EAE ELEKTRİK LIGHTING INDUSTRY İNŞAAT SAN.VE TİC.A.Ş. (shortly as “EAE LIGHTING”); Processing personal data of real persons, including our customers, suppliers and employees, in accordance with the Constitution of the Republic of Turkey, international conventions regarding human rights to which our country is a party, and the relevant legislation, in particular the Law on the Protection of Personal Data No. 6698 (“KVKK”), and to effectively enforce the rights of the data subjects. Ensuring its use is our priority.
Therefore, but not limited to those listed; EAE AYDINLATMA Personal Data Protection and Processing Policy (shortly “Policy”).
Protection of personal data and observance of the fundamental rights and freedoms of natural persons whose personal data are collected are the basic principles of our policy regarding the processing of personal data. For this reason, we carry out all our activities in which personal data are processed, taking into account the protection of privacy, the confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies. In order to protect personal data, we take all administrative and technical protection measures required by the nature of the relevant data in accordance with the legislation and current technology.
This Policy explains the methods we follow for the processing, storage, transfer and deletion of personal data shared during our commercial or social responsibility and similar activities within the framework of the principles mentioned in the PDPL.
All personal data processed by the Company, including our customers, business contacts, business partners, employees, suppliers, potential customers and other third parties, are within the scope of this Policy.
Our policy is implemented in all activities related to the processing of personal data owned or managed by the Company, and has been handled and prepared by considering the KVKK and other relevant legislation regarding personal data and international standards in this field.
In this section, special terms and phrases, concepts, abbreviations, etc. in the Policy. briefly explained.
Company: EAE ELEKTRİK AYDINLATMA ENDÜSTRİSİ İNŞAAT SAN.VE TİC.A.Ş.
Explicit Consent: Consent to a particular subject, based on information and free will, with a clear and unambiguous, limited only to that transaction.
Employee: Company Personnel.
Personal Data Owner (Relevant Person): The natural person whose personal data is processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Sensitive Personal Data: Regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction, and security measures. data and biometric and genetic data.
Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system. or any kind of operation performed on the data, such as preventing its use.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
KVK Board: Personal Data Protection Board.
KVK Authority: Personal Data Protection Authority.
KVKK: Law on Protection of Personal Data published in the Official Gazette dated 7 April 2016 and numbered 29677.
Personal Data Protection Committee
The Personal Data Protection Committee, which is formed within EAE ELEKTRİK and consists of Human Resources, Accounting, IT, Quality, Sales Department representatives and Senior Management, is responsible for writing this policy and keeping it up-to-date. If a behavior contrary to the principles in this Policy is detected, the Personal Data Protection Committee evaluates the situation in accordance with the Personal Data Breach Incident Management Procedure.
Legal obligations within the scope of protection and processing of personal data as a data controller pursuant to KVKK are listed below:
5.1. Our obligation to inform
While collecting personal data as a data controller;
For what purpose your personal data will be processed,
Our identity, information on the identity of our representative, if any,
To whom and for what purpose your processed personal data can be transferred,
Our method of collecting the data and the legal reason,
Rights arising from the law,
We have an obligation to inform the Relevant Person regarding these matters.
As a company, we take care to ensure that this Policy, which is open to the public, is clear, understandable and easily accessible.
5.2. Our obligation to ensure data security
As the data controller, we take the administrative and technical measures stipulated in the legislation to ensure the security of the personal data in our responsibility. Obligations and measures regarding data security are detailed in the 9th and 10th sections of this Policy.
6.1. Personal data
Personal data; Any information relating to an identified or identifiable natural person.
The protection of personal data is only related to real persons, and information belonging to legal entities that do not contain information about the real person is excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities.
6.2. Special categories of personal data
Biometric and genetic data of individuals regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, their clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions, and security measures. are special categories of personal data.
7.1. Our personal data processing principles
We process personal data in accordance with the principles below.
7.1.1. Processing in accordance with the law and honesty rules
We process personal data in accordance with the rules of honesty, transparently and within the framework of our disclosure obligation.
