PURPOSE OF PREPARATION OF THE POLICY
DOLMABAHÇE İNŞAAT VE GAYRİMENKUL A.Ş. (the “Company”) acts as the data controller, keeping the privacy and security of personal data obtained within the scope of the Law No. 6698 on the Protection of Personal Data (LPPD) and other relevant legislation at the forefront. The Company aims to ensure full compliance with the LPPD and the related legislation and to establish a data protection policy aligned with international standards.
The Company's Policy on the Protection of Personal Data (the “Policy”) is set forth in line with the principles of lawfulness, objective good faith and transparency adopted by the Company in the protection and processing of personal data.
The Company establishes its personal data processing processes within the framework of the Turkish Constitution and the LPPD through the Personal Data Inventory and processes such data in compliance with the relevant legislative provisions and this Policy.
SCOPE
This Policy covers all personal data of natural persons described as (“Data Subjects”) in accordance with the LPPD and the relevant legislation, which are processed either by automatic means or by non-automatic means provided that they are part of a data recording system. The channels through which the personal data of data subjects reach the Company, the method of collection of the personal data reaching through these channels, obtained on the basis of data subjects, the legal grounds for the collection, the purposes of processing and the parties to which they are disclosed are included in the Privacy Notice and Express Consent Texts presented to the data subjects in detail.
DEFINITIONS
| Anonymization | The process of rendering it impossible for personal data to be associated with any identified or identifiable natural person in any way, even though matching with other data. |
|---|---|
| Explicit Consent | The process where the person whose personal data will be processed (data subject) gives his/her consent to the processing after having been informed before the relevant operation is performed. |
| Information Text | Explanations to the data subject about the purpose for which the personal data will be retained, how long the personal data will be retained, by which method the personal data are collected, how the personal data are preserved and whether the personal data will be disclosed to third parties. |
| Presidency | The Presidency of the Personal Data Protection Authority. |
| Personal Data Inventory | The inventory where data controllers give details of their personal data processing activities which are carried out according to their business processes, the purpose and legal ground for/on which they process personal data, the maximum period of retention of personal data necessary for the purposes of processing them, which is determined based on the data category, data subject group and the recipient group the personal data are transferred to, the personal data envisaged to be transferred to foreign countries, and the measures taken regarding data security. |
| Data Subject | The natural person whose personal data is processed. |
| Disposal | The Erasure, destruction or anonymization of personal data. |
| Processing | The processes of saving, storing, preserving, modifying, editing, describing, transferring, receiving, making available and classifying personal data as referred to in Article 3 of LPPD. |
| Law/LPPD | The Law on the Protection of Personal Data. |
| Personal Data | Any information relating to an identified or identifiable natural person. For example, name and surname, Turkish ID No., e-mail, address, date of birth, bank account number, etc. Thus, processing of the information in relation to legal persons is outside the scope of LPPD. |
| Processing of Personal Data | All kinds of operations carried out on the data, such as obtaining, saving, storing, preserving, modifying, editing, describing, transferring, receiving, making available, classifying or blocking the use of personal data automatically, completely or in part, or non-automatically provided that they constitute a part of any data recording system. |
| Board | The Personal Data Protection Board. |
| Authority | The Personal Data Protection Authority. |
| Special Categories of Personal Data | Data related to race, ethnic origin, political opinions, philosophical opinions, religion, sect or other beliefs, appearance; association, foundation or trade union memberships; health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
| VERBİS | Information system, created and managed by the Presidency, which can be accessed via the Internet and will be used by data controllers for applying to register with the Registry and other transactions related to the Registry. |
| Data Processor | Natural or legal person processing personal data on behalf of the data controller, based on the authority granted by the data controller. |
| Data Controller | The natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the data recording system. |
| Data Controllers' Registry | The Data Controllers' Registry kept by the Presidency |
| Data Controller Contact Person | The natural person notified by the data controller, during registration with the Registry, for the communications to be established with the Authority regarding the obligations of the legal persons residing in Türkiye and the representatives of a legal person data controller not residing in Türkiye, within the scope of the Law and secondary regulations to be enacted based on this Law. |
| Erasure | Erasure of personal data, the process of rendering personal data inaccessible to and non-reusable by relevant users in any way whatsoever. |
| Destruction | Destruction of personal data, the process of rendering personal data inaccessible to, non-restorable and non-reusable by anybody in any way whatsoever. |
BASIC PRINCIPLES IN THE PROCESSING OF PERSONAL DATA
The Company adheres to the following principles to ensure that personal data are processed in conformity with the Constitution and the LPPD; and our employees also implement these principles throughout Company practices with a high level of awareness.
Prohibition of processing of personal data in principle
With the awareness the processing of personal data is restricted in principle, the Company processes personal data only within the limits prescribed by the legislation.
