Meander Feribot - Ferry to Greek Islands.
Contact Meander Feribot. Contact Us
Send your email to Meander Feribot. Email Signup
Meander Feribot's Blog. Blog
ENG | TR
Back to Legal Overview

PERSONAL DATA PROCESSING, PROTECTION, AND DISPOSAL POLICY UNDER THE SCOPE OF THE KVKK

A. INTRODUCTION

As MEANDER FERIBOT ISLETMELERI ANONIM SIRKETI (“Company”), we attach great importance to the lawful processing and protection of personal data in accordance with the Personal Data Protection Law No. 6698 (“Law” or “KVKK”). In this regard, we pay the utmost attention to the security and transparency of personal data in all our digital processes, ticket sales and reservation transactions, visa applications, and other services.

This Personal Data Processing, Protection, and Destruction Policy (“Policy”) has been prepared to explain the procedures and principles regarding the processing of personal data collected on the website operated by the Company, namely https://meanderferibot.com; inform the relevant persons in accordance with Article 10 of the Law, and share the technical and administrative measures taken by the Company.

The Personal Data Protection Law No. 6698 entered into force upon its publication in the Official Gazette dated 07.04.2016 and numbered 29677.

The Law regulates the conditions for processing personal data, the obligations regarding its protection, the rights of data subjects, and the administrative and criminal penalties that will be applied in case of non-compliance.

B. PURPOSE OF THE POLICY

The main purpose of this Policy is to explain the principles regarding the processing, protection, and destruction of personal data collected within the scope of the https://meanderferibot.com website operated by the Company and the door visa and ferry ticket sales services, in accordance with the Personal Data Protection Law No. 6698.

The Policy aims to ensure that personal data processing activities carried out by the Company are conducted in accordance with the law, rules of good faith, and the principle of transparency, that the relevant persons are informed, and that the rights of data subjects arising from the Law are protected.

C. ENFORCEMENT OF THE POLICY

This Information Text and Cookie Policy regarding the Processing, Protection, and Destruction of Personal Data shall enter into force on the date it is published, as regulated by MEANDER FERIBOT ISLETMELERI ANONIM SIRKETI (“Company”). The text is published on the website https://meanderferibot.com and is made available to data subjects upon request.

The Company reserves the right to make changes to these texts in line with changes in the legislation in force or updates in data processing activities. Any changes made shall enter into force upon publication of the updated version on the same websites.

D. SCOPE OF THE POLICY AND DATA SUBJECTS

This Policy applies to all personal data processed automatically or non-automatically as part of a data recording system on the https://meanderferibot.com website operated by the Company and within the scope of ferry ticket sales, reservations, visa on arrival, and other services offered by the Company.

The Policy covers only data processing activities carried out by the Company in its capacity as data controller and is directed at natural persons whose personal data is processed. These data subjects consist of the following categories:

    • Customers (persons who purchase ferry tickets or make reservations),
    • Passengers applying for a visa on arrival,
    • Website visitors,
    • Suppliers and business partners,
    • Company employees and candidates (within the scope of relevant processes),
    • Representatives of authorized public institutions and organizations.

Data Subject Group

Visitor

All individuals who visit the website operated by the Company, https://meanderferibot.com, and who share limited personal data through cookies or contact forms.

Person Making a Communication Request

Real persons who contact the Company via its websites or communication channels and share information such as their name, surname, email address, and telephone number to ask questions, make suggestions, submit complaints, or request cooperation.

Passenger / Prospective Customer

Real persons who apply to use the ferry ticket, reservation, or visa on arrival services offered by the Company and whose personal data is processed in this context. This person may be a passenger acting on their own behalf during the ticketing process, or they may be a representative making a group reservation or family application.

Third Party

Other individuals whose data may be processed indirectly, although they do not fall directly into the above groups (e.g., family members declared during a port visa application, persons reported as emergency contacts, third parties referenced, persons from whom technical support is obtained, etc.).

The data subject categories are specified for the purpose of sharing general information. The fact that the data subject does not fall within the scope of any of these categories does not eliminate their status as a data subject as specified in the Law.

