as it’s required by the commercial and taxation law as well as the periods of conflicts of law. Nevertheless, it shall delete or anonymize the data in case the reasons necessitating their processing cease to exist.

It’s crucial to state that whether THE NORM GROUP collects or processes the data by one’s will or in compliance with the law, the abovementioned provisions shall apply anyhow.

Maximum Savings Policy/Scrimping Policy
Pursuant to our policy called as maximum savings policy or scrimping policy, the data received by us are processed into the system as required. Thus, which data we will collect shall be determined according to the purpose. Unnecessary data shall not be collected. Redundant information is not stored in the system, they are deleted or anonymized. These data may be used for statistical purposes. Health data among the special quality data are only kept in the system to provide better service to the customers and to protect their health.

Deletion of personal Data
When the retention period necessitated by the Law expires, judicial procedures are completed or other requirements no longer exists, these data shall be deleted, removed or anonymized automatically, by the company or upon the request of the relevant person.

Accuracy and Currency of Data
TThe data within the body of THE NORM GROUP are processed as declared by the relevant persons as a rule. Our company is not obliged to check up on the accuracy of the data declared by the customers or the persons in touch with us and it’s also contrary to the Laws and our working principles. The declared data are regarded as correct and accurate. The principle of accuracy and currency of personal data has also been adopted by THE NORM GROUP. The personal data processed upon the request of the relevant person or from official documents that are submitted to our company are updated. Necessary precautions are taken for this purpose. If your data is not correct or is changed in any way, we kindly ask you to update them by contacting us via the email you’ve provided to the hotel.
E-mail address for application: kvkk@thenormhotels.com
(If your e-mail is not registered in our system, we won’t reply within the scope of the Law. In that case, please fill out the application form on our website.)


Confidentiality and data security
Only authorized persons shall access the personal data. All necessary technical and administrative measures are taken to protect the personal data collected by THE NORM GROUP and to prevent the damage on our customers and potential customers. Within this framework, it shall be ensured that the software complies with the standards, third parties are selected with caution and data protection policy is observed within the company.

DATA OF CUSTOMER, POTENTIAL CUSTOMER AND BUSINESS SOLUTION PARTNERS

As all the hotels serving under the roof of NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ, we process your personal data in the capacity of data supervisor within the scope of Personal Data Protection Law no. 6698 and other relevant legislations. In this sense, categories and explanations of personal data to be processed are as follows:
- Identity Information: Name-surname, name-surname of companying guest/guests; nationality, birth place and date, T.R. Identity, driver’s license and passport numbers (including date and place of issue).
- Contact Information: Address, telephone number, e-mail address.
- Financial Information: Mobile invoice information, bank account information, payment card information and other payment information.
- Customer reviews, feedbacks and complaints: Special preferences in accommodation, marketing and communication fields; reviews, opinions or complaints about the brands and properties.
- Other: Reservation details, travel history; information on participation in competitions, draws or marketing programs, information of vehicles used to access the property; booked hotel, airline and rental car packages; associated groups to stay in the properties, frequent-flyers or Travel Partnership Program memberships and member numbers, information provided during membership and account applications.

Collection and Processing of Data for Contractual Relationship
In case of a contractual relationship with our customers and potential customers, the collected personal data may be used without the approval of the customers. However, this use shall be for the purpose of the contract. The data shall be used for better execution of the contract and as required by the services and updated, if necessary, by contacting the customers. Nevertheless, the data provided to us by our potential customers shall be processed to offer easier and more quality services later. These data shall be deleted upon requests in case of lack of any contractual relationship.

Data of Business and Solution Partners
THE NORM GROUP adopts as a principle to act in compliance with the laws when exchanging the data both with business and solution partners. The data are shared with the business and solution partners with the understanding of data confidentiality and as required by the services and it’s definitely ensured that these parties take measures regarding the data security.

Processing Data to Manage, Analyse and Improve the Services Provided in the Properties
- Carrying out a questionnaire study with the aim of measuring the services provided,
- Communicating with guests for marketing purposes in line with the communication permits within the scope of miscellaneous laws,
- During the stays at the hotel; making internal correspondence regarding guests who act against the Regulation on the Relations of Tourism Enterprises with the Ministry, Each Other and Their Customers, property rules and general rules of etiquette and preparing a list in line with this information.
- Recording the comments of guests on social media, blogs, review portals etc. into the system to analyse the feedback of the service provided,
- Carrying out Sales and Marketing activities to offer a tailor-made holiday experience by processing the data of services provided to the guests.

