.
.
.
Data Protection
Data Protection
1. INTRODUCTION

Eltemtek Elektrik Tesisleri Mühendislik Müteahhitlik Danışmanlık ve Ticaret A.Ş. (“Company”) takes all necessary measures to protect the rights of personal data owners protected by the Constitution of the Republic of Turkey and the Personal Data Protection Law No. 6698 (“KVKK”) regarding the protection of personal data.

The data controller Company’s headquarters is located at “Ziyabey Cad. 1419. Sok. No: 14 Balgat/ANKARA” and provides services in the fields of engineering, project management and consultancy in the energy sector.

This Personal Data Protection and Processing Policy (“Policy”) has been prepared to set forth the principles and rules to be applied by the Company in terms of compliance with the regulations regarding the processing and protection of personal data stipulated in the KVKK and relevant national legislation.

2. BASIS

Personal Data Protection Law No. 6698 and other relevant legislation

3. PURPOSE OF THE POLICY

This Policy aims to explain the principles of processing, legal basis for processing and purposes of processing, data collection methods, measures taken for transferring, storing, anonymizing, deleting, destroying data and ensuring data security, the rights of personal data owners and the methods of exercising these rights, and to inform the persons whose personal data is processed by the Company in this context.

The Company attaches importance to the security and confidentiality of personal data, and takes the necessary administrative and technical measures to collect, record, process, share, protect them securely and in accordance with the law, and to delete or anonymize them when necessary.

This policy aims to discipline, internalize and comply with the regulations introduced by the KVKK and the processing of personal data by the Company.

4. SCOPE OF THE POLICY

The Policy is applied to all activities carried out for the processing and protection of all personal data owned and managed by the Company. All natural persons whose personal data are processed by the Company in relation to its field of activity are within the scope of this Policy. Personal data belonging to natural person officials and employees of legal entities are also within the scope of this Policy.

In terms of the Policy, the legislation in force regarding the protection and processing of personal data will be applied. In the event of any inconsistency between the legislation in force and this Policy, the Company accepts and undertakes that the legislation in force will be applied.

5. PURPOSES OF PROCESSING PERSONAL DATA BY THE COMPANY

Personal data is processed by the Company for specific purposes and under the conditions specified in the relevant legislation, while protecting the fundamental rights and freedoms of personal data owners, especially the right to privacy and information security.

The Company takes the necessary measures to comply with the KVKK, makes its practices compliant with the KVKK and takes care to raise awareness on this issue. In this context, personal data is processed by the Company for the following purposes, including but not limited to those listed here:

  • Execution of Emergency Processes,
  • Planning and execution of the company's promotional activities,
  • Execution of the purchase/sale of goods/services processes,
  • Execution of contract processes, 4
  • Planning and execution of the company's corporate governance activities,
  • Planning and execution of the company's corporate communication activities,
  • Execution of the company's personnel supply processes,
  • Fulfillment of the obligations arising from the employment contract and legislation for the company's employees,
  • Execution of training activities for the company's employees,
  • Execution of the fringe benefits and benefits processes of the company's employees,
  • Execution of occupational health and safety processes,
  • Execution of the company's risk management processes,
  • Following up and executing the company's legal affairs,
  • Execution of the company's management activities,
  • Conducting marketing processes of products and services,
  • Customer satisfaction, management of customer demands and complaints, execution of customer relations management processes,
  • Planning and execution of processes related to increasing employee satisfaction and loyalty,
  • Conducting employee candidate / intern / student selection and placement processes,
  • Conducting employee performance evaluation processes,
  • Planning and execution of human resources processes,
  • Conducting internal audit/control, investigation and intelligence activities,
  • Conducting security of movable goods and resources and logistics activities,
  • Planning, auditing and execution of information security processes, creation and management of information technology infrastructure,
  • Providing information to authorized persons, institutions and organizations based on legislation,
  • Conducting finance and accounting affairs,
  • Ensuring physical location security,
  • Creating and monitoring visitor records.
6. PERSONAL DATA COLLECTION METHOD AND LEGAL REASON

The Company collects personal data in all kinds of verbal, written and electronic media and within the framework of the purposes specified in this Policy, provided that it is clearly prescribed by law, the processing of personal data belonging to the parties to a contract is necessary provided that it is directly related to the establishment or execution of a contract, it is mandatory for the data controller to fulfill its legal obligation, data processing is mandatory for the establishment, exercise or protection of a right, data processing is mandatory for the legitimate interests of the data controller provided that it does not harm the fundamental rights and freedoms of the relevant person, the relevant person has made the data public or the explicit consent of the data owner, by automatic means or by non-automatic means provided that it is part of any data recording system, and processes it in accordance with the conditions specified in the Law.

