Policy of Personal Data Protection

IC GAYRİMENKUL YATIRIM ORTAKLIĞI ANONİM ŞİRKETİ
PERSONAL DATA PROCESSING AND PROTECTION POLICY

I. INTRODUCTION

The Personal Data Protection Law No. 6698 (“Law”) entered into force on 7 April 2016 and contains regulations regarding the processing of all kinds of information relating to “identified or identifiable” natural persons (“data subjects”). As IC Gayrimenkul Yatırım Ortaklığı Anonim Şirketi (“Company”), we attach the utmost importance to the lawful processing and protection of personal data as required by the Law, and we act with this diligence in all our planning and operations. With this awareness, our Company takes all administrative and technical measures for the protection and processing of personal data. The most significant component of this approach is the protection of the personal data of our Job Applicants, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders and Officers of the Institutions with which we cooperate, and Third Parties; this process is managed according to this Personal Data Processing and Protection Policy (“Policy”).

According to Article 20 of the Constitution, everyone has the right to request the protection of their personal data. As the protection of personal data is a constitutional right, our Company exercises the necessary diligence regarding the protection of the personal data of our Job Applicants, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders and Officers of the Institutions with which we cooperate, and Third Parties, which is managed under this Policy, and our Company incorporates this diligence into a corporate policy.

This Policy provides detailed explanations regarding the fundamental principles adopted by the Company in the processing of personal data, which are listed below:

  • Processing personal data in compliance with the law and the principles of good faith,
  • Ensuring that personal data are accurate and, where necessary, kept up to date,
  • Processing personal data for specific, explicit, and legitimate purposes,
  • Processing personal data in a manner that is relevant, limited, and proportionate to the purposes for which they are processed,
  • Retaining personal data for the period prescribed under the applicable legislation or for the period required for the purposes for which they are processed,
  • Informing data subjects and providing clarification to them,
  • Establishing the necessary system to enable data subjects to exercise their rights,
  • Taking the necessary measures to ensure the security of personal data,
  • Complying with the applicable legislation and the regulations of the Personal Data Protection Board (“Board”) when transferring personal data to third parties in line with the requirements of the processing purpose,
  • Exercising due diligence in the processing and protection of sensitive personal data.

1. The Purpose of the Policy

The purpose of this Policy is to inform data subjects (primarily our Job Applicants, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders and Officers of the Institutions with which we cooperate, and Third Parties) regarding the procedures and principles to be followed by our Company in compliance with the Constitution, International Conventions, Law, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the Regulation on the Deletion, Destruction or Anonymization of Personal Data (“Regulation”), and other applicable legislation, which form the legal basis of our Personal Data Processing and Retention/Destruction Policy.

This Policy also aims to set forth, in line with the purpose of the Law, the procedures and principles applicable to the processing and protection of personal data, as well as the deletion, destruction, and anonymization of processed personal data, and to ensure the utmost protection of individuals’ fundamental rights and freedoms, in particular the right to privacy regulated under Article 20 of the Constitution.

In line with the purpose of the Policy, our Company aims to ensure full compliance with the applicable legislation in all personal data processing and protection activities carried out, and to safeguard data subjects’ rights to privacy and data security.

2. Scope of the Policy

This Policy applies to all personal data of our Job Applicants, Company Shareholders, Company Officers, Visitors, and the Employees, Shareholders and Officers of the Institutions with which we cooperate and Third Parties, that are processed through automated means or through non-automated means provided that they form part of a data recording system. Accordingly, all provisions of this Policy may apply to the data subjects listed above, or only certain provisions may apply depending on the circumstances.

3. Implementation of the Policy and the Applicable Legislation

This Policy has been prepared by concretizing and structuring the rules set out under the applicable legislation within the framework of our Company’s practices. In this regard, the legal provisions in force concerning the processing and protection of personal data shall primarily apply. In the event of any inconsistency between the applicable legislation and this Policy, our Company acknowledges that the provisions of the legislation in force shall prevail. As a company, we are implementing the necessary systems and preparations to act in accordance with the validity periods stipulated in the Law.

4. Enforcement of the Policy

The Policy has been prepared and entered into force by our Company. The policy is published on our Company's website at https://www.icgyo.com.tr/en/policy-of-personel-dara-protection

II. PROTECTION OF PERSONAL DATA

In order to ensure data security, our Company takes the following measures and precautions as required by Article 12 of the Law.

1. Security

Our Company takes all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful access to and unlawful processing of personal data, and to ensure the safe storage of personal data, in compliance with the Law.

