Personal Data Protection Law (KVKK) Information

PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA

This Privacy Notice has been prepared by our Company, in its capacity as data controller, in accordance with the Turkish Personal Data Protection Law No. 6698 ("PDPL" / "KVKK") to inform you about the purposes for which your personal data is processed, to whom it may be transferred, the methods and legal grounds by which it is collected, and your rights under the PDPL.

Note: This English version is provided for informational purposes. In case of any discrepancy, the original Turkish version shall prevail.

1. Identity of the Data Controller

Title: Vass Asansör Yazılım Limited Şirketi
Address: Fevzi Çakmak Mahallesi, 10798. Sokak, No: 3 Karatay / KONYA / TÜRKİYE
E-Mail: info@vass.net.tr
Website: www.vass.net.tr

2. Categories of Personal Data Processed

The following categories of personal data are processed by our Company within the scope of the relevant purposes:

• Identity Data: Full name, mother's and father's names, mother's maiden name, date of birth, place of birth, marital status, ID card serial/sequence number, Turkish Republic ID number, etc.
• Contact Data: Address information, e-mail address, contact address, registered electronic mail (KEP) address, phone number, etc.
• Location Data: Location information of the current whereabouts, etc.
• Personnel Data: Payroll information, disciplinary investigation records, employment entry document records, asset declaration information, CV information, performance evaluation reports, etc.
• Customer Transaction Data: Call center records, invoice, promissory note and check information, bank receipt information, order information, request information, etc.
• Transaction Security Data: IP address information, website entry/exit information, password and PIN information, etc.
• Professional Experience Data: Diploma information, courses attended, in-service training information, certificates, transcript information, etc.

3. Categories of Data Subjects

The personal data listed above may belong to the following categories of data subjects:

• Company employees
• Persons receiving products or services (our customers and their authorized representatives)

4. Purposes of Processing Personal Data

Your personal data is processed for the following purposes within the scope of the data processing conditions set forth in Articles 5 and 6 of the PDPL:

• Conducting information security processes
• Managing access authorizations
• Conducting activities in compliance with applicable legislation
• Conducting assignment processes
• Conducting communication activities
• Planning human resources processes
• Conducting and supervising business activities
• Conducting procurement processes for goods/services
• Conducting after-sales support services for goods/services
• Conducting sales processes for goods/services
• Conducting production and operational processes for goods/services
• Conducting storage and archiving activities
• Conducting contract processes
• Conducting emergency management processes
• Conducting management activities
• Ensuring the security of data controller operations

5. Method and Legal Grounds for Collection of Personal Data

Your personal data is collected through our Company's website, mobile applications (Asansis and related applications), desktop software, e-mail, telephone, postal mail, courier services, contracts, application forms, and other communication channels in physical and electronic environments.

Your personal data is processed based on the following legal grounds set forth in Article 5 of the PDPL:

• Where it is expressly stipulated in laws,
• Where it is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract,
• Where it is mandatory for the data controller to fulfill its legal obligation,
• Where data processing is mandatory for the establishment, exercise, or protection of a right,
• Where data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed,
• The explicit consent of the data subject, in cases where the above conditions do not apply.

6. Transfer of Personal Data

Your personal data may be transferred to the following parties within the scope of the data processing conditions specified in Article 8 of the PDPL, and limited to the purposes stated above:

• Authorized public institutions and organizations (when requested within the scope of legal obligations),
• Accountants, auditing firms, and e-invoice integrators (for the purpose of fulfilling accounting and financial obligations),
• Business partners and suppliers (within the scope of service provision and with limited data),
• Information technology service providers (within the scope of server, software, and infrastructure services).

7. Transfer Abroad

Your personal data is not transferred abroad.

8. Retention Periods for Personal Data

Your processed personal data is retained for the period stipulated in the relevant legislation or required by the purpose of processing. Retention periods by data category are as follows:

• Identity: Until the data subject requests deletion
• Contact: Until the data subject requests deletion
• Location: For as long as the system is in use
• Personnel: 10 years
• Customer Transaction: 5 years
• Transaction Security: Until the data subject requests deletion
• Professional Experience: Until the date of termination of employment

Upon expiration of the retention period, your personal data is deleted, destroyed, or anonymized in accordance with Article 7 of the PDPL and the provisions of the "Regulation on the Deletion, Destruction or Anonymization of Personal Data".

9. Data Security Measures

In accordance with Article 12 of the PDPL, our Company takes all kinds of technical and administrative measures, including the following, to prevent the unlawful processing of and access to personal data, and to ensure the protection of such data:

• Ensuring network and application security,
• Using closed-system networks for data transfers conducted over networks,
• Implementing key management and encryption,
• Applying security measures within the scope of procurement, development, and maintenance of information technology systems,
• Ensuring the security of personal data stored in the cloud,
• Conducting regular data security training and awareness programs for employees,
• Establishing an authorization matrix for employees,
• Implementing corporate policies on access, information security, use, retention, and destruction,
• Maintaining access logs regularly and in a manner that prevents user intervention,
• Applying data masking measures when necessary,
• Signing confidentiality undertakings,
• Revoking the authorizations of employees whose duties have changed or who have left the Company,
• Using up-to-date antivirus systems and firewalls,
• Ensuring that signed contracts contain data security provisions,
• Minimizing personal data as far as possible (data minimization),
• Backing up personal data and ensuring the security of the backups,
• Implementing and monitoring user account management and authorization control systems,
• Using secure encryption and cryptographic keys for special categories of personal data, managed by different units,
• Using intrusion detection and prevention systems,
• Periodically auditing data-processing service providers,
• Using data loss prevention software.

10. Rights of the Data Subject (Article 11 of the PDPL)

Pursuant to Article 11 of the PDPL, as a data subject whose personal data is processed, you have the following rights:

1. To learn whether your personal data is being processed,
2. To request information if your personal data has been processed,
3. To learn the purpose of processing your personal data and whether it is being used in accordance with that purpose,
4. To know the third parties, whether domestic or abroad, to whom your personal data has been transferred,
5. To request rectification of your personal data if it has been processed incompletely or inaccurately,
6. To request the deletion or destruction of your personal data within the framework of the conditions set out in Article 7 of the PDPL,
7. To request that the operations carried out under items (5) and (6) above be notified to the third parties to whom the personal data has been transferred,
8. To object to the occurrence of an outcome to your detriment as a result of the analysis of your processed data exclusively through automated systems,
9. To request the compensation of damages in the event that you suffer loss due to the unlawful processing of your personal data.

11. Method of Exercising Your Rights

To exercise your rights listed above, you may submit your requests to our Company by one of the following methods, in accordance with the "Communiqué on the Procedures and Principles for Application to the Data Controller":

• In writing, by delivering a wet-signed petition to our Company's address in person or by registered mail with return receipt,
• By sending an e-mail to info@vass.net.tr using a registered electronic mail (KEP) address, secure electronic signature, or mobile signature.

Your application must contain the following information:

• Name, surname, and signature (if the application is in writing),
• Turkish Republic ID number (for foreign nationals: nationality, passport number, or ID number, if any),
• Place of residence or business address for notification purposes,
• E-mail address, telephone, and fax number for notification purposes,
• Subject of the request.

Our Company will respond to your request free of charge, as soon as possible and within a maximum of thirty (30) days, depending on the nature of the request. However, if the process requires additional cost, the fee set by the Personal Data Protection Board may be charged.

This Privacy Notice may be updated by our Company when deemed necessary. The current version is always published at www.vass.net.tr.

Vass Asansör Yazılım Limited Şirketi