SKYLAND ISTANBUL LAW ON THE PROTECTION OF PERSONAL DATA

1. AIM OF THE PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

By force of legal and social responsibility, SKYLAND ISTANBUL accepts and undertakes to act in accordance with the legal regulations and international standards. For SKYLAND ISTANBUL(hereinafter referred to as “Company”) ensuring data protection constitutes the basis of a confidential business relation and Company reputation.

2. THE SCOPE AND AMENDMENT OF THE PROTECTION AND PROCESSING OF PERSONAL DATA POLICY

This Protection and Processing of Personal Data Policy includes together with the statements of the Clarification Text ( statements carried out in order to fulfil the liability to clarification on data collection channels) the processing of all personal data. Anonymized data for purposes such as statistical assessments or researches are not subject to this Protection and Processing of Personal Data Policy.

This Protection and Processing of Personal Data Policy has been drawn in accordance to the Law no. 6698 on the Protection of Personal Data (“KVKK”) dated April 7th, 2016.

This policy concerns the personal data of our customers, potential customers, candidate employees, employees, employees, shareholders and authorities of partner institutions and of third persons, whether these are automatically processed or non-automatically processed on the condition that they are part of a data recording system.

This Policy on The Protection and Processing of Personal Data is dated October 7th, 2016. In case the whole or certain articles of the Policy are amended, the effective date and the version of the Policy will be updated. The Policy shall be published on the official internet site of our Company and upon request from personal data owners, be presented to the access of those related persons.

3. BASIC RULES REGARDING THE PROCESSING OF PERSONAL DATA

a. Compliance to the Law and to the rules of correctness
In case of processing personal data, the rights of the persons in question shall be protected. Personal data shall be collected and processed equitably and in compliance to the Law.

b. Ad hoc limitations
Personal data shall only be processed for the purpose defined before collection thereof. Additions and alterations of purpose shall only be possible with justification and on a limited scale.

c. Transparency and clarification
The related person shall be informed regarding the use of his/her own data. Personal data is generally collected directly from the person. When data are collected, the related person shall be aware of or informed about the articles below:

d. Data reduction and data economy
Before processing the personal data, it shall be determined whether such process is necessary in order to reach the aim or to what extent such process is necessary. In cases where the aim is acceptable and balanced, statistical data may be used.

e. Purging the personal data
Data which is no longer necessary, including record keeping obligations and recording procedures necessary for substantiation may be deleted, purged or anonymized, after legal or business process related term is over.

f. Correctness and actualness of the data
Personal data on the file shall be held actual in case it is correct, complete and known. Appropriate measures to delete, correct, complete or actualize incomplete or missing data are taken by the Company.

g. Confidentiality and data security
Personal data is subject to confidentiality. In order to prevent unauthorized access, illegal operations, sharing, accidental disappearance, change or damage, it shall be protected by appropriate organizational and technical measures and be held confidential on a personal basis.

4. AIMS OF DATA PROCESSING

The Clarification Text on the Collection and Processing of Personal Data shall be effectuated within the belowmentioned aims.

5. CUSTOMER AND BUSINESS PARTNERS DATA

a. Data processing for contractual relations
Personal data belonging to a customer (customer and potential customers) or a partner ( in case partner is a legal entity, to its representative or to its officers) may be processed in order to draw up, to administer or to terminate a contract. Prior to the contract or at the starting phase of the contract, personal data may be processed on the purpose of shopping center and thus customer security, ensuring customer satisfaction, executing contractual acts in accordance to their aim and to the law and meeting contractual requirements. During the process of contract preparation, communication may be established with the data owners in light of the information they provided.

