GENERAL DATA PROTECTION POLICY AND INFORMATION ON DATA PROCESSING
Objective of Policy on Personal Data Protection
Hereby this Policy on Protection of Personal Data (“Policy”), sets forth the approach of Emaar Libadiye Gayrimenkul Gelistirme Co.Inc., Emaar Properties Gayrimenkul Gelistirme Co. Inc., Emaar Gayrimenkul Gelistirme Co. Inc., Emaar Properties PJSC, being group companies and contact offices of Emaar Group (“Emaar Group”) on protection of personal data and;- Personal data refers to: all kinds of information on real persons, identified or can be identified;
- Processing Personal Data refers to: all kinds of transactions conducted on personal data partially or completely such as acquisition, record, storage, maintain, alteration, re-arrangement, disclosure, transfer, take-over, making acquirable, classification or prevention of usage by automatic or non-automatic means, provided that being a part of any data recording system;
- Special Quality Personal Data refers to: race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and data relating to security measures and biometric and genetics data of people;
- Data Controller refers to: any legal or real person determining personal data processing tools and purposes and responsible for installation and management of data recording system or any Emaar Group company;
- Data Processor refers to: any Emaar Group company or any real or legal person processing personal data basing on the authority granted by and on behalf of Emaar Group company;
- Data Owner refers to: real person being subject matter of personal data;
- Data Recording System refers to: recoding system processing personal data utilized by any Emaar Group company by configuring personal data according to the criteria determined;
- Board refers to: Board of Protection of Personal Data;
- Institute refers to: Institute of Protection of Personal Data;
- Code refers to: Code on Personal Data Protection which was published in the Official Gazette with 29677 number on April 7, 2016.
- Contents and categories;
- Manner of utilization;
- People and institutions at home and abroad with which data may be shared;
- Manner of processing personal data;
- Conditions of maintaining personal data;
- Rights of Personal Data owners;
- Measures taken for the Protection of Personal Data; and aims at informing Personal Data owners on these issues within the context of the activities of Emaar Group.
Personal Data collected by Emaar Group and Purpose of Processing These
The objective of Emaar Group is the whole of the purposes determined in registries in which Emaar Group companies are registered. Emaar Group may collect and process the following information, including but not limited to the followings, belong to its customers, employees and authorities in association with its objective:- Identity card, driver’s license, passport, residency certificate, birth certificate, marriage certificate etc. identity certificates and copies of those;
- Health reports, blood type certificate etc. health information;
- Photograph, video, finger print etc. biometric and genetic data;
- Phone number, e-mail address;
- Various information on penal conviction and security measures, including criminal record;
- Any official documents certifying their signatures;
- Using the data obtained beforehand in subsequent transactions;
- Resolution of Commercial Disputes;
- Saving time;
- Transmitting data to abroad or domestic servers with the aim of providing data security;
- Data backup;
- External and internal audit, accounting, tax counselling;
- Intragroup data transfer;
- BT, translation, legal consultancy services;
- Forward planning;
- Keeping statistics;
- Follow-up of previous studies;
- Ensuring order and control, management and harmony in work place;
- Archiving data acquired from office activities;
- Facilitating the operation of recruitment process.
Data Collection Methods
Emaar Group shall collect the personal data by means of the methods specified in the following:- E-mail, Fax, Phone, Mail, Courier, Hand delivery.
Permission for Processing and Transfer
Domestic Processing and Transfer: Emaar Group’s processing personal data of related people at home and transfer of these to real or legal third parties is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:- Explicitly foreseen in codes;
- Obligated for protection of his/her or others’ life or bodily integrity of any person who cannot grant consent due to actual impossibility or whose consent is not valid legally;
- Provided that it is directly related with drawing up or execution of a contract, necessity of processing Personal Data belong to the parties of the contract;
- Obligated for the performance of legal liabilities of Emaar Group or other Data Controller;
- Made public by related person;
- Data processing’s being obligated for establishment, utilization or protection of a right;
- Data processing’s being obligated for legitimate interests of Emaar Group or other Data Controller provided that it does no harm to fundamental rights and freedoms of related person.
