PERSONAL DATA PROTECTION POLICY

This policy sets down the personal data processing principles of RUYA RESTAURANTS (“Hereinafter referred to as “Rüya Dubai”) as they are required to be disclosed to the natural persons whose personal data is processed by the company, such as its suppliers, visitors, and users of its website (http://www.ruyadubai.com)

  1. Definitions

Within the context of this policy, the following terms shall have the meanings set forth below;

Rüya Dubai:
the owner of the Website

Data Subject/Natural Person:
The owner of the personal data

Data Storage:
Any storage medium for personal data that is processed either wholly or partly by automatic means or otherwise by non-automatic means which form part of a filing system

Website:
 
The website located at the address of
http://www.ruyadubai.com

Data Processor:
The natural person or legal entity that is authorized to process the data on behalf of the data controller

Data Controller:
The natural person or legal entity that determines the purpose and method of the processing of the personal data, and is responsible for establishing and operating a data recording system

Law No. 5651:
 Law on Regulating Broadcasting on the Internet and Fighting against Crimes Committed through Internet Broadcasting

Law No. 6698
or
KVKK:
 Law on the Protection of Personal Data

  1. Collection and Processing of Your Personal Data
  2. Processing of the Personal Data of Website Users (Online Visitors), WI-FI Service Users, and Call Center Users


1.1.       Processing of the Personal Data of Website Users (Online Visitors)

Users of the Website may, for the purposes of giving feedback and making suggestions, fill the form at the “Contact” page at the address http://www.ruyadubai.com by entering their personal data such as name and surname, email address, phone number, sex, birthdate, address, message, sector, and subject matter.

Users agree and accept that the personal data is required for the express purpose of addressing their feedback and suggestions, and that they share their personal data with the Website of their own volition.

In addition, user traffic information on the visitors to the Website may be processed in accordance with the provisions of the Law No. 5651.


1.2.      Processing of the Personal Data of WI-FI Service Users

Rüya Dubai processes the mobile phone numbers and traffic information of visitors on its premises who wish to use the WI-FI services provided therein, with the purpose of providing the aforementioned service and ensuring compliance with the Law No. 5651 and its relevant secondary legislation.


1.3.      Processing of the Personal Data of Call Center Users

Personal data of users who contact the Rüya Dubai call center at 0212 666 68 08 is collected and kept by the Call Center contractor of Rüya Dubai, which shares the same legal and technical responsibilities with Rüya Dubai with respect to data protection and security, and is subject to the same legislative provisions.

Users who contact the Call Center are asked to provide their personal data in the form of name and surname, telephone number, and email address. This data is processed with the purposes of guiding the works and informing the processes necessary to offer to you the company’s product and services, planning and executing the activities necessary for customizing and marketing the products and services in accordance with your preferences, usage habits and needs, carrying out the company’s commercial activities and work processes through the efforts of the company’s relevant business units, planning and executing the company’s commercial and/or business strategies, and managing the legal, strategic and commercial risks that may face our company or relevant persons with whom we work.

The personal data you share with the Call Center are collected and kept by the Call Center contractor to handle your request, suggestion and complaints and inform you of the results, and to improve upon our relevant service and product offering.

  1. Processing of Personal Data in Supply Processes:

In order to supervise and manage its product, service and goods supply processes, Rüya Dubai processes the personal data of natural person suppliers, supplier employees and/or officers, as well as the personal data of natural persons and employees and/or officers of the legal entities to whom it supplies products, services, or goods.


2.1.      Personal Data Processed in Supply Processes

Rüya Dubai processes the following personal data in the course of its supply processes:

  • For natural person suppliers and/or purchasers, identity information such as name, surname and T.R. identity number, financial information such as bank account, contact information such as mailing address, email address and mobile phone number, and other specific personal information such as photograph or signature displayed on signature statements or circulars
  • For the authorized officers of suppliers and/or purchaser, identity information such as name, surname and T.R. identity number, specific personal information such as photograph or signature displayed on signature statements or circulars, and contact information such as mailing address, email address and mobile phone number
  • For the employees of suppliers and/or purchasers, identity information such as name, surname and T.R. identity number, personnel information such as social security statement and OHS certificates, specific personal information such as medical report and criminal report, education/professional experience information such as educational background and training certificates, and contact information such as mailing address, email address and mobile phone number.


