ZİYLAN GAYRİMENKUL YATIRIM VE YÖNETİM ANONİM ŞİRKETİ / WATERGARDEN AVM 

PERSONAL DATA PROTECTION AND PROCESSING POLICY 

***All content in this Policy text, excluding individual use, is forbidden to be copied, reproduced, used, published, and distributed, partially or entirely, without permission. Legal action will be taken according to the Law on Intellectual and Artistic Works No. 5846 against those who do not comply with this prohibition. All rights of the product are reserved. 

  1. PART 1 – INTRODUCTION 
  1. Introduction 

According to the Constitution of the Republic of Turkey, everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data related to him/her, to access such data, to request their correction or deletion and to learn whether they are used for their intended purposes.  

Law No. 6698 on the Protection of Personal Data (“PDPL” or “Law”) regulates the protection of fundamental rights and freedoms of individuals in the processing of personal data and the obligations of real and legal persons who process personal data and the procedures and principles to be followed. 

Protection of personal data is among the most important priorities of ZİYLAN GAYRİMENKUL YATIRIM VE YÖNETİM ANONİM ŞİRKETİ (“Ziylan” or “Company”). In order to inform personal data owners, this Ziylan Personal Data Protection and Processing Policy (“Policy”) explains the principles adopted in the conduct of our Company’s personal data processing activities and the basic principles adopted to ensure that these activities comply with the regulations in the PDPL. With the awareness of our responsibility within this scope, your personal data is processed and protected within the scope of this Policy. 

Information regarding the identity of the data controller for all kinds of personal data processing activities covered by this policy is given below. 

The company accepted as the data controller in this policy (“Ziylan” or “Company”):  

ZİYLAN GAYRİMENKUL YATIRIM VE YÖNETİM ANONİM ŞİRKETİ 

Mersis No: 0998077118600017 

Address: Mahmutbey Merkez Mahallesi Taş Ocağı Yolu Caddesi No:24/4 

BAĞCILAR/ISTANBUL 

  1. Objective and Scope 

The main purpose of this Policy is to make explanations about the personal data processing activities carried out by Ziylan in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company in this context. 

This Policy is related to all personal data of persons other than the employees of our Company, which are processed in whole or in part by automatic means or by non-automatic means provided that they are part of any data recording system. 

  1. Definitions 

The definitions used in this Policy are given below: 

Explicit Consent: Consent related to a specific subject, based on information and expressed with free will. 
Relevant Person: Real person whose personal data is processed. 
Relevant User: Persons who process personal data within the organization of the data controller or in accordance with the authorization and instruction received from the data controller, except for the person or unit responsible for the technical storage, protection and backup of the data. 
Relevant Person Application Form: The application form to be used by the relevant person whose personal data is processed within the Company when submitting applications regarding the rights described in Article 11 of the Law. 
Law or PDPL: Law No. 6698 on the Protection of Personal Data. 
Personal Data: Any information relating to an identified or identifiable natural person. 
Personal Data Processing Inventory:  Inventory in which data controllers detail the personal data processing activities they carry out depending on their business processes by associating them with the purposes and legal grounds for processing personal data, the data category, the group of recipients transferred and the group of data subjects, and by explaining the maximum retention period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security. 
Processing of Personal Data: Any operation performed on personal data, such as the acquisition, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification or prevention of the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. 
Board: Personal Data Protection Board. 
Institution: Personal Data Protection Board. 
Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. 
Policy: Ziylan Personal Data Protection and Processing Policy. 
Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. 
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. 
Data Controllers Registry (VERBIS): The registry of data controllers kept by the Presidency under the supervision of the Personal Data Protection Board. 
  1. Implementation of the Policy and Related Legislation 

The relevant legal regulations in force regarding the processing and protection of personal data will primarily apply. In case of any incompatibility between the legislation in force and the Policy, our Company accepts that the legislation in force will be applied. 

The Policy has been created by concretizing and organizing the rules set forth by the relevant legislation within the scope of Ziylan practices. 

