EASY WAY MOBILITY GROUP LTD (new.easytaxis.net) Privacy Policy – UK GDPR and KVKK Compliant

  1. Introduction to Our Privacy Policy

Purpose and Scope of the Policy

This Privacy Policy transparently explains how EASY WAY MOBILITY GROUP LTD collects, uses, stores, and protects personal data. At EASY WAY MOBILITY GROUP LTD, we prioritize your privacy and the protection of your personal information. This policy is designed to comply with the strict requirements of all relevant data protection legislation, including the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as the Personal Data Protection Law No. 6698 (KVKK) in Turkey.[1, 2] This dual compliance ensures the highest level of protection for users from both the UK and Turkey, or for individuals whose data is processed across these jurisdictions.

The scope of this policy covers all users of the new.easytaxis.net website and all related services provided by EASY WAY MOBILITY GROUP LTD. This comprehensive approach ensures that users gain a clear understanding of the legal frameworks under which their data is protected. Compliance with data protection legislation is not only a legal obligation but also a fundamental element in building user trust and ensuring data transparency. The policy clearly outlines all processes related to the processing of user data, demonstrating our company’s commitment to data protection from start to finish.

Who We Are (Data Controller Information)

As EASY WAY MOBILITY GROUP LTD, we are the legal entity responsible for the processing of your personal data. Our full registered address is located in the United Kingdom. A dedicated contact email address will be provided for all privacy-related inquiries.

We are defined as the “Data Controller” under both UK GDPR and KVKK, meaning we determine the purposes and means of processing your personal data.[2, 3] This is a fundamental requirement of data protection legislation, clearly stating who is responsible for your data.

Our Commitment to Your Privacy

We are strongly committed to protecting your personal data and respecting your privacy rights. This commitment is demonstrated by our strict adherence to the fundamental data protection principles enshrined in both UK GDPR and KVKK: lawfulness, fairness, and transparency; purpose limitation, data minimization, accuracy; storage limitation; integrity and confidentiality (security); and accountability.[1, 2, 4]

These principles are central to our approach to data processing. We not only comply with legal requirements but also take proactive steps to ensure that your data is processed responsibly and ethically. The principle of accountability requires not only compliance but also the ability to demonstrate compliance.[4, 5] This includes being transparent in our policies and procedures and maintaining records related to our data processing practices. This approach creates an environment of trust and transparency with our users and ensures that our data protection practices are fully aligned with legal and ethical standards.

  1. Information We Collect About You

Personal Data You Provide Directly

When you interact with our services, for example, by making a transfer booking, creating an account, or contacting customer support, we collect certain categories of personal data directly from you. This data is essential for the accurate provision and execution of our services.

The data collected may include: Your First Name, Last Name, Contact Phone Number, Email Address, Departure/Destination Addresses, and Payment Information (e.g., bank details, credit card information).[6] This information is necessary for core service functions such as processing, distributing, and controlling the execution of bookings, as well as providing consultation and support related to your booking.[6] This direct data collection forms the basis for fulfilling the contractual relationship between the user and our company and ensures the lawfulness of data processing. It is important for users to guarantee that the personal data they provide is truthful, accurate, complete, and up-to-date; otherwise, they may be responsible for any direct or indirect damages that may arise as a result of non-compliance with this obligation.[6]

Automatically Collected Information (e.g., Usage Data, Device Information)

Certain types of data are collected automatically when you interact with our website or services. This data helps us analyze service usage, improve website functionality, enhance user experience, and optimize our offerings.

Examples of automatically collected information include: IP address, access time, software and hardware information, device information (type, operating system), unique identifiers, error information, cookie data, and information about the pages you viewed before using our service.[6] However, the collection of this data must be meticulously justified with a clear purpose and relevant legal basis, in accordance with the “data minimization” principle.[2, 4] A clear distinction must be made between automatically collected data that is strictly necessary for the functionality of the service and data collected for analytical or marketing purposes, as these may require different legal bases (e.g., legitimate interest or explicit consent for specific marketing activities).

