SPACE İSTANBUL GAYRİMENKUL DEVELOPMENT AND DANIŞMANLIK A.Ş. CORPORATE PERSONAL DATA PROTECTION POLICY

  • PURPOSE

    Every individual's right to request the protection of their personal data is a sacred right arising from the Constitution. Space Istanbul Real Estate Development and Consultancy Inc. As (“Space Istanbul”), we consider fulfilling the requirements of this right as one of our most valuable duties. Therefore, we attach importance to the legal processing and protection of your personal data. The Corporate Personal Data Protection Policy has been prepared to determine the principles we base and the procedures we apply when processing and protecting personal data, as a result of the importance we attach to the protection of personal data.

  • SCOPE

    All personal data managed by Politics Space Istanbul is obtained, recorded, stored, preserved, changed, rearranged, disclosed, transferred, by fully or partially automatic or non-automatic means provided that it is part of any data recording system, It covers all kinds of operations performed on data such as acquiring, making available, classifying or preventing its use.

    The policy relates to all processed personal data of Space Istanbul's partners, officials, customers, employees, supplier officials and employees, and third parties.

    Space Istanbul may change the Policy in order to comply with the legislation and the decisions of the Personal Data Protection Authority and to better protect personal data.

  • DEFINITIONS
    Abbreviation Definition
    Recipient Group The category of natural or legal person to whom personal data is transferred by the data controller.
    Explicit Consent Consent regarding a specific subject, based on information and expressed with free will.
    Anonymization Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
    Contact Person The real person whose personal data is processed.
    Relevant User Except for the person or unit responsible for the technical storage, protection and backup of the data, they are the persons who process personal data within the data controller organization or in line with the authority and instructions received from the data controller.
    Destruction Deletion, destruction or anonymization of personal data.
    Law/KVKK Personal Data Protection Law No. 6698.
    Recording Media Any environment containing personal data that is processed by fully or partially automated or non-automatic means, provided that it is part of any data recording system.
    Personal Data Any information regarding an identified or identifiable natural person.
    Data Inventory The personal data processing activities carried out by data controllers depending on their business processes; The inventory they create by associating the personal data with the purposes and legal reason for processing personal data, the data category, the transferred recipient group and the data subject person group, and detailing the maximum retention period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.
    Processing of Personal Data Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system or any action performed on the data, such as preventing its use.
    Board Personal Data Protection Board.
    Institution Personal Data Protection Authority
    Special Personal Data Data regarding people's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic information data.
    Periodic Destruction The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and to be carried out ex officio at recurring intervals in case all the conditions for processing personal data specified in the Law are eliminated.
    Policy Personal Data Protection Policy
    Data Processor A natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
    Data Controller A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
  • GENERAL PRINCIPLES

    Space Istanbul checks the compliance of the data to be processed with the following principles during the preparation phase of the workflow requiring the processing of each new personal data. Workflows that are deemed inappropriate are not implemented.

    While Space Istanbul processes personal data;

    • Complies with the law and the rules of honesty.
    • Ensures that personal data is accurate and, when necessary, up-to-date.
    • Makes sure that the purpose of processing is specific, clear and legitimate.
    • It checks that the processed data is related to the purpose of processing, that it is processed as limited and proportionate as necessary.
    • It preserves the data only as long as required by the relevant legislation or for the purpose of processing, and destroys it when the purpose of processing ceases to exist.
  • PRECAUTIONS TAKEN FOR DATA SECURITY

    Space Istanbul takes all necessary technical and administrative measures to ensure the appropriate level of security in order to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data, (iii) ensure the preservation of personal data.< /p>

  • Technical Measures
    • Network security and application security are provided.
    • Security measures are taken within the scope of supply, development and maintenance of information technology systems.
    • Access logs are kept regularly.
    • Up-to-date anti-virus systems are used.
    • Firewalls are used.
    • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
    • The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
    • The security of environments containing personal data is ensured.
    • Personal data is backed up and the security of the backed up personal data is ensured.
    • User account management and authorization control system is implemented and these are also monitored.
    • Encryption is being done.
  • Administrative Measures
    • There are disciplinary regulations that include data security provisions for employees.
    • Training and awareness activities are carried out for employees at regular intervals regarding data security.
    • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.
    • Data masking measures are applied when necessary.
    • Confidentiality commitments are made.
    • Employees who change their duties or leave their jobs have their authorizations in this area removed.
    • The signed contracts contain data security provisions.
    • Personal data security policies and procedures have been determined.
    • Personal data security issues are reported quickly.
    • Personal data security is monitored.
    • Personal data is reduced as much as possible.
    • Current risks and threats have been identified.
    • Protocols and procedures for the security of special personal data have been determined and implemented.
  • RIGHTS OF THE RELATED PERSON REGARDING PERSONAL DATA

    The relevant person can apply to Space Istanbul and request the following issues:

    • Learning whether personal data is processed,
    • Requesting information if personal data has been processed,
    • Learning the purpose of processing personal data and whether they are used for their intended purpose,
    • Your personal data may be processed domestically or learning the third parties to whom it was transferred abroad,
    • Requesting correction of personal data in case their personal data has been processed incompletely or incorrectly and requesting that the action taken in this context be notified to third parties to whom personal data has been transferred,
    • Requesting the deletion, destruction or anonymization of personal data in case the reasons requiring processing are eliminated, even though it has been processed in accordance with the provisions of KVKK and other relevant laws, and requesting that the transaction carried out in this context be notified to third parties to whom personal data has been transferred,
    • Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automatic systems,
    • Requesting compensation for damages in case of loss due to unlawful processing of personal data.
  • VIOLATION NOTIFICATIONS

    Space Istanbul employees report to the Board of Directors any work, action or fact that they believe violates the provisions of KVKK and/or the Policy. Following this violation notification, the Committee meets if deemed necessary and creates an action plan regarding the violation.

    If the violation has occurred by illegally obtaining personal data by others, the Board of Directors will notify the relevant person and the Board within 72 hours within the scope of the Board's decision dated 24.01.2019 and numbered 2019/10.

  • CHANGES

    Changes to the policy are prepared and approved by the Space Istanbul Board of Directors. The updated Policy can be sent to employees via e-mail or published on the website.

  • EFFECTIVE DATE

    This version of the Policy came into force after being approved by the Board of Directors on 17.10.2023.