As EAE ELEKTRİK AYDINLATMA ENDÜSTRİSİ SAN. VE TİC. A.Ş. (hereinafter shall be referred to as “EAE LIGHTING”), our top priority is to ensure that the personal data of the real entities including our customers, suppliers and employees is processed in accordance with the Constitution of the Republic of Turkey and the international conventions on the human rights to which our country is a party and the relevant legislation, particularly the Law on Protection of Personal Data No. 6698 (“LPPD”) and effective exercise of the rights of the related persons with the personal data processed.
Therefore, we have been performing the processes related to the processing, retention, transfer of the personal data of the real entities including but not limited to our employees, suppliers, customers, users visiting our website acquired through automated or non-automated means provided to be a part of any data recording system during our operations and processes in accordance with EAE LIGHTING Policy on Protection and Processing of the Personal Data (hereinafter shall be referred to as “Policy”).
Protection of personal data and observance of the fundamental rights and freedoms of real persons with the personal data collected are the basic principles of our policy with respect to the processing of personal data. Therefore, we have been sustaining and maintaining our entire activities and operations in which the personal data is processed by observing the right to protect the right of privacy, confidentiality of communication, freedom of thought and belief, and to practice effective legal remedies. We take the entire administrative and technical protection measures and precautions required by the relevant data nature in accordance with the legislation and the applicable technology for the protection of the personal data.
This Policy describes the methods applied by us for the processing, retention, transfer and deletion of the personal data disclosed during our commercial or social responsibility and similar activities and operation within the framework of the principles set forth in the LPPD.
The entire personal data of our customer, business contacts, employees, suppliers, potential customers and various third parties processed by the Corporation is within the scope of this Policy.
Our Policy is applied in the entire activities and operations for processing of the personal data, owned or managed by the Corporation and addressed and drawn up by observing LPDD and other legislation and regulations related to the personal data and the international standards applicable in this field.
3-DEFINITION AND ABBREVIATIONS
Corporation: EAE ELEKTRİK AYDINLATMA ENDÜSTRİSİ SAN. VE TİC. A.Ş.
Explicit Consent: Refers to approval granted only limited to the particular process or transaction related to a certain matter, based on information and freewill with the explicitness beyond any doubt.
Employee: Corporate personnel.
Personal Data Subject (Related Person): Refers to the real entity with the personal data processed.
Personal Data: All sorts of information relating to an identified or identifiable real entity.
Personal Data of Special Nature: Refers to the data on a person’s race, ethnic origin, political and philosophical opinions, religion, religious sect and other beliefs, apparel, membership information to associations, foundations or syndicates, sexual life, conviction, security measures, biometric and genetic information
Processing of Personal Data: Refers to all sorts of processes and transactions performed on the data such as acquiring, recording, storing, maintaining, altering, rearranging, disclosing, rendering to a retrievable state, classifying or prevention of using personal data entirely or partially through entirely or partially automated or non-automated ways provided to be a part of any data registry system.
Data Processor: Refers to the real or legal entity processing personal data on behalf of the data supervisor based on the authorization granted by the data supervisor.
Data Controller: Refers to the real or legal entity determining the objectives and instruments of personal data processing and responsible for the installation and management of data recording system,
Personal Data Protection Board: Refers to the Personal Data Protection Board.
Personal Data Protection Institution: Refers to the Personal Data Protection Institution.
LPPD: Law on Protection of Personal Data promulgated on the Official Gazette dated April 7, 2016 and No. 29677.
4-ROLES AND RESPONSIBILITIES
Committee for Personal Data Protection
The Committee for Personal Data Protection, established within EAE LIGHTING and comprising of representatives of Human Resources, Accounting, Data Processing, Quality, Sales Departments and Senior Management are responsible for drawing up this policy and keeping it updated. In case of determination of any action and behavior inconsistent and contrary to the provisions of this Policy, the Committee for Personal Data Protection assessed the situation in accordance with the Procedure for Management of Personal Data Breach Incident.
