BAKIRLAR ENERGY
POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA
CONCEPTS
| Processing of Personal Data | Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, obtaining personal data in whole or in part by automatic or non-automatic means, provided that it is a part of any data recording system. All kinds of operations performed on data such as making it accessible, classifying or preventing its use. |
| Personal Data Owner/Relevant Person | The real person whose personal data is processed. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Special Quality Personal Data | Data on race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric data and genetic data. |
| Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). |
| Delete | It is the process of making personal data inaccessible to relevant users and not reusable in any way. |
| Destroy | |
| Anonymization | It is to render personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. With this method, personal data should be rendered unrelated to an identified or identifiable natural person, even by using appropriate techniques for the recording medium and the relevant field of activity, such as returning personal data by the recipient or recipient groups and matching the data with other data. |
| Data Processor |
CHAPTER I
INTRODUCTION
The purpose of this regulation is to protect our customers, employee candidates, employees, people with whom we have business relations, visitors and all other personal data within the scope of the Law on Protection of Personal Data No. 6698.
With this Policy, the principles to be adopted by our Company and to be taken into account at the point of implementation have been set forth in the processing, protection, deletion, destruction and anonymization of personal data.
PURPOSE
The purpose of this Policy is to inform our target audience, whose personal data are processed, and to determine the policy for the protection and processing of personal data, regarding the personal data processing activity carried out by our Company in accordance with the law and the processes adopted for the protection of personal data.
SCOPE
This Policy; It relates to all personal data of real persons processed by our company.
ENFORCEMENT OF THE POLICY
This policy, which has been issued and put into effect by us, is published on our Company’s website and is made available to personal data owners in this way.
CHAPTER II
1-PROCESSING OF PERSONAL DATA IN ACCORDANCE WITH RELATED LEGISLATION
Our company, in accordance with Article 4 of the KVKK, regarding the processing of personal data;
1.1-Performing Personal Data Processing Activities in Compliance with Law and Integrity
In our company, the processes of processing personal data are carried out in accordance with legal regulations and honesty rules. In this context, our Company processes only as much personal data as necessary, in accordance with the purposes of data processing.
1.2-Ensuring Personal Data Are Accurate and Up-to-Date When Necessary
Our company takes the necessary measures to ensure that personal data is up-to-date and accurate, taking into account the fundamental rights and legitimate interests of personal data owners.
1.3-Processing for Specific, Clear and Legitimate Purposes
The purpose for which personal data will be processed by our company is set out before the personal data processing activity begins.
1.4-Related to the Purpose for which they are Processed, Limited and Proportionate
Our company, in the form of personal data It processes the data as much as required by the work in the context of the requirements brought by the activities it carries out and in line with the scope and scope of the relevant legal regulations, and the processing of irrelevant or unnecessary personal data is avoided.
1.5-Preservation for as long as required by the relevant legislation or for the purpose for which they are processed.
Our company preserves personal data only for the periods stipulated in the relevant legislation or for the purpose for which they are processed. In this context, if a period is determined for the storage of personal data in the relevant legislation, this period is complied with. If a period has not been determined, personal data are retained for the period necessary for the purpose for which they are processed. Personal data is deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons requiring its processing are eliminated. Personal data is not stored by our Company for the possibility of future use. Detailed information on this subject is given in section 7 of this policy.
2- PROCESSING OF PERSONAL DATA
Our company processes personal data only in cases stipulated by law or with the explicit consent of the person.
Apart from express consent, personal data may also be processed in the presence of one of the other conditions listed below;
2.1- Explicit Consent of the Personal Data Owner
One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner should be disclosed on a specific subject, based on information and free will.
2.2- Explicitly Provided in Laws
The personal data of the data owner can be processed in accordance with the law, if it is expressly stipulated in the law.
2.3- Failure to Obtain the Explicit Consent of the Related Person Due to Actual Impossibility
The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or bodily integrity of himself or another person.
2.4- Directly Related to the Establishment or Performance of the Contract
It is possible to process personal data if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
2.5- Fulfillment of Legal Obligation
Our company will be able to process the personal data of the data subject if the processing is necessary in order to fulfill its legal obligations as a data controller.