1. DEFINITIONS

  1. Explicit consent: Consent that is freely given, specific, informed, and unambiguous regarding a particular matter.
  2. Anonymization: The process of rendering personal data unidentifiable, such that it cannot be associated with any identifiable or identifiable natural person, even when combined with other data.
  3. President: The President of the Personal Data Protection Authority,
  4. Data subject: The natural person whose personal data is processed,
  5. Personal data: Any information relating to an identified or identifiable natural person,
  6. Processing of personal data: Any operation performed on data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of personal data, whether fully or partially automated or non-automated, provided that it is part of a data recording system,
  7. Board: The Personal Data Protection Board,
  8. Authority: The Personal Data Protection Authority,
  9. Data processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller,
  10. Data recording system: A recording system in which personal data is processed according to specific criteria.
  11. Data controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

    12. The Data Controller in this context is MEANDER FERIBOT ISLETMELERI ANONIM SIRKETI

    Furthermore;

  12. Destruction: The deletion, erasure, or anonymization of personal data,
  13. Recording medium: Any medium containing personal data processed by fully or partially automated means or by non-automated means provided that it is part of a data recording system,
  14. Personal data processing inventory: Personal data processing activities carried out by data controllers in accordance with their business processes; personal data processing purposes and legal grounds, data category, recipient group to whom the data is transferred, and data subject group, specifying the maximum retention period necessary for the purposes for which the personal data is processed, personal data intended for transfer to foreign countries, and measures taken regarding data security,
  15. Personal data retention and destruction policy: The policy used by data controllers as a basis for determining the maximum period necessary for the purposes for which personal data are processed and for the processes of deletion, destruction, and anonymization,
  16. Periodic destruction: Refers to the deletion, destruction, or anonymization of personal data, as specified in the personal data storage and destruction policy, which will be carried out automatically at recurring intervals when all the conditions for processing personal data set forth in the law cease to exist.

2. PERSONAL DATA

Pursuant to KVKK No. 6698, “Personal Data” means any information relating to an identified or identifiable natural person. Personal data is processed in accordance with the procedures and principles stipulated by KVKK and other laws and the principles listed in Article 4 of KVKK.

Personal data cannot be processed without the explicit consent of the person concerned. However, the Company may process personal data without the explicit consent of the person concerned in the following exceptional cases under the KVKK:

  1. When expressly provided for by law.
  2. Where it is necessary to protect the life or physical integrity of the data subject or another person, where the data subject is unable to express their consent due to actual impossibility or where their consent is not legally valid.
  3. Where it is necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of the contract.
  4. It is necessary for the data controller to fulfill its legal obligations.
  5. The data has been made public by the data subject.
  6. Data processing is necessary for the establishment, exercise, or protection of a right.
  7. Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

3. SENSITIVE PERSONAL DATA

“Special Category Personal Data” refers to your data related to race, ethnic origin, political opinion, philosophical belief, religion, denomination or other beliefs, attire and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Pursuant to the KVKK, the processing of special category personal data is generally prohibited. However, pursuant to Article 6(3) of the KVKK, processing is possible in the following cases:

  1. Where the data subject has given their explicit consent,
  2. Where expressly provided for by law,
  3. Where it is necessary to protect the life or physical integrity of the data subject or another person, where the data subject is unable to give consent due to factual impossibility or where their consent is not legally valid,
  4. Where it relates to personal data made public by the data subject and is in accordance with their intention to make it public,
  5. It is necessary for the establishment, exercise, or protection of a right,
  6. It is necessary for the protection of public health, the provision of preventive medicine, medical diagnosis, treatment, and care services, and the planning, management, and financing of health services by persons or authorized institutions and organizations subject to confidentiality obligations,
  7. It is necessary for the fulfillment of legal obligations in the areas of employment, occupational health and safety, social security, social services, and social assistance,
  8. For foundations, associations, and other non-profit organizations or entities established for political, philosophical, religious, or trade union purposes, provided that it is in accordance with the legislation to which they are subject and their purposes, is limited to their field of activity, and is not disclosed to third parties; it must be directed at current or former members and associates or persons who are in regular contact with these organizations and entities.

Within the scope of Meander's activities, the processing of special categories of personal data may only be considered with the explicit consent of passengers and limited to ensuring travel safety (e.g., disability status, pregnancy information, need for assistance). This information will only be processed within the framework of explicit consent and will not be processed unless it is necessary for the safe and healthy provision of travel services.