The legal obligations accordance with LPPD within the scope of protection and processing of personal data acting with the capacity of the data controller are as follows:
While collecting personal data acting with the capacity of the data controller;
Purpose of processing of your personal data;
Information on our identity and our representative, if any,
To whom and for which purposes your processed personal data may be transferred,
Our data collection method and legal grounds for the collection of data,
Rights arising from the law,
We have the obligation to disclose the information stated hereinabove to the Related Person.
We are attentive for this Policy open to public to be explicit, comprehensive and easily accessible.
We are taking the entire administrative and technical measures and precautions stipulated in the regulation to ensure the security of the personal data processed as acting with the capacity of the data controller. The obligations related to the data security as well as the precautions and measures taken are detailed in Sections 9 and 10 of this Policy.
6-CLASSIFICATION OF PERSONAL DATA
The Personal Data refers to all sorts of information relating to an identified or identifiable real entity.
Protection of personal data only aims for the real entities and the data of the legal entities and the information not including any data of a real entity shall be excluded from the scope of protection of personal data. Therefore, this Policy shall not be applied to the data of the legal entities.
The personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature.
7-PROCESSING OF PERSONAL DATA
We are processing the personal data in accordance with the principals stated hereinbelow.
7.1.1. Processing Complying with Law and in Good Faith
We are processing the personal data in accordance with the good faith in a transparent manner within the framework of our obligation of providing clarification.
7.1.2. Ensuring the Accuracy and Actuality of Personal Data If Required
We take the required precautions and measures in our data processing procedures to ensure the accuracy and actuality of the data processed. We provide the opportunity to the Personal Data Subject to apply to us to update the data thereof and if any, correct the errors and omissions in the data processed.
7.1.3. Processing for Certain, Explicit and Legal Purposes
We, as the corporation, process the personal data within our legitimate purposes defined in order to sustain our operations and activities with the scope and content explicitly identified within the framework of the legislation and within the ordinary course of commercial life.
7.1.4. Personal Data Being Associated, Limited and Restrained with the Purpose of Processing
We process the personal data being associated, limited and restrained with the purpose of processing determined explicitly and precisely.
We refrain from processing of personal data that is not relevant or not required to be processed. Therefore, as long as there is no legal requirement, we do not process the personal data of special nature or should a requirement arises, we obtain explicit consent on the matter.
7.1.5. Retention of personal data throughout the periods stipulated by the legal regulations and our legitimate commercial benefits.
Numerous regulations in the legislation entail retention of the personal data. Therefore, we store the personal data for the period stipulated in the relevant legislation or required for the purposes of processing personal data.
In case of expiration of the retention periods stipulated in the relevant regulation or the purpose of processing personal data no longer exist, we are delete or destroy the personal data. Our principles and procedures for the retention periods are detailed in Article 9.1. of this Policy.
We obtain the explicit consent of the Related Person, excluding the circumstances stipulated in the Legal in where explicit consent is not required.
We, as the Corporation, perform processing of the personal for the purposes including but not limited with the following:
Execution of our operations and activities,
Determination of human resources policy, planning and execution of processes,
Providing support services to the customers within the scope of the Agreement and the service standards,
Shaping and updating the services to be offered to our customers upon determining the preferences and requirements of our customers,
Ensuring the fulfillment of our legal liabilities and obligations as required or imposed by the legal regulations,
Ability to perform market researches and statistical studies,
Surveys, contests, campaigns, promotions and sponsorships,
Evaluating the job applications,
Establishing contact with the entities with business relations with the corporation,
Monitoring of marketing processes,
Planning, execution of advertising and promotional activities,
Planning of commercial and business strategies,
Management of business partners/supplier relationships.
Personal data of special nature is processed by us in case of explicit consent or in circumstances imposed by the legislation by taking the administrative and technical precautions and measures stipulated in the laws and set forth by the PDP Board.
In case of personal data of special nature related to medical condition and sexual life of the, the said data can and public shared to parties to or authorized institutions and organizations under the obligation of non-disclosure merely for the purpose of protection of public health, preventive medicine, medical diagnosis, execution of treatment and healthcare services, planning and management of healthcare services and financing. Such type of data of our employees can be processed by the persons stipulated in the laws.