7.1.2. Ensuring that personal data is accurate and, where necessary, up to date
We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We also allow the Personal Data Owner to apply to us to update their data and to correct any errors in their processed data, if any.
7.1.3. Processing for specific, explicit and legitimate purposes
As a company, we process personal data within the scope and content of which are clearly defined, within the scope of our legitimate purposes determined to continue our activities within the framework of the legislation and the ordinary course of commercial life.
7.1.4. Personal data must be connected, limited and measured for the purpose for which they are processed.
We process personal data in connection with the purpose we have clearly and precisely determined, in a limited and measured way.
We avoid the processing of personal data that is not relevant or does not need to be processed. For this reason, we do not process personal data of a private nature unless there is a legal requirement, or we obtain express consent on the subject when we need to process it.
7.1.5. Storage of personal data for the duration of our legitimate commercial interests and stipulated by legal regulations
Many regulations in the legislation require personal data to be kept for a certain period of time. For this reason, we keep the personal data we process for as long as required by the relevant legislation or for the purposes of processing personal data.
We delete or destroy personal data in the event that the storage period stipulated in the legislation expires or the purpose of processing disappears. Our principles and procedures regarding retention periods are stated in Article 9.1 of this Policy. detailed in the article.
7.2. Explicit consent to be obtained within the scope of processing the data of the Relevant Person
We obtain the explicit consent of the person concerned, except for the cases listed in the Law and which do not require explicit consent.
7.3. Our purposes for processing personal data
As a company, we process personal data for purposes similar to those listed below, including but not limited to:
Conducting our activities,
Determination of human resources policy, planning and execution of processes,
To provide support services to customers within the scope of the contract and within the framework of service standards,
Determining the preferences and needs of our customers and shaping and updating the services to be provided to our customers within this scope,
To ensure that our legal obligations are fulfilled as required or required by legal regulations,
To be able to do market research and statistical studies,
Surveys, contests, campaigns, promotions and sponsorships,
Evaluating job applications,
To contact people who have a business relationship with the company,
Monitoring of marketing processes,
Vendor / supplier management,
Planning, execution of advertising and promotional activities,
Planning of commercial and business strategies,
Business partners/thedamanagement of risk relations
7.4. Processing of special categories of personal data
Special categories of personal data are processed by us by taking the administrative and technical measures stipulated by the laws and stipulated by the KVK Board, and if there is express consent, or in cases where the legislation requires it.
Since sensitive personal data related to health and sexual life can be processed by persons or authorized institutions and organizations under the obligation of keeping confidentiality for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, It is not processed by us other than the data of our employees. Such data belonging to our employees may be processed by the persons stipulated by the laws.
7.5. Processing of personal data collected through cookies on our website
7.6. Processing personal data for human resources and employment purposes
Your CV, diploma, etc. that you shared with us during the application process as an Employee Candidate. We process, store and transfer your personal data in other documents for the purpose of job application evaluation. The processing, transfer and storage of the personal data you share as an Employee Candidate are covered by this Policy and the Personal Data Protection Policy for Candidate Employees.
7.7. Exceptional cases where express consent is not sought in the processing of personal data
In exceptional cases listed below and arising from the law, we may process personal data without express consent:
expressly provided for in laws;
It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract;
Data processing is mandatory for the establishment, exercise or protection of a right;
It is necessary for us to process your data for our legitimate interests as data controller, provided that it does not harm fundamental rights and freedoms;
Obligatory for the fulfillment of any of our legal obligations as a data controller;
It is necessary for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid;
Being made public by the person concerned.
Exceptional cases where sensitive personal data can be processed without the explicit consent of the Relevant Person can be found in Article 7.4 of this Policy. specified in the article.
8.1. Transfer of personal data to the country
As a company, we act in accordance with the decisions and regulations stipulated in the KVKK and taken by the KVK Board regarding the transfer of personal data.