4. DATA SECURITY

The Company takes all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data. The Company conducts the necessary audits to ensure the implementation of the provisions of the KVKK.

5. COLLECTION OF PERSONAL DATA

MEANDER FERIBOT ISLETMELERI ANONIM SIRKETI (“Company”) collects the personal data of individuals who visit its websites or communicate via forms on its pages directly from the individuals concerned and through cookies and similar digital tools.

Personal data may be collected in accordance with the conditions specified in Articles 5 and 6 of the Personal Data Protection Law No. 6698, using the methods listed below:

  1. Filling out reservation and contact forms on websites,
  2. Contacting the Company via email, telephone, or similar digital means,
  3. Analyzing visitor activity through cookies,
  4. Carrying out ferry ticket reservation, purchase, and visa on arrival application processes,
  5. Carrying out application or communication processes within the scope of fulfilling the Company's legal obligations.
  6. Personal data collected is processed for the purposes specified in this Policy, within the scope of relevant legislation, for the purpose of fulfilling the Company's legal obligations and/or based on explicit consent, and may also be processed by data processors authorized by the Company when necessary.

6. PERSONAL AND SENSITIVE PERSONAL DATA PROCESSED BY THE COMPANY

The personal data processed by our institution is detailed in the table numbered APPENDIX-1 below.

7. PERSONAL AND SENSITIVE PERSONAL DATA PROCESSED BY THE COMPANY

Personal Data processed by the Company is processed in accordance with the procedures and principles set forth in the Law and this Policy. The Company processes personal data within the framework of the principles listed below.

    • Compliance with the law and rules of good faith
    • Accuracy and, where necessary, updating
    • Processing for specified, explicit, and legitimate purposes
    • Relevance, limitation, and proportionality to the purpose for which they are processed
    • Retention for the period required by the relevant legislation or necessary for the purpose for which they are processed

8. PURPOSES OF PROCESSING PERSONAL DATA

Personal data collected by the Company is processed for the following purposes, in accordance with the data processing conditions specified in Articles 5 and 6 of the Personal Data Protection Law No. 6698:

    • To carry out ferry ticket reservations, purchases, and changes,
    • To receive and evaluate door visa applications and forward them to the relevant authorities,
    • To carry out information and promotion processes related to the services offered by the Company,
    • To carry out corporate communication activities and respond to customer requests,
    • Improving user experience by analyzing visitors' digital movements,
    • Planning and executing digital infrastructure and information security processes,
    • Recording, archiving, and, when necessary, using applications related to customer and visitor requests as evidence,
    • Fulfilling the Company's legal obligations.

9. TRANSFER OF PERSONAL DATA WITHIN THE COUNTRY

Personal data obtained by the Company through its website may be transferred to third parties only within the scope of Article 8 of the Personal Data Protection Law No. 6698 and limited to the purposes of personal data processing, with the necessary security measures taken. Pursuant to Article 8 of the KVKK, personal data may be transferred without the explicit consent of the relevant person only if one of the conditions specified in the second paragraph of Article 5 or, provided that sufficient measures are taken, in the third paragraph of Article 6 of the same Law is met. Accordingly, personal data may be transferred in the following cases:

    • The data subject's explicit consent,
    • Data processing is explicitly provided for by law,
    • It is necessary to process the relevant data to protect the life or physical integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally valid, or that of another person,
    • The processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract,
    • Data processing is necessary for the data controller to fulfill its legal obligations,
    • The personal data has been made public by the data subject,
    • Data processing is necessary for the establishment, exercise, or defense of a legal claim,
    • Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

10. TRANSFER OF PERSONAL DATA ABROAD

Personal data processed by the Company may be transferred abroad provided that it complies with the conditions set forth in Articles 5, 6, and 9 of the Personal Data Protection Law No. 6698 (“KVKK”). In this context, in particular, the transmission of visa applications to the relevant Greek authorities, the sharing of necessary information with port authorities in relation to international ferry transportation, and data sharing with service providers located abroad (e.g., cloud-based software and hosting services, payment institutions) may be required.

For personal data to be transferred abroad:

Transfers may be made to countries for which the Personal Data Protection Board has issued an adequacy decision.

