Objective of Policy on Personal Data Protection

Hereby this Policy on Protection of Personal Data (“Policy”), sets forth the approach of Emaar Libadiye Gayrimenkul Gelistirme Co.Inc., Emaar Properties Gayrimenkul Gelistirme Co. Inc., Emaar Gayrimenkul Gelistirme Co. Inc., Emaar Properties PJSC, being group companies and contact offices of Emaar Group (“Emaar Group”) on protection of personal data and;

• Personal data refers to: all kinds of information on real persons, identified or can be identified;
• Processing Personal Data refers to: all kinds of transactions conducted on personal data partially or completely such as acquisition, record, storage, maintain, alteration, re-arrangement, disclosure, transfer, take-over, making acquirable, classification or prevention of usage by automatic or non-automatic means, provided that being a part of any data recording system;
• Special Quality Personal Data refers to: race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and data relating to security measures and biometric and genetics data of people;
• Data Controller refers to: any legal or real person determining personal data processing tools and purposes and responsible for installation and management of data recording system or any Emaar Group company;
• Data Processor refers to: any Emaar Group company or any real or legal person processing personal data basing on the authority granted by and on behalf of Emaar Group company;
• Data Owner refers to: real person being subject matter of personal data;
• Data Recording System refers to: recoding system processing personal data utilized by any Emaar Group company by configuring personal data according to the criteria determined;
• Board refers to: Board of Protection of Personal Data;
• Institute refers to: Institute of Protection of Personal Data;
• Code refers to: Code on Personal Data Protection which was published in the Official Gazette with 29677 number on April 7, 2016.

Policy provides details on Personal Data Collected by Emaar Group in terms of

• Contents and categories;
• Manner of utilization;
• People and institutions at home and abroad with which data may be shared;
• Manner of processing personal data;
• Conditions of maintaining personal data;
• Rights of Personal Data owners;
• Measures taken for the Protection of Personal Data; and aims at informing Personal Data owners on these issues within the context of the activities of Emaar Group.

 

Personal Data collected by Emaar Group and Purpose of Processing These

The objective of Emaar Group is the whole of the purposes determined in registries in which Emaar Group companies are registered. Emaar Group may collect and process the following information, including but not limited to the followings, belong to its customers, employees and authorities in association with its objective:

 

• Identity card, driver’s license, passport, residency certificate, birth certificate, marriage certificate etc. identity certificates and copies of those;
• Health reports, blood type certificate etc. health information;
• Photograph, video, finger print etc. biometric and genetic data;
• Phone number, e-mail address;
• Various information on penal conviction and security measures, including criminal record;
• Any official documents certifying their signatures;

Purpose and ground of Emaar Group’s Personal Data processing is summarized as follows and Emaar Group commits that it will not go beyond the aforementioned objective and ground in terms of Personal Data processing;The objective of personal data collection is provided in the following: For commercial partners: Without prejudice to the exceptions in Code on Protection of Personal Data (CPPD) art. 5(2)(c),

 

• Using the data obtained beforehand in subsequent transactions;
• Resolution of Commercial Disputes;
• Saving time;
• Transmitting data to abroad or domestic servers with the aim of providing data security;
• Data backup;
• External and internal audit, accounting, tax counselling;
• Intragroup data transfer;
• BT, translation, legal consultancy services;
• Forward planning;
• Keeping statistics;
• Follow-up of previous studies;
• Ensuring order and control, management and harmony in work place;
• Archiving data acquired from office activities;
• Facilitating the operation of recruitment process.

 

Data Collection Methods

Emaar Group shall collect the personal data by means of the methods specified in the following:

 

• E-mail, Fax, Phone, Mail, Courier, Hand delivery.

 

Permission for Processing and Transfer

Domestic Processing and Transfer:

Emaar Group’s processing personal data of related people at home and transfer of these to real or legal third parties is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:

 

• Explicitly foreseen in codes;
• Obligated for protection of his/her or others’ life or bodily integrity of any person who cannot grant consent due to actual impossibility or whose consent is not valid legally;
• Provided that it is directly related with drawing up or execution of a contract, necessity of processing Personal Data belong to the parties of the contract;
• Obligated for the performance of legal liabilities of Emaar Group or other Data Controller;
• Made public by related person;
• Data processing’s being obligated for establishment, utilization or protection of a right;
• Data processing’s being obligated for legitimate interests of Emaar Group or other Data Controller provided that it does no harm to fundamental rights and freedoms of related person.

