I. INTRODUCTION
1.1. Purpose of the Policy
Pursuant to Article 20 of the Constitution titled “Privacy of Private Life”, the Law No. 6698 on the Protection of Personal Data (“Law”), and applicable regulations and communiques, the privacy of the data owners is essential during the processing of personal data obtained by Mars34 İnşaat Gayrimenkul Anonim Şirketi (“Company” or “Mars”). The purpose of this Policy is to protect the rights and freedoms of the data owners, to perform the data processing activities of the data controller in accordance with the Law, and to determine the principles regarding the protection, processing, storage, and, if necessary, destruction of the personal data obtained.
1.2. Scope of the Policy
Within the scope of this Policy, the procedures and principles of the data processing activity carried out by Mars are established for all kinds of operations on any information relating to an identified or identifiable natural person, as personal data, such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of it, whether fully or partially automatically, or non-automatically provided that it is a part of any data recording system.
1.3. Application of the Policy and Relevant Legislation
The Policy has been prepared in accordance with the relevant prevailing legislation particularly Turkish Commercial Code No. 6102 in force, Turkish Code of Obligations No. 6098, Protection of Personal Data Law No. 6698, Regulation on Data Controllers Registry No. 30286, Regulation on Deletion, Destruction or Anonymization of Personal Data No. 30224, the Regulation on the Processing of Personal Health Data and the Protection of Privacy, and the rules shown in the regulations, communiques, decisions and guides published by the Board.
In the event that there is a change in the Law or other relevant legislation after the publication date of the Policy by Mars and the Policy becomes incompatible with the said amendment, the amended provisions and rules will be applicable. All communiques, decisions and guides published by the Board are followed by Mars, and the rules stipulated by the Policy are kept up to date.
1.4. Enforcement of the Policy
The Policy has been published on the website of Mars at www.marsintgroup.com and entered into force on the date of its publication.
II. PARTICULARS REGARDING THE PROTECTION OF PERSONAL DATA
2.1. Ensuring the Security of Personal Data
According to Article 12 of the Law No. 6698, the data controller is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security.
For the reasons explained, Mars implements security measures to prevent unlawful processing, transfer, and disclosure to third parties of personal data, unauthorized access and security deficiencies arising through other means. Explanations on the administrative and technical measures taken are included in the section “VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA”.
2.2. Protection of Special Categories of Personal Data
The data that is sensitive due to its nature and may cause victimization or discrimination of the data owner if it is in the hands of third parties is accepted as special categories of personal data within the scope of the Law. Sensitive Personal Data includes data related to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.
Special categories of personal data cannot be processed without the explicit consent of the data subject. Among the special categories of personal data, the health data of the persons concerned may be processed without seeking the explicit consent of the data subject, but only by persons or authorized institutions and organizations that are under the obligation of confidentiality, for the purposes of protecting public health, carrying out preventive treatment and care services, planning health services and financing, and management. In addition, regardless of the type, all sensitive personal data could be processed only if adequate measures determined by KVKK are taken as per the law.
All necessary measures are taken by Mars to protect sensitive personal data, and it is essential that, as far as possible, such data are not obtained or processed.
III. PARTICULARS REGARDING THE PROCESSING OF PERSONAL DATA
3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation
The principles to be applied in the processing of your personal data in accordance with Article 4 of the Law are as follows:
3.2. Conditions for Processing Personal Data
Personal data obtained by Mars cannot be processed without the explicit consent of the person concerned, except for the exceptions stipulated in the Law. Your personal data may be processed without seeking the explicit consent in the following situations:
3.3. Exceptions to Obligation to Obtain Explicit Consent
a) Expressly provided by the laws
One of the data processing conditions is that it is expressly provided by the laws. The provisions in the laws regarding the processing of personal data may establish a data processing condition. In such a case, the explicit consent of the data subject is not required.