Without prejudice to the exceptional circumstances in the legislation, personal data and sensitive data are not transferred by us to other real persons or legal entities without the express consent of the person's parent or legal representative, in case the Relevant Person or Relevant Person is a person under the age of 18.
In exceptional cases stipulated by the KVKK and other legislation, in the event that the Relevant Person or the Relevant Person is a person under the age of 18, the administrative or judicial institution authorized for the data in the manner and within the limits stipulated in the legislation, without the express consent of the Relevant Person's parent or legal representative. or transferred to the organization.
In addition, with the exceptional cases stipulated by the legislation;
7.7 of the Policy. In the cases described in Article
7.4 of the Policy regarding sensitive personal data. in the cases listed in the article,
With the measures stipulated by the KVK Board and the relevant legislation, special personal data related to the health and sexual life of the Relevant Person can only be provided for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. It can be transferred to persons or authorized institutions and organizations under the obligation of keeping secrets for the purpose of keeping their secrets, without seeking their explicit consent.
8.2. Transfer of personal data abroad
As a rule, personal data is not transferred abroad without the express consent of the Relevant Person's parent or legal representative, in case the Relevant Person or Relevant Person is a person under the age of 18. However, Article 7.4 of this Policy. and 7.7. In cases where one of the exceptions specified in Articles of Association exists, third parties abroad can only:
Being located in countries where there is sufficient protection declared by the KVK Board;
Data controllers in Turkey and in the foreign country in question, if they are located in countries where there is no adequate protection.the undertaking of adequate protection in writing and the permission of the KVK Board;
In such cases, personal data may be transferred abroad without express consent.
When the storage of the data in the cloud system is technically necessary, the data can be transferred abroad by obtaining explicit consent and in accordance with the regulations determined by the laws.
8.3. Institutions and organizations to which personal data is transferred
Personal data, including but not limited to;
To our suppliers,
To our business partners and business contacts,
To our company's subsidiaries and group companies,
Legally authorized public institutions and organizations,
Legally authorized private legal persons,
To the person or third parties from whom service is received, or to the consultants, organizations or authorities that cooperate,
To our shareholders,
According to the principles and rules explained above, it can be transferred within the conditions and purposes listed in Articles 8 and 9 of the Law.
8.4. Measures we take regarding the legal transfer of personal data
8.4.1. technical measures
To protect personal data, but not limited to those listed;
To make the internal technical organization for the processing and storage of personal data in accordance with the legislation,
Establishing the technical infrastructure to ensure the security of the databases where your personal data will be stored,
Follows and audits the processes of the technical infrastructure created,
It determines the procedures regarding the reporting of the technical measures and audit processes we take,
Periodically updating and renewing the technical measures,
Risky situations are re-examined and necessary technological solutions are produced,
We use virus protection systems, firewalls and similar software or hardware security products and establish security systems in line with technological developments,
We employ employees who are experts in technical matters.
8.4.2. Administrative measures
To protect your personal data, but not limited to those listed;
Establishing personal data access policies and procedures, including company and subsidiary employees within our company,
Informing and training our employees on the legal protection and processing of personal data,
In the contracts we make with our employees and/or in the Policies we create, the company records the measures to be taken in case of unlawful processing of personal data by our employees,
We control the processing of personal data of the data processors we work with or the partners of the data processors.
9.1. Keeping personal data for the period required by the relevant legislation or for the purpose for which they are processed.
We keep personal data for as long as required by the purpose of processing personal data, without prejudice to the storage periods stipulated in the legislation.
In cases where we process personal data for more than one purpose, if the purposes of processing the data disappear or if the Relevant Person or the Relevant Person is a person under the age of 18, in case the legislation does not prevent the deletion of the data upon the request of the Relevant Person's parent or legal representative. deleted or destroyed. Legislative provisions and KVK Board decisions are complied with in matters of destruction or deletion.
9.2. Measures we take regarding the storage of personal data
9.2.1. technical measures
Establishes technical infrastructures and related control mechanisms for the deletion and destruction of personal data,
Takes necessary measures for the safe storage of personal data,
Employs employees with technical expertise,
It creates business continuity and emergency plans against possible risks and develops systems for their implementation,
We establish security systems in accordance with technological developments regarding the storage areas of personal data.