2.2.      Purpose of Processing the Personal Data in Supply Processes

  • Fulfilling legislative obligations such as those arising out of the Occupational Health and Safety Law, Social Security Law, Labor Law, Turkish Commercial Code, and Tax Procedures Code
  • Monitoring and execution of contracts related to the supply of goods, products or services
  • Ensuring compliance with corporate rules


2.3.       Methods of Collection and Processing of Personal Data of Suppliers and/or Purchasers

  • Supplier and/or purchaser’s officers, supplier and/or purchaser’s employees or natural person suppliers/purchasers themselves
  • Documents such as Circulars/Letters of Attorney
  • Communication channels such as email, phone, or website
  • Contract
  • Reference Check Form
  1. Processing of Personal Data of Visitors


3.1.       Processed Personal Data of Visitors to the Rüya Dubai Head Office Premises

Rüya Dubai processes the following types of personal data/specific personal data of natural persons who visit its Head Office premises:

  • Identity information (T.R. identity card, driver’s license, passport, lawyer ID, etc.)
  • The identity of the person whom the visitor is visiting
  • Time of entrance and exit
  • Model, make and license plate of the visitor’s vehicle
  • Visitor’s firm
  • CCTV footage of the visit

Rüya Dubai utilizes CCTV systems with cameras both inside and outside of the premises in order to ensure the security of its employees and visitors. Visitors are informed of the video surveillance upon their entrance to the building.

3
.

2.      Processed Personal Data of Restaurant Guests

Rüya Dubai processes the following types of personal data/specific personal data of natural persons who visit its restaurants:

  • Identity information
  • Phone number
  • Payment information
  • CCTV footage

Rüya Dubai utilizes CCTV systems with cameras both inside and outside of the premises in order to ensure the security of its employees and visitors. Visitors are informed of the video surveillance upon their entrance to the building.


3.3.      Purpose of Processing the Personal Data of Visitors

Rüya Dubai processes the personal data of visitors to its premises to:

  • ensure the safety and security of the premises
  • collect personal information and identity documents in line with legal obligations
  • issue visitor passes and give visitor numbers
  • record times of entrance and exit
  • keep a firearm collection report for visitors surrendering their firearms at the entrance
  • share the building’s internal and external layout and necessary safety information
  • plan and execute emergency management processes (such as against a terrorist attack, fire, etc.)
  • perform security scans of visitors entering the premises
  • inform law enforcement of any criminal or unlawful acts

Rüya Dubai processes the personal data of its restaurant guests to:

  • confirm and plan reservations
  • draw up invoices
  • ensure safety and security of its premises


3.3.      Methods of Collection and Processing of Personal Data of Visitors

  • Identity information (T.R. identity card, driver’s license, passport, lawyer ID, etc.)
  • CCTV footage
  • Reservation requests received over phone, or applications such as Rezervin or Zubizu


3.4.      Security and Sharing of Personal Data of Visitors

Both the identity information and CCTV footage of visitors are stored in secure systems accessible only to authorized personnel. Such information may be shared with legally authorized public agencies and officials upon formal request.

  1. Processing of Personal Data of Social Responsibility Project and Educational Activity Participants


4.1.       Rüya Dubai processes the following types of personal data of project partners and individuals (employee volunteers, parents, students, etc.) who participate in its social responsibility projects and educational activities:

  • Identity information
  • Contact information
  • Educational background
  • Financial background


4.2.      


Purpose of Processing the Personal Data of Social Responsibility Project and Educational Activity Participants

  • Increasing brand recognition
  • Raising awareness and create public benefit
  • Planning and executing corporate communication activities
  • Event management
  • Planning and executing social responsibility and/or civil society projects
  • Planning and executing sponsorship activities
  • Fulfilling the company’s legal obligations


4.3.     


Methods of Collection and Processing of Personal Data of Project Partners, Project Participants and Educational Activity Participants

Personal data is collected from the project partners, project participants and educational activity participant themselves.

  • Security of Your Personal Data, Transferring of Personal Data, and Exercising Your Rights Pertaining to Your Personal Data

The personal data you share with Rüya Dubai is kept strictly confidential in Rüya Dubai’s databases pursuant to the provisions of Article 12 of the Law No. 6698 on the Protection of Personal Data, and is not shared with third parties for commercial purposes.