In cases where no adequacy decision exists, one of the safeguards stipulated in Article 9 of the KVKK and the “Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad” published in the Official Gazette dated 10.07.2024 and numbered 32598 must be provided. These include:

    • Binding corporate rules approved by the Board,
    • Standard contracts announced by the Board,
    • Written commitments and Board permission,
    • Special arrangements made with international organizations or public institutions.

In the absence of these safeguards, transfer abroad is only possible in exceptional cases (such as the explicit consent of the data subject, performance of a contract, public interest, establishment or protection of a right, protection of life or physical integrity, or obtaining information from public registers) in accordance with Article 9/6 of the KVKK.

The company takes technical and administrative measures in accordance with the provisions of the KVKK and the aforementioned Regulation to protect the fundamental rights and freedoms of the relevant persons in the transfer processes abroad and ensures that the third parties to whom the transfer is made also provide the necessary security measures.

11. STORAGE, DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Personal Data is deleted, destroyed, or anonymized in accordance with the procedures and principles set forth in the KVKK and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data published in the Official Gazette on October 28, 2017. The deletion of personal data is carried out in accordance with the decisions of the board and the personal data storage and destruction policy within the scope of this policy.

The INSTITUTION retains personal data for as long as necessary for the purposes specified in this policy. Even if processed in accordance with the provisions of the KVKK and other relevant laws, personal data is deleted, destroyed, or anonymized by the INSTITUTION ex officio or at the request of the relevant person when the reasons for processing no longer exist.

If all conditions for the processing of personal data cease to exist, the personal data shall be deleted, destroyed, or anonymized by the data controller on its own initiative or at the request of the relevant person.

As stipulated in Article 138 of the Turkish Penal Code and Article 7 of the KVK Law, even if the personal data has been processed in accordance with the relevant provisions of the law, if the reasons for processing it cease to exist, the Institution shall delete, destroy, or anonymize the personal data based on its own decision or upon the request of the personal data owner.

If the Company has an obligation to delete, destroy, or anonymize personal data, it shall delete, destroy, or anonymize the personal data during the first periodic destruction process following the date on which the obligation arises. The periodic destruction period is 6 months.

When the data subject applies to the Institution requesting the deletion or destruction of their personal data, this request is immediately evaluated for fulfillment.

If all conditions for processing personal data have ceased to exist, the Institution deletes, destroys, or anonymizes the personal data subject to the request. The Institution shall finalize the relevant person's request within thirty days at the latest and inform the relevant person.

If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, the Institution shall notify the third party of this situation; it shall ensure that the necessary actions are taken within the scope of this policy on behalf of the third party.

If the conditions for processing personal data have not been completely eliminated, this request may be rejected by the Institution with an explanation of the reasons, and the rejection response shall be notified to the relevant person in writing or electronically within thirty days at the latest.

All operations performed regarding the deletion, destruction, and anonymization of personal data shall be recorded, and such records shall be retained for at least three years, except for other legal obligations.

The purposes of processing that require retention are:

    • Fulfilling user requests and executing application processes,
    • Conducting corporate communication activities,
    • Providing promotional and informational services,
    • Performing statistical analyses and reporting activities,
    • Fulfilling obligations arising from service contracts or legal obligations,
    • Ensuring the fulfillment of legal obligations as required or mandated by legal regulations,
    • Fulfilling the burden of proof to be used as evidence in future disputes.
    • To be able to perform the work and transactions as a result of signed contracts and protocols,
    • To establish contact with real/legal persons in a business relationship with the institution,

Reasons requiring destruction:

    • Amendment or repeal of the relevant legislation provisions forming the basis for the processing of personal data,
    • Cessation of the purpose requiring the processing or storage of personal data,
    • In cases where the processing of personal data is based solely on explicit consent, the withdrawal of the relevant person's explicit consent,
    • The acceptance by the Institution of the relevant person's request for the deletion and destruction of their personal data within the scope of their rights,
    • The Institution's rejection of the relevant person's request for the deletion, destruction, or anonymization of their personal data, finding the response insufficient or the Institution's failure to respond within the period specified in the Law; filing a complaint with the Personal Data Protection Board and this request being deemed appropriate by the Board,
    • The maximum period required for the storage of personal data has passed and there are no conditions that would justify storing the personal data for a longer period.