9.2.2. Administrative measures
Raising awareness by informing our employees about the technical and administrative risks related to the storage of personal data,
In case of cooperation with third parties for the storage of personal data, contracts made with companies to which personal data are transferred; We include provisions regarding taking the necessary security measures for the protection and safe storage of the transferred personal data of the persons to whom personal data is transferred.
10.1. Our obligations regarding the security of personal data
To prevent illegal processing,
To prevent illegal access,
To ensure that it is stored in accordance with the law,
We take administrative and technical measures according to technological possibilities and implementation costs.
10.2. Measures we take to prevent unlawful processing of personal data
Carries out and has the necessary inspections made within our company,
To train and inform our employees about the legal processing of personal data,
The activities carried out by our company will be detailed.It is evaluated specifically for all business units, and as a result of this evaluation, personal data is processed specifically for the commercial activities carried out by the relevant units,
In contracts made with companies that process personal data, in cases where cooperation is made with third parties for the processing of personal data; It includes provisions regarding the taking of necessary security measures by the persons who process personal data,
In case of unlawful disclosure of personal data or data leakage, we notify the KVK Board about the situation and carry out the investigations stipulated by the legislation and take the measures.
10.2.1. Technical and administrative measures taken to prevent unlawful access to personal data
To prevent unlawful access to personal data;
Employs employees with technical expertise,
Periodically updating and renewing the technical measures,
Establishes access authorization procedures within our company,
It determines the procedures regarding the reporting of the technical measures and audit processes we take,
It creates the data recording systems used in our company in accordance with the legislation and makes periodic audits,
It creates emergency aid plans against the risks that may occur and develops systems for their implementation,
We train and inform our employees about accessing and authorizing personal data,
In contracts with companies that provide access to personal data, in cases where cooperation is made with third parties for activities such as processing and storage of personal data; It includes provisions regarding taking the necessary security measures of persons accessing personal data,
We establish security systems within the scope of technological developments in order to prevent unlawful access to personal data.
10.2.2. Measures we take in case of unlawful disclosure of personal data
We take administrative and technical measures to prevent the unlawful disclosure of personal data and update them in accordance with our relevant procedures. If we detect that personal data has been disclosed without authorization, we establish a system and infrastructure to notify the Relevant Person or, in case the Relevant Person is under the age of 18, the parent or legal representative of the Relevant Person and the KVK Board.
In case of an unlawful disclosure despite all the administrative and technical measures taken, this may be announced on the website of the KVK Board or by any other method, if deemed necessary by the KVK Board.
Within the scope of our disclosure obligation, we inform the Personal Data Owner and establish systems and infrastructures for this information. We make the necessary technical and administrative arrangements for the Personal Data Owner to exercise their rights regarding your personal data.
On the Personal Data Owner's personal data;
Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data if it is incomplete or incorrectly processed,
Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,
Requesting notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred,
Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems,
Requesting the compensation of the damage in case of damage due to the unlawful processing of personal data,
11.1. Exercise of rights regarding personal data
Personal Data Owner may submit his/her request regarding his/her personal data by using this method, in case a separate method is determined by the KVK Board, or by using the "KVKK Application Form" on our website to [email protected], in writing and with wet signature, or via eae. It will be able to send it to our registered e-mail address .[email protected] signed with a secure electronic signature.
In the application containing the explanations regarding the right to be made and requested by the Personal Data Owner to use the above-mentioned rights; The requested matter must be clear and understandable, the requested subject must be related to the applicant's person or, if acting on behalf of someone else, he must be specifically authorized in this regard and this authority must be documented, and the application must include identity and address information, and documents proving his identity must be attached to the application. In case the Relevant Person is under the age of 18, the parent or legal representative submits the application regarding the personal data to the Relevant Person.i is required to send the above-mentioned documents together with the supporting documents.
