PRIVACY POLICY

EMAAR GROUP POLICY ON PROTECTION OF PERSONAL DATA

Objective of Policy on Personal Data Protection 

Hereby this Policy on Protection of Personal Data (“Policy”), sets forth the approach of Emaar Libadiye Gayrimenkul Gelistirme Co.Inc., Emaar Properties Gayrimenkul Gelistirme Co. Inc., Emaar Gayrimenkul Gelistirme Co. Inc., Emaar Properties PJSC, being group companies and contact offices of Emaar Group (“Emaar Group”) on protection of personal data and;
  • Personal data refers to: all kinds of information on real persons, identified or can be identified;
  • Processing Personal Data refers to: all kinds of transactions conducted on personal data partially or completely such as acquisition, record, storage, maintain, alteration, re-arrangement, disclosure, transfer, take-over, making acquirable, classification or prevention of usage by automatic or non-automatic means, provided that being a part of any data recording system;
  • Special Quality Personal Data refers to: race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and data relating to security measures and biometric and genetics data of people;
  • Data Controller refers to: any legal or real person determining personal data processing tools and purposes and responsible for installation and management of data recording system or any Emaar Group company;
  • Data Processor refers to: any Emaar Group company or any real or legal person processing personal data basing on the authority granted by and on behalf of Emaar Group company;
  • Data Owner refers to: real person being subject matter of personal data;
  • Data Recording System refers to: recoding system processing personal data utilized by any Emaar Group company by configuring personal data according to the criteria determined;
  • Board refers to: Board of Protection of Personal Data;
  • Institute refers to: Institute of Protection of Personal Data;
  • Code refers to: Code on Personal Data Protection which was published in the Official Gazette with 29677 number on April 7, 2016.
Policy provides details on Personal Data Collected by Emaar Group in terms of
  • Contents and categories;
  • Manner of utilization;
  • People and institutions at home and abroad with which data may be shared;
  • Manner of processing personal data;
  • Conditions of maintaining personal data;
  • Rights of Personal Data owners;
  • Measures taken for the Protection of Personal Data; and aims at informing Personal Data owners on these issues within the context of the activities of Emaar Group.
 

Personal Data collected by Emaar Group and Purpose of Processing These

The objective of Emaar Group is the whole of the purposes determined in registries in which Emaar Group companies are registered. Emaar Group may collect and process the following information, including but not limited to the followings, belong to its customers, employees and authorities in association with its objective:
  • Identity card, driver’s license, passport, residency certificate, birth certificate, marriage certificate etc. identity certificates and copies of those;
  • Health reports, blood type certificate etc. health information;
  • Photograph, video, finger print etc. biometric and genetic data;
  • Phone number, e-mail address;
  • Various information on penal conviction and security measures, including criminal record;
  • Any official documents certifying their signatures;
Purpose and ground of Emaar Group’s Personal Data processing is summarized as follows and Emaar Group commits that it will not go beyond the aforementioned objective and ground in terms of Personal Data processing;The objective of personal data collection is provided in the following: For commercial partners: Without prejudice to the exceptions in Code on Protection of Personal Data (CPPD) art. 5(2)(c),
  • Using the data obtained beforehand in subsequent transactions;
  • Resolution of Commercial Disputes;
  • Saving time;
  • Transmitting data to abroad or domestic servers with the aim of providing data security;
  • Data backup;
  • External and internal audit, accounting, tax counselling;
  • Intragroup data transfer;
  • BT, translation, legal consultancy services;
  • Forward planning;
  • Keeping statistics;
  • Follow-up of previous studies;
  • Ensuring order and control, management and harmony in work place;
  • Archiving data acquired from office activities;
  • Facilitating the operation of recruitment process.
 

Data Collection Methods

Emaar Group shall collect the personal data by means of the methods specified in the following:
  • E-mail, Fax, Phone, Mail, Courier, Hand delivery.
 

Permission for Processing and Transfer

Domestic Processing and Transfer:

Emaar Group’s processing personal data of related people at home and transfer of these to real or legal third parties is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:
  • Explicitly foreseen in codes;
  • Obligated for protection of his/her or others’ life or bodily integrity of any person who cannot grant consent due to actual impossibility or whose consent is not valid legally;
  • Provided that it is directly related with drawing up or execution of a contract, necessity of processing Personal Data belong to the parties of the contract;
  • Obligated for the performance of legal liabilities of Emaar Group or other Data Controller;
  • Made public by related person;
  • Data processing’s being obligated for establishment, utilization or protection of a right;
  • Data processing’s being obligated for legitimate interests of Emaar Group or other Data Controller provided that it does no harm to fundamental rights and freedoms of related person.
 

