Protection of Personal Data
1. Data Controller’s Identity
At Gediz Elektrik Perakende Satış A.Ş. (“Gediz” or the “Company”), we exercise due care to ensure safety and confidentiality of your personal data. Therefore, as the data controller as per the Personal Data Protection Law No. 6698 (the “Law”), we kindly bring the following to your attention under our liability to inform you to ensure that we can act in accordance with the Law with regards to the personal data we hold:
2. Processing of Personal Data and the Purposes for Processing
Your personal data is processed to ensure that our Company can offer the best services possible, although the purpose may vary depending on the services and commercial activities offered by Gediz. To this end:
If you are a natural person customer of our Company/ an employee/contact person/partner/authorized person or, in some situations, guardian/custodian/representative, guarantor or potential customers of legal entity or natural person commercial customers of our Company:
Your personal data (identity, contact details, customer transaction data) and sensitive personal data (as per the Regulation on Electricity Market Consumer Services, such data can be indirectly obtained from medical reports, and the religion and blood type details can be indirectly obtained from identity card and/or driver’s license copy, if shared by natural person customers) are processed in a limited manner for carrying out the subscription contract processes; following up the after-sales support services, customer relations management processes, customer satisfaction activities, legal/financial/accounting processes, and any requests/complaints; ensuring that the activities are in compliance with the Electricity Market Law and the secondary legislation, as well as other relevant legislations; conducting advertising/campaign/promotion/survey activities as part of the marketing analysis efforts and the marketing processes for the services offered; carrying out/auditing business activities; making audits; conducting activities to ensure business continuity; carrying out risk management processes; carrying out strategic planning activities; receiving and assessing the recommendations to improve business processes; following up and carrying out social responsibility and civil society activities; informing the authorized persons, entities and organizations if requested; carrying out communications activities; carrying out storage and archiving activities; carrying out information security processes and ensuring compliance with the policies and procedures of the Company and of the Aydem Holding group companies which the Company is affiliated with.
If you are an employee/contact person/partner/authorized person of our legal entity or natural person commercial customers/suppliers/business partners/subcontractors:
Your personal data (identity, contact and financial details and personnel information) and if shared, your sensitive personal data (medical and criminal sentence data) may also be processed to carry out contractual processes and product and service sales processes; to follow up legal, financial and accounting procedures; to carry out risk management processes; to carry out occupational health and safety processes; to carry out/audit business activities; to carry out performance assessment processes; to inform the authorized persons, entities and organizations if requested; to carry out communication activities and to conduct information security processes.
Furthermore:
- If you visit the workplaces of our Company, your identity data and physical location security data may be processed in a prudent and limited manner to ensure safety of the physical location, create visitor records and ensure compliance with the policies and procedures of Gediz;
- If you visit our website, your processing security data may be processed in a prudent and limited manner to keep logs on the electronic environment to fulfill the regulatory liabilities stipulated by Law No. 5651, ensure compliance with the policies and procedures of Gediz and carry out information security processes;
- If you log on to the free wireless network system provided by our Company, your personal data related to your identity, contact details and processing security may be processed in a prudent and limited manner to allow you to access the system, fulfill regulatory liabilities, prevent unlawful and unethical use of the system, ensure compliance with the policies and procedures of Gediz and carry out information security processes.
- Your personal data may also be transferred to physical archives and information systems to be stored in both digital and physical environments.
3. Parties to Whom the Personal Data Processed may be Transferred, and the Related Purposes
For the purposes set out in Article 2 of this Clarification Text, and depending on and limited to the reasons for transfer within the scope of the Law and the related regulations, your personal data collected may be transferred to the governmental bodies and organizations; independent audit companies; attorneys, law offices and mediation firms; banks; our business partners; systems of domestic and overseas information technology companies that we receive services from and collaborate with, including our suppliers; our Company’s domestic shareholders and group companies to carry out the operational processes and to get support from them and to databases used jointly with these companies.
4. Method and Legal Basis for Collecting Personal Data
For the purposes stated in Article 2 of this Clarification Text and depending on and limited to the legal reasons of performance of a contract, establishment and exercise of a right, legitimate interests of the data controller and presence of express consent as stated in Article 5 of the Law in accordance with the basic principles stipulated in the Law, your personal data may be collected via automated or non-automated methods, verbal or written information directly communicated to our electronic mail address by your employer or by you, applications and software used as part of the Company activities and through closed circuit camera systems.
5. Your Rights under Personal Data Protection
As per the legislation on personal data protection, you have the rights to find out if your personal data has been processed; request information regarding the processing of your personal data if processed; find out the purpose for processing the personal data and if the data is used by us in line with such purposes; find out the third parties to whom your personal data is transferred at home and abroad; request correction if your personal data was processed incompletely or incorrectly and request that the third parties to whom the data was transferred (if transferred) be informed of such procedure; request deletion or destruction of your personal data if the conditions that require processing of such data are no longer valid and request that the third persons to whom the data was transferred (if transferred) are informed of such procedure; raise an objection if you believe that there is a consequence to the detriment of you due to the fact that the processed data was analyzed by automated systems exclusively; and request compensation if you incur any loss due to unlawful processing of your personal data.
You can fill out the form at www.gedizperakende.com.tr to send your requests related to Article 11 of the Law, which sets out the rights of the relevant person, to Adalet Mahallesi, Anadolu Caddesi, Megapol Tower No:41 İç Kapı No:211 Bayraklı/İzmir in writing and in person with approved identity, or to kvk.gediz@aydemenerji.com.tr from your email address through which your membership was approved, as per the “Communiqué on the Procedures and Principles for Application to the Data Controller”.
As per Article 13 of the Law, our Company will conclude application requests as soon as possible and, in any case, within 30 (thirty) days at the latest depending on the nature of the request. If the process incurs any cost, the tariff determined by the Personal Data Protection Board shall apply. If the request is rejected, the reason(s) for rejection shall be justified in writing or in electronic environment. You can read our Company’s Policy on Protection and Processing of Personal Data for further information on the evaluation of application requests.