Data from Other Sources (e.g., Third-Party Bookings)

In some cases, you may book a transfer not for yourself, but on behalf of another person. In such instances, you may provide us with the personal data of another individual. In these situations, you are fully responsible for ensuring that the person or persons whose personal data you provided are aware of, understand, and agree to how their data will be used in accordance with this Privacy Policy.[6] Our company may conduct due diligence checks to verify this fact.[6]

III. How and Why We Use Your Personal Data (Purposes and Legal Bases)

Our purposes for processing your personal data and the legal bases for such processing are transparently explained in accordance with the fundamental principles of both UK GDPR and KVKK. It is mandatory to have a specific legal basis for each processing activity.[7]

Table 1: Overview of Data Processing Activities

Data Category Purpose of Processing UK GDPR Legal Basis KVKK Legal Basis
Name, Surname, Contact Phone, Email, Address, Payment Information Service Provision and Booking Management: Processing, distribution, control over execution of bookings, providing consultation and support. Performance of a Contract (Art. 6(1)(b)) Necessity for the Establishment or Performance of a Contract (Art. 5(2)(c))
Name, Surname, Phone Number, Email Customer Support and Communication: Responding to inquiries, troubleshooting, providing information about booking details. Performance of a Contract (Art. 6(1)(b)), Legitimate Interest (Art. 6(1)(f)) Necessity for the Establishment or Performance of a Contract (Art. 5(2)(c)), Legitimate Interest of the Data Controller (Art. 5(2)(f))
IP Address, Device Information, Page Visits, Cookie Data Service Improvement and Analytics: Improving service based on website visit statistics, sales, and feedback, analyzing website usage. Legitimate Interest (Art. 6(1)(f)), Explicit Consent (for Cookies, Art. 6(1)(a)) Legitimate Interest of the Data Controller (Art. 5(2)(f)), Explicit Consent (for Cookies, Art. 5(1))
Email, Phone Number Marketing and Promotional Activities: Sending updates about services and relevant promotions, targeted advertising. Explicit Consent (Art. 6(1)(a)), Legitimate Interest (for existing customers, Art. 6(1)(f)) Explicit Consent (Art. 5(1)), Legitimate Interest of the Data Controller (for existing customers, Art. 5(2)(f))
Payment Information, Usage Data Fraud Prevention and Security: Combating fraud, improving security measures, detecting and preventing illegal activities. Legal Obligation (Art. 6(1)(c)), Legitimate Interest (Art. 6(1)(f)) Legal Obligation (Art. 5(2)(ç)), Legitimate Interest of the Data Controller (Art. 5(2)(f))
Any Personal Data Compliance with Legal Obligations: Complying with legal requirements, transferring information to competent authorities. Legal Obligation (Art. 6(1)(c)) Legal Obligation (Art. 5(2)(ç))

 

Service Provision and Booking Management

The primary purpose of processing your personal data is to provide the transportation service you have requested. This includes processing your booking, its distribution, control over its execution, and providing consultation and support related to your booking.[6] The legal basis for this processing is the performance of the contract between us. Under UK GDPR Article 6(1)(b) and KVKK Article 5(2)(c), explicit consent is not required when processing is necessary for the establishment or performance of a contract.[2, 7] For example, your name, contact information, and departure/destination addresses are essential for arranging and completing your transfer.

Customer Support and Communication

We use your personal data to respond to your inquiries, troubleshoot issues, and provide information about booking details. This processing is carried out as part of our service contract or in pursuit of our legitimate interests. UK GDPR Article 6(1)(b) and Article 6(1)(f), along with KVKK Article 5(2)(c) and Article 5(2)(f), constitute the legal bases for this processing.[2, 7] For instance, if you encounter an issue with your booking, our ability to contact you via your email address or phone number is essential for the smooth delivery of the service.