  1. PART 2 – ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA 
  1. Ensuring the Security of Personal Data 

In accordance with Article 12 of the Law, our Company takes the necessary measures according to the nature of the data to be protected in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in other ways.  

In this context, our Company takes administrative measures to ensure the necessary level of security within its own organization in accordance with the guidelines published by the Personal Data Protection Board (“Board”), and conducts or has audits performed. The results of these audits are reported to the relevant department within the scope of the internal functioning of the Company and necessary activities are carried out to improve the measures taken.   

In the event that the processed personal data is obtained by others illegally, our Company operates the system that ensures that this situation is notified to the relevant personal data owner and the Board as soon as possible. 

  1. Observing the Rights of the Data Subject 

Our Company establishes the necessary channels, internal procedures, and administrative and technical arrangements in accordance with Article 13 of the PDPL in order to evaluate the rights of personal data owners and to provide them with the necessary information. 

Detailed information on the rights of data subjects is provided in Section 10 of this Policy. 

  1. Protection of Special Categories of Personal Data 

The data designated as special categories by the Law are: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. 

Our Company acts sensitively in the protection of special categories of personal data processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented with respect to sensitive personal data, and the necessary audits are carried out within Ziylan. 

Detailed information on the processing of sensitive personal data is provided in Section 3.3 of this Policy. 

  1. Awareness Raising and Audit of Business Units on Protection and Processing of Personal Data 

Our Company ensures that necessary trainings and seminars are organized for its business units, business partners and suppliers in order to raise awareness to prevent unlawful processing of personal data, unlawful access to personal data and to ensure the protection of personal data. 

Necessary systems are established in order to raise the awareness of the existing employees of Ziylan’s business units and the employees, business partners and suppliers who are newly included in the business unit on the protection of personal data, and if necessary, professional persons are employed on the subject. 

The results of the trainings conducted by our Company to raise awareness on the protection and processing of personal data are reported to the relevant department. In this direction, our Company evaluates the participation in the relevant trainings, seminars and information sessions and conducts or has the necessary audits carried out. Our Company updates and renews its trainings in parallel with the updating of the relevant legislation. 

  1. PART 3 – ISSUES RELATED TO THE PROCESSING OF PERSONAL DATA 

In accordance with Article 20 of the Constitution and Article 4 of the PDPL, our Company processes personal data (i) in accordance with the law and honesty rules; (ii) accurately and, when necessary, kept up to date; (iii) for specific, clear and legitimate purposes; (iv) in a manner that is relevant, limited and proportionate to the purpose; and (v) retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed. 

In accordance with Article 20 of the Constitution and Article 5 of the PDPL, our Company processes personal data based on one or more of the conditions in Article 5 of the PDPL regarding the processing of personal data. 

In accordance with Article 6 of the PDPL, our Company acts in accordance with the regulations stipulated for the processing of special categories of personal data. 

In accordance with Articles 8 and 9 of the PDPL, our Company acts in accordance with the regulations stipulated in the law and set forth by the Board regarding the transfer of personal data. 

  1. Processing of Personal Data in Compliance with the Principles Stipulated in the Legislation 
  1. Compliance with the Law and the Rule of Honesty 

Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company processes personal data only to the extent required by the purpose, taking into account the proportionality requirements in the processing of personal data. 

  1. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary 

Our Company ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. In this direction, it takes necessary measures and establishes appropriate mechanisms.  

  1. Processing for Specific, Explicit and Legitimate Purposes 

Our Company clearly and precisely determines the legitimate and lawful purpose of personal data processing. Our Company processes personal data within the scope of the purposes related to the service it provides. 

  1. Being relevant, limited and proportionate to the purpose for which they are processed 

Our Company processes personal data in a manner that is conducive to the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed. 

  1. Storage for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed 

Our Company retains personal data for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, our Company first determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, and if no period is determined, it retains personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons requiring their processing disappear. 