Managing our relationships with guests before, during and after their stay
- Conducting phone calls prior to check-in.
- Managing the Guest Loyalty Program.
- Answering guests' questions regarding the Loyalty Program, card levels, upgrading to the next level, and similar topics.
- Processing data related to reservation history, travel preferences, and services received to effectively manage marketing activities and perform segmentation.
- Handling reviews, complaints, and claims on review websites, complaint pages, and social media platforms related to services and facilities.
- Keeping guests' personal information up to date and merging it with data from third-party sources for analytical purposes.
- Managing additional service reservations such as a la carte, spa services, and more.
- Evaluations and requests from guests (surveys, emails, WhatsApp messages, etc.) regarding our services.
- Special service requests (if you have any specific needs such as illness, disability, allergies, special dietary requirements, or special vehicle transfer information, along with supporting documents to provide you with the necessary service before, after and during your stay upon your request and approval).
- Information to prevent fraud (Device Identification Information, device names, installation IDs, IP addresses, location data, login dates, browser types).

Survey Delivery and Data Processed with This Form
Survey deliveries are made within the framework of ARTICLE 6 – (1) of the Law on the Regulation of Electronic Commerce No. 6563, regarding the commercial electronic message transmission clause. Your valuable opinions will be processed in order to increase our existing service quality, collect plannings and insights regarding new services and enable property officials to evaluate the services they provide from your perspective. Your information, limited only to the e-mail address, will be shared with Related Marketing Cloud (RMC) and SurveyMonkey software companies in order to enable survey delivery. In addition, our guests accept and undertake that they write their reviews according to their own experience, they are their own sincere opinions about the hotel, they have no personal or commercial ties to the property and no material/moral incentive or payment is offered to write such review.

Visitor records
Our company, as the data controller under law no. 6698, has obtained an official document in exchange for the visitor card provided to you during your visit to our property. The purpose of obtaining this document is to ensure the safety of both our company and you, and to provide you with a secure service. Your personal data is only used for the purposes listed and processed based on the legitimate interest of the data controller, as regulated in Article 5/2 (f) of the KVKK (Law on Personal Data Protection). It is our policy to not share your collected personal data with any third party or institution. However, it may be shared if there are demands from legally authorized public institutions and organizations to fulfill the legal obligations set forth in article 5/2(ç) of the law. The information collected will be destroyed if the purpose of collection has been fulfilled or after 2 years at most.

E-invoice & E-archive Invoice
Within the scope of this program, guest is automatically enrolled in e-invoicing program and invoices are sent to the e-mail address he/she has provided to the property. It’s the responsibility of the customer to ensure that the e-mail address is accurate and preferred one for this communication, which is provided during check-in or updated later. If a reservation is made for another family member or other persons using this e-mail address, e-invoice of the relevant invoice is sent to the address of the e-mail address. e-Invoice is an invoice that is issued in electronic environment, not printed on the paper and sent to the receiver and/or vendor through the servers. It has entered into force with TPL communique with order no. 397 of Turkish Republic’s Tax Procedure Law and has been put into practice since March 5, 2010. As per TPL, e-Invoice contains all information required to be present in an invoice and mutual invoice submission between the receiver and vendor are realized in electronic environment. e-Archive Invoice is an implementation that ensures the invoice which must be issued, kept and submitted on paper as per Tax Procedure Law is issued in electronic environment and its secondary copy is kept and submitted in electronic environment in compliance with General Communique on Tax Procedure Law with order no. 433. In e-Archive Invoice, all invoices except for the invoices issued for taxpayers registered in e-Invoice Implementation are designated as e-Archive Invoice.

Data Processing for Advertising Purposes
Electronic messages for advertisement purposes can only be sent to the persons with prior consent in compliance with the Law no. 6563 on the Regulation of E-Commerce and the Regulation on Commercial Communications and Commercial Electronic Messages. THE NORM GROUP complies with the details of the consent specified in the same legislation. The consent for communication can be obtained in written in physical environment or via any kind of electronic communication channel. Some and/or all of information like Name, Surname, Activity, Agency, Loyalty card details, City, Country and E-mail address are shared in compliance with the service provider Related Marketing Cloud (RMC) and Law on Personal Data Protection no. 6698. Personal data may be processed without obtaining separate approval for the purpose of explicitly stating the processing in the relevant legislation or fulfilling a legal obligation determined by the legislation. The type and scope of data processing must be necessary for the legally permitted data processing and must comply with the relevant legal provisions.
In this context, the consent that our guests has given to us to send e-mail will be shared with IYS which is the national database system where Service Providers can store and manage different types of message submissions like call, message and e-mails, the receivers can view and remove permissions, complain about unauthorized submissions, the public can view the message complaints and the status of the permission subject to the complaint, provide service over the website, short message number and call center, record all permissions with the stamp and store them securely in accordance with the Regulation no. 30998 published in the Official Gazette dated January 4, 2020. If you wish, you can visit the IYS website via https://iys.org.tr for more detailed information on the subject.