1. Data Controller’s Identity
At Gediz Elektrik Perakende Satış A.Ş. (“Gediz” or the “Company”), we kindly bring the following to your attention under our liability to inform you to ensure that we can act in accordance with the Personal Data Protection Law No. 6698 (the “Law”) and the related regulations regarding the personal data we obtain from you as the data controller:
2. Processing of Personal Data and the Purposes for Processing
Your personal data is processed to ensure that our Company can offer the best services possible, although the purpose may vary depending on the services and commercial activities offered by Gediz. To this end:
Your personal data (identity, contact details, customer transaction data) and sensitive personal data (as per the Regulation on Electricity Market Consumer Services, such data can be indirectly obtained from your medical reports, and the religion and blood type details can be indirectly obtained from your identity card and/or driver’s license copy, if shared by you) are processed in a limited manner for carrying out the subscription contract processes; following up the after-sales support services, customer relations management processes, customer satisfaction activities, legal/financial/accounting processes, and any requests/complaints; ensuring that the activities are in compliance with the Electricity Market Law and the secondary legislation, as well as other relevant legislations; conducting advertising/campaign/promotion/survey activities as part of the marketing analysis efforts and the marketing processes for the services offered; carrying out/auditing business activities; making audits; conducting activities to ensure business continuity; carrying out risk management processes; carrying out strategic planning activities; informing the authorized persons, entities and organizations if requested; carrying out communications activities; carrying out storage and archiving activities; carrying out information security processes and ensuring compliance with the policies and procedures of the Company and of the Aydem Holding group companies which the Company is affiliated with. Your personal data may also be transferred to physical archives and information systems to be stored in both digital and physical environments.
3. Parties to Whom the Personal Data Processed may be Transferred, and the Related Purposes
For the purposes set out in Article 2 of this Clarification Text, and depending on and limited to the reasons for transfer within the scope of the Law and the related regulations, your personal data collected may be transferred to the Energy Market Regulatory Authority and other governmental bodies and organizations; independent audit companies; law offices and attorneys; agencies; banks; our business partners; systems of Turkey-based information technology companies that we receive services from and collaborate with, including our suppliers; our Company’s domestic shareholders and group companies to carry out the operational processes and to get support from them and to databases used jointly with these companies.
4. Method and Legal Basis for Collecting Personal Data
As you are a customer of our Company, your personal data may be collected from the verbal or written information you provided to our Company through automated or non-automated means, from governmental bodies and agencies, from social media platforms, from the applications and software and the closed circuit camera systems used for the Company’s activities; for and limited to the legal reasons stipulated in Article 5 of the Law including express stipulation by law, establishment and performance of contracts, legal liabilities of the data controller, presence of an express consent, and legitimate interests of the data controller.
5. Your Rights under Personal Data Protection
As per the legislation on personal data protection, you have the rights to find out if your personal data has been processed; request information regarding the processing of your personal data if processed; find out the purpose for processing the personal data and if the data is used by us in line with such purposes; find out the third parties to whom your personal data is transferred at home and abroad; request correction if your personal data was processed incompletely or incorrectly and request that the third parties to whom the data was transferred (if transferred) be informed of such procedure; request deletion or destruction of your personal data if the conditions that require processing of such data are no longer valid and request that the third persons to whom the data was transferred (if transferred) are informed of such procedure; raise an objection if you believe that there is a consequence to the detriment of you due to the fact that the processed data was analyzed by automated systems exclusively; and request compensation if you incur any loss due to unlawful processing of your personal data.
1. Data Controller’s Identity
At Gediz Elektrik Perakende Satış A.Ş. (“Gediz” or the “Company”), we kindly bring the following to your attention under our liability to inform you to ensure that we can act in accordance with the Personal Data Protection Law No. 6698 (the “Law”) and the related regulations regarding the personal data we obtain from prospective employees as the data controller:
2. Processing of Personal Data and the Purposes for Processing
As you are a prospective employee, your personal data including your identity, contact details, professional experience, physical location security, family member details, visual data and your resumé that you provided to our Company, and your sensitive personal data including your medical and association membership data (if you have submitted) shall be processed, as part of the job application processes, to carry out the employee application processes and the selection, offer and recruitment processes; obtain camera recordings to ensure physical location security should you visit our Company; check references; ensure information and data security and to make sure that, if you are not recruited, we can assess your resumé for a potential future position or for an appropriate position at our group companies and that we can contact you in this regard. In addition, if you give your express consent, the said data shall be transferred to physical archives and information systems to be stored for 12 months in both digital and physical environments.
3. Parties to Whom the Personal Data Processed may be Transferred, and the Related Purposes
For the purposes set out in Article 2 of this Prospective Employee Clarification Text, and depending on and limited to the reasons for transfer within the scope of the Law and the related regulations, your personal data collected may be transferred to references, to Aydem Holding group companies which the Company is affiliated with, to databases used jointly with these companies and, if required, to governmental bodies and organizations.
4. Method and Legal Basis for Collecting Personal Data
Your personal data is collected in physical or electronic environments from the verbal or written applications made using our Company’s website or email address or made in person, from consultancy firms and from the information provided during interviews, from information provided by references and through closed circuit camera systems, in line with the basic principles stipulated in the Law and for and limited to the legal reasons stipulated in Article 5 of the Law including establishment of contracts, legitimate interests of the data controller, and presence of an express consent.
5. Your Rights under Personal Data Protection
As per the legislation on personal data protection, you have the rights to find out if your personal data has been processed; request information regarding the processing of your personal data if processed; find out the purpose for processing the personal data and if the data is used by us in line with such purposes; find out the third parties to whom your personal data is transferred at home and abroad; request correction if your personal data was processed incompletely or incorrectly and request that the third parties to whom the data was transferred (if transferred) be informed of such procedure; request deletion or destruction of your personal data if the conditions that require processing of such data are no longer valid and request that the third persons to whom the data was transferred (if transferred) are informed of such procedure; raise an objection if you believe that there is a consequence to the detriment of you due to the fact that the processed data was analyzed by automated systems exclusively; and request compensation if you incur any loss due to unlawful processing of your personal data.