7. PRINCIPLES ON PROCESSING PERSONAL DATA

The Company processes personal data in accordance with the general principles set forth in the legislation to ensure compliance with the KVKK. In this context, the Company acts in accordance with the principles set forth below in the processing of personal data.

7.1. Principle of Compliance with Law and the Rules of Integrity

The Company takes into account the interests and reasonable expectations of data owners while trying to achieve its purposes in data processing in accordance with the principle of compliance with law and the rule of integrity. The Company also carries out its data processing activities in a transparent manner, acts in accordance with its obligations of information and warning, and personal data is processed to the extent and limited to the Company's activities.

7.2. Principle of Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

The Company ensures that personal data is kept accurate and up-to-date and takes the necessary measures for this purpose. In this context, the Company has established a system for personal data owners to correct, verify and update their personal data.

7.3. Processing for Specific, Clear and Legitimate Purposes Principle

The Company primarily processes personal data in a specific, legitimate and lawful manner and clearly and precisely determines the purpose of processing personal data before processing personal data.

7.4. The Principle of Personal Data Being Related, Limited and Proportionate to the Purpose for Which They Are Processed

The Company processes the processed data in a proportionate manner suitable for the realization of the specified purposes and avoids processing personal data that is not related to the realization of the purpose or is not needed. In addition, the processed data is limited to only the personal data necessary for the realization of the purpose.

7.5. Retention Principle for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose of Processing

If there is a period stipulated in the legislation for the processing of personal data, the Company first complies with this period; if no such period is stipulated, it only stores personal data for the period necessary for the purpose of processing. Within this framework, it is first determined whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is stipulated in the legislation, the relevant personal data is stored for this period, or if not, for the period necessary for the purpose for which the personal data is processed. At the end of the storage periods, personal data is deleted, destroyed or anonymized according to periodic destruction periods or the application of the data owner and the specified destruction methods.

The Company does not store personal data thinking that it may be used again in the future or for any other reason.

7.6. Transparency Principle

The Company attaches importance to transparency in personal data processing. It provides information to the relevant institutions and, upon request, to personal data owners regarding the purposes and legal basis for which personal data is processed.

8. CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data is processed by the Company in accordance with Articles 5 and 6 of the KVKK and the relevant legislation, distinguishing between personal data and special personal data.

 

8.1. Conditions for Processing Personal Data

Personal data is processed by the Company in accordance with the personal data processing conditions specified in Article 5 of the KVKK. In this context, the Company evaluates whether the activity falls within the scope of one of these conditions while conducting personal data processing activities and terminates personal data processing activities that do not comply with one of these conditions.

The basis for personal data processing activities may be only one of the conditions specified below, or more than one of these conditions may be the basis for the same personal data processing activity:

