As Egesim, we value the security of the personal data of those who contact us or represent a company or organization whose data we process.

As a Data Controller, Egesim has put into effect this Personal Data Protection Policy to explain our rules and policies regarding the collection, processing, protection, and destruction of personal data and the legal, administrative (assignments and authorizations), and technical measures (information security technologies and physical security) to be taken regarding these processes. 

Considering the administrative and technical measures determined by the KVKK in force in our country and the regulations, decisions and other legislation published by the Board, in the processing of personal data, it is our main goal to protect the fundamental rights and freedoms, especially the privacy of private life of the persons concerned.

Our goal is to raise awareness of the importance of personal data protection and the sensitivity of personal data.

Ensuring compliance of the practices and conditions in Egesim with the obligations regarding the protection and processing of personal data set by the relevant authorities, evaluating the events that may occur during the activities carried out with a risk-based approach, determining the strategies, internal controls and measures, operating rules and responsibilities are discussed in the policy. 

Policy, means provided that they are part of Employee candidates, employees (current and past), shareholders and partners, interns, supplier officials and employees, visitors and personal data of persons representing these persons, wholly or partially automated or in any data recording system, covers the regulation of all kinds of transactions/processes performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use and destruction by non-automatic.

The scope includes legal and real persons who are authorized to access personal data in any way and for any purpose during the execution of these processes.

Listed below are our companies that will be collectively named Egesim. The different practices of each company are stated in the Clarification Texts of the relevant company regarding the relevant persons. The Policy that we follow applies to all our companies. For more information, consult the links in Policy.

o  Egesim Electricity: Egesim Electricity Industry and Trade Limited Company (central registration system no: 0325049110100017)

o  Egesim Energy: Egesim Energy Electromechanical and Electricity Contracting Industry Trade Limited Company (central registration system no: 0013003322900014)

o  Egesim Automation: Egesim Automotive Control and Computer Systems Industry and Trade Limited Company (central registration system no: 0325006850500015)

Definitions in this Policy;

Explicit Consent: Consent on a specific subject, based on information and expressed with free will.

Constitution: Constitution of the Republic of Turkey (Law No. 2709)

Anonymization: Making personal data incapable of being associated with an identified or identifiable real person under any circumstances, even by matching with other data.

Related person: Real person whose personal data is processed.

Personal data: Any information relating to an identified or identifiable real person.

Processing of personal data: All kinds of operations performed on data such as obtaining personal data completely or partially automatically or by non-automatic means provided that it is a part of any data recording system, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing use.

Board: Personal Data Protection Board

KVKK: Protection of Personal Data Law No. 6698 and all relevant legislation

Policy: Policy on Protection and Processing of Personal Data

Data Processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by data controller (KVKK Article 3-(1)-ğ)

Data registration system: The registration system in which personal data is processed and structured according to certain criteria

Data controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registration system

Validity

This Policy has taken into account the applicable legislation at the time of publication and the practices required by business conditions. Therefore, it should be known that the legislation is essential.

This Policy is valid in all our companies. Policy terms are common.

Reviews

Changes in the relevant legislation that will take place after the publication date are reviewed, and the policy, other procedures and practices are brought into compliance with the legislation. Reviews are made regularly, at least once a year, with or without any changes.

Compliance With Laws

Confidentiality and protection of personal data is a right granted by the Constitution of the Republic of Turkey and is regulated by law. Not knowing is not an excuse. Therefore, it is mandatory for everyone, without exception, to comply with it. It should be known that penal actions required by the relevant legislation and contracts will be applied in cases of violation.

Basic legal and ethical principles of Egesim are regulated in accordance with KVKK (Article 4).

Personal data can only be processed in accordance with the procedures and principles stipulated in the KVKK and other laws.

The following principles are complied with in the processing of personal data:

a) Compliance with the law and honesty rules.

b) Being accurate and up to date when it is needed.

c) Processing for specific, explicit and legitimate purposes.

ç) Being relevant, limited and proportionate to the purpose for which they are processed.

d) To be kept for the time period specified by applicable legislation or for the purpose for which they are processed.

Our company follows these principles.

This Policy has been prepared in accordance with Article 10 of the KVKK, in order to inform about the processing of personal data and legal rights within the scope of the Obligation of Disclosure.

