1. Purpose and Scope
This Personal Data Protection and Processing Policy (“Policy”) outlines the principles of processing personal data belonging to our guests, website visitors, and all other real persons with whom we have a business relationship, by [Official Trade Name of Forum Hotel & Residence] (“Hotel” or “Data Controller”).
This Policy is intended to ensure that the Hotel’s data processing activities are fully compliant not only with the Law No. 6698 on the Protection of Personal Data (“KVKK”), but also, where applicable, with the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

2. Definitions
The following terms used in this Policy shall be understood as:

• KVKK: Law No. 6698 on the Protection of Personal Data,

• GDPR: General Data Protection Regulation (EU) 2016/679,

• Personal Data: Any information relating to an identified or identifiable natural person,

• Data Subject: The individual whose personal data is being processed (e.g., guest, visitor),

• Data Controller: Refers to our Hotel.

3. Identity of the Data Controller

• Legal Title: [PUNFİ TURİZM İNŞAAT TEKSTİL KUYUMCULUK İTH.İHR.SANAYİ, (PUNFİ Tourism, Construction, Textile, Jewelry, Import-Export, Industry)]

• MERSIS Number: [0734045397300016]

• Address: Sirinyer Mah, Siteler, Kenan Evren Blv. No:42, 48700 Marmaris/Muğla

• Phone: +90 252 417 10 60

• Email / Data Protection Contact Point: info@forumresidence.com

4. Processing of Personal Data: Categories, Purposes, and Legal Grounds

Data CategoryExample DataPurpose of ProcessingLegal Ground (KVKK Art. 5-6 / GDPR Art. 6)

Identity DataName, Surname, National ID, Passport NoReservation, accommodation, legal notification processesContract performance; Legal obligation

Contact DataPhone, Email, AddressReservation confirmation, communication, request management, marketingContract performance; Legitimate interest; Explicit consent

Financial DataMasked Credit Card Number, Billing InfoPayments and invoicingContract performance

Special CategoriesHealth Information (e.g., allergies)Customization of service if requestedExplicit consent

Visual/Audio DataCCTV FootageEnsuring safety of persons and property in common areasLegitimate interest

5. Transfer of Personal Data
Your personal data may be transferred to third parties, within the legal framework and with necessary safeguards:

• Domestic Transfers: May include payment providers, software support companies, travel agencies, and legally authorized public bodies (e.g., law enforcement).

• International Transfers: If we work with overseas reservation platforms or cloud service providers, your data may be transferred abroad. Data transfers outside the EU/EEA will only take place under conditions specified in the GDPR, such as:

  • The presence of an adequacy decision by the European Commission,

  • Appropriate safeguards (e.g., Standard Contractual Clauses – SCCs),

  • Or your explicit consent.

6. Data Subject Rights (Under KVKK Article 11 and GDPR Chapter 3)
You have the right to:

• Learn whether your personal data is processed,

• Request information about the processing,

• Learn the purpose and whether it is being used accordingly,

• Know third parties to whom the data is transferred domestically or abroad,

• Request correction if the data is incomplete or inaccurate,

• Request erasure or destruction of your personal data under conditions stated by KVKK and GDPR (“Right to be Forgotten”),

• Request notification of rectification or erasure to third parties,

• Object to outcomes against you arising from automated data processing,

• Claim compensation if you suffer damage due to unlawful processing.

Additional Rights for Data Subjects Residing in the EU (Under GDPR):

• Right to Data Portability (Art. 20): You may receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

• Right to Restrict Processing (Art. 18): You may request restriction of processing in certain cases, such as where you contest the accuracy of your data.

• Right to Lodge a Complaint (Art. 77): If you believe your data is being processed unlawfully under the GDPR, you may file a complaint with the supervisory authority in the EU Member State of your residence, workplace, or the place of alleged violation.

To exercise these rights, you may submit your request along with identity verification documents via the contact channels listed in Section 3. Your request will be concluded within thirty (30) days.

7. Data Security and Retention Periods
Our Hotel takes all necessary technical and administrative measures such as encryption, access controls, and firewalls to ensure the security of your personal data.
Your personal data is stored for the period stipulated by relevant legal regulations or as long as required for the purpose of processing (e.g., 10 years for commercial records). After this period, data is securely deleted or destroyed.

This Policy may be updated in accordance with changing legal requirements or business needs.