GUEST INFORMATION NOTICE
Data Controller: Serenat Hotel Management Tourism Trade Joint Stock Company
Belek Mahallesi, Turizm (Çamlık) Street, No:14/1 Serik/Antalya
As Serenat Otelcilik Turizm Tic. A.Ş. (hereinafter referred to as “Serenat”), acting in the capacity of a data controller as defined under the Personal Data Protection Law No. 6698 (“KVKK”), we place great importance on the security of your personal data. Accordingly, we would like to inform you, our esteemed guests, regarding the processing of your personal data
During the reservation phase, your personal data — such as identity (name, surname, date of birth, gender, nationality), contact (phone number, email address, mailing address), customer transaction (accommodation details, room type, check-in/check-out dates, special request details), financial (bank and payment details), and information about your family members/companions (name, surname, date of birth, gender) — may be collected through agencies, our website, email, phone, and documents you provide.
These data are processed for the purposes of:
· Carrying out/monitoring business activities,
· Managing goods/services production and operational processes,
· Managing sales processes of goods/services,
· Managing contract processes,
· Executing financial and accounting tasks,
· Conducting storage and archiving activities,
based on the legal ground set out in Article 5/2 of KVKK: “It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.”
Your personal data may be transferred, in accordance with Article 8 of the KVKK and by taking necessary technical and administrative measures, to:
· Authorized Public Institutions and Organizations, if required, for compliance with legal obligations, legal proceedings, or reporting,
· Affiliates, for purposes such as business operations, production, and archiving.
Additionally, in accordance with the international transfer rules in Article 9 of KVKK and based on the “standard contract” mechanism, your data may be transferred — to the extent necessary — to Suppliers located abroad, for:
· Business operations and monitoring,
· Communication activities,
· Storage and archiving.
At the check-in stage, we may collect and process the following data via previously obtained reservation data, printed forms, and information/documents you provide:
· Identity: name, surname, signature, Turkish ID number, gender, date of birth, nationality, passport number, vehicle license plate
· Contact: phone number, email address, mailing address
· Customer Transaction: voucher number, reservation number, accommodation details, check-in/check-out dates, room number, request details, payment information
· Family/Companion Information: name, surname, Turkish ID number, passport number, date of birth, gender
These data are processed for the purposes of:
· Executing/monitoring business operations,
· Managing goods/services production and operations,
· Ensuring compliance with legal obligations,
· Managing contract and customer relationship processes,
· Conducting storage and archiving activities,
under the legal grounds in Article 5/2 of KVKK:
· “It is necessary to process personal data of the parties to a contract,”
· “It is necessary to fulfill the legal obligation of the data controller.”
If applicable, health data (e.g., allergy, disability) and related information of your family/companions are processed, based on your explicit consent in accordance with Article 6/3 of KVKK, solely for:
· Managing goods/services production and operations,
· Managing contracts and customer relations.
Your personal data may be transferred, in accordance with Article 8 of KVKK and by taking necessary technical and administrative measures, to:
· Authorized Public Institutions and Organizations, for compliance, reporting, and legal processes,
· Affiliates, for business operations, production, and archiving — only to the extent necessary for the stated purposes.
During payment, refund, and invoicing processes, the following personal data — obtained during the reservation and check-in phases, from banks, printed forms, and your declarations — may be processed:
· Identity: name, surname, signature, Turkish ID number, passport number
· Contact: phone number, email address, mailing address
· Customer Transaction: room number, accommodation details, refund request
· Financial: bank details, IBAN, payment/debt/refund information
These data are processed for:
· Ensuring compliance with legal obligations,
· Managing contracts, finance, accounting,
· Sales and production of goods/services,
· Business continuity,
· Storage and archiving activities,
based on the legal grounds in Article 5/2 of KVKK:
· “It is necessary to process personal data of the parties to a contract,”
· “It is necessary to fulfill the legal obligation of the data controller.”
If invoicing is to be done on behalf of a company, additional data may be collected via printed forms:
· Identity: name, surname, signature, Turkish ID number, date of birth, copy of ID, company information
· Customer Transaction: room number
· Financial: payment amount, IBAN,
фотокопия кредитной карты card details
These are also processed under the same legal grounds for purposes including contract management, finance and accounting, sales, and archiving.
Your personal data may be transferred, in compliance with Article 8 of the KVKK and with appropriate technical and administrative safeguards, to:
· Authorized Public Institutions and Organizations, for the purposes of legal compliance, reporting to competent authorities, carrying out financial and accounting tasks, and pursuing and managing legal affairs,
· Affiliates, for the execution/monitoring of business operations, production and operational processes of goods/services, and storage and archiving activities,
· Suppliers, for the execution/monitoring of business operations, goods/services production and operational processes, post-sale support services, financial and accounting processes, and archiving — only to the extent required to fulfill the intended purposes.
