1.Legal Basis: We use the Personal Data Protection Law No. 6698 to attach utmost importance to the protection and processing of Personal Data in accordance with the law and we act with this care in all our planning and activities based on the fundamental legal basis regulated under Article 20 of the Constitution that everyone has the right to demand the protection of their personal data and this right includes being informed about personal data about oneself, accessing such data, requesting its correction or erasure, and learning whether personal data is used for the relevant purposes and it can only be processed in the cases stipulated by the law or with the explicit consent of the person. At our Company, we take all administrative and technical measures for the protection and processing of Personal Data as the basis of privacy, and we inform and warn our personnel about the legal sanctions regulated in Article 135 and following articles of the Turkish Penal Code (TPC) No. 5237.

2.Objective : The current Personal Data Protection Law No. 6698 regulates the protection of fundamental rights and freedoms of persons, in particular the privacy of private life, in the processing of personal data and the procedures and principles to be followed by natural and legal persons processing such data. Prepared by taking into account the relevant regulation, our policy aims to ensure compliance with the obligations on the protection of personal data, evaluate matters related to the processing and transfer of the information obtained as part of the activities carried out by our Company and protect its confidentiality with a risk-based approach, determine strategies, internal checks and measures, operate rules and responsibilities, and raise awareness of the Company employees on these issues. Also, we aim to ensure transparency by informing the persons whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, as well as employees, shareholders and officials of the institutions/organizations we cooperate with, and third parties.

3.Scope: This policy concerns all personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors as well as employees, shareholders and officials of the institutions we cooperate with, and third parties, which are processed automatically or non-automatically provided that they are part of any data recording system.

4.Definitions

• 4.1. Explicit Consent: Informed consent expressed with free will about a particular subject.
• 4.2. Anonymization: Alteration of personal data in an irreversible way that it loses its ability to be associated with an identified or identifiable person.. Example: Making personal data unassociated with a natural person by means of techniques like masking, aggregation, data corruption, etc.
• 4.3. Employee: Persons working in the Company pursuant to the employment contract concluded with the Company
• 4.4. Employee Candidate: Real persons who have either applied for a job to the Company or have made their CV and related information accessible to the Company's examination.
• 4.5. Real Persons and Legal Persons under Private Law: Real persons are those who were born alive and without any damage and currently alive in accordance with the Turkish Civil Code. Private law legal persons are the Business Enterprises defined in the Turkish Commercial Code and the associations and foundations defined in the Turkish Civil Code.
• 4.6. Public: It refers to a group of people that does not constitute any characteristic and includes every person.
• 4.7. Shareholders: They are natural or legal persons who own shares (stocks) in the data controller Company.
• 4.8. Business Partner: They are parties with which the data controller conducts business activities and engages in business relations.
• 4.9. Employees, Shareholders and Officials of the Organizations We Collaborate with:Real persons working in institutions (such as but not limited to business partners and suppliers) with which the company has any business relations including shareholders and officials of such institutions,
• 4.10. Affiliates and subsidiaries: Affiliate is called a company in which the data controller has a partnership through shares in its capital. If the company has more than 50% of the voting rights, the relationship with such company forms a subsidiary and if it does not have majority in the company it leads to a simple affiliate relationship.
• 4.11. Processing of Personal Data: Any operation performed on the data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or blocking the use of using personal data in partially or wholly automatic means or non-automatic means provided that they are a part of any data recording system.
• 4.12. Personal Data Owner: Natural person whose personal data is processed. For example, customers and employees.
• 4.13. Personal Data: Any information relating to an identified or identifiable natural person. Processing of information of legal entities is not covered by law. For example, name and surname, ID no, e-mail, address, birth date, credit card number, etc.
• 4.14. Customer: Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.
• 4.15. Special Categories of Personal Data: Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.
• 4.16. Potential Customer: Real or legal persons who have requested to purchase or have an interest in purchasing our products or services, or who have been evaluated in accordance with the rules of practice and honesty that they may have this interest therein.
• 4.17. Intern: Real persons who have applied for internship to the Company by any means to put their theoretical knowledge about the profession into practice in the workplace.
• 4.18. Company Shareholder: Natural persons who are shareholders of the company
• 4.19. Company Official: Member of the company's board of directors and other authorized natural persons
• 4.20. Supplier: Parties that have a business relationship with the Data Controller based on the service contract and/or the power of attorney agreement for service procurement as per the data controller's commercial activities.
• 4.21. Group Companies: According to the definition in the Turkish Commercial Code, "Companies that are directly or indirectly affiliated with the dominant company form the group of companies together with it.”
• 4.22. Third Party: Third party real persons who have relations with the aforementioned parties for the purpose of ensuring the security of commercial transactions with our Company or protecting the rights and interests of the relevant parties (e.g. Family Members and relatives)
• 4.23. Data Processor: VA natural and legal person who processes personal data on behalf of the data controller, based on the authority given by it. For example, the firm or companies that keep the Company's data, etc.
• 4.24. Data Controller: A natural or legal person who determines the purpose and means of processing personal data, bears responsibility for managing the place where data is kept systematically (data registry system), provides necessary information and guidance to the data owner about their personal information upon their request/application.
• 4.25. Authorized Public Institutions and Organizations: Public institutions and organizations authorized by the relevant legislation to request information and documents from the data controller as it has to comply for them to fulfill their legal obligations.
• 4.26. Visitor: Real persons who enter the physical premises of the Company for various purposes or visited our websites.