Such requests will be made individually and requests made by unauthorized third parties regarding personal data will not be taken into consideration.
11.2. Evaluation of the application
11.2.1. Application response time
Requests regarding personal data are concluded as soon as possible and in any case, within 30 (thirty) days at the latest, free of charge or against the fee in the tariff in case the conditions in the tariff to be published by the KVK Board are met.
Additional information and documents may be requested during the application or while the application is being evaluated.
11.2.2. Our right to refuse the application
Applications regarding personal data;
Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate the privacy or personal rights of private life or constitute a crime,
Processing of personal data made public by the Personal Data Owner,
The application is not based on a just cause,
The application contains a request contrary to the relevant legislation,
Failure to comply with the application procedure,
rejected with justification.
11.3. Evaluation procedure of the application
In order for the response period specified in Article 11.2.1 of this Policy to begin, the requests must be sent with written and wet signatures or electronic signature and via KEP or by other methods determined by the KVK Board, with information and documents proving the identity of the applicant. In case the Relevant Person is under the age of 18, the parent or legal representative must submit the application regarding the personal data, along with the documents proving the identity of the Relevant Person, by attaching the above-mentioned documents.
If the request is accepted, the relevant process is applied and a notification is made in written or electronic form. In case of rejection of the request, the applicant is notified in writing or electronically by explaining the reason.
11.4. Right to complain to the Personal Data Protection Board
In cases where the application is rejected, the answer we give is insufficient or the answer is not given on time; The applicant has the right to lodge a complaint with the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.
In order to ensure security and maintain the operation by our company, our company's buildings (internal and external) security camera monitoring and guest entries and exits are followed, and personal data is processed in accordance with the Constitution, KVK Law and other relevant legislation. Our company's building, building entrances and inside the building, through the camera monitoring system, image recordings of our visitors are taken for purposes such as ensuring their safety, increasing the quality of service, ensuring the security of our company, visitors and other people, and for this purpose, data processing is carried out. Only a limited number of Company employees have access to the records recorded and maintained in the digital environment and declares that they will protect the confidentiality of the accessed data with a confidentiality agreement. On the other hand, live camera images can be watched by outsourced security tasks. In accordance with Article 12 of the KVK Law, necessary technical and administrative measures are taken to ensure the security of personal data obtained as a result of camera monitoring. Log records regarding your internet access provided to our guests are recorded in accordance with the Law No. 5651 and the mandatory provisions of the legislation regulated in accordance with this Law; These records are only processed when requested by authorized public institutions and organizations or to fulfill our legal obligations in audit processes to be carried out within our Company. Only a limited number of Company employees who make a commitment to confidentiality have access to the log records obtained, and these records are accessed only for use in requests or audit processes from authorized public institutions and organizations, and shared with legally authorized persons. On the websites owned by our company; for purposes such as ensuring that people who visit these sites perform their visits on the sites in accordance with the purposes of their visit; Internet movements within the site are recorded in accordance with the provisions of the Law and relevant legislation.
Although it has been processed in accordance with Article 7 of the KVKK and the provisions of other relevant laws (Article 138 of the Turkish Penal Code), in the event that the reasons for its processing are eliminated, the personal data is deleted ex officio, that is, upon the decision of the Company or upon the request of the personal data owner. or destroyed. Provisions in other laws regarding the deletion or destruction of personal data are reserved. Our company, as deletion or destruction techniques; Deletion of personal data, physically destroying personal data, securely deleting from existing software, can be used by the company's expert technical personnel or an expert to be agreed. The techniques used in anonymization are; aggregation, derivation, masking, mixing techniques. Since the anonymized personal data will not be covered by the KVK law, it may be processed for purposes such as research and statistics.
This Policy is stored in two different media, printed paper and electronic media.
This Policy is reviewed at intervals to be determined by the Company and, if necessary, updated within the principles determined by the laws and regulations within the Company.
This Policy is deemed to have entered into force after it is published in the QDMS environment, which is the Document Management System of our company, and on the company website.