All operations related to the deletion, destruction, and anonymization of personal data are performed by authorized persons in accordance with policies and procedures and are recorded.

12. DESTRUCTION OF PERSONAL DATA

1. Techniques for Deleting Personal Data

The Company is free to choose the method of deleting, destroying, or anonymizing personal data that is most appropriate for the type and medium of the data, unless the Board decides otherwise. The deletion process means that personal data is rendered inaccessible and unusable by the relevant users. In this context, the Company takes all necessary technical and administrative measures, and deletion processes are carried out only by authorized persons

  • Deletion of Personal Data Stored in Electronic Media

Secure Deletion via Software:

Personal data stored in automated or semi-automated systems is permanently deleted from the system in a manner that cannot be recovered using special software.

Deletion Using Database Commands (SQL, etc.):

Personal data is deleted at the database level using DELETE or equivalent commands, taking care to ensure that the user performing the deletion is not the database administrator.

Deletion in Cloud and Portable Media Environments:

Personal data stored on flash drives, external disks, or cloud-based storage systems is stored in encrypted form using specialized software appropriate for these environments and is then permanently deleted.

Deletion on Server Systems:

Personal data stored on server systems whose retention period has expired is removed from the systems by the system administrator, who revokes access rights, ensuring it cannot be recovered.

Secure Deletion by Experts:

When necessary, the Company may outsource the deletion of personal data to external service providers specializing in this field. In this case, the deletion process is carried out using specialized software and hardware in a manner that makes the data technically unrecoverable.

2. Techniques for Destroying Personal Data

The destruction of personal data is the process of rendering the data in question inaccessible, unrecoverable, and unusable by anyone. This process is carried out using different techniques depending on the nature of the medium in which the relevant data is stored. The Company carries out the processes related to the destruction of personal data only through authorized personnel, in accordance with the applicable data destruction policies and accompanied by technical/administrative measures.

  • Destruction of Personal Data Stored in Physical Media

Personal data processed by non-automated means and stored in physical (printed) media is physically destroyed in a manner that prevents its recovery or reuse when its use or storage is no longer necessary.

Examples of methods:
Shredding in document shredders,
Burning or melting,
Physical destruction to prevent access to data prior to recycling.

  • Destruction of Data Stored on Optical/Magnetic Media

The destruction of personal data stored on such media is carried out using the following techniques:

Demagnetization:

Magnetic media are exposed to a high magnetic field using special devices to render the data unreadable. (E.g., HDD, magnetic tapes)

Physical Destruction:

Optical or magnetic media such as CDs, DVDs, and floppy disks are permanently destroyed by melting, burning, pulverizing, or shredding in metal shredders.

Overwriting:

New data consisting of at least 7 random “0” and “1” values is written over the media containing the data using special software, ensuring that the existing data is irretrievably deleted.

This method is particularly used for rewritable disks and portable memory devices.

3. Techniques for Anonymizing Personal Data

Anonymization of personal data is the process of rendering such data unidentifiable or non-identifiable to a specific or identifiable natural person, even when matched with other data. The anonymization process aims to permanently eliminate the identifiable nature of personal data and must be irreversible.

The Company, as the data controller, shall fulfill its obligation to delete, destroy, or anonymize the personal data in question when the reasons for processing the personal data lawfully processed no longer exist. These operations shall be carried out in accordance with the schedule specified in the “Periodic Destruction” section of the Policy.

Pursuant to Article 28(1)(c) of the KVKK, anonymized data may be processed for purposes such as official statistics, research, planning, and statistical analysis, and such data processing activities are considered outside the scope of the Law. Therefore, the rights of the data subject under the KVKK cannot be asserted with regard to anonymized data.

Data Masking:

This is achieved by permanently removing the identifying parts of personal data or replacing them with meaningless content. For example, identifying data such as name, surname, Turkish ID number, and phone number in a data set are removed through masking.

Data Aggregation:

Individual data is grouped into statistical sets, making it impossible to link the data to a specific person. For example, the statement “Number of individuals born in 2020: 74” does not contain personal data.

Data Derivation:

The aim is to weaken the link to the relevant person and eliminate identifiability by obtaining more general data from existing personal data. For example, presenting general data such as “born in 1990” instead of the date of birth “12.02.1990”.

