PERSONAL DATA PROCESSING, PROTECTION, STORAGE AND DESTRUCTION POLICY
1. Introduction
1.1. Purpose and Scope of the Policy
The Law on the Protection of Personal Data numbered 6698 (“Law”) entered into force on April 7, 2016; this “ZEYBEK ELEKTRİK ANONİM ŞİRKETİ” (ZEYBEK ELEKTRİK in short) Personal Data Processing and Protection Policy (Policy) aims to ensure ZEYBEK ELEKTRİK’s compliance with the law and to determine the principles to be followed by our Company in fulfilling its obligations regarding the protection and processing of personal data. Personal data refers to primarily identity information, communication information such as IP, address, telephone, e-mail addresses; vehicle and license plate information; family status information; job title, profession and workplace information; graduation and professional experience information and photograph, image and similar information.
The Policy determines the processing conditions of personal data and sets forth the main principles adopted by our Company in the processing of personal data. Within this framework, the Policy covers all personal data processing activities by our Company within the scope of the Law, the personal data it processes and the owners of personal data.
In case personal data is shared with our Company, our Company, as the Data Controller, will be able to obtain, record, store, preserve, update, change, reorganize personal data in order to continue its services within the framework explained in the law, disclose, transfer, convey, share, classify, anonymize and process in other ways listed in the law to third parties in the cases and to the extent permitted by the legislation.
Regarding your personal data processed by our Company; the principles of processing personal data and special personal data, the purpose and conditions of processing this data, and the implementation and principles regarding the transfer, destruction within the country and your rights on the processed data are notified to you below.
Our Company will act in accordance with the procedures and processes specified in this policy in order to comply with the KVKK and other relevant regulations and in the processing, use, destruction, transfer and other matters of your personal data in accordance with the Law and other regulations.
1.2. Definitions
Explicit Consent: Consent expressed by the free will of the relevant person, based on the information provided to the relevant person on a specific subject.
Open Data: Data that is made available to everyone over the internet free of charge or not exceeding the cost of preparation, has no intellectual property rights and can be used freely for any purpose, is machine-readable and therefore interoperable with other data and systems, and has been rendered anonymous.
Recipient Group: The category of natural or legal persons to whom personal data is transferred by the data controller.
Anonymization: Making personal data in no way associated with an identified or identifiable natural person, even when matched with other data.
Relevant User: Persons who process personal data within the data controller organization or in accordance with the authorization and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
Contact Person: The person responsible for ensuring communication between the data controller and the relevant person or the Personal Data Protection Authority. If the data controller is a legal entity resident in Turkey, it must appoint a contact person and process the information of this contact person, which it has appointed during registration in the Data Controllers Registry, into VERBIS.
Law: Law No. 6698 on the Protection of Personal Data dated 24.03.2016.
Obscuration: Operations such as crossing out, painting and blurring the entirety of personal data in a way that it cannot be associated with an identified or identifiable natural person.
Recording Medium: Any medium containing personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system.
De-identification: Processing of personal data in a way that it cannot be associated with the relevant person, provided that technical and administrative measures are taken to prevent it from being associated with an identified or identifiable natural person and without bringing it together with other data stored in a different medium.
Personal Data Processing Inventory: Personal data processing activities carried out by data controllers in connection with their business processes; the inventory they create by associating the personal data with the processing purposes, data category, the group of recipients transferred and the group of data subjects, and detailing the maximum period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken regarding data security.
Personal Data Owner/Relevant Person: The natural person whose personal data is processed,
Personal Data: Any information related to an identified or identifiable natural person,
Destruction of personal data: Deletion, destruction or anonymization of personal data.
Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Deletion of personal data: The process of rendering personal data inaccessible and non-reusable for the relevant users in any way,
Destruction of personal data: The process of rendering personal data inaccessible, non-recoverable and non-reusable by anyone in any way,
Board: Personal Data Protection Board.
Masking: Operations such as erasing, crossing out, coloring and starring certain areas of personal data in a way that cannot be associated with an identified or identifiable natural person.
Special Personal Data: Data related to individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special personal data.