- Personal Data not associated with health and sexual life can be processed without seeking for explicit consent of related person in the events foreseen in codes.
- Personal Data on health and sexual life can only be processed by authorized institutions and organizations or people under confidential obligation without requiring explicit consent of the concerned people for purposes of protection of public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of financing and health services.
- In case of presence of the provisions specified in 4.a and 4.babove and in addition to these;
- Presence of adequate protection in the foreign country to which Personal Data will be transferred;
- as determined and declared by Board;
- In the event that adequate protection is not available, data controllers in Turkey and related foreign country shall undertake sufficient protection in writing and Council shall grant permission.
Security of Personal Data
Emaar Group shall provide security of Personal Data to actualize following purposes and take all kinds of technical and administrative measures required for fulfilling convenient security level to achieve these purposes:- to prevent processing of Personal Data contrary to law;
- to prevent illegal access to Personal Data;
- to provide conservation of Personal Data.
Rights Associated with Personal Data
Everybody has the following rights related to them by applying to Emaar Group companies.- Learning whether their Personal Data is processed or not;
- Requesting information on it if their Personal Data is processed;
- Learning the purpose of processing of their Personal Data and whether these data are used for the purpose or not;
- Learning about the third parties at home or abroad to whom their Personal Data is transferred;
- Requesting correction in case of misprocessing or underprocessing of Personal Data;
- Requesting deletion or demolition of Personal Data within the scope of 7th article of the Code;
- 6.a.v And requesting notification of the procedures conducted pursuant to6.a.vi section to the third parties to whom Personal Data is transferred;
- Objecting to emergence of result against concerned person by means of analysing processed Personal Data exclusively through automatic systems, and
- Requesting compensation of damages, in case of suffering from any loss because of illegal processing of Personal Data.
-
- e-mail to: “info@emaarsquaremall.com”; “info@emaarakvaryum.com” or “info@emaar.com.tr”:
- Mail to: “Emaar Square Ofis Kulesi, Unalan Mah. Libadiye Cad. No:82-F Kat:1 Uskudar, Istanbul-Turkey”:
Measures for the Protection of Personal Data and Conserving these Correctly and Currently
Emaar Group preserves Personal Data in correct and current manner by means of the methods specified in the following: Emaar Group conserves Personal Data in correct and current manner within the scope of following methods:- Daily backups;
- Firewall;
- Anti-virus programs and administrative limitations.
Alterations to be conducted in the Policy on Personal Data Protection
Emaar Group may make alterations in this Policy from time to time to the extent its activities require and required by law. Aforementioned alterations will gain validity upon sharing altered Policy text on “http://www.emaarsquaremall.com”, “http://www.emaarakvaryum.com” and “https://tr.emaar.com”. Moreover, customers, employees and authorities shall be informed on the alterations to be made by means of electronic mail.EMAAR GROUP POLICY ON PROTECTION OF SPECIAL QUALITY PERSONAL DATA
Objective
Hereby this Policy on Protection of Special Quality Personal Data (“Policy”), sets forth the approach of Emaar Libadiye Gayrimenkul Gelistirme Co.Inc., Emaar Properties Gayrimenkul Gelistirme Co. Inc., Emaar Gayrimenkul Gelistirme Co. Inc., Emaar Properties PJSC, being group companies and contact offices of Emaar Group (“Emaar Group”) on protection of Special Quality Personal Data and;- Personal data refers to: all kinds of information on real persons, identified or can be identified;
- Special Quality Personal Data refers to: race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures etc. data and biometric and genetics data of people;
- Processing Special Quality Personal Data refers to: all kinds of transactions conducted on Special Quality Personal Data partially or completely such as acquisition, record, storage, maintain, alteration, re-arrengement, disclosure, transfer, take-over, making acquirable, classification or prevention of usage by automatic or non-automatic means, provided that being a part of any data recording system;
- Data Controller refers to: any legal or real person determining personal data processing tools and purposes and responsible for installation and management of data recording system or any Emaar Group company;
- Data Processor refers to: any Emaar Group company or any real or legal person processing personal data basing on the authority granted by and on behalf of Emaar Group company;
- Data Owner refers to: real person being subject matter of personal data;
- Data Recording System refers to: recoding system processing personal data utilized by any Emaar Group company by configuring personal data according to the criteria determined;
- Board refers to: Board of Protection of Personal Data;
- Institute refers to: Institute of Protection of Personal Data;
- Code refers to: Code on Personal Data Protection which was published in the Official Gazette with 29677 number on April 7, 2016;
- Verdict refers to: the verdict of Board related to measures required to be taken by data controller during processing of Special Quality Personal Data pursuant to 31.01.218 dated and 2018/10 numbered Code Article 6 (4) and 22 (1).