PROLOGUE
Purpose
Protection of personal data is among the top priorities of Gediz Elektrik Perakende Satış A.Ş. (the “Company”), which makes its best efforts to act in line with all the applicable legislations in this regard. The Personal Data Protection Law No. 6698 (the “Law”) classifies persons’ data regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life or criminal conviction, or related to security measures, as well as biometric and genetic data as “Sensitive Personal Data”, attaching special importance to such data, and obliges data controllers to protect such data with an enhanced security standard.
Each of the group companies within the organization of Aydem Holding is subject to the provisions of this Policy.
This Gediz Elektrik Perakende Satış A.Ş. Sensitive Personal Data Processing Policy (the “Policy”) sets out the principles adopted while our Company conducts Sensitive Personal Data processing operations and minimum data security measures to be taken by the Company while conducting Sensitive Personal Data processing operations.
Scope
This Policy relates to Sensitive Personal Data belonging to identified or identifiable natural persons as defined under the Law, which is processed within the Company through automated or, provided it is part of a data storage system, non-automated means.
MATTERS WITH REGARD TO PROCESSING OF SENSITIVE PERSONAL DATA
General Principles to be Observed while Processing Sensitive Personal Data
Our Company processes Sensitive Personal Data:
- In accordance with the law and the rules of honesty;
- In a way that is accurate, and whenever required, up-to-date;
- For specific, clear and legitimate purposes;
- In a way that is related, limited and restricted to the purpose for which the same is processed;
- For the duration set out in the relevant legislation or that is necessary for the purpose of processing.
Conditions of Processing Sensitive Personal Data
Sensitive Personal Data is covered in the law separately and with limits.
Sensitive Personal Data is processed by our Company in accordance with the principles set out in this Policy, taking all necessary administrative and technical measures, including minimum security measures specified or to be specified by the Personal Data Protection Board (the “Board”), in the presence of at least one of the following conditions.
a) The data subject provides express consent;
b) It is expressly set out in the law;
c) It is required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person;
ç) It relates to the personal data made public by the data subject and is in line with the will of making public;
d) It is required for establishing, exercising or protecting a right;
e) It is required for the persons or authorized agencies and organizations who are under privacy obligation to protect public health and to carry out preventive medicine, medical diagnosis, treatment and care services, as well as to plan, manage and provide financing for health services;
f) It is required for fulfilling legal obligations in the areas of employment, work health and safety, social security, social services and social assistance;
g) It is intended for current or former members and regulars of foundations, associations and other non-profit organizations or entities that are incorporated for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and entities, provided this is in line with the regulation they are subject to and their purposes, limited to their line of operations and that it is not disclosed to third parties.
MATTERS REGARDING TRANSFER OF SENSITIVE PERSONAL DATA
CLARIFICATION OF DATA SUBJECTS AT THE TIME OF OBTAINING SENSITIVE PERSONAL DATA
According to Article No. 10 of the Law, data controllers or the persons authorized by them have to provide clarification to data subjects at the time of obtaining personal data. While fulfilling its obligation to provide clarification to data subjects, our Company informs data subjects at least on the following matters:
- Identity of the data controller and any representative thereof;
- The purpose for which the personal data will be processed;
- Parties to whom, and for which purposes, the personal data may be transferred;
- Method and legal basis for collection of personal data;
- The rights listed in the Article No. 11 of the Law and conferred to data subjects, and how these rights might be exercised.
Except in cases where alternative techniques and methods are adopted, disclosure forms are used which are offered to data subjects in the physical or electronic environment, in a way that it can be later proved, in order for the Company to fulfill its obligation of clarification. Company employees assigned to processes where Sensitive Personal Data is processed must ensure the necessary disclosure forms are provided to data subjects and data subjects are provided clarification prior to obtaining personal data.
STORAGE AND DESTRUCTION OF SENSITIVE PERSONAL DATA
Pursuant to the obligation of deletion, destruction or anonymization of personal data as regulated in Article No. 7 of the Law, if the reasons requiring processing thereof are no longer present even though they were processed by our Company in accordance with the provisions of the Law and the legislation, all personal data including Sensitive Personal Data is deleted, destroyed or anonymized pursuant to the decision made by our Company ex officio or personal request of the Data Subject. Our Company reserves the right to refuse to fulfill the request of the data owner where it has the right and/or obligation to keep personal data pursuant to the relevant provisions of the legislation.
Details regarding storage and destruction of personal data can be found in the Personal Data Storage and Destruction Policy, which can be accessed in QDMS, the integrated management system providing the Company management standards.
ENSURING SECURITY AND CONFIDENTIALITY OF SENSITIVE PERSONAL DATA
In this regard, our Company takes all necessary administrative and technical measures, the relevant measures are reviewed and updated according to current Board decisions, and if personal data is unlawfully disclosed, action is taken according to the measures set out in the Law.
The standard technical and administrative data security measures already taken by the Company in other processes shall continue to be taken to the extent it is appropriate with regard to processes where Sensitive Personal Data is processed. Detailed information regarding data security measures taken by the Company can be obtained from the Gediz Elektrik Perakende Satış A.Ş. Data Security Policy, which can be accessed from QDMS, the integrated management system providing the Company management standards.
Administrative Measures Taken by Our Company to Ensure Sensitive Personal Data is Processed Lawfully and to Prevent Unlawful Access to Sensitive Personal Data
Risks that might occur in relation to Sensitive Personal Data in our Company were identified and measures to be taken against these risks were determined;
Our Company trains and informs its employees on the processing and protection of Sensitive Personal Data and carries out activities to raise their awareness.
Employees who have access to Sensitive Personal Data are required to sign the Employee Non-Disclosure Commitment in order to ensure security of Sensitive Personal Data.
Scope and duration of access of employees to Sensitive Personal Data are restricted.
Authorizations are periodically checked.
Access authorizations of employees who are reassigned or who quit are immediately revoked. The inventory entrusted to them in this regard is returned as well.
