NOVA ARSA GELİŞTİRME İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ
Clarification Text Regarding Personal Data Processed in Communication and Information Request Forms
The Personal Data Protection Law (Law No. 6698), which is currently in force in the Republic of Türkiye, is largely aligned with the European Union’s General Data Protection Regulation (GDPR) and is based on the same fundamental principles. Both regulatory frameworks require that personal data be processed lawfully, fairly, and transparently for specific, explicit, and legitimate purposes; that such data be accurate and kept up to date where necessary; that processing be relevant, limited, and proportionate to the intended purposes; and that personal data be retained only for the period necessary for those purposes.
The Personal Data Protection Law governs the personal data processing activities of data controllers operating within Türkiye and incorporates many elements similar to those found in the GDPR, including data security obligations, data subject rights, the obligation to inform, requirements for explicit consent, and lawful bases for processing.
The documents presented on this website have been prepared in accordance with the provisions of the Personal Data Protection Law. They are structured in parallel with the GDPR and reflect the legal obligations applicable to data processing activities carried out within Türkiye. Accordingly, given the structural similarities between the two laws, these documents are considered to be consistent with data processing practices concerning individuals located within the European Economic Area (EEA).
Thanks to the structural alignment between the Personal Data Protection Law and the GDPR, our data processing principles comply not only with domestic legislation but also with international data protection standards.
As NOVA ARSA GELİŞTİRME İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ (“NOVA ARSA” or “Company”), we value the protection of your personal data. Accordingly, we make every effort and show utmost care to ensure that your personal data is processed and stored in compliance with the Personal Data Protection Law No. 6698 (“Law”). As the data controller, NOVA ARSA takes all necessary legal, administrative, and technical measures to ensure the security of your personal data throughout all stages of processing. This notice has been prepared in accordance with the Law to inform you about how and under which conditions your personal data is processed within the scope of the “Communication and Information Request Form.”
Identity and Contact Details of the Data Controller
Data Controller: NOVA ARSA GELİŞTİRME İNŞAAT SANAYİ VE TİCARET ANONİM ŞİRKETİ (Tax No: 6321251367)
Address: Altunizade Mah. Mahir İz Cad. No:31, 34662 Üsküdar/İSTANBUL
Phone: 444 5 675
Email: info@novaarsa.com
Registered Email (KEP): novaarsagelistirme@hs01.kep.tr
Definitions Relating to the Protection of Personal Data
- Personal Data: Any information relating to an identified or identifiable natural person (e.g., ID, address, email, phone number, photograph, etc.).
- Data Recording System: Any recording system in which personal data is processed according to specific criteria.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- Data Subject: The natural person to whom the personal data belongs (e.g., employee, customer, supplier, visitor, etc.).
- Explicit Consent: Freely given, specific, informed, and unambiguous consent of the data subject.
- Processing of Personal Data: Any operation performed on personal data including collection, recording, storage, preservation, alteration, disclosure, transfer, retrieval, classification, or destruction.
- Special Categories of Personal Data: Data relating to race, ethnic origin, political opinion, religion, health, sexual life, criminal convictions, biometric and genetic data.
- Anonymization: Rendering personal data impossible to link with an identified or identifiable natural person.
- Board: Personal Data Protection Board.
- Website: https://www.novaarsa.com
Personal Data Processed and Purposes of Processing
Personal data collected through the Communication and Information Request Forms, such as name, surname, email, phone number, and any information voluntarily shared in the message field, are processed in compliance with Articles 5 and 6 of the Law, based on legitimate interests and with your explicit consent, for purposes including but not limited to:
- Managing events and services organized by the Company,
- Executing business communication and service delivery,
- Conducting commercial activities and strategic planning,
- Ensuring legal, technical, and commercial security of the Company,
- Sales, marketing, accounting, and financial operations,
- Managing customer relations and satisfaction processes,
- Resolving technical or legal issues, contract execution,
- HR management and planning,
- Anonymized statistical analysis,
- Customizing services based on preferences,
- Maintaining information and operational security,
- Responding to user inquiries and feedback submitted via the Form,
- Ensuring compliance with laws and regulations.
Transfer of Personal Data
Within the scope of its activities and for the purposes outlined above, NOVA ARSA may transfer personal data, in accordance with the conditions set out in Articles 5 and 6 of the Personal Data Protection Law and the rules on data transfer in Article 8, to the following recipients:
- Shareholders of the Company,
- Business partners (limited to fulfilling the purpose of the partnership),
- Technology providers that support the technological systems used by the Company (e.g., website hosting services, CRM/customer relationship management software providers),
- Outsourced service providers contracted by the Company,
- The Company’s sales and marketing departments,
- System administrators and legally authorized third parties,
- Internal departments involved in the planning and execution of the Company’s commercial and/or business strategies, operations, and human resources policies and processes,
- Third parties involved in corporate transactions such as asset transfers, mergers, acquisitions of subsidiaries or new business ventures,
- Competent official authorities (e.g., courts, regulatory bodies, public institutions and organizations),
- Other private entities authorized by law.