We apply cookies for the purpose of improving the functioning and usage of our website and we perform endeavors to provide you a better user experience and improve the time you spend on our website to become more efficient and enjoyable. In addition to this, we make use of certain cookies to remember your preferences on our website and thus, offering you an improved and customized navigation experience on our website.
During process of the applications you shall file as an Employee Candidate, we process, store and transfer your personal data in documents such as your CV, diploma etc. you disclosed to us for job application evaluation process. Processing, transferring and storing the personal data you disclosed as an Employee Candidate are within the scope of this Policy and the Policy on the Protection of Personal Data for Employee Candidates.
We are entitled to process the personal data without obtaining the explicit consent in exceptional circumstances stated hereinbelow and arising from law:
Being Explicitly Set Forth in Laws
Provided to be directly associated with the conclusion or the execution of an agreement, requirement for the processing of the personal data of the contractual parties;
Obligatory Data Processing for Establishment, Exercise or Protection of a Right;
In case of an obligation for processing your data for the legitimate interests of the corporation as the data controller, provided not to harm the fundamental rights and freedom;
As a data controller, being obligatory for fulfilling any of our legal obligations;
Being obligatory for the protection of a life or bodily integrity of an individual unable to grant his explicit consent due to physical incapabilities or with consent unable to be recognized on a legal basis or any others;
Personal Data Made Public by Related Person.
The exceptional circumstances in where the personal date of special nature can be processed without the explicit consent of the Related Person are specified in Article 7.4. of this Policy.
8-TRANSFER OF PERSONAL DATA
As a corporation, with regards to transferring of personal data, we are acting in accordance with the LPPD and the resolution rendered by PDP Board.
Save for the exceptional circumstances stipulated by the legislation, the personal data of special nature cannot be transferred to other real or legal entities without the explicit consent of the Related Person or the guardian or legal representative thereof in case the Related Person is a minor.
In exceptional circumstances stipulated by LPPD and various legislations, data can be transferred to administrative or judicial organizations or institutions granted with the required authorization subject to the manner and limits set forth in the legislation without the explicit consent of the Related Person or the guardian or legal representative thereof in case the Related Person is a minor.
Moreover, in exceptional circumstances stipulated by the legislation;
In circumstances described in article 7.7. of the Policy,
In circumstances stated in article 7.4. of the Policy regarding the personal data of special nature,
Upon taking the precautions and measures set forth by the PDP Board and the relevant legislation, in case of personal data of special nature related to medical condition and sexual life of the employee, the said data can only be shared to parties to or authorized institutions and their explicit consent under the obligation of non-disclosure merely for the purpose of protection of public health, preventive medicine, medical diagnosis, execution of treatment and healthcare services, planning and management of healthcare services and financing.
The personal data cannot be transferred overseas without the explicit consent of the Related Person or the guardian or legal representative thereof in case the Related Person is a minor. However, in case of any of the exceptional circumstances stated in articles 7.4. and 7.7. of this Policy, only in case the overseas third parties are; located at the countries in where sufficient protective measures stated by PDP Board are in place;
located at the countries in where sufficient protective measures are not in place, written affirmative covenant related to a sufficient degree of protection issued by the data controllers residing at the said foreign country and the authorization of PDP Board in place;
The personal data can be transferred overseas without the explicit consent.
When the storage of the data in the cloud system is technically necessary, the data can be transferred abroad by obtaining explicit consent and in accordance with the regulations determined by the laws.
The personal data can be transferred to, including but not limited to
Our business associates and business contacts,
Affiliates and group companies of our corporation,
Legally authorized public authorities and organizations,
Legally authorized private law entities,
Entities from whom services are received or third parties or advisors, organizations or authorities with whom we are collaborating,
within the terms and purposes stipulated in Articles 8. and 9. of the Law in accordance with the principles and rules stated hereinabove.
8.4.1. Technical Measures
For the purpose of protection of the personal data, we are taking the required technical measures, including but not limited to; performing the in-house technical organization for the processing and retention of the personal data in accordance with the legislation, establishing the technical infrastructure to ensure the security of the databases where your personal data shall be stored, monitoring and controlling the processes of the technical infrastructure established, determining the procedures for reporting the technical measures and audit processes we have taken, periodically updating and renewing the technical measures, reviewing and examining the risky situations are re-examined and producing the required technological solutions, utilizing virus protection systems, firewalls and similar software or hardware security products, and establishing security systems in accordance with technological advancements.