As highlighted in the guides and publications of the Authority, Sensitive Personal Data is minimized to the extent possible, pursuant to the principle of minimization of data, and Sensitive Personal Data that is not required or is not up-to-date or that does not serve a purpose is not collected, and if such data was collected during the period prior to the KVKK, the same is destroyed in accordance with the Personal Data Storage and Destruction Policy.
Technical Measures Taken by Our Company to Ensure Sensitive Personal Data is Processed Lawfully and to Prevent Unlawful Access to Sensitive Personal Data
If the environments where Sensitive Personal Data is processed, kept and/or accessed are electronic environments:
- Our Company keeps Sensitive Personal Data using cryptographic methods.
- Cryptographic keys are kept in secure and different environments.
- Transaction records of all actions performed on Sensitive Personal Data are securely logged.
- Security updates for the media where Sensitive Personal Data is kept are continuously followed, regular vulnerability scans are performed on our systems, any weaknesses of the operating systems and software that we use are detected and the necessary updates are made. The strength of our cyber security is tested through periodic penetration tests and the necessary improvements are made. Regular checks are performed on patch management and software updates, proper operation of software and hardware and whether the security measures taken for the systems are adequate. Our brands, the Company’s domain addresses and our internet services are continuously monitored through cyber intelligence services.
- If Sensitive Personal Data is accessed through software, then user authorizations are made for that software, necessary security tests are regularly performed or procured, and test results are recorded.
- If remote access to Sensitive Personal Data is required, an authentication system with a minimum of two steps is provided.
If the environments where Sensitive Personal Data is processed, kept and/or accessed are physical environments:
- It is ensured that adequate security measures (against situations such as electrical leakage, fire, flooding or theft) are taken depending on the nature of the environment where Sensitive Personal Data is kept.
- Physical security of these environments is ensured and unauthorized entries and exits are prevented.
Measures Taken by Our Company to Ensure Lawful Transfer of Sensitive Personal Data
If Sensitive Personal Data needs to be transferred by e-mail, our Company transfers it in encrypted form using its corporate e-mail address or Registered Electronic Mail (REM) account.
If it needs to be transferred via media such as Flash Disk, CD or DVD, it is encrypted using cryptographic methods and the cryptographic key is kept in a different environment.
If transfer is made between servers in different physical environments, data transfer is made between servers using VPN or the sFTP method.
If Sensitive Personal Data needs to be transferred in printed format, necessary measures are taken against risks such as the document being stolen, lost or seen by unauthorized persons, and the document is sent in a “classified documents” format.
Measures to be Taken if Sensitive Personal Data is Unlawfully Disclosed
PROTECTION OF YOUR SENSITIVE PERSONAL DATA
KVKK, Article No. 6 specifies that data regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life or criminal conviction, or related to security measures, as well as biometric and genetic data are considered Sensitive Personal Data since they bear the risk of causing aggrievement of persons or discrimination if processed unlawfully, and subjects the processing of such data to a more sensitive protection.
Our Company provides clarification to Data Subjects at the time of obtaining Sensitive Personal Data in accordance with the KVKK, Article No. 10. Sensitive Personal Data is processed upon taking measures according to the KVKK and performing or procuring the necessary inspections.
With regard to processing Sensitive Personal Data, express consent of Data Subjects is not sought if any of the conditions specified in the KVKK, Article No. 6 is present. Regardless of the reason for processing, general principles of data processing are always considered and complied with.
Our Company takes special measures to ensure security of Sensitive Personal Data. Due to the principle of data minimization, Sensitive Personal Data is not collected unless it is required for the relevant business process and is only processed where necessary. Where Sensitive Personal Data is processed, technical and administrative measures deemed necessary for compliance with legal obligations and for compliance with the measures determined by the KVK Board are taken.
APPENDIX 1 - Definitions
Express Consent: Refers to consent that is declared at one’s free will, based on being informed on a certain matter.
Data Subject: Refers to the natural person whose personal data is processed.
Personal Data: Refers to any information related to an identified or identifiable natural person (such as full name, Turkish Id Number, e-mail, address, date of birth, credit card number). Therefore, processing information related to legal entities does not fall under the scope of the Law.
Sensitive Personal Data: Refers to data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life or criminal conviction, or related to security measures, as well as biometric and genetic data.
Processing of Personal Data: Refers to any transaction performed on data such as obtaining, recording, storing, maintaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data through entirely or partially automated or, provided they are part of a data storage system, non-automated means.
Data Controller: Refers to the natural person or legal entity determining the purposes and means of processing personal data and responsible for establishing and managing the data storage system.
Registered Electronic Mail (REM) Address: Refers to a qualified type of e-mail address, which provides legal evidence regarding use of electronic messages including their submission and delivery.
Mobile Signature: Refers to the electronic signature created using a mobile device.
Secure Electronic Signature: Refers to the electronic signature that relates exclusively to the owner of the signature, generated using the tool for creating a secure electronic signature that is solely at the disposal of the owner of the signature, allowing identification of the owner of the signature based on qualified electronic certificate, as well as allowing detection of whether any subsequent modification was made on the signed electronic data.
QDMS: The integrated management system providing the Company management standards.
Prologue
Pursuant to the Constitution of the Republic of Türkiye, article 20, everyone has the right to request protection of personal data relating to them. This right includes being informed of personal data relating to the person, requesting access to such data or correction or deletion thereof, and learning whether the data is used pursuant to the purposes of processing.
The Personal Data Protection Law No. 6698 (the “KVK Law”) regulates the protection of basic rights and freedoms of persons in the processing of personal data, the obligations of the natural persons and legal entities processing personal data, and the procedures and principles that they shall follow. This Policy was prepared in this regard to ensure compliance with the obligations set out in the KVK Law.
The purpose of this Policy is to ensure protection of the personal data of guarantors, customers, visitors, suppliers and third parties. Protection of personal data of our employees is handled under the Policy on the Protection and Processing of Employees’ Personal Data, which was drafted in parallel with the principles of this Policy.
In case of any contradiction between the KVK Law and other relevant legislation and the Policy on the Protection and Processing of Personal Data, the legislation in force shall prevail.
