General Data Protection GDPR - Emaar Aquarium and Underwater Zoo

EMAAR TURKEY

PERSONAL DATA PROTECTION AND PROCESSING POLICY 2026

INTRODUCTION

Protection of personal data has utmost importance for Emaar Libadiye Gayrimenkul Geliştirme A.Ş. (“Company” and/or “Emaar Turkey”) and it is one of the most important priorities of our Company. As a Company, we do not only consider protection and processing of personal data in terms of our compliance with the applicable legislation, but we also strive to place human-being and humane values at the basis of our approach. Based on this awareness, we are fully taking any and all administrative and technical measures for the protection and processing of personal data in line with the Law on Protection of Personal Data No. 6698 (“KVK Law”). This Personal Data Protection and Processing Policy (“Policy”) aims to make explanations about the personal data processing activities executed by Emaar Turkey in accordance with the law and relevant purpose and about the systems adopted for the protection of personal data and clarifies which of the processed data are considered as personal data by Emaar Turkey and which data are stored; what are the specific administrative and technical measures taken for the protection of personal data; what kind of information is provided for the clarification of personal data owners and what kind of measures are taken in sharing personal data with the third persons and finally, attempts to inform our employee candidates, company’s shareholders, company’s authorized representatives, our visitors, suppliers’ representatives and employees, representatives and personnel of our business partners, our customers, potential customers, our web site visitors and other third persons for assuring transparency and availability in our operations.

1 Table of Contents

GENERAL EXPLANATIONS…………………………………………………………………………3
PROCESSING OF PERSONAL DATA……………………………………………………………….5.
CATEGIORIZATION OF THE PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSES OF PROCESSING AND DURATION OF SAFE KEEPING PERSONAL DATA…………6

TRANSFER OF PERSONAL DATA AND SENSITIVE PERSONAL DATA……………………..24
THIRD PERSONS TO WHOM PERSONAL DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER…………………………………………………………………………………………………..30.
RIGHTS AND OBLIGATIONS ARISING FROM PERSONAL DATA ………………………….33.
SAFE KEEPING OF PERSONAL DATA AND TECHNICAL AND ADMINISTRATITVE MEASURES TAKEN IN ORDER TO PREVENT ILLEGAL PROCESSING AND ACCESSING OF PERSONAL DATA………………………………………………………………………………………….37.
DELETION, DESTRUCTION AND MAKING ANONYMOUS OF PERSONAL DATA………..
TIME PERIODS FOR SAFE KEEPING AND DESTROYING PERSONAL DATA …………….49.
OUR DEPARTMENT IN CHARGE OF PROTECTION, PROCESSING AND DESTRUCTION OF PERSONAL DATA…………………………………………………………………………………………….51.
RECORDING ENVIRONMENTS………………………………………………………………………55.

1. GENERAL EXPLANATIONS

1.1 Scope and Purpose of the Policy

This Policy is prepared about all personal data of real persons that are processed by automated means or non-automated means provided that it is part of a data recording system, including personal data of our employee candidates, company’s shareholders, company’s authorized representatives, our visitors, representatives, shareholders and personnel of those entities with which we cooperate, our customers, potential customers, our web site visitors and other third persons.

Below mentioned assets used in the processing and storage of personal data in Emaar Turkey and all processes for these assets shall be within the scope of this Policy:

All printed or written documents and files containing personal data;
All applications containing personal data; and
All databases containing personal

Therefore, this Policy is related to the personal data collected with the consent of our employee candidates, company’s shareholders, company’s authorized representatives, our visitors, representatives, shareholders and personnel of those entities with which we cooperate, our customers, potential customers, our web site visitors and other third persons, which are processed in part on in whole by automated means or non-automated means provided that it is part of any data recording system. Data that became anonymous and that could not be identified such as data obtained for statistical evaluations and procedures, which do not contain any personal data and data relating to legal entities shall not be considered as personal data and shall not be subject to this Policy.

Scope of application for this Policy prepared in relation to the personal data owner groups included in above mentioned categories may be the whole Policy or certain provisions of it.

Although this Policy is applicable for the real persons whose personal data are processed by Emaar Turkey in part on in whole by automated means or non-automated means provided that

it is part of any data recording system, any issues related to the protection of the personal data of Emaar Turkey personnel will be separately arranged in the “Policy for Protection and Processing of Personal Data of Emaar Turkey Employees”.

1.2 Implementation of the Policy and Applicable Legislation

Relevant legal arrangements that are in effect in connection with the processing and protection of personal data including specifically KVK Law will be implemented hereunder. In the event of a contradiction between the provisions of the applicable legislation and this Policy, Emaar Turkey agrees to implement the applicable legislation.

As Emaar Turkey, we are taking all administrative and technical measures to assure proper protection of personal data that are processed as per KVK Law.

In the processing of personal data,, we have adopted the following principles: (i) Processing personal data in accordance with law and rules of honesty, (ii) keeping personal data accurate and updated, (iii) Processing personal data for definite, clear and legitime purposes, (iv) Processing personal data only in connection with and limited to the relevant processing purpose and on a reasonable basis, (v) keeping personal data for such time required under the applicable legislation or for the time necessary under the relevant purpose of processing, (vi) Clarifying and informing the owner of personal data, (vii) creating the technical and administrative infrastructure required for the personal data owner in exercising their rights, (viii) taking necessary technical and administrative measures for the safe storage of personal data, (ix) acting in compliance with the applicable legislation and arrangements made by the Personal Data Protection Board in the transfer of personal data to the third persons in line with the requirements of the purpose of processing personal data, (x) Acting with special care and diligence during processing of sensitive personal data.

As a consequence, this Policy represents Emaar Turkey’s attempts to make concrete arrangements about personal data in line with the rules set forth the in the applicable legislation.

1.3 Effectiveness of the Policy

This policy has been published and made accessible to the public on its internet site by Emaar Turkey. Emaar Turkey reserves the right to revise this Policy in parallel to the legal arrangements. You may access to the current version of this Policy at the official web site of Emaar Turkey: (https://tr.emaar.com/tr/)

2. PROCESSING OF PERSONAL DATA

In order to ensure lawful processing of personal data, Emaar Turkey will take technical and administrative measures after taking into consideration technological capabilities available to it and costs of implementation. The employees are informed and their undertakings are obtained that they are not entitled to disclose to others or use for any purpose other than the intended purpose of processing any of the personal data they learned contrary to the provisions of KVK Law and that this obligation will survive after termination of their employment relationship with the Company. Personal data processing activity of Emaar Turkey includes all kinds of transactions made on the date by automated, semi-automated or non-automated means without any restriction.

Thus, this Policy aims to enhance the awareness of our business partners and suppliers and similar data processing entities about prevention of unlawful processing and accessing of personal data and ensuring lawful storage / safe keeping of personal data.
Obligations that Emaar Turkey must comply with in its capacity as data controller while processing personal data and the obligation to comply with the legal, administrative and technical measures developed by Emaar Turkey for that purpose are imposed to the data processing entities such as our suppliers and business partners depending on the nature of the specific data processing activity undertaken by them.
Emaar Turkey is taking technical and administrative measures depending on the technological capabilities available to it and costs of implementation in order to ensure keeping of personal data in safe environments and prevent illegal destruction, loss or alteration of personal data.
In line with article 12 of KVK Law, Emaar Turkey conducts or causes conduct of necessary audits. Results of these audits are reported and necessary corrective actions are taken in order to improve these measures.
In line with article 12 of KVK Law, Emaar Turkey maintains a system enabling informing of the relevant personal data owner and KVK Board as soon as possible after illegal obtaining of personal data by others.

Personal data processing activity carried out by Emaar Turkey includes all kinds of transactions made on the date by automated, semi-automated or non-automated means without any restriction. In other words, personal data processing activity encompasses obtaining or collecting personal data from the data owners or third parties for the purpose of transferring, distributing or making available by different means, grouping or consolidation, blocking, deletion on destruction of personal data and includes photographing, audio recording, video recording, organization, storage, alteration, restoring, retrieving or explanation, obtaining by automated means or by non-automated means provided that they are part of data recording system, recording, safe keeping, maintaining, changing, rearrangement, disclosure, transfer, transfer to abroad, acquisition, rendering retrievable, classification or preventing use of personal data.

3. CATEGORIZATION, PROCESSING PURPOSES AND STORAGE TIME OF THE PERSONAL DATA PROCESSED BY OUR COMPANY

3.1 Categorization of Personal Data

In line with the legitimate and lawful purposes of processing personal data by Emaar Turkey; based on and limited to one or several of the personal data processing conditions set forth in article 5 of KVK Law and in compliance with the general principles set forth under KVK Law and with all obligations set out in KVK Law including specifically those principles set out in article 4 of KVK Law concerning processing of personal data and only on limited basis with the subjects defined in this Policy (employee candidates, company’s shareholders, company’s authorized representatives, our visitors, representatives, shareholders and personnel of those

entities with which we cooperate, our customers, potential customers, our web site visitors and other third persons), personal data included in the below mentioned categories will be processed by informing relevant persons as required under article 10 of KVK Law:

Personal Data Owners

Personal Data Owner Category	Explanation
Employee Candidates	Real persons who made a job application to Emaar Turkey and presented their CV or relevant information to the review of our Company.
Company’s Authorized Representatives	Board members and other authorized real persons of Emaar Turkey.
Visitors	All real persons who entered into or who visited the physical premises owned by Emaar Turkey for any purpose whatsoever.
Employees, Shareholders and Representatives of the Entities with which We Cooperate	Real persons working for the companies with which Emaar Turkey maintains business relationships (including but not limited to business partner, supplier etc.) including shareholders and representatives of these companies.
Representatives and Employees of the Suppliers	Real persons such as shareholders, representatives and employees of the suppliers.

Representatives and Employees of the Business Partners	Real persons such as shareholders, representatives and employees of the business partners.
Customers/Guests	Real persons purchasing the products and services provided by our Company (including accommodation services) irrespective of whether they have a contractual relationship with Emaar Turkey or not.
Potential Customers	Real persons who demanded and who were interested in using our products and services or who were evaluated to have such interest in line with commercial practices and rules of honesty.
Members	Real persons who became member for the relevant service by concluding a membership contract in order to enjoy the services provided by Emaar Turkey.
Potential Members	Real persons who demanded and who were interested in using our products and services or who were evaluated to have such interest in line with commercial practices and rules of honesty.
Web Site Visitors	Real persons visiting the web site of Emaar Turkey.