Lawfulness and compliance with the rule of objective good faith
The Company processes personal data lawfully and in compliance with the rule of good faith pursuant to Article 4 of LPPD and aims to balance the conflicting interests by observing “legitimate interests”. Transparency and good faith are the basis for informing; clear information is given about the intended use of the personal data collected and the data are processed within this framework.
Being limited to and in connection with the processing purposes, and compliance with the principle of proportionality
The Company processes personal data solely in line with the determined purposes and proportionate to those objectives, refraining from collecting data that is irrelevant to the purpose of processing or is unnecessary.
Ensuring that the personal data are accurate and, if necessary, up to date
The Company ensures that the personal data it processes is accurate and respects the statements of the data subject to this end and where necessary, the company verifies and updates the data.
Processing of personal data for specific, clear and legitimate purposes
The Company collects personal data for purposes directly related to its activities and in a lawful manner and retains such data only for the period required by the applicable legislation or as necessary for the stated purpose of processing.
Principle of data security
With the awareness that the security of personal data cannot be ensured solely through legal measures, the Company also implements technology-supported security measures.
Principle of data minimization
The principle of data minimization refers to the collection and processing of data in a manner that is adequate, relevant and limited to what is strictly for the purpose of collection and processing.
PERSONAL DATA COLLECTION CHANNELS
The Company may collect the personal data of data subjects mentioned in Article 4 of this Policy, verbally, in writing or electronically, by automated or non-automated methods. In this context, the processes for obtaining personal data are given below. Data subjects are informed in accordance with the relevant legislation, based on the channels of obtaining personal data.
TYPES OF THE PERSONAL DATA OBTAINED
Personal data obtained by the Company from the data subjects specified in this Policy, data categories, collection channels, processing purposes and legal grounds for processing are set out in detail in the Data Subject Privacy Notices taking notice of also the third parties to whom the personal data are transferred and the purposes of transfer. In the event of a change in the personal data obtained from data subjects, the Inventory and VERBİS records are updated accordingly.
OBLIGATION TO INFORM
The Company informs data subjects pursuant to Article 10 of the LPPD before or at the latest at the time of obtaining their personal data.
The information required to be communicated to the data subjects within the framework of the said obligation to inform is outlined below.
- Identity of the data controller and, if applicable, its representative,
- The purposes for processing of personal data,
- To recipients and for what purposes the personal data processed may be transferred,
- The Method of and legal grounds for the collection of personal data,
- The rights of the data subject listed in Article 11 of the LPPD.
The Company has prepared Privacy Notices on the basis of the data subject and process. Where explicit consent is required, explicit consent statements are also obtained following the presentation of the Privacy Notices.
POLICY ON SPECIAL CATEGORIES OF PERSONAL DATA
In line with the Personal Data Protection Board’s Decision no. 2018/10 of 31/01/2018 on the Adequate Measures to be taken by Data Controllers for the Processing Special Categories of Personal Data, special categories of personal data are protected by the Company, taking special security measures. In this context, a Policy on Special Categories of Personal Data has been prepared and implemented by the Company.
With respect to the processing of special categories of personal data, Article 6 of the LPPD, the provisions of the relevant legislation, the guidelines published by the Personal Data Protection Board, and the Board’s decisions are closely followed and reflected in practice. In the protection and processing of such data, the Company upholds the principles of lawfulness, good faith and transparency. The security of sensitive personal data is ensured through role-based access control and the necessary technical/administrative measures; all environments in which such data are processed are managed in a manner that ensures protection against unauthorized access.
RIGHTS OF THE PERSONAL DATA SUBJECT
Under Article 11 of the LPPD, each data subjects have the right to apply to the Company in its capacity as data controller, for the following issues:
(1) Each data subject has the right, by applying to the data controller, to:
- a) To learn whether or not their personal data are processed,
- b) To request for relevant information, if their personal data has been processed,
- c) To learn the purposes of processing their personal data and whether or not those data are used in accordance with the purposes,
- d) To know the third parties, domestically or abroad, to whom their personal data has been transferred,
- e) To request for rectification in case their personal data have been processed incompletely or inaccurately,
- f) To request for erasure or destruction of their personal data within the framework of the conditions stipulated by Article 7 of the Law No. 6698,
- g) To request that the operations carried out under the sub-paragraphs (d) and (e) be notified to the third parties to whom their personal data has been transferred,
- h) To object to occurrence of any results that are to their detriment arising from analysis of their processed data exclusively through automated systems,
- i) To request for compensation of the damages in case they incur damages due to the unlawful processing of their personal data.
METHOD OF EXERCISE OF THE RIGHTS BY THE PERSONAL DATA SUBJECT
Under Article 13 of the LPPD and the relevant Communiqué, data subjects may apply to the Company in writing using the following methods, in order to exercise their rights arising from Article 11 of the LPPD:
- Through application in person by the applicant,
- By mail with the signature declaration attached,
- Through a notary public,
- Via secure electronic signature,
- By signing with the applicant’s secure electronic signature and sending it to our Company’s Registered E-mail (REM) address,
- By sending from the email address previously notified to the data controller by the data subject and registered in the data controller's system.