Purpose
The Gediz Elektrik Perakende Satış A.Ş. (the “Company”) Policy on the Protection and Processing of Personal Data (the “Policy”) was prepared in order to protect the fundamental rights and freedoms of persons in the processing of personal data, in particular privacy, and to establish the obligations of natural persons and legal entities processing personal data and the procedures and principles they shall follow.
The Policy aims to maintain and improve the operations carried out by the Company in line with the principles set out in the KVK Law.
Scope
The data owners whose personal data is processed under this Policy were categorized as follows:
Customers: Natural persons whose personal data is obtained due to business relations under the scope of the operations conducted by the Company regardless of the presence of any contractual relationship
Third Parties: Third-party natural persons related to the aforementioned parties in order to ensure security of business transactions between our Company and said parties or to protect their rights and to obtain benefits (such as guarantors, attendants, family members and relatives) or any natural persons whose personal data needs to be processed by our Company for a certain purpose despite not being expressly specified under the Policy (such as former employees)
Employee Candidate / Intern Candidate: Natural persons who applied to our Company for a job through any means or who made their CV and relevant information available for perusal of our Company
Employees, Shareholders and Officers of Organizations that We Collaborate With: Natural persons employed at organizations with which our Company has any business relationship, including shareholders and officers of those organizations (including but not limited to business partners and suppliers)
Visitor: Natural persons who entered the physical facilities (offices, etc.) that our Company owns or where our Company holds an organization for various purposes or who visit our websites
Definitions
The definitions used in this Policy are as follows:
Express consent: Consent that is declared at one’s free will, based on being informed on a certain matter
Anonymization: Making personal data such that they cannot be associated with an identified or identifiable natural person in any way even by matching with other data
Supplier: Natural persons offering products or services to the Company
Personal health data: Any information relating to an identified or identifiable natural person’s physical and mental health and information regarding the health service offered to the person
Processing of personal data: Any transaction performed on data such as obtaining, recording, storing, maintaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing
KVK Law: Personal Data Protection Law No. 6698
KVK Board: Personal Data Protection Board
KVK Authority: Personal Data Protection Authority
Sensitive personal data: Persons’ data regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership in associations, foundations or trade unions, health, sexual life or criminal conviction, or related to security measures, as well as biometric and genetic data
TCK: Turkish Penal Code No. 5237
Data processor: Natural person or legal entity processing personal data on behalf of the data controller based on the power granted by it
Personal data owner: Natural person who is named “data subject” in the KVK Law and whose personal data is processed
Application Form for Personal Data Owners: The application form to be used by the personal data owners whose personal data is processed within the organization of the Company while they file their application with regard to their rights set out in the KVK Law, article 11
Data controller: Natural person or legal entity determining the purposes and means of processing personal data and responsible for establishing and managing the data storage system
Registry of Data Controllers: The registry of data controllers kept by the Directorate under supervision of the Personal Data Protection Board
Data Inventory: The inventory that the Company creates and details by associating the personal data processing operations carried out by it in relation to its business processes with the purposes of processing personal data, the group of receivers to whom personal data is transferred and the relevant group of personal data owners
5. General Principles Regarding Processing of Personal Data
Pursuant to the KVK Law, article 3, any transaction performed on data such as obtaining, recording, storing, maintaining, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data through means that are entirely or partially automated or, provided they are part of a data storage system, non-automated, fall under the scope of personal data processing.
The following principles have to be observed in the processing of personal data:
Complying with the law and rules of honesty
Our Company carries out its personal data processing operations in accordance with the law and rules of honesty, in line with the KVK Law and the relevant legislation, in particular the Constitution.
Being accurate, and whenever required, up-to-date
All administrative and technical measures are taken by our Company to ensure the personal data is accurate and current while carrying out the processing of personal data.
Processing for specific, clear and legitimate purposes
Our Company specifies its purpose of processing personal data clearly and precisely prior to starting the processing of personal data.
Being related, limited and restricted to the purpose for which the data can be processed
Our Company processes personal data to the extent necessary for realizing the specified objectives. No data processing is performed on the assumption that they might be used later.
Keeping for the duration set out in the relevant legislation or that is necessary for the purpose of processing
Our Company keeps personal data for the limited duration which is set out in the KVK Law and the relevant legislation, or that which is required for the purpose of data processing.
6. Terms of Processing of Personal Data
Our Company may process personal data and sensitive personal data with the express consent of the personal data owner, or without seeking express consent in cases that are set out in the KVK Law, articles 5 and 6.
6.1. Processing of Personal Data
Our Company carries out its personal data processing operations in accordance with the conditions of processing data as set out in the KVK Law, article 5:
Being expressly set out in the law.
Being required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person.
Processing personal data of contractual parties is required, provided this is directly related to establishing or fulfilling the agreement.
Being required in order for our Company to fulfill its legal obligation.
Being made public by the owner of the personal data.
Data processing is required for establishing, exercising or protecting a right.
Data processing is required for the legitimate interests of our Company provided this does not bring harm to the fundamental rights and freedoms of the owner of the personal data.
6.2. Processing of Sensitive Personal Data
The Company attaches further significance to processing sensitive personal data that poses the risk of causing discrimination if processed unlawfully. In this regard, in the processing of sensitive personal data of the Employees by the Company, firstly it is determined whether the conditions of processing data are present, and once it is ensured that the lawfulness condition is satisfied, data processing is then performed.
Processing sensitive personal data is possible if:
a) The data subject provides express consent;
b) It is expressly set out in the law;
c) It is required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person;
ç) It relates to the personal data made public by the data subject and is in line with the will of making public;
d) It is required for establishing, exercising or protecting a right;
e) It is required for the persons or authorized agencies and organizations who are under privacy obligation to protect public health and to carry out preventive medicine, medical diagnosis, treatment and care services, as well as to plan, manage and provide financing for health services;
f) It is required for fulfilling legal obligations in the areas of employment, work health and safety, social security, social services and social assistance;
g) It is intended for current or former members and regulars of foundations, associations and other non-profit organizations or entities that are incorporated for political, philosophical, religious or trade union purposes, or persons who are in regular contact with these organizations and entities, provided this is in line with the regulation they are subject to and their purposes, limited to their line of operations and that it is not disclosed to third parties.