2. Audit

Our Company conducts and commissions necessary audits to ensure the establishment, regularity, and continuity of the data security measures described above. In this context, an internal team composed of representatives from the HR, IT, and Legal departments has been established, and external support is also obtained where necessary.

3. Confidentiality

Our Company takes all necessary technical and administrative measures, taking into account technological capabilities and implementation costs, to ensure that relevant data controllers and data processors do not disclose personal data to third parties or use such data for purposes other than processing, in violation of the Law and this Policy. In this regard, our employees are provided with information and training regarding the Law and the Policy.

4. Unauthorized Access to Personal Data

In the event that personal data processed by our Company are obtained by third parties through unlawful means, our Company takes the necessary steps to notify the data subject and the Board as soon as possible. Where deemed necessary by the Board, such incident may be announced on the Board’s website or through another method deemed appropriate by the Board.

5. Protection of the Legal Rights of Data Subjects

Our Company respects all legal rights of data subjects in connection with the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

6. Protection of Sensitive Personal Data

According to Article 6 of the Law, personal data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are deemed sensitive personal data. Sensitive data are those which carry the risk of causing discrimination or victimisation if processed and therefore must be protected under significantly stricter conditions compared to other types of personal data.

For this reason, although the principal approach of our Company is to refrain from collecting such data, all necessary measures are taken with the utmost diligence to ensure the protection of sensitive personal data when they are processed lawfully.

III. PROCESSING AND TRANSFER OF PERSONAL DATA

1. General Principles for the Processing of Personal Data

Personal data is processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. When processing personal data, our Company acts in accordance with the following principles regulated by Article 4 of the Law.

a. Processing in Compliance with the Law and the Principles of Good Faith

Our Company processes personal data in accordance with the relevant legislation and the requirements of the principle of good faith and uses such data within these limits. In this context, our Company considers the interests and reasonable expectations of the data subject when processing personal data and ensures that the processing activity is transparent for the data subject.

b. Being Accurate and Where Necessary, Up to Date

Our Company ensures that the personal data it processes are accurate and, where necessary, kept up to date, taking into consideration the fundamental rights and legitimate interests of data subjects. To this end, our Company carefully considers matters such as the identification of the sources from which personal data are obtained, verification of their accuracy, and assessment of whether updates are needed. Our Company keeps the necessary channels open to allow data subjects to ensure that their information remains accurate and up to date.

c. Processing for Specific, Explicit and Legitimate Purposes

Our Company processes personal data for legitimate purposes and shares with data subjects the data processing purposes that are clearly and explicitly determined. A legitimate purpose means that the personal data processed by our Company are related to and necessary for the work it performs or the services it provides. In the clarifications provided to data subjects and in the explicit consents obtained from them, the purposes for which personal data are processed are clearly and unambiguously stated.

d. Being Relevant, Limited and Proportionate to the Purposes for Which They Are Processed

Our Company ensures that the personal data processed are suitable for achieving the purposes determined, and does not process personal data that are not related to or not necessary for achieving such purposes. In this regard, our Company does not engage in personal data processing activities for the purpose of meeting potential future needs.

e. Being Retained for the Period Prescribed in the Relevant Legislation or for the Period Necessary for the Purposes for Which They Are Processed

Our Company complies with the retention periods stipulated under the relevant legislation where such periods exist; otherwise, personal data are retained only for the period necessary for the purposes for which they are processed. The retention period of personal data varies depending on the nature of the work or service carried out by our Company, or the nature of the personal data obtained. In cases where all conditions for the processing of a personal data item no longer exist, such personal data are destroyed during the first six-month periodic destruction period following the date on which the obligation to destroy the data arises.

2. Conditions for the Processing of Personal Data

The explicit consent of the data subject is one of the legal grounds that allows the lawful processing of personal data. In addition to explicit consent, personal data may also be processed where any of the other conditions listed below are present. The legal basis for a personal data processing activity may consist of only one of the conditions set out below, or more than one of these conditions may apply to the same processing activity.

a. Explicit Consent

Where the personal data of a data subject are not processed on the basis of any other legal ground, such data are processed on the basis of the data subject’s explicit consent. Data subjects are informed about which of their personal data are processed, for which purposes and on what legal grounds their personal data are processed, from which sources such data are collected, with whom these personal data will be shared, and how they will be used, and their explicit consent is obtained accordingly.

b. Explicitly Provided for by Law

Our Company may process the personal data of data subjects without their explicit consent in cases expressly provided for by law. For example, the processing of our Employees’ personal data pursuant to Labour Law legislation shall be considered within this scope.

c. Situations Where the Data Subject Is Unable to Give Consent Due to Actual Impossibility or Where Consent Is Not Legally Valid, and the Processing Is Mandatory for the Protection of the Life or Physical Integrity of the Data Subject or Another Person

In cases where the data subject is unable to declare their consent due to an actual impossibility, or where the consent declared is not legally valid, our Company may process personal data without explicit consent if such processing is mandatory for the protection of the life or physical integrity of the data subject or another person.