Periodic Destruction: The process of deleting, destroying or anonymizing personal data specified in the personal data storage and destruction policy and carried out ex officio at recurring intervals in the event that all of the processing conditions for personal data specified in the law are eliminated.
Registry: Data controllers registry (VERBIS) kept by the Presidency of the Personal Data Protection Authority.
Company: Refers to the data controller real or legal person who has prepared this policy text.
Third Party: Third party real persons who are related to these persons in order to ensure the security of commercial transactions between our institution and the above-mentioned parties or to protect the rights of the said persons and to provide benefits (For example, the company from which the service is received
2. RESPONSIBILITIES AND DUTY DISTRIBUTIONS
All units and employees of our Company actively support the responsible units in taking technical and administrative measures to ensure data security in all environments where personal data is processed in order to ensure that employees are trained and aware of KVKK, personal data is processed in accordance with the legislation and the Policy, personal data is processed in accordance with the law, personal data is accessed illegally, and personal data is processed and stored in accordance with the law. The distribution of titles, units and job descriptions of those who are involved in the processing, storage and destruction of personal data is given in the table below.
Title / Unit | Duty |
Employer / Employer Representative | Responsible for employees to act in accordance with the policy. |
Human Resources, Finance / Accounting, Sales / Marketing Unit, Security Unit, Legal Unit, Secretariat / Customer Representative, Purchasing Unit | Responsible for the execution of policy in accordance with their duties. |
Real and Private Law Legal Entities (Lawyer, Work Safety Specialist, Workplace Physician, Certified Public Accountant, Consultant etc.) | They are obliged to process, store and destroy the personal data they receive from the institution in accordance with the matters specified in the Privacy Agreement and this policy and the relevant law. |
3. OUR DATA PROCESSING PURPOSES, PROCESSED DATA AND DATA SUBJECT GROUPS
3.1. Data Subject Groups
The data subject categories within the scope of the policy are as follows:
Employee: Refers to real persons employed in the workplace.
Employee Candidate: Refers to real persons applying for a job.
Intern/Apprentice: Refers to real persons doing an internship for vocational education and training.
Family Members and Relatives: Refers to the family and relatives of the Apprentice/Intern Student.
Parent/Guardian/Representative: Refers to real persons with custody who represent the interns under their custody.
Event Participant: Refers to real persons participating in meetings and events organized by the institution.
Customer: Refers to real persons who benefit from the products and services offered by the company.
Visitor: Refers to real persons who visit the institution.
Supplier: Refers to the authorized person acting on behalf of the real and legal entity that provides services to the institution in line with the needs of the institution.
Supplier Employee: Refers to the real person employed by the supplier and producing goods or services on behalf of the supplier.
Institution Official / Representative: Refers to real persons authorized to represent the institution.
Reference Person: Refers to real persons who are references to the job applicant.
Third Parties: Refers to real persons excluding the data owner categories listed above and the institution employees.
Data owner categories are specified for general information sharing purposes. The fact that the data owner does not fall within the scope of any of these categories does not eliminate the data owner qualification as specified in the Law.