Processing and Transfer of Special Quality Personal Data:

Processing and transfer of Special Quality Personal Data is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:
  • Personal Data not associated with health and sexual life can be processed without seeking for explicit consent of related person in the events foreseen in codes.
  • Personal Data on health and sexual life can only be processed by authorized institutions and organizations or people under confidential obligation without requiring explicit consent of the concerned people for purposes of protection of public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of financing and health services.
 

Proceesing and Transfer Abroad:

In associated with the partners and employees of Emaar Group, domestic processing of related personal data and transfer of these to real or legal third parties is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:
  • In case of presence of the provisions specified in 4.a and 4.babove and in addition to these;
  • Presence of adequate protection in the foreign country to which Personal Data will be transferred;
    • as determined and declared by Board;
    • In the event that adequate protection is not available, data controllers in Turkey and related foreign country shall undertake sufficient protection in writing and Council shall grant permission.
Furthermore, Personal Data can be transferred to foreign countries, without prejudice to the provisions of international convention, in the cases when interest of related person or country will severely get harmed, with the permission of the Board by receiving opinion of related public institution or organization.  

Security of Personal Data

Emaar Group shall provide security of Personal Data to actualize following purposes and take all kinds of technical and administrative measures required for fulfilling convenient security level to achieve these purposes:
  • to prevent processing of Personal Data contrary to law;
  • to prevent illegal access to Personal Data;
  • to provide conservation of Personal Data.
Emaar Group companies are jointly responsible for taking measures specified in5.a together with Data Processors, in the event that personal data is processed by any other legal or real third party on behalf of group companies. Emaar Group companies has to carry out necessary audits or have these audits done within its institution or organization with the purpose of ensuring performance of provisions of Code. Data Controllers and Data Processors cannot disclose the Personal Data they are informed of to others contrary to law and cannot use these beyond the purpose of processing. This obligation also continues after resignation. In the event that processed Personal Data is acquired by others in illegal manners, Emaar Group companies shall notify this issue to concerned party and Board in the soonest time. If deemed necessary, Board may declare this issue on its website or by any other means considered appropriate.  

Rights Associated with Personal Data

Everybody has the following rights related to them by applying to Emaar Group companies.
  • Learning whether their Personal Data is processed or not;
  • Requesting information on it if their Personal Data is processed;
  • Learning the purpose of processing of their Personal Data and whether these data are used for the purpose or not;
  • Learning about the third parties at home or abroad to whom their Personal Data is transferred;
  • Requesting correction in case of misprocessing or underprocessing of Personal Data;
  • Requesting deletion or demolition of Personal Data within the scope of 7th article of the Code;
  • 6.a.v And requesting notification of the procedures conducted pursuant to6.a.vi section to the third parties to whom Personal Data is transferred;
  • Objecting to emergence of result against concerned person by means of analysing processed Personal Data exclusively through automatic systems, and
  • Requesting compensation of damages, in case of suffering from any loss because of illegal processing of Personal Data.
It is required for usage of aforementioned rights that the request in question regarding Personal Data shall be submitted to following communications in writing together with the information that provide identification of related person:  

Measures for the Protection of Personal Data and Conserving these Correctly and Currently

Emaar Group preserves Personal Data in correct and current manner by means of the methods specified in the following: Emaar Group conserves Personal Data in correct and current manner within the scope of following methods:
  • Daily backups;
  • Firewall;
  • Anti-virus programs and administrative limitations.
 

Alterations to be conducted in the Policy on Personal Data Protection

Emaar Group may make alterations in this Policy from time to time to the extent its activities require and required by law. Aforementioned alterations will gain validity upon sharing altered Policy text on “http://www.emaarsquaremall.com”, “http://www.emaarakvaryum.com” and “https://tr.emaar.com”. Moreover, customers, employees and authorities shall be informed on the alterations to be made by means of electronic mail.
   