  1. Terms of Processing Personal Data 

Protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted without prejudice to their essence only for the reasons specified in the relevant articles of the Constitution and only by law. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. Our Company processes personal data within the framework of these rules.  

The basis of personal data processing activity may be only one of the following conditions, or more than one of these conditions may be the basis of the same personal data processing activity.  

Although the legal bases for the processing of personal data by our Company may differ, we act in accordance with the general principles specified in Article 4 of Law No. 6698 (See Section 3.1.) in all kinds of personal data processing activities. 

  1. Explicit Consent of the Personal Data Owner 

One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data owner must be related to a specific subject, based on information and free will.  

Personal data is processed on the basis of at least one of the conditions in (b), (c), (d), (e), (f), (g) and (h) of this title; if none of these conditions is present, the personal data processing activities are carried out by our Company based on the explicit consent of the personal data owner for these processing activities. 

  1. Explicitly Stipulated in the Laws 

The personal data of the data subject may be processed in accordance with the law if the processing of personal data is expressly provided for in the law. 

  1. Failure to Obtain the Explicit Consent of the Relevant Person Due to Actual Impossibility 

The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent cannot be recognized as valid, in order to protect the life or physical integrity of himself/herself or another person. 

  1. Direct Relevance to the Establishment or Performance of the Contract 

Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract. 

  1. Fulfillment of Legal Obligations by the Company 

Personal data of the data subject may be processed if processing is mandatory for our Company to fulfill its legal obligations as a data controller. 

  1. Publicization of Personal Data by the Personal Data Owner 

In the event that the personal data of the data owner has been made public by the data owner, the relevant personal data may be processed within the framework of the purpose of publicization. 

  1. Data Processing is Mandatory for the Establishment or Protection of a Right 

If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed. 

  1. Processing is Mandatory for the Legitimate Interest of our Company 

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is mandatory for the legitimate interests of our Company. 

  1. Processing of Sensitive Personal Data 

In accordance with the PDPL, special categories of personal data are processed by our Company in the following cases, provided that adequate measures to be determined by the Board are taken: 

  • With the explicit consent of the personal data subject, or 
  • Without the explicit consent of the personal data subject, only in the following cases: 
    • Sensitive personal data other than health and sexual life, in cases clearly stipulated by law, 
    • Sensitive personal data relating to health and sexual life are processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. 
  1. Enlightening and Informing the Personal Data Owner 

In accordance with Article 10 of the Law, our Company informs personal data subjects during the acquisition of personal data. In this context, the relevant persons are informed about who the data controller of their personal data is, for what purposes the data is processed, with whom it is shared, by which methods it is collected, the legal reason for its collection, and the rights of data subjects within the scope of the processing of their personal data. Detailed information on this subject is provided in Section 10 of this Policy. 

Article 20 of the Constitution stipulates that everyone has the right to be informed about personal data concerning him/her. In this direction, “requesting information” is also listed among the rights of the personal data owner in Article 11 of the Law. In this context, our Company provides the necessary information in case the personal data owner requests information in accordance with Article 20 of the Constitution and Article 11 of the PDPL. Detailed information on this subject is provided in Section 10 of this Policy. 

  1. Transfer of Personal Data 

Our Company may transfer the personal data and sensitive personal data of the personal data owner to third parties (third party companies, group companies, third real persons) by taking the necessary security measures in line with the lawful personal data processing purposes. In this direction, our Company acts in accordance with the regulations stipulated in Article 8 of the PDPL. 

  1. Transfer of Personal Data 

In line with the legitimate and lawful personal data processing purposes, our Company may transfer personal data to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below and in a limited manner, with due care and by taking all necessary security measures, including the methods stipulated by the Board: 

  • If there is explicit consent of the personal data subject, 
  • If there is a clear regulation regarding the transfer of personal data in the laws, 
  • If it is mandatory for the protection of the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to disclose his consent due to actual impossibility or his consent is not legally valid; 
  • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,  
  • If personal data transfer is mandatory for our company to fulfill its legal obligation, 
  • If personal data is made public by the personal data owner, limited to the purpose of publicization, 
  • If personal data transfer is mandatory for the establishment, exercise or protection of a right,  
  • If personal data transfer is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner. 

In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection (“Foreign Country with Adequate Protection”) in the presence of any of the above conditions. In the absence of adequate protection, in accordance with the data transfer conditions stipulated in the legislation, personal data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the Board has granted permission (“Foreign Country Where the Data Controller Undertakes Adequate Protection”). 

  1. Transfer of Sensitive Personal Data 

Our Company may transfer the personal data of the personal data owner to third parties in the following cases in accordance with the legitimate and lawful personal data processing principles by taking all necessary administrative and technical measures and taking adequate measures stipulated by the Board. 

  • With the explicit consent of the personal data subject, or 
  • Without the explicit consent of the personal data subject, in the following cases: 
    • Sensitive personal data other than the health and sexual life of the personal data owner in cases stipulated by law, 
    • Sensitive personal data relating to the health and sexual life of the personal data owner can only be transferred by persons or authorized institutions and organizations under the obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. 

In addition to the above, personal data may be transferred to Foreign Countries with Adequate Protection in the presence of any of the above conditions. In the absence of adequate protection, personal data may be transferred to Foreign Countries where there is a Data Controller Committed to Adequate Protection in line with the data transfer conditions stipulated in the legislation. 

  1. PART 4 – PURPOSES OF PROCESSING PERSONAL DATA PROCESSED BY OUR COMPANY 

Personal data are processed by our Company based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Personal Data Protection Law No. 6698, in accordance with the general principles specified in the Law.  The categories of personal data processed can be found in section 5 of this policy. 

Purposes of processing personal data: 

  • Execution of Emergency Management Processes 
  • Execution of Information Security Processes 
  • Execution of Employee Candidate / Intern / Student Selection and Placement Processes 
  • Execution of Employee Candidate Application Processes 
  • Execution of Employee Satisfaction and Loyalty Processes 
  • Fulfillment of Employment Contract and Regulatory Obligations for Employees 
  • Execution of Employee Benefits and Benefits Processes 
  • Conducting Audit / Ethics Activities 
  • Conducting Training Activities 
  • Execution of Access Authorizations 
  • Execution of Activities in Compliance with the Legislation 
  • Execution of Finance and Accounting Affairs 
  • Execution of Company / Product / Service Loyalty Processes 
  • Ensuring Physical Space Security 
  • Execution of Assignment Processes 
  • Monitoring and Execution of Legal Affairs 
  • Conducting Internal Audit / Investigation / Intelligence Activities 
  • Execution of Communication Activities 
  • Planning Human Resources Processes 
  • Execution / Supervision of Business Activities 
  • Execution of Occupational Health / Safety Activities 
  • Execution of Business Continuity Ensuring Activities 
  • Execution of Logistics Activities 
  • Execution of Goods / Service Procurement Processes 
  • Execution of Goods / Services After Sales Support Services 
  • Execution of Goods / Service Sales Processes 
  • Execution of Goods / Services Production and Operation Processes 
  • Execution of Customer Relationship Management Processes 
  • Execution of Activities for Customer Satisfaction 
  • Organization and Event Management 
  • Conducting Marketing Analysis Studies 
  • Execution of Performance Evaluation Processes 
  • Execution of Advertising / Campaign / Promotion Processes 
  • Execution of Risk Management Processes 
  • Execution of Storage and Archive Activities 
  • Execution of Contract Processes 
  • Execution of Strategic Planning Activities 
  • Tracking Requests / Complaints 
  • Ensuring the Security of Movable Property and Resources 
  • Execution of Supply Chain Management Processes 
  • Execution of Wage Policy 
  • Execution of Marketing Processes of Products / Services 
  • Ensuring the Security of Data Controller Operations 
  • Execution of Investment Processes 
  • Providing Information to Authorized Persons, Institutions and Organizations 
  • Execution of Management Activities 
  • Creating and Tracking Visitor Records 
  1. PART 5 – OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY AND CATEGORIZATION OF PERSONAL DATA 

Although the personal data of the categories of personal data subjects listed below are processed by our Company, the scope of application of this Policy is limited to our customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with and third parties.  

The personal data protection and processing activities of our employees will be evaluated under the Ziylan Employees Personal Data Protection and Processing Policy.  

Although the categories of persons whose personal data are processed by our Company are within the scope of the above-mentioned scope, persons outside of these categories may also direct their requests to our Company within the scope of PDPL; the requests of these persons will also be evaluated within the scope of this Policy.  

Below, the concepts of customer, potential customer, visitor, third party, employee candidate, shareholder and board member, real persons in the institutions we cooperate with and third parties related to these persons within the scope of this Policy are clarified: 

Personal Data Subject Category: Definition 
Customer: Natural persons who use, will use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company. 
Potential Customer: Natural persons who have requested or shown interest in using our products and services, or who have been assessed, in accordance with commercial custom and honesty rules, as likely to have such an interest. 
Supplier:  Persons, officials, partners and employees whose personal data are obtained, who provide products or services to the Company within the scope of commercial activities carried out by the Company, regardless of whether there is any contractual relationship.   
Visitor: Natural persons who have entered the physical premises owned by our Company for various purposes or who visit our websites. 
Third Party: Third party natural persons (e.g. Guarantor, Companion, Family Members and relatives) who are associated with these persons in order to ensure the security of our Company’s commercial transactions with the aforementioned parties or to protect the rights of the aforementioned persons and to provide benefits, or other natural persons who are not covered by this Policy and Ziylan Employees Personal Data Protection and Processing Policy. 
Employee Candidate:  Natural persons who have applied for a job to our company by any means or who have opened their CV and related information to our company’s review. 
Company Shareholder: Real persons who are shareholders of our Company. 
Company Official: Board members and other authorized real persons. 
Employees, Shareholders and Authorities of the Institutions we cooperate with: Real persons, including, but not limited to, shareholders and officials of these organizations, working in organizations with which our Company has all kinds of business relations (such as business partners, suppliers, etc.). 

The table below details the categories of personal data mentioned above and the description of the data within these categories: 

PERSONAL DATA CATEGORIZATION: DEFINITION 
Credentials: Name, surname, parents’ name, mother’s maiden name, date of birth, place of birth, marital status, identity card serial number, Turkish ID number. 
Contact Information: Information such as address no, e-mail address, contact address, registered electronic mail address (REM), telephone no. 
Family Members and Relatives: Information about the personal data owner’s family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency, related to the services offered by Ziylan or processed to protect the legal and other interests of the Company and the personal data owner. 
Customer Transaction Information: Call center records, invoice, promissory note, check information, information in box office receipts, order information, request information. 
Physical Location Security Info: Information such as entry and exit registration information of real persons, camera recordings. 
Transaction Security Information: IP address information, website login and logout information, password information, etc. 
Risk Management Information: Information processed for the management of commercial, technical and administrative risks. 
Financial Information: Information such as balance sheet information, financial performance information, credit and risk information, asset information. 
Legal and Compliance Information: Information regarding the determination and follow-up of our legal receivables and rights and the fulfillment of our debts and compliance with our legal obligations and our Company’s policies. 
Audit and Inspection Information: Information regarding the execution of our Company’s operational, financial, fraud and compliance audit activities. 
Sensitive Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. 
Request/Complaint Management Information: Information regarding the receipt and evaluation of any request or complaint addressed to Ziylan. 
  1. PART 6 – ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA 

In accordance with Article 12 of the Law, our Company takes all necessary technical and administrative measures to prevent unlawful processing of personal data and unlawful access to personal data, and to ensure the appropriate level of security to ensure the protection of personal data. 

  1. Technical Measures Taken to Ensure Lawful Processing of Personal Data 

The technical measures taken by our Company to ensure the lawful processing of personal data are listed below: 

  • Network security and application security are ensured.  
  • Closed system network is used for personal data transfers through the network.  
  • Security measures are taken within the scope of procurement, development and maintenance of information technology systems.  
  • An authorization matrix has been established for employees.  
  • Access logs are kept regularly.  
  • The authorizations of employees who change their duties or leave their jobs are removed.  
  • Up-to-date anti-virus systems are used.  
  • User account management and authorization control system are implemented and monitored.  
  • Log records are kept without user intervention.  
  • Intrusion detection and prevention systems are used.  
  • Penetration testing is applied. 
  • Cyber security measures have been taken and their implementation is constantly monitored.  
  • Encryption is performed. 
  1. Administrative Measures Taken to Ensure Lawful Processing of Personal Data 

The administrative measures taken by our Company to prevent unlawful access to personal data are listed below: 

  • Training and awareness raising activities on data security are carried out periodically for employees.  
  • The obligation to inform the relevant persons is fulfilled. 
  • Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.  
  • Confidentiality undertakings are made. 
  • Signed contracts contain data security provisions. 
  • Personal data security policies and procedures have been determined.  
  • Personal data security issues are reported quickly. 
  • Necessary security measures are taken for entry and exit to physical environments containing personal data.  
  • Physical environments containing personal data are secured against external risks (fire, flood, etc.).  
  • Security of environments containing personal data is ensured.  
  • Personal data is minimized as much as possible. 
  • Internal periodic and/or random audits are carried out. 
  • Protocols and procedures for the security of special categories of personal data have been determined and implemented.  
  • Awareness of data processing service providers on data security is ensured. 
  1. PART 7 – DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA 

Your data retained within the scope of the Law will be retained for the maximum period specified under the relevant legislation or required for the purpose for which they are processed, and in any case for the statutory limitation period. As regulated in Article 138 of the Turkish Penal Code and Article 7 of the Law, although personal data have been processed in accordance with the provisions of the relevant law, in the event that the reasons requiring their processing disappear, personal data will be deleted, destroyed or anonymized under the conditions determined by the Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224 and the Ziylan Personal Data Retention and Destruction Policy prepared in accordance with this regulation. 

  1. PART 8 – THIRD PARTIES TO WHOM PERSONAL DATA ARE TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER 

In accordance with Article 10 of the Law, our Company informs the personal data owner of the groups of persons to whom personal data are transferred. 

Our Company may transfer the personal data processed in accordance with Articles 8 and 9 of the Law to the categories of persons listed below: 

  1. Ziylan business partners, 
  1. Ziylan suppliers, 
  1. Ziylan customers, 
  1. Ziylan subsidiaries, 
  1. Ziylan shareholders, 
  1. Legally authorized public institutions and organizations, 
  1. Legally authorized private law persons. 

| Persons to whom data can be transferred | Definition | Data Transfer Purpose |
| --- | --- | --- |
| Business Partner | Defines the parties with whom our Company has established business partnerships for purposes such as the sale, promotion and marketing of our Company’s products and services, after-sales support, and the execution of joint customer loyalty programs while conducting our Company’s commercial activities. | Limited to ensure the fulfillment of the purposes of the establishment of the joint venture. |
| Supplier | Defines the parties that provide services to our Company on a contractual basis in accordance with the orders and instructions of our Company while conducting our Company’s commercial activities. | Limited for the purpose of ensuring that the services outsourced by our Company from the supplier and necessary to fulfill the commercial activities of our Company are provided to our Company. |
| Customer | Natural or legal persons to whom the Company provides services and products while conducting its commercial activities. | Limited to ensure the provision of products and services offered by our Company to its customers. |
| Our Subsidiaries | Companies in which our Company is a shareholder. | Limited to ensuring the execution of our Company’s commercial activities that require the participation of subsidiaries. |
| Our Shareholders | Our shareholders who are authorized to design the strategies and audit activities regarding our Company’s commercial activities in accordance with the provisions of the relevant legislation. | Limited to the purposes of designing strategies and auditing the commercial activities of our Company in accordance with the provisions of the relevant legislation. |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from our Company in accordance with the provisions of the relevant legislation. | Limited to the purpose requested by the relevant public institutions and organizations within the legal authority. |
| Legally Authorized Private Law Persons | Private law persons authorized to obtain information and documents from our Company in accordance with the provisions of the relevant legislation. | Limited to the purpose requested by the relevant private law persons within the scope of their legal authority. |

  1. PART 9 – PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE COMPANY 

In order to ensure security, our Company carries out personal data processing activities for the monitoring of guest entrances and exits with security cameras in our Company’s buildings and facilities. 

Personal data processing activities carried out by our Company at the entrances of the building and facilities and within the facility are carried out in accordance with the Constitution, PDPL and other relevant legislation. 

  1. CAMERA SURVEILLANCE ACTIVITIES CARRIED OUT IN ZIYLAN BUILDING, FACILITY ENTRANCES AND INSIDE 

Within the scope of security camera surveillance activities, our Company aims to increase the quality of the service provided, ensure its reliability, ensure the security of the company, customers and other persons, and protect the interests of customers regarding the service they receive. 

The camera surveillance activity carried out by our Company is carried out in accordance with the Law on Private Security Services and the relevant legislation. 

Our Company carries out security camera monitoring activities in order to ensure security in its buildings and facilities, for the purposes stipulated by law and in accordance with the personal data processing conditions listed in the PDPL.  

The personal data owner is informed by our Company in accordance with Article 10 of the Law. For its camera surveillance activity, our Company publishes this Policy on its website (online Policy regulation) and posts a notification letter regarding the monitoring at the entrances of the areas where the monitoring is carried out (on-site clarification).

In accordance with Article 4 of the Law, our Company processes personal data in a limited and measured manner in connection with the purpose for which they are processed. The purpose of the video camera surveillance activity carried out by our Company is limited to the purposes listed in this Policy. 

In accordance with Article 12 of the Law, necessary technical and administrative measures are taken by our Company to ensure the security of personal data obtained as a result of video surveillance. 

There is no monitoring in areas that may result in interference with the privacy of the person. Security camera recordings can only be accessed by a limited number of Company employees and authorized persons if necessary. These persons who have access to the records declare that they will protect the confidentiality of the data they access with the confidentiality undertaking they have signed. 

  1. MONITORING OF ENTRANCES AND EXITS CARRIED OUT IN ZİYLAN BUILDINGS, FACILITY ENTRANCES AND INSIDE 

Our Company carries out personal data processing activities to monitor guest entrances and exits in Ziylan buildings and facilities to ensure security and for the purposes specified in this Policy.  

Persons who come to Ziylan buildings as guests are informed within this scope while their identity data are obtained, or through the texts posted in the Company or otherwise made available to guests. The data obtained for the purpose of tracking guest entry-exit are processed only for this purpose and the relevant personal data are recorded in the data recording system in a physical environment. 

  1. PART 10 – RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY FOR THE EXERCISE AND EVALUATION OF THESE RIGHTS 

Our Company informs the personal data owner of his/her rights in accordance with Article 10 of the Law and guides the personal data owner on how to exercise these rights. In accordance with Article 13 of the Law, our Company maintains the necessary channels and the internal operational, administrative and technical arrangements in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners. 