3.2. Purposes of Processing Personal Data
Your personal data and special personal data may be processed by our company in accordance with the personal data processing conditions set forth in the Law and relevant legislation for the following purposes:
Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Employee Candidate / Intern / Student Selection and Placement Processes
Execution of Application Processes of Employee Candidates
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment Contract and Legislation-Related Obligations for Employees
Execution of Side Rights and Benefits Processes for Employees
Execution of Audit / Ethics Activities
Execution of Training Activities
Execution of Access Authorizations
Execution of Activities in Accordance with Legislation
Execution of Finance and Accounting Affairs
Execution of Loyalty Processes to Company / Products / Services
Protection of Physical Space Security Provision
Execution of Assignment Processes
Following and Executing Legal Affairs
Execution of Internal Audit/Investigation/Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution/Inspection of Business Activities
Execution of Occupational Health/Safety Activities
Obtainment and Evaluation of Suggestions for the Improvement of Business Processes
Execution of Business Continuity Activities
Execution of Logistics Activities
Execution of Goods/Services Purchasing Processes
Execution of Goods/Services After-Sales Support Services
Execution of Goods/Services Sales Processes
Execution of Goods/Services Production and Operation Processes
Execution of Customer Relationship Management Processes
Execution of Activities for Customer Satisfaction
Organization and Event Management
Execution of Marketing Analysis Studies
Execution of Performance Evaluation Processes Execution
Execution of Advertising / Campaign / Promotion Processes
Execution of Risk Management Processes
Execution of Storage and Archive Activities
Execution of Contract Processes
Execution of Sponsorship Activities
Execution of Strategic Planning Activities
Following up Requests / Complaints
Ensuring the Security of Movable Goods and Resources
Execution of Supply Chain Management Processes
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Foreign Personnel Work and Residence Permit Procedures
Execution of Investment Processes
Execution of Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Execution of Management Activities
Creation and Follow-up of Visitor Records
3.3. Data Categories
Identity: Name-Surname, TR ID Number, Mother-Father Name, Mother’s Maiden Name, Date of Birth, Place of Birth, Marital Status, ID Card Serial Order Number, Family Order Number, Order Number, Volume Number, Province Where It Is Registered, District Where It Is Registered, Neighborhood / Village Where It Is Registered, Gender, Nationality, Last Validity Date.
Contact: Full address, phone number, corporate or personal e-mail address, internal company communication information (Extension No. etc.), registered electronic mail address (KEP), (including family members and relatives)
Location: Location information in the vehicle tracking system,
Personal Information: Payroll Information, Disciplinary Investigation Information, Employment Information (Date of Employment, Occupation Code etc.), Institution Title Information, Institution Registry Number Information, Job/Task Information, CV Information, Asset Declaration Information, Military Service Status, Permission Information (All Paid and Unpaid Leaves), Working Hours / Shift Information, Foreign Work Permit Information, Consent Information (Overtime, Parent or Guardian Approval etc.), Performance Evaluation Reports, Retirement Information, Request, Complaint and Suggestion Information About the Job,
Legal Transaction and Compliance Information: Within the scope of determining, following up on our legal receivables and rights, fulfilling our debts and our legal obligations and compliance with the Institution’s policies personal data processed.
Customer Transaction Information: Invoice Information, Promissory Note Information, Check Information, Receipt Information, Order Information, Goods / Service Request Information, and similar information on the Box Office Receipts,
Professional Experience Information: Diploma Information, Professional Qualification Information, Course Attended Information, Certificate Information, Vehicle / Operator License Information (Including Construction Equipment, Commercial, Private Vehicle), Transcript Information (Higher Education, School and Intern Information), Certificate / Service / Work Information and similar information,
Family Members and Relatives Information: Personal data of employees’ families and relatives.
Physical Location Security Information: Personal data regarding camera recordings taken at the entrance to the physical location, during the stay in the physical location, and identity documents, etc.
Transaction Security: Website Login and Exit Information, Password and Password Information, IP Address Information and internet access log records during the use of the internet and computers belonging to our institution.
Financial Information: Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship our institution has established with the personal data owner.
Visual and Audio Data Information: Records such as photographs, audio and video recordings.
Special Quality Data – Health Information: Document / information showing the health status that must be obtained from employees according to the legislation.
Special Quality Data – Criminal Conviction and Security Measures: Criminal record given by judicial authorities,
Vehicle Plate Information: Information on the plate of the vehicle for the purpose of tracking visitors to the institution or identifying the vehicles of employees.
3.3.1. Employee / Employee Candidate / Supplier Employee / Intern
Personal Data Processed in Terms of
Personal data provided to us by the Employee / Candidate Employee / Supplier Employee / Interns themselves may be processed. Your processed personal data includes the information you have specified in the job application form, identity, contact, location, personnel, legal proceedings, physical space security, finance, professional experience, visual and audio records, transaction security, health information that is special data, criminal conviction and security measures, biometric data, reference person information, family and relative data, vehicle license plate information and similar information.