  • Explicit Consent of the Personal Data Owner
    Personal data can be processed if the data owner has given explicit consent based on information and free will. For this purpose, the explicit consent of the personal data owners is obtained through methods suitable for proof. Even if the data owner does not have explicit consent, personal data can be processed if any of the following conditions are present.
  • Explicitly Provided by Laws
    The Company may process personal data within the scope of this provision in cases where it is explicitly provided by laws.
  • Failure to Obtain Explicit Consent Due to Actual Impossibility
    The personal data of the person who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid may be processed if it is necessary for the protection of his/her own life or physical integrity or that of another person.
  • Directly Related to the Establishment or Performance of a Contract
    If it is directly related to the establishment or performance of a contract and the processing of personal data belonging to the parties to the contract is mandatory, the processing of personal data of the relevant persons is possible for this purpose. For example, obtaining the account number of the creditor party for the payment of money as required by a contract, or the seller recording the address of the buyer in order to fulfill the obligation to deliver the goods as required by the contract, or the employer keeping the bank information of the employees in order to make the payment of the salary can be evaluated within this scope.
  • Mandatory for the Data Controller to Fulfill His/Her Legal Obligation
    In cases where data processing is mandatory for the data controller to fulfill his/her legal obligation, the personal data of the relevant person can be processed.
  • If the Data Subject Has Been Made Public by Himself
    Personal data that has been made public by the data subject, in other words, disclosed to the public in any way, may be processed. An example of this situation is when a person publicly announces his/her contact information in order to contact him/her in certain cases. If employees' workplace telephone numbers and corporate e-mail addresses are shared openly for third parties to access on corporate websites, this may also be considered public.
  • If It Is Mandatory for the Establishment, Use or Protection of a Right
    Processing of the data subject's personal data is possible if it is mandatory for the establishment, use or protection of a right. For example, when a company uses certain data as evidence in a lawsuit filed by its own employee. In addition, keeping documents such as invoices, contracts and sureties for these purposes until the end of the statute of limitations against possible legal proceedings after the contract is terminated will also be evaluated within this scope.
  • Mandatory for the Legitimate Interest of the Data Controller
    Provided that it does not harm the fundamental rights and freedoms of the personal data owner, if data processing is mandatory for the legitimate interests of the data controller, personal data may be processed.

 

8.2. Conditions for Processing of Special Personal Data

As stated in Article 6 of the KVKK, special personal data are; data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal conviction and security measures of individuals, as well as biometric and genetic data. According to the KVKK;

  • Personal data other than health and sexual life may be processed without the explicit consent of the data owner in cases stipulated by law.
  • Personal data related to health and sexual life may only be processed by persons or authorized institutions and organizations under a confidentiality obligation without the explicit consent of the data owner for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. In other cases, the explicit consent of the data owner must be obtained in order for the data owner's special personal data to be processed.

The Company is more sensitive and meticulous in protecting personal data determined as “special personal data” in the KVKK. Special personal data is not processed by the Company without the explicit consent of the data owner.

The Company processes the criminal record data of its employees and job candidates, health reports, disability status to be included in the personnel file or to be able to assign according to the health status and to take occupational health and safety measures in accordance with the relevant legislation and by taking sufficient measures to be determined by the legislation. The blood group data of the employees is processed in order to be used in case of need during any emergency intervention within the scope of occupational health and safety. In addition, the union membership information of the employees is processed within the scope of the case files.

9. PERSONS WHOSE PERSONAL DATA IS PROCESSED

The Company processes the personal data of employees, relatives of employees, candidates for employment, interns, trainers, employees and officials of shareholders/partners, employees and officials of legal entities and real persons who purchase/receive goods and services, employees and officials of business partners and subcontractors, members of the board of directors and visitors. The categories of data subjects, in other words, those whose personal data is processed, are shown in the table below.

Employees, Employee Relatives

It refers to the company's employees and their relatives.

Employee candidates

It refers to individuals who have applied for a job with the Company through any means or who have not applied for a job but have shared their CV and other information with the Company.

interns

Refers to those who do internships at the company.

Employees and Officials of Natural Persons and Legal Entities from Whom Goods and Services Are Purchased

It refers to the employees and officials of real persons and legal entities who sell goods and services to the company.

Employees and Officials of Natural Persons and Legal Entities Purchasing Goods and Services

It refers to the employees and officials of real persons and legal entities who receive goods and services from the company.

Employees and officials of Subcontractors

Refers to employees and officials of Subcontractors.

Employees and officials of business partners

Refers to employees and officials of business partners.

Instructors

It refers to those who are responsible for carrying out training activities for employees in the company.

Visitors

It refers to people who come to the company's buildings for purposes such as visits etc.

Employees and officials of the Company Partners/Shareholders

It refers to the employees and officials of the legal entity partner/shareholder of the company.

Board Members

Refers to the members of the Board of Directors of the company.