Third Persons

Other real persons whose personal data are processed by Emaar Turkey.

Categorization of Personal Data and Relevant Data Owners

PERSONAL DATA CATEGORIZATION

PERSONAL DATA CATEGORIZATION EXPLANATION

PERSONAL DATA OWNER CATEGORIZATION

Identity details

Driving license, identity card, passport or similar document including information such as name-surname, TR Identity Number, nationality, name of parents, birth place, birth date, sex and tax number, SGK number, sample signature, plate number of the motor vehicle etc.

Our employee candidates, company’s shareholders,

company’s authorized representatives, our visitors, representatives, shareholders and personnel of those entities with which we cooperate, our customers, potential customers, our web site visitors and other third persons.

Contact details

Information such as phone number, address, e-mail, IP address etc.

Our employee candidates, company’s shareholders,

Customer details

Name-surname, TR Identity Number, nationality, birth date, sex, credit card details, passport number, phone number, e-mail address, notification address.

Our customers and potential customers

Customer Transaction Details

Records kept about our customers included in our data recording system during purchasing our products and services; information obtained from the instructions given on purchases; personal data processed for the purpose of customization of our products and services based on the usage and purchasing habits and in line with the preferences and needs of the personal data owner who purchased and/or used our products and services and any reports and evaluations prepared as a result of these personal data processing activities.

Our customers, potential customers

Location Data

Information about the position of the site, IP address and location data relating to the operations executed by the

Our candidate employees, visitors, customers, potential customers, web site visitors and other third persons

	business departments of Emaar Turkey.
Close Relative Details	Personal data belonging to the family members of the data owner which are processed in order to protect lawful and other benefits of Emaar Turkey and the personal data owner in relation to the operations executed by the business departments of Emaar Turkey.	Our employees
Membership details	Name-surname, TR Identity Number, blood type, birth date, sex, credit card and/or bank card details, passport number, phone number, e-mail address, notification address, invoice details.	Our members
Financial information	Personal data processed and contained on the documents, records and information arising from the financial consequences created depending on the type of legal relationship established by Emaar Turkey with the personal data owner and bank account number, IBAN Number, credit card details, financial profile,	Our employees, our customers

	wealth information, income details etc.
Video/audio information	All kinds of photos and camera records (except for the records taken for the security of the physical premises), audio records, data contained on the copies of the documents including personal data.	Our employee candidates, company’s shareholders, company’s authorized representatives, our visitors, our customers, potential customers and other third persons.
Personnel details	All kinds of personal data processed in order to obtain the information that will serve as basis in the establishment of personnel rights and benefits (CV, etc.)	Our employees, family members of our employees.
Sensitive Personal Data	Prescription details, physician’s report, results of laboratory analyses and radiology, health report, blood type, genetic data and similar health care data, and religion, membership to associations, nationality, etc.	Our employee candidates, our employees, our customers, potential customers and other third persons.
Demand/Complaint Management Information	Personal data involved in obtaining and evaluation of all kinds of demands and complaints raised against Emaar Turkey.	Our employee candidates, our customers, potential customers, suppliers’ representatives and/or personnel, representatives and/or

		personnel of our business partners and other third persons
Transaction Security Details	Personal data processed in order to ensure technical, administrative, legal and commercial security of both personal data owners and also of Emaar Turkey in the course of trading activities carried out by Emaar Turkey.	Our employee candidates, our customers, potential customers, web site visitors, suppliers’ representatives and/or personnel, representatives and/or personnel of our business partners and other third persons
Physical Site Security Details	Personal data contained in the records taken and documents prepared during entry into and staying inside the physical sites owned by Emaar Turkey and/or leased by Emaar Turkey including camera records, fingerprints, records taken at the security point and similar data.	Our employee candidates, our visitors, our customers and potential customers, suppliers’ representatives and/or personnel, representatives and/or personnel of our business partners and other third persons
Legal Transaction Details	Data processed during determination and follow-up of legal rights and receivables of Emaar Turkey and during payment of its liabilities; and data that may be demanded from Emaar Turkey in order to protect the rights and benefits of the customers; data disclosed to	Our employee candidates, company’s shareholders, Company’s representatives, our visitors, our customers, potential customers, web site visitors, suppliers’ representatives and/or personnel, representatives and/or personnel of our

	the judicial authorities, arbitratos etc. and during fulfillment of legal obligations.	business partners and other third persons
Risk Management Details	Personal data processed with the methods used in line with the generally accepted commercial practices and rules of honesty in order to ensure proper management of commercial, technical and administrative risks.	Our employee candidates, company’s shareholders, Company’s representatives, our visitors, our customers, potential customers, web site visitors, suppliers’ representatives and/or personnel, representatives and/or personnel of our business partners and other third persons
Training Data	Photocopies of diplomas, education status, details of certificates obtained, CV, trainings participated.	Our employee candidates, employees, suppliers’ representatives and/or personnel, representatives and/or personnel of our business partners
Other	Motor vehicle plate numbers, hobbies, accident reports, fuel- oil consumption details, interview notes	Our employee candidates, suppliers’ representatives and/or personnel, representatives and/or personnel of our business partners and other third persons

Principles of Processing of Personal Data

Pursuant to article 5 of KVK Law, personal data may be processed only with the methods and based on the principles set forth in KVK Law and other applicable legislation. Emaar Turkey process personal data with the methods and based on the principles set forth in KVK Law and other applicable legislation and it has been clearly indicated in the KVK Law that principles listed below must be observed in the processing of personal data.

i. Processing of personal data in accordance with the law and rule of honesty

Emaar Turkey executes its personal data processing activities in line with the legal arrangements including specifically Constitution of Republic of Turkey, KVK Law and other applicable legislation and according to the rule of honesty based on a relationship of trust.

ii. Ensuring accuracy and updated status of personal data processed

In the course of its personal data processing activities, Emaar Turkey has designed the systems and processes to ensure accuracy and updated status of the personal data processed. In that regard, Emaar Turkey takes necessary measures to enable personal data owners to correct their personal data and confirm their accuracy.

iii. Processing personal data for definite, clear and legitimate purposes

In line with its obligation of clarification set forth in article 10 of the KVK Law, Emaar Turkey will develop a clear and definitive definition for the relevant personal data processing purpose before starting the personal data processing activity and processes personal data only for clear and lawful purposes.

iv. Processing of personal data in connection with the relevant purpose and on limited and reasonable basis

Emaar Turkey processes personal data in connection with the purpose of providing its services as defined before starting personal data processing activity and only to the

extent required. Emaar Turkey does not carry out any personal data processing activity if it is not related to the relevant purpose or only based on future needs. Thus, processing of personal data is limited to the activities and legal obligations of the Emaar Turkey.

v. Safe keeping personal data for the time period contemplated in the applicable legislation or for the time necessary for the relevant purpose of processing

Emaar Turkey will store personal data for the time period contemplated in the KVK Law and other applicable legislation or for the time needed for the relevant purpose of processing. Therefore, Emaar Turkey will store the personal data for the time period, if any, contemplated in the applicable legislation or for the time needed for the relevant purpose of processing if no such time was given in the legislation. Emaar Turkey will not store any personal data for future possible uses. Emaar Turkey will delete, destroy or make anonymous all personal data at the expiration of this term or once reasons requiring processing cease to exist.

3.3 Processing conditions of personal data

Emaar Turkey will process your personal data with your explicit consent and on a limited basis with the purposes and conditions set forth in the personal data processing conditions defined in the 2^nd paragraph of article 5 and 3^rd paragraph of article 6 of the KVK Law.

However, your personal data will be processed without your explicit consent in the following circumstances.

When processing of personal data is absolutely required by law in connection with the activities of Emaar Turkey,
When processing of personal data is necessary or is directly related to the establishment or performance of a contract by Emaar Turkey,
When processing of personal data is required by Emaar Turkey in the fulfillment of its legal obligations,
Processing of personal data by Emaar Turkey on limited basis for the purpose of making anonymous, which was applicable when you made your personal data anonymous,
When processing of personal data by Emaar Turkey is necessary for the establishment, exercising and preservation of the rights of Emaar Turkey, yourself and third persons,
When processing of personal data is necessary for the legitimate activities of Emaar Turkey provided that no harm is given to your fundamental rights and freedoms,
When processing of personal data by Emaar Turkey is necessary for the protection of life or bodily integrity of the personal data owner or another person and when in such case, personal data owner is incapable of providing its consent due to actual or legal invalidity,

Your special categories of personal data may be processed without your explicit consent, in addition to the conditions stated above, provided that the following conditions are met:

Where it is necessary for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of treatment and care services, as well as the planning, management and financing of healthcare services, by persons under a duty of confidentiality or by authorized institutions and organizations;
Where it is mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance;
Where it relates to foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade-union purposes, provided that it is in compliance with their applicable legislation and objectives, limited to their field of activity, and not disclosed to third parties; and where it concerns their current or former members and affiliates, or persons who are in regular contact with such organizations or formations..