2.6- Making Personal Data Public by the Personal Data Owner
If the personal data of the data owner has been made public by him, it may be processed, limited to the purpose.
2.7- Mandatory Data Processing for the Establishment or Protection of a Right
If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.
2.8- Obligatory Data Processing for the Legitimate Interest of the Data Controller
Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.
3- DISCLOSURE AND INFORMATION OF THE PERSONAL DATA OWNER
Our company clarifies for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method of collecting personal data and the rights of the personal data owner for legal reasons. (See Illumination Text)
4- PROCESSING OF SPECIAL QUALITY PERSONAL DATA
Our company acts in accordance with the regulations stipulated in the KVKK in the processing of personal data determined as “special quality” by KVKK.
These data are; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.
By our company; Special categories of personal data are processed in the following cases by taking the necessary precautions:
If the personal data owner has express consent, or
If there is no explicit consent of the personal data owner, it can be processed in the cases stipulated by the laws.
Data on health and sexual life are only processed with the explicit consent of the data owner.
III. SECTION
PERSONAL DATA PROCESSED BY OUR COMPANY, PURPOSE OF PROCESSING AND STORAGE PERIOD
- Personal data processed by our company are listed below. However, which data will be processed for each personal data owner; It may vary depending on various factors such as the type and nature of the relationship between the personal data owner and our Company and the communication channels used.
| PERSONAL DATA | DESCRIPTION |
| Credential | Data that contains information about the identity of the person; name-surname, T.C. Documents such as driver’s license, identity card and passport, including information such as identity number, nationality information, mother’s name and father’s name, place of birth, date of birth, gender, personnel registration number, signature information, etc. information |
| Contact Info | Information such as phone number, address, e-mail address, cap address, fax number, IP address |
| Family Members and Relatives | Information about family members (e.g. spouse, children), relatives and other persons who can be contacted in case of emergency, reported to our Company by the personal data owner, within the framework of the operations carried out by the units of our Company |
| Security Information | Personal data regarding the records and documents obtained at the entrance to our company’s facilities and during their stay in these places; camera recordings and recordings taken at the security point, etc. |
| Financial Information | |
| Visual/Audio Information | Photo, camera recordings |
| Personal Information | |
| Special Quality Personal Data | Data specified in Article 6 of the KVK Law (eg health data including blood group, biometric data (fingerprint), body size etc. |
| Professional Knowledge | Data on diploma and certificate information of employee candidates, our employees and people who have a business relationship with our Company |
- PERSONAL DATA OWNERS PROCESSED BY OUR COMPANY
Our company’s customers, subsidiaries, visitors, employee candidates, employees, company shareholders, employees of companies with which we have business relations, employees of institutions with which we cooperate.
- PURPOSE OF PROCESSING PERSONAL DATA
By our company;
Execution of the application processes of employee candidates
Execution of human resources processes
Fulfillment of legal obligations for employees
Conducting social responsibility and civil society activities,
Execution of finance and accounting works,
Conducting communication activities
Execution of the procurement of goods and services
Execution of goods service sales process
Execution of wage policy
Execution of fringe benefits and benefits processes for employees
Execution of Storage and Archive Activities
Execution of Emergency Management Processes,
Conducting Business Activities
Conducting Business Continuity Ensuring Activities,
Ensuring the Security of Movable Property and Resources
Providing Information to Authorized Persons, Institutions and Organizations,
Conducting Educational Activities
Carrying out the Activities in Compliance with the Legislation,
Providing Physical Space Security
Carrying out Internal Audit Activities
Execution of Occupational Health / Safety Activities
Execution of Management Activities,
Execution of Goods / Services Production and Operation Processes
Execution of Goods / Services After-Sales Support Services
Execution of Logistics Activities
Execution of Contract Processes
For purposes such as Execution of risk management processes
- Fulfilling our legal obligations,
- It is necessary to process the personal data of the parties based on the established business relationship,
- Prescribed by law and
- For legal reasons such as the protection of our Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the person concerned, and with the explicit consent of the person concerned
III of this policy. Personal data specified in section 1 are processed.