5. Abbreviations

• 5.1. PDPL: Law No. 6698, Personal Data Protection Law No. 6698, dated March 24, 2016, published in the Official Gazette No. 29677, dated 7 April 2016.
• 5.2. Constitution: The Constitution of the Republic of Turkey no. 2709 issued on November 7 as published in the Official Gazette no. 17863 on November 9, 1982
• 5.3. PDP Board: Personal Data Protection Board
• 5.4. PDP Authority: Personal Data Protection Authority
• 5.5. Policy:The Company’s Personal Data Protection and Processing Policy
• 5.6. TCO Turkish Code of Obligations dated January 11, 2011 and no. 6098 as published in the Official Gazette dated February 4, 2011 and no. 27836.
• 5.7. TPC Turkish Penal Code No. 5237 dated September 26, 2004 as published in the Official Gazette no. 25611 dated October 12, 2004.
• 5.8. TCCTurkish Commercial Code No. 6102 dated January 13, 2011, as published in the Official Gazette no. 27846 dated February 14, 2011.

6. Data Categories: The company may save, process or transfer data in the following data categories.

• 6.1. Identity (such as name, surname, mother’s/father’s name, date of birth, place of birth, marital status, ID card serial number, ID number)
• 6.2. Contact(such as address no, e-mail address, contact address, registered e-mail address (KEP), telephone number)
• 6.3. Personnel (such as information on payroll, disciplinary investigation, start/end of employment document records, resume information, performance evaluation reports)
• 6.4. Legal Action (such as information in correspondence with judicial authorities and case files)
• 6.5. Customer Transaction(such as invoice, promissory note, check, order and request information)
• 6.6. Physical Space Security (such as employee and visitor entry and exit registration information, camera recordings)
• 6.7. Transaction Security (such as IP address, website login and logout, password and code information)
• 6.8. Risk Management (such as information processed to manage commercial, technical, administrative risks)
• 6.9. Finance (such as IBAN number, fee information)
• 6.10. Professional Experience (such as information on diplomas, courses attended, vocational training, certificates and transcripts)
• 6.11. Marketing (cookie records)
• 6.12. Audio and Visual Recordings (such as audio-visual recordings)
• 6.13. Health Information (such as information on disability, blood type, personal health, device and prosthesis, test and diagnosis during pandemic and epidemic periods)
• 6.14. Criminal Conviction and Security Measures (Criminal record)

7. Personal Data Processing Purposes: The Company may record, process or transfer personal data for the following purposes.