3.4 Purposes of processing personal data

Emaar Turkey will process your personal data for the purposes defined below:

Execution of our internal operations and business activities; ensuring security of Company’s operations and carrying out activities to ensure efficiency, productivity and appropriateness analyses for the business activities,
Execution and management of strategical planning activities and relations with the Business Partners and Suppliers,
Planning and execution of logistics activities,
Ensuring business continuity and planning and execution of corporate management and sustainability activities,
Management, planning and execution of corporate communication activities,
Performance of marketing and promotional activities for the purpose of managing corporate communications,
Activity/event management,
Execution of personnel recruitment (employment) processes by Emaar Turkey,
Execution/follow-up of financial reporting and risk management in Emaar Turkey,
Planning, evaluation and follow-up of procurement activities,
Execution/follow-up of legal affairs in Emaar Turkey,
Making Emaar Turkey web site easier to use
Execution of activities that have legal, technical and administrative consequences; providing information required under the applicable legislation to the competent authorities; activities relating to legal requests and execution of our legal affairs,
Keeping accurate and updated data,
Collection, evaluation and responding to the complaints, questions, demands and suggestions of the personal data owner,
Planning and execution of customer relations management processes,
Planning and/or execution of customer satisfaction activities,
Performance of the obligations arising from the contracts concluded with the customers,
Planning and execution of sales processes for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.),
Follow-up of contractual processes and/or legal requests,
Knowing and developing our communication with our customers,
Performance of traffic measurement, statistical and analytical examinations, profiling/segmentation studies in connection with the sales and marketing activities to be carried out for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.),
Providing better and more secure services to the customer; developing better products and services and providing them on uninterrupted basis,
Making customized suggestions for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.) based on the customer’s preferences, usage habits and requirements,
Compliance with the applicable legislation,
Reputation management,
Demand and complaint management,
Establishment of potential claims for rights and receivables of relevant persons,
Providing information to the competent authorities as required under the applicable legislation,
Creation and follow-up of visitor records,
Ensuring security/safety of Company’s premises, depots and/or offices,
Execution of information security procedures and of the activities relating to the information technology infrastructure,
Planning and execution of emergency management processes and execution of occupational health and/or safety procedures,
Execution of the operations for the group companies and enabling employees to have access to the information,
Preparation and submission of various reports, researches and/or presentations,
Management of social media accounts and Web Site,
Performance of obligations arising from the Law on the Protection of Consumers and other legislation by using channels by or on behalf of our Company including our call center, subsidiaries, internet sites, social media pages etc.,
Execution of marketing, promotion and sales activities for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence ); management of processes involving creation of and/or increasing loyalty for the products and/or services provided by the Company, and execution of market research activities for the sales and marketing of our products and services,
Providing you with better services, various advantages and opportunities; execution of sales and marketing activities and providing necessary information about campaigns, promotions and their terms and conditions; carrying out surveying and customer satisfaction activities; and ensuring/accelerating your buying transactions,
Determining customers that could be potential buyers/lessees for the real properties included in the portfolio of Emaar Turkey and carrying out target-oriented sales and marketing activities for these customers, and
Providing offers to the data owners about special products and services through targeting and re-targeting.

3.5 METHOD OF COLLECTION OF YOUR PERSONAL DATA

Personal data of the persons whose data are processed under this Policy will be collected for the purposes presented in this Policy and defined before through preliminary sale forms, application forms, request forms, preliminary sale change notification forms, information forms, sale promise contracts, reports and powers of attorney to be exchange physically or through references, or in offices and other physical environments in which contact with business partners or agencies and other subcontractors is possible and/or through all kinds of channels including but not limited to our Company/our internet site/call center / business partners or suppliers, contracted entities, market research companies, companies or software used for traffic and customer satisfaction measurements, and further including written mails or electronic mails, short message (SMS), Web Site and other mobile applications, online and physical application forms, proposals, communication forms, call center, switchboard and tele-secretary services, complaint management systems, marketing automations, customer relations management systems, closed circuit camera systems (CCTV), audio and video recording devices, social media and other public platforms, Facebook, Pixel, Google products and similar cookies applications.

Personal data that you directly provided us: These personal data includes all personal data provided to Emaar Turkey by employee candidates, company’s shareholders, company’s authorized representatives, our visitors, suppliers’ representatives and employees, representatives and personnel of our business partners, our customers, potential customers, our web site visitors and other third persons such as name-surname, contact details, identity details, responses given to surveys, demographic data and content data.
Personal data that we obtain when you use our Web Site: These are the personal data relating to the usage habits of our Web Site visitors and other third persons, which are collected through software or other technological means, such as location data and frequently used sites, areas of interest and usage You may exercise/change your powers relating to such data by using the settings on your mobile device.
Emaar Turkey is entitled to correlate the behaviors of the users of our Web Site by using a cookie available on the browser and define remarketing lists that take as a basis certain metrics such as number of viewed pages, visit times and target accomplishment number for the purpose of carrying out online behavioral advertising and Later, such users may be shown target-oriented advertising content on our Web Site or on the other sites included in the Video Advertising Network depending on their areas of interest.
During directing to Emaar Turkey of Google AFS advertisements, Google may place cookies on the browser of the users or read the cookies available on them or use web marks in order to collect information.

If above mentioned data processing activities fail to meet any of the conditions set forth in the the KVK Law, your explicit consent will be obtained by Emaar Turkey in connection for that personal data processing in line with applicable laws. However, if any conditions described above are relevant, your personal data may be also processed without your explicit consent provided that other principles are observed.

In addition to that, personal data and sensitive personal data collected by Emaar Turkey during the employment process of Employee Candidates, which represents the personal data category in which most of the data are collected by Emaar Turkey will be processed for the purposes defined below:

Evaluating qualifications, experiences and interest of the employee candidate and his/her fitness for the open position,
Conducting inquiries about the employee candidate by contacting third persons,
Communicating with the employee candidate during the application and recruitment process,
Communicating with the employee candidate if a suitable position is opened later, and
Meeting the requirements arising from the applicable legislation and/or demands of the competent authorities.

In that regard, personal data of the Employee Candidates are collected (i) through the written application forms or digital application forms published in electronic environment, (ii) CVs of them forwarded to Emaar Turkey by e-mail, cargo, reference etc. and (iii) by the employment and/or consulting companies and online recruitment platforms, (iv) during face-to-face meetings, (v) through the recruitment tests performed and evaluated by experienced experts in order to determine the skills and personality traits of the candidate, (vi) during recruitment process, and (vii) for any other purpose defined before just after the employment.

The Employee Candidates shall be entitled to forward their demands arising from their rights as the data owner and from the applicable legislation by using the application methods defined in this Policy.

3.6 Time for storage of personal data

Emaar Turkey will process and use the personal data in accordance with the applicable legislation and requirements of the rules of honesty. In that regard, Emaar Turkey will take into account the requirements of proportionality in the processing of personal data and will not use the personal data for any purpose other than the intended purpose of processing.

Our Company will ensure that personal data processed by taking into account the fundamental rights and legitimate interests of the data owners are accurate and updated. It is therefore taken great care to identify the sources from which personal data are obtained, confirm their accuracy and assess any need for updating.

Emaar Turkey will define the specific purpose of processing personal data very clearly and definitely and ensures that this is a legitimate purpose. When the processing purpose is legitimate, personal data processed by Emaar Turkey will be related to and will be necessary for the business operations carried out and services provided by Emaar Turkey. Specific purpose of processing personal data will be defined by Emaar Turkey before the start of processing activity.

Emaar Turkey will ensure that personal data processed are appropriate for the achievement of processing purposes defined before and will avoid processing personal data if they are not related to or needed in the achievement of that purpose. In order process personal data for meeting any future requirements, Emaar Turkey will first fulfill the conditions of processing personal data arising from the Law as if it the first time for our Company to process them. Emaar Turkey will also process personal data only to the extent required for that purpose. Therefore, Emaar Turkey will not process any personal data based on potential future needs.

If there is any time period specified for the storage of personal data under the applicable legislation, Emaar Turkey will comply with these time periods or otherwise, Emaar Turkey will store the personal data only for the time period required for the specific purpose of processing. This time period is determined by Emaar Turkey. If there is no valid reason for our Company for storing personal data for longer periods, personal data will be deleted, destroyed or made anonymous once that period expires.

Under KVK Law, special importance is given to the illegal processing of certain personal data since it carries the risk of causing poor treatment or discrimination of certain persons. As mentioned in the section of this document for the definitions, any personal data about the race, ethnical origin, political thoughts, philosophical beliefs, religion, sect or other faiths, dressing, membership to associations, foundations or labor union, health status, sexual life, criminal conviction and security measures, including any biometric and genetic data of any person shall be considered as sensitive personal data. Such sensitive personal data will be processed with your explicit consent like your other data.

Our Company takes into account the fact that if sensitive personal data are acquired by others, it might result in poor treatment or discrimination of the relevant data owner and for that reason, our Company diligently takes all measures to protect such personal data processed in line with the applicable laws.

If the purpose of processing personal data has ceased to exist and time periods determined for storage of personal data under the applicable legislation and by Emaar Turkey expire, personal data will be stored beyond that point only if they serve as evidence in legal disputes or used to claim a right or make defense in relation to the personal data. These time periods are determined by Emaar Turkey after taking into account prescription periods applicable for these rights and similar cases in which demands were made against Emaar Turkey in connection with personal data. In that event, the stored personal data cannot be accessed for any other purpose and access is granted to such personal data only if they will serve as evidence in legal disputes. After this time period expires, personal data are deleted, destroyed or made anonymous.

4. TRANSFER OF PERSONAL DATA AND SENSITIVE PERSONAL DATA

4.1 Transfer of personal data

Emaar Turkey may transfer the personal data and sensitive personal data of the data owner to the third persons only after taking necessary security measures needed for the relevant purpose of processing in line with the applicable laws. In that regard, Emaar Turkey acts in accordance with the arrangements made under article 8 of the KVK Law.

Emaar Turkey may transfer personal data to the third persons in line with the legitimate and lawful personal data processing purposes and in order to enhance/support data security in certain conditions and based on and limited to one or several of the personal data processing conditions stipulated in article 5 of the KVK Law as provided below:

If explicit consent was obtained from the personal data owner,
If there are clear arrangements in laws for the transfer of such personal data,
If transfer of personal data is necessary for the protection of life or bodily integrity of the personal data owner or another person and if the personal data owner is not in a position to grant this explicit consent due to physical impediments or if no legal effect is given to his/her consent for any reason whatsoever,
If it is necessary to transfer personal data to the parties of a contract provided that it is directly related to the establishment or performance of that contract,
If transfer of personal data is necessary for Emaar Turkey in the fulfillment of its legal obligations and if personal data has been put into public domain by the owner,
If transfer of personal data is necessary for the establishment, exercising or protection of a right,
If transfer of personal data is necessary for the legitimate interest of Emaar Turkey provided that no harm is given to the fundamental rights and freedoms of the personal data owner.