The transfer of personal data will be carried out strictly in accordance with the relevant legal grounds and principles of lawfulness, fairness, and transparency under the Personal Data Protection Law.
Transfer of Personal Data Abroad
Currently, NOVA ARSA does not directly transfer data abroad. However, should data transfer become necessary under agreements with international service providers, such transfer will be made in compliance with Article 9 of the Law and the security measures set by the Board.
Method and Legal Basis for Collecting Personal Data
Personal data may be collected by automated or non-automated means, provided they are part of a data recording system, through the following channels:
- Communication and Information Request Forms or similar electronic platforms filled out by the data subject via the Company’s Website,
- Emails, faxes, legal notices, letters, or platforms used for correspondence sent to the Company or its departments,
- Systems designed for collecting feedback, requests, complaints, or consent for communication or marketing purposes,
- Printed forms, electronic newsletters, contracts signed with the Company,
- Participation in events, seminars, or campaigns organized by the Company,
- Communications via the call center, face-to-face meetings, phone calls, or other communication tools,
- Social media platforms, mobile devices such as phones or tablets, or mobile applications,
- Verbal, written, or electronic communications carried out through any communication channel with the Company.
Personal data is processed based on the following legal grounds under Articles 5 and 6 of the Law:
- With the explicit consent of the data subject,
- Where processing is necessary for the establishment or performance of a contract,
- For compliance with legal obligations,
- For the legitimate interests of the data controller, provided that fundamental rights and freedoms of the data subject are not harmed.
Data Security
NOVA ARSA ensures that all personal data—whether processed by fully or partially automated means or by non-automated means as part of a data recording system—is stored and processed in a manner that minimizes the risk of destruction, loss (including accidental loss), unauthorized access/use, or misuse inconsistent with the original purpose of collection.
In line with this approach, NOVA ARSA does not establish business or solution partnerships with any third-party providers except for CRM firms that meet the highest standards of data security and implement robust protective measures.
Moreover, data transfer protocols are signed with third-party service providers to which personal data may be transferred. In order to protect personal data from unlawful use, unauthorized access, damage, loss, or disclosure, NOVA ARSA implements secure databases, antivirus software, data backup, encryption, data masking, Cloudflare integrations for website protection, secure servers, and cybersecurity tools including Fortilogger, SOPLOG, Sonlogger, and Omaspot, as well as firewalls and other comprehensive security software.
In this context, the Company continues to implement:
- System access controls,
- Data access controls,
- Secure transfer protocols.
Through its data security policies, NOVA ARSA conducts ongoing assessments of data value and risk levels in light of current technological developments and enforces proactive security measures and business continuity controls, alongside other necessary institutional safeguards.
In accordance with Article 12 of the Personal Data Protection Law, the Company undertakes the following responsibilities:
- To prevent the unlawful processing of personal data,
- To prevent unauthorized access to personal data,
- To ensure that personal data is securely stored by implementing all necessary technical and administrative measures.
Personal data is retained by NOVA ARSA for the duration required by applicable legal retention periods and for the fulfillment of the purposes set forth in this Clarification Text. Upon expiration of such purposes or legal retention requirements, the relevant personal data is securely deleted, destroyed, or anonymized.
Detailed information regarding NOVA ARSA’s data security protocols and its compliance with the Personal Data Protection Law is available in the Company’s Data Protection Policy published on its official website.
Data Subject Rights Under the Law
Pursuant to Article 11 of the Law, data subjects may exercise the following rights by submitting the “Data Subject Application Form” available at https://www.novaarsa.com :
- Learn whether personal data is processed,
- Request information if personal data is processed,
- Learn the purpose of data processing and whether it is used accordingly,
- Know the third parties to whom personal data is transferred,
- Request rectification of incomplete or inaccurate data,
- Request erasure or destruction of data when processing purposes cease,
- Request notification of the above actions to third parties,
- Object to processing based solely on automated systems,
- Request compensation for damages due to unlawful processing.
Applications can be submitted in writing to the address of NOVA ARSA or via registered email (KEP) to novaarsagelistirme@hs01.kep.tr. Requests will be concluded free of charge within 30 days, unless additional costs arise, in which case the applicable fee determined by the Board may be charged.