Service Improvement and Analytics

To continuously improve our services, we analyze statistical data based on website visits, sales, and service-related feedback.[6] This includes using automatically collected data (e.g., IP address, cookie data) to analyze website usage and enhance user experience.[6] The legal basis for this processing is our legitimate interest in optimizing our services and providing a better experience for our users (UK GDPR Article 6(1)(f) and KVKK Article 5(2)(f)).[2, 7] For certain automatic data collection methods, such as cookies, particularly those used for marketing or analytical purposes, your explicit consent will be obtained.[6]

Marketing and Promotional Activities

With your consent, or if you have previously used our services, we may send you updates about our services and relevant promotions.[6] This includes using your personal data to improve our offers and for targeted advertising.[6] The legal basis for marketing communications is generally explicit consent (UK GDPR Article 6(1)(a) and KVKK Article 5(1)).[2, 8] For existing customers, legitimate interest (UK GDPR Article 6(1)(f) and KVKK Article 5(2)(f)) may apply for marketing communications related to similar products or services, but your right to object is always reserved.[6, 8]

Fraud Prevention and Security

We may process your personal data to combat fraud and enhance security. This includes implementing appropriate security procedures to prevent unauthorized access and misuse.[6] The legal basis for this processing is compliance with our legal obligations (UK GDPR Article 6(1)(c) and KVKK Article 5(2)(ç)) and our legitimate interest in detecting and preventing fraud and other illegal activities within our business (UK GDPR Article 6(1)(f) and KVKK Article 5(2)(f)).[2, 7]

Compliance with Legal Obligations

We may process your personal data to comply with legal requirements or to respond to requests from competent authorities.[6] The legal basis for this processing is compliance with legal obligations to which we are subject (UK GDPR Article 6(1)(c) and KVKK Article 5(2)(ç)).[2, 7] For example, we may transfer personal data to law enforcement agencies when required by law or when strictly necessary to prevent, detect, or suppress criminal acts.[6]

  1. Your Data Protection Rights

As a data subject, you have specific rights regarding your personal data. These rights provide you with control over how your data is processed and are guaranteed by both UK GDPR and KVKK.[1, 2]

Table 2: Your Data Subject Rights at a Glance

| Right | Meaning | How to Exercise? | | :– | :—— | :————— | | Right of Access | The right to know whether your personal data is being processed and, if so, to access that data. | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. | | Right to Rectification | The right to request the correction of inaccurate or incomplete personal data concerning you. | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. | | Right to Erasure (“Right to be Forgotten”) | The right to request the deletion of your personal data under certain conditions (e.g., if the data is no longer necessary for the purposes for which it was collected). | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. | | Right to Restriction of Processing | The right to request the temporary suspension of data processing in certain situations, such as when you contest the accuracy of your data or if the processing is unlawful. | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. | | Right to Data Portability | The right to receive the personal data you have provided in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller. | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. | | Right to Object | The right to object to the processing of your personal data in certain circumstances (e.g., for direct marketing). | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. | | Rights in Relation to Automated Decision-Making and Profiling | The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. | By sending an email to privacy@new.easytaxis.net or a written request to our registered address. |

Exercising Your Rights

To exercise any of your rights mentioned above, you can send your request via email to privacy@new.easytaxis.net or send a written and signed request to our registered address in the United Kingdom. Your request must contain sufficient identifying information to verify your identity.

Upon receiving your request, we will endeavor to respond within the timeframes required by relevant legislation. UK GDPR generally requires a response within one month, which can be extended to two months in certain circumstances.[9] KVKK also stipulates that the data controller must respond to requests as soon as possible.[2]

If you believe your rights have not been adequately addressed, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the United Kingdom or the Personal Data Protection Authority (KVKK) in Turkey.[1, 6]

  1. Data Retention: How Long We Keep Your Information

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected. This period is also necessary to demonstrate that the data has been processed lawfully and that services have been properly provided.[2, 6, 4]

Data retention periods vary depending on the purpose of processing:

