POLICY ON PERSONAL DATA PROTECTION
1. INTRODUCTION, SCOPE AND DEFINITIONS
1.1. Introduction: The Personal Data Protection Law (“PDP Law”) Number 6698 was enacted pursuant to its publication in the Official Gazette on 07.04.2016. The Law provides a legal regulation for the protection of the personal data of individuals based on a holistic approach. In this regard, the Policy on the Protection and Processing of Personal Data (“Policy”) offers guidance to Enda Energy Holding Co. (“Company”) on how to tangibly implement the PDP Law and the rules set forth by relevant legislation. Accordingly, our Company shall ensure sustained compliance with the Policy by enacting necessary measures to ensure conformity to the Policy within the company and practice internal auditing mechanism for the same purpose.
1.2. Scope: Hereby this “Policy” concerns the automated or non-automated processing as a component of any data recording system of all personal data pertaining to Employees, Former Employees, Employee Candidates, Interns, Group Employees, Employee Relatives, Company Shareholders/Partners, Company Executives, Recipients of Products or Services (Customers), Potential Product or Service Buyers, Visitors, Supplier Executives and Supplier Employees as defined in Article 1.3.
1.3. Definitions: Definitions featured in the PDP Law and secondary legislations have not been featured in this section. The mentioned definitions are identical to those in legislations unless otherwise stated within this Policy.
2. PRINCIPLES CONCERNING THE PROCESSING OF PERSONAL DATA
The company has to adopt the following basic principles in order to ensure sustained compliance with the PDP Law and other secondary legislation:
3. CONDITIONS ON PROCESSING PERSONAL DATA
Our Company processes personal data in compliance with condition(s) indicated in Article 5 of the PDP Law save and except of express consent by the respective person. If the processed data is of a sensitive nature, then the conditions set forth in Article 4.3 (Processing and Transfer of Sensitive Personal Data”) of this Policy shall apply.
4. DISCLOSURE OF PERSONAL DATA
In scope of the objectives on processing legitimate and legally justifiable personal data, our Company can disclose the relevant person’s personal data or sensitive personal data at a national scale on the condition of taking necessary security measures as indicated in this Policy and after ensuring confidentiality;
5. PROCESSING AND DISCLOSURE OF SENSITIVE PERSONAL DATA
Sensitive personal data is only processed and disclosed by our Company in accordance with the principles set forth in this Policy and after taking all administrative and technical measures available including those measures determined by the Personal Data Protection Committee (“Committee”) and only if the below conditions are met:
6. THE PURPOSE OF CATEGORISING AND PROCESSING PERSONAL DATA HANDLED BY OUR COMPANY
uant to Article 10 of the PDP Law, our Company informs relevant people during the acquiring of personal data. In this regard, our Company provides information about the identity of any representatives, the purpose of processing personal data, people with access to the processed personal data and for what purpose, means of collecting personal data, the legal justification and the rights granted to the relevant person.
Detailed information about personal data categories processed in scope of the objectives and conditions set forth in this Policy can be found in Annex-1 (“Personal Data Categorisation”). Detailed information about the purposes of processing the mentioned personal data are provided in Annex-2 of the Policy (“Purposes of Processing Personal Data”).
In accordance with our company’s legitimate and legally justified personal data processing objectives, our company processes the personal data categories identified in Annext-1 (“Personal Data Categorisation”) pursuant to Article 10 of the PDP Law, based on and limited to one or more of the personal data processing conditions set forth in Article 5 of the PDP, in compliance with the general principles set forth in the PDP law particularly those indicated in Article 4 on the processing of personal data, in compliance with all the obligations regulated in the PDP Law and limited to the durations indicated in our Company’s Personal Data Keeping and Extermination Procedures.
7. SPECIAL OCCASIONS THAT CALL FOR THE PROCESSING OF PERSONAL DATA
8. MEASURES TO PROTECT PERSONAL DATA
8.1 Technical Measures Taken to Ensure the Security of Personal Data:
Our Company takes necessary measures and employs necessary actions in compliance with Organisational regulations aimed at providing adequate security in order to prevent the illegal processing of, illegal access to and safekeeping of personal data which is processed in compliance with Article 12 of the PDP Law.
8.2 Administrative Measures on the Protection of Personal Data:
Our Company has a “Personal Data Protection Committee” consisting of appointed authorised representatives in order to manage, implement and execute specific actions in scope of this policy and other policies and procedures related to or affiliated with this Policy.
All activities executed by our Company are analysed specifically according to business departments. Personal data processing activities specific to the commercial activities executed by the relevant department are determined and necessary confidentiality agreements are signed in accordance with this analysis.
Awareness is raised and practice rules are determined specifically for the relevant business departments. Necessary administrative measures for the controlling of these measures and ensuring the sustainability of the practice are realised through intracompany policies, procedures, instructions and notifications, awareness raising training, and warning mechanisms (notice boards, announcements, orientation etc.).
Annual auditing is planned with intra/extra (supplier) organisation sources in scope of Internal Auditing / Quality / ISMS practices in order to verify the effective implementation of personal data collection, processing, classification, deletion / extermination / removal of access authorisation / anonymisation processes.
8.3 Protection of Sensitive Personal Data:
The PDP Law gives special importance to certain personal data due to their risk of causing victimisation or discrimination of the person when processed in illegal ways. These include data on race, ethnicity, political orientation, philosophical beliefs, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, convictions and security measures as well as biometric and genetic data. Our Company acts responsibly in the protection of legally processed sensitive personal data that has been classified as “sensitive” by the PDP Law. In this regard, the technical and administrative measures taken by our Company for the protection of personal data are practiced meticulously in the case of sensitive personal data. Necessary auditing on this matter is executed throughout our Company.
9. ERASING, EXTERMINATING AND ANONYMISING PERSONAL DATA
Our Company erases, exterminates or anonymises personal data according to the practices set forth in the Company’s Personal Data Storing and Extermination Policy or by request of the relevant person if the cause for processing ceases to exist even if the processing is compliant with the provisions of the relevant law. Our Company erases personal data or continues to use such data after anonymising through the employment of the most appropriate erasing or exterminating method(s) as indicated in the Committee’s Guidelines on Erasing, Exterminating or Anonymising of Personal Data.
10. RIGHTS OF THE RELEVANT PERSON
Pursuant to Article 10 of the PDP Law, our Company notifies the relevant person of his/her rights and offers guidance on how to use these rights. In compliance with Article 13 of the PDP Law, our Company oversees the necessary channels, internal operations, administrative and technical arrangements for the assessments of the rights granted to owners of personal data and provide owners of personal data with adequate notifications.
10.1. Rights of the Relevant Person
Owners of personal data have been granted the rights listed below:
10.2. Exercising of Rights by the Relevant Person
The relevant person may submit requests pertaining to the granted rights listed in section 9.1 of this section by completing and signing the application form available on our company’s website, while adhering to the methods determined by the Committee and providing supporting information and documentation for the verification of his/her identity.
10.3. Our Company Responding to Applications
Our company takes necessary administrative and technical measures to conclude potential applications by the relevant person in accordance with the Law and secondary legislation. Upon receipt of the relevant person’s request pertaining to the granted rights listed in section 9.1 in due form, our Company shall conclude the relevant request as soon as possible and within a maximum of 30 (thirty) days depending on the nature of the request at no cost. However, fees based on the tariff determined by the Committee may apply if the procedure incurs additional costs.
11. DETAILS OF DATA MANAGER
ENDA ENERGY HOLDING Co.
Address: İsmet Kaptan Mahallesi Şehir Nevres Bulvar No: 10/71 Konak İZMİR
Annex-1 Personal Data Categorisation
Annex-2 Purposes of Personal Data Processing
Personal Data Categorisation Purposes of Personal Data Processing