Processing and Transfer of Special Quality Personal Data:

Processing and transfer of Special Quality Personal Data is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:

• Personal Data not associated with health and sexual life can be processed without seeking for explicit consent of related person in the events foreseen in codes.
• Personal Data on health and sexual life can only be processed by authorized institutions and organizations or people under confidential obligation without requiring explicit consent of the concerned people for purposes of protection of public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of financing and health services.

Proceesing and Transfer Abroad:

In associated with the partners and employees of Emaar Group, domestic processing of related personal data and transfer of these to real or legal third parties is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:

 

• In case of presence of the provisions specified in 4.a and 4.babove and in addition to these;
• Presence of adequate protection in the foreign country to which Personal Data will be transferred;
  • as determined and declared by Board;
  • In the event that adequate protection is not available, data controllers in Turkey and related foreign country shall undertake sufficient protection in writing and Council shall grant permission.

Furthermore, Personal Data can be transferred to foreign countries, without prejudice to the provisions of international convention, in the cases when interest of related person or country will severely get harmed, with the permission of the Board by receiving opinion of related public institution or organization.

Security of Personal Data

Emaar Group shall provide security of Personal Data to actualize following purposes and take all kinds of technical and administrative measures required for fulfilling convenient security level to achieve these purposes:

 

• to prevent processing of Personal Data contrary to law;
• to prevent illegal access to Personal Data;
• to provide conservation of Personal Data.

Emaar Group companies are jointly responsible for taking measures specified in5.a together with Data Processors, in the event that personal data is processed by any other legal or real third party on behalf of group companies.

Emaar Group companies has to carry out necessary audits or have these audits done within its institution or organization with the purpose of ensuring performance of provisions of Code.

Data Controllers and Data Processors cannot disclose the Personal Data they are informed of to others contrary to law and cannot use these beyond the purpose of processing. This obligation also continues after resignation.

In the event that processed Personal Data is acquired by others in illegal manners, Emaar Group companies shall notify this issue to concerned party and Board in the soonest time. If deemed necessary, Board may declare this issue on its website or by any other means considered appropriate.

Rights Associated with Personal Data

Everybody has the following rights related to them by applying to Emaar Group companies.

 

• Learning whether their Personal Data is processed or not;
• Requesting information on it if their Personal Data is processed;
• Learning the purpose of processing of their Personal Data and whether these data are used for the purpose or not;
• Learning about the third parties at home or abroad to whom their Personal Data is transferred;
• Requesting correction in case of misprocessing or underprocessing of Personal Data;
• Requesting deletion or demolition of Personal Data within the scope of 7^th article of the Code;
• 6.a.v And requesting notification of the procedures conducted pursuant to6.a.vi section to the third parties to whom Personal Data is transferred;
• Objecting to emergence of result against concerned person by means of analysing processed Personal Data exclusively through automatic systems, and
• Requesting compensation of damages, in case of suffering from any loss because of illegal processing of Personal Data.

It is required for usage of aforementioned rights that the request in question regarding Personal Data shall be submitted to following communications in writing together with the information that provide identification of related person:

• • e-mail to: “info@emaarsquaremall.com”; “info@emaarakvaryum.com”  or “info@emaar.com.tr”:
  • Mail to: “Emaar Square Ofis Kulesi, Unalan Mah. Libadiye Cad. No:82-F Kat:1 Uskudar, Istanbul-Turkey”:

Measures for the Protection of Personal Data and Conserving these Correctly and Currently

Emaar Group preserves Personal Data in correct and current manner by means of the methods specified in the following: Emaar Group conserves Personal Data in correct and current manner within the scope of following methods:

 

• Daily backups;
• Firewall;
• Anti-virus programs and administrative limitations.

 

Alterations to be conducted in the Policy on Personal Data Protection

Emaar Group may make alterations in this Policy from time to time to the extent its activities require and required by law. Aforementioned alterations will gain validity upon sharing altered Policy text on “http://www.emaarsquaremall.com”, “http://www.emaarakvaryum.com” and “https://tr.emaar.com”. Moreover, customers, employees and authorities shall be informed on the alterations to be made by means of electronic mail.

