TURKUAZ ELEKTROTEKNİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ
PERSONAL DATA PROTECTION AND PROCESSING POLICY
SECTION 1
1.1. INTRODUCTION
The protection of personal data is among the most important priorities for TURKUAZ ELEKTROTEKNİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ, and the Company exercises maximum care, attention, and sensitivity to act in accordance with the legislation in force in this regard.
Within the framework of this Personal Data Protection and Processing Policy; the fundamental principles and bases adopted in the execution of personal data processing activities carried out by our Company and the rules regarding the position of our Company's data processing activities against the Law No. 6698 on the Protection of Personal Data, relevant regulations, communiqués, principle decisions, guides, and other secondary regulations are explained. Hereby, our Company aims to inform personal data subjects, ensure transparency, establish data processing activities within a systematic corporate framework, and ensure the sustainability of compliance with the legislation.
With full awareness of our responsibility in this context; personal data belonging to employees, employee candidates, interns, intern candidates, visitors, customer officials, customer employees, potential customer officials, suppliers, supplier officials, supplier employees, dealer and distributor officials, business partners, service providers, subcontractor employees, persons contacted during logistics and shipment processes, website visitors, persons applying via communication forms, and other real persons in relationship with the Company are processed within the scope of this Policy and in accordance with the relevant legislation.
Our Company, as an industrial and commercial company conducting the production, sales, marketing, shipment, export, dealer-distributor relations, quotation, order and after-sales operations of electrical installation and cable management systems, plastic and metal cable glands, Ex-proof solutions, spiral and straight pipes, connection elements, and similar electrotechnical products as well as corporate management processes; takes compliance with the law, integrity, transparency, accountability, data minimization, purpose limitation, proportionality, accuracy, currency, confidentiality, integrity, accessibility, and data security as its basis in personal data protection and processing processes; and continuously develops its technical and administrative organization in this direction.
The Company considers the protection of personal data not only as a legislative obligation but also as a natural result of corporate governance, commercial reliability, preservation of export and supply chain discipline, information security, contractual loyalty, and respect for the fundamental rights and freedoms of the relevant individuals. For this reason, in all processes where personal data is processed, from the acquisition of data to its classification, use, transfer, storage, and destruction, it is aimed to establish a controlled, recorded, and auditable system at every stage.
1.2. PURPOSE
In line with this Personal Data Protection and Processing Policy, TURKUAZ ELEKTROTEKNİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ commits to comply with the principles and rules brought by the Constitution of the Republic of Turkey, Law No. 6698 on the Protection of Personal Data, relevant regulations, communiqués, Personal Data Protection Board decisions, Personal Data Protection Authority announcements, guides, other secondary regulations, and other applicable legislation regarding the protection of personal data and to protect the rights of the individuals concerned. For this purpose, the Company has adopted a written personal data protection system and corporate data governance structure to be implemented and developed. Especially in the processes of processing special categories of personal data and transferring data abroad, the current legal regulations that came into force in 2024 and the secondary legislation linked to these regulations are taken as a basis.
The Company presents the principles to be adopted and taken into account in practice regarding the protection and processing of personal data within the scope of production, quality control, warehouse and stock management, purchasing, sales and marketing, quotation, order management, shipment, export, customer relations, after-sales services, finance and accounting, human resources, administrative affairs, visitor management, occupational health and safety, information technologies, law and contract management, and other operational processes linked to its commercial activities with this Policy.
The Policy aims to determine the framework for compliance activities to be carried out within the Company to ensure compliance with the Law No. 6698 on the Protection of Personal Data, to ensure internal coordination, to clarify roles and responsibilities, to ensure unity of application for business units, and to bind the data governance structure to a corporate standard.