Besides that, Emaar Turkey is entitled to transfer personal data to the third persons under the following circumstances provided that explicit consent is obtained from the relevant data owner and cases requiring such transfer by law are exempted:

Performance of traffic measurement, statistical and analytical examinations, profiling/segmentation studies in connection with the sales and marketing activities,
Correction of mistakes,
Confirmation of user names,
Performance of necessary processes by the business units in order that products and services provided by Emaar Turkey are enjoyed by the customers and customization of the products and services of Emaar Turkey based on the preferences, usage habits and requirements of the customers,
Ensuring legal and commercial security of the persons with whom Emaar Turkey has a business relationship,
Defining and implementing commercial and business strategies of Emaar Turkey and implementation of the human resources policy of the Company,
Execution of our internal operations and business activities; ensuring security of Company’s operations and carrying out activities to ensure efficiency, productivity and appropriateness analyses for the business activities,
Ensuring business continuity and planning and execution of corporate management and sustainability activities,
Management, planning and execution of corporate communication activities,
Performance of marketing and promotional activities for the purpose of managing corporate communications,
Activity/event management,
Execution of personnel recruitment (employment) processes by Emaar Turkey,
Execution/follow-up of financial reporting and risk management in Emaar Turkey,
Planning, evaluation and follow-up of procurement activities,
Execution/follow-up of legal affairs in Emaar Turkey,
Execution of activities that have legal, technical and administrative consequences; providing information required under the applicable legislation to the competent authorities; activities relating to legal requests and execution of our legal affairs,
Keeping accurate and updated data,
Collection, evaluation and responding to the complaints, questions, demands and suggestions of the personal data owner,
Planning and execution of customer relations management processes,
Planning and/or execution of customer satisfaction activities,
Performance of the obligations arising from the contracts concluded with the customers,
Planning and execution of sales processes for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.),
Follow-up of contractual processes and/or legal requests,
Compliance with the applicable legislation,
Demand and complaint management,
Establishment of potential claims for rights and receivables of relevant persons,
Providing information to the competent authorities as required under the applicable legislation,
Creation and follow-up of visitor records,
Ensuring security/safety of Company’s premises, depots and/or offices,
Execution of information security procedures and of the activities relating to the information technology infrastructure,
Execution of the operations for the group companies and enabling employees to have access to the information,
Preparation and submission of various reports, researches and/or presentations,
Management of social media accounts and Web Site,
Performance of obligations arising from the Law on the Protection of Consumers and other legislation by using channels by or on behalf of our Company including our call center, subsidiaries, internet sites, social media pages etc.,
Improving user experiences (including improvement and customization),
Ensuring safety of the users and determining fraud,
Execution of marketing, promotion and sales activities for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence ); management of processes involving creation of and/or increasing loyalty for the products and/or services provided by the Company, and execution of market research activities for the sales and marketing of our products and services,
Providing you with better services, various advantages and opportunities; execution of sales and marketing activities and providing necessary information about campaigns, promotions and their terms and conditions; carrying out surveying and customer satisfaction activities; and ensuring/accelerating your buying transactions,
Determining customers that could be potential buyers/lessees for the real properties included in the portfolio of Emaar Turkey and carrying out target-oriented sales and marketing activities for these customers, and
Providing offers to the data owners about special products and services through targeting and re-targeting.

In that regard, for the achieving any of the purposes set out in this Policy, personal data may be shared by Emaar Turkey with: (i) the ministries, judicial authorities and similar public establishments and organizations, (ii) outsourced service providers, (iii) cargo companies, (iv) law offices, (v) research companies, (vi) call centers, (vii) software companies in charge of security and company’s management, (viii) agencies, (ix) consulting firms, (x) companies operating in print/publication sector, (xi) social media (Facebook, Instagram, Tweeter, etc.) and with the payment institutions pursuant to the framework contract of the payment institution to be approved by the user at the payment phase and for the purpose of identification required under the Regulation on the Measures for Prevention of Laundering of Criminal Revenues and Financing of Terrorism, as published on the Official Gazette dated 09.01.2008 and numbered 26751.

4.2 Transfer of sensitive personal data

Emaar Turkey may transfer the sensitive personal data of the owner to the third persons in the following circumstances, by acting diligently in the process and taking all security measures required under the Board’s resolutions and in line with the purposes of legitimate and lawful data processing:

When there is explicit consent of the data owner,
Where it is explicitly prescribed by law;
Where it is mandatory to protect the life or physical integrity of the data subject or another person, in cases where the data subject is unable to express consent due to de facto impossibility or where their consent is not legally valid;
Where it relates to personal data that has been made public by the data subject, and such processing is in line with the data subject’s intention to make it public;
Where it is necessary for the establishment, exercise or protection of a right;
Where it is necessary for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of treatment and care services, and the planning, management and financing of healthcare services, by persons under a duty of confidentiality or authorized institutions and organizations;
Where it is mandatory for the fulfilment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance;
Where it is carried out by foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade-union purposes, provided that such processing is in compliance with their applicable legislation and objectives, limited to their field of activity, and not disclosed to third parties; and is directed at their current or former members and affiliates, or persons who are in regular contact with such organizations or formations.

4.3 Transfer of personal data to abroad

Emaar Türkiye may transfer the Data Subject’s personal data and special categories of personal data to third parties by taking the necessary security measures in line with its lawful purposes of personal data processing. In this context, where the conditions for processing personal data specified in this Policy are met and (i) the Personal Data Protection Board (“Board”) has issued an adequacy decision regarding the country to which the transfer will be made, the sectors within such country, or the relevant international organizations, the personal data may be transferred abroad by Emaar Türkiye.

In the absence of an adequacy decision, personal data may be transferred abroad by Emaar Türkiye, provided that one of the conditions set forth in this Policy exists, the data subject has the opportunity to exercise their rights and to apply to effective legal remedies in the destination country, and one of the appropriate safeguards listed below is ensured by the parties:
Where there is an agreement (other than an international treaty) between public institutions and organizations abroad or international organizations, and public institutions and organizations in Türkiye or professional organizations having the status of a public institution, and the Board grants permission for the transfer;
Where binding corporate rules approved by the Board, containing provisions on the protection of personal data and which the companies within a group of undertakings engaged in joint economic activity are obliged to comply with, are in place;
Where a standard contract announced by the Board is in place, which includes, inter alia, the data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be implemented by the data recipient, and additional measures for special categories of personal data;
Where a written undertaking containing provisions ensuring adequate protection is in place and the Board grants permission for the transfer.

Emaar Türkiye may transfer personal data abroad, on an incidental basis, only in the event that there is no adequacy decision and none of the appropriate safeguards listed above can be provided, provided that one of the following conditions exists:

The data subject provides explicit consent to the transfer, provided that they are informed about the possible risks;
The transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the request of the data subject;
The transfer is necessary for the establishment or performance of a contract to be concluded between the data controller and another natural or legal person for the benefit of the data subject;
The transfer is necessary for overriding public interest;
The transfer of personal data is necessary for the establishment, exercise or protection of a right;
The transfer of personal data is necessary to protect the life or physical integrity of the data subject or another person, where the data subject is unable to express consent due to de facto impossibility or where their consent is not legally valid;
The transfer is made from a registry that is open to the public or to persons having a legitimate interest, provided that the conditions required under the applicable legislation for accessing such registry are met and the person having a legitimate interest requests such transfer.

4.3.1 Transfer of sensitive personal data to abroad

Emaar Türkiye may transfer the Data Subject’s personal data and special categories of personal data to third parties by taking the necessary security measures in line with its lawful purposes of personal data processing. With respect to the transfer of such data abroad, Emaar Türkiye acts in accordance with the provisions set forth under Article 9 of the Law, subject to the matters specified in Section 4.3.

5. THIRD PERSONS TO WHOM YOUR PERSONAL DATA ARE TRANSFERRED AND PURPOSES OF TRANSFER

In line with the provisions of article 10 of the KVK Law, Emaar Turkey inform the personal data owner about the groups of persons to whom his/her personal data were transferred.

In line with the provisions of articles 8 and 9 of the KVK Law, Emaar Turkey may transfer the personal data of the data owners that are subject to this Policy to the categories of persons listed below:

Business Partners of Emaar Turkey,
Suppliers of Emaar Turkey,

Representatives of Emaar Turkey,

Group companies/affiliates of Emaar Turkey,
Legal authorized public establishments and organizations,
Legally authorized persons subject to private law,

Other third persons in line with the personal data transfer

Specific types of the abovementioned persons to whom personal data will be transferred and personal data transfer purposes are provided below.

PERSONS MAKING DATA TRANSFER

DESCRIPTION

PURPOSE OF DATA TRANSFER

Business Partner

Refers to the parties with whom Emaar Turkey has established a business partnership for the purpose executing various projects either directly or through its Group Companies and procuring services in the course of its commercial activities.

Limited to the purpose of achieving the foundation purposes of the business partnership (e.g. to the cargo companies, agencies, companies providing cloud communication services and to the infrastructure providers offering IT support, providing support in the area of traffic / customer satisfaction measurement, profiling and segmentation and providing support in the area of processing of personal data including specifically sales and marketing , SMS, mailing, archiving and to the solution partners and firms from which services are obtained such as logistics firms, call centers, consultants / advisers etc.)

Supplier

Refers to the parties providing services to Emaar

Limited to the purpose of providing Emaar Turkey

Turkey on the basis of a contract and in line with the orders and instructions of Emaar Turkey to be given in the course of its commercial activities.

with the services required in the course of its commercial activities, which are outsourced by Emaar Turkey from external sources.

Company’s Representatives

Board members of and other real persons authorized by Emaar Turkey.

Limited to the purpose of those activities executed by Emaar Turkey in connection with corporate law, event management and corporate communication processes in line with the applicable legislation.

Group Companies

Group Companies of Emaar Turkey

All companies to which Emaar Turkey is directly or indirectly affiliated (e.g. affiliate, partner etc.) including specifically İstanbul Seyir Terası Otelcilik ve Turizm Yatırımları Ticaret A.Ş., Emaar Hospitality Group LLC and Emaar Properties PJSC.

Legally authorized public establishments and organizations

Public establishments and organizations entitled to obtain information and

documents from Emaar

Limited to the purpose of designing the strategies for the commercial activities of

Emaar Turkey; ensuring its

Turkey under the applicable legislation.

optimum management and auditing as per the provisions of the applicable legislation.

Legally authorized real persons subject to private law

Real persons subject to private law, who are entitled to obtain information and documents from Emaar Turkey under the applicable legislation.

Limited to the purpose demanded by the legally authorized real persons subject to private law (e.g. law offices, audit firms, and payment institution for the purpose of identification required under the Regulation on the Measures for Prevention of Laundering of Criminal Revenues and Financing of Terrorism)

6. RIGHTS AND OBLIGATIONS ARISING FROM PERSONAL DATA

6.1 Obligation of Emaar Turkey to clarify the owners of personal data

Pursuant to the requirements of article 10 of the KVK Law, Emaar Turkey clarifies the personal data owners during obtaining their personal data. In that regard, Emaar Turkey provides information on the identity of its representative, if any, specific purpose of processing personal data, to whom and for what purpose processed personal data will be transferred, collection method and legal reason of collecting personal data and rights available to the owner of personal data.