- STORAGE TIMES OF PERSONAL DATA
Our company keeps personal data for the period required by the relevant legislation or for the purpose for which they are processed.
If a period of time is not regulated in the legislation regarding how long personal data should be kept, Personal Data is processed for a period of time that requires processing in accordance with our Company’s practices and commercial life practices, depending on the activity carried out while processing that data.
The purpose of processing personal data has ended; if the storage periods determined by the relevant legislation or our Company have also come to an end; personal data only constitute evidence in possible legal disputes.
The spouse or personal data can be kept for the purpose of asserting the relevant right or establishing a defense. Despite the expiry of the statute of limitations and the statute of limitations for the right to assert the aforementioned right in the establishment of the periods herein, retention periods are determined based on the examples in the requests submitted to our Company on the same issues before. In this case, the stored personal data cannot be accessed for any other purpose, and access to the relevant personal data is provided only when it is required to be used in the relevant legal dispute. Here, too, personal data is deleted, destroyed or anonymized after the aforementioned period expires.
- CHAPTER
- OUR COMPANY’S MONITORING ACTIVITY WITH CAMERA CONDUCTED AT AND INSIDE THE BUILDINGS AND FACILITIES
Our company, within the scope of monitoring with security cameras; Certain areas are subject to camera monitoring in order to ensure the interests of the company and other persons regarding ensuring their safety, and to be limited to this policy, in a way that does not result in an interference with the privacy of the person exceeding the security purposes. Our company acts in accordance with the KVKK in the camera surveillance activities carried out for security purposes. Information about the monitoring activity with the camera is made by publishing this policy on the website and by hanging the signs and plates and the lighting text regarding the monitoring in the monitoring areas.
Surveillance areas, number of security cameras and when to be monitored are sufficient to achieve the security purpose and are implemented in a limited manner for this purpose. Necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera monitoring. Detailed information about the retention period of our Company’s personal data obtained through camera monitoring is given in Article 3.4 of this Policy, titled Personal Data Retention Periods.
Only a limited number of Company employees have access to live camera footage and recordings recorded and preserved in digital media. A limited number of people who have access to the records declare that they will protect the confidentiality of the data they access with a confidentiality agreement.
- FOLLOW-UP OF GUEST ENTRANCES AND EXITS AT OUR COMPANY’S BUILDING AND FACILITY ENTRANCES AND ITS INSIDE
By our company; Personal data processing is carried out in order to ensure security and for the purposes specified in this Policy, in order to monitor guest entries and exits in our Company’s buildings and facilities.
While obtaining the names and surnames of people who come to our Company’s premises as guests, personal data owners are informed in this context. The data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.
CHAPTER V
TRANSFERRING PERSONAL DATA
Although the third parties to whom personal data can be transferred may vary depending on various factors such as the type and nature of the relationship between the data owner and our Company and the markets in which transactions are made, the third parties to whom the data can be transferred are generally as follows:
Authorized public institutions
Private law legal entities limited to the purpose requested within its legal authority,
Business partners of our company in the country and / or abroad,
Customers, Suppliers,
Our Shareholders, Our Auditors
- CHAPTER
ISSUES REGARDING THE PROTECTION OF PERSONAL DATA
Our company takes the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, to prevent illegal access to the data and to ensure the preservation of the data, and in this context, it makes or has the necessary inspections made.
The actions and measures taken by our company to ensure “data security” in accordance with Article 12 of the KVKK are listed below.
Our company takes technical and administrative measures according to technological possibilities and implementation costs in order to ensure that personal data is processed in accordance with the law. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the KVKK and cannot be used for purposes other than processing, and that this obligation will continue after they leave their job, and necessary commitments are taken from them in this direction.
Our company provides the necessary trainings to prevent the illegal processing of personal data, to prevent illegal access to data, and to raise awareness to ensure data protection.
Our company protects personal data from being stored in secure environments and destroyed, lost or changed for unlawful purposes. takes the necessary technical and administrative measures according to the technological possibilities and the cost of implementation.