In terms of employees during processing
Data policy to be implemented by Emaar Group during processing of Special Quality Personal Data in terms of Employees (“Employees”) is as follows:- Providing trainings on security of Personal Data to employees two times in a year within the scope of related legislation;
- Entering into confidentiality agreement with employees;
- Clear definition of scope and period of powers of employees;
- Controlling powers of employees periodically by Emaar Group;
- In case of changing position or ceasing employment, release of authorities immediately by Emaar Group.
In terms of place of storage
Data policy to be implemented by Emaar Group in terms of electronic environments where Special Quality Personal Data is processed, stored and/or accessed is as in the following:- Maintaining related data through cryptographic methods and keeping cryptographic keys in safe and different areas;
- Logging transaction records of motions actualized on related data in safe manner;
- Regular controls on security updates of environments including related data, performance of security tests two times in a year regularly and recording test results;
- Authorizing users concerning the data accessed by means of a software, performance of security tests associated with these software two times in a year regularly and recording test results;
- Providing two-stage verification system related to the data remote accessed.
- Taking adequate safety precautions according to the property of physical environment;
- Preventing unauthorized entrance and exit to provide security of physical environment.
With regard to the Transfer
Processing and transfer of Special Quality Personal Data is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:- Personal Data not associated with health and sexual life can be processed without seeking for explicit consent of related person in the events foreseen in codes.
- Personal Data on health and sexual life can only be processed by authorized institutions and organizations or people under confidential obligation without requiring explicit consent of the concerned people for purposes of protection of public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of financing and health services.
- If related data will be transferred via electronic mail, transfer shall be carried out by using registered electronic mail or corporate electronic mail cryptically;
- If related data will be transferred via flash memory, CD, DVD etc. VPN shall be installed between servers or sFTP method shall be used;
- If related data shall be transferred in printed form, necessary precautions shall be taken against steal, loss or unauthorized observation and the document shall be sent with “confidential documents” format.
EMAAR GROUP POLICY ON DEMOLITION OF PERSONAL DATA
Objective
The objective of this Demolition Policy (“Demolition Policy”) is to perform methods and responsibilities on deletion, demolition and anonymization of personal data in Emaar Group in compliance with legislation on protection of related personal data and Emaar Group’s Policy on Protection of Personal Data, particularly, 6698 numbered Code on Protection of Personal Data (“CPPD”), Directive on deletion, demolition and anonymization of personal data (“Directive”).
Scope of Demolition Policy
Grounds and methods to be followed in preparation for anonymization, deletion or demolition of personal data are approached within the scope of this policy.Definition and concepts
- Demolition refers to: process of deletion, demolition and anonymization of personal data in a manner that those cannot be utilized afterwards.
- Deletion refers to: the process of making personal data processed by automatic means partially or wholly or maintained in digital environment in a manner that those cannot be used or accessed again by related users.
