Law No. 6698 · LPPD Compliance
Personal Data Protection Agreement
Conditions Regarding the Law on the Protection of Personal Data
Data Transferor
Fidelis Turizm Konaklama Kafe Oto. Ltd. Şti.
Yeni Mah. 537 Sokak No 2/14
G.O.P. Istanbul, Turkey
Customer / Supplier
..........................................
..........................................
This agreement has been drawn up and signed between the parties under the terms and conditions set forth herein.
The purpose of this agreement is to regulate the procedures and principles of personal data sharing between the parties within the scope of the Law on the Protection of Personal Data No. 6698 ("LPPD" or "the Law").
- Data Subject The natural person whose personal data is processed.
- The Law The Law on the Protection of Personal Data No. 6698, published in the Official Gazette dated 07.04.2016, No. 29677.
- Personal Data Any information relating to an identified or identifiable natural person.
- Processing of Personal Data Any operation performed on personal data — collection, recording, storage, alteration, disclosure, transfer, classification, or prevention of use — whether fully or partially by automated or non-automated means forming part of a data recording system.
- Special Categories of Personal Data Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, health, sexual life, criminal conviction, security measures, and biometric or genetic data.
- Data Processor The natural or legal person who processes personal data on behalf of the data controller pursuant to the authority granted by the data controller.
- Data Controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
This agreement covers all Personal Data to be transferred as a result of the business relationship between the parties within the framework of the relevant legislation and the principles set forth herein.
- Personal Data sharing may be carried out verbally, in writing, or electronically, and via other means as required by the business relationship. The Customer / Supplier is obliged to fulfil all obligations and take all measures prescribed by the relevant legislation regarding the protection of personal data, regardless of the transfer method.
- The Customer / Supplier accepts, declares, and undertakes to comply with the provisions of the LPPD, relevant legislation, and this agreement in every process related to Personal Data sharing. Where personal data of European Union citizens is involved, the Customer / Supplier shall also ensure compliance with applicable EU data protection legislation.
- The Customer / Supplier undertakes to process and store data only for the purpose of sharing and in line with the Data Transferor's instructions, and shall not engage in data processing activities beyond that purpose without written consent. Storage and destruction periods shall be governed by the Data Transferor's Personal Data Storage and Destruction Policy.
- The Customer / Supplier shall not share Personal Data provided under this agreement with third parties without written consent of the Data Transferor, and without signing an agreement containing at least the provisions of this agreement with those third parties.
- The Customer / Supplier shall respond to questions from the Data Transferor promptly and shall comply with the decisions and opinions of the Board regarding the processing of personal data subject to transfer.
- The Customer / Supplier must take all necessary technical and administrative measures to ensure the appropriate level of security according to the nature of the personal data — to prevent unlawful processing, prevent unlawful access, and ensure the preservation of personal data.
- The Customer / Supplier acknowledges that the Data Transferor has the authority to conduct or commission audits to verify compliance with commitments and obligations, and shall provide the necessary facilities for such audits.
- The Customer / Supplier undertakes that access and processing authorisations of its personnel and sub-employees shall be defined in accordance with the legislation; passwords/methods shall not be shared with anyone; and liability shall continue even after termination of employment. Non-compliance shall make the Customer / Supplier directly liable for all damages of the Data Transferor, including administrative fines.
- If the Customer / Supplier needs to transfer personal data to a sub-contractor, partner, or affiliated company in the course of providing the service, they must notify the Data Transferor in a provable manner and obtain their approval in advance.
- In the event of unauthorised access or breach of confidentiality by third parties, the Customer / Supplier must notify the Data Transferor immediately and in writing.
- The Customer / Supplier shall be jointly and severally liable with the Data Transferor to the Data Subjects for damages arising from unlawful processing or unauthorised access. The Data Transferor reserves all rights of recourse against the Customer / Supplier.
- Requests directed by Data Subjects regarding data processed by the Data Transferor as Data Controller shall also bind the Customer / Supplier. The Customer / Supplier is obliged to fulfil requests for correction, deletion, or destruction within the framework of the law.
- Upon termination of the business relationship, the Customer / Supplier undertakes to immediately and irreversibly destroy the Personal Data, unless statutory storage obligations apply.
- Where personal data is processed by another person on behalf of the Data Transferor and the Customer / Supplier acts as a data processor, both parties are jointly responsible for implementing the required administrative and technical measures.
- The Customer / Supplier is solely responsible for any damages, judicial or administrative sanctions, or penalties incurred by the Data Transferor as a result of the Customer / Supplier's breach of this Agreement.
- In the event of a conflict between previous agreements and this agreement concerning data security, the provisions of this agreement shall prevail.
- The parties shall make reasonable efforts to amend this agreement if necessitated by changes in applicable legislation, and must notify each other of any such legislative changes affecting their commitments. In such cases, the Data Transferor has the right to suspend data sharing or terminate the agreement.
- The Customer / Supplier declares that they are fully aware of their obligations as data controller or data processor and shall notify the Data Transferor and the Board immediately in the event of a breach, and shall take all required remedial measures without delay.
- The Customer / Supplier warrants that the data was obtained with the explicit and informed consent of the Data Subjects and that all notifications required under Article 10 of the Law were duly made.
- If compliance with instructions cannot be ensured or necessary security measures are not implemented, the Data Transferor has the right to terminate this agreement with immediate effect.
- The Customer / Supplier shall notify the Data Transferor as soon as possible of any legally binding requests from judicial authorities for the disclosure of personal data or of any unauthorised access to such data.
This Agreement is specific to the parties hereto, and no obligation or right specified in this Agreement may be assigned or transferred, in whole or in part, to any third party.
This Agreement shall bind the parties indefinitely as of …………………, which is the date of signature and entry into force.
The parties have designated the addresses specified in Article 1 of this Agreement as their legal residences. Any notification made to these addresses shall be deemed to have been duly served upon the respective party.
Unless changes in residence are notified to the other party in writing within 7 (seven) days, all notifications made to the existing addresses shall remain valid. All formal notifications between the parties shall be carried out through a Notary Public.
Data Transferor
Fidelis Turizm Konaklama Kafe Oto. Ltd. Şti.
Yeni Mah. 537 Sokak No 2/14, G.O.P. Istanbul
Authorised Signatory & Date
Customer / Supplier
..........................................
..........................................
Authorised Signatory & Date
For detailed information and assistance
Please feel free to contact us.
We are here for you with our 24/7 uninterrupted support line.