3.3.2. Personal Data Processed for Customers and Potential Customers
Personal data provided to us by the Customer and Potential Customer may be processed. Your processed personal data includes your identity, contact information, vehicle license plate information, camera recordings, invoices, checks, promissory notes, credit cards, orders, requests, complaints, and similar information.
3.3.3. Personal Data Processed by Shareholders, Business Partners and Suppliers
Personal data provided to us by Shareholders, Business Partners, Suppliers may be processed. Your processed personal data includes; identity, communication, legal proceedings, physical space security, finance, visual and audio records, vehicle license plate information and similar information.
3.3.4. Personal Data Processed Regarding Visitors
Visitor visual data; closed circuit security camera images, visitor identification information, vehicle information, institution and title.
4. METHOD AND LEGAL REASON FOR COLLECTING DATA
Your personal data is collected through automatic or non-automatic methods, written or electronic job application forms, contracts, visual and audio records, information systems and electronic devices, customer request and transaction documents and other documents submitted by the relevant person.
Your personal data is processed within the scope of the legal reasons of commercial activity, contract execution, right allocation, use and protection in accordance with the purposes stated in Article 3.2 of this Policy and within the framework of the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698, especially in accordance with the relevant legislation, such as Labor and Social Security Legislation, Financial Legislation, Turkish Commercial Legislation, Turkish Code of Obligations.
5. PRINCIPLES AND CONDITIONS REGARDING THE PROCESSING OF PERSONAL DATA
5.1. Principles regarding the processing of personal data
Your personal data is processed by our company in accordance with the personal data processing principles set forth in Article 4 of the Law. It is mandatory to comply with these principles for each personal data processing activity:
Processing of personal data in accordance with the law and the rules of honesty
Our company acts in accordance with the laws, secondary regulations and general principles of law in the processing of your personal data. It attaches importance to processing personal data limited to the purpose of processing and taking into account the reasonable expectations of data owners.
Accurate and up-to-date personal data
Our company pays attention to whether your personal data processed by our company is up-to-date and to conduct checks regarding this. Data owners are granted the right to request correction or deletion of their inaccurate and out-of-date data within this scope.
Processing of personal data for specific, clear and legitimate purposes
Our company determines the data processing purposes before each personal data processing activity and takes care that these purposes are not against the law.
Personal data must be connected, limited and proportionate to the purpose for which it is processed
Our company limits its data processing activity to the personal data required to achieve the purpose of collection and takes the necessary steps to ensure that personal data that is not related to this purpose is not processed.
Storing personal data for the period required by the legislation or the processing purposes
Personal data is deleted, destroyed or anonymized by our company after the purpose of processing personal data ceases to exist or after the period stipulated in the legislation expires.
5.2 Conditions Regarding the Processing of Personal Data
Your personal data is processed by our Company if at least one of the personal data processing conditions stipulated in Article 5 of the Law is present. Explanations regarding the conditions in question are provided below:
As a general rule, personal data can be processed by our Company if the data owner gives their free will, sufficient information regarding the personal data processing activity, gives their explicit consent without any hesitation and limited to that transaction only.
If the personal data processing activity is clearly stipulated in the laws, our Company may process personal data without the explicit consent of the data owner within the framework of the relevant legal regulation.
If the explicit consent of the data owner cannot be obtained due to actual impossibility and personal data processing is mandatory; if personal data processing is mandatory in order to protect the life or physical integrity of the data owner or a third party, personal data belonging to the data owner who is unable to express their consent or whose consent cannot be validated will be processed without explicit consent.
If the personal data processing activity is directly related to the establishment or execution of a contract, if the processing of personal data belonging to the parties to the contract established or already signed between the data owner and our Company is necessary, the personal data processing activity will be carried out without explicit consent.
If personal data processing is mandatory for the data controller to fulfill its legal obligations, our Company may process personal data without the explicit consent of the data owner in order to fulfill its legal obligations stipulated under the applicable legislation.
Personal data that has been disclosed to the public in any way by the data owner and made available to everyone as a result of being made public may be processed by our Company, even without the explicit consent of the data owners, limited to the purpose of making public.