For example, where an individual is unconscious or where their consent is not valid due to a mental incapacity, personal data may be processed during a medical intervention for the purpose of protecting the individual’s life or physical integrity. Similarly, the personal data of a person whose liberty has been restricted may be processed through their phone, computer or other technical device in order to determine their location; such processing does not require the explicit consent of the data subject.

d. Processing of Personal Data Belonging to the Parties of a Contract, Provided That It Is Necessary for the Establishment or Performance of a Contract

Our Company may process personal data in connection with the establishment or performance of a contract. For example, pursuant to a contract, the bank account number of the creditor may be collected in order to make a payment.

e. Processing Is Mandatory for Our Company to Fulfil Its Legal Obligations

Where the processing of personal data is mandatory for our Company to fulfil its legal obligations, the necessary personal data may be processed without obtaining the explicit consent of data subjects. For instance, during a tax audit, information belonging to our employees or customers may be submitted for review by the relevant public officials.

f. Personal Data Made Public by the Data Subject

Personal data that have been made public by the data subject — in other words, disclosed to the public by any means and thereby made accessible to everyone — may be processed by our Company on the basis that the legal interest requiring protection is deemed to have ceased.

g. Processing Is Mandatory for the Establishment, Exercise, or Protection of a Right

Our Company may process the personal data of data subjects without explicit consent where such processing is mandatory for the establishment, exercise, or protection of a legally legitimate right.

h. Processing Is Mandatory for the Legitimate Interests of Our Company, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Subject

Our Company may process personal data where it is mandatory for the pursuit of its legitimate interests, provided that such processing does not harm the fundamental rights and freedoms of data subjects protected under the Law and this Policy. In this context, our Company exercises due diligence to comply with the fundamental principles of personal data protection and to maintain the balance of interests between the data subjects and the Company.

3. Conditions for the Processing of Sensitive Personal Data

Our Company does not process sensitive personal data unless this is required, and does not do so without the explicit consent of the data subject. However, sensitive personal data other than those relating to health and sexual life may be processed without the explicit consent of the data subject in cases expressly provided for by law.

Personal data relating to health may be processed by our Company without explicit consent only for the purposes of protecting public health, conducting medical diagnosis, treatment and care services, and managing such services, and only under circumstances in which we are subject to a duty of confidentiality.

Our Company carries out the necessary procedures to ensure that the adequate precautions determined by the Board are implemented in the processing of sensitive personal data.

4. Conditions for the Transfer of Personal Data Abroad

In line with its personal data processing purposes and by taking the necessary security measures, our Company may transfer the personal data and sensitive personal data of data subjects to third parties located abroad.

In accordance with Article 9 of the Law, personal data may be transferred by our Company to foreign countries that are declared by the Board to provide an adequate level of protection or, in cases where adequate protection is not available, to foreign countries where the data controllers in Türkiye and in the relevant foreign country provide a written undertaking of adequate protection and where the Board grants approval.

IV. METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA, CATEGORIZATION OF PERSONAL DATA, PURPOSE OF PROCESSING AND TRANSFER, AND RECIPIENT GROUPS

1. Method and Legal Basis for Collecting Personal Data

Personal data are collected through verbal, written, or electronic means; through technical or other methods; via various channels such as our Company’s website; and for the purposes set out in this Policy. Personal data are collected within the framework of the legal grounds arising from legislation, contracts, requests, or demands, to fully and accurately fulfil the obligations arising from law, and are processed by our Company or by data processors authorized by our Company.

2. Classification of Personal Data

Identity Information: Personal data relating to an individual’s identity, such as name–surname, Turkish Republic identification number, marital status, nationality, parents’ names, place and date of birth, gender, and other identity details; and documents containing such information, including driver’s licence, identity card, passport, title deed, and similar documents, as well as tax identification number, social security number, signature information, vehicle plate number, and other related data.

Contact Information: Telephone numbers (home, work, etc.), address, e-mail address, fax number, IP address, and other similar information.

Transaction Security Information: Personal data processed in connection with the technical, administrative, legal, and commercial security of both the data subject and the Company during the conduct of the Company’s activities. For example, internet username and password.