EMAAR GROUP POLICY ON PROTECTION OF SPECIAL QUALITY PERSONAL DATA

Objective

Hereby this Policy on Protection of Special Quality Personal Data (“Policy”), sets forth the approach of Emaar Libadiye Gayrimenkul Gelistirme Co.Inc., Emaar Properties Gayrimenkul Gelistirme Co. Inc., Emaar Gayrimenkul Gelistirme Co. Inc., Emaar Properties PJSC, being group companies and contact offices of Emaar Group (“Emaar Group”) on protection of Special Quality Personal Data and;
  • Personal data refers to: all kinds of information on real persons, identified or can be identified;
  • Special Quality Personal Data refers to: race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal convictions and security measures etc. data and biometric and genetics data of people;
  • Processing Special Quality Personal Data refers to: all kinds of transactions conducted on Special Quality Personal Data partially or completely such as acquisition, record, storage, maintain, alteration, re-arrengement, disclosure, transfer, take-over, making acquirable, classification or prevention of usage by automatic or non-automatic means, provided that being a part of any data recording system;
  • Data Controller refers to: any legal or real person determining personal data processing tools and purposes and responsible for installation and management of data recording system or any Emaar Group company;
  • Data Processor refers to: any Emaar Group company or any real or legal person processing personal data basing on the authority granted by and on behalf of Emaar Group company;
  • Data Owner refers to: real person being subject matter of personal data;
  • Data Recording System refers to: recoding system processing personal data utilized by any Emaar Group company by configuring personal data according to the criteria determined;
  • Board refers to: Board of Protection of Personal Data;
  • Institute refers to: Institute of Protection of Personal Data;
  • Code refers to: Code on Personal Data Protection which was published in the Official Gazette with 29677 number on April 7, 2016;
  • Verdict refers to: the verdict of Board related to measures required to be taken by data controller during processing of Special Quality Personal Data pursuant to 31.01.218 dated and 2018/10 numbered Code Article 6 (4) and 22 (1).
Policy pursues the goal of determination of the systems directed on security of related data during processing Special Quality Personal Data collected by Emaar Group.  

In terms of employees during processing

Data policy to be implemented by Emaar Group during processing of Special Quality Personal Data in terms of Employees (“Employees”) is as follows:
  • Providing trainings on security of Personal Data to employees two times in a year within the scope of related legislation;
  • Entering into confidentiality agreement with employees;
  • Clear definition of scope and period of powers of employees;
  • Controlling powers of employees periodically by Emaar Group;
  • In case of changing position or ceasing employment, release of authorities immediately by Emaar Group.
 

In terms of place of storage

Data policy to be implemented by Emaar Group in terms of electronic environments where Special Quality Personal Data is processed, stored and/or accessed is as in the following:
  • Maintaining related data through cryptographic methods and keeping cryptographic keys in safe and different areas;
  • Logging transaction records of motions actualized on related data in safe manner;
  • Regular controls on security updates of environments including related data, performance of security tests two times in a year regularly and recording test results;
  • Authorizing users concerning the data accessed by means of a software, performance of security tests associated with these software two times in a year regularly and recording test results;
  • Providing two-stage verification system related to the data remote accessed.
Data policy system to be implemented by Emaar Group in terms of physical environments where Special Quality Personal Data is processed, stored and/or accessed is as in the following:
  • Taking adequate safety precautions according to the property of physical environment;
  • Preventing unauthorized entrance and exit to provide security of physical environment.
 

With regard to the Transfer

Processing and transfer of Special Quality Personal Data is only possible with explicit consent of related people and can only be actualized in case of following conditions, if explicit consent is not provided:
  • Personal Data not associated with health and sexual life can be processed without seeking for explicit consent of related person in the events foreseen in codes.
  • Personal Data on health and sexual life can only be processed by authorized institutions and organizations or people under confidential obligation without requiring explicit consent of the concerned people for purposes of protection of public health, preventive medicine, medical diagnosis, carrying out treatment and care services, planning and management of financing and health services.
If Special Quality Personal Data will be transferred within the body of Emaar Group, the data policy to be implemented is as in the following:
  • If related data will be transferred via electronic mail, transfer shall be carried out by using registered electronic mail or corporate electronic mail cryptically;
  • If related data will be transferred via flash memory, CD, DVD etc. VPN shall be installed between servers or sFTP method shall be used;
  • If related data shall be transferred in printed form, necessary precautions shall be taken against steal, loss or unauthorized observation and the document shall be sent with “confidential documents” format.

EMAAR GROUP POLICY ON DEMOLITION OF PERSONAL DATA

Objective

The objective of this Demolition Policy (“Demolition Policy”) is to perform methods and responsibilities on deletion, demolition and anonymization of personal data in Emaar Group in compliance with legislation on protection of related personal data and Emaar Group’s Policy on Protection of Personal Data, particularly, 6698 numbered Code on Protection of Personal Data (“CPPD”), Directive on deletion, demolition and anonymization of personal data (“Directive”).