6.3. Legal Grounds of Processing Your Personal Data
We process your personal data based on the legal grounds provided below, which are set out in the KVK Law article 5 and notably the Turkish Commercial Code No. 6102, Turkish Code of Obligations No. 6098, Tax Procedural Law No. 213 and the legislation on electronic commerce:
We process your data based on your consent in situations where we need to obtain your express consent pursuant to the KVK Law and the relevant legislation (Please note that in this case you may withdraw your consent any time)
In cases permitted by the applicable legislation
When it is required to protect life-critical interests of any person
In situations where we need to make an agreement with you, or where actions need to be performed under the agreement and where we need to fulfill our obligations under an agreement
To fulfill our legal obligations
If you made your personal data public
If data processing is required for establishing or protecting certain rights; to exercise our legal rights and to make defense against legal claims against us
When required for our legal interests provided this does not bring harm to your fundamental rights and freedoms
7. Ensuring Security and Confidentiality of Personal Data
Our Company takes all the necessary technical and administrative measures to ensure an appropriate level of security for maintaining personal data, and to prevent unlawful processing of and unlawful access to the personal data that it processes, in accordance with the KVK Law, article 12.
7.1. Technical Measures Taken to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
Our Company took all technical and technological security measures to protect your personal data and secured your personal data against potential risks. The measures are as follows:
- Taking the technical measures to the extent permitted by technology
- Employing experts on technical matters
- Inspecting the implementation of the measures taken at regular intervals
- Creating the necessary software and infrastructure for ensuring security
- Limiting access to data processed within the organization of the company
- Using a backup program in line with the law to ensure secure storage of personal data
- Using software including virus protection systems
7.2. Administrative Measures Taken to Ensure Lawful Processing of Personal Data and to Prevent Unlawful Access to Personal Data
- Training and creating awareness among the company’s employees with regard to the KVK Law;
- When personal data transfer is being performed, ensuring an entry is added in the agreements made with the persons to whom the personal data is transferred, that the party to whom personal data is transferred shall ensure data security;
- Identifying what actions need to be performed for compliance with the KVK Law and preparing internal policies for the implementation of said actions;
- As highlighted in the guides and publications of the Personal Data Protection Authority, personal data is minimized to the extent possible, pursuant to the principle of minimization of data, and personal data that is not required or is not up-to-date or that does not serve a purpose is not collected, and if such data was collected during the period prior to the KVK Law, data is destroyed in accordance with the Personal Data Storage and Destruction Policy.
- Access authorizations are limited, an authorization matrix is created and powers are regularly reviewed. Relevant authorizations of employees who are reassigned or who quit are revoked.
- The Company inspects the operation of technical and administrative measures taken under the scope of protection and ensuring security of personal data and carries out applications that will ensure continuity of the operation. The results of the inspections conducted in this regard are reported to the relevant department at the Company. Activities aimed at developing and improving the measures taken for the protection of data are carried out pursuant to the inspection results.
7.3. Measures to be Taken if Personal Data is Unlawfully Disclosed
If processed personal data is unlawfully obtained by others, our Company shall communicate the matter to the relevant data owner and the Board as soon as possible.
8. Purposes of Processing of Personal Data and Retention Periods
8.1. Purposes of Processing of Personal Data
Personal data may be processed by the Company for the following purposes and may be stored for the duration required for these purposes and required under the relevant legal terms.
Purposes of Processing Personal Data
Carry out electricity retail sale operations
Carry out operations the Company is required to conduct under legal and administrative obligations;
Inform the data owner of changes in the rules and policies set out in the legislation or accepted within the Company;
Inquire, detect, report and prevent unlawful actions, and manage and carry out activities that are subject to the legal process;
Protect legitimate interests;
Negotiate, create and perform under agreements;
Make due diligence under the scope of the requests and questions and respond to the data subject;
Carry out promotional activities, ask for the opinion of data owners through surveys and polls and ensure customer / employee satisfaction;
Maintain workflow and coordination between units and increase efficiency;
Examine the suitability of candidates for the relevant position during job application, candidate assessment and recruitment processes and contact the candidates, as well as the persons relevant to the job application;
Make entries for visits and track cargo;
Take the necessary measures by ensuring security of the digital systems and physical environments belonging to or used by the Company and making the relevant evaluations;
Ensure the business units carry out the necessary works so the customers benefit from the products and services offered;
Plan and execute corporate sustainability operations;
Perform the corporate law actions;
Ensure legal and commercial security of persons with whom a business relationship is in place;
Carry out business operations for determining and implementing commercial and work strategies.
8.2. Personal Data Retention Periods
We keep your personal data only for the duration that is necessary for fulfilling the purpose of collecting them. We determine these durations separately for each business process and we destroy your personal data according to the KVK Law and the Personal Data Storage and Destruction Policy upon expiry of the relevant duration if there is no other reason requiring us to keep your personal data.
We consider the following criteria while determining the destruction time of your personal data:
The time period commonly accepted in the sector where the data controller operates, given the purpose of processing of the relevant data category;
The period for which the legal relationship will continue, where the legal relationship is created with the data subject and requires the processing of the personal data in the relevant data category;
The period for which the legitimate interest maintained by the data controller will be applicable in accordance with the law and rules of integrity with a view to the purpose of processing of the relevant data category;
The period for which the risks, costs and obligations arising from storing the relevant data category according to the purpose of processing will be legally applicable;
Whether the maximum duration to be determined is convenient for keeping the relevant data category accurate and, where necessary, current;
The period for which the data controller is required to keep the personal data falling under the relevant data category due to their legal obligation;
The timeout period granted by the data controller for exercising certain rights related to the personal data in the relevant data category.