Financial Information: Personal data relating to information, documents, and records that reflect any financial outcome arising from the employment relationship established between the Company and the data subject; as well as bank account number, branch code, bank card information, IBAN number, credit card information, financial profile, credit score, asset data, income information, and other similar information.

Visual and Audio Information: Photographs and camera recordings, audio recordings, and any other personal data contained in such visual or audio materials.

Personnel Information: All personal data processed for the purpose of obtaining information necessary to ensure the protection of the personnel rights of natural persons who are in an employment relationship with the Company.

Location Information: Data identifying the geographical location of the data subject while using vehicles belonging to the Company, the Company’s group companies, or business partners within the scope of their operations and activities; travel data and other related information.

Family Members and Relatives Information: Identity and contact information — as defined above — relating to the data subject’s family members (e.g., spouse, mother, father, child), relatives, and other persons to be contacted in emergencies, processed within the scope of the activities and operations of the Company, the Company’s group companies, or cooperating institutions, or for the purpose of protecting the legal and other interests of the Company and the data subject.

Physical Location Security Information: Personal data relating to records and documents obtained during entry into a physical location and during the data subject’s presence within such location; including camera recordings, records taken at security checkpoints, and other related data.

Legal Transaction Information: Personal data processed within the scope of establishing, exercising, or protecting the Company’s legal claims and rights, fulfilling its obligations, and performing its legal liabilities.

Sensitive Personal Data: Personal data specified under Article 6 of the Law, including data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or trade-union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Request/Complaint Management Information: Personal data relating to the receipt and evaluation of requests or complaints submitted to our Company.

3. Purposes of Processing Personal Data

Our Company processes personal data in accordance with the provisions of the applicable legislation for the purposes of providing our services and improving their quality; carrying out activities prescribed and/or exempted by public authorities; fulfilling the activities of the Company and/or the Group Companies; complying with data retention, reporting and clarification obligations; ensuring the effective planning and implementation of our human resources policies; accurately planning and executing our commercial partnerships and strategies; ensuring the legal, commercial and physical security of our Company and our business partners; and maintaining the corporate functioning of our Company. In addition, personal data are processed for the purposes of enabling visits to our Company, ensuring security and the protection of legitimate interests in connection with such visits, providing our Company’s products and services, establishing communication regarding the products and services you receive or will receive, and conducting marketing activities. Personal data may also be processed to offer products/services, to perform modelling, reporting, scoring, risk monitoring, development of existing or new products, identification of potential customers, to provide services relating to the business activities of our Company and to improve the quality of such services, to fulfil our clarification obligations, to develop the services offered on our Company’s website, to communicate with individuals who submit requests or complaints to our Company, and to resolve errors occurring on our Company’s website. 
Your personal data are processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to these purposes.

4. Purposes of Transferring Personal Data

Your personal data are transferred for the purposes of ensuring the effective planning and implementation of our human resources policies; accurately planning and executing our commercial partnerships and strategies; ensuring the legal, commercial, and physical security of our Company and our business partners; maintaining the corporate functioning of our Company; carrying out activities to enable you to benefit from the products and services offered by our Company in the best possible manner; customising and recommending the products and services offered by our Company in line with your demands, needs, and preferences; ensuring the highest level of data security; creating databases; developing the services offered on our Company’s website; communicating with individuals who submit requests or complaints to our Company; and remedying errors occurring on our Company’s website. Personal data are transferred solely for these purposes and within the scope of the conditions for transfer set out under Articles 8 and 9 of the Law.

5. Persons to Whom Personal Data Will Be Transferred

Your personal data may be transferred by our Company to our business partners, suppliers, group companies, affiliates, companies and institutions with which we cooperate, and to third-party service providers from which we receive external support (e.g., in the fields of security, health, occupational safety, legal services, etc.) for the purpose of fulfilling our contractual or legal obligations, as well as to authorised institutions and organisations. Within this scope, our Company ensures, to the highest degree, that the transfer of your personal data among the relevant units complies with the Law.

V. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA

1. Technical Measures

The Company exercises the utmost care and diligence to ensure the secure storage of personal data and to prevent their unlawful processing and access. In accordance with Article 12 of the Law, the applicable regulations, the general principles listed above, and the relevant Regulation and Board decisions, the Company takes the necessary technical and administrative measures based on technological capabilities and implementation costs. The main technical measures taken by the Company to ensure the secure storage of personal data are as follows:

  • Systems compatible with technological advancements are used to ensure the secure storage of personal data.
  • Personnel with technical expertise are employed.
  • Technical security systems are established for storage environments; implemented measures are reported internally as part of internal controls; risks are re-evaluated, and necessary technological solutions are developed.
  • Legally compliant backup programs are used to ensure the secure storage of personal data.
  • Work continues regarding logging access to data storage environments, and logging is performed in parts of the system.
  • Through information security incident management, risks and threats that may affect the continuity of IT systems are continuously monitored via real-time analyses.
  • Access to IT systems and user authorisation is performed through an access and authorisation matrix and through security policies implemented over the corporate active directory.
  • Necessary precautions are taken to ensure the physical security of the Company’s IT equipment, software, and data.
  • To ensure the security of IT systems against environmental threats, both hardware-based measures (such as access control systems ensuring only authorised personnel can enter the server room, 24/7 monitoring systems, the physical security of edge switches forming the local area network, fire extinguishing systems, climate control, etc.) and software-based measures (such as firewalls, intrusion prevention systems, network access control, anti-malware systems, etc.) are implemented.
  • Access instructions are established within the Company, and reporting and analysis activities regarding access to personal data are conducted.
  • Access to storage environments containing personal data is logged, and inappropriate access or access attempts are monitored.
  • The Company takes necessary measures to ensure that deleted personal data are inaccessible and cannot be reused by relevant users.
  • A system and infrastructure have been established by the Company to notify the data subject and the Board in the event that personal data are unlawfully obtained by third parties.
  • Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up to date.
  • Strong passwords are used in electronic environments where personal data are processed.
  • Secure logging systems are used in electronic environments where personal data are processed.
  • Data backup programs ensuring the secure storage of personal data are used.
  • Access to personal data stored in electronic or non-electronic environments is restricted based on access principles.
  • Employees involved in the processing of sensitive personal data receive sensitive data security training, confidentiality agreements are executed, and user authorisations are defined for those granted access to such data.
  • Electronic environments in which sensitive personal data are processed, stored and/or accessed are protected using cryptographic methods; cryptographic keys are kept in secure environments; logging of all transactions is carried out in parts of the system; security updates of the environments are continuously monitored; and necessary security tests are performed or commissioned on a regular basis, with the results recorded.
  • Adequate physical security measures are taken for physical environments in which sensitive personal data are processed, stored and/or accessed; physical security is ensured to prevent unauthorised entry and exit.

2. Administrative Measures

The main administrative measures taken by the Company to ensure the secure storage of personal data are as follows:

  • Employees receive training to enhance their competencies regarding the prevention of unlawful processing of personal data, the prevention of unlawful access to personal data, the secure storage of personal data, communication techniques, technical knowledge and skills, and the applicable legislation.
  • When external services are procured for technical reasons relating to the storage or processing of personal data, the contracts executed with such service providers include provisions requiring them to take the necessary security measures to protect personal data and to ensure compliance with these measures within their own organisations; and/or Data Transfer Undertakings are executed with these parties.
  • Employees are required to sign confidentiality agreements regarding activities carried out within the Company.
  • Prior to commencing any personal data processing activity, the Company fulfils its obligation to inform data subjects.
  • A personal data processing inventory has been prepared.
  • Periodic and random internal audits are conducted.
  • Employees receive information security training.
  • All activities carried out by the Company are analysed in detail on a departmental basis, and the personal data processing activities specific to each department are identified through this analysis.
  • For each department’s personal data processing activities, the requirements necessary to ensure compliance with the personal data processing conditions under the Law are determined in detail.
  • Awareness is raised within relevant departments regarding the legal compliance requirements identified on a departmental basis, and implementation rules are established; the necessary administrative measures are put into effect through internal policies and training to ensure the continuity and monitoring of compliance.
  • Provisions imposing obligations not to process, disclose, or use personal data — except in cases permitted under the Company’s policies, procedures, work instructions, or statutory exemptions — are incorporated into the agreements and documents governing the legal relationship between the Company and its employees; employee awareness is ensured, and compliance is monitored through audits.

VI. PERSONAL DATA DESTRUCTION POLICY AND RETENTION PERIODS

1. Deletion, Destruction or Anonymisation of Personal Data

Without prejudice to the provisions contained in other laws regarding the deletion, destruction, or anonymisation of personal data, our Company deletes, destroys, or anonymises personal data ex officio or upon the request of the data subject when the reasons requiring their processing no longer exist, even if such data have been processed in compliance with the relevant legislation. This obligation is carried out in accordance with Article 138 of the Turkish Criminal Code No. 5237, Article 7 of the Law, and the provisions of the Regulation published in the Official Gazette dated 28 October 2017.