In this Policy and in the Clarification Texts of other companies and related persons;

a) The identity of the data controller and its representative, if any

b) For what purpose personal data will be processed,

c) To whom and for what purpose the processed personal data can be transferred,

ç) Method and legal reason for collecting personal data,

d) obliged to give information about their other rights listed in Article 11.

Subjects are clearly stated.

Personal data clearly belonging to an identified or identifiable real person, processed partially or completely automatically or non-automatically as part of the data recording system, are classified as follows within the scope of the law.

Payroll information, disciplinary proceeding, statement of employment, dismissal notice, goods declaration information, resume information, performance evaluation reports etc.

Personal data for which Egesim is the Data Controller are evaluated and classified according to the following groups.

The data categories of the people whose information we process are listed in the table below.

The Clarification Texts prepared for the relevant person groups address the purposes of collecting and processing personal data, as well as legal and legislative requirements.

Egesim Electric:

o  Employee and Employee Candidate Disclosure Text

o  Supplier and Supplier Employee Disclosure Text

o  Customer Clarification Text

Egesim Energy:

o  Employee and Employee Candidate Disclosure Text

o  Supplier and Supplier Employee Disclosure Text

o  Customer Clarification Text

Egesim Automation:

o  Employee and Employee Candidate Disclosure Text

o  Supplier and Supplier Employee Disclosure Text

o  Customer Clarification Text

Personal data is processed in accordance with KVKK (6698), Income Tax Law (193), Tax Procedure Law (213), Code of Obligations (6098), Enforcement and Bankruptcy Code (2004), Turkish Commercial Code (6102), Labor Law (4857), Occupational Health and Safety Law (6331), Social Security and General Health Insurance Law (5510), Personal Pension Savings and Investment System Law (4632), Vocational Training Law (3308), Unemployment Insurance Law (4447), Stamp Tax Law (488), Act of Fees (492), Corporate Tax Law (5520), Electronic Communications Law (5809), Law on Intellectual and Artistic Works (5846), Electronic Signature Law (5070), Law on Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications (5651) and other legislation (laws, regulations, circulars, and communiques).

General application

Institutional policies on information access, security, use, storage, and destruction have been developed and are being implemented.

Personal data security policies and procedures have been determined.

Personal data security issues are being immediately reported.

The security of personal data is being monitored.

Personal data is being reduced to the greatest extent possible.

Existing threats and risks have been identified.

Protocols and procedures for sensitive personal data security have been determined and implemented.

Protection of personal data by employees

Employees are subject to disciplinary rules that include data security provisions.

Employees are subjected to data security training and awareness activities on a regular basis.

An authorization matrix has been created for employees.

Employees who change position or leave their jobs have their authorizations revoked.

Confidentiality commitments are signed.

Physical protection measures

Personal data transferred via paper is subject to additional security measures, and the relevant document is sent in confidential document format.

Entry and exit to physical environments containing personal data are subject to the necessary security measures.

Physical environments containing personal data are protected from external threats (fire, flood, etc.).

It is ensured that environments containing personal data are secure.

Suppliers accessing personal data

With suppliers who have access to personal data, a Confidentiality Protocol is signed.

Technical protection measures

Network and application security are provided.

A closed system network is used for personal data transfers via the network.

Security precautions are taken as part of the procurement, development, and maintenance of information technology systems.

Access logs are kept on a regular basis.

Antivirus software that is up to date is used.

Firewalls are used.

Data security provisions are included in the signed contracts.

It is ensured that environments containing personal data are secure.

Personal data is backed up, and the security of that data is also ensured.

The user account management and authorization control systems have been implemented and are being followed.

If sensitive personal data is sent via e-mail, it must be encrypted and sent through a KEP or corporate mail account.

Encryption is done.

Data processing service providers are audited on a regular basis for data security.

Information containing personal data is shared with government agencies, banks, insurance companies and public institutions and organizations that are private to the sector to which the company is affiliated.

Personal information is shared with the construction project's owner or responsible contractor.

Information sharing is ensured by using secure communication tools provided by these institutions.

Personal information is shared among Egesim companies Egesim Electric, Egesim Energy, and Egesim Automation.

Egesim does not transfer personal data-containing information abroad for the purpose of processing personal data.

Our e-mail system, on the other hand, is used as a service of a reputable company based both abroad and within the borders of the European Union, with adequate security measures and standards. Therefore, personal data is transferred abroad during communication.