9. Deletion, Destruction and Anonymization of Personal Data
Pursuant to the KVK Law, article 7, personal data is deleted, destroyed or anonymized by our Company automatically or upon request of the personal data owner once the reasons requiring processing thereof are no longer present even though the personal data was processed in accordance with the relevant legislation.
Procedures and principles regarding the matter shall be fulfilled according to the KVK Law and the secondary legislation based on that Law.
9.1. Methods of Deletion and Destruction of Personal Data
Our Company may delete or destroy personal data at its own discretion or upon request of the personal data owner once the reasons requiring processing thereof are no longer applicable even though data was processed in accordance with the provisions of the relevant law. The deletion or destruction methods most used by our Company are as follows:
Physical Destruction
Personal data may also be processed through non-automated means provided this is part of a data storage system. When deleting or destroying such data, the system of physically destroying personal data is used so that it cannot be used later.
Safely Deleting from Software
While deleting or destroying data that was processed through entirely or partially automated means and kept in digital media, certain methods are used where the data is deleted from the relevant software so that it can never be recovered.
Secure Deletion by an Expert
In some cases, our Company may engage an expert to delete the personal data on the Company’s behalf. In this case, the personal data is securely deleted or destroyed by the specialist in such way that it can never be recovered.
9.2. Methods of Anonymization of Personal Data
Making personal data such that it cannot be associated with an identified or identifiable natural person in any way even by matching with other data.
Masking
Data masking refers to the method of removing the fundamental identifying information from within the dataset, thereby anonymizing the personal data.
For example: Removing information such as Turkish Id Number and name, which allows identification of the personal data owner, thereby transforming the dataset into one where identifying the personal data owner is impossible.
Consolidation
Using the data consolidation method, many pieces of data are consolidated, where personal data can no longer be associated with any person.
For example: Displaying that there are y customers at the age of x, without showing the age of customers individually.
Derived Data
Using the data derivation method, a more general content is created from the personal data content, ensuring the personal data cannot be associated with any person.
For example: Stating age rather than date of birth; stating the area of residence rather than full address.
Data Mixing
Using data mixing method allows mixing the values within the personal dataset, removing any connections between values and persons.
For example: Altering the properties of audio records so the voices cannot be associated with the data owner.
10. Third Persons the Personal Data is Transferred to and the Purposes of Transfer
The procedures and principles to apply for personal data transfers are set out in the KVK Law, articles 8 and 9, and personal data and sensitive personal data of the personal data owner may be transferred to third parties at home or abroad. Your personal data may be shared with the third persons offering services to the Company, contracted agencies, lawyers for the resolution of legal disputes, natural persons and legal entities with which we have a proxy relationship, our business partners and other third parties, including but not limited to cases required by the Law and other legislation, other regulations related to the laws, regulations of supervisory and regulatory authorities and organizations, and public authorities, in order to provide the services. But, in any case, personal data cannot be transferred without express consent of the personal data owner, excluding exceptional cases.
10.1. Domestic Transfer of Personal Data
In accordance with the KVK Law, article 8, domestic transfer of personal data shall be possible provided one of the conditions set out in this Policy, part 6 titled “Conditions of Processing Personal Data” is met.
10.2. Overseas Transfer of Personal Data
Pursuant to the KVK Law, article 9, the Company may transfer personal data abroad;
If a decision of adequacy was issued by the Board regarding the country, the sectors inside the country or international organizations to which the transfer is to be made or;
If the parties provide one of the following appropriate assurances, provided the data subject is able to exercise their rights and commence effective legal proceedings in the country to which the transfer is to be made:
a) An agreement is in place that is not in the nature of an international agreement between the overseas public bodies and organizations or international organizations and the public bodies and organizations or professional organizations in the nature of a public agency in Türkiye, and the Board allows the transfer.
b) Binding company rules are in place containing provisions on the protection of personal data, which are approved by the Board and which are binding on the companies within the group of initiatives conducting shared economic activity.
c) A standard agreement is in place, setting out matters such as data categories, purposes of data transfer, receivers and receiver groups, technical and administrative measures to be taken by the data receiver, and additional measures taken for sensitive personal data, as announced by the Board.
ç) A written letter of commitment is in place containing provisions that would provide adequate protection and the Board allows the transfer.
The standard agreement is reported by the data controller or data processor to the Authority within five business days from the signature thereof.
If there is no decision of adequacy and any of the appropriate assurances set out in the fourth paragraph cannot be provided, data controllers and data processors may transfer personal data abroad only if one of the following situations is present, provided this is incidental:
a) The data subject provides express consent for the transfer, provided they are informed regarding possible risks.
b) The transfer is required for fulfilling an agreement between the data subject and the data controller or implementing the pre-agreement measures taken upon request of the data subject.
c) The transfer is required for establishing or fulfilling the agreement between the data controller and another natural person or legal entity for the benefit of the data subject.
ç) The transfer is required for the best interests of the public.
d) The transfer of personal data is required for establishing, exercising or protecting a right.
e) Transfer of personal data is required for protecting the life or corporal integrity of the person who is unable to express their consent due to actual impossibility or whose consent is not legally recognized, or of another person.
f) Making transfer from a registry that is open to the public or to persons with legitimate interests, provided the conditions for having access to the registry as set out in the relevant legislation are satisfied and the person with legitimate interests makes a request.
Provisions in other laws regarding overseas transfer of personal data are reserved.