- Related user refers to: the users processing personal data within the direction of power and instruction taken from Emaar Group or within the organization of Emaar Group apart from the person or unit responsible for storage, protection and backup of personal data technically.
Method for Demolition of Personal Data
The method of deletion was adopted for demolition of personal data held in the body of Emaar Group among the demolition methods within the scope of directive. An access power and control matrix will be established by Emaar Group [IT / Department of Information Technologies] regarding the personal data held in the body of Emaar Group for deletion procedures, and the people having the power of access and control of each personal data in question will be determined (“related user/s”).Basic principles on Demolition of Personal Data
The personal data held in the body of Emaar Group shall be deleted in 3 months at the latest after disappearing of the reason for processing each personal data. In any case, Emaar Group IT / Department of Information Technologies shall scan all personal data held in the body of Emaar Group in yearly periods and personal data that are required to have been deleted but mistakenly conserved shall immediately be deleted. The process to be followed in deletion of personal data held in the body of Emaar Group is as follows:- Determination of the personal data to be subjected to deletion;
- Determination of related users for each personal data by using access power and control matrix;
- Determination of powers and methods of related users such as access, return and reusage; and
- Closing and removal of powers and methods of related users such as access, return and reusage within the scope of personal data.
Changes to be made on Demolition Policy
Emaar Group may make alterations in this Demolition Policy from time to time to the extent its activities require and required by law. Aforementioned alterations will gain validity upon sharing altered Demolition Policy text on “http://www.emaarsquaremall.com”, “http://www.emaarakvaryum.com” and “https://tr.emaar.com”. Moreover, customers, employees and authorities shall be informed on the alterations to be made by means of electronic mail.INFORMATION ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
As Emaar, we attach importance to the privacy and security of your personal data. In this context, as Emaar Libadiye Gayrimenkul Geliştirme A.Ş. (“Emaar” and/or the “Company“) in the capacity of Data Supervisor with this Clarification Text (“Clarification Text“), we would like to inform you about the processing of your personal data in accordance with the provisions of the relevant legislation in force (“Legislation“), especially the Law on the Protection of Personal Data No.6698 (“KVKK“) and the Law on the Regulation of Electronic Commerce No.6563 (“ETK“). You may find further information about the purposes of processing your personal data from the Emaar Group Personal Data Protection Policy at “https://tr.emaar.com”Your Processed Personal Data, Processing Purposes and Legal Reason
Your identity data (name, surname), contact data (mobile phone number, e-mail address) and location and processing security information (consent records, IP address, pixel tags, clickstream, traffic data) will be processed in accordance with Paragraph 2 of the Article 5 of KVKK based on the legal reasons of, (i) “It is clearly stipulated in the laws”, (ii) “It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or execution of a contract” and (iii) “Data processing is mandatory for the establishment, exercise or protection of a right.” within the scope of the following purposes:- If you request a product/service within the scope of the real estate in the Emaar portfolio, our Company’s making you an offer and provide information in accordance with your request, and carry out studies in order to fulfill your request and communicate with you in this context,
- Our company’s fulfilling its administrative and legal obligations within the scope of all applicable legal regulations,
- Conducting our business relations within our company, with our affiliates, business partners and third parties with whom we have business relations, ensuring the legal and commercial security of the said persons, following legal processes and establishing, using and protecting the rights arising from the legislation.
- Identifying potential buyers/tenants in terms of real estate in the Emaar portfolio and conducting targeted marketing activities for these customers,
- Determining the commercial and business strategies of our company, conducting our customer services/relations and evaluating your satisfaction and conducting statistical studies in this context,
- If you give permission, communicating with you in any way regarding real estate in the Emaar portfolio through your contact information, and informing, transferring data and information for promotional and marketing purposes via telephone, SMS (short message), e-mail and digital channels,
- Keeping statistics on customers in order to increase efficiency in terms of sales, marketing and customer service.