b) Physical Disability
The personal data of the person concerned can be processed without explicit consent in cases where it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Being directly related to the establishment or performance of the contract
In the event that data processing is deemed necessary during the conclusion or performance of a contract to which the data owner is a party, personal data may be processed without obtaining explicit consent.
d) Compliance with a legal obligation of the company
Personal data might be processed without obtaining explicit consent to perform the legal obligations that Mars shall perform as a data controller.
e) Have been made public by the data subject
Personal data made public by the data subject, in other words, personal data disclosed to the public in any way, might be processed without obtaining explicit consent. Even in this case, the publicized personal data cannot be used for purposes other than its intended use.
f) Processing of Data is necessary for the establishment, exercise, or protection of any right
In cases where it is necessary for the establishment, exercise, or protection of a right, it is possible to process the personal data of the person concerned without his/her explicit consent.
g) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject
If the processing of personal data is necessary for the data controller and the data processing will not violate the fundamental rights and freedoms of the data subject, personal data may be processed without obtaining explicit consent.
The legitimate interest of the data controller is the interest and benefit to be obtained due to the processing to be carried out.
The benefit to be obtained by the data controller must be related to a legitimate, sufficiently effective, specific, and already existing interest to compete with the fundamental rights and freedoms of the data subject. It should be a process that is related to the current activities of the data controller and will benefit it soon.
3.4. Processing of Special Categories of Personal Data
The processing of special categories of personal data is subject to Article 6 of the Law, and processing them without the explicit consent of the person concerned is prohibited.
Sensitive Personal Data are the data related to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data. The data included in this scope is limited and cannot be expanded through interpretation.
Due to their nature, special categories of personal data are data that, if learned, may cause discrimination and victimization of the person concerned. Therefore, they need to be protected much more strictly than other personal data.
a) Special categories of personal data beside health and sexual life
Special categories of personal data other than personal data related to health and sexual life can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.
b) Special categories of personal data regarding health and sexual life
Special categories of personal data regarding health and sexual life can only be processed by persons or authorized institutions and organizations that are under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and financing.
3.5. Clarifying and Informing the Personal Data Owner
During the acquisition of personal data, data owners are informed in the capacity of data controller or by persons authorized by Mars. The procedures and principles regarding the information provided are specified in the related Clarification Texts on the Processing of Personal Data published by Mars, and the information briefly includes the following elements:
a) The identity of the data controller and of its representative
In accordance with the Article 10 of the Law, personal data obtained from data owners (employee, employee candidates, suppliers, shareholders/partners, company officials, visitors and other third parties) are processed by Mars34 İnşaat Gayrimenkul Anonim Şirketi in the capacity of data controller and can be provided through communication channels located at www.marsintgroup.com.
b) Purposes of processing of personal data
The processing of personal data is carried out for specific, clear, and legitimate purposes and is based on informing the data owners. The purposes for which your obtained data are processed are listed in the “V. CATEGORIZATION AND PROCESSING PURPOSE OF PERSONAL DATA PROCESSED BY OUR COMPANY” section of the Policy.
c) Persons to whom personal data are transferred and the purposes for which the data is transferred
Within the framework of the data controller’s obligation to inform the data owner, the persons to whom personal data are transferred and the purposes for which they are transferred should be clearly stated. Personal data cannot be transferred to third parties without the explicit consent of the data owner. Recipient groups to which personal data is transferred by Mars and the purposes for which they are transferred are shown in the “IV. TRANSFERRING PERSONAL DATA” section of the Policy.
d) Procedure and legal reason for collecting personal data
In accordance with Articles 5 and 6 of the Law, the data controller must clearly indicate on which of the personal data processing conditions it is processed. Data collection procedure and mediation are determined by the data controller. The processing conditions of personal data, that is, the conditions of compliance with the law, are listed in numerus clausus in the Law (art. 5-6) and these conditions cannot be extended.