In this context, the purpose of this Policy is:
• to ensure the sustainability of activities in accordance with the principles of legality, integrity, and transparency,
• to ensure that the Company establishes and implements its own corporate standards in the management of personal data,
• to determine organizational goals and obligations,
• to establish control mechanisms aligned with acceptable risk levels,
• to fulfill national obligations in the field of personal data protection and, where applicable, data security requirements touching international commercial relations,
• to observe the fundamental rights and freedoms of individuals, the privacy of private life, and the interests related to the protection of their personal data at the highest level,
• to ensure harmony between the records related to the registry of data controllers, actual data processing processes, and internal policy and procedure documentation,
• to ensure that personal data processing activities are made auditable, traceable, and sustainable.
1.3. SCOPE
This Policy covers all activities carried out within the Company and the personal data processing processes related to these activities. The provisions of the Policy cover all information systems, sub-systems, production and operation areas, contracts, physical and electronic archives, environmental and physical areas, infrastructures, software, devices, applications, and all corporate regulations regarding these in the Company's fields of activity and work.
This Policy covers:
• all departments and units of the Company,
• managers,
• employees,
• employee candidates,
• interns,
• intern candidates,
• contracted personnel,
• customer officials,
• customer employees,
• potential customer officials,
• visitors,
• suppliers,
• supplier officials and employees,
• real persons contacted in logistics, storage, cargo, and shipment processes,
• business partners,
• service providers,
• dealer and distributor officials,
• consultants,
• other real persons establishing legal, commercial, operational, technical, or administrative relations with the Company.
Any transaction, action, or omission that constitutes a violation of the Law on the Protection of Personal Data or this Policy is evaluated within the framework of relevant legislation, internal company regulations, contractual obligations, disciplinary provisions, and, when necessary, legal processes, and required sanctions are applied.
Business partners, data processors, external service providers, technical service providers, software and hardware suppliers, cloud or hosting service providers, consultants, financial advisors, legal advisors, auditing parties, cargo and logistics firms, and other third parties working with the Company who have or may have access to personal data are invited to read this Policy and act accordingly. In this context, third parties are expected to have established a security and compliance system that is at least as strong, adequate, and sustainable as the Company's in terms of personal data protection.
The Company management and the authorized personal data protection structure are responsible for the preparation, updating, supervision of implementation, and coordination of this Policy. All departments within the Company and all employees, managers, and relevant officers involved in data processing processes are responsible for the daily application of the Policy within their own spheres of duty.
1.4. TARGET
With this Policy of the Company, it is aimed to create corporate awareness regarding the legal processing and protection of personal data within the Company; to establish necessary systems; to operate policies, procedures, job descriptions, and control mechanisms; to spread the data security culture and to ensure sustainability of compliance with the legislation.
In this context, the Company Policy aims to guide the implementation of regulations set forth by the Personal Data Protection Law No. 6698 and relevant legislation; contributing to the standardization of data processing activities across the company, the establishment of harmony between the personal data processing inventory and actual operation, and the adoption of a risk-based control approach.
The Company aims not only to meet current compliance requirements through this Policy but also to spread the personal data protection culture throughout the company, increase employee and manager awareness, establish systems to prevent data security violations, strengthen the data security approach in supply chain and external service provider management, and create a dynamic corporate structure that can adapt to legislative changes.