  • Service Provision and Contract Performance: We may retain your data for up to six years after the completion of service provision. This period allows us to protect ourselves against potential claims arising from the execution of the service.[6] This is consistent with both the UK GDPR’s storage limitation principle [4] and the KVKK’s principle of retaining data for the period specified by relevant legislation or as long as necessary for the processing purpose.[2]
  • Management of Service Contract Finalization: For transactional communications sent when you initiate but do not complete a booking process, your data will be retained until these communications are sent. If you complete the transaction, your data will be retained for the duration of service provision.[6]
  • Commercial Communications: Your data for commercial communications will be retained until you withdraw your consent to receive such communications. In any case, the data retention period will not exceed 2 years.[6] If your data is processed based on our legitimate interest arising from an existing contract, it will be kept until you object to receiving commercial communications.[6]

Data retention periods are determined in compliance with the data minimization principle, reflecting only the duration strictly necessary for the stated purposes.[4]

  1. Sharing Your Personal Data and International Transfers

Sharing with Third Parties

EASY WAY MOBILITY GROUP LTD discloses your personal data only when strictly necessary to provide contracted services or to comply with legal obligations.[6] Your data may be received by other parties we involve in providing services to you, including financial institutions and advertising companies.[6]

  • Service Providers: We use third-party services to process your personal data on our behalf. This processing occurs for various purposes, including sending marketing materials or authenticating the email address you provided during the booking process.[6] These third-party service providers are bound by confidentiality obligations and do not have the right to use your personal data for purposes other than in accordance with our company’s instructions.[6]
  • Competent Authorities: We transfer personal data to law enforcement agencies to the extent required by law or when strictly necessary to prevent, detect, or suppress criminal acts and fraud.[6] Additionally, we may need to transfer personal data to competent authorities to protect our rights or property, as well as the rights and property of our business partners.[6]

In all circumstances, any data accessed by third parties with whom we collaborate to deliver our services will be handled in strict accordance with the provisions outlined in UK GDPR, KVKK, and other relevant regulations.[6]

Cross-Border Data Transfers (UK-Turkey and Other Jurisdictions)

EASY WAY MOBILITY GROUP LTD may transfer your personal data to countries outside the United Kingdom or to international organizations. Such transfers are subject to specific conditions to ensure that the level of data protection is maintained, in accordance with the relevant provisions of UK GDPR and KVKK.[10, 11]

Differences Between UK GDPR and KVKK: UK GDPR offers a more flexible and structured approach for international data transfers, including “Adequacy Decisions” by the European Commission and appropriate safeguards such as “Standard Contractual Clauses (SCCs)” or “Binding Corporate Rules (BCRs).”[10, 11, 12] These mechanisms generally do not require prior authorization from a regulatory authority.[11, 13, 14]

KVKK, on the other hand, has a stricter regulatory framework for cross-border data transfers. While KVKK has its own “Adequacy Decision” framework, a list to be published by the Board is still awaited.[2, 15] Currently, KVKK does not explicitly recognize SCCs or BCRs as automatic transfer mechanisms; instead, contractual agreements governing international data transfers generally require case-by-case approval or notification from the KVKK Board.[11, 15] Notably, even when explicit consent is obtained from the data subject, KVKK typically requires approval from the KVKK Board before transferring data abroad, unless an exemption applies.[11] This can lead to a slower and more bureaucratic cross-border transfer process compared to GDPR.[11]

Definition: “Transfer of Personal Data Abroad”: KVKK Guidelines define transfer activity based on three criteria: (i) the data transferor is subject to KVKK regarding personal data processing; (ii) the processed data is directly shared or made accessible in another way; and (iii) the data recipient is located in a third country.[15] For example, remote access from a third country for technical support, troubleshooting, or management (even if data is only displayed on the screen) is considered a data transfer abroad.[15]

VII. Data Security Measures

We implement appropriate security procedures to prevent unauthorized access to and misuse of your personal data.[6] We apply relevant corporate systems and procedures to protect the personal data provided to us.[6] Under KVKK Article 12, as the data controller, we are obligated to take all necessary technical and organizational measures to ensure an appropriate level of security to prevent unlawful processing of personal data, unlawful access to personal data, and to ensure the protection of personal data.[16]

Security procedures and technical and physical restrictions are also applied to the use of and access to personal data on our servers.[6] Only employees with special rights have access to personal data in the course of performing their duties.[6]

If data processing is carried out by another natural or legal person (a data processor) on behalf of the data controller, the data controller is jointly responsible with these persons for implementing the necessary security measures.[16] This means that data processors are also required to take measures to ensure data security.