b. Data processing with the aim of advertisement and information
If the data owner requests information from the Company his personal data may be processed in order to meet this request.
Personal data may be processed for advertisements or for market and opinion research only in case the aim of collecting this data is in accordance to the aforesaid aims. The data owner shall be informed regarding the use of his data for advertisement purposes. In case information is only collected for advertisement purposes, data owners may not give this information. The data owner shall be informed regarding his freedom to give information for this purpose. Personal consent is received in order to process the information of the data owner for advertisement purposes. The data owner may select from appropriate communication channels such as mail, electronic mail or telephone. In case data owner does not permit his information to be used for business purposes, the data shall no longer be used for such purpose and its use for such purposes shall be prevented.

c. Data operations made for the legal liability of the Company or due to clear legal stipulations
Personal data may be processed without receiving personal express consent, in case such processing is clearly stipulated on the related legislation or for the purpose of executing a legal liability determined by the legislation. The type and extent of the data processes shall be necessary for the legally permitted data processing activity and in accordance to the related legal provisions.

d. Data processing for the legitimate interest of the Company
Personal data may be processed without receiving personal express consent in case it is necessary for a legitimate interest of the Company. Such legitimate interests are in general legal (e.g. collection of accounts receivable) or economic (e.g. preventing breach of contract) interests.

e. Processing sensitive data
Sensitive data shall be processed with the condition of taking the sufficient measures determined by the Board for the Protection of Personal Data (“Board”) in belowmentioned cases:

In case the above said data processing conditions are not present, the Company shall receive express consent of the related person for processing such data.

Data processed through exclusively automatic systems
Procession of personal data through exclusively automatic systems in order to specify certain factors may not be by itself a basis for decisions having negative legal conclusions and affecting the related person negatively. The related person has the right to object to the emergence of a result to his detriment the rough the analysis of processed data through exclusively automatic systems. For the purpose of preventing erroneous decisions, test and reliability control are being conducted by the Company employee.

g. User data and the Internet
In case of collection, process and use of personal data on web sites and applications, the related persons shall be informed about the privacy statement and if necessary, cookies. Privacy statement and cookie information shall be integrated in an easily identifiable, directly accessible and continuously available way for the related person.
In case of the formation of user profiles for the evaluation of website and web applications’ use, the related person shall be appropriately informed thereof by the privacy statement.
If websites and applications are able to access personal data in an area limited to registered users, the identification of the related person and the verification of his identity shall provide sufficient protection during access.

6. EMPLOYEE DATA

a. Data processing for employment relations
For employment relations, personal data are processed without receiving specific consent in case they are necessary to draw up, execute and terminate an employment contract. If the candidate is declined, data belonging to the candidate are stored during the appropriate data storage duration for the next selection process; such data are deleted, destroyed or anonymized at the end of this duration

b. Data processes made for the purposes clearly stipulated by the law or for a legal liability of the Company
Personal data belonging to the employee may be processed without receiving specific consent in case the process is clearly stipulated by the related legislation or in order to execute a legal liability stated by the legislation.

c. Data processing in accordance to the legitimate interests
Personal data belonging to the employee may be processed without receiving specific consent if necessary for a legitimate interest of the Company. Such legitimate interests are generally legal (e.g. filing, executing or defending legal rights) or economic (e.g. evaluation of the Company) interests.
In personal cases where it is necessary to protect the interests of the employees, personal data may not be processed for legitimate interests. Before data processing it shall be determined whether interests requiring protection are present.
In case data belonging to the employees are processed in accordance to the legitimate interest of the Company, it shall be examined whether the process is balanced. It shall be controlled whether the legitimate interest causing the Company to take such control measure is breaching an employee right needing protection and processing shall be carried out only in case it is balanced.

d. Processing sensitive data
Sensitive personal data may only be processed under certain conditions. Data such as race and ethnic background, political opinion, religion, philosophical beliefs, sects and other beliefs, attire and outfit, society, foundation or syndicate membership, health, sexual life, conviction history, data related to security measures, biometric and genetic data are classified as sensitive data.
Sensitive personal data may be processed in case the express consent of the employee is present. Upon express consent the personal data may be processed depending on its nature based on the principles stated on this policy and by taking the necessary administrative and technical measures.
In case express consent of the employee is not present sensitive personal data may be procesed in the belowmentioned cases on the condition that sufficient measures determined by the Board are taken.
In cases stipulated by the law, sensitive personal data except the health and the sexual life of the employee,
Sensitive personal data regarding the health and sexual life of the employee may only be processed for the purpose of protecting public health, protective medicine, medical diagnosis, performing treatment and care services, planning and management of the health services and their finance, by the persons under confidentiality obligation or by authorized institutions or organizations.

