EAE ELEKTRİK AYDINLATMA ENDÜSTRİSİ SAN. ve TİC. A.Ş.
POLICY ON PROTECTION OF PERSONAL DATA
The purpose of this present Policy Document on Protection of Personal Data (“Policy” or “Policy Document”) is determination of legal and data security framework prescribed by the relevant legislation especially by the Law No. 6698 on Protection of Personal Data, and establishment of the appropriate data protection level with regard to processes such as storage, processing and transfer of the personal data existing within EAE ELEKT-RİK AYDINLATMA ENDÜSTRİSİ SAN. VE TİC.A.Ş. VE TİC. A.Ş. (“EAE AYDINLATMA”) to the relevant parties.
All personal data, which exist within EAE AYDINLATMA and which EAE AYDINLATMA will obtain and process due to its legal obligations and activities together with information assets containing this data, including personal data belonging to EAE AYDINLATMA’s employees, customers, business partners, suppliers, affiliates, visitors, online visitors, employees, employee candidate, trainees, shareholders, partners and managers, are under the scope of this Policy.
Amendments made to this present Policy Document and its current version can be found at https://eaelighting.com/en-en/gdpr/
Law No. 6698 (or Law): Refers to the Law on Protection of Personal Data.
Anonymization: Refers to rendering the personal data in a manner that it is made not to be affiliated with identified or identifiable real person.
Employee: Refers to real persons working full-time, part-time labour contract or as trainees with EAE AYDINLATMA.
Personal Data. Refers to all kinds of information on the identified or identifiable person. For example; name, surname, date of birth, IP address, etc.
Processing of Personal Data: Refers to any and all procedures on data such as collecting, recording, retaining, maintaining, changing, rearranging, disclosing, making collectable, classifying or preventing the use of the personal data, in whole or in part, by automated or non-automated means.
Committee: Refers to the Personal Data Protection Board.
Contact Person: Refers to the person defined in article 4.2 of this policy document.
Person in Charge: Refers to the real person whose personal data is processed.
Special Categories of Personal Data: Data of individuals regarding their rate, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, association, foundation or trade union membership, health, sexual life, criminal conviction and security precautions together with their biometric data refers to private personal data.
Legislation: Refers to all other legislation, especially the Law No. 6698 on Protection of Personal Data, where the rules for the retaining, processing and protection of personal data are provided.
Data Processor: Refers to real or legal person processing data according to the authority given by EAE AYDINLATMA.
Data Recording System: Refers to the recording system that is structured according to certain criteria to facilitate access to personal data and is primarily retained within EAE AYDINLATMA and secondarily retained within EAE AYDINLATMA for purposes such as data backup/disaster recovery.
Data Supervisor: Refers to real or legal person determining the processing purposes of the personal data and responsible for the establishment and management of the data recording system. Refers to EAE ELEKTRIK AYDINLATMA ENDÜSTRİSİ SAN. VE TİC. A.Ş., which is Data Supervisor within the scope of Policy on Protection of Personal Data.
4. AUTHORITY AND RESPONSIBILITIES
4.1. Information Security Committee
The Information Security Committee, which is formed within EAE AYDINLATMA and consists of Factory Manager, representatives of Accounting, Quality, Data Processing, Media Center Department, is responsible for writing and maintaining this policy up to date. In the event that an act violating the principles included in this Policy Document is found, the Information Security Committee shall inform the contact person of EAE AYDINLATMA of the situation in question.
The overall responsibility of the Information Security Committee is to audit whether the duties assigned to the Data Supervisor by the Law No. 6698 have been performed within EAE AYDINLATMA. Its special responsibility is collection and processing of the personal data in accordance with the Law, coordination, taking and monitoring the necessary administrative and technical security measures in order to conduct the procedures with regard to personal data within the framework of the relevant legal regulations, including this present Policy Document and the Law on Protection of Personal Data. The Information Security Committee also works in coordination with the Contact Person of EAE AYDINLATMA.
In addition, the Information Security Committee is responsible for reviewing this Policy and regulating it in accordance with relevant legislation.