10. DATA CATEGORIES

In accordance with the purposes of processing personal data by the Company, the following information is processed: identity, communication, personnel, legal transactions, customer transactions, finance, physical space security, transaction security, professional experience, visual and audio data, and health, criminal conviction and security measures of employees and union membership information from among special personal data.

Identity

Identity data includes the information on people's IDs such as their name, surname, Turkish Republic identity number, nationality, passport, place of birth, date of birth, gender, tax number, title, etc.

Communication

The information used for communication, such as the person's address, telephone number, e-mail address, and KEP address, are communication data.

Personnel

This is the information in the person's personnel file. Information such as payroll information, disciplinary investigations, criminal record information, employment entry and exit records, CV information, performance evaluation reports are evaluated in this category.

Legal Action

Information in correspondence with judicial authorities and information in the case file are evaluated in this category.

Customer Transaction

Invoices issued for services provided, bills, promissory note and check information, order and request information, membership information, call center records, etc. are customer transaction data.

Physical Space Security

Visitor records, employee and visitor entry and exit records, camera records, vehicle information, etc. are personal data regarding physical space security.

Transaction Security

IP information, website login and logout information, system logs, password and passphrase information are considered as information technology security data.

Finance

Individuals' bank information, IBAN number, account information, credit and risk information, and asset information are financial data.

Location

Information that determines the location of employees through the vehicle tracking system.

Professional Experience

Diploma information, education certificates, certificates of participation, courses attended, certificates of expertise on a specific subject, information on previous jobs and work experiences, projects carried out, etc. are professional experience data.

Visual and Audio Data

Video recordings, photographs, sound recordings, camera images constitute visual and audio data.

Special Personal Data

Data regarding race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special personal data. In this context, the Company processes criminal and security measures data, health data and union membership information of employees.

11. LIABILITIES OF THE COMPANY

The Company's obligations within the framework of the KVKK and related legislation in terms of processing personal data are as follows:

11.1. Obligation to Inform the Personal Data Owner

The Company informs data owners about how their data will be processed during the collection of personal data.

Within the scope of Article 10 of the KVKK, the Company informs personal data owners;

  • The identity of the Company and its representative, if any, as the data controller,
  • The purpose for which personal data will be processed,
  • To whom and for what purpose personal data can be transferred,
  • The method and legal reasons for collecting personal data,
  • The rights of the personal data owner under Article 11 of the KVKK, provide information on the subject.

In accordance with this obligation, the Company informs the relevant persons with the information text it has prepared and the said information is provided at the first contact with the relevant person.

11.2. Obligations Regarding the Security of Personal Data

The Company, in accordance with Article 12 of the KVKK;

  • To prevent the unlawful processing of personal data,
  • To prevent unlawful access to personal data,
  • To ensure the preservation of personal data,

In order to ensure the appropriate level of security, the Company takes all necessary technical and administrative measures.

The Company shows due diligence and takes the necessary administrative and technical measures in order to fulfill its obligations regarding data security in accordance with the guidelines of the Personal Data Protection Authority regarding obligations regarding data security.

The Company creates systems within its body to conduct or have conducted the necessary audits in order to ensure the implementation of the provisions of the KVKK. In this context, the necessary organizational structure is established by the Company. The results of the audits in question are evaluated within the organizational structure established within the Company and the necessary measures are taken.

In this context, the company takes the following administrative and technical measures to ensure that personal data is processed and stored in accordance with the law:

All processes related to data processing activities within the company are analyzed and a “personal data processing map” is created within this scope. The personal data inventory created is updated regularly.

  • Corporate policies are prepared within the scope of KVKK and these policies are updated when necessary.
  • Personal data processing processes are audited with technical methods and reported to the designated relevant person. 11
  • Company employees are informed and trained on the lawful processing of personal data and the sanctions of unlawful data processing.
  • Training is provided to ensure the awareness of company employees on the protection and processing of personal data.
  • The company includes provisions regarding the confidentiality of personal data shared with them and how this data will be processed and stored in the contracts and other documents that determine the legal relationship between its employees, affiliates, business partnerships, service providers and customers.
  • The decisions taken by the Personal Data Protection Board are monitored and the measures to be taken by the Company are determined according to these decisions.
  • The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.