• 7.1. Execution of Emergency Management Processes
• 7.2. Execution of Information Security Processes
• 7.3. Execution of Employee Candidate/Intern/Student Selection and Placement Processes
• 7.4. Execution of Application Processes of Employee Candidates
• 7.5. Execution of Employee Satisfaction and Engagement Processes
• 7.6. Fulfillment of Employment Contract and Legislative Obligations for Employees
• 7.7. Execution of Benefits and Rewards Processes for Employees
• 7.8. Execution of Audit/Ethical Activities
• 7.9. Execution of Educational Activities
• 7.10. Execution of Access Authorizations
• 7.11. Execution of Activities in Compliance with the Legislation
• 7.12. Execution of Finance and Accounting Activities
• 7.13. Execution of Company/Product/Service Loyalty Processes
• 7.14. Ensuring Physical Space Security
• 7.15. Execution of Assignment Processes
• 7.16. Follow-up and Execution of Legal Activities
• 7.17. Execution of Internal Audit/Investigation/Intelligence Activities
• 7.18. Execution of Communication Activities
• 7.19. Planning of Human Resources Processes
• 7.20. Execution/Supervision of Business Activities
• 7.21. Execution of Occupational Health/Safety Activities
• 7.22. Receiving and Evaluating Suggestions for Improving Business Processes
• 7.23. Execution of Activities for Ensuring Business Continuity
• 7.24. Execution of Logistics Activities
• 7.25. Execution of Goods/Services Procurement Processes
• 7.26. Execution of Goods/Services After-Sales Support Services
• 7.27. Execution of Goods/Services Sales Processes
• 7.28. Execution of Goods/Services Production and Operation Processes
• 7.29. Execution of Customer Relationship Management Processes
• 7.30. Execution of Activities for Customer Satisfaction
• 7.31. Organization and Event Management
• 7.32. Conducting Marketing Analysis Activities
• 7.33. Execution of Performance Evaluation Processes
• 7.34. Execution of Advertising/Campaign/Promotion Processes
• 7.35. Execution of Risk Management Processes
• 7.36. Execution of Storage and Archive Activities
• 7.37. Execution of Social Responsibility and Civil Society Activities
• 7.38. Execution of Contract Processes
• 7.39. Execution of Sponsorship Activities
• 7.40. Execution of Strategic Planning Activities
• 7.41. Follow-up of Requests/Complaints
• 7.42. Ensuring the Security of Movable Property and Resources
• 7.43. Execution of Supply Chain Management Processes
• 7.44. Execution of Wage Policy
• 7.45. Execution of Marketing Processes of Products/Services
• 7.46. Ensuring the Security of Data Controller Operations
• 7.47. Work and Residence Permit Procedures of Personnel of Foreign Nationalities
• 7.48. Execution of Investment Processes
• 7.49. Execution of Talent/Career Development Activities
• 7.50. Providing Information to Authorized Persons, Institutions and Organizations
• 7.51. Execution of Management Activities
• 7.52. Creating and Tracking Visitor Records

8. Legal Reasons for Processing Personal Data: The legal reasons for processing personal data are regulated under Article 5 of the PDPL.

• Personal data cannot be processed without the explicit consent of the data subject.
• 8.1 It is possible to process the personal data of the subject without explicit consent if one of the following conditions exists:
• 8.1.1. If it is expressly stipulated in the law.
• 8.1.2. If it is mandatory for the protection of life or physical integrity of a person or someone else, who is physically incapable of expressing their consent or because such consent is not considered legally valid.
• 8.1.3. If it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a Contract.
• 8.1.4. If it is mandatory for the data controller to fulfill its legal obligation.
• 8.1.5. If the data subject goes public themselves.
• 8.1.7. If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

9. Legal Reasons for Processing Special Categories of Personal Data: The legal reasons for processing personal data are regulated under Article 6 of the PDPL.