Processing of Personal Data of Special Nature
In order to provide services more effectively, THE NORM GROUP can only process personal data of special nature with the consent of individuals for the purpose for which they were collected. As per the regulations and legal requirements related to Covid-19, our facilities may request certain personal data, including sensitive personal data such as health information, belonging to you and your loved ones. These personal data may be shared with official authorities and healthcare institutions when necessary.
According to the Law, the following are considered personal data of a special nature: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, biometric and genetic data. THE NORM GROUP takes the adequate measures determined by the Board and may only process data of special nature for the purpose for which it was collected and with the consent of the individual, in order to provide better services.

Data Processed with Automatic Systems
THE NORM GROUP acts in compliance with the Law for data processed with automatic systems. The information obtained from these data without the explicit consent of the persons shall not be used against the person. However, THE NORM GROUP may take decisions regarding the persons that it will perform process by using the data within the system.

Purpose of Collecting and Processing Safety Data from Properties
Security footages taken due to your visit to NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ that acts in the capacity of data controller within the scope of Law no. 6698 are collected to ensure security of both you and our company and to provide service to you securely. Your personal data are not used for the purposes other than stated and processed based on the cause of action of the data controller for its legitimate interests as per Article 5/2 (f) of The Law on Personal Data Protection. Collected personal data cannot be shared with any third person or entity pursuant to the rules. However, they can be shared to meet the demands of state institutions and organizations authorized by law to fulfil the legal obligations stipulated in Article 5/2 (ç) of the Law. When the purpose of collecting your data isn’t deemed valid anymore, your data will be destroyed.

TRANSFERRING OF THE PERSONAL DATA DOMESTICALLY AND INTERNATIONALLY

Your personal data may be shared with business and solution partners by NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ for the purpose of offering accommodation, transfer, ticketing, invoicing, surveys, marketing notifications, and loyalty card sending services. Your personal data may be transferred to foreign countries ("Countries with Adequate Protection") declared to have sufficient protection by the Personal Data Protection Board. In the absence of adequate protection, your personal data may be transferred to foreign countries ("Adequate Countries with Data Controllers Committing Adequate Protection"), where data controllers in Türkiye and the relevant foreign country have committed to providing sufficient protection in writing and have obtained permission from the Board. The transfers will be carried out meticulously, ensuring that the data security commitments in the respective country are thoroughly examined, using only the necessary information and up-to-date data protection methods.

NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ may transfer personal data to the individuals and institutions listed below for specific purposes:
a) NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ's business partners, within the scope of the established business partnership, for the purpose of offering services (transfer planning, ticketing, pre-flight hospitality services).
b) NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ’s suppliers, to offer services necessary for the company's commercial activities that are sourced externally from the supplier (server, storage, archiving, GSM services, hosting, IT support, legal and similar consultancy firms),
c) NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ, Ets Ersoy Turistik Servisleri A.Ş. and other solution partners, limited to ensure the execution of our company's commercial activities requiring the participation of subsidiaries (loyalty card discounts, ticketing, transfer, guide services).
d) The potential employers requesting references or requesting information within the scope of occupational health and safety, with the consent of our former employees limited to sharing the necessary documents within the scope of relevant legislation,
e) Institutions or organizations established in compliance with specific conditions determined by the relevant legislation and continuing their activities within the framework defined by the law (independent audit firms, international accredited institutions).

NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ ensures full compliance with the Law on Personal Data Protection no. 6698 and related legislation when transferring your data domestically and internationally. Additionally, your Personal Data may be transferred to state institutions, judicial bodies, and foreign missions established by international agreements (embassies, consulates, etc.) in accordance with legal obligations and when deemed necessary.