4.3. Contact person
He/she is the person, who makes contact with the Board on behalf of EAE AYDINLATMA with regard to the obligations under the data supervisors registration for the legal persons residing in Turkey and who accepts, evaluates and respond application made by the Relevant Persons, and who is assigned by the General Manager.
Employees are obliged to comply with this Policy and other policies, procedures, which are prepared specifically for the processing of personal data, and also with the relevant legislation.
Data Supervisor is authorized to give necessary decisions and determine authorities throughout the entire life cycle of the personal data retained within EAE AYDINLATMA in accordance with the Law no. 6698. Data Supervisor appoints a Contact Person to fulfil his/her obligations arising from the Law.
Personal data is protected in such a manner that only the units that need to access this data for their own business have access.
Personal data is kept encrypted in all possible environments.
Any personal data, whether sensitive or not, can be processed in accordance with the Legislation, generally within the express consent of the concerned person to whom the personal data belongs to, or in cases in which excusatory causes provided in articles 5.2 and 6 of the Law no. 6698 exist.
The following principles are taken into consideration when processing the personal data;
- Being compliant with the Law and honesty rules.
- Being accurate and up-to-date as required.
- Processing for specific, open and for legitimate purposes.
- Being connected, limited and measured with the purpose for which they are processed.
- Retaining for the period foreseen in the related legislation or necessary for the purpose they are processed.
Sensitive data may not be stored and processed unless the person concerned has given express consent in accordance with article 6.2 of the Law No. 6698, and unless it is expressly provided in the laws pursuant to article 6.3.
In case that the personal data is shared with the third persons at home or abroad, the requirements with regard to the transfer at home in article 8 and those with regard to the transfer to abroad in article 9 of the Law No. 6698 must be met.
The personal data is anonymized and whose information on real person is rendered inaccessible when it is to be processed numerically and categorically for the purposes such as research, planning and statistics.
When processing the sensitive personal data, the measures determined by the Personal Data Protection Committee must also be taken into consideration.
It is ensured that access to the data recording system and the environments in which the processed data is stored and the transactions performed are recorded.
Access records should be stored in accordance with the conditions prescribed by the relevant legislation and also for the period provided. In case that there is no relevant provision in the legislation, the access records must be stored at least for 2 years.
When the reasons requiring process of sensitive or non-sensitive personal data disappear, the personal data is deleted, destroyed or anonymized by the Data Supervisor within the framework of the Policy on Retention and Destruction of Personal Data ex officio or at the request of the person concerned.
The Data Supervisor is responsible for the following issues regarding the protection of personal data:
- To enlighten the person concerned on the matter in accordance with article 10 of the Law no. 6698 to enable him/her to exercise rights he/she has according article 11. (Provided that it complies with the purpose and basic principles of the Law No. 6698, and it is proportionate, the obligations of EAE AYDINLATMA with regard to the rights of the person concerned shall not be applied in the following cases: (i) In the event personal data processing is necessary for crime prevention or criminal investigation. (ii) Processing of personal data made public by the data subject. Obligation to enlighten and right to claim for removal of the damage of EAE AYDINLATMA are excluded.)
- To take all necessary technical and administrative measures to protect this data and prevent processing, accessing and protection of personal data against this policy and the Law No. 6698 and other relevant legislation.
- To work with a Data Supervisor who has technical and administrative measures required to protect personal data if there are cases that require processing of personal data by a Data Processor on behalf of the Data Supervisor.
- To perform, or cause to perform, necessary audits to ensure that this policy and the relevant legislation are complied with within EAE AYDINLATMA.
- To inform the relevant Person, Committee and/or relevant official authority pursuant to the Law no. 6698 and the other relevant legislation, in case it is found that processed personal data is disclosed and/or obtained by unauthorized persons in violation of the legislation.
6. VIOLATIONS AND SANCTIONS
If this policy and other policies, procedures and instructions are not complied with, Disciplinary Management Procedure for employees, contract articles and legal processes for the third parties may be applied.
Exclusive violation of this Policy Document on Protection of Personal Data may constitute a crime in accordance with articles 135-140 of the Turkish Criminal Code through the instrumentality of article 17 of the Law No. 6698. Similarly, sanctions requiring administrative fine may be in question in accordance with Article 18 of the Law No. 6698.