It retains personal data only for as long as is necessary to achieve the purposes set out here, except where a longer period is legally required or permitted.

Although it has been stored and processed in accordance with the provisions of KVKK (Article 7) and other relevant legislation, personal data is deleted, destroyed or anonymized in case the reasons requiring processing disappear or the storage period expires.

Physical documents containing personal data are shredded in the machine and destroyed.

Personal data in applications is destroyed by formatting media and deleting from databases and backups.

Personal data can be anonymized and processed for purposes such as research, planning and statistics. Anonymized data cannot be associated with a person in any way. As a result, it will be excluded.

These transactions are carried out at our company's discretion or at the request of the personal data owner.

The processes of deletion, destruction, and anonymization are carried out in accordance with applicable laws, regulations, and decisions.

To carry out this work, the necessary procedures have been established.

Everyone has the right to be informed about their personal data, according to the Constitution.

In accordance with the "law and honesty" rule, our company provides accurate information and transparency regarding personal data processing activities when necessary.

During the acquisition of personal data, the data owners are informed about the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data will be transferred, the method of collecting personal data, the legal reason of data processing and the rights of the personal data owner.

Personal data owners have the right to inquire about the nature of their collected, stored, processed, and transferred personal data, as well as the purpose for which it is processed. Furthermore, in the event of incomplete or incorrect processing, it has the right to request correction and notify the appropriate parties.

Personal data owners have the right to request the destruction of their stored or processed data in accordance with legal requirements if these requirements cease to exist, and to know the outcome of the request.

According to Article 11 of the KVKK, the relevant individuals have the following rights:

a) Learning whether personal data is processed or not,

b) If personal data has been processed, requesting information about it,

c) Learning the purpose of processing personal data and whether they are used in accordance with the purpose,

ç) Knowing who the third parties are to whom personal data is transferred, whether at home or abroad,

d) Requesting correction of personal data when processing is incomplete or incorrect,

e) Requesting the deletion or destruction of personal data within the parameters set out in Article 7,

f) Requesting notification of transactions carried out in accordance with subparagraphs (d) and (e) to third parties to whom personal data has been transferred,

g) Objecting to the emergence of a result against the individual by analyzing processed data solely through automated systems,

ğ) To seek restitution for damages incurred as a result of wrongful processing of personal data, Application to data controller

Making requests

Requests must be made in writing to Egesim (Article 13 of the KVKK).

In your written request;

o  What the demand is, in a clear and understandable way,

o  Identity (TCKN, name, surname) information,

o  Contact (e-mail, phone, address) information,

o  Documents proving the identity and contact information of the person concerned,

must be found.

Applications should be submitted using the application forms found at the links below, corresponding to the relevant company.

o  Egesim Electricity Application Form

o  Egesim Energy Application Form

o  Egesim Automation Application Form

Egesim concludes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

Egesim accepts the request or rejects it by explaining its reason and notifies the relevant person in writing or electronically. In case the request in the application is accepted, the data controller fulfills its requirements. If the application is rejected due to Egesim's fault, the application fee will be refunded.

An issue that should not be forgotten (Article 14 of the KVKK) is the right to complain.

In cases where the application is rejected, the answer provided is insufficient, or the application is not responded to in a timely manner, the person concerned may file a complaint with the Board within thirty days of learning the data controller's response and, in any case, within sixty days of the date of application. According to Article 13, a complaint cannot be filed unless the remedy has been exhausted. According to the general provisions those whose personal rights are violated, the right to compensation is reserved.

Egesim has fulfilled its KVKK obligation (Article 16) by registering with VERBIS.

Our company agrees to fulfill its obligations under the KVKK (Article 15) and to provide the required notifications within the legal time limits.

This policy is reviewed by our company once a year.

Every year, an internal audit is performed to ensure that the policy is being followed.

The followings were considered when creating the policy.

o  Constitution of the Republic of Turkey

o  Turkish Penal Code No. 5237

o  Protection of Personal Data Law No. 6698, Regulations and communiques

o  Personal Data Protection Board Decisions and Decision Summaries

o  VERBİS (Data Controllers Registry Information System)

o  All other laws and legislation related to Personal Data and which Egesim is obliged to comply with

o  Personal Data Protection Policy

o  Company policies, rules and procedures