Scope of Demolition Policy

Grounds and methods to be followed in preparation for anonymization, deletion or demolition of personal data are approached within the scope of this policy.

Definition and concepts

  • Demolition refers to: process of deletion, demolition and anonymization of personal data in a manner that those cannot be utilized afterwards.
  • Deletion refers to: the process of making personal data processed by automatic means partially or wholly or maintained in digital environment in a manner that those cannot be used or accessed again by related users.
  • Related user refers to: the users processing personal data within the direction of power and instruction taken from Emaar Group or within the organization of Emaar Group apart from the person or unit responsible for storage, protection and backup of personal data technically.

Method for Demolition of Personal Data

The method of deletion was adopted for demolition of personal data held in the body of Emaar Group among the demolition methods within the scope of directive. An access power and control matrix will be established by Emaar Group [IT / Department of Information Technologies] regarding the personal data held in the body of Emaar Group for deletion procedures, and the people having the power of access and control of each personal data in question will be determined (“related user/s”).

Basic principles on Demolition of Personal Data

The personal data held in the body of Emaar Group shall be deleted in 3 months at the latest after disappearing of the reason for processing each personal data. In any case, Emaar Group IT / Department of Information Technologies shall scan all personal data held in the body of Emaar Group in yearly periods and personal data that are required to have been deleted but mistakenly conserved shall immediately be deleted. The process to be followed in deletion of personal data held in the body of Emaar Group is as follows:
  • Determination of the personal data to be subjected to deletion;
  • Determination of related users for each personal data by using access power and control matrix;
  • Determination of powers and methods of related users such as access, return and reusage; and
  • Closing and removal of powers and methods of related users such as access, return and reusage within the scope of personal data.
Emaar Group IT / Information Technologies Department shall take all kinds of technical and administrative precautions to make deleted personal data inaccessible and not usable again by related user. Emaar Group IT / Information Technologies Department may delete or demolish personal data upon disappear of the reasons for processing data referring to its own decision or upon request of personal data owner, despite the fact that those data are processed complying with the provisions of related code. All kinds of procedures conducted in association with deletion, demolition or anonymization of personal data is recorded by Emaar Group IT / Information Technologies Department and aforementioned records are withheld for at least three years excluding other legal liabilities.

Changes to be made on Demolition Policy

Emaar Group may make alterations in this Demolition Policy from time to time to the extent its activities require and required by law. Aforementioned alterations will gain validity upon sharing altered Demolition Policy text on “http://www.emaarsquaremall.com”, “http://www.emaarakvaryum.com” and “https://tr.emaar.com”. Moreover, customers, employees and authorities shall be informed on the alterations to be made by means of electronic mail.

DECLARATION ON EXPLICIT CONSENT FOR PROTECTION OF PERSONAL DATA WITH REGARDS TO CUSTOMERS

Hereby this Explicit Consent declaration (“Declaration”) was issued by [●] (“Data Owner”), citizen of [●], residing at [●] and with [●] T.R. identity number.

SUBJECT

The subject matter of this declaration organizes rights and liabilities of Emaar Group and explicit consent of Data Owner, being the customer of the group, concerning processing of personal data within the scope of related legislation on protection of personal data, notably 6698 numbered Code on Protection of Personal Data published in 29677 numbered and April 7, 2016 dated Official Gazette with respect to personal data that data owner shared with Emaar Group.

DATA WITHIN THE SCOPE OF EXPLICIT CONSENT

Explicit consent of customers on processing personal data covers the personal data of the customers, including the followings:
  • Identity card, driver’s license, passport, residency certificate, birth certificate, marriage certificate etc. identity certificates and copies of those;
  • Personal information such as interests, hobbies, age, number of children, supported team etc.
  • All kinds of contact information such as address, telephone, e-mail, workplace etc.
  • Photograph and video records shot during shooping, culture and entertainment and other activities or for security purposes.

COMMITMENTS AND LIABILITIES OF THE GROUP

Purpose and ground of Emaar Group’s Personal Data processing is to conduct activities conducted with customers by Emaar Group companies and it commits that it will not go beyond the aforementioned objective and ground in terms of Personal Data processing and it will transfer the personal data of the customers only to institutions and organizarions such as banks, insurance companies and private security companies. Emaar Group preserves Personal Data in correct and current manner for 5 years by means of the current technological methods. In the event that the reasons requiring processing data are disappeared, Emaar Group will delete or anonymize the personal data ex officio or upon request of the customer.