 

The Company takes the following administrative and technical measures to prevent unlawful access to personal data:

The Company restricts access to personal data to employees who are explicitly authorized to process data. Company employees are restricted from accessing personal data that they do not use due to their duties.

  • Necessary technical measures are taken to prevent access by anyone other than the relevant person to the system and locations where personal data is stored, and the measures taken are updated periodically.
  • The technical measures taken are regularly reported to the relevant person.
  • The software and hardware, software and systems that include virus protection systems and firewalls required to ensure the protection of personal data are installed by the Company.
  • The Company obtains commitments from its employees that they will not disclose personal data they learn due to their duties to anyone else in violation of the provisions of the KVKK and will not use them for purposes other than processing, which will be valid even after they leave their jobs.

If the processed personal data is obtained by others through illegal means despite all administrative and technical measures being taken, the Company shall notify the Board within 72 hours at the latest from the date it learns of this situation. Following the identification of the persons affected by the data breach in question, the relevant persons shall be notified within the shortest reasonable period of time, directly if the contact address of the relevant person can be reached, or through appropriate methods such as publishing the information on the data controller's own website if it cannot be reached.

 

11.3. Obligation to Result in Applications Made by Personal Data Owners

The Company is obliged to respond to applications made by personal data owners in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.

In this context, personal data owners may submit their requests regarding the implementation of the KVKK to the Company in writing or through other methods specified below.

APPLICATION METHODREQUIREMENTS FOR APPLICATIONAPPLICATION ADDRESSOTHER REQUIREMENTS
Application in PersonYou can apply in person at the address where our company operates by verifying your identity or through a proxy by presenting a power of attorney. The application can be made with an application form or a petition; however, it must have a wet signature.Eltemtek Elektrik Tesisleri Mühendislik Müteahhitlik Danışmanlık ve Ticaret A.Ş. Ziyabey Cad. 1419. Sok. No: 14 Balgat/ANKARAThe application must be made in a sealed envelope, and the phrase "Request for Information Within the Scope of the Personal Data Protection Law" must be written on the envelope.
Application by MailApplications can also be made by sending a signed application form or petition by post. If the application is made through a proxy with a notarized signature circular, the original power of attorney must also be placed in the envelope.Eltemtek Elektrik Tesisleri Mühendislik Müteahhitlik Danışmanlık ve Ticaret A.Ş. Ziyabey Cad. 1419. Sok. No: 14 Balgat/ANKARAThe phrase “Request for Information Within the Scope of the Personal Data Protection Law” should be written on the envelope.
Application via NotaryAn application can also be made through a notary, either personally or through a proxy. The method by which the response is to be received must also be specified in this application.Eltemtek Elektrik Tesisleri Mühendislik Müteahhitlik Danışmanlık ve Ticaret A.Ş. Ziyabey Cad. 1419. Sok. No: 14 Balgat/ANKARA 
Application via Registered Electronic Mail (KEP)It is also possible to apply by sending a petition signed with an electronic signature from the KEP address. Unless otherwise stated, the response will be sent to your KEP address.eltemtek.teklif@hs01.kep.trAn e-mail should be sent with the subject line "Request Within the Scope of the Personal Data Protection Law" added.
Application via e-mailIf the e-mail address is provided for communication with the Company, applications can also be made via this e-mail address.kvkk@eltemtek.com The e-mail should be sent with the subject line "Request Within the Scope of the Personal Data Protection Law".

The Company finalizes the requests regarding the implementation of the KVKK submitted to it by personal data owners as soon as possible and within thirty days at the latest, free of charge, depending on their nature. However, if the transaction requires an additional cost, the Company may request the fees specified in the tariff determined by the Personal Data Protection Board from the applicant personal data owner.

The applicant must apply with the documents and papers proving the identity of the personal data owner. A positive response will not be given to the application without the confirmation of these documents.

Unless otherwise stated by the applicant, the Company will respond using the method used in the application.

The Company may accept the request of the personal data owner or reject it by explaining the reason and notify the relevant person in writing or electronically. If the request in the application is accepted by the Company, the necessary action will be taken by the Company. If the application is due to the Company's error, the fee received, if any, will be returned to the relevant person.