DELETION, DESTRUCTION, OR ANONYMIZATION OF PERSONAL DATA

Personal data obtained directly or indirectly in accordance with the data processing conditions specified in the Law are kept by the Company in compliance with the relevant legislation and the principles of lawfulness and fairness for the period required by the processing purpose. The deletion, destruction, or anonymization of personal data is regulated in Article 7 of the Law on Personal Data Protection, according to which it is the responsibility of the data controller to delete, destroy, or anonymize personal data when the reasons requiring its processing no longer exist. It is not necessary for the individual to make a request for this. However, in case of negligence on the part of the data controller, the individual has the right to request the deletion or destruction of their personal data. For any questions regarding our policy, you can contact us at
kvkk@thenormhotels.com

YOUR RIGHTS WITHIN THE SCOPE OF THE LAW

NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ hereby agrees that the relevant person must provide his/her consent before processing the data within the scope of the Law and he/she reserves the right to determine the destiny of the data after the data is processed.
Regarding the personal data, the relevant persons holds the right to do the following by applying to our official announced on the web page by NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ;
a) To be informed whether his/her personal data are processed or not,
b) To request information if the personal data are processed,
c) To learn the purpose of processing the personal data and whether the data are used for the corresponding purposes,
ç) To get information on the third parties to whom the personal data are transferred in the country and abroad,
d) In case the personal data are processed incompletely or inaccurately, to request the correction,
e) To request that personal data are deleted or removed within the framework of the conditions stipulated in article 7,
f) To request that the processes performed as per clause (d) and (e) are notified to the third parties to whom the personal data are transferred,
g) To appeal to the unfavourable results against himself/herself arising from the analysis of the data processed exclusively through the automatic systems,
ğ) In case the personal data are damaged due to the processing of the data contrary to the Law, to request that the damages are indemnified.
Nevertheless, the persons don’t reserve any right on the anonymized data within the company. THE NORM GROUP may share the personal data as required by a juridical function or governmental authority as per the business and contractual relationship.

The owners of the personal data shall submit their requests regarding the above-mentioned rights to the following contact address by completely filling out and putting their wet signatures on the application form given at www.thenormhotels.com, the official website of the Company, through registered letter with return receipt with the copies of their identity cards (only front page for birth certificate). The applications shall be replied within the shortest time according to the content of the application or within 30 days at the latest after the delivery to the company. You need to apply with registered letter with return receipt. Besides, only the questions about you shall be replied and any applications made regarding your spouse, relative or friends shall not be accepted. NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ may request other relevant information and document from the application holders.

CONFIDENTIALITY PRINCIPLE

The data of the employees and other persons within NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ are confidential. Nobody can use, copy, reproduce, transfer these data for other purposes apart from the business purposes without the compliance with the contract or the law.

PROCESS SECURITY

All necessary technical and administrative measures are taken to protect the personal data received by NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ and to prevent the retention of them by unauthorized persons and to prevent the damage on our customers and potential customers. Within this framework, it’s ensured that the software complies with the standards, third parties are selected with care and data protection policy is followed within the company. Measures related with the security are constantly renewed and developed.

Requests made pursuant to the Law on the Protection of Personal Data
All applications will be put into process if you complete the from at kvkk@thenormhotels.comattach a copy of your identity card and send it to the address written on the form via registered letter with return receipt or via e-mail registered in our system. The rights concerning personal data will only be used for one's own data. Requests regarding the personal data of others will not be taken into consideration. Forms without identity card photocopies will not be taken into consideration. The replies will only be provided if the request is made from the applicant's email address in the system. Requests for information about oneself or another guest from a different email address will not be answered. Please be informed that even if data deletion requests are fulfilled, we are required to share data with the authorities if requested.

Click for application form

CHANGES TO BE MADE IN PERSONAL DATA PROTECTION AND PRIVACY POLICY

NORM GRUP OTELCİLİK VE TURİZM İŞLETMESİ ANONİM ŞİRKETİ reserves the right to make changes on the declarations here. There is a link attached on the homepage of the website to access the up-to-date ‘Personal Data Protection and Privacy Policy’. When the last time this Policy was updated and update number are given at the end of this text. Each change made on the Policy becomes effective upon the publication of the changed declaration on the website. Latest additions to the updated policy is stated with bold and italic fonts. By using the website or any of our products and services following such changes, you accept the changed declaration that is effective at that time.
Policy Update: November 19, 2023

CONTACT

You can contact us for further questions on the confidentiality agreement by using the following contact information.

Norm Grup Otelcilik Ve Turizm İşletmesi Anonim Şirketi
Central Sales and Marketing Office
Güzeloba Mah. 2134 Sokak No:30/101
07230 Muratpaşa / Antalya
TÜRKİYE