EMAAR GROUP POLICY ON PROTECTION OF SPECIAL QUALITY PERSONAL DATA

Objective

Hereby this Policy on Protection of Special Quality Personal Data (“Policy”), sets forth the approach of Emaar Libadiye Gayrimenkul Gelistirme Co.Inc., Emaar Properties Gayrimenkul Gelistirme Co. Inc., Emaar Gayrimenkul Gelistirme Co. Inc., Emaar Properties PJSC, being group companies and contact offices of Emaar Group (“Emaar Group”) on protection of Special Quality Personal Data and;

 

• Personal data refers to: all kinds of information on real persons, identified or can be identified;
• Special Quality Personal Data refers to: race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures etc. data and biometric and genetics data of people;
• Processing Special Quality Personal Data refers to: all kinds of transactions conducted on Special Quality Personal Data partially or completely such as acquisition, record, storage, maintain, alteration, re-arrengement, disclosure, transfer, take-over, making acquirable, classification or prevention of usage by automatic or non-automatic means, provided that being a part of any data recording system;
• Data Controller refers to: any legal or real person determining personal data processing tools and purposes and responsible for installation and management of data recording system or any Emaar Group company;
• Data Processor refers to: any Emaar Group company or any real or legal person processing personal data basing on the authority granted by and on behalf of Emaar Group company;
• Data Owner refers to: real person being subject matter of personal data;
• Data Recording System refers to: recoding system processing personal data utilized by any Emaar Group company by configuring personal data according to the criteria determined;
• Board refers to: Board of Protection of Personal Data;
• Institute refers to: Institute of Protection of Personal Data;
• Code refers to: Code on Personal Data Protection which was published in the Official Gazette with 29677 number on April 7, 2016;
• Verdict refers to: the verdict of Board related to measures required to be taken by data controller during processing of Special Quality Personal Data pursuant to 31.01.218 dated and 2018/10 numbered Code Article 6 (4) and 22 (1).

Policy pursues the goal of determination of the systems directed on security of related data during processing Special Quality Personal Data collected by Emaar Group.

In terms of employees during processing

Data policy to be implemented by Emaar Group during processing of Special Quality Personal Data in terms of Employees (“Employees”) is as follows:

 

• Providing trainings on security of Personal Data to employees two times in a year within the scope of related legislation;
• Entering into confidentiality agreement with employees;
• Clear definition of scope and period of powers of employees;
• Controlling powers of employees periodically by Emaar Group;
• In case of changing position or ceasing employment, release of authorities immediately by Emaar Group.

 

In terms of place of storage

Data policy to be implemented by Emaar Group in terms of electronic environments where Special Quality Personal Data is processed, stored and/or accessed is as in the following:

 

• Maintaining related data through cryptographic methods and keeping cryptographic keys in safe and different areas;
• Logging transaction records of motions actualized on related data in safe manner;
• Regular controls on security updates of environments including related data, performance of security tests two times in a year regularly and recording test results;
• Authorizing users concerning the data accessed by means of a software, performance of security tests associated with these software two times in a year regularly and recording test results;
• Providing two-stage verification system related to the data remote accessed.

Data policy system to be implemented by Emaar Group in terms of physical environments where Special Quality Personal Data is processed, stored and/or accessed is as in the following:

 

• Taking adequate safety precautions according to the property of physical environment;
• Preventing unauthorized entrance and exit to provide security of physical environment.

 

With regard to the Transfer

Processing and transfer of Special Quality Personal Data is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:

• Personal Data not associated with health and sexual life can be processed without seeking for explicit consent of related person in the events foreseen in codes.
• Personal Data on health and sexual life can only be processed by authorized institutions and organizations or people under confidential obligation without requiring explicit consent of the concerned people for purposes of protection of public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of financing and health services.

If Special Quality Personal Data will be transferred within the body of Emaar Group, the data policy to be implemented is as in the following:

• If related data will be transferred via electronic mail, transfer shall be carried out by using registered electronic mail or corporate electronic mail cryptically;
• If related data will be transferred via flash memory, CD, DVD etc. VPN shall be installed between servers or sFTP method shall be used;
• If related data shall be transferred in printed form, necessary precautions shall be taken against steal, loss or unauthorized observation and the document shall be sent with “confidential documents” format.

EMAAR GROUP POLICY ON DEMOLITION OF PERSONAL DATA

Objective

The objective of this Demolition Policy (“Demolition Policy”) is to perform methods and responsibilities on deletion, demolition and anonymization of personal data in Emaar Group in compliance with legislation on protection of related personal data and Emaar Group’s Policy on Protection of Personal Data, particularly, 6698 numbered Code on Protection of Personal Data (“CPPD”), Directive on deletion, demolition and anonymization of personal data (“Directive”).