• 9.1. Processing special categories of personal data is prohibited without the explicit consent of the person concerned.
• 9.2. special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the data subject in cases stipulated by the laws. Persons or authorized institutions and organizations under the confidentiality obligation may process personal data related to health and sexual life only for protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and their financing without seeking the explicit consent of the data subject.

10. Personal Data Transfer Recipient Groups: The Company may transfer personal data to the following Personal Data Transfer Recipient groups.

• 10.1. Shareholders
• 10.2. Business Partners
• 10.3. Suppliers
• 10.4. Authorized Public Institutions and Organizations

11. Persons Subject to Personal Data - The Company may record, process or transfer personal data according to the following types of persons.

• 11.5. Visitor

12. Personal Data Storage Periods: Personal data storage periods are regulated in detail in the Personal Data Storage and Destruction Policy.

13. Erasure, Destruction or Anonymization of Personal Data:

• 13.1. Although the personal data is processed in accordance with the law, such data are deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject in the event that the reasons for the processing them disappear.
• 13.2. The data controller deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.
• 13.3. The actions to be taken regarding these matters are explained in detail in the Personal data storage and destruction policy.

14. Transfer of Personal Data: Personal data obtained for processing pursuant to the general principles specified in the Law may be transferred to third parties after obtaining the explicit consent of the data subject.

• 14.1. Domestic transfer: Details regarding the domestic transfer of personal data and special categories of personal data are regulated in the Procedure for the Transfer of Personal Data.
• 14.2. International transfer: Personal data can be transferred to countries with adequate protection in the presence of the conditions specified in the Law provided that the data subject gives an explicit consent. Data transfer to countries without adequate protection can take place if it is pledged in writing and the Board gives permission in addition to the presence of the conditions specified in the Law and explicit consent. Details on this subject are regulated in the Procedure for Transfer of Personal Data.

15. General (Basic) Principles in the Processing of Personal Data: Personal data will be processed according to the following basic principles as detailed in the procedure for processing personal data. These basic principles are regulated under Article 4 of the Personal Data Protection Law.

• 15.1. Compliance with the law and the principle of good faith,
  Compliance with the law and the principle of good faith means the obligation to act according to the principles of laws and other legal regulations in the processing of personal data.The principle of good faith refers to acting according to the rules of trust and as expected from a reasonable person while exercising one’s rights.
• 15.2. Being accurate and up-to-date when necessary,
  Keeping your personal data accurate and up-to-date is necessary for the protection of fundamental rights and freedoms of individuals. This principle not only protects the rights of the data subject, but also serves the interests of the data controller.
• 15.3. Processing data for specific, explicit and legitimate purposes,
  This principle obliges data controllers to determine a legitimate purpose for data processing in a clear and precise manner. Legitimacy of purpose means that processed data is linked and required by the work undertaken or service performed.
• 15.4. Being limited, proportionate and relevant to the purpose of processing
  Personal data must be processed adequately for carrying out the determined purposes and processing of personal data that is not necessary for fulfilling the purposes must be avoided. Similarly, personal data shall not be processed to meet the needs that may arise later. The principle of proportionality means sustaining a reasonable balance between data processing and the intended purpose.
• 15.5. Storing for the period stipulated in the relevant legislation or the period required for the processing purpose
  Personal data must only be stored for the period stipulated in the relevant Legislation or for the period required for the personal data processing purpose. Personal data must be erased, destructed, or anonymized upon the expiry of the periods stipulated under the legislation to which the data controller is subject to due to its legal obligations or those set by itself.

16. Explicit Consent: Informed consent expressed with free will about a particular subject. As detailed in the procedure for obtaining explicit consent, such consent must be related to a specific issue, based on information and expressed with free will.

17. Disclosure obligation: The Company informs the data subjects while collecting personal data. As detailed in the Disclosure Procedure, this information includes at least the following subjects.

• 17.1. Identity of the data controller and its representative, if any,
• 17.2. The purpose for which personal data will be processed,
• 17.3. To whom and for what purpose personal data can be transferred,
• 17.4. Method and legal reason for collecting personal data,
• 17.5. Other rights of the data subject as listed in Article 11 of the Law.