Data Shuffling:

By shuffling specific data fields within the dataset across rows, the connection between personal data components is severed. This makes data belonging to the same person appear to be randomly matched with other individuals.

Noise Injection:

By adding random and controlled deviations (distortions) to the data at certain rates, it becomes impossible to perform individual-level analysis and match the data to a specific person. This method is particularly preferred for large data sets and statistical analysis.

The company deletes, destroys, or anonymizes personal data during the first periodic destruction process following the date on which the obligation to delete, destroy, or anonymize personal data arises.

13. RIGHTS OF DATA SUBJECTS

In accordance with Article 10 of the Law, the Institution informs Data Subjects when Personal Data is obtained. You can access the KVKK Information text here.

In this context, the Institution informs the Data Subjects about the identity of the Institution's representative, the purpose for which the Personal Data will be processed, to whom and for what purpose the processed Personal Data may be transferred, the method and legal basis for collecting Personal Data, and the rights of the Data Subject. In accordance with Article 10 of the Law, the Institution informs you of your rights, provides guidance on how to exercise these rights, and implements the necessary internal procedures, administrative, and technical arrangements for all of these.

Personal data owners have the following rights in accordance with Article 11 of the KVKK:

  1. To learn whether personal data is being processed,
  2. To request information about the processing of personal data,
  3. To learn the purpose of the processing of personal data and whether it is being used in accordance with that purpose,
  4. To know the third parties to whom personal data has been transferred within or outside the country,
  5. To request the correction of personal data if it has been processed incompletely or incorrectly,
  6. To request the deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of the KVKK,
  7. To request that the actions taken in accordance with subparagraphs (5) and (6) be communicated to third parties to whom the personal data has been transferred,
  8. Object to the analysis of processed data exclusively through automated systems resulting in a negative outcome for the individual,
  9. Request compensation for damages incurred due to the unlawful processing of personal data.

14. APPLICATION TO THE DATA CONTROLLER

Requests regarding the above-mentioned rights of personal data owners must be sent to our institution via a notarized letter or registered mail (or by filling out the application form below and sending it to "Meander Feribot Isletmeleri A.S., Mahmut Esat Bozkurt Cad. Camikebir Mah. Turistik Site No:2F, Kusadasi 09400, TURKIYE".). For third parties to submit requests on behalf of personal data subjects, a special power of attorney issued by a notary public on behalf of the person submitting the request must be provided by the data subject.

The Company, as the data controller, will respond to the requests in the application as soon as possible and within thirty days at the latest, free of charge, depending on the nature of the request. However, if the process incurs additional costs, the fee specified in the tariff determined by the Board may be charged.

15. RIGHT OF THE PERSONAL DATA SUBJECT TO COMPLAIN TO THE KVK BOARD

In cases where the application is rejected, the response is deemed insufficient, or no response is provided within the specified timeframe, the data subject has the right to file a complaint with the Personal Data Protection Board within thirty days from the date they learn of the response and, in any case, within sixty days from the date of application.

16. UPDATES, COMPLIANCE, AND CHANGES

The Company reserves the right to make changes to this Policy and other policies related to this Policy in accordance with the decisions of the Personal Data Protection Board or in line with developments in the sector or in the field of information technology, due to amendments made to the Law.

Changes made to this Policy are immediately incorporated into the text, and explanations regarding the changes are provided at the end of the Policy.