In accordance with the international data transfer procedures outlined in Article 9 of the KVKK and based on the “standard contract” mechanism, and with the necessary technical and administrative safeguards in place, your data may be transferred to:
· Suppliers located abroad, for the purposes of conducting/monitoring business operations, communication activities, and storage/archiving — only to the extent required for the stated purposes.
If you stay at our Xanadu Hotel, identity (name, surname) and customer transaction data (accommodation details, loyalty point information) obtained from our systems during reservation and check-in processes may be processed for:
· Conducting/monitoring business activities,
· Managing post-sales support services,
· Executing customer satisfaction activities,
· Managing customer relationship processes,
· Carrying out marketing/campaign/promotion processes,
based on the legal grounds in Article 5/2 of the KVKK:
· “It is necessary for the processing of personal data of the parties to a contract,” and
· “Provided that it does not violate the fundamental rights and freedoms of the data subject, processing is necessary for the legitimate interests of the data controller.”
Your data may be transferred, in accordance with Article 8 of KVKK and with necessary technical and administrative safeguards, to:
· Suppliers, for the purposes of business operations, customer satisfaction activities, customer relationship management, and marketing/campaign/promotion processes — only to the extent required for the relevant purposes.
Within the scope of guest complaint and request management, personal data collected through telephone calls, printed forms, email, corporate WhatsApp line, and documents/information provided by you — including identity (name, surname, signature), contact (email address, phone number), customer transaction (accommodation details, room number, request/complaint info), and visual/auditory data (call center voice recordings) — are processed for:
· Conducting communication activities,
· Following up on requests/complaints,
· Performing necessary investigations regarding requests,
· Providing information and support,
· Managing customer relationship processes,
· Collecting and evaluating feedback to improve business processes,
· Carrying out customer satisfaction activities,
· Managing post-sale support services,
· Using such data as evidence in potential disputes,
based on the legal grounds in Article 5/2 of the KVKK:
· “It is necessary for the processing of personal data of the parties to a contract,”
· “Provided that it does not harm fundamental rights and freedoms, processing is necessary for the legitimate interests of the data controller,”
· “Processing is necessary for the establishment, exercise, or protection of a right.”
Your data may be transferred, in accordance with Article 8 of KVKK and with necessary safeguards, to:
· Authorized Public Institutions and Organizations, for legal compliance, reporting, and managing legal affairs,
· Affiliates, for the execution/monitoring of business operations, goods/services production and operations, archiving, communication, and complaint/request tracking — only to the extent required for these purposes.
In accordance with the procedures in Article 9 of KVKK and based on the “standard contract” method, your data may be transferred to:
· Suppliers located abroad, for the purposes of conducting/monitoring business operations, communication, and archiving — only to the extent required for the intended purposes.
For guest airport transfer services, your personal data — such as identity (name, surname, Turkish ID number, nationality, passport number), customer transaction (accommodation, flight details), and family member/companion information (age) — obtained through reservation and check-in processes, email, and your declarations may be processed for:
· Conducting/monitoring business operations,
· Managing sales processes of goods/services,
· Executing production and operational activities,
· Managing logistics activities,
based on the legal ground in Article 5/2 of the KVKK: “It is necessary for the processing of personal data of the parties to a contract.”
Your personal data may be transferred, in accordance with Article 8 of KVKK and with necessary technical and administrative measures, to:
· Affiliates and Suppliers, for the purposes of business operations, production and operational processes, and logistics — only to the extent necessary.
In accordance with Article 9 and the “standard contract” transfer mechanism, and with the necessary safeguards in place, your data may be transferred to:
· Suppliers located abroad, for business operations, communication, and archiving purposes — only to the extent necessary.
G. Day-Use Guest Visits
When guests visit for a day-use stay, during the hotel check-in process, personal identification information (name, surname, signature, national ID number, gender, date of birth, nationality, passport number, vehicle plate number), contact details (phone number, email address, home address), customer transaction data (accommodation information, check-in/check-out dates, room number, request details, payment information), as well as information about family members/relatives (name, surname, national ID number, passport number, date of birth, gender) will be collected via printed forms, statements, and documents provided by you. This information will be processed in accordance with the objectives of carrying out/monitoring business activities, producing goods/services and operational processes, ensuring compliance with regulations, managing contractual processes, conducting customer relationship management, and storing and archiving information. Under Article 5, Paragraph 2 of the Turkish Personal Data Protection Law (KVKK), this data is processed for the legal reasons: "It is necessary for the conclusion or performance of a contract" and "It is necessary for the data controller to fulfill its legal obligations."
Additionally, health data (such as allergy information, disability status, etc.), and information about family members/relatives (such as allergy information, disability status, etc.) will be processed, limited to the scope of producing goods/services, operational processes, contract management, and customer relationship management, in accordance with Article 6, Paragraph 3 of the KVKK, for the legal reason of "Obtaining explicit consent."
Your personal data will be transferred, in compliance with the relevant rules of Article 8 (domestic transfer) of KVKK, and with necessary technical and administrative precautions, as follows:
· To the competent public institutions and authorities for the purpose of conducting activities in compliance with legislation, informing authorized individuals, institutions, and organizations, and following up on legal matters.
· To affiliates, for the purpose of performing/monitoring business activities, producing goods/services, conducting operational processes, and performing archiving and storage functions. Transfers will be made only to the extent necessary to achieve these purposes.
H. Survey Processes
If you participate in online surveys conducted as part of the services we provide to you, your personal data, collected through relevant forms, including identity information (name, surname, gender, nationality), contact details (email address), and customer transaction information (request/complaint/suggestion details), will be processed, limited to the scope of carrying out/monitoring business activities, conducting communication activities, managing customer relationships, following up on requests/complaints, receiving and evaluating suggestions for process improvements, and providing after-sales support services. This is done in accordance with the legal reason outlined in Article 5, Paragraph 2 of the KVKK: "The processing of data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person."
Your personal data will be transferred domestically, following the rules in Article 8 of the KVKK, with necessary technical and administrative precautions, to:
· Affiliates, for the purpose of carrying out/monitoring business activities, customer relationship management processes, customer satisfaction activities, audit/ethical activities, and storage/archiving purposes. Transfers will be made only to the extent necessary to achieve these purposes.
In compliance with the international transfer provisions of Article 9 of KVKK, and using the "standard contract" transfer method, your personal data may be transferred to foreign-based suppliers, solely for the purposes of managing storage and archiving activities, conducting business operations/audits, and managing customer relationships.
I. Social Media Posts
If you participate in events or organizations organized by us, visual and auditory recordings (photos, videos) will be collected via devices such as cameras or other audiovisual recording equipment. These recordings will be processed and shared for the purposes of event management, customer relationship management, promoting customer satisfaction activities, business operations/audits, and conducting advertising/campaign/promotion processes, in compliance with Article 5, Paragraph 2 of the KVKK: "The processing of data is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person."
Your visual and auditory recordings may be shared publicly on social media accounts, websites, and digital platforms belonging to Serenat for promotional purposes, event management, and publicizing these activities. This will be based on the legal ground of "Explicit consent" according to Article 5, Paragraph 2.
If you withdraw your consent, the personal data related to the shared content will no longer be publicly shared on Serenat’s social media accounts, websites, or digital platforms. Any personal data previously shared will be removed from Serenat’s managed social media accounts and websites. However, please be aware that Serenat cannot remove personal data from online platforms or digital media it does not manage or control.
Your personal data will be transferred, in compliance with both the domestic and international transfer provisions of the KVKK (Articles 8 and 9), and with necessary technical and administrative precautions, to:
· Serenat's social media accounts, websites, and digital platforms for promotional and event management purposes, making the data publicly accessible.
Your personal data may also be shared through international social media platforms such as Instagram, YouTube, Facebook, and X (Twitter), which are based abroad. Please review the privacy policies of those platforms for more details on how your personal data is handled.
J. Incident Investigation
During the course of the services we provide to you, in the event of any incidents, personal data such as identification (name, surname, age), contact (email address, phone number), customer transaction (accommodation information, room number, incident details), and visual and audio recordings (photos, CCTV footage) may be collected via printed forms and CCTV devices. This data is processed for the purposes of managing emergency situations, carrying out occupational health and safety activities, executing business operations and audits, conducting ethical audits, collecting and evaluating suggestions for process improvement, and tracking requests/complaints. This processing is carried out in accordance with Article 5, Paragraph 2 of the Personal Data Protection Law (KVKK) based on the legal grounds of "necessary for the data controller to fulfill a legal obligation" and "necessary for the establishment, exercise, or protection of a right."
Health-related data (symptom information) will be processed for the purposes of emergency management, occupational health and safety activities, business operations, audits, and tracking requests/complaints, based on the legal grounds set out in Article 6, Paragraph 3 of KVKK, including "necessary for the establishment, exercise, or protection of a right" and "necessary for public health protection, preventive healthcare, medical diagnosis, treatment, and the provision of health services."
Personal data may be transferred, in accordance with Article 8 of KVKK and with necessary technical and administrative measures, to:
· Authorized Public Institutions and Organizations for the purpose of carrying out activities in compliance with the law, providing information to authorized persons, and tracking legal affairs, only to the extent necessary to achieve the related purposes.
In accordance with Article 9 of KVKK, data may also be transferred abroad in compliance with the "standard contract" procedure, with necessary technical and administrative measures, to:
· Suppliers abroad, for the purposes of conducting archiving activities, business operations, and communication activities, only to the extent necessary for the related purposes.
K. Support, Development, and Information Security
As part of the services we provide, personal data regarding transaction security (website login/logout information, log records, IP addresses) is collected through information security systems and electronic devices for the purposes of executing support and development activities and information security processes. The collected personal data will be processed for the purposes of ensuring information security, conducting audits/ethical activities, performing archiving tasks, securing operations, providing information to authorized persons, and ensuring compliance with regulations, based on the legal grounds of "explicitly provided for by law," "necessary for the data controller to fulfill a legal obligation," and "necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not violated," as outlined in Article 5, Paragraph 2 of KVKK.
Personal data may be transferred to authorized public institutions and organizations, in accordance with Article 8 of KVKK, and with the necessary technical and administrative measures, to fulfill our legal obligations and comply with legal regulations.
L. Legal Processes
In the event of legal proceedings, personal data collected during the provision of services will be processed for the purposes of conducting business operations in compliance with the law, tracking legal affairs, and providing information to authorized institutions. This will be carried out in accordance with Article 5, Paragraph 2 of KVKK, based on the legal grounds of "necessary for the data controller to fulfill a legal obligation" and "necessary for the establishment, exercise, or protection of a right."
Personal data may be transferred to authorized public institutions and organizations, as required by legal regulations, in compliance with Article 8 of KVKK, and with necessary technical and administrative measures, to fulfill our legal obligations.
Rights of the Data Subject Regarding Personal Data
As a data subject, you have the following rights regarding your personal data:
· To learn whether your personal data is being processed,
· To request information about your personal data if it has been processed,
· To learn the purpose of processing your personal data and whether it is being used appropriately,
· To know the third parties to whom your personal data has been transferred, both within the country and abroad,
· To request the correction of incomplete or incorrect personal data,
· To request the deletion or destruction of your personal data, in accordance with the conditions specified in KVKK,
· To request that third parties to whom your personal data has been transferred be informed of any corrections, deletions, or destructions of personal data,
· To object to any result that arises solely from the processing of your personal data through automated systems, which may negatively affect you,
· To request compensation for any damages caused by unlawful processing of your personal data.
How Can You Exercise Your Rights?
You can submit your application and requests related to your personal data through the following methods:
· By sending it to the address Belek Mahallesi Turizm (Çamlık) Cad. No:14/1 Serik/Antalya, along with a signed copy of your ID and a photocopy of your identification.
· By applying in person to Serenat with a valid identification document.
· By signing it with a mobile signature or secure electronic signature and sending it via email to kvkk@xanaduhotels.com.tr.
· By sending it via registered electronic mail (KEP) using a secure electronic signature or mobile signature to [serenatotel@hs01.kep.tr].
· By sending it from the previously notified and registered email address of the data subject to kvkk@xanaduhotels.com.tr.
In accordance with the Regulation on the Procedures and Principles for Applications to the Data Controller, the data subject’s application must include the following information: full name, surname, signature if the application is in writing, Turkish Identity Number (for foreign nationals, nationality, passport number, or identity number, if available), the residence or business address for notification purposes, email address (if applicable), phone number, fax number, and details related to the subject of the request.
The data subject must specify the requested action clearly and understandably in their application for the right they wish to exercise. Relevant information and documents must be attached to the application.
While the subject of the request must be related to the data subject’s own data, if someone else is acting on their behalf, the applicant must be authorized to do so, and this authorization (power of attorney) must be documented. In cases where the request involves sensitive personal data, the person making the request must be specifically authorized as per Article 10 of the Regulation on Personal Health Data. Furthermore, the application must include identity and address information, and documents confirming identity must be attached to the application.
Requests made by unauthorized third parties on behalf of someone else will not be taken into consideration.
How Long Will It Take to Respond to Your Requests Regarding the Processing of Your Personal Data?
Your requests related to your personal data will be evaluated and responded to as soon as possible, and no later than 30 days from the date we receive them. If your request is accepted or rejected with a justification, our response will be sent to the address specified in your application, either by postal mail or email, or, if possible, via the same method by which the request was made. If the evaluation and decision-making process incurs additional costs, the fee determined by the Personal Data Protection Board will apply based on the applicable tariff.