In cases where the application is rejected by the Company, the response is found insufficient or the application is not responded to in a timely manner; the relevant person may file a complaint with the Board within thirty days from the date of learning the Company's response and in any case within sixty days from the date of application.

11.4. Obligation to Register in the Data Controllers Registry

Before starting data processing, the Company shall register in the Data Controllers Registry with the application information and documents listed in the KVKK within the period to be determined and announced by the Personal Data Protection Board.

12. RIGHTS OF PERSONAL DATA OWNERS

Personal data owners have the following rights as specified in Article 11 of the KVKK:

  • To learn whether their personal data has been processed,
  • To request information about their personal data if it has been processed,
  • To learn the purpose of processing their personal data and whether it is used in accordance with its purpose,
  • To know the third parties to whom their personal data has been transferred, whether in Turkey or abroad,
  • To request correction of their personal data if it has been processed incompletely or incorrectly, to request that it be deleted or destroyed within the framework of the conditions stipulated in the KVKK and that these transactions be notified to third parties to whom their personal data has been transferred,
  • To object to the emergence of a result against the person by analyzing their processed data exclusively through automated systems,
  • To request compensation for damages in the event that they suffer damages due to the processing of their personal data in violation of the law.

All kinds of measures are taken by the Company to ensure that personal data owners can easily exercise these rights. However, in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller published by the Personal Data Protection Authority, it has been deemed mandatory for personal data owners to include the following information in their applications:

  • Name, surname and signature if the application is in writing,
  • For citizens of the Republic of Turkey, T.R. identity number,
  • For foreigners, nationality, passport number or identity number if any,
  • Residence or workplace address for notification,
  • E-mail address, telephone and fax number for notification, if any, 14
  • Subject of request.

Personal data owners can prepare a petition containing the above information themselves, or they can exercise their rights by using the application form they can obtain from our website http://www.eltemtek.com/tr/.

Applications of personal data owners that do not contain incomplete information are finalized by the Company in accordance with the law and rules of honesty within a period not exceeding thirty days. If there is incomplete information in the application, additional information is requested from the personal data owner and the application is answered.

On the other hand, for data that can only be processed with the explicit consent of the personal data owner, the data owner has the right to withdraw the explicit consent he/she has given at any time. In this case, such personal data is deleted, destroyed or anonymized.

13. STORAGE PERIOD OF PERSONAL DATA

The Company stores personal data for the period specified in the relevant legislation. If no period is stipulated in the legislation for the storage of personal data, personal data is processed for the period required to be processed in accordance with the customs of commercial life or for the period necessary for the purpose for which it is processed. In this context, it is first determined whether a period is stipulated in the relevant legislation for the storage of personal data, and if a period is stipulated in the legislation, the relevant personal data is stored for this period, or if not, for the period necessary for the purpose for which the personal data is processed. At the end of the storage periods, personal data is deleted, destroyed or anonymized according to periodic destruction periods or the application of the data owner and according to the determined destruction methods.

14. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although processed by the Company in accordance with the provisions of the KVKK and other relevant laws, personal data is deleted, destroyed or anonymized ex officio or upon the request of the relevant person if the reasons requiring processing are eliminated.

The deletion, destruction and anonymization of personal data are carried out in accordance with the principles specified in the Regulation on the Deletion, Destruction or Anonymization of Personal Data and the methods in the guide published by the Personal Data Protection Authority on the subject.

In the deletion, destruction or anonymization of personal data;

  • The general principles required to be followed in the processing of personal data in the relevant legislation,
  • The administrative and technical measures to be taken within the scope of the obligations of data controllers regarding data security,
  • The decisions of the Personal Data Protection Board,
  • The personal data storage and destruction policy is complied with.

The Company also takes technical and administrative measures that will be discussed in detail within the scope of the Personal Data Storage and Destruction Policy.

14.1. Deletion of Personal Data

Deletion of personal data is the process of rendering personal data inaccessible and non-reusable for the relevant users in any way.

The Company takes all necessary technical and administrative measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.

14.2. Destruction of Personal Data

Destruction of personal data is the process of rendering personal data inaccessible, non-recoverable and non-reusable by anyone in any way. The Company takes all necessary technical and administrative measures regarding the destruction of personal data.

14.3. Anonymization of Personal Data

Anonymization of personal data is the process of rendering personal data incapable of being associated with an identified or identifiable natural person, even if it is matched with other data. In order for personal data to be anonymized; personal data must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of techniques appropriate for the recording medium and relevant field of activity, such as being returned by the data controller or recipient groups and/or matching the data with other data. Data that does not indicate a specific person as a result of the blocking or loss of these features is considered anonymized data. In other words, anonymized data was information that identified a natural person before this process, but after this process, it became incapable of being associated with the relevant person and its connection with the person was severed.

The Company takes all necessary technical and administrative measures in the process of anonymizing personal data instead of deleting or destroying it. Anonymizing personal data is carried out in accordance with the principles set out in the Regulation on the Deletion, Destruction or Anonymization of Personal Data and the methods in the guide published by the Personal Data Protection Authority on the subject.

15. TRANSFER OF PERSONAL DATA BY THE COMPANY

The Company may transfer personal data of personal data owners to authorized institutions and organizations, business partners, service providers, shareholders and related persons in accordance with the KVKK and within the scope of personal data processing purposes.

15.1. Transfer of Personal Data Domestically

In accordance with Article 8 of the KVKK for the transfer of personal data domestically, personal data may be transferred even without the explicit consent of the data owner if at least one of the following conditions is met:

  • The transfer of personal data is clearly foreseen in the law,
  • The transfer of data is mandatory for the protection of the life or physical integrity of the person who is unable to give his/her consent due to a de facto impossibility or whose consent is not legally valid, or of another person,
  • The transfer of personal data belonging to the parties to the contract is necessary, provided that it is directly related to the establishment or performance of a contract,
  • The transfer of personal data is mandatory for the data controller to fulfill its legal obligation,
  • The transfer of personal data is limited to the purpose of publicization, provided that it is made public by the relevant person,
  • The transfer of personal data is mandatory for the establishment, exercise or protection of a right,
  • The transfer of personal data is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

If one of the above conditions is not present, the explicit consent of the relevant person must be obtained in order for personal data to be transferred. In order for special personal data to be transferred domestically, one of the following conditions must be present:

  • The explicit consent of the relevant person must be obtained,
  • For special personal data other than health and sexual life, it must be clearly stipulated in the laws, 16
  • For personal data related to health and sexual life, it must be processed by persons or authorized institutions and organizations under a confidentiality obligation for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing.

Except for the cases specified above, the Company does not transfer personal data to third parties in any way.

In accordance with the conditions of processing personal data and the purposes of data processing, personal data may be transferred by the Company to business partners, service providers, shareholders, and to authorized institutions and organizations, judicial authorities and security units when necessary for the purpose of continuing commercial activities, meeting customer demands and providing the best service, and to fulfill legal obligations.

 

15.2. Transfer of Personal Data Abroad

According to Article 9 of the KVKK, data transfer abroad can be carried out in the following cases:

  • Explicit consent of the relevant person,
  • In data transfer to countries with sufficient protection (countries deemed safe by the Board), the conditions specified in the Law exist (conditions specified in Article 5, paragraph 2 and Article 6, paragraph 3 of the Law),
  • In data transfer to countries without sufficient protection, the conditions specified in the Law exist (conditions specified in Article 5, paragraph 2 and Article 6, paragraph 3 of the Law), written commitment of sufficient protection by data controllers in foreign countries and the permission of the Board exist.

The Company does not transfer data abroad in this context.

If the Company transfers data to third parties located abroad and who are data controllers, a commitment letter signed by both parties, whose minimum conditions are determined by the Personal Data Protection Authority in accordance with Article 9 of the KVK, will be submitted to the Personal Data Protection Authority. The data transfer in question will be made with the approval of the Personal Data Protection Authority and the Company will not transfer data to the third parties in question without this approval.

16. MEASURES TAKEN BY THE COMPANY WHEN TRANSFERRING DATA TO THIRD PARTY SERVICE PROVIDERS

The Company may share the personal data it collects with third-party service providers. In this case, articles regarding the protection of personal data are added to the contracts made with third-party service providers, a separate confidentiality agreement is made and additional commitments or protocols are drawn up. In this context, the audits conducted are carried out to check whether personal data is appropriately protected by the service providers with whom we have a business relationship.