Data Controller: MEANDER FERIBOT ISLETMELERI ANONIM SIRKETI

Address: CAMIKEBIR MAH. MAHMUT ESAT BOZKURT CAD. TURISTIK SITE NO:2F KUSADASI/AYDIN

Mersis No: 0295010747400010

APPENDIX-1: DATA TABLE

DATA TYPE
DATA DESCRIPTION
DATA INFORMATION
Identity Information
Information used to identify a real person
Name, surname, Turkish ID number, passport number, date of birth, place of birth, gender, citizenship information, photograph, signature sample
Contact Information
Information used to reach and communicate with the person
Phone number, email address, residential address, emergency contact information
Financial Information
Information processed in the context of reservations and payment transactions
Bank account information (IBAN), credit card information (only through the payment provider), billing information
Travel and Visa Information
Data processed for ferry ticket, reservation, and visa on arrival procedures
Travel date, trip and route information, ticket number, reservation records, information on the visa application form, visa documents (copy of identity card, photo, hotel/transportation reservation, etc.)
Transaction Security Information
Data processed to secure transactions made in digital systems
Username, password, login/logout time, log records, IP address, access permissions, internet browser information
Marketing Information
Promotional and marketing data collected with the user's explicit consent
Commercial electronic communication consent, campaign participation information, survey responses, areas of interest
Cookie Data
Data collected to improve the user experience on the site and for statistical measurement
Cookie records, browser type, device information, page navigation data, session duration, preferred language, click history
Health Information (special category)
Information processed only with the passenger's explicit consent to determine security and escort needs during transportation services
Pregnancy status, disability information, allergies, and special health requirements (e.g., wheelchair needs)
Legal Transaction and Compliance Information
Data processed to fulfill legal obligations
Information and documents submitted to courts and administrative authorities, identity verification records, official correspondence

APPENDIX-2: KVKK APPLICATION FORM

A. Applicant's contact information:

Name:
Surname:
TC Identity Number:
Phone Number:
Email:
Address:

B. Relationship of the Applicant with our Institution:

The department you are in contact with within our company:
Years worked (for former employees):
The company I work for and my position (for third-party company employees):
Subject:

Please specify your request under the KVK Law in detail:

REQUEST No
SUBJECT of REQUEST
LEGAL BASIS
YOUR CHOISE
1
I would like to know whether your organization processes personal data about me.
Personal Data Protection Law Article 11/1 (a)
2
If your organization processes personal data about me, I request information about these data processing activities.
Personal Data Protection Law Article 11/1 (b)
3
If your organization processes my personal data, I would like to know the purpose of processing and whether it is being used for that purpose.
Personal Data Protection Law Article 11/1 (c)
4
If my Personal Data is transferred to third parties within or outside the country, I want to know who these third parties are.
Personal Data Protection Law Article 11/1 (d)
5
I believe my personal data has been processed incorrectly or incompletely, and I would like it to be corrected.
Personal Data Protection Law Article 11/1 (e)
6
Although my personal data has been processed in accordance with the law and other relevant legal provisions, I believe that the reasons for processing it no longer exist, and in this context, I request that my personal data be deleted or destroyed.
Personal Data Protection Law Article 11/1 (f)
7
I also want my Personal Data, which I believe has been processed incorrectly or incompletely, to be corrected by the third parties to whom it has been transferred.
Personal Data Protection Law Article 11/1 (g)
8
Although my personal data has been processed in accordance with the law and other relevant legal provisions, I belive that the reasons requiring its processing no longer exist, and in this context, I request that my personal data be deleted or destroyed by third parties as well.
Personal Data Protection Law Article 11/1 (h)
9
I believe that my Personal Data processed by your institution has been analyzed exclusively through Automated Systems and that this analysis has resulted in a decision against me. I object to this decision.
Personal Data Protection Law Article 11/1 (i)
10
I have suffered damage due to the unlawful processing of my personal data. I am seeking compensation for this damage.
Personal Data Protection Law Article 11/1 (j)
11
Other, Please specify:

Please select the method by which you would like to be notified of our response to your application:

Note: (If you choose the email method, we will be able to respond to you more quickly.)

(If delivered by proxy, a notarized power of attorney or authorization document is required.)

This application form has been prepared to identify your relationship with our Institution and, if applicable, to fully identify your personal data processed by our Institution, so that your relevant application can be answered correctly and within the legal time limit. In order to eliminate legal risks that may arise from unlawful and unjust data sharing, and in particular to ensure the security of your personal data, our Institution reserves the right to request additional documents and information (such as a copy of your ID card or driver's license) for identity and authority verification. Our Institution shall not be held liable for any requests based on incorrect or outdated information provided in the form or unauthorized applications.

In line with the requests stated above, I request that my application to our Institution be evaluated in accordance with Article 13 of the Law and that I be informed accordingly.

I declare and undertake that the documents and information I have provided to you in this application are accurate and up-to-date and belong to me.

I hereby authorize your Institution to process the information and documents I have provided in this application form solely for the purposes of evaluating and responding to my application made in accordance with Article 13 of the Personal Data Protection Law No. 6698, delivering my application to me, and determining my identity and address.

Applicant (Personal Data Owner) Name Surname:

Application Date:

Signature: