Personal Data Protection Policy

Introduction

As Egesim, we value the security of the personal data of those who contact us or represent a company or organization whose data we process.

As a Data Controller, Egesim has put into effect this Personal Data Protection Policy to explain our rules and policies regarding the collection, processing, protection, and destruction of personal data and the legal, administrative (assignments and authorizations), and technical measures (information security technologies and physical security) to be taken regarding these processes. 

Objective

Our main goal in the processing of personal data is to protect the fundamental rights and freedoms of the persons concerned, especially the privacy of private life, taking into account the administrative and technical measures determined by the KVKK in force in our country and the regulations, decisions and other legislation published by the Board.

Our goal is to raise awareness of the importance of personal data protection and the sensitivity of personal data.

The policy discusses ensuring that the practices and conditions in Egesim comply with the obligations regarding the protection and processing of personal data set by the relevant authorities, evaluating with a risk-based approach the events that may occur during the activities carried out, and determining the strategies, internal controls and measures, operating rules and responsibilities.

Scope

The Policy covers the regulation of all kinds of transactions/processes performed on the personal data of employee candidates, employees (current and past), shareholders and partners, interns, supplier officials and employees, visitors, and persons representing these persons, by wholly or partially automated means, or by non-automatic means provided that they are part of any data recording system, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use, and destruction.

The scope includes legal and real persons who are authorized to access personal data in any way and for any purpose during the execution of these processes.

Our Companies

Listed below are our companies that will be collectively named Egesim. The different practices of each company are stated in the Clarification Texts of the relevant company regarding the relevant persons. The Policy that we follow applies to all our companies. For more information, consult the links in Policy.

o  Egesim Electricity: Egesim Electricity Industry and Trade Limited Company (central registration system no: 0325049110100017)

o  Egesim Energy: Egesim Energy Electromechanical and Electricity Contracting Industry Trade Limited Company (central registration system no: 0013003322900014)

o  Egesim Automation: Egesim Automotive Control and Computer Systems Industry and Trade Limited Company (central registration system no: 0325006850500015)

Definitions

Definitions used in this Policy:

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Constitution: Constitution of the Republic of Turkey (Law No. 2709)

Anonymization: Making personal data incapable of being associated with an identified or identifiable real person under any circumstances, even by matching with other data.

Related person: Real person whose personal data is processed.

Personal data: Any information relating to an identified or identifiable real person.

Processing of personal data: All kinds of operations performed on personal data, completely or partially automatically, or by non-automatic means provided that it is part of any data recording system, such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use.

Board: Personal Data Protection Board

KVKK: Protection of Personal Data Law No. 6698 and all relevant legislation

Policy: Policy on Protection and Processing of Personal Data

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by data controller (KVKK Article 3-(1)-ğ)

Data registration system: The registration system in which personal data is processed and structured according to certain criteria

Data controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registration system

General Principles

Validity

This Policy has taken into account the applicable legislation at the time of publication and the practices required by business conditions. Therefore, it should be known that the legislation is essential.

This Policy is valid in all our companies. Policy terms are common.

Reviews

Changes in the relevant legislation that will take place after the publication date are reviewed, and the policy, other procedures and practices are brought into compliance with the legislation. Reviews are made regularly, at least once a year, with or without any changes.

Compliance With Laws

Confidentiality and protection of personal data is a right granted by the Constitution of the Republic of Turkey and is regulated by law. Not knowing is not an excuse. Therefore, it is mandatory for everyone, without exception, to comply with it. It should be known that penal actions required by the relevant legislation and contracts will be applied in cases of violation.

Basic legal and ethical principles of Egesim are regulated in accordance with KVKK (Article 4).

Personal data can only be processed in accordance with the procedures and principles stipulated in the KVKK and other laws.

The following principles are complied with in the processing of personal data:

a) Compliance with the law and honesty rules.

b) Being accurate and up to date when it is needed.

c) Processing for specific, explicit and legitimate purposes.

ç) Being relevant, limited and proportionate to the purpose for which they are processed.

d) To be kept for the time period specified by applicable legislation or for the purpose for which they are processed.

Our company follows these principles.

Disclosure Requirement

This Policy has been prepared in accordance with Article 10 of the KVKK, in order to inform about the processing of personal data and legal rights within the scope of the Obligation of Disclosure.

This Policy and the Clarification Texts of other companies and related persons clearly state the following subjects:

a) The identity of the data controller and its representative, if any,

b) For what purpose personal data will be processed,

c) To whom and for what purpose the processed personal data can be transferred,

ç) Method and legal reason for collecting personal data,

d) The other rights of the related person listed in Article 11.

Personal Data Processed

Personal data clearly belonging to an identified or identifiable real person, processed partially or completely automatically or non-automatically as part of the data recording system, are classified as follows within the scope of the law.

Data Category: Explanation

Identity: Name, surname, parents' names, mother's maiden name, date of birth, place of birth, marital status, identity card serial number, TR identity no. etc.

Communication: Address, address no, e-mail address, contact address, registered e-mail address (KEP), telephone number etc.

Location: Location information from the vehicle tracking system or of the place of traffic fines etc.

Personal: Payroll information, disciplinary proceeding, statement of employment, dismissal notice, goods declaration information, resume information, performance evaluation reports etc.

Legal Transaction: Correspondence with judicial authorities, information in the case file etc.

Customer Transaction: Demand and order information, invoice, promissory note, and check information, information on payment receipts etc.

Physical Space Security: Entry and exit registration information of employees and visitors, camera recordings etc.

Process Security: IP address information, website login and logout information, password etc.

Occupational Experience: Diploma, courses attended, vocational training, certificates and transcript information

Audiovisual Recordings: Audio-visual recordings such as photographs

Philosophical Belief, Religion, Sect and Other Beliefs: Information on religious affiliation written in old identities etc.

Dress: Information on dress, such as measurements

Health Information: Information on disability status, personal health, blood type, device used, prosthesis etc.

Criminal Conviction and Security Measures: Information on criminal convictions in criminal records and traffic fines, data on security measures etc.

Groups whose personal data are processed

Personal data for which Egesim is the Data Controller are evaluated and classified according to the following groups.

Data Subject Group: Description

Employee Candidate: Real persons who have submitted their personal data to our company at any time and through any communication methods and are considered as candidates.

Employee: Real persons who still have employment contracts and work in our company, and their relatives; real persons who have worked in our company in the past and whose employment contract has now expired, and their relatives.

Shareholder/Partner: Real persons or representatives of legal persons who have a partnership or share with Egesim in any way.

Intern: Real persons, whether adult or underage, in student status and working within the scope of a short-term internship through an educational institution.

Supplier Employee: Real persons who are employees of the real or legal persons from whom we purchase goods and services.

Supplier Representative: Real persons who are authorized by the real and legal persons from whom we purchase goods and services.

Product or Service Recipient: Real persons who are authorized by the real and legal persons to whom we sell goods.

Parent / Guardian / Representative: Real persons who are the guardian of real or legal persons or represent them.

Visitor: Real persons who have come to our company for a visit or who conduct transactions through our website.

Related personal data categories of the groups whose data are processed

The data categories of the people whose information we process are listed in the table below.

Data Subject Group: Processed Personal Data

Employee Candidate: Identity, Communication, Personal, Physical Space Security, Occupational Experience, Audiovisual Recordings

Employee: Biometry, Identity, Communication, Personal, Physical Space Security, Process Security, Occupational Experience, Audiovisual Recordings, Philosophical Belief, Religion, Sect and Other Beliefs, Dress, Health Information, Criminal Conviction and Security Measures

Shareholder/Partner: Identity, Communication, Legal Transaction, Physical Space Security, Process Security, Audiovisual Recordings

Intern: Identity, Communication, Personal, Physical Space Security, Process Security, Occupational Experience, Audiovisual Recordings, Dress

Supplier Employee: Identity, Communication, Personal, Legal Transaction, Physical Space Security, Process Security, Occupational Experience, Audiovisual Recordings, Health Information

Supplier Representative: Identity, Communication, Legal Transaction, Audiovisual Recordings

Product or Service Recipient: Identity, Communication, Location, Physical Space Security, Customer Transaction, Audiovisual Recordings

Parent/Guardian/Representative: Identity, Communication

Visitor: Identity, Communication, Physical Space Security, Audiovisual Recordings, Process Security

Terms and purposes of processing personal data

The Clarification Texts prepared for the relevant person groups address the purposes of collecting and processing personal data, as well as legal and legislative requirements.

Egesim Electric:

o  Employee and Employee Candidate Disclosure Text

o  Supplier and Supplier Employee Disclosure Text

o  Customer Clarification Text

Egesim Energy:

o  Employee and Employee Candidate Disclosure Text

o  Supplier and Supplier Employee Disclosure Text

o  Customer Clarification Text

Egesim Automation:

o  Employee and Employee Candidate Disclosure Text

o  Supplier and Supplier Employee Disclosure Text

o  Customer Clarification Text

 

Personal data is processed in accordance with KVKK (6698), Income Tax Law (193), Tax Procedure Law (213), Code of Obligations (6098), Enforcement and Bankruptcy Code (2004), Turkish Commercial Code (6102), Labor Law (4857), Occupational Health and Safety Law (6331), Social Security and General Health Insurance Law (5510), Personal Pension Savings and Investment System Law (4632), Vocational Training Law (3308), Unemployment Insurance Law (4447), Stamp Tax Law (488), Act of Fees (492), Corporate Tax Law (5520), Electronic Communications Law (5809), Law on Intellectual and Artistic Works (5846), Electronic Signature Law (5070), Law on Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications (5651) and other legislation (laws, regulations, circulars, and communiques).

Obligations regarding data security

General application

Institutional policies on information access, security, use, storage, and destruction have been developed and are being implemented.

Personal data security policies and procedures have been determined.

Personal data security issues are being immediately reported.

The security of personal data is being monitored.

Personal data is being reduced to the greatest extent possible.

Existing threats and risks have been identified.

Protocols and procedures for sensitive personal data security have been determined and implemented.

Protection of personal data by employees

Employees are subject to disciplinary rules that include data security provisions.

Employees are subjected to data security training and awareness activities on a regular basis.

An authorization matrix has been created for employees.

Employees who change position or leave their jobs have their authorizations revoked.

Confidentiality commitments are signed.

Physical protection measures

Personal data transferred via paper is subject to additional security measures, and the relevant document is sent in confidential document format.

Entry and exit to physical environments containing personal data are subject to the necessary security measures.

Physical environments containing personal data are protected from external threats (fire, flood, etc.).

It is ensured that environments containing personal data are secure.

Suppliers accessing personal data

With suppliers who have access to personal data, a Confidentiality Protocol is signed.

Technical protection measures

Network and application security are provided.

A closed system network is used for personal data transfers via the network.

Security precautions are taken as part of the procurement, development, and maintenance of information technology systems.

Access logs are kept on a regular basis.

Up-to-date antivirus software is used.

Firewalls are used.

Data security provisions are included in the signed contracts.

It is ensured that environments containing personal data are secure.

Personal data is backed up, and the security of that data is also ensured.

The user account management and authorization control systems have been implemented and are being followed.

If sensitive personal data is sent via e-mail, it must be encrypted and sent through a KEP or corporate mail account.

Encryption is used.

Data processing service providers are audited on a regular basis for data security.

Transfer of personal data

Information containing personal data is shared with government agencies, banks, insurance companies, and public institutions and organizations specific to the sector to which the company is affiliated.

Personal information is shared with the construction project's owner or responsible contractor.

Information sharing is ensured by using secure communication tools provided by these institutions.

Personal information is shared among Egesim companies Egesim Electric, Egesim Energy, and Egesim Automation.

Transfer of personal data abroad

Egesim does not transfer information containing personal data abroad for the purpose of processing personal data.

Our e-mail system, on the other hand, is a service provided by a reputable company that is based both abroad and within the borders of the European Union and has adequate security measures and standards. Therefore, personal data is transferred abroad during communication.

Destruction or anonymization of personal data

Egesim retains personal data only for as long as is necessary to achieve the purposes set out here, except where a longer period is legally required or permitted.