Pursuant to Article 7 titled “Principles” of the Regulation, all transactions relating to the deletion, destruction, or anonymisation of personal data are recorded by our Company, and such records are retained for a minimum of three years, without prejudice to our other legal obligations.

Personal data are rendered completely inaccessible and irretrievable for relevant users upon deletion. Accordingly, as the data controller, our Company takes all necessary technical and administrative measures to ensure that deleted personal data cannot be accessed or reused by relevant users.

Destruction of data refers to rendering the information permanently inaccessible and unusable by destroying the materials in which the data are stored—such as documents, files, CDs, diskettes, hard disks, and other data-storage media—in a manner that makes recovery impossible.

Anonymisation of data refers to the process of rendering personal data impossible to associate with an identified or identifiable natural person, even when such data are matched with other datasets.

2. Techniques for Deletion, Destruction and Anonymisation of Personal Data

a. Techniques for Deletion and Destruction of Personal Data

If the reasons requiring the processing of personal data no longer exist, despite the data having been processed in accordance with the relevant provisions of the law, our Company may delete or destroy such personal data either on its own initiative or upon the request of the data subject.

The following methods may be used by our Company for deletion and destruction:

  • Physical Destruction: Personal data may also be processed by our Company through non-automated means, provided that they form part of a data recording system. When such data are destroyed, the method applied ensures that the data are physically destroyed in a manner that makes them permanently inaccessible, unusable, and irrecoverable by anyone.
  • Secure Deletion by a Specialist: In certain cases, our Company may engage a specialist to destroy personal data on its behalf. In such cases, personal data may be securely destroyed by an expert who is professionally competent in this field.

b. Techniques for Anonymising Personal Data

The anonymisation of personal data means that personal data cannot be associated with any identified or identifiable natural person, even if it is matched with other data. In accordance with Article 28 of the Law, anonymised personal data may be processed for purposes such as research, planning, and statistics. Such processing activities fall outside the scope of the Law, and therefore the explicit consent of the data subject is not required. The anonymisation techniques specified by the Personal Data Protection Authority may be used for these processing activities.

3. Retention and Periodic Destruction Periods for Personal Data

Our Company retains personal data for the periods prescribed in the applicable laws and other relevant legislation. If no retention period is stipulated in the laws or other legislation, personal data are processed for the duration necessary to fulfil the purpose of processing within the scope of the activity carried out at the time the personal data are processed. Such data are deleted, destroyed, or anonymised on the first periodic destruction date following the date on which the obligation to destroy the data arises.

Our Company has designated 15–30 January and 15–30 June as periodic destruction periods for the purpose of destroying personal data for which the processing purpose no longer exists. During these periods, personal data for which the reasons requiring processing no longer exist shall be destroyed automatically, semi-automatically, or manually.

VII. INFORMATION REGARDING THE PROCESSING OF PERSONAL DATA AND THE RIGHTS OF THE DATA SUBJECT UNDER THE LAW

1. Clarification of the Data Subject

Our Company, in accordance with Article 10 of the Law and the provisions of the Communiqué on the Principles and Procedures to Be Followed in Fulfilling the Clarification Obligation published in the Official Gazette on 10.03.2018, provides clarification to data subjects at the time personal data are obtained. Within this scope, and as stated above, the Company clarifies, where applicable, the identity of the Company representative, the purposes for which personal data will be processed, the persons to whom and the purposes for which the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of the data subject.

2. The Rights of the Data Subject Under the Law

Our Company, in accordance with Article 11 of the Law and the provisions of the Communiqué on the Principles and Procedures of Application to the Data Controller published in the Official Gazette on 10.03.2018, informs you of your rights, provides guidance on how such rights may be exercised, and implements the necessary internal processes and administrative and technical arrangements for this purpose. Pursuant to Article 11 of the Law, our Company informs data subjects that they have the right to:

  • learn whether their personal data are being processed;
  • request information if their personal data have been processed;
  • learn the purpose of the processing of their personal data and whether such data are being used in compliance with the stated purpose;
  • learn the third parties, in Türkiye or abroad, to whom personal data are transferred;
  • request the rectification of personal data that are incomplete or inaccurate;
  • request the deletion or destruction of personal data within the framework of the conditions set forth in Article 7 of the Law;
  • request that the actions carried out pursuant to subparagraphs (d) and (e) of Article 11 be notified to the third parties to whom personal data have been transferred;
  • object to a result that is to their detriment arising from the analysis of processed data exclusively through automated systems;
  • request compensation for damages in the event they suffer harm due to the unlawful processing of personal data.