18. Methods to be used by the data subject for legal remedies: Data subjects have the right to apply to the Company to learn whether their personal data are processed, to request such data in that case, to request their correction if the data content is incomplete or inaccurate, to request their erasure or destruction in unlawful situations and notification of such actions to third parties to whom the data is disclosed, and to demand compensation for damages due to unlawful processing. The data subject can exercise their right of appeal and complaint as specified in the Procedure for Data Subject’s Remedies.

• 18.1. Application: It is obligatory for the data subjects to apply to the data controller first in order to exercise their rights. A complaint cannot be made to the Board before this remedy is exhausted.
• 18.2. Complaint: A data subject can file a complaint if their application to the Company is rejected, the response given is found insufficient, or the application is not answered within 30 days. Data subjects cannot directly complain to the Board without applying to the Company.

19. Obligation to Fulfill Board Decisions: If the Board determines the existence of an infringement as result of its examination of the issues ex officio upon complaint or after finding out about such claim, it shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the relevant parties. As detailed in the Procedure for the Execution of Board Decisions, the Company shall fulfill this decision without delay and within thirty days after the date of notification.

20. Data Controllers’ Obligation to Register with Registry (VERBIS): The Company must register in the registration system for data controllers where they declare information about their data processing activities and update any revised registry information, as specified in the Data Controllers Registry (VERBIS) registration procedure.

21. Personal Data Violation: In case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through in any other way it deems appropriate.

22. Kişisel Veri Güvenliği Tedbirleri : Şirket Kişisel verilerin hukuka aykırı olarak işlenmesini önlemek, Kişisel verilere hukuka aykırı olarak erişilmesini önlemek, Kişisel verilerin muhafazasını sağlamak için aşağıdaki teknik ve idari tedbirleri Şirket yapısına uygun düzeyde almaktadır.

• 22.1. Network security and application security are provided.
• 22.2. Key management is implemented.
• 22.3. The personal data stored in the cloud is secured.
• 22.4. Disciplinary regulations are available for employees, including data security provisions.
• 22.5. Employees receive data security training and awareness activities at certain intervals.
• 22.6. An authorization matrix has been created for employees.
• 22.7. Corporate policies on access, information security, usage, storage and destruction have been prepared and implemented.
• 22.8. Data masking is applied when necessary.
• 22.9. Confidentiality commitments are made.
• 22.10. Authorizations are removed for employees who have a change of position or quit their job.
• 22.11. Firewalls are used.
• 22.12. The signed contracts contain data security provisions.
• 22.13. Personal data security policies and procedures have been determined.
• 22.14. Personal data security issues are reported quickly.
• 22.15. Personal data security is monitored.
• 22.16. Necessary security measures are taken regarding entry to and exit from physical environments containing personal data.
• 22.17. Physical environments containing personal data are protected against external risks (fire, flood, etc.).
• 22.18. The security is provided in environments containing personal data.
• 22.19. Personal data is reduced as much as possible.
• 22.20. Personal data is backed up and the backed up personal data is also secured.
• 22.21. User account management and authorization control system are implemented and monitored.
• 22.22. Periodic and/or random audits are conducted and commissioned within the organization.
• 22.23. Existing risks and threats have been identified.
• 22.24. Protocols and procedures have been determined and implemented for special categories of personal data security.
• 22.25. If special categories of personal data will be sent via e-mail, it must be sent in encrypted form and using a registered e-mail or corporate e-mail account.
• 22.26. Cyber security measures have been taken and their implementation is constantly monitored.
• 22.27. Encryption is applied.
• 22.28. Data processing service providers are periodically audited on data security.
• 22.29. Awareness of data security is built among data processing service providers.

