Notification on the Personal Data Protection Law (PDPL)

POLICY ON PERSONAL DATA PROTECTION

1. INTRODUCTION, SCOPE AND DEFINITIONS

1.1. Introduction: The Personal Data Protection Law (“PDP Law”) Number 6698 was enacted pursuant to its publication in the Official Gazette on 07.04.2016. The Law provides a legal regulation for the protection of the personal data of individuals based on a holistic approach. In this regard, the Policy on the Protection and Processing of Personal Data (“Policy”) offers guidance to Enda Energy Holding Co. (“Company”) on how to tangibly implement the PDP Law and the rules set forth by relevant legislation. Accordingly, our Company shall ensure sustained compliance with the Policy by enacting necessary measures to ensure conformity to the Policy within the Company and by operating an internal auditing mechanism for the same purpose.

1.2. Scope: Hereby this “Policy” concerns the automated or non-automated processing as a component of any data recording system of all personal data pertaining to Employees, Former Employees, Employee Candidates, Interns, Group Employees, Employee Relatives, Company Shareholders/Partners, Company Executives, Recipients of Products or Services (Customers), Potential Product or Service Buyers, Visitors, Supplier Executives and Supplier Employees as defined in Article 1.3.

1.3. Definitions: Definitions featured in the PDP Law and secondary legislations have not been featured in this section. The mentioned definitions are identical to those in legislations unless otherwise stated within this Policy.

  • Employee: Natural persons who have an employee-employer relation with our company as per a signed contract of employment.
  • Group Employee: Group Company employees whose personal information is processed in scope of activities such as the data recording system, human resources, auditing, provision of information technologies security and infrastructure, legal compliance etc.
  • Employee Candidate: Natural persons who have applied for employment at our Company and/or Group Companies through any medium or those who have shared relevant information for review by our Company.
  • Intern: Persons who are working for our Company and/or Group Companies to gain experience, gain knowledge on the nature of the business and build on occupational know-how.
  • Former Employee: Real persons whose contract of employment between our Company and/or Group Companies has ended for any reason.
  • Group Companies: The company’s direct, indirect group companies and affiliated partners.
  • Company Shareholder/Partner: Real persons who are a shareholder/partner of the Company and Group Companies.
  • Company Executives: Real persons acting as members of the Board of Directors and other executives of the Company and/or Group Companies.
  • Supplier Employee: Employees of suppliers, business partners and third parties who provide services to our Company without a contract or contractual relation, but nonetheless in compliance with the Company’s orders and instructions in the execution of commercial activities of the Company and/or Group Companies.
  • Supplier Executive: Real persons acting as members of the Board of Directors, managing director etc. of suppliers, business partners and third parties involved in commercial activities with the Company and/or Group Companies.
  • Recipient of Products or Services (Customers): Real persons whose personal data is acquired on the basis of business relations of the Group Companies in scope of the operations executed by the business departments of our Company regardless of having any contractual relations with our Company and/or Group Companies.
  • Potential Product or Service Buyer: People who receive advertisements and marketing information on products and services offered by our Company and/or Group Companies.
  • Visitor: Real persons who have accessed physical facilities owned by our Company and/or Group Companies for various reasons and those who have visited our websites.

2. PRINCIPLES CONCERNING THE PROCESSING OF PERSONAL DATA

The company has to adopt the following basic principles in order to ensure sustained compliance with the PDP Law and other secondary legislation:

  • 2.1 Working in Compliance with Law and Covenant of Good Faith: Our company complies with the law and covenant of good faith in processing personal data pursuant to legislation on the protection of personal data and particularly the Constitution of the Republic of Turkey.
  • 2.2 Ensuring the Accuracy and Currency of Personal Data on Demand: Our company ensures the accuracy and currency of the personal data which is processed with consideration to the respective persons’ basic rights and own legitimate interests. Necessary measures are taken to achieve this.
  • 2.3 Processing for Defined, Clear and Legitimate Purposes: Our company openly and clearly defines the purpose of processing legitimate and legal personal data. Our company processes personal data for the sole purpose of ongoing commercial activities and only to the extent necessary.
  • 2.4 Processing Relevant Information at a Limited and Prudent Degree: Our company processes personal data in a way that facilitates the realisation of specific purposes and avoids processing personal data which is unrelated to the said purpose or unnecessary.
  • 2.5 Keeping Data for the Duration Foreseen by Relevant Legislation or the Duration Required by the Purpose: Our company keeps data only for the duration foreseen by relevant legislation or the duration required by the purpose. In this regard, our Company first determines whether a duration is foreseen for the keeping of personal data in relevant legislation. If a duration has been set then this is adhered to, if a duration has not been set, then the personal data is kept for as long as it is necessary for the purpose. If the duration expires or if there is no longer need to process the data, then our Company shall delete, exterminate or anonymise personal data.

3. CONDITIONS ON PROCESSING PERSONAL DATA

Our Company processes personal data in compliance with condition(s) indicated in Article 5 of the PDP Law save and except of express consent by the respective person. If the processed data is of a sensitive nature, then the conditions set forth in Article 4.3 (“Processing and Transfer of Sensitive Personal Data”) of this Policy shall apply.

  • 3.1 Express Consent by the Relevant Person: Express consent by the relevant person should be given at free will and must be based on explanations on a specific subject. Personal data may be processed without the relevant person’s express consent should the below mentioned conditions for processing personal data apply.
  • 3.2 Express Mention in Laws: The presence of a clear provision on the processing of personal data of the relevant person will be considered as a fulfilment of data processing conditions.
  • 3.3 Inability to Acquire Express Consent due to Actual Impossibilities: The relevant person’s personal data can be processed if it is imperative to do so on the grounds of protecting the life or physical integrity of the relevant person or other persons in case the relevant person is unable to declare express consent or his/her express consent is invalid due to actual impossibilities.
  • 3.4 Direct Relation with the Establishment or Execution of the Agreement: On condition that it is directly related to the establishment or execution of an agreement to which the relevant person is a party, this condition is considered fulfilled if a need to process personal data arises.
  • 3.5 The Company’s Fulfilment of Legal Obligations: The relevant person’s personal data can be processed if processing is necessary for the fulfilment of our company’s legal obligations.
  • 3.6 The Publicization of Personal Data by the Respective Person: If the relevant person has publicised his/her personal data, then the respective personal data can be processed in a limited way for the purposes of publicising.
  • 3.7 Force Majeure Processing of Data for the Establishment or Protection of a Right: The relevant person’s personal data can be processed if there is a force majeure need to process data for the establishment or protection of a right.
  • 3.8 The Force Majeure Processing of Data for the Legitimate Interests of our Company: The relevant person’s personal data can be processed if there is a force majeure need to process data for the legitimate interests of our Company, on condition that the relevant person’s basic rights and freedoms are not infringed.

4. DISCLOSURE OF PERSONAL DATA

In scope of the objectives on processing legitimate and legally justifiable personal data, our Company can disclose the relevant person’s personal data or sensitive personal data at a national scale on the condition of taking necessary security measures as indicated in this Policy and after ensuring confidentiality;

  • (i)    To legally authorised organisations and institutions, and particularly the Energy Markets Regulatory Board, limited to the purpose requested in scope of the legal jurisdiction of relevant public organisations and institutions,
  • (ii)    To Group Companies and Company activities requiring the involvement of Group Companies, limited to disclosure in accordance with the principles and strategies of the Group,
  • (iii)    To Company Shareholders/Partners, limited to purposes of realising commercial activities and auditing of our Company pursuant to relevant legal provisions,
  • (iv)    To Suppliers, limited to purposes of making it possible for our Company to receive the services provided by the supplier which are required for the realisation of commercial activities,
  • (v)    To legally authorised private entities, limited to the issues included in the scope of activities executed by relevant private organisations and institutions, particularly the banks registered with the Turkish Union of Banks in scope of payments and independent auditors appointed by the Company and Group Companies as well as ensuring the provision of side benefit and interests of our employees.