You may submit your requests regarding the implementation of the Law by using the Personal Data Protection Law Data Subject Application Form, which can be accessed at https://www.icgyo.com.tr/en/pdpl-application-form, and by following the methods described therein. Pursuant to Article 13/2 of the Law, our Company shall conclude the requests submitted to it, depending on the nature of the request, as soon as possible and within thirty days at the latest, free of charge. However, if the action in question requires an additional cost, the fee set forth in the tariff determined by the Authority may be collected.

Our Company may accept your request or reject it by providing its justification and shall notify you of its response in writing or in electronic form. In cases where your request is rejected, where you find our response insufficient, or where no response is provided within the statutory period, you have the right to lodge a complaint with the Board within thirty days from the date you learn of our response, and in any event within sixty days from the date of your application.

VIII. CASES WHERE THE POLICY AND THE LAW SHALL NOT BE FULLY OR PARTIALLY APPLICABLE

Pursuant to Article 28/1 of the Law, the provisions of this Policy and the Law shall not apply in the following cases:

  • Processing of personal data by natural persons exclusively within the scope of activities related to themselves or their family members living in the same residence, provided that the personal data are not disclosed to third parties and the obligations relating to data security are complied with.
  • Processing of personal data for purposes such as research, planning and statistics, by anonymising them and ensuring that they are used solely for official statistical purposes.
  • Processing of personal data for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defence, national security, public security, public order, economic security, privacy of private life or personality rights, and does not constitute a criminal offence.
  • Processing of personal data within the scope of preventive, protective or intelligence activities carried out by public institutions and organizations that have been granted duties and powers by law for the purpose of ensuring national defence, national security, public security, public order or economic security.
  • Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution procedures. 

Provided that it is proportionate and in line with the purpose and fundamental principles of this Policy and the Law, the provisions regulating the data controller’s obligation to clarify (Article 10), the data subject’s rights, excluding the right to request compensation for damages (Article 11), and the obligation to register with the Data Controllers’ Registry (Article 16) shall not apply in the following cases pursuant to Article 28/2 of the Law:

  • Where the processing of personal data is necessary for the prevention of a crime or for a criminal investigation.
  • Where the personal data processed are made public by the data subject themselves.
  • Where the processing of personal data is necessary for the execution of supervisory or regulatory duties, or for disciplinary investigation or prosecution, by public institutions and organizations, or professional organizations having the status of public institutions, based on the authority granted by law.
  • Where the processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, fiscal or financial matters.

IX. CLASSIFICATION OF DATA SUBJECT AND MATCHING WITH PERSONAL DATA

1. Classification of Data Subject

Pursuant to Article 3 of the Law, only natural persons may benefit from the protection provided under this Policy and the Law. In this context, data subjects are grouped as follows:

Employee Candidate: Natural persons who have applied for a job at our Company through any method, or who have made their resumes and related information available for our Company’s review. 

Group Company Customer: Natural persons whose personal data are obtained through IC Gayrimenkul Yatırım Ortaklığı A.Ş.

Company Business Partner, Business Partner’s Shareholder, Representative or Employee: All natural persons who are in any form of business relationship with our Company, including the employees, shareholders and authorized representatives of natural or legal persons (such as business partners or suppliers) with whom our Company has a business relationship. 

Company Customer: Natural persons who use or have used the products or services offered by our Company, regardless of whether they have any contractual relationship with the Company. 

Potential Customer: Natural persons who have expressed interest in or requested to use our products and services, or who are reasonably assessed—pursuant to commercial practices and the principle of good faith—to potentially have such interest.

Company Employee: Natural persons employed within IC Gayrimenkul Yatırım Ortaklığı A.Ş. and its affiliated companies.

Company Shareholder: Persons who are shareholders of IC Gayrimenkul Yatırım Ortaklığı A.Ş. and its affiliated companies.

Company Representative: Members of the board of directors and other authorized representatives of IC Gayrimenkul Yatırım Ortaklığı A.Ş. and its affiliated companies.

Third Person: Natural persons who do not fall within the scope of the IC Gayrimenkul Yatırım Ortaklığı A.Ş. Policy and who are not included under any other data subject category defined in this Policy. 

Visitor: All natural persons who enter the physical premises owned by our Company for various purposes, or who visit our websites for any purpose.

2. Matching of Personal Data with Data Subjects, Data Controller and Data Processors

The categorised personal data defined above are matched with the corresponding groups of data subjects as set out below.