  1. RIGHTS OF THE DATA OWNER AND EXERCISING THESE RIGHTS 
  1. Rights of the Personal Data Owner 

Personal data subjects have the following rights: 

  1. To learn whether personal data is being processed, 
  1. To request information if their personal data has been processed, 
  1. To learn the purpose of processing personal data and whether they are used for their intended purpose, 
  1. To know the third parties to whom personal data are transferred domestically or abroad, 
  1. To request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred, 
  1. Although it has been processed in accordance with the provisions of the PDPL and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred, 
  1. To object to the emergence of a result to the detriment of the person himself/herself by analyzing the processed data exclusively through automated systems, 
  1. In case of damage due to unlawful processing of personal data, to demand compensation for the damage. 
  1. Cases where the Personal Data Owner cannot assert his/her rights 

As the following cases are excluded from the scope of the Law pursuant to Article 28 of the PDPL, personal data owners cannot assert the rights of personal data owners listed in 10.1.1: 

  1. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics. 
  1. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime. 
  1. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security. 
  1. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures. 

Pursuant to Article 28/2 of the Law, in the cases listed below, personal data owners cannot assert their other rights listed in 10.1.1., except for the right to claim compensation for the damage: 

  1. Processing of personal data is necessary for the prevention of crime or criminal investigation. 
  1. Processing of personal data made public by the personal data owner himself/herself. 
  1. Processing of personal data is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law. 
  1. Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters. 
  1. Exercising the Rights of the Personal Data Owner 

Personal data owners can submit their requests regarding their rights listed under Title 10.1.1. of this section to the Company by filling out the “Relevant Person (Personal Data Owner) Application Form” available at www.zulfikarlar.com.tr and using the methods determined by the Board. The method of the application to be made in this form is also explained in detail. 

It is not possible for third parties to make requests on behalf of personal data owners.  In order for a person other than the personal data owner to make a request, there must be a special proxy issued by the personal data owner on behalf of the person who will make the application. 

  1. Personal Data Subject’s Right to File a Complaint to the Board 

Pursuant to Article 14 of the PDPL, in cases where the application is rejected, the response is found insufficient or the application is not responded to in due time, the personal data owner may file a complaint to the Board within thirty days from the date of learning the response of our Company and in any case within sixty days from the date of application. 

  1. ZİYLAN’S RESPONSE TO THE APPLICATIONS 
  1. The Procedure and Duration of Our Company’s Response to Applications 

In the event that the personal data owner submits his/her request to our Company in accordance with the procedure in the section titled 10.1.3. of this section, our Company will finalize the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.  

However, if the transaction requires an additional cost, our Company will charge the applicant the fee in the tariff determined by the Board. 

  1. Information Our Company May Request from the Applicant Personal Data Subject 

Our Company may request information from the relevant person in order to determine whether the applicant is the personal data owner. 

In order to clarify the issues in the application of the personal data owner, our Company may ask questions to the personal data owner regarding the application. 

  1. Our Company’s Right to Reject the Personal Data Owner’s Application 

In the following cases, our Company may reject the application of the applicant by explaining its reasoning: 

  1. Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics. 
  1. Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public security, public order, economic security, privacy of private life or personal rights or constitute a crime. 
  1. Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security. 
  1. Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures. 
  1. Processing of personal data is necessary for the prevention of crime or criminal investigation. 
  1. Processing of personal data made public by the personal data owner himself/herself. 
  1. Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigations or prosecutions by authorized public institutions and organizations and professional organizations in the nature of public institutions based on the authority granted by law. 
  1. Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters. 
  1. The request of the personal data owner is likely to hinder the rights and freedoms of other persons. 
  1. Requests have been made that require disproportionate effort. 
  1. The requested information is publicly available. 
  1. Existence of one of the situations excluded from the scope pursuant to the Law. 
  1. OTHER MATTERS 

This Policy is published in two different media, wet signed (printed paper) and on the Company’s website www.watergarden.com.tr, and disclosed to the public on the website. 

This Policy shall be updated in cases that require updating such as amendments to the Law, Board decisions or developments in the sector and the field of informatics and/or when necessary. Amendments made within this scope are immediately incorporated into the text and explanations regarding the amendments are included in the “Amendment Table” at the end of the policy. 

This Policy and the amendments made to the Policy within the scope of the update shall be deemed to have entered into force upon its publication on the Company’s website. 

TABLE OF CHANGES 
Article Number  Amendment Date Explanation