e. Data processed by exclusively automatic systems
In case personal data is processed by exclusively automatic systems as a part of the employment relation (ex. As part of the personnel selection or in order to evaluate talent profiles) the employee has the right to object to the emergence of a result to his detriment.

f. Telecommunication and internet
Telephone hardware, e-mail addresses, intranet and internet together with internal lines, are provided by the Company primarily for duties related to work. These are work tools and Company resources. These tools shall be used in accordance to legal regulations and to the internal regulations of the Company.
A general supervision regarding telephone and e-mail communication or intranet and internet use does not take place. In order to prevent attacks against the IT infrastructure or individual users, protective measures blocking technically harmful contents or analysing the modelling of the attacks are implemented on the transition to the Company web. The use of telephone hardware, e-mail addresses, intranet/internet and/or internal social webs are stored for a limited duration for security purposes. The evaluation of these data regarding the person are only made in case a concrete doubt concerning the breach of legal regulations is present. These controls are implemented by the related departments only for the condition of keeping the balance principle.

7. TRANSMISSION OF PERSONAL DATA

Transmission of personal data to a 3rd person outside the Company shall be carried out within the scope of the aims stated on the Clarification Text and the below mentioned aims.
The Company shall be able to transmit personal data to the below mentioned persons and institutions for specific aims:

Personal data shall be transmitted to those foreign countries, after foreign countries having sufficient protection are announced by the Board. Regarding those countries announced as not having sufficient protection, personal data shall only be transmitted in cases the data responsible in Turkey or in the related foreign country undertake a sufficient protection in written and the Board’s permission exists, or in cases the data owner gives consent.

8. RIGHTS OF THE RELATED PERSON

All data owners possess the below mentioned rights. In case the data owner uses the mentioned rights and presents a request to the Company, the Company shall offer the necessary information and the Company shall hereby with this data confidentiality regulation inform the related data owner regarding the way the right in question may be used and how the cases related to the information request are evaluated.

For the cases kept outside the scope of KVKK and mentioned below, the related persons may not claim their above stated rights and the Company is not under obligation to execute the requests made in this scope:

In accordance to the KVKK, in the below stated cases , the related persons may not, with the exception of the right to request an indemnification of damages, claim their other rights:

Personal data owners may address their requests regarding their abovementioned rights by completely filling and undersigning the form found at the Company’s official internet address www.skylandistanbul.com and by sending it to SKYLAND ISTANBUL Huzur Mh., Cendere Cd. No:114, 34396 Sarıyer/ ISTANBUL address by registered letter with return receipt and with a copy of their identification document (for the identity card, only the front side copy). For a person to address a request on behalf of the personal data owner, such person shall hold a specific proxy statement regarding the subject matter drafted by the personal data owner for the addressing person.

The requests addressed in due form to the company shall be completed within thirty days at the latest. In case the completion of the requests in question requires an additional cost, the Company may charge the petitioner a fee at the rate determined by the Board.

The Company may, in order to determine whether the petitioner is the owner of the personal data, request additional information from the related person and address the personal data owner questions regarding his request in order to clarify issues stated on the request.

9. CONFIDENTIALITY OF THE PROCEDURES

Personal data are subject to confidentiality. Collection, processing and unpermitted use of data by the employees are prohibited. Unauthorized use is unauthorized data processing which employees executed outside their legitimate duties. All principle is valid: Employees may access personal data only in case it is in accordance to the scope and nature of the duty in question.