Article 20 of the Turkish Constitution stipulates that everybody is entitled to be informed about the personal data related to him/her. Therefore, article 11 of the KVK Law lists “the right of requesting information” among the rights of the personal data owner. As a result, Emaar Turkey will provide necessary information at the request of the personal data owner pursuant to article 20 of the Constitution and article 11 of the KVK Law.

6.2 Rights of the personal data owner and application method

In line with article 13 of the KVK Law, Emaar Turkey utilizes necessary channels, internal operation, administrative and technical arrangements in order to evaluate the rights of the data owners and providing necessary information to the personal data owners.

If the personal data owners forward in writing to Emaar Turkey their requests relating to their rights listed below, the request will be finalized at latest within 30 (thirty) days without any charge depending on the nature of the request. However, a charge is foreseen by the KVK Board, the charge determined by the KVK Board will be collected by Emaar Turkey. Information will be provided about this charge to the relevant person without delay.

learn whether his/her personal data has been processed,
if processed, demand information about it,
learn the purpose of processing and whether his/her personal data has been used in line with that purpose,
learn the identity of the 3^rd persons to whom personal data are transferred in and out of the country,
request correction of any personal data that had been processed deficiently/inaccurately and in that regard, to demand that such correction operation is informed to the third persons to whom personal data was transferred,
request deletion/destruction of his/her personal data once the reasons requiring processing of personal data cease to exist although such personal data had been processed in line with the KVK Law and other applicable laws and demand that such deletion/destruction operation is informed to the third persons to whom personal data was transferred,
raise an objection to any negative results arising from analysis of his/her personal data exclusively by automated means, and
claim recovery for his/her losses suffered after illegal processing of his/her personal

Owners of personal data will be entitled to forward to Emaar Turkey their requests relating to their rights listed in article 11 of the KVK Law by submitting the information and documents that will be helpful in their identification and by completing/signing the application form with the methods set out below or with other methods defined by the Personal data Protection Board:

after completing the application form provided at the address https://tr.emaar.com/tr/, its wet signed copy shall be delivered to the address Ünalan Libadiye Cad.No:82f K:1 Üsküdar/İstanbul either directly or via a notary public,
after completing the application form provided at the address https://tr.emaar.com/tr/, its signed copy shall be sent by means of electronic mail to the address [email protected]

In order for third persons to apply on behalf of the personal data owners, a special power of attorney should be issued by a notary public and granted by the personal data owner in the name of the applying person.

6.3 Cases in which personal data owners do not have any rights

As the cases described below are kept out of the scope of the KVK Law pursuant to article 28 of the KVK Law, the personal data owners may not assert any rights set forth in article 6.2 of this Policy:

Processing of personal data for the purpose of research, planning and statistics by making them anonymous through official statistics,
Processing of personal data for the purpose of arts, history, literature or science or as part of freedom of expression provided that national defense, national security, public security, public order, economic security, privacy of personal life or personality rights are not breached,
Processing of personal data in the course of preventive, protective and intelligent activities conducted by the public establishments and organizations authorized and delegated to ensure national defense, national security, public security, public order or economic security,
Processing of personal data by the judicial authorities or enforcement officers during an investigation, prosecution, trial or enforcement proceeding.

Pursuant to article 28/2 of the KVK Law, the personal data owners may not assert any rights set forth in article 6.2 of this Policy except for the right to claim recovery of their losses:

When processing of personal data is necessary to prevent crime or to conduct a criminal investigation,
Processing of personal data that was p/ut into public domain by the relevant personal data owner,
When processing of personal data is required to be made public establishments and organizations and by the occupational institutions authorized and delegated by law for the purpose of executing audit or regulation duties or conducting a disciplinary investigation or prosecution,
When processing of personal data is necessary to protect the economic and financial benefits of the state in connection with the budget, taxation and financial affairs.

6.4 Principles and methods concerning the responses to be given to the applications of the data owner

An application can be made to Emaar Turkey only when Emaar Turkey is considered as data controller under the KVK Law. This happens when Emaar Turkey directly collects personal data from the relevant person under the KVK Law.

6.4.1 Method and time of responding to the applications by Emaar Turkey

If the personal data owner forwards his/her request to Emaar Turkey by using the method set forth in article 6.2 of this Policy, Emaar Turkey will finalize that request at latest within 30 (thirty) days without any charge depending on the nature of the request. However, if any charge is determined by the KVK Board for such applications, Emaar Turkey will collect that charge according to the tariff determined by the KVK Board.

6.4.2 Information to be requested by Emaar Turkey from the applying personal data owner

Emaar Turkey may request information from the relevant persons in order to determine that he/she is the personal data owner. Emaar Turkey may also forward questions to the personal data owner in order to clarify certain issues in his/her application.

6.4.3 Right of Emaar Turkey to refuse the application of the personal data owner

Emaar Turkey shall be entitled to refuse the application of the applicant in those cases described in article 28 of the KVK Law and also in the following circumstances:

If request to be made by the personal data owner potentially prevent the rights and freedoms of other persons,
If the fulfillment of the request requires a disproportionate effort, or
If information requested has entered into public domain

6.4.4 Right available to the personal data owner to submit a complaint the KVK Board

Pursuant to article 14 of the KVK Law, the personal data owner will be entitled to submit a complaint to the KVK Board within 30 (thirty) days from the date on which applicant has learned the response of Emaar Turkey or in any case, within 60 (sixty) day starting from the application date if his/her application is refused, the response given was found insufficient or no timely response was given to the application.

7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SAFE KEEPING OF PERSONAL DATA AND PREVENTION OF THEIR UNLAWFUL PROCESSING AND ACCESS

As Emaar Turkey, we are taking all technical and administrative measures required under article 12 of the KVK Law in order to ensure lawful processing of personal data, proper safe keeping of processed personal data and prevention of any unlawful access to the same.

7.1 Confidentiality in the processing of personal data

All personal data that are lawfully processed by Emaar Turkey shall be subject to data security requirements. Emaar Turkey is prepared to take any and all technical and organizational measures to ensure confidentiality and security of your sensitive personal data and your personal data collected on our web site.

For any employee of Emaar Turkey, unauthorized access or processing of such data or use of such data for commercial purposes or sharing of them with unauthorized persons or rendering them accessible in any other manner are all strictly forbidden. Therefore, employees of Emaar Turkey may have access to the personal data only on the basis and scope of their duties and authorities. For that purpose, Emaar Turkey makes detailed description and segregation of these duties and authorities. If any employee of Emaar Turkey attempts to process or processes personal data without proper authorization, it will be considered as unauthorized transaction.

The managers inform the employees at the beginning of their employment about the need to protect the confidentiality of personal data. These confidentiality obligations shall survive termination of any employment relationship by the Company.

7.2 Security in the processing of personal data

Personal data are protected by Emaar Turkey against unauthorized access, unlawful processing and disclosure or accidental loss, alteration or destruction. Your personal data will be stored in safe working environments that are not accessible to the public and that could be accessed only by the employees, brokers or contractors of Emaar Turkey.

7.3 Technical measures taken by Emaar Turkey to ensure confidentiality and security of personal data

Following technical measures are taken by Emaar Turkey in the course personal data processing activities:

Optimum technical systems are used and these systems are periodically
Technical measures taken are periodically reported to the relevant person as part of our internal audit mechanisms and any risky issues are reevaluated and necessary technological solutions are produced.
Necessary trainings are provided to the relevant persons/departments about technical
Software and hardware containing antivirus systems and firewalls are used (e.g. Secure Sockets Layer (SSL) encryption is used on all web pages through which personal data are collected with online services such as web site. A SSL-supported browser such as Safari, Firefox, Chrome or Internet Explorer must be used to use these services. In this manner, confidentiality of your personal data transferred online is assured).
Backup programs are lawfully used for the safe keeping of personal
Systems capturing technological developments are used to maintain personal data in safe environments.
Relevant department is regularly informed about technical
Technical security systems are installed for the storage areas; technical measures taken are periodically reported to the relevant person as required by the internal audit mechanisms and any risky issues are reevaluated and necessary technological solutions are produced.
Access to the data storage areas where personal data are maintained is logged and improper accesses or access attempts are momentarily communicated.
Technical measures are taken in line with the technological developments; proper software is used and measures taken are periodically updated and renewed as per natural requirements and requirements arising from the applicable legislation.
Technical solutions for access and authorization are put into practice on the basis of each business unit in line with the legal compliance requirements.
Access authorized are restricted and these authorities are regularly
All processes used to collect personal data are regularly made subject to security scans in order to detect any security gaps. Such gaps are remedied by the Company.

7.4 Administrative measures taken by Emaar Turkey for the confidentiality and security of personal data

Following administrative measures are taken by Emaar Turkey in the course of its personal data processing activities:

The employees are informed and trained on the personal data protection law and processing of personal data in line with this law; and on the technical measures to be taken to ensure safe keeping of personal data and prevent any unauthorized/unlawful access. In this manner, all relevant obligations are aimed to be fulfilled according to the current requirements.
All activities carried out by Emaar Turkey are analyzed in detail in terms of all business units and as a result of this analysis, necessary personal data processing activities are defined specifically for the commercial operations of the relevant business units.
Any personal data processing activities executed by the business units of Emaar Turkey and the requirements to be met to ensure that these activities are made in accordance with the data processing conditions set forth in the KVK Law are specifically defined for each business unit and their detailed activities.
Awareness is created and implementation rules are defined for each business unit in order to ensure compliance with the legal requirements and administrative measures needed to inspect these activities and to ensure continuity in the practices are put into place through internal policies and in-house trainings.
On the contracts and documents managing the legal relationship between Emaar Turkey and its employees, reservations are placed to impose the obligation of not processing, disclosing or using personal data except as otherwise instructed by Emaar Turkey or required by law as an exception and awareness raising works are carried among the employees and inspections are conducted for that purpose.
Undertakings are obtained from the 3^rd persons for the protection of personal data in the course of our commercial activities.
In the event that technical services are obtained from the persons to whom personal data were lawfully transferred by Emaar Turkey or from the third persons for the safe keeping of personal data, certain provisions are included into the contracts concluded with these persons requiring them to take necessary measures and ensuring compliance with these measures in their companies in order to prevent unlawful processing of and access to the personal data and safe-keeping of personal data in line with the legal
Access and authorization processes are designed and applied about the access to and authorization for personal data in the Company in line with the legal compliance requirements applicable for each business unit.
The employees are informed and undertakings are taken from them that they shall not disclose any of the personal data that they have learned contrary to the provisions of the KVK Law and shall not use the same for any purpose other the processing purpose and this obligation will survive after termination of their employment with the Company.
Certain provisions are included into the contracts concluded with the persons to whom personal data was lawfully transferred by Emaar Turkey, requiring them to take all security measures for the protection of personal data and ensure their own companies to comply with these measures.
Pursuant to article 12 of the KVK Law, Emaar Turkey conducts or ensures conduct of necessary inspections and audits in its own organization. Results of these inspections and audits are reported to the relevant department of Emaar Turkey and necessary actions are taken to improve the measures taken.
Emaar Turkey organizes necessary trainings for its business units, business partners and suppliers in order to enhance the awareness about preventing unlawful processing of or access to the personal data and about safe-keeping of such data. In that regard, Emaar Turkey evaluates the participation levels in these trainings, seminars and informative sessions and carries out necessary inspections. Emaar Turkey also updates and renews its trainings in parallel to the changes in the applicable legislation.
Emaar Turkey acts in compliance with the applicable legislation in connection with the personal data acquired as part of a contractual relationship and relevant persons are fully informed about their rights.