VII. SECTION
TERMS OF DELETING, DESTROYING AND ANONYMIZING PERSONAL DATA
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 7 of the KVKK, personal data is deleted, destroyed or anonymized for 3 months, pursuant to the decision of our Company, in the event that the reasons requiring processing are eliminated. In the event that all the conditions for processing personal data are no longer valid, our company also deletes, destroys or anonymizes the personal data subject to the request, upon the request of the person concerned. Our company finalizes the request of the person concerned within thirty days at the latest and informs the person concerned.
Anonymized personal data may be processed for purposes such as research, planning and statistics in accordance with Article 28 of KVKK. Since such transactions are outside the scope of KVKK, the explicit consent of the personal data owner is not sought.
VIII. SECTION
RIGHTS OF PERSONAL DATA OWNERS; METHOD OF USE AND ASSESSMENT OF THESE RIGHTS
Our company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the KVKK in order to evaluate the rights of personal data owners and to provide necessary information to personal data owners.
Personal data owners;
Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Despite the fact that it has been processed in accordance with the provisions of the KVKK and other relevant laws, it has the right to request the deletion or destruction of personal data in case the reasons requiring its processing disappear, and to request the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred.
- CHAPTER
PERSONAL DATA PROTECTION AND PROCESSING POLICY MANAGEMENT STRUCTURE
Our company establishes the necessary management structure in order to fulfill the obligations in the KVK Law and to implement this Policy and to fulfill the following functions.
- Preparing the basic policies and amendments regarding the Protection and Processing of Personal Data and submitting them to the approval of the senior management in order to put them into effect,
- Deciding on how to implement and control the policies regarding the Protection and Processing of Personal Data, and within this framework, to make internal assignments and to provide coordination issues to the top management for approval,
- Identifying the issues that need to be done in order to ensure compliance with the Law on Protection of Personal Data and the relevant legislation, and submitting the necessary actions to the approval of the senior management; to oversee and coordinate its implementation,
- To raise awareness within the Company and before the Company’s business partners on the Protection and Processing of Personal Data,
- Identifying the risks that may arise in the personal data processing activities of the company, ensuring that the necessary measures are taken, and presenting improvement suggestions to the senior management for approval,
- To design and implement trainings on the protection of personal data and the implementation of policies,
- To respond to the applications of personal data owners in due time,
- Managing relations with the Personal Data Protection Board and Institution.
While the management structure is being formed, a committee is established and the composition of this committee and the distribution of duties are determined by our Company’s senior management. In addition to the above-mentioned duties, the Committee and the person(s) responsible for this matter may be assigned other duties and responsibilities depending on the needs of our Company and the nature of the activities it carries out.
- CHAPTER
TECHNICAL AND ADMINISTRATIVE MEASURES FOR THE SECURITY OF PERSONAL DATA
Our company takes the necessary administrative and technical measures to keep personal data legally and securely. For this;
- There are disciplinary regulations for employees that include data security provisions
- Personal data processing inventory has been prepared and kept up to date
- Contracts (between data controller and data processor)
- Corporate policies (access, information security, use, data retention and destruction)
- Business contract
- Disciplinary regulation (addition of provisions in accordance with the law)
- Confidentiality commitments are made.
- In-house periodic and/or random audits
- Education and awareness activities
- Securing the environments that provide personal data
- Risk analyzes are performed and personal data are reduced as much as possible
- Network security and application security are provided,
- Corporate policies on access information security use, storage and destruction have been prepared and implemented.
- Confidentiality commitments are made.
- Current anti-virus systems are used.
- Personal data security policies and procedures have been determined.
- Personal data security is monitored.
- Security of environments containing personal data is ensured.
- Personal data is backed up and the security of the backed up personal data is also ensured.
- Existing risks and threats have been identified.
- Private personal data must be sent in encrypted form and using a kep or corporate mail account.
- Encryption is in progress.
- A closed system network is used for personal data transfers via the network.
- Firewalls are used.
- Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
- The security of physical environments containing personal data against external risks is ensured.
- In case it is determined that the personal data processed or transferred by our company is illegally in the hands of unauthorized persons, the situation will be notified to the KVK Board and the relevant data owner as soon as possible.