If personal data processing is mandatory for the establishment, exercise or protection of a right, our Company may process the personal data of the data owner without the explicit consent of the data owners within the scope of the obligation.
If data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner, our Company may process personal data provided that the balance of interests between our Company and the data owner is observed. In this context, when processing data based on legitimate interest, our Company first determines the legitimate interest it will obtain as a result of the processing activity. It evaluates the possible impact of the processing of personal data on the rights and freedoms of the data owner and if it is of the opinion that the balance is not disrupted, it may carry out the processing activity without the need for explicit consent.
5.3 Conditions Regarding the Processing of Special Personal Data
Article 6 of the Law specifies special personal data in a limited number. These are; data regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures of the persons, as well as biometric and genetic data.
Our company can process special personal data in the following cases by ensuring that additional measures determined by the Personal Data Protection Board are taken:
Processing of special personal data other than health and sexual life can be processed if the data owner gives explicit consent or if it is clearly provided for in the laws.
Personal data processed within the scope of the Occupational Health and Safety (OHS) Law No. 6331 (Occupational Medicine Services) can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data owner.
6. TRANSFER OF PERSONAL DATA
Personal data may be transferred domestically and/or abroad by “ZEYBEK ELEKTRİK” in accordance with Articles 8 and 9 of the Law and other relevant legislation.
6.1 Transfer of Personal Data Domestically
Personal data cannot be transferred without the explicit consent of the relevant person. Subject to the provisions of other laws regarding the transfer of personal data, personal data may be transferred domestically by “ZEYBEK ELEKTRİK” without the explicit consent of the relevant person, in the event that one of the following conditions exists:
It is clearly provided for in the laws.
It is mandatory for the protection of the life or physical integrity of the person who is unable to give his/her consent due to a de facto impossibility or whose consent is not legally valid, or of another person.
It is necessary to transfer personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
It is mandatory for the data controller to fulfill its legal obligation.
It is made public by the relevant person himself/herself.
Data processing is mandatory for the establishment, exercise or protection of a right.
It is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.
Data related to individuals’ race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special personal data. It is prohibited to transfer special personal data without the explicit consent of the person concerned.
Provided that sufficient measures are taken; personal data other than health and sexual life, among the special data listed above, may be transferred without the explicit consent of the person concerned in the cases stipulated by law.
Personal data related to health and sexual life may only be transferred by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without the explicit consent of the person concerned.
6.2 Transfer of Personal Data Abroad
Personal data cannot be transferred abroad without the explicit consent of the relevant person. However, personal data may be transferred abroad without the explicit consent of the relevant person, provided that one of the conditions specified in Article 6.1 of this policy is present and that in the foreign country to which the personal data will be transferred;
a) There is sufficient protection,
b) In the absence of sufficient protection, the data controllers in Turkey and the relevant foreign country undertake in writing to provide sufficient protection and the Board has given its permission.
6.3 To Whom and for What Purposes Can Personal Data Be Transferred?
The groups of persons to whom personal data may be transferred and the purposes of data transfer in accordance with Articles 8 and 9 of the Personal Data Protection Law and the conditions specified in this policy are specified in the table below.
In order to prevent rights violations during data transfer to third parties, a confidentiality agreement is made and the necessary technical and legal measures are taken. However, “ZEYBEK ELEKTRİK” is not responsible for violations arising from the data protection policies of the third party receiving personal data and occurring under the responsibility of the third party.