Data Breach Notification Procedures

In the event that processed data is obtained by others through unlawful means, as the data controller, we are obligated to notify the data subject of the data breach and inform the Board as soon as possible.[16] The Board, in its Decision No. 2019/10 dated January 24, 2019, interpreted “as soon as possible” as 72 hours.[16] Therefore, as the data controller, we must notify the Board without delay and no later than 72 hours after becoming aware of the breach. If notification cannot be made within 72 hours, the reasons for the delay must be attached to the notification, and the notification must still be made without undue further delay.[16]

VIII. Our Use of Cookies and Tracking Technologies

We use cookies to ensure that interaction with our website is as informative and relevant to your interests as possible.[6] Cookies may be necessary for the normal operation of the website (e.g., to remember that you have logged in or made a booking).[6] They are also used to analyze website usage, improve it, and count the number of visitors; such cookies are called analytical cookies.[6] Social network cookies are used to integrate social networks with the website, while advertising cookies ensure that only the most useful and interesting advertisements are displayed to you.[6]

By using our website, you agree that we may download cookies to your computer or other device.[6] However, you can manage cookies. Please note that deleting or blocking cookies may affect the user interface, and some components of this website may become unavailable.[6] Most browsers allow you to see the cookies stored on your device and individually delete or block cookies from certain or all websites.[6]

We may also use technologies to track whether you read, open, or forward certain messages we send via email.[6] The purpose of these technologies is to make our communication tools more useful and attractive to the user.[6]

  1. Children’s Privacy

The services offered through the website are not permitted for use by individuals under the legal age of majority without the prior consent of their parents, guardians, or legal representatives.[6] These authorized parties will be solely responsible for any actions undertaken by minors under their care on the website, including the submission of forms containing personal data and the selection of relevant options.[6] EASY WAY MOBILITY GROUP LTD does not knowingly collect personal data from children. If we become aware that such data has been inadvertently collected, we will promptly delete it from our systems.

  1. Changes to This Privacy Policy

This Privacy Policy is subject to potential changes from time to time, based on evolving criteria determined by the relevant data protection authority.[6] EASY WAY MOBILITY GROUP LTD reserves the right to amend this policy to align with such criteria, as well as any jurisprudential or legislative developments.[6]

The updated Privacy Policy will be published on the new.easytaxis.net website with the date of the last update.[6] We will notify you in advance of any significant changes via email.[6] This ensures that users are always informed of important changes to our data processing practices, maintaining our commitment to the principles of transparency and accountability.

  1. Contact Us

If you require further clarification regarding the management of your personal data or have any questions, please do not hesitate to contact us via email at privacy@new.easytaxis.net. We are ready to answer all your privacy-related questions and assist you in exercising your data protection rights.

Conclusion

This Privacy Policy reflects EASY WAY MOBILITY GROUP LTD’s commitment, as a UK-based company, to comply with the complex requirements of both UK GDPR and KVKK.

The policy emphasizes users’ fundamental rights regarding the protection of their personal data and provides clear avenues for exercising these rights. In particular, the balance between the different legal approaches to international data transfers—namely, the more flexible mechanisms of UK GDPR versus the stricter rules of KVKK, which often require Board approval or notification—has been a critical focus of this policy. Clearly stating these differences ensures both legal compliance and helps users make informed decisions about the cross-border movement of their data.

The company places great importance on data security and breach notification procedures, demonstrating the data controllers’ responsibility to fulfill legal obligations and maintain the trust of data subjects. Transparent disclosure of cookie usage and automated data collection practices enhances users’ control over their online interactions.

This policy will be regularly reviewed and updated to adapt to evolving data protection legislation. This dynamic approach ensures that EASY WAY MOBILITY GROUP LTD adheres to best practices in data protection and prioritizes the privacy rights of its users.