Although it has been stored and processed in accordance with the provisions of KVKK (Article 7) and other relevant legislation, personal data is deleted, destroyed or anonymized in case the reasons requiring processing disappear or the storage period expires.

Physical documents containing personal data are shredded in the machine and destroyed.

Personal data in applications is destroyed by formatting media and deleting from databases and backups.

Personal data can be anonymized and processed for purposes such as research, planning and statistics. Anonymized data cannot be associated with a person in any way. As a result, it will be excluded.

These transactions are carried out at our company's discretion or at the request of the personal data owner.

The processes of deletion, destruction, and anonymization are carried out in accordance with applicable laws, regulations, and decisions.

To carry out this work, the necessary procedures have been established.

Rights of the person concerned

Everyone has the right to be informed about their personal data, according to the Constitution.

In accordance with the "law and honesty" rule, our company provides accurate information and transparency regarding personal data processing activities when necessary.

During the acquisition of personal data, the data owners are informed about the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data will be transferred, the method of collecting personal data, the legal reason of data processing and the rights of the personal data owner.

Personal data owners have the right to inquire about the nature of their collected, stored, processed, and transferred personal data, as well as the purpose for which it is processed. Furthermore, in the event of incomplete or incorrect processing, they have the right to request correction and to have the appropriate parties notified.

Personal data owners have the right to request the destruction of their stored or processed data in accordance with legal requirements if these requirements cease to exist, and to know the outcome of the request.

According to Article 11 of the KVKK, the relevant individuals have the following rights:

 

a) Learning whether personal data is processed or not,

b) If personal data has been processed, requesting information about it,

c) Learning the purpose of processing personal data and whether they are used in accordance with the purpose,

ç) Knowing who the third parties are to whom personal data is transferred, whether at home or abroad,

d) Requesting correction of personal data when processing is incomplete or incorrect,

e) Requesting the deletion or destruction of personal data within the parameters set out in Article 7,

f) Requesting notification of transactions carried out in accordance with subparagraphs (d) and (e) to third parties to whom personal data has been transferred,

g) Objecting to the emergence of a result against the individual by analyzing processed data solely through automated systems,

ğ) Seeking restitution for damages incurred as a result of wrongful processing of personal data.

Application to data controller

Making requests

Requests must be made in writing to Egesim (Article 13 of the KVKK).

Your written request must include:

o  What the demand is, in a clear and understandable way,

o  Identity (TCKN, name, surname) information,

o  Contact (e-mail, phone, address) information,

o  Documents proving the identity and contact information of the person concerned.

Applications should be submitted using the application forms found at the links below, corresponding to the relevant company.

o  Egesim Electricity Application Form

o  Egesim Energy Application Form

o  Egesim Automation Application Form

 

Egesim concludes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

Egesim accepts the request or rejects it by explaining its reason and notifies the relevant person in writing or electronically. In case the request in the application is accepted, the data controller fulfills its requirements. If the application is rejected due to Egesim's fault, the application fee will be refunded.

An issue that should not be forgotten (Article 14 of the KVKK) is the right to complain.

In cases where the application is rejected, the answer provided is insufficient, or the application is not responded to in a timely manner, the person concerned may file a complaint with the Board within thirty days of learning the data controller's response and, in any case, within sixty days of the date of application. According to Article 13, a complaint cannot be filed unless the remedy has been exhausted. The right to compensation of those whose personal rights are violated is reserved under the general provisions.

Data controllers registry

Egesim has fulfilled its KVKK obligation (Article 16) by registering with VERBIS.

Notifications to the Board and violations

Our company agrees to fulfill its obligations under the KVKK (Article 15) and to provide the required notifications within the legal time limits.

Reviews

This policy is reviewed by our company once a year.

Every year, an internal audit is performed to ensure that the policy is being followed.

References

The following were considered when creating the policy.

o  Constitution of the Republic of Turkey

o  Turkish Penal Code No. 5237

o  Protection of Personal Data Law No. 6698, Regulations and communiques

o  Personal Data Protection Board Decisions and Decision Summaries

o  VERBİS (Data Controllers Registry Information System)

o  All other laws and legislation related to Personal Data and which Egesim is obliged to comply with

o  Personal Data Protection Policy

o  Company policies, rules and procedures