5. PROCESSING AND DISCLOSURE OF SENSITIVE PERSONAL DATA

Sensitive personal data is only processed and disclosed by our Company in accordance with the principles set forth in this Policy and after taking all administrative and technical measures available including those measures determined by the Personal Data Protection Committee (“Committee”) and only if the below conditions are met:

  • (i)    Sensitive personal data excluding those about health and sexual life can be processed without express consent of the relevant person if it is explicitly mentioned in the law or in other words if there is a clear provision concerning the processing of personal data in laws governing the relevant activity. Under any other condition, express consent of the relevant person shall be acquired for the processing of sensitive personal data.
  • (ii)    Sensitive personal data about health and sexual life can be processed without express consent from people or authorised organisations and institutions who are under confidentiality obligations for purposes of protecting public health, the execution of preventative medicine, medical diagnosis, treatment and care services, the planning and management of medical services and its financing. Under any other condition, express consent of the relevant person shall be acquired for the processing of sensitive personal data.

6. THE PURPOSE OF CATEGORISING AND PROCESSING PERSONAL DATA HANDLED BY OUR COMPANY

Pursuant to Article 10 of the PDP Law, our Company informs relevant people during the acquiring of personal data. In this regard, our Company provides information about the identity of any representatives, the purpose of processing personal data, people with access to the processed personal data and for what purpose, means of collecting personal data, the legal justification and the rights granted to the relevant person.

Detailed information about personal data categories processed in scope of the objectives and conditions set forth in this Policy can be found in Annex-1 (“Personal Data Categorisation”). Detailed information about the purposes of processing the mentioned personal data are provided in Annex-2 of the Policy (“Purposes of Processing Personal Data”).

In accordance with our company’s legitimate and legally justified personal data processing objectives, our company processes the personal data categories identified in Annex-1 (“Personal Data Categorisation”) pursuant to Article 10 of the PDP Law, based on and limited to one or more of the personal data processing conditions set forth in Article 5 of the PDP Law, in compliance with the general principles set forth in the PDP Law, particularly those indicated in Article 4 on the processing of personal data, in compliance with all the obligations regulated in the PDP Law and limited to the durations indicated in our Company’s Personal Data Keeping and Extermination Procedures.

7. SPECIAL OCCASIONS THAT CALL FOR THE PROCESSING OF PERSONAL DATA

  • 7.1 CCTV Surveillance at the Entrances and Inside Company Buildings, Facilities and Plants: Our company aims to protect the security interests of the company and other people by CCTV surveillance inside work areas. Those concerned with the mentioned personal data are informed by means of notifications displayed in visible areas inside our company or through written notices accessible to visitors and employees.
  • 7.2 Keeping Activity Records of Internet Services Provided to Visitors Inside Company Buildings, Facilities and Plants: Our Company grants internet access to requesting visitors during their time inside our building and facilities to ensure security and solely for the purposes set forth in this Policy. In such cases, access log records are kept in accordance with the Law Nr. 5651 entitled The Regulation of Publications on the Internet and Suppression of Crimes Committed by means of Such Publications and the mandatory provisions of the legislation regulated in accordance with this Law. These records are only processed if requested by authorised public organisations and institutions or in order to fulfil our legal obligations during auditing processes taking place within our Company. Log records obtained in this scope can only be accessed by a limited number of authorised personnel. Company employees with access to the mentioned log records can only access these records in case of receiving a request by authorised public organisations and institutions or during auditing processes and can only disclose such information to legally authorised individuals.

8. MEASURES TO PROTECT PERSONAL DATA

8.1 Technical Measures Taken to Ensure the Security of Personal Data:

Our Company takes necessary measures and employs necessary actions in compliance with Organisational regulations aimed at providing adequate security in order to prevent the illegal processing of, illegal access to and safekeeping of personal data which is processed in compliance with Article 12 of the PDP Law.

8.2 Administrative Measures on the Protection of Personal Data:

Our Company has a “Personal Data Protection Committee” consisting of appointed authorised representatives in order to manage, implement and execute specific actions in scope of this policy and other policies and procedures related to or affiliated with this Policy.
All activities executed by our Company are analysed specifically according to business departments. Personal data processing activities specific to the commercial activities executed by the relevant department are determined and necessary confidentiality agreements are signed in accordance with this analysis.