7.5 Protection of sensitive personal data by Emaar Turkey

The Law stipulates certain additional arrangements for the processing and protection of sensitive personal data. Under the Law, any personal data about the race, ethnical origin, political thoughts, philosophical beliefs, religion, sect or other faiths, dressing, membership to

associations, foundations or labor union, health status, sexual life, criminal conviction and security measures, including any biometric and genetic data of any person shall be considered as sensitive personal data

In that regard, Emaar Turkey takes technical and administrative measures for the protection of personal data and carries out periodic inspections to achieve this. Emaar Turkey will take the technical and administrative measures listed below in order to prevent (i)) unlawful processing of personal data, (ii) negligent or unauthorized disclosure, access, transfer or illegal access to the personal data, and in order to ensure (iii) maintenance of personal data in safe environments and prevent any destruction, loss or alteration of the same against the law:

Any personal data processing activities carried out by Emaar Turkey are inspected with the technical systems installed for that purpose,
Technical measures taken are reported to the relevant person, if necessary,
Personnel having sufficient know-how on technical issues are employed,
On the contracts and documents managing the legal relationship between Emaar Turkey and its employees, reservations are placed to impose the obligation of not processing, disclosing or using personal data except as otherwise instructed by Emaar Turkey or required by law as an exception and awareness raising works are carried among the employees and inspections are conducted for that purpose,
Emaar Turkey Employees are periodically informed and trained about the law for the protection of personal data and lawful processing of personal data.
Business processes are regularly analyzed and data inventory is created and any personal data processing activities carried out by the business units and requirements to be met to ensure legal compliance in these activities are defined for each process.
Legal compliance requirements are established; policies are put into place to create awareness within the Company and ensure continuous implementation and carry out regular inspections and finally, periodic training is provided to the persons (including but not limited to other necessary people) having rights to access to the corporate system of Emaar Turkey.
Certain provisions are included into the contracts and documents managing the legal relationship between Emaar Turkey and its suppliers, business partners and other third persons requiring them not to process, disclose or use any of the personal data except for those exceptional cases arising from the Law and employee awareness is created in this manner,
Technical measures are taken in line with the technological developments and these measures are updated and renewed when necessary; accordingly:
- Cryptographic methods are used in the environments where sensitive personal data are stored,
- These cryptographic keys are kept in safe and different environments,
- Transaction records of all movements made on the date are safely logged,
- Security updates for the environments where data are stored are continuously monitored; necessary security tests are performed and test results are recorded,
- Authorizations are made to the software users for the relevant software; security tests are regularly run on such software and test results are recorded,
- Minimum two layered identification system is used in case of distant
Technical solutions are put into practice in connection with access and authorizations in line with the legal compliance requirements determined for each process,
Technical measures taken are reported to the relevant person if necessary and any risky issues are reevaluated and technological solution is developed,
Software and hardware containing antivirus systems and firewalls are installed,
Personnel having know-how on technical issues are employed,
Software and hardware containing antivirus systems and firewalls are installed,
Emaar Turkey Employees are trained about the technical measures to be taken in order to prevent unlawful access to the personal data,
Access and authorization processes are designed and implemented for the personal data within the Company in line with the legal compliance requirements applicable in the processing of personal data,
The employees are informed and undertakings are taken from them that they shall not disclose any of the personal data that they have learned contrary to the provisions of the KVK Law and shall not use the same for any purpose other the processing purpose and this obligation will survive after termination of their employment with the Company,
Certain provisions are included into the contracts concluded with the persons to whom personal data was lawfully transferred by Emaar Turkey, requiring them to take all security measures for the protection of personal data and ensure their own companies to comply with these measures,
Systems capturing technological developments are used to maintain personal data in safe environments,
Personnel specialized on technical matters are employed,
Technical security systems are installed for the storage areas; technical measures taken are periodically reported to the relevant person as required by the internal audit mechanisms and any risky issues are reevaluated and necessary technological solutions are produced,
Backup programs are used for the safe storage of personal data in line with the legal requirements,
Access to the data storage areas where personal data are maintained is logged and improper accesses or access attempts are momentarily communicated.
Emaar Turkey Employees are trained about safe keeping of personal data,
In the event that any service is outsourced by Emaar Turkey due to technical requirements relating to the safe keeping of personal data, certain provisions are included into the contracts concluded with the firms to which personal data were lawfully transferred, requiring them to take security measures to protect personal data and ensure compliance with these requirements in their own company,
Sufficient security measures are taken against risks of electric leakage, fire, flood, theft etc. depending on the characteristics of the physical environment where sensitive personal data are retained and inspections are made every 6 months, with the inspection results reported to the authorized person,
Access to the physical environments where sensitive personal data are kept is granted only to the authorized personnel and accesses are restricted to prevent all unauthorized
Necessary technical and administrative measures are taken in the transfer of sensitive personal data as follows:
- While personal data are transferred by e-mail, corporate e-mail address or Registered Electronic Mail (KEP) account is used for encrypted transfer of data,
- If it is necessary to transfer personal data via portable memory, CD, DVD etc., data should be encrypted by using cryptographic methods and cryptographic key should be kept at a different environment
- If transfer is to be made between servers at different physical locations, data transfer should be made only after installing VPN between the servers, and
- If the data will be transferred on hardcopy basis, necessary security measures should be taken against risks of loss, theft and access by unauthorized person of the relevant documents and the documents should be sent in the format of “classified confidential document”.

7.6 Measures to be taken against illegal disclosing of personal data

Emaar Turkey maintains a system enabling it to inform the relevant personal data owner and KVK Board when personal data processed in accordance with article 12 of the KVK Law is unlawfully obtained by others. If personal data are unlawfully disclosed, Emaar Turkey will serve a notice to the KVK Board at latest within 72 (seventy two) hours and immediately take all corrective actions in line with the current developments.

If it is deemed as necessary by the KVK Board, this breach shall be also announced on the internet site of the KVK Board or by another method.

7.7 Execution of inspection activities

Pursuant to article 12 of the KVK Law, Emaar Turkey carries out necessary inspections in the organization of Emaar Turkey and of its business partners or ensures performance of these inspections under the contracts concluded with the 3^rd party firms. Results of these inspections are reported within the organization of the Company and necessary actions are taken to improve the measures taken.

8. DELETION, DESTRUCTION AND MAKING ANONYMOUS OF PERSONAL DATA

All procedures involving deletion, destruction or making anonymous of personal data are recorded and these records shall be maintained for the time period determined under the Emaar Turkey Policy for the Maintenance and Destruction of Personal Data except for other time periods required under other legal obligations.

Emaar Turkey will destroy your personal data for the following reasons:

Expiration of the time periods defined by laws for the safe keeping of personal data,
Expiration of the time period defined under the Emaar Turkey Policy for the Maintenance and Destruction of Personal Data,
Expiration of the periodic destruction time defined under the Emaar Turkey Policy for the Maintenance and Destruction of Personal Data,
Amendment or annulment of the applicable legislation that serves as a basis for the processing of personal data,
Failure to establish the relevant contract, including its invalidity, automatic expiration, termination or withdrawal,
The purpose requiring processing of personal data ceases to exist,
Processing of personal data contrary to the law and rules of honesty,
When processing of personal data requires obtaining explicit consent from the data owner, withdrawal of this consent by the relevant person,
Acceptance by Emaar Turkey of the application filed by the relevant person by exercising his/her rights available to him/her in connection with his/her personal data,
Submission of a complaint to the KVK Board after refusal by Emaar Turkey of the application filed by the relevant persons with a request for deletion or destruction of his/her personal data or the response given to the application is found insufficient or no timely response is given, which complaint is deemed appropriate by the KVK Board,

No condition requiring safe keeping of personal data for longer periods exists although such personal data was maintained for the maximum time period,
Expiration of the conditions requiring processing of personal data under articles 5 and 6 of the KVK Law.

8.1 Techniques used in the deletion and destruction of personal data

Emaar Turkey may delete or destroy the personal data based on its own decision or at the request of the relevant personal data owner if the reasons requiring processing of personal data cease to exist although this personal data was processed before in line with the provisions of the applicable law. Deletion or destruction of personal data involves rendering personal data inaccessible or un-reusable for the users. In that regard, Emaar Turkey deletes or destroys personal data by using the techniques described below:

Emaar Turkey takes any and all technical and administrative measures to render deleted personal data non-accessible non-reusable for the relevant users,
Emaar Turkey will apply the rules described below if deletion of personal data would result in a failure of accessing or using other data in the system:
- Rendering personal data unrelated to the relevant persons and archiving them on that basis,
- Closing access to personal data by any other establishments, company and/or person,
- Taking any and all technical and administrative measures to ensure that personal data are accessed only by authorized persons, and
- If a direct deletion request is forwarded by real persons, deletion of the personal data of that person from the systems of Emaar Turkey.

Deletion of the personal data comprising part of any data recording system and processed by non-automated means:

Blank out of unnecessary personal data,
Masking the unnecessary personal data available on hardcopy but transferred to electronic format by means of scanning or without digitalization.