We employ personnel specialist in technical aspects.
8.4.2. Administrative Measures
For the purpose of protection of the personal data, we are taking the required technical measures, including but not limited to; establishing policies and procedures for access to personal data, including employees of the corporation and affiliates within our company, informing and training our employees regarding the protection and processing of personal data in accordance with the law, recording the measures to be taken in case of illegal processing of the personal data by our employees in the employment agreements and/or Policies, auditing the personal data processing activities of the data processors we work with or the partners of the data processors.
9-STORAGE OF PERSONAL DATA
9.1. Keeping personal data for the period required by the relevant legislation or for the purpose for which they are processed.
We keep personal data for as long as required by the purpose of processing personal data, without prejudice to the storage periods stipulated in the legislation.
In cases where we process personal data for more than one purpose, if the purposes of processing the data disappear or if the Relevant Person or the Relevant Person is a person under the age of 18, in case the legislation does not prevent the deletion of the data upon the request of the Relevant Person's parent or legal representative. deleted or destroyed. Legislative provisions and KVK Board decisions are complied with in matters of destruction or deletion.
9.2. Measures we take regarding the storage of personal data
9.2.1. technical measures
Establishes technical infrastructures and related control mechanisms for the deletion and destruction of personal data,
Takes necessary measures for the safe storage of personal data,
Employs employees with technical expertise,
It creates business continuity and emergency plans against possible risks and develops systems for their implementation,
We establish security systems in accordance with technological developments regarding the storage areas of personal data.
9.2.2. Administrative measures
Raising awareness by informing our employees about the technical and administrative risks related to the storage of personal data,
cooperation with third parties for the storage of personal data, contracts made with companies to which personal data are transferred; We include provisions regarding taking the necessary security measures for the protection and safe storage of the transferred personal data of the persons to whom personal data is transferred.
10-SECURITY OF PERSONAL DATA
10.2.1. Technical and Administrative Measures Taken by Us for Prevention of Unlawful Processing of Personal data
For the purpose of prevention of unlawful the processing of personal data;
We employ personnel with technical specialization in their respective fields, periodically updating and renewing technical measures, establishing access authorization procedures within our corporation, determining the procedures for reporting the technical measures and audit processes we have taken, establishing the data recording systems employed in our corporation in accordance with the legislation and periodically auditing them, developing and implementing emergency service plans against the risks that may occur and developing systems for the implementation thereof, training and informs our employees regarding access to personal data and authorization, In cases where cooperation is made with third parties for activities such as processing and storing personal data, in contracts with companies that provide access to personal data; including provisions in the agreements concluded with the corporations processing personal data in cases of cooperation with the persons who process personal data to take necessary security measures, and establishing security systems within the technological advancements in order to prevent unlawful access to personal data.
10.2.2. Measures Taken by Us In Case of Unlawful Disclosure of Personal Data
We are taking administrative and technical measures from the prevent unlawful disclosure of personal data and to duly update the relevant procedures appropriately. In the event that we identify unauthorized disclosure of the personal data, we have been establishing infrastructures and system to notify this situation to the Related Person or the guardian or the legal representative thereof in case the Related Person is minor and to PDP Board accordingly.
In case of occurrence of an unlawful disclosure in despite of the entire administrative and technical measures taken, this condition shall be notified on the website of PDP Board or through any other means.
11-RIGHTS OF PERSONAL DATA OWNER
Within the scope of our disclosure obligation, we inform the Personal Data Owner and establish systems and infrastructures for this information. We make the necessary technical and administrative arrangements for the Personal Data Owner to exercise their rights regarding your personal data.