17. ORGANIZATIONAL STRUCTURE OF PROTECTION AND PROCESSING OF PERSONAL DATA WITHIN THE COMPANY

There are three different roles in the Company's organizational structure, namely the Data Controller Contact Person, Data Controller Senior Management and the "Personal Data Protection Committee", within the scope of the principles and values ​​protected by this policy and to manage this policy and other policies related to and related to this policy.

17.1. Data Controller Senior Management

  • The Data Controller Senior Management, which we can define as those in the position authorized by the General Manager and/or the Board of Directors of the Company, has the following duties and responsibilities:
  • It audits whether the Data Controller Contact Person and the Personal Data Protection Committee fulfill their duties in accordance with the KVKK, other relevant legislation and the Company's policy documents through reports prepared by the internal audit/control unit.
  • When necessary, it makes changes in the Data Controller Contact Person and the Personal Data Protection Committee and makes new appointments.

17.2. Data Controller Contact Person

The Data Controller Contact Person has the following duties and responsibilities:

  • The Data Controller Contact Person represents the Data Controller in the Company's official and internal control/audit processes, ensures that the necessary work and transactions are carried out and concluded.
  • Represents the Company in communication with the Personal Data Protection Authority.
  • In case of any data breach, informs the Company's Senior Management and the Personal Data Protection Committee and leads the necessary work and transactions. Ensures that the necessary notifications in this area are made in accordance with the procedure.
  • In case of any change in the Company's VERBIS records, notifies the Personal Data Protection Authority of the changes without delay via VERBIS.
  • Evaluates the notifications of changes and arrangements in the data processing activities of the Data Controller and the relevant unit or persons together with the Personal Data Protection Committee and ensures that the necessary updates are made to the inventory.
  • Performs other duties assigned to him/her in this Policy and other policies and documents of the Company.

17.3. Personal Data Protection Committee

The duties of the Personal Data Protection Committee in terms of the protection and processing of personal data are as follows:

  • To prepare basic policies regarding the processing and protection of personal data and to make the necessary arrangements within the company for the Company to fulfill its obligations within the scope of the KVKK,
  • To submit the determined basic policies and action steps to the approval of the Company management,
  • To ensure that the Company's personal data policy complies with the legislation and to monitor it,
  • To make the necessary assignments to ensure the implementation of policies regarding the processing and protection of personal data,
  • To identify the risks that may arise in the Company's personal data processing activities and to ensure that the necessary measures are taken,
  • To ensure that the Company's employees receive training on the protection and processing of personal data and also on the policies established in this regard,
  • To decide on the applications of personal data owners,
  • To manage the relations with the Personal Data Protection Authority and the Personal Data Protection Board.
18. RISK ANALYSIS AND OUTSIDE POLICY PRACTICES

The risk analysis results resulting from the audits conducted within the company through internal audit/control mechanisms are evaluated by the Personal Data Protection Committee. The actions to be taken for the identified risks are addressed by the Personal Data Protection Committee and the Company's Senior Management and Data Controller are informed to take the necessary administrative and technical measures.

Persons who detect different situations and practices in terms of the protection and processing of personal data other than those covered by this Policy also inform the Personal Data Protection Committee in writing.

19. ENFORCEMENT OF THE POLICY

This Policy, prepared by the Company in accordance with the current legislation to be applied in the processing of personal data, was published and entered into force on 30.09.2020.

This policy is published on the Company's website and made available to the relevant persons upon the request of personal data owners. This Policy is reviewed once a year and updated when necessary, regardless of the content change requirements arising from corporate or legislation.

The Company also reserves the right to make changes to this Policy and other policies related to and related to this Policy in accordance with the decisions of the KVKK, the Personal Data Protection Board or in line with developments in the sector.

Changes made to this Policy are immediately incorporated into the text and enter into force upon publication on the Company's website.

 

Muhammed Ali OFLAZ 
General manager

Personal Data Protection and Processing Policy (703.21 KB)