Persons to whom data may be transferred | Definition | Purpose of Data Transfer |
Business Partner | Parties that ZEYBEK ELEKTRİK has established business partnerships within the scope of its commercial activities | To ensure that the business partnership activities are carried out in accordance with the partnership purpose and legislation. |
Supplier | Real and legal persons who provide services outside the organization of ZEYBEK ELEKTRİK, but in accordance with the instructions they receive from ZEYBEK ELEKTRİK in accordance with the contract made between the parties. | In order to provide service in accordance with the purpose of the contract made between ZEYBEK ELEKTRİK and the supplier and the legislation. |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from ZEYBEK ELEKTRİK | In order for public institutions and organizations to carry out their activities in accordance with the legislation, within the limits of the authority they receive from the legislation. |
Natural and/or Private Law Legal Entities | Authorized natural and/or Private Law Entities to receive information and documents from ZEYBEK ELEKTRİK | In order to carry out the activities in accordance with the legislation, limited to the legal authority of the relevant real and/or private law legal entities. |
Shareholders | Partners who have shares in ZEYBEK ELEKTRİK | In case it is necessary to transfer data to shareholders in accordance with the purpose and legislation within the scope of commercial activities. |
Open to Public | It refers to the entire public, especially potential customers, within the scope of commercial activity. | In case data transfer is required in accordance with the purpose and legislation within the scope of commercial activities (Example: Publishing a photo of a customer or employee on a web page) |
7. ENSURING THE SECURITY OF PERSONAL DATA
The necessary administrative and technical measures are taken to ensure the preservation and security of your personal data that we process within the scope of the company’s activities in accordance with the relevant legislation. In this context, appropriate technological facilities are used to take precautions against data breaches, unauthorized access, data loss, unauthorized modification of data and other threats, and the necessary inspections are carried out. If a data breach occurs despite all these measures and precautions, the situation will be reported to the relevant persons and the Personal Data Protection Authority within 72 hours at the latest.
In this context, we identify existing risks and threats, train our employees and carry out awareness activities, and determine policies and procedures regarding personal data security. The administrative and technical measures taken by our company to ensure “data security” in accordance with Article 12 of the Law are specified in Article 7.1 of the Policy.
7.1. ADMINISTRATIVE AND TECHNICAL MEASURES TAKEN FOR THE SECURITY OF PERSONAL DATA
Network security of computers containing personal data is ensured.
The security of personal data stored in the cloud is ensured.
Training and awareness activities are carried out for employees on data security at certain intervals.
Persons authorized to access personal data have been determined and an authorization matrix has been created.
Appropriate access logs are kept regularly in accordance with Law No. 5651.
Institutional policies have been prepared and implemented on access, information security, usage, storage and destruction.
Data masking measures are applied when necessary. Confidentiality commitments are made with institutions and organizations to which personal data is transferred.
Employees who change their duties or leave their jobs have their access rights to personal data revoked.
Up-to-date anti-virus systems and firewalls are in place.
Signed contracts include data security provisions.
Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in a confidential document format.
Personal data security policies and procedures have been determined.
Personal data security problems are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
User account management and authorization control systems are implemented and their monitoring is also carried out.
Periodic and/or random audits are carried out within the institution and the confidentiality of personal data is checked.
Log records are kept in a way that prevents user intervention.
Risks and threats regarding possible personal data breaches
8. DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA
In accordance with Article 7 of the Law, although processed in accordance with the law, if the reasons requiring processing are eliminated, our Company deletes, destroys or anonymizes personal data ex officio or upon the request of the data owner. Although the purpose of processing personal data has ended and the relevant legislation and storage periods have also expired, the storage period may be extended only for personal data to constitute evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. In this case, the stored personal data is not accessed for any other purpose and access is provided only when it is necessary to use it in the relevant legal dispute. After the expiration of the limitation periods for asserting the aforementioned right, personal data is again deleted, destroyed or anonymized.
8.1 Recording Media
Personal data is processed by our Company on personal computers, mobile devices, information security devices (firewall, modem), paper and printed visual media.
8.2 Legal Reasons Requiring Storage
Personal data processed within the scope of our company’s activities are stored for the period stipulated in the relevant legislation.
In this context, personal data;
Personal Data Protection Law No. 6698,
Turkish Commercial Code No. 6102,
Tax Procedure Law No. 213,
Turkish Code of Obligations No. 6098,
Public Procurement Law No. 4734,
Social Insurance and General Health Insurance Law No. 5510,
Law No. 5651 on Regulation of Publications Made on the Internet and Combating Crimes Committed Through Such Publications,
Occupational Health and Safety Law No. 6331,
Consumer Protection Law No. 6502,
Information Acquisition Law No. 4982,
Law on the Exercise of the Right to Petition No. 3071,
Labor Law No. 4857,
Retirement Health Law No. 5434,
Social Services Law No. 2828,
Occupational Health and Safety Services Regulation,
And other relevant legislation
It is stored for the storage periods stipulated within its framework.