Employees are prohibited from using personal data for personal or commercial purposes, to distribute them to unauthorized persons or to make it accessible in another way. The managers shall in from employees regarding their obligations concerning data protection, when the employment relation starts. This obligation continues after the employment relation is terminated.

10. PROCESS SECURITY

The company takes the necessary measures and controls, makes or lets make the necessary supervisions in this scope, in order to prevent the processed personal data being illegally processed, to prevent data being illegally accessed and to ensure the appropriate security level in order to store data. This case is valid independently from whether the data processing is made electronically or by writing. Particularly during migration to new IT systems, before starting new methods of data processing, technical and organizational measures aimed at the protection of personal data are identified and practiced. These measures lean on the latest developments and to the need to protect data, determined by the process risks and the information classification procedure. Technical and organizational measures concerning the protection of personal data are a part of the Company’s information security management and they are being constantly adapted to technical developments and organizational changes.

11. DATA PROTECTION CONTROL

The accordance to the Personal Data Protection and Processing Policy and to KVKK is ensured through regular data protection supervisions and other controls. The company is making or letting make the necessary supervisions.

12. DATA BREACH MANAGEMENT

The Company may, in case the personal data processed in accordance to this Personal Data Protection and Processing Policy herein and to the KVKK are illegally obtained by others, operates the system ensuring that this situation is announced within the shortest time to the related person and to the Board. In cases deemed necessary by the Board, this case may be announced on the website of the Board or by another means.

13. DESCRIPTIONS

14. CONFIDENTIALITY AND APPROVAL

Your personal information will only be used in accordance to the service exigencies, to access information specific to you or to get in touch with you. These information will not be shared with third persons and will not be published anywhere. Automatically saved information (Non-personal data), when you enter the Website, the general non-personal information (browser used, visitor amount, average time spent on the site, pages viewed) are saved automatically (separate from the member registration). This information is used in order to improve the general quality of our website. Your information will not be subject to any further processes and will not be transmitted to third persons. Within this context, we would like to state that with your approval in question you will declare that you accept that your sensitive personal data (telephone, e-mail, address and other communication information included) may be processed in accordance to the Law no. 6698 on the Protection of Personal Data (“KVKK”), used and shared on the condition of being limited to its processing aims within the related process, stored for the necessary duration by Eroğlu Yapı İnşaat ve Gayrimenkul Geliştirme Sanayi ve Ticaret A.Ş., group companies, related partnerships and subsidiaries; that being subject to the activities within the scope of electronical trade legislation you may be contacted through SMS, e-mail and calls and that the necessary clarification was made to you regarding the subject matter, that you declare that you have read and understood this text.

15. SCOPE

This policy herein and all approvals and permissions within apply for Eroğlu Holding A.Ş., Eryap Mühendislik İnşaat Taahhüt Tur.San.Tic. A.Ş., Eroğlu Yapı İnşaat ve Gayrimenkul Geliştirme Sanayi ve Ticaret A.Ş., Erasta Edirne Emlak Gel. ve Yat. A.Ş., Eroğlu Gayrimenkul Geliştirme ve Yatırım A.Ş., Loft Mağazacılık A.Ş., Erk Pazarlama Ve Giyim Sanayi Ticaret A.Ş., İnoliva İlaç ve Gıda Sanayi Ticaret A.Ş., and all group companies, partnerships and subsidiaries; these data may be processed by all of these companies and these apply to electronic commerce activities within the designated scope.

Commercial Title: ERYAP MÜHENDİSLİK İNŞ.TAAH.TUR.SAN.TİC.A.Ş.

Address: HUZUR MAH.CENDERE CAD.SKYLAND SİTESİ B.APT.NO:114 B/13 SARIYER/ISTANBUL

Mersis No: 0376 0142 4360 0017

Telefon: 02128122651

E-posta: info@skylandistanbul.com

KEP Adresi: eryapmuhendislik@hs03.kep.tr

3D SANAL GEZİNTİ