The following must be contained in the application:
- Name, surname, and signature if the application is in writing,
- Republic of Türkiye ID number for Turkish citizens, and nationality, passport number, or identity number, if any, for foreign nationals,
- Residential or business address convenient for notifications,
- Electronic mail address, telephone and fax numbers for notifications, if any,
- The Subject of the request,
- Supporting information and documents related to the matter.
In written applications, the date when the document is served upon the data controller, or its representative shall be taken as the application date.
In the applications made through other methods, the date when the application is received by the data controller shall be taken as the application date.
Application shall be concluded on a free-of-charge basis, within the shortest time possible depending on the nature of the request, but in any event within no later than thirty days. However, if the process incurs an additional cost, the fee set out in the tariff determined by the Board may be collected.
Applications must be made by the individual himself/herself. An application may only be made on behalf of another person via a power of attorney, provided that it contains the authority to request for information within the scope of the LPPD. The Company reserves the right to request verification information if it has doubts regarding the identity of the applicant.
CONTACT INFORMATION
Company Name: DOLMABAHÇE İNŞAAT VE GAYRİMENKUL YATIRIM A.Ş.
Office Address: Levent Mah. Begonya Sk. No: 2 İç Kapı No: 1 Beşiktaş / İstanbul
Contact Information: [email protected]
MEASURES TAKEN FOR PROTECTION OF PERSONAL DATA
Under Article 12 of the LPPD, the Company takes all necessary administrative and technical measures to prevent the unlawful processing of and unauthorized access to personal data and to ensure their secure preservation; and conducts and/or procures the conduct of the necessary inspections in this context. Special categories of personal data are protected with even more stringent security measures.
STORAGE AND RETENTION OF PERSONAL DATA
Personal data obtained by the Company is stored securely in physical or electronic media during the suitable time period so that the Company can carry on its activities. Within the scope of these activities, the Company acts in compliance with its obligations regarding the protection of personal data as stipulated in all relevant legislation, the LPPD being in the first place. Our Company has prepared and implemented a Retention and Destruction Policy.
Pursuant to the relevant legislation, with the exception of the circumstances where personal data is allowed or made obligatory to be retained for a longer period, the personal data shall be deleted, destroyed or anonymized once the purposes of processing of the personal data cease to exist or upon request by the data subject.
TRANSFER OF PERSONAL DATA DOMESTICALLY
The Company diligently abides by the conditions stipulated in the LPPD in regard to sharing of the personal data with third parties, without prejudice to the provisions laid down of other laws.
In this context, as a rule, personal data is not transferred to third parties by our Company without the explicit consent of the data subject. However, in cases where one of the conditions regulated by the LPPD is present, personal data may be transferred by the Company without obtaining the explicit consent of the data subject.
TRANSFER OF PERSONAL DATA TO FOREIGN COUNTRIES
The transfer of personal data abroad is carried out in accordance with Article 9 of the Law on the Protection of Personal Data (LPPD). Such transfers are subject to the presence of at least one of the data processing conditions set forth in Articles 5 and 6 of the LPPD, compliance with the relevant legislative provisions, and an adequacy decision issued by the Board regarding the recipient country, sector, or international organization. The Adequacy Decisions are granted and published in the Official Gazette based on criteria such as reciprocity, the data protection framework of the recipient country, the existence of independent and effective data protection authorities, and participation in international agreements. These decisions are subject to review at least once every four years and may be amended, suspended, or revoked if deemed necessary.
In the absence of an Adequacy Decision, personal data may only be transferred abroad if appropriate safeguards are in place or if specific exceptional circumstances apply. Appropriate safeguards may be ensured through mechanisms such as binding corporate rules, standard contractual clauses, or written commitments approved by the Board. In exceptional cases, data transfers may be carried out based on the explicit consent of the data subject or on legal grounds such as the performance of a contract, the protection of public interest, or the safeguarding of legal rights. Subsequent transfers of data that have been transferred abroad must also comply with the same safeguards. The Company's practices adhere to the relevant Regulations governing the procedures and principles applicable to such transfers.
EFFECTIVENESS AND IMPLEMENTATION
The personal data processing and protection policies of the Company shall be drawn up primarily within the framework of the LPPD and other relevant legislation. In the event that all or certain articles of the Policy are updated, the updates shall take effect on the date of their publication. The Policy is published in its latest version on the Company’s website, the website of the Company.
In the event that the legislative provisions are amended, the Company shall update the Policy from time to time by making amendments to the Policy. In the event of any discrepancies between this Policy and the provisions of the LPPD and other relevant legislation, provisions of the LPPD and the relevant legislation shall prevail.