Based on the abovementioned conditions of deletion, those deletion or destruction techniques used most by Emaar Turkey are listed below:

Physical Destruction: Personal data may be processed by non-automated means provided that they are part of any data recording During deletion/destruction of that data, a system is applied involving physical destruction of personal data in a totally unusable manner in the future.
Secure Deletion Software: While deleting/destroying the data processed by automated means in part or in whole and maintained in digital environments, methods are used for deletion of the personal data from the software in an irretrievable manner.
Sending to a Specialist for Secure Deletion: In certain cases, Emaar Turkey may agree with a specialist for deleting personal data on its own In this case, personal data will be safely deleted/destroyed by a specialist in an irretrievable manner.

8.2 Techniques used to make personal data anonymous

Making personal data anonymous means making personal data impossible to be correlated with any identified or identifiable real person even if by matching them with other data. Once the reasons requiring processing of personal data that had been lawfully processed cease to exist, Emaar Turkey may make personal data anonymous.

Pursuant to article 28 of the KVK Law, personal data that were made anonymous may be processed for certain purposes such as research, planning and statistical studies. However, such processing shall be considered outside the scope of the KVK Law and explicit consent of the personal data owner will not be necessary. Personal data that are processed by making them anonymous will be outside the scope of the KVK Law and therefore, rights regulated under article 6 of this Policy will not be applicable for such data. The techniques of making anonymous used most by Emaar Turkey are listed below:

Masking: Data masking refers to the method of making personal data anonymous by extracting basic identifying information of the personal data from the data set.
Aggregation: With the data aggregation method, lots of data are aggregated and personal data are rendered impossible to be correlated with any person.
Data Derivation: With the data derivation method, a content that is more general than the specific content of the personal data is created and personal data are rendered impossible to be correlated with any person.
Data Shuffling, Permutation: Data shuffling method involves mixing of the values of the personal data set in order to break the bond between the values and persons.

9. TIME PERIODS APPLICABLE IN THE STORAGE AND DESTRUCTION OF PERSONAL DATA

In the first periodic destruction operation following the date on which the obligation of deleting, destroying or making personal data anonymous has first arisen for Emaar Turkey, Emaar Turkey will delete, destroy or make personal data anonymous. Time interval for these periodic destructions is six months. Time periods applicable in the storage of personal data are defined in line with the KVK Law and relevant business processes. However, KVK Board may reduce the time periods set out in this section if there is a potential for irretrievable damages or open breach of law.

If a real person having personal data applies to Emaar Turkey as per article 13 of the KVK Law and requests deletion or destruction of his/her personal data, then Emaar Turkey shall:

Delete, destroy or make the relevant personal data anonymous if all of the conditions requiring processing of personal data have ceased to exist. This request by the real person acting as the owner of personal data will be finalized by Emaar Turkey at latest within 30 (thirty) days and information will be given to the data owner.
If all conditions requiring processing of personal data have ceased to exist and relevant personal data has been transferred to the third persons, Emaar Turkey will inform the third persons about it and ensures that necessary process is started with that third

If all of the conditions requiring processing of personal data have not ceased to exist, this request may be refused by Emaar Turkey by explaining the reason thereof as per

the 3^rd paragraph of article 13 of the KVK Law and refusal response will be informed to the relevant person in writing or in electronic format at latest within 30 (thirty) days.

9.1 Time periods applicable in the arbitrary deletion, destruction and making anonymous of personal data

Emaar Turkey will take into account the time periods defined below in connection with its obligation to delete, destroy or make personal data anonymous:

At the first periodic destruction operation following the date on which the obligation has arisen,
Periodic destruction period may not be longer than 180 days (6 months).

9.2 Time periods applicable in the deletion or destruction of personal data at the request of the relevant person

In the event that relevant person applies to Emaar Turkey with a request for deletion or destruction of his/her personal data, Emaar Turkey shall:

Delete, destroy or make the relevant personal data anonymous if all of the conditions requiring processing of personal data have ceased to exist. This request by the real person acting as the owner of personal data will be finalized by Emaar Turkey at latest within 30 (thirty) days.
If all of the conditions requiring processing of personal data have not ceased to exist, this request may be refused by Emaar Turkey by explaining the reason thereof and refusal response will be informed to the relevant person in writing or in electronic format at latest within 30 (thirty) days.

10. OUR DEPARTMENT RESPONSIBLE FOR THE PROTECTION, PROCESSING AND DESTRUCTION OF PERSONAL DATA

Emaar Turkey ensures necessary coordination in its organization in connection with the compliance of the personal data processed by it with the KVK Law, applicable regulation and other legal arrangements and with the safe-keeping and maintenance of personal data through the “Data Processing Department”. This department is responsible for fulfillment of relevant rights and obligations, execution of the established system and its improvement and updating.

This Policy will be renewed once in every year and updated according to the applicable legislation. Any issues set forth in this Policy may be amended by Emaar Turkey in order to ensure legal compliance.

11. RECORDING ENVIRONMENTS

Emaar Turkey records and stores on the Emaar Turkey database all personal data processed by Emaar Turkey in part or in whole by automated means or by non-automated means provided that they are part of data recording system in line with the methods and principles set forth in the KVK Law and other applicable laws.

11.1 Recording and follow-ups made at the entry of and/or inside of the office and shopping mall

In Emaar Turkey offices and common areas in the shopping malls, personal data processing activity is carried out by the surveillance cameras for the monitoring of entrance-exit of the guests and visitors in order to enhance the quality and ensure reliability of the services provided by Emaar Turkey or ensure the security of Emaar Turkey employees, customers, visitors and other persons and protect the benefits arising from the services obtained by the customers. Monitoring activity carried out by Emaar Turkey with the help of cameras is executed in accordance with the Law on Private Security Services and applicable legislation. However, no monitoring is made in those areas that would result in intervention to the private life of an individual (for example toilets). Pursuant to article 4 of the Law, Emaar Turkey will process the personal data in relation to and on limited and reasonable basis with the relevant purposes of processing and monitoring by video cameras are continued according to the relevant purpose.

Emaar Turkey also takes necessary technical and administrative measures in order to ensure the security of personal data obtained as a result of monitoring activity through video recording. In that regard, limited number of Emaar Turkey employees will have access to these camera records.

Pursuant to article 10 of the Law, personal data owner is clarified. As part of the clarification obligation, this Policy is published on the internet site and certain warnings are displayed at the entrance of the monitored areas to remind that there will be video monitoring. Besides that, administrative and technical measures defined in this Policy are taken as part of the personal data processing activity through monitoring with surveillance cameras.

11.2 İnternet Accesses and Web Site

Emaar Turkey will record the log records showing internet access in line with the statutory provisions of the Law numbered 5651 and applicable legislation enacted under this Law and these records will be processed only at the request of the competent establishments or organizations or for the fulfillment of legal obligations in the relevant inspections to be made by the Company.

Any internet movements in the Web Site owned by Emaar Turkey are recorded (through cookies etc.) with technical methods in order to carry out online advertising activities, record the visits made to the Web Site and show them customized contents. Detailed explanations of Emaar Turkey about these activities carried out on its Web Site and about the protection and processing of personal data are provided in the section titled “Confidentiality Policy” of the relevant internet sites.

Emaar Turkey uses various systems in the execution of its activities. These systems may be used by the Emaar Turkey employees in the processing of personal data in line with the purpose of business and their job description and for the following purposes:

Execution of our internal operations and business activities; ensuring security of Company’s operations and carrying out activities to ensure efficiency, productivity and appropriateness analyses for the business activities,
Execution and management of strategical planning activities and relations with the Business Partners and Suppliers,
Planning and execution of logistics activities,
Ensuring business continuity and planning and execution of corporate management and sustainability activities,
Management, planning and execution of corporate communication activities,
Performance of marketing and promotional activities for the purpose of managing corporate communications,
Activity/event management,
Execution of personnel recruitment (employment) processes by Emaar Turkey,
Execution/follow-up of financial reporting and risk management in Emaar Turkey,
Planning, evaluation and follow-up of procurement activities,
Execution/follow-up of legal affairs in Emaar Turkey,
Making Emaar Turkey web site easier to use
Execution of activities that have legal, technical and administrative consequences; providing information required under the applicable legislation to the competent authorities; activities relating to legal requests and execution of our legal affairs,
Keeping accurate and updated data,
Collection, evaluation and responding to the complaints, questions, demands and suggestions of the personal data owner,
Planning and execution of customer relations management processes,
Planning and/or execution of customer satisfaction activities,
Performance of the obligations arising from the contracts concluded with the customers,
Planning and execution of sales processes for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.),
Follow-up of contractual processes and/or legal requests,
Knowing and developing our communication with our customers,
Performance of traffic measurement, statistical and analytical examinations, profiling/segmentation studies in connection with the sales and marketing activities to be carried out for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.),
Providing better and more secure services to the customer; developing better products and services and providing them on uninterrupted basis,
Making customized suggestions for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.) based on the customer’s preferences, usage habits and requirements,
Compliance with the applicable legislation,
Reputation management,
Demand and complaint management,
Establishment of potential claims for rights and receivables of relevant persons,
Providing information to the competent authorities as required under the applicable legislation,
Creation and follow-up of visitor records,
Ensuring security/safety of Company’s premises, depots and/or offices,
Execution of information security procedures and of the activities relating to the information technology infrastructure,
Planning and execution of emergency management processes and execution of occupational health and/or safety procedures,
Execution of the operations for the group companies and enabling employees to have access to the information,
Preparation and submission of various reports, researches and/or presentations,
Management of social media accounts and Web Site,
Performance of obligations arising from the Law on the Protection of Consumers and other legislation by using channels by or on behalf of our Company including our call center, subsidiaries, internet sites, social media pages etc.,
Execution of marketing, promotion and sales activities for all products and/or services provided by Emaar Turkey (e.g. Shopping Mall, aquarium, residence etc.); management of processes involving creation of and/or increasing loyalty for the products and/or services provided by the Company, and execution of market research activities for the sales and marketing of our products and services,
Providing you with better services, various advantages and opportunities; execution of sales and marketing activities and providing necessary information about campaigns, promotions and their terms and conditions; carrying out surveying and customer satisfaction activities; and ensuring/accelerating your buying transactions,
Determining customers that could be potential buyers/lessees for the real properties included in the portfolio of Emaar Turkey and carrying out target-oriented sales and marketing activities for these customers, and
Providing offers to the data owners about special products and services through targeting and re-targeting.