Rüya Dubai has taken the following measures to ensure the security of the personal data it processes, and to prevent unlawful access and processing:

  • Hash, encryption, access log, access restriction and physical security measures are utilized to protect information technology systems that contain personal data against unauthorized access and unlawful actions
  • The Website and all networks that contain personal data are protected by a firewall

Rüya Dubai keeps personal data it collects from online and on-premises visits in accordance with legislative requirements, and may share such data with legally authorized public agencies and officials upon formal request. Personal data of suppliers and/or purchasers may also be shared with Rüya Dubai companies, Doğuş Holding affiliates and relevant public agencies, depending on the goods, product or service supplied. Personal data of participants and/or project partners of social responsibility projects organized by Rüya Dubai may also be shared with print, broadcast and social media in accordance with the open consent obtained from the participants. For more information on Rüya Dubai Doğuş Holding companies and affiliates, please visit
http://www.ruyadubai.com

With regard to the personal data you share with us for the purposes and through the methods outlined herein, and as per Article 11 of the Law No. 6698, you are entitled to:

  1. a) inquire about whether your personal data has been processed,
  2. b) if so, request information on the processing,
  3. c) learn the purpose of processing of the personal data and whether your data is used in accordance with their purpose,

ç) receive information on domestic and foreign third parties with whom your data has been shared,

  1. d) request correction in case personal data is inaccurate or incomplete,
  2. e) request deletion or destruction of personal data in case the reasons necessitating its processing cease to exist, even if such data has been processed in compliance with the provisions of the Law No. 6698 or other relevant laws,
  3. f) request that the actions taken within the framework of paragraphs (d) and (e) be notified to the third parties to whom the personal data is transferred,
  4. g) object to any result that is to your detriment as a result of an exclusively automated analysis of your personal data,

ğ) claim compensation for the damages you might suffer in the event your personal data is processed in an unlawful manner.

You may contact us at any time to exercise these rights by using the “Application Form” on our website or through other methods specified in this policy.

  1. Accuracy and Validity of the Personal Data

Individuals whose personal data we process accept and agree that the accuracy and validity of the personal data they submit to the Website and/or in person, or obtained otherwise for contractual purposes, are instrumental for their ability to exercise their rights regarding the personal data as per the KVKK and other relevant legislation, and that they shall take full responsibility for inaccurate data.

  1. Duration of Keeping of Personal Data

Personal data collected during online visits is kept for a period of 2 years as per the Law No. 5651. CCTV footage of on-premises visits is kept for 90 days. Personal identity data is stored for the period of time as prescribed by the relevant legislation. Personal data of suppliers and/or purchasers are kept for a period of 10 years beyond the end date of the relevant contract.

  1. Deletion, Destruction and Anonymization of Personal Data

The data processed for the purposes specified in this Personal Data Protection Policy shall be anonymized and remain in use when the initial condition for processing of the personal data set out in Article 7/f.1 in the Law No. 6698 is no longer valid, and respective legal periods expire as per Article 138 of the Turkish Penal Code.

Upon the end of the prescribed time period as specified in the relevant legislation or as required by the purpose of processing, Rüya Dubai shall, within the period of six months stipulated for the periodical destruction of data, use any one or more of the methods described in the Guidelines for the Deletion, Destruction and Anonymization of Personal Data published by the Personal Data Protection Board as it deems suitable for its business processes and operations to anonymize the data, and may continue to use the anonymized data for further purposes.

  • Categorization of Personal Data
Data Subject Data Category
Online Visitor, WI-FI User, Call Center User Identity Data, Contact Data, Legal Proceedings Data
Natural Person Suppliers/Purchasers, Supplier and/or Purchaser’s Officers, Supplier and/or Purchaser’s Employees Identity Data, Contact Data, Legal Proceedings Data, Financial Data, Corporate Identity, Visual and Audio Data, Specific Personal Data, Personnel Data
On-premises Visitor Identity Data, Visual and Audio Data
Project Partner, Project Participant, Educational Activity Participant Identity Data, Contact Data, Visual and Audio Data, Financial Data, Educational Data
  • Amendments and Revisions to the Policy

Rüya Dubai may amend, revise and change this policy in line with the Company Policy. Relevant persons shall be notified through the website of the new Policy document containing such changes and revisions.

December 2018