Scope of Demolition Policy

Grounds and methods to be followed in preparation for anonymization, deletion or demolition of personal data are approached within the scope of this policy.

Definition and concepts

 

• Demolition refers to: process of deletion, demolition and anonymization of personal data in a manner that those cannot be utilized afterwards.
• Deletion refers to: the process of making personal data processed by automatic means partially or wholly or maintained in digital environment in a manner that those cannot be used or accessed again by related users.
• Related user refers to: the users processing personal data within the direction of power and instruction taken from Emaar Group or within the organization of Emaar Group apart from the person or unit responsible for storage, protection and backup of personal data technically.

Method for Demolition of Personal Data

The method of deletion was adopted for demolition of personal data held in the body of Emaar Group among the demolition methods within the scope of directive.

An access power and control matrix will be established by Emaar Group [IT / Department of Information Technologies] regarding the personal data held in the body of Emaar Group for deletion procedures, and the people having the power of access and control of each personal data in question will be determined (“related user/s”).

Basic principles on Demolition of Personal Data

The personal data held in the body of Emaar Group shall be deleted in 3 months at the latest after disappearing of the reason for processing each personal data. In any case, Emaar Group IT / Department of Information Technologies shall scan all personal data held in the body of Emaar Group in yearly periods and personal data that are required to have been deleted but mistakenly conserved shall immediately be deleted.

The process to be followed in deletion of personal data held in the body of Emaar Group is as follows:

 

• Determination of the personal data to be subjected to deletion;
• Determination of related users for each personal data by using access power and control matrix;
• Determination of powers and methods of related users such as access, return and reusage; and
• Closing and removal of powers and methods of related users such as access, return and reusage within the scope of personal data.

Emaar Group IT / Information Technologies Department shall take all kinds of technical and administrative precautions to make deleted personal data inaccessible and not usable again by related user.

Emaar Group IT / Information Technologies Department may delete or demolish personal data upon disappear of the reasons for processing data referring to its own decision or upon request of personal data owner, despite the fact that those data are processed complying with the provisions of related code.

All kinds of procedures conducted in association with deletion, demolition or anonymization of personal data is recorded by Emaar Group IT / Information Technologies Department and aforementioned records are withheld for at least three years excluding other legal liabilities.

Changes to be made on Demolition Policy

Emaar Group may make alterations in this Demolition Policy from time to time to the extent its activities require and required by law. Aforementioned alterations will gain validity upon sharing altered Demolition Policy text on “http://www.emaarsquaremall.com”, “http://www.emaarakvaryum.com” and “https://tr.emaar.com”. Moreover, customers, employees and authorities shall be informed on the alterations to be made by means of electronic mail.

INFORMATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

As Emaar, we attach importance to the privacy and security of your personal data. In this context, as Emaar Libadiye Gayrimenkul Geliştirme A.Ş. (“Emaar” and/or the “Company“) in the capacity of Data Supervisor with this Clarification Text (“Clarification Text“), we would like to inform you about the processing of your personal data in accordance with the provisions of the relevant legislation in force (“Legislation“), especially the Law on the Protection of Personal Data No.6698 (“KVKK“) and the Law on the Regulation of Electronic Commerce No.6563 (“ETK“).

You may find further information about the purposes of processing your personal data from the Emaar Group Personal Data Protection Policy at “https://tr.emaar.com”

Your Processed Personal Data, Processing Purposes and Legal Reason

Your identity data (name, surname), contact data (mobile phone number, e-mail address) and location and processing security information (consent records, IP address, pixel tags, clickstream, traffic data) will be processed in accordance with Paragraph 2 of the Article 5 of KVKK based on the legal reasons of, (i) “It is clearly stipulated in the laws”, (ii) “It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or execution of a contract” and (iii) “Data processing is mandatory for the establishment, exercise or protection of a right.” within the scope of the following purposes:

 

• If you request a product/service within the scope of the real estate in the Emaar portfolio, our Company’s making you an offer and provide information in accordance with your request, and carry out studies in order to fulfill your request and communicate with you in this context,
• Our company’s fulfilling its administrative and legal obligations within the scope of all applicable legal regulations,
• Conducting our business relations within our company, with our affiliates, business partners and third parties with whom we have business relations, ensuring the legal and commercial security of the said persons, following legal processes and establishing, using and protecting the rights arising from the legislation.