8.3 Processing Purposes Requiring Storage
It is explained under the heading of the institution’s data processing purposes in Article 3 of the policy.
8.4 Reasons Requiring Destruction
Personal data is deleted, destroyed or anonymized by our Company ex officio or upon the request of the relevant person in cases where;
The relevant legislative provisions constituting the basis for processing are changed or repealed,
The purpose requiring processing or storage is eliminated,
In cases where personal data is processed only based on the explicit consent condition, the relevant person withdraws his/her explicit consent,
The application made by the relevant person for the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law is accepted by our Company,
In cases where our Company rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, the relevant person finds the response given insufficient or our Company does not respond within the period stipulated in the Law; In cases where the relevant person files a complaint with the Board and this request is approved by the Board,
The maximum period requiring the storage of personal data has passed and there are no conditions that would justify storing personal data for a longer period.
8.5 Deletion of Personal Data
Personal data stored on personal computers and electronic media are deleted in a way that cannot be retrieved by the relevant user when the storage period expires.
Personal data in physical media are torn / destroyed in a way that cannot be retrieved by the relevant user when the storage period expires.
8.6 Personal Data Storage and Destruction Periods
When determining the storage periods of personal data processed within the scope of our Company’s activities, the relevant legislation is primarily taken into account, and if there is no period stipulated by the relevant legislation, a reasonable period required for the purpose of processing personal data is taken as basis. Detailed storage periods that vary on a process basis and according to the data owner are included in our Company’s personal data inventory.
Our Company’s periodic destruction periods are determined as June and December of each year. Unless there is any legal situation that interrupts or stops the statute of limitations, it is stored for the periods specified in the table below and destroyed on the first periodic destruction date following the storage period.
DATA CATEGORY | DATA STORAGE PERIOD |
IDENTITY | 15 years from the termination date of the employment contract |
CONTACT | 15 years from the termination date of the employment contract |
LOCATION | 5 years from the date of sale of the vehicle |
PERSONALITY | 15 years from the termination date of the employment contract |
LEGAL ACTION | Legal relationship+ 30 years |
CUSTOMER TRANSACTION | Legal relationship + 10 years |
PHYSICAL SPACE SECURITY | 6 months |
TRANSACTION SECURITY | 2 years |
FINANCE | Legal relationship + 10 years |
PROFESSIONAL EXPERIENCE | 15 years from the termination date of the employment contract |
VISUAL AND AUDIO RECORDINGS | 15 years from the termination date of the employment contract |
HEALTH INFORMATION | 40 years from the date of termination of the employment contract |
CEZA MAHKUMİYETİ VE GÜVENLİK TEDBİRLERİ | 15 years from the termination date of the employment contract |
BIOMETRIC DATA | 1 Year from the Termination Date of the Employment Contract |
CANDIDATE EMPLOYEE REFERENCE INFORMATION | 1 year from the date of application + 1 year from the date of termination of the employment contract if hired |
EMPLOYEE BANK ACCOUNT INFORMATION | 15 years from the date of termination of employment contract |
WORKING FAMILY RELATIVE INFORMATION | 15 years from the date of termination of employment contract |
9. WEBSITE VISITORS
The movements of visitors to our Company’s websites are recorded by our Company using technical means in order to ensure that they perform their activities in accordance with the purposes of their visit, to show them customized content and to engage in online advertising activities.
10. MONITORING ACTIVITY WITH CAMERA CONDUCTED IN OUR COMPANY CAMPUS
Our Company’s camera monitoring activities are carried out in accordance with the Law on Private Security Services and relevant legislation. Our Company carries out security camera monitoring activities in accordance with the personal data processing conditions listed in the Law and the purposes stipulated in the relevant legislation in force in order to ensure security in the internal and external areas of its campus. Our Company informs the personal data owner in accordance with Article 10 of the Law.