As data controller, Mars first evaluates whether the purpose of the personal data processing activity is based on one of the processing conditions other than explicit consent; if this purpose does not meet at least one of the conditions other than the explicit consent specified in the Law, the explicit consent of the person is required for the continuation of the data processing activity.
IV. TRANSFERRING PERSONAL DATA
4.1. Domestic Transfer
Personal data cannot be transferred without the explicit consent of the person concerned. However, if one of the conditions specified
it can be transferred without seeking the explicit consent of the person concerned.
Accordingly, personal data of the person concerned may be transferred to third parties without their explicit consent in the event that it is expressly provided for by the laws (1), it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid (2), processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract (3), it is necessary for compliance with a legal obligation to which the data controller is subject (4), personal data have been made public by the data subject himself/herself (5), data processing is necessary for the establishment, exercise or protection of any right (6), processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject (7).
Meanwhile, personal data other than health and sexual life, which are among the special categories of personal data of the persons concerned, may be transferred to third parties without seeking the explicit consent of the data subject in cases stipulated by the laws. Personal data related to health and sexual life can be transferred to third parties without explicit consent of the data subject, by persons or authorized institutions and organizations under the obligation of secrecy for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment, care services, planning and management of health services and financing.
Information about the recipient groups, to which your personal data processed by Mars is transferred, is included in the ANNEX 4 – Third Parties to which Personal Data are Transferred and the Purposes of Transfer of the Policy.
4.2. Transfer of Personal Data Abroad
Personal data cannot be transferred abroad without the explicit consent of the person concerned. However, it can be transferred abroad without the explicit consent of the person concerned, provided that one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law exists and the event that
V. CATEGORIZATION OF PERSONAL DATA PROCESSED BY OUR COMPANY AND THE PURPOSE OF PROCESSING
The categories of data obtained by Mars from the data subjects and the purposes pursued in the processing of personal data are shown in the relevant sections of the clarification texts on our website for each category of data subject.
VI. ADMINISTRATIVE AND TECHNICAL MEASURES TO PROTECT PERSONAL DATA
Administrative and technical measures are taken by Mars to securely store personal data, to prevent unlawful processing and access to personal data.
In order to ensure personal data security, it is determined what all the personal data processed by Mars is and the probability of the risks that may arise regarding the protection of this data; in doing so, whether the personal data is special categories of personal data (1), which degree of confidentiality is required by its nature (2), and the nature and quantity of the damage that may arise in terms of the person concerned in the event of a security breach (3) are taken into account.
After defining and prioritizing these risks, control and solution alternatives to reduce or eliminate the said risks are evaluated in line with the principles of cost, applicability and usefulness, and necessary technical and administrative measures are planned and put into practice.
6.1. Administrative Measures
For ensuring personal data security, it is of great importance that employees make the first response to attacks that will violate personal data security and cyber security, even if they have limited information. For this reason, awareness and information activities are carried out in our internal organization as a data controller.
Employees are given the necessary training on issues such as not unlawfully disclosing and sharing personal data; awareness activities are conducted for employees; an environment where security risks can be identified is created; the roles and responsibilities regarding personal data security are determined in job descriptions, regardless of position within the data controller; and it is ensured that employees are aware of their roles and responsibilities in this regard.
On the other hand, confidentiality agreements are signed as part of the recruitment processes of the employees, and a disciplinary process is carried out if the employees do not comply with the security policies and procedures.
In case of any change in the policies and procedures regarding personal data security, trainings are provided to inform and explain the change to the employees, and the information about the threats to data security and security is kept up to date.
In accordance with Article 4(b) and (d) of the Law, personal data must be accurate and up to date when necessary and must be kept for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, the data processed are processed in accordance with the principles and rules that must be observed in data processing activities and are kept for the period required for the purpose for which they are processed. Information on the storage and disposal procedure and retention periods of personal data processed by Mars is shown in the VIII. STORAGE AND DISPOSAL OF PERSONAL DATA and ANNEX –4: Retention Periods of Personal Data sections of this Policy.
The table below provides a summary of the administrative measures taken to ensure data security:
Technical Measures
VII. PERSONAL DATA PROCESSING AT BUILDING ENTRANCES AND INSIDE THE BUILDING
Camera Monitoring Activity at Building Entrances and Inside
Within the scope of the Law on Private Security Services, camera monitoring is carried out to ensure the security of the Company entrance, working areas, common areas and its surroundings, and to protect the interest in ensuring the safety of Mars and other persons. The camera monitoring activity is carried out in accordance with the Law and within the scope of the data processing conditions listed both in the Law and in this Policy.
VIII. STORAGE AND DISPOSAL OF PERSONAL DATA
8.1. Personal data should be accurate and up to date when necessary and should be kept for the period required for the purpose for which they are processed or as stipulated in the relevant legislation, in accordance with the subparagraphs (b) and (d) of Article 4 of the Law. Your personal data which is kept by Mars is retained for as long as data processing is necessary. In the event that the obligation to delete, destroy or anonymize personal data arises, it is deleted, destroyed or anonymized within the first periodic destruction period following the date of occurrence of this obligation. In the deletion, destruction or anonymization of your personal data, the general principles set forth in Article 4 of the Law and the technical and administrative measures set forth in Article 12 are followed.
The period for periodic destruction is limited to a maximum of 1 year.
Personal data specialist personnel assigned by Mars regarding the storage and destruction of data is the person responsible for the execution and oversight of the personal data storage and destruction policy.
All transactions regarding the deletion, destruction, or anonymization of personal data by Mars are recorded and kept for at least 3 years in accordance with the legal obligation.
The retention periods of personal data processed by Mars are shown in Annex-4.
8.2. Obligation to Delete, Destroy and Anonymize Personal Data
Personal data processed by Mars are deleted, destroyed, or anonymized ex officio or upon the request of the relevant data owner in case the reasons that require them to be processed are eliminated, in accordance with Article 7 of the Law and the provisions of the “Regulation on the Deletion, Destruction or Anonymization of Personal Data” prepared by the Personal Data Protection Board and published in the Official Gazette dated 28 October 2017 and numbered 30224.
a) Deletion of personal data
Deletion of personal data is the process of making personal data inaccessible and non-reusable for the relevant employees.
All necessary technical and administrative measures are taken to ensure that the deleted personal data is not accessible and reusable for the relevant employees.
b) Destruction of personal data
Destruction of personal data is the process of making personal data inaccessible, unrecoverable, and unusable by anyone in any way.
The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data, and all technical and administrative measures are taken to make personal data inaccessible, unrecoverable, and unusable by anyone.
c) Anonymization of personal data
Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.
All kinds of technical and administrative measures are taken by Mars to anonymize your personal data, and it is anonymized by applying methods in accordance with our personal data retention and destruction policy.
8.3. Personal Data Recording Environments
Personal data recording environment refers to any environment where personal data is processed wholly or partially automatically or non-automatically provided that it is a part of any data recording system.
Personal data regarding the data subjects are stored securely by Mars in accordance with the relevant legislation, especially the provisions of the KVKK No. 6098, and within the framework of international data security principles, in the following data registers:
a) Technical recording media: Computer media, central servers, removable memories (USB, Memory Card etc.), information security devices and software.
b) Non-technical data recording media: Papers, manual data recording systems, written, printed and visual media.
8.4. Reasons for Disposal of Personal Data
Personal data related to data subjects by Mars are destroyed for such purposes and reasons including but not limited to;
8.5. Deletion, Destruction and Anonymization Techniques of Personal Data
The techniques for deletion, destruction or anonymization of personal data processed by Mars are shown below, and which of the techniques will be applied may vary depending on the nature of the personal data processed.
During the deletion, destruction or anonymization of personal data, necessary administrative and technical measures are taken, such as informing employees about information security and destruction processes, choosing the most appropriate method according to the nature of the data recording environment where personal data is kept, carrying out regular and periodic maintenance and follow-up studies regarding data security, using the most up-to-date destruction systems required in terms of technology and technique, giving automatic deletion commands, abolishing the access to deleted data and authorization to reuse and restore deleted data.
In this regard, it is first necessary to determine the personal data that is the subject of deletion, destruction or anonymization (1), to identify the relevant employees for each personal data using the access authorization and control matrix or a similar system (2), to determine the authorizations and methods of the relevant employees such as access, retrieval and reuse (3), and to close and eliminate the access, retrieval and reuse authorizations and methods of the relevant employees within the scope of personal data (4).
The procedure to delete personal data is as follows:
The procedure to destroy personal data is as follows:
The procedure followed in anonymizing personal data is as follows:
IX. RIGHTS OF THE PERSONAL DATA OWNER AND USE OF RIGHTS
9.1. Rights of the Personal Data Owner
In accordance with Law No. 6698, you have rights as data owner:
data are used in compliance with the purpose,
9.2. Use of Personal Data Owner’s Rights
As Personal Data owners, you may forward your requests regarding your rights to the address Gullu Sokak No:2 Levent, Beşiktaş/Istanbul or to connect@marsintgroup.com. Requests are submitted with the following information: name, surname and, if the application is written, signature; for citizens of the Republic of Turkey, T.C. identification number; for foreigners, nationality, passport number or identification number, if any; place of residence or workplace address for notification; e-mail address for notification, telephone and fax number; and the subject of the request. Requests may be made in writing, or through a registered e-mail (KEP) address, by using secure electronic signature, mobile signature or the e-mail address previously notified to Mars by the person concerned and registered in Mars’ system, by filling in the Data Subject Application Form published at www.marsintgroup.com, with the methods regulated in the data subject application procedure or by the methods specified in the Communiqué on the Procedures and Principles of Application to the Data Controller. If you forward it to the contact address, Mars will finalize the request free of charge as soon as possible and no later than thirty days after the notification, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by Mars.
9.3. Our Company’s Response to Applications
Depending on the nature of the application request, it is finalized by Mars as soon as possible. This period cannot exceed 30 days from the notification of your application to Mars. If additional information is requested due to the deficiencies and unclear explanations in your application, the response time will not run until the relevant additional information and documents are notified to us. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by Mars.
ANNEX – 1: Definitions
Explicit consent: means freely given, specific and informed consent,
Anonymization: means rendering personal data impossible to link with an identified or identifiable natural person, even when matched with other data,
Recipient group: means the natural or legal person category to which personal data is transferred by the data controller,
Direct identifiers: means identifiers that directly reveal, disclose, and distinguish the person with whom they are in a relationship,
Indirect identifiers: means identifiers that come together with other identifiers, revealing, disclosing, and making the person they are in a relationship distinguishable,
Data subject/owner: means the real person, whose personal data are processed,
User concerned: means natural or legal persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data,
Destruction: means deletion, destruction, or anonymization of personal data,
Law: means Law on Protection of Personal Data No. 6698, dated 24/3/2016,
Blackening: means processes such as scratching, painting, and icing all of the personal data in a way that cannot be associated with an identified or identifiable natural person,
Recording medium: means any medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system,
Personal data: means any information relating to an identified or identifiable natural person,
Processing of personal data: means all kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying by fully or partially automated or non-automatic means provided that it is a part of any data recording system.
Law on the Protection of Personal Data (“KVKK”): means the Law on the Protection of Personal Data No. 6698, which was published in the Official Gazette on April 7, 2016,
Board: means Personal Data Protection Board,
Institution: means Personal Data Protection Authority,
Data Processor: means the real or legal person who processes personal data on behalf of the data controller upon its authorization,
Data filing system: means the system where personal data are processed by being structured according to specific criteria,
Data Controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.