12. IN-HOUSE DATA PROTECTION BOARD FOR THE PROTECTION AND PROCESSING OF PERSONAL DATA

Personal Data Protection Committee (“Committee”) has been established in the organization of Emaar Turkey for the purpose of following-up and managing those actions required for compliance with the KVK Law:

II. Compliance with KVKK

The Committee will closely monitor KVKK, secondary legislation and Board’s opinions and resolutions in order to ensure permanent compliance of the works, transactions and processes executed or to be executed by our Company with KVKK, secondary legislation and Board’s opinions and resolutions. If any change, development or update becomes necessary in the Company’s activities, Emaar Turkey will take necessary steps to immediately comply with that change, development or update.

III. Creation of the inventory and keeping it up-to-date

It is the Committee’s essential duty to create our Company’s inventory and update this inventory in the event of a change, development and/or updating in KVKK, secondary legislation and the Board’s opinions and resolutions and/or in the works, transactions and processes of the Company. In order to perform this duty, the Committee will obtain all information and documents from all of its divisions in order to create and update that inventory, request that immediate information be provided to it in connection with the changes in the works, transactions and processes executed or to be executed in the business units; organize meetings with the relevant units, if necessary and finally control and update the Inventory, to the extent necessary.

IV. Development and updating of policies

The Committee will prepare and put into practice following policies as minimum in order to ensure compliance with KVKK:

Emergency actions policy and/or crisis management policy,
Personal data storage and destruction policy,
Policy for the processing and confidentiality of general personal data,
Access authorities and control matrix policy,
Management policy for the application of the personal data owner,
internet data security and confidentiality policy,
Internet Access Policy, and
Cookies

The Committee will be also entitled to develop additional policies other than those listed above but effecting these additional policies will require the evaluation and approval of the board of directors.

The Committee will ensure that both Committee members and all of our employees including members of the board of directors and general assembly acting in our organization act in accordance with these policies and will inform relevant employees about the platforms that could be used to access these policies for that purpose.

The Committee will control and update the policies if this is necessary after any change, development and/or update in the works, transactions and processes executed or to be executed by our Company and/or in KVKK, secondary legislation and Board’s opinions and resolutions.

V. Creation and updating of other documentation

In addition to the policies set forth above, the Committee will ensure following documentation is kept as minimum:

A clarification text prepared to fulfill our Company’s clarification obligation as per article 10 of KVKK,

Sample text for obtaining explicit consent from the personal data owners if our Company has this obligation as per article 5/1 of KVKK,

A standard data owner application form to be used by the personal data owners in exercising their rights arising from article 11 of KVKK against our Company,

A standard personal data processing contract to be concluded with the persons and entities that will process personal data on behalf of our Company,

In addition to the abovementioned documentation, the Committee may create further documents if this is necessary.

The Committee will control and update this documentation if this is necessary after any change, development and/or update in the works, transactions and processes executed or to be executed by our Company and/or in KVKK, secondary legislation and Board’s opinions and resolutions.

VI. Emergency/crisis management

The Committee will immediately take all steps in line with the emergency action policy and/or crisis management policy that will be developed and put into practice after any kind of emergency / crisis including but not limited to a breach notice directly served on our Company and/or to the third person and entities about our Company and/or our employees, system malfunctions, data loss and/or data leakages arising from other reasons.

VII. Destruction management

Pursuant to article 7 of KVKK, Regulation on the Deletion, Destruction and Making Personal Data Anonymous and personal data storage and destruction policy, if our Company becomes obliged to destroy the personal data it has been processing, our Company will immediately take all steps as required under the personal data storage and destruction policy that will be developed and put into practice for this purpose.

VIII. VERBİS management

The Committee will duly create a record in the name of our Company at the Data Registry Information System (“VERBİS”) under which our Company is obliged in the capacity of data controller and execute all procedures and transactions that must be executed over VERBİS under the applicable legislation. The Committee will also ensure that information that must be entered into VERBİS as per the applicable legislation totally match with the Inventory and if the Inventory is updated, the Committee will ensure that any information previously entered into VERBİS are updated accordingly.

The Committee shall delegate a real person as contact person in the communication to be established with the Personal Data Protection Authority in connection with the Company’s obligations arising from KVKK and secondary legislation. Later, this contract person will be notified by the Committee during recording with VERBİS on behalf of the Company. The Committee is also obliged to permanently supervise and inspect this real person appointed as contract person.

IX. Communication with the personal data owners

If the personal data owners exercise their rights arising from article 11 of KVKK against our Company and in similar circumstances, the Committee is obliged to execute the verbal and written communications with the personal data owners pursuant to the policy for the management of the personal data owner’s application.

X. Management of personal data processing persons/entities

The Committee will carry out necessary process required to transfer the personal data available to our Company as the data controller to the persons and/or entities that will process this personal data on behalf of our Company and will also inform all employees about these issues provided that a contract has been concluded between our Company and the data processing person or entity.

Therefore, the Committee will regularly inspect whether the personal data processing entity or person processes such personal data in accordance with the applicable legislation and provisions of the personal data processing contract concluded by the Company with the data processing entities or persons and take necessary measures to ensure that personal data are processed accordingly.

XI. Communication with the Board

If necessary, the Committee will execute all verbal and written communications with the Board on behalf of our Company.

XII. Responsibilities of the Committee

The Committee shall be responsible for all works and transactions that are within its delegation and powers. While exercising these powers and fulfilling these duties, the Committee shall:

Never exceed the limits of delegation and authorization defined hereunder for any reason whatsoever,

Act in accordance with applicable legislation, rules of law and principles of honesty and integrity including specifically KVKK under all conditions,

Act in line with objective criteria and show an equitable and transparent approach to all persons and entities including our employees under all conditions provided that no harm is given to the legitimate benefits of the Company, and

Committee members shall be jointly responsible for the above mentioned duties and obligations. The committee members will be made subject to a disciplinary process pursuant to our Company’s Disciplinary Regulation in the event of a negligence or breach in the fulfillment of above-mentioned responsibilities by the Committee.

ANNEX-1: ABBREVIATIONS AND DEFINITIONS

KVK Law	:	Law on the Protection of Personal Data, dated 24.03.2016 and numbered 6698, as published in the Official Gazette dated 07.04.2016 and numbered 29677
Board	:	Personal Data Protection Board
Authority	:	Personal Data Protection Authority
Company	:	Emaar Libadiye Gayrimenkul Geliştirme A.Ş.
Group Companies	:	Foreign group companies to which Emaar Turkey is directly or indirectly affiliated and all other companies (affiliates, partners etc.) including specifically İstanbul Seyir Terası Otelcilik ve Turizm Yatırımları Ticaret A.Ş., Emaar Hospitality Group LLC and Emaar Properties PJSC.

Company’s Representative

Emaar Turkey board members and other authorized real persons

Personal Data

All kinds of information relating to an identified or identifiable person. Therefore, processing of data relating to legal entities is not within the scope of the Law. For example: name- surname, TR Identity Number, e-mail, address, birth date, credit card number etc.

Sensitive Personal Data

Any personal data about the race, ethnical origin, political thoughts, philosophical beliefs, religion, sect or other faiths, dressing, membership to associations, foundations or labor union, health status, sexual life, criminal conviction and security measures, including any biometric and genetic data of any person.

Personal Data Owner

Real person whose personal data is processed, for example: employee candidates.

Processing of Personal Data

Personal data processing activity encompasses any kind of operation made on the personal data including obtaining or collecting of personal data by automated means or non- automated means in part or in whole provided that they are part of a recording system and recording, safe keeping, maintaining, changing, rearrangement, disclosure, transfer, acquisition, rendering retrievable, classification or preventing use of personal data.

Data Processor

Any real person or legal entitle processing personal data on behalf of the data controller based on the authorization granted

by the data controller. For example, cloud communication firm

keeping data of Emaar Turkey, call center firm making calls according to the predefined scripts.

Data Controller

The person determining the purposes and means of processing of personal data and managing the place where personal data are kept systematically (data recording system).

Contact Person

The real person whose name was notified by the data controller during recording with the Registry in order to be active in the communication to be established with the Authority in connection with the obligations of legal entities residing in Turkey and of the legal entity data controller not residing in Turkey arising from the Law and from the secondary arrangements to be made under this Law.

Explicit Consent

Explicit consent based on information provided about a specific issue and declared by free will.

Deletion / Destruction

The operation of making personal data inaccessible, irretrievable and unusable by anybody.

Making Anonymous

Change of personal data irretrievably to such extent that they lose the characters as personal data. For example: Rendering personal data impossible to be correlated with a real person by using certain techniques such as masking, aggregation, data shuffling, etc.

Destruction

Deletion, destruction or making personal data anonymous.

Application Form

“Application Form for the Applications to be made to the Data

Controller by the Relevant Person (Personal Data Owner) pursuant to the Law No. 6698 on the Protection of Personal

Data” which contains the application to be filed by the personal data owners in order to exercise their rights.

Employee Candidates

Real persons who made a job application to Emaar Turkey and presented their CV or relevant information to the review of our Company.

Employees, Shareholders and Representatives of the Entities with which We Cooperate

Real persons working for the companies with which Emaar Turkey maintains business relationships (including but not limited to business partner, supplier etc.) including shareholders and representatives of these companies.

Business Partner

Parties with whom Emaar Turkey has established a business partnership in order to execute various projects directly or together with Group Companies in the course of commercial operations of Emaar Turkey.

Supplier

Parties providing services to Emaar Turkey based on a contract concluded in line with the orders and instructions of Emaar Turkey in the course of its commercial activities.

Customer

Real persons buying products and/or services from Emaar Turkey

Potential Customer

Real persons who demanded and who were interested in using our products and services or who were evaluated to have such interest in line with commercial practices and rules of honesty.

Member		Real persons who became member for the relevant service by concluding a membership contract in order to enjoy the services provided by Emaar Turkey.
Potential Member		Real persons who demanded and who were interested in using our products and services or who were evaluated to have such interest in line with commercial practices and rules of honesty.
Third Person	:	Real persons whose personal data are processed under this Policy although they are not defined differently hereunder (for example, potential customers, attendants, ex-employees).
Visitor	:	Real persons who entered into the physical premises owned/used by Emaar Turkey.
Web Site	:	https://tr.emaar.com/tr/
Web Site Visitors	:	Real persons visiting the Web Site of Emaar Turkey.