10.3. Groups of Persons to Whom Our Company Transfers Personal Data
Our Company may transfer the personal data of personal data owners that fall under the scope of this Policy to the groups of persons specified below for the specified purposes in accordance with the KVK Law, articles 8 and 9:
| GROUPS OF PERSONS | DEFINITION | PURPOSE OF TRANSFER |
| --- | --- | --- |
| Legally Authorized Public Bodies and Organizations | Public and/or administrative bodies including but not limited to the Energy Market Regulatory Authority (EPDK), Energy Exchange Istanbul (EXIST), Turkish Electricity Transmission Corporation (TEİAŞ), Turkish Electricity Distribution Corporation (TEDAŞ), Turkish Statistical Institute (TurkStat), Republic of Türkiye Ministry of Energy, Turkish Employment Agency, Republic of Türkiye Ministry of Family, Labor and Social Services, Social Security Institution, District Health Directorates and municipalities | To comply with obligations such as reporting or notifying before these organizations and to fulfill their requests provided this is limited to the purpose of request within the framework of the powers of the relevant public bodies and organizations. |
| Legally Authorized Special Legal Persons | Special legal persons authorized to obtain documents and information from our company in accordance with the relevant provisions of the legislation | Limited to the purpose declared by the relevant special legal persons within their legal powers. |
| Service providers | Companies offering cloud computing services or companies offering database services, servers | Limited to the purpose of executing the functions and services with maximum efficiency in accordance with current technologies. |
| Professional Advisors | Banks, Insurance companies, Auditors, Lawyers, Accountants, Shipping Companies, Warehouses, Cargo Companies, Service Companies, Travel Agencies | Limited to the purpose of maintaining business operations, carrying out tender processes, intermediation and arbitration processes, and maintaining our relations with our suppliers. |
11. Our Company’s Obligation of Clarification
Our Company must inform personal data owners at the time of collecting personal data in accordance with the KVK Law, article 10. In this regard, our Company fulfills its obligation of clarification on the following matters:
Our Company’s name in the capacity of data controller
The purpose for which the personal data will be processed
Parties to whom, and for which purposes, the personal data processed may be transferred
Method and legal basis for collection of personal data
Rights of the personal data owner
12. Rights of the Personal Data Owners and Exercising These Rights
In accordance with the KVK Law, article 13, evaluation of the rights of personal data owners and the required clarification to personal data owners are performed via the Company Personal Data Subject Application Form besides this Policy. Personal data owners may communicate their complaints or requests regarding processing operations for their personal data to us pursuant to the principles specified in the relevant form.
12.1. Right of Application
Pursuant to the KVK Law, article 11, anyone whose personal data is processed may consult our Company and make requests in relation to themselves on the following matters:
learning whether their personal data is processed or not;
demanding information as to whether their personal data has been processed;
finding out the purpose of processing their personal data and whether the data has been used for the intended purpose;
finding out the third parties to whom their personal data has been transferred at home or abroad;
requesting the rectification of the incomplete or inaccurate data, if any, and requesting reporting of the operations carried out as per this paragraph to third parties to whom their personal data has been transferred;
requesting the erasure, destruction or anonymization of their personal data under the conditions where the grounds for processing no longer exist, and requesting reporting of the operations carried out as per this paragraph to third parties to whom their personal data has been transferred;
objecting to the occurrence of a result against the data owner by analyzing the data processed solely through automated systems;
claiming compensation for the damage arising from the unlawful processing of their personal data.
12.2. Situations Outside the Scope of the Right of Application
Pursuant to the KVK Law, article 28, the personal data owners cannot claim their rights in the following situations:
Their personal data is processed by natural persons entirely under the scope of operations related to themselves or family members living in the same housing provided the data is not provided to third parties and data security obligations are fulfilled;
Their personal data is processed for official statistics, and upon anonymization, for purposes such as research, planning and statistics;
Their personal data is processed for art, history, literature or scientific purposes or under the scope of freedom of expression, provided this does not violate national defense, national security, public safety, public order, economic safety, privacy or personal rights or constitute a crime;
Their personal data is processed under the scope of preventive, protective and intelligence operations conducted by public bodies and organizations whose duties and powers are assigned by law for maintaining national defense, national security, public safety, public order or economic safety;
Their personal data is processed by judicial bodies or execution authorities with regard to investigations, proceedings, trials or executions.
Pursuant to the KVK Law, article 28, paragraph 2, personal data owners cannot claim their rights in the following situations (except for the right to request indemnification):
Personal data processing is required for the prevention of committing a crime or for investigating a crime.
Processing personal data that was made public by the data subject.
Processing personal data is required for the assigned and authorized public bodies and organizations and professional organizations in the nature of public agencies to carry out their duties of inspection or regulation, and for disciplinary investigations and proceedings, based on the powers conferred by the law.
Processing personal data is required for protecting the economic and financial interests of the Government with regard to budget, taxes and financial matters.
12.3. Procedure for Replies
In accordance with the KVK Law, article 13, our Company shall finalize the application requests made by the personal data owner as soon as possible and in any case within 30 (thirty) days at the latest depending on the nature of the request, free of charge.
The application of the personal data owner may be declined in the following situations:
It prevents the rights and freedoms of other persons
It requires disproportionate effort
The information in question is publicly available
It endangers others’ confidentiality
One of the situations that are outside the scope according to the KVK Law is present
13. Personal Data Processing Operations Performed within the Company and Data Processing Operations Performed on the Website
13.1. Camera Surveillance inside the Company
Camera surveillance is implemented inside our Company to protect the interests of our Company and other persons with regard to ensuring their security.
A procedure was prepared with regard to areas with a camera, the field of view of the cameras and the durations of keeping records and is implemented in our Company. This procedure is considered prior to installing a camera and the camera is only installed after consideration thereof.
No surveillance is made in areas that might give rise to breach of privacy. Only a limited number of our Company employees, and if needed, the employees of the security company, which is in the position of a supplier, have access to security camera records. Those persons who have access to the records declare, through the non-disclosure commitment they sign, that they shall protect the confidentiality of the data they had access to.
13.2. Entrance-Exit of Customers Visiting the Company
Personal data processing is performed to keep track of entries and exits of our guests visiting our Company. While obtaining the full names of persons visiting our Company, such data is processed solely for this purpose and the relevant personal data is entered in the recording system in the physical environment.
13.3. Website Visitors
For the persons visiting our Company’s website, their internet movements within the website are recorded in order to allow the website to display content that is customized for the visitor and to display online ads (through technical means such as cookies) so that they can visit the website in line with their purpose of visiting. Detailed explanations regarding these activities of our Company can be found in the Privacy Policies texts on our website.
This Policy may be revised by the Company if deemed necessary. When a revision is made, the Policy’s updated version will be posted on the Company’s website.