Regarding the camera monitoring activities by our Company; This Policy is published on our Company’s website and an information statement regarding monitoring is posted at the entrances of the areas where monitoring is carried out. Our Company processes personal data in a limited and proportionate manner in connection with the purpose for which they are processed in accordance with Article 4 of the Law. It is not subject to monitoring in areas that may result in interventions that exceed the privacy and security purposes of the person. Only a limited number of our Company employees have access to the records recorded and stored in digital environments with live camera images. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality commitment.
11. MONITORING OF VISITOR ENTRANCE AND EXIT WITHIN THE CAMPUS
In order to ensure security and for the purposes specified in this Policy, our Company conducts personal data processing activities to monitor visitor entries and exits on its premises and for this purpose. Visitors to our Company premises are informed in this context while their personal data is being processed or through texts made available to visitors at appropriate locations.
12. INFORMATION OF DATA SUBJECTS AND RIGHTS OF DATA SUBJECTS
According to Article 10 of the Law titled “Data Controller’s Obligation to Inform”, during the collection of personal data, the data controller or the person authorized by him/her is obliged to inform the relevant persons about;
a) The identity of the data controller and his/her representative, if any,
b) The purpose for which personal data will be processed,
c) To whom and for what purpose the processed personal data may be transferred,
ç) The method and legal reason for collecting personal data,
d) Other rights listed in Article 11,
In accordance with the provision of the aforementioned Law, the necessary in-house structure has been established by “ZEYBEK ELEKTRİK ANONİM ŞİRKETİ” as the data controller to ensure that data owners are informed in every case where personal data processing activity is carried out.
In this context;
For the purpose of processing your personal data, please review Section 3.2 of the Policy.
For the parties to whom your personal data is transferred and the purpose of transfer, please review Section 6 of the Policy.
For the collection method and legal reason of your personal data, which can be collected through different channels in physical or electronic environments, please see Section 4 of the Policy.
The rights of the relevant person are regulated in Article 11 of the Law. Accordingly, everyone can apply to the data controller and have the following information about themselves; a) To learn whether personal data has been processed,
b) To request information about personal data if it has been processed,
c) To learn the purpose of processing personal data and whether it is used in accordance with its purpose,
ç) To know the third parties to whom personal data is transferred domestically or abroad,
d) To request correction of personal data if it is processed incompletely or incorrectly,
e) To request deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
f) To request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data is transferred,
g) To object to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,
ğ) To request compensation for damages in the event of damages due to unlawful processing of personal data.
In matters related to the processing of your personal data, you can apply by filling out the “Personal Data Request Form” available on the Company’s website and “proving your identity” using the method specified in the form that is appropriate for you. If you exercise your rights listed above and apply for the above-mentioned issues, your applications will be finalized free of charge within thirty days at the latest, depending on the content of your request. However, if the transaction requires an additional cost, you may be charged a fee according to the tariff determined by the Personal Data Protection Board.
Our Company will notify data owners of data owner applications in writing or electronically. If the application is rejected, the reasons for rejection will be explained to the data owner with justification.
13. SCOPE OF THE LAW AND RESTRICTIONS ON ITS APPLICATION
The following situations are outside the scope of the Law:
Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that data security obligations are complied with.
Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or do not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or execution procedures.
In the following cases, the Authority is not required to inform data owners and data owners will not be able to exercise their rights specified in the Law, except for their rights to seek compensation for their losses:
Personal data processing is necessary for the prevention of crime or criminal investigation,
Personal data made public by the relevant person,
Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institution, based on the authority granted by the law,
Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
14. ENFORCEMENT AND CHANGE
This Policy has been published on the website by “ZEYBEK ELEKTRİK” and presented to the public. In case of conflict between the current legislation and the regulations included in this Policy, the provisions of the legislation shall apply.
“ZEYBEK ELEKTRİK” reserves the right to make changes to the policy in line with legal regulations. The current text of the policy can be accessed at www.zeybekgrup.com.