Your collected personal data may be processed by Emaar for the following purposes in accordance with Paragraph 1 of the Article 5 of KVKK in the case of your explicit consent:

 

• Identifying potential buyers/tenants in terms of real estate in the Emaar portfolio and conducting targeted marketing activities for these customers,
• Determining the commercial and business strategies of our company, conducting our customer services/relations and evaluating your satisfaction and conducting statistical studies in this context,
• If you give permission, communicating with you in any way regarding real estate in the Emaar portfolio through your contact information, and informing, transferring data and information for promotional and marketing purposes via telephone, SMS (short message), e-mail and digital channels,
• Keeping statistics on customers in order to increase efficiency in terms of sales, marketing and customer service.

Parties to which Your Personal Data are Transferred and Transfer Purposes

Your personal data processed by Emaar may be transferred to the persons and institutions, their suppliers, service providers, and business partners from which Emaar receives services and/or consultancy services in Turkey and who are obliged to comply with confidentiality obligations for the purpose of Emaar’s providing the service and product or for the performance of the contract in accordance with the basic principles stipulated in KVKK and in accordance with Article 8/1 of KVKK in the presence of your explicit consent, in cases where your explicit consent is needed within the scope of the above-mentioned purposes. Besides, within the scope of the activities, we have explained above, your personal data shall be transferred to legally authorized public institutions and authorized private persons in accordance with KVKK Art.8/2.

Besides, in line with the realization of the above-mentioned objectives; In accordance with KVKK article 8/1, in the presence of your explicit consent, they may be shared with Emaar’s domestic group companies Emaar Properties Gayrimenkul Geliştirme A.Ş. (“Emaar Properties“) and Emaar Gayrimenkul Geliştirme A.Ş. (“Emaar Gayrimenkul“) and in accordance with KVKK Art.9/1 in the presence of your explicit consent, and with Emaar group companies abroad; Emaar Properties PJSC (“Emaar PJSC“) and affiliated group companies (Emaar Properties, Emaar Gayrimenkul and Emaar PJSC and affiliated group companies will be referred to as “Emaar Group Companies” hereinafter), our business partners and suppliers residing abroad, from whom we receive services and who are obliged to comply with confidentiality obligations.

Our Method Of Collecting Your Personal Data

Your personal data shall be collected and processed through the cookies we use if you visit our website (https://tr.emaar.com), or in case you fill and send the form on our “Get In Touch” and/or “Sign Up” pages or the electronic forms we provide through our social media channels within the scope of the Legislation by Emaar via e-mail, online communication systems, customer relations management systems (CRM, SAP etc.) or other automatic methods, or within the scope of the Legislation by Emaar from the suppliers with whom Emaar has a contractual relationship, provided that it is not contrary to the Legislation.

What Are Your Rights Under KVKK as a Data Owner?

By applying to our Company in terms of your personal data processed by our company, you have the right to request (i) to learn whether your personal data has been processed, (ii) to request information if they have been processed, (iii) to learn the purpose of processing and whether they have been used in accordance with its purpose (iv) to know the third parties to whom they were transferred at home / abroad, (v) if they have been processed incompletely/incorrectly, to ask for correction, (vi) to request their deletion/destruction within the framework of the conditions stipulated in article 7 of KVKK (vii) to request the third parties to whom your data is transferred to be notified of the transactions in subparagraphs (v) and (vi), (viii) to object to a result against you because it is analyzed exclusively by automated systems, and (ix), to demand the compensation of the damage, in case you suffer damage due to unlawful processing.

If you wish to exercise your mentioned rights, you may submit your applications to Emaar AVM, after filling out the Emaar Turkey KVKK application form to which you can access via our website https://tr.emaar.com and printing it out, by sending to the application address Ünalan Mah. Libadiye Cad. No:82F, K:1, Üsküdar/Istanbul with the words “Request for Information under the Personal Data Protection Law” written on the envelope or by sending an e-mail to the kvkk@emaar.com.tr address.

Depending on the nature of your request, your applications will be concluded free of charge as soon as possible and within thirty days at the latest; whereas, if the transaction requires an additional cost, you may be charged according to the tariff determined by the Personal Data Protection Board.