Data Category: Identity information
Content of the Data: All information contained in documents such as driver's licence, identity card, certificate of residence, passport, attorney ID, marriage certificate, etc., which clearly belong to an identified or identifiable natural person and are processed wholly or partially by automated means or non-automated means forming part of a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Data Category: Contact information
Content of the Data: Information such as telephone number, address, and e-mail address that clearly belong to an identified or identifiable natural person and are processed wholly or partially by automated means or non-automated means forming part of a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Data Category: Customer information
Content of the Data: Information obtained regarding the data subject as a customer representative or employee within the scope of our commercial activities and the operations carried out by our business units, including any information belonging to an identified or identifiable natural person and processed wholly or partially by automated means or non-automated means forming part of a data recording system (such as customer number)
Data Subject: Potential Customer; Customer; Visitor; Third Persons.

Data Category: Customer transaction information
Content of the Data: Records of the use of our products and services, as well as instructions and requests of customers required for the use of such products and services, belonging to an identified or identifiable natural person and stored within a data recording system
Data Subject: Potential Customer; Customer; Visitor; Third Persons.

Data Category: Physical space security information
Content of the Data: Personal data collected during entry into physical premises or during the period spent inside such premises (such as entry–exit logs, visitor records), belonging to an identified or identifiable natural person and stored within a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Data Category: Transaction security information
Content of the Data: Personal data processed to ensure fulfilment of our technical, administrative, legal, and commercial obligations in the course of conducting our commercial activities (such as website passwords or credential information), belonging to an identified or identifiable natural person and stored within a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Data Category: Risk management information
Content of the Data: Personal data processed to enable us to manage our commercial, technical and administrative risks, collected through methods commonly accepted in these fields and in line with legal requirements, commercial practices, and the principle of good faith, belonging to an identified or identifiable natural person and stored within a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Data Category: Financial information
Content of the Data: Personal data belonging to the customer representative or employee relating to any financial results, documents, and records of the customer, which clearly belong to an identified or identifiable natural person and are processed wholly or partially by automated means or by non-automated means forming part of a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Data Category: Personnel information
Content of the Data: Any personal data processed for the purpose of establishing information that forms the basis of employment rights of natural persons who have an employment relationship with the Company, clearly belonging to an identified or identifiable natural person, processed wholly or partially by automated means or by non-automated means forming part of a data recording system
Data Subject: Company Business Partner, Business Partner’s Representative or Employee; Employee Candidate; Third Persons.

Data Category: Location information
Content of the Data: Information identifying the geographical location of a natural person during the use of the Company’s products and services or during the use of Company vehicles by employees of institutions with whom we cooperate (such as GPS location, travel data), processed wholly or partially by automated means or non-automated means forming part of a data recording system
Data Subject: Company Shareholders, Representatives, Employees, Business Partners, Business Partner’s Shareholders, Representatives, Employees.

Data Category: Sensitive Personal Data
Content of the Data: Data relating to a natural person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, attire, association/foundation/trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, which clearly belong to an identified or identifiable natural person and are processed wholly or partially by automated means or by non-automated means forming part of a data recording system
Data Subject: Company Shareholder; Company Representative; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Business Partner’s Shareholder, Representative or Employee; Employee Candidate; Visitor; Third Persons.

Pursuant to Article 6 of the Regulation, the titles, departments and the duties assigned under the Personal Data Protection Law of the individuals involved in the storage and destruction processes of personal data within our Company are set out below.

Data Processing Unit: Human Resources Department / Personnel Directorate
Description of Duties:

  • Conducting interviews with Employee Candidates,
  • Retaining employment contracts executed with Company Employees and maintaining Employees’ personnel files,
  • Preparing the internal personnel regulations of the Company and delivering them to Employees.

Data Processing Unit: Purchasing Department
Description of Duties:

  • Purchasing the products and services needed by the Company in line with the Company’s objectives.

Data Processing Unit: Legal Department
Description of Duties:

  • Ensuring the legal infrastructure required for the Company’s operations and business processes,
  • Carrying out procedures relating to legal disputes concerning the Company.

Data Processing Unit: Information Technologies Department
Description of Duties:

  • Taking necessary measures to ensure the security of devices used within the Company,
  • Carrying out maintenance and repair processes for devices and, in particular, software used,
  • Managing remote access authorizations for devices, software and databases,
  • Providing, managing, controlling and supervising access to devices, software and databases by contractors within the scope of agreements for maintenance, updates, integration and repairs,
  • Managing VPN routing and authorizations,
  • Intervening in electronic devices.

Data Processing Unit: Finance Department
Description of Duties:

  • Recording salary information and payment details required to be known within the scope of Employees’ employment rights,
  • Recording expenditure information related to the Company’s operations.