On the Personal Data Owner's personal data;
Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data if it is incomplete or incorrectly processed,
Requesting the deletion or destruction of personal data in case the reasons requiring the processing of personal data disappear,
Requesting notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data has been transferred,
Objecting to the emergence of an unfavorable result by analyzing the processed data exclusively through automated systems,
Requesting the compensation of the damage in case of damage due to the unlawful processing of personal data,
11.1. Exercise of rights regarding personal data
Personal Data Owner may submit his/her request regarding his/her personal data by using this method, in case a separate method is determined by the KVK Board, or by using the "KVKK Application Form" on our website to [email protected] , in writing and with wet signature, or via eae . It will be able to send it to our registered e-mail address .[email protected] signed with a secure electronic signature.
In the application containing the explanations regarding the right to be made and requested by the Personal Data Owner to use the above-mentioned rights; The requested matter must be clear and understandable, the requested subject must be related to the applicant's person or, if acting on behalf of someone else, he must be specifically authorized in this regard and this authority must be documented, and the application must include identity and address information, and documents proving his identity must be attached to the application. In case the Relevant Person is under the age of 18, the parent or legal representative must submit the application regarding the personal data, together with the documents proving the identity of the Relevant Person , by attaching the above-mentioned documents .
Such requests will be made individually and requests made by unauthorized third parties regarding personal data will not be taken into consideration.
11.2. Evaluation of the application
11.2.1. Application response time
are concluded as soon as possible and in any case within 30 (thirty) days at the latest , free of charge, or against the fee in the tariff if the conditions in the tariff to be published by the KVK Board are met.
Additional information and documents may be requested during the application or while the application is being evaluated.
11.2.2. Our right to refuse the application
Applications regarding personal data;
Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate privacy or personal rights or constitute a crime,
Processing of personal data made public by the Personal Data Owner,
The application is not based on a just cause,
The application contains a request contrary to the relevant legislation,
Failure to comply with the application procedure,
11.3. Evaluation procedure of the application
In order for the response period specified in Article 11.2.1 of this Policy to begin, the requests must be sent with written and wet signatures or electronic signature and via KEP or by other methods determined by the KVK Board, with information and documents confirming the identity of the applicant . In case the Relevant Person is under the age of 18, the parent or legal representative must submit the application regarding the personal data, together with the documents proving the identity of the Relevant Person , by attaching the above-mentioned documents .
If the request is accepted, the relevant process is applied and a notification is made in written or electronic form. In case of rejection of the request, the applicant is notified in writing or electronically by explaining the reason.
11.4. Right to complain to the Personal Data Protection Board
In cases where the application is rejected, the answer we give is insufficient or the answer is not given on time; The applicant has the right to complain to the KVK Board within 30 (thirty) days from the date of learning the answer and in any case within 60 (sixty) days from the date of application.
This Confidential Policy includes our policy related to your personal data while offering services on the Corporate website. In accordance with the Law on Protection of Personal Data No. 6698 on Acquisition and Processing of your Personal Data (“LPPD”), we hereby inform you that your personal data disclosed to us and requested by us acting with the capacity of the Data Controller strictly in connection to, limited and restricted to the processing purpose and period, shall be recorded, stored, maintained and re-regulated again within the framework of the purpose required and disclosed to the organizations and institutions authorized to request such personal data and transferred to domestic and overseas third parties, assigned, classified under the circumstances and conditions set forth by LPPD and processed in any other ways stipulated in LPPD. The User(s) hereby acknowledge(s) and agree(s) that they disclose their personal data such as name, surname, e-mail address, job applications on our website for the purpose of filing job application, filing their requests and suggestions, introducing themselves and closely following the user preferences, directly using the website or establishing communication on their freewill and with their explicit consent in accordance with the Law on Protection of Personal Data No. 6698, and such data is requested from them for the mere purposes of getting familiar with them, offering better services, and getting informed on the applications or complaints filed and site events and novelties and the website traffic data can be processed as hosting provider during their visits. Your personal data can be transferred to the legally authorized public authorities and organizations, private legal and real entities, including but not limited to ones operating in accordance with the Turkish Code of Commerce (TCC), Turkish Code of Obligations, Law on Protection of the Consumer, other relevant laws and regulations and other relevant legislation and regulations and entitled to record the identity, address and other required information and data for the determination of the information on the party performing the process within the scope of above-cited legislation, to