Awareness is raised and practice rules are determined specifically for the relevant business departments. Necessary administrative measures for the controlling of these measures and ensuring the sustainability of the practice are realised through intracompany policies, procedures, instructions and notifications, awareness raising training, and warning mechanisms (notice boards, announcements, orientation etc.).
Annual auditing is planned with intra/extra (supplier) organisation sources in scope of Internal Auditing / Quality / ISMS practices in order to verify the effective implementation of personal data collection, processing, classification, deletion / extermination / removal of access authorisation / anonymisation processes.

8.3 Protection of Sensitive Personal Data:

The PDP Law gives special importance to certain personal data due to their risk of causing victimisation or discrimination of the person when processed in illegal ways. These include data on race, ethnicity, political orientation, philosophical beliefs, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, convictions and security measures as well as biometric and genetic data. Our Company acts responsibly in the protection of legally processed sensitive personal data that has been classified as “sensitive” by the PDP Law. In this regard, the technical and administrative measures taken by our Company for the protection of personal data are practiced meticulously in the case of sensitive personal data. Necessary auditing on this matter is executed throughout our Company.

9. ERASING, EXTERMINATING AND ANONYMISING PERSONAL DATA

Our Company erases, exterminates or anonymises personal data according to the practices set forth in the Company’s Personal Data Storing and Extermination Policy or by request of the relevant person if the cause for processing ceases to exist even if the processing is compliant with the provisions of the relevant law. Our Company erases personal data or continues to use such data after anonymising through the employment of the most appropriate erasing or exterminating method(s) as indicated in the Committee’s Guidelines on Erasing, Exterminating or Anonymising of Personal Data.

10. RIGHTS OF THE RELEVANT PERSON

Pursuant to Article 10 of the PDP Law, our Company notifies the relevant person of his/her rights and offers guidance on how to use these rights. In compliance with Article 13 of the PDP Law, our Company oversees the necessary channels, internal operations, administrative and technical arrangements for the assessment of the rights granted to owners of personal data and provides owners of personal data with adequate notifications.

10.1. Rights of the Relevant Person
Owners of personal data have been granted the rights listed below:

  • To find out whether personal data is processed or not,
  • To request information about any form of personal data processing,
  • To find out the purpose of processing personal data and whether such data has been used solely for the purpose,
  • To know the third parties at home and abroad to which personal data has been disclosed,
  • To request the amendment of incompletely or incorrectly processed personal data, and in this scope, to request the notification of third parties in possession of the personal data about this amendment,
  • To request the erasing or extermination of personal data if reasons to process have ceased to exist even if the processing complies with the provisions of the PDP Law and other relevant laws, and to request the notification of third parties in possession of the personal data about this amendment,
  • To object to any objectionable outcome about himself/herself due to the exclusive analysis of the processed data by automated systems,
  • To request for compensation if damages are incurred due to the illegal processing of personal data.

10.2. Exercising of Rights by the Relevant Person
The relevant person may submit requests pertaining to the granted rights listed in section 9.1 of this section by completing and signing the application form available on our company’s website, while adhering to the methods determined by the Committee and providing supporting information and documentation for the verification of his/her identity.

10.3. Our Company Responding to Applications
Our company takes necessary administrative and technical measures to conclude potential applications by the relevant person in accordance with the Law and secondary legislation. Upon receipt of the relevant person’s request pertaining to the granted rights listed in section 9.1 in due form, our Company shall conclude the relevant request as soon as possible and within a maximum of 30 (thirty) days depending on the nature of the request at no cost. However, fees based on the tariff determined by the Committee may apply if the procedure incurs additional costs.

11. DETAILS OF DATA MANAGER

ENDA ENERGY HOLDING Co.
Address: İsmet Kaptan Mahallesi Şehir Nevres Bulvar No: 10/71 Konak İZMİR
Kep: enda@hs03.kep.tr

Annex-1 Personal Data Categorisation
Annex-2 Purposes of Personal Data Processing