Data Controller’s Title: EMLAK KONUT ASANSÖR SİSTEMLERİ SANAYİ VE TİCARET ANONİM ŞİRKETİ

Mersis no: 0334106188900001

E-mail address: info@emlakkonutasansor.com.tr

Registered E-Mail Address: emlakkonut.asansor@hs01.kep.tr

Physical Postal Address: FİNANSKENT MAH. FİNANS CAD. SARPHAN FİNANS MERKEZİ SİTESİ A BLOK NO: 5A İÇ KAPI NO: 195 ÜMRANİYE / İSTANBUL

This information is about the disclosure to be made by EMLAK KONUT ASANSÖR SİSTEMLERİ SANAYİ VE TİCARET ANONİM ŞİRKETİ ("EKA") as the data controller under the provisions of the disclosure obligation, which is regulated under Article 10 of the Personal Data Protection Law (PDPL) No. 6698 about the recording, processing, automatic transfer of the personal data information communicated by https://emlakkonutasansor.com/ users to us via our website by filling out the Contact Form for the purposes described below.

1.Processing of Your Personal Data, its Purpose and Legal Reason

If you request information through our site, your personal data in the form of Identity (name, surname), Contact (email, telephone), information on the chosen topic, the information you type in your message section is processed to contact you based on the legitimate interest of the data controller and the establishment of a right as per legal reasons under Article 5/2 of the PDPL.

• 2.1. Your Personal Data may be shared with Authorized Public Institutions and Organizations when necessary to fulfill our obligations regarding information and document sharing as per the relevant legislation and other legal obligations based on legal reasons including the exercise of our rights clearly stipulated in the Laws pursuant to 5/2 of PDPL, those necessitating the Data controller to fulfill its legal obligation and the legitimate interest of the data controller.
• 2.2. Your Personal Data is shared with our "Suppliers" with whom we have a business relationship and from whom we receive services for the execution of contracts for procuring necessary external services and limited for these purposes based on legal reasons including when it is necessary for the data controller to process data for its legitimate interests, to establish or perform a contract, and to establish, exercise or protect a right. For example, your personal data is shared with "Lawyers" from whom we receive services in case of a legal dispute, "Financial Advisors" from whom we receive services due to financial obligations, "Auditors" in audit situations, and "Group Companies" for the provision of the relevant service due to the performance of some centrally provided services to be limited with the relevant purpose.

3. Transfer of Your Personal Data Abroad

If Your Personal Data is sent via e-mail, it is transferred abroad based on your explicit consent pursuant to Article 9 of the Personal Data Protection Law No. 6698 as our e-mail servers are abroad.

4. Your Rights

You have the following rights under Article 11 of the Personal Data Protection Law No. 6698 to the extent that your data is processed by EKA as a data controller:

“Learning whether any of your personal data is processed; requesting information regarding processing activities; learning the purposes of the processing; finding out relevant persons if your data have been transferred to third parties in the country or abroad; requesting their correction if they are processed incompletely or incorrectly; requesting the erasure or destruction of personal data if the reasons for processing it disappear or if EKA does not have a legal basis or legitimate interest to process the relevant data; requesting EKA to ensure that third parties, also authorized by EKA, who process personal data respect your rights under this section; objecting to the unfavorable results that may arise as a result of the processing of personal data through automatic systems; and requesting compensation for any loss in case you suffer such a loss due to unlawful processing"

5. Application to Data Controller

Pursuant to the "Communiqué on Procedures and Principles for Application to the Data Controller,” you can submit your requests under Article 11 of the Law, which regulates the rights of the data subject in writing or by registered electronic mail (KEP) address, secure electronic signature, mobile signature or electronic mail address previously notified by you and registered in our system.

6. Data Controller Information

Data Controller’s Title: EMLAK KONUT ASANSÖR SİSTEMLERİ SANAYİ VE TİCARET ANONİM ŞİRKETİ

Mersis no:0334106188900001

E-mail address: info@emlakkonutasansor.com

Registered E-Mail Address: emlakkonut.asansor@hs01.kep.tr

Physical Postal Address: FİNANSKENT MAH. FİNANS CAD. SARPHAN FİNANS MERKEZİ SİTESİ A BLOK NO: 5A İÇ KAPI NO: 195 ÜMRANİYE / İSTANBUL