SECTION 2
2.1. DEFINITIONS
|
DEFINITION |
EXPLANATION |
|
The Company |
TURKUAZ ELEKTROTEKNİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ |
|
Explicit consent |
Consent regarding a specific subject, based on information and declared with free will. |
|
Anonymization |
Rendering personal data such that it cannot be associated with an identified or identifiable real person under any circumstances, even if matched with other data. For example; making personal data unassociable with an identified or identifiable real person through techniques such as masking, aggregation, data corruption, and similar methods. |
|
Relevant person (Data Subject) |
The real person whose personal data is processed. For example; employees, employee candidates, interns, visitors, customer officials, customer employees, supplier officials, dealer representatives, and other real persons. |
|
Personal data |
Any information relating to an identified or identifiable real person. Data relating to legal entities and not directly making a real person identifiable is not considered within this scope. For example; name and surname, Republic of Turkey identity number, e-mail address, address information, date of birth, telephone number, bank account information, and similar data. |
|
Special category personal data |
Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. Following the amendments that came into force on June 1, 2024, the processing conditions of this data category are evaluated within the framework of the current Article 6 of the Law. |
|
Processing of personal data |
Any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data by fully or partially automated means or by non-automated means provided that they are part of any data recording system. |
|
Data controller |
The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. |
|
Relevant person application form |
The application form to be used by the relevant person when exercising their rights set out in Article 11 of the Personal Data Protection Law No. 6698. |
|
Constitution of the Rep. of Turkey |
Constitution of the Republic of Turkey dated November 7, 1982 and numbered 2709. |
|
Personal Data Protection Law |
Law on the Protection of Personal Data dated March 24, 2016 and numbered 6698. |
|
Policy |
TURKUAZ ELEKTROTEKNİK SANAYİ VE TİCARET LİMİTED ŞİRKETİ Personal Data Protection and Processing Policy. |
|
Communiqué on rules for fulfillment of lighting obligation |
The Communiqué published in the Official Gazette dated March 10, 2018 and numbered 30356. |
|
Personal data storage and destruction policy |
The policy in which the maximum periods required for the purposes for which personal data are processed and the deletion, destruction, and anonymization processes are regulated by the Company in accordance with the Regulation on Deletion, Destruction or Anonymization of Personal Data. |
|
Periodic destruction |
The deletion, destruction, or anonymization process to be carried out at recurring intervals in the event that all the processing conditions of personal data in the Law disappear. |
|
Registered electronic mail (REM) |
A system that protects all kinds of commercial and legal correspondence and document sharing in the form it is sent, definitely identifies the identity of the recipient, ensures the immutability of the content, and carries the quality of legally valid evidence. |
|
Data controllers registry information system |
The information system accessible via the internet, created and managed by the Presidency of the Personal Data Protection Authority, used by data controllers in their application to the Registry and in other transactions related to the Registry. |
|
Standard contract |
Standard contract texts published by the Personal Data Protection Authority as one of the appropriate assurance methods in cases where there is no adequacy decision in the transfer of personal data abroad. |
2.2. CLASSIFICATION OF PROCESSED PERSONAL DATA
Personal Data
Personal data are any information relating to an identified or identifiable real person. The protection of personal data only concerns real persons, and data belonging to legal entities and not containing information regarding a real person is not considered within this scope. Therefore, this Policy does not apply to purely corporate data belonging to legal entities.
The categories of personal data processed by the Company are as follows:
|
Personal Data Categories |
Sub-headings and Explanations |
|
Identity |
Name and surname, Republic of Turkey identity number, nationality information, mother's name, father's name, place of birth, date of birth, gender, identity card, birth certificate, passport, driver's license information, signature information, tax number, and similar data |
|
Communication |
Telephone number, mobile phone number, address information, e-mail address, registered e-mail address, notification address, in-company communication information, emergency contact information, and other communication data |
|
Personnel |
Payroll information, attendance records, leave information, CV information, recruitment-exit records, task and title information, performance evaluation records, training records, data within the scope of the personnel file |
|
Legal Action |
Information in lawsuit and enforcement files, official institution correspondence, notices, defenses, minutes, legal demand, and application information |
|
Customer Transaction |
Request information, offer information, order records, contract information, waybill and delivery information, shipment and logistics records, complaint and satisfaction information, after-sales support records |
|
Physical Space Security |
Entry-exit records of employees, visitors, and other relevant persons, visitor records, security camera records |
|
Transaction Security |
Website entry-exit information, electronic mail usage records, system user information, records regarding password management, internet traffic information, log records, system access and transaction records |
|
Finance |
Bank account information, payment and collection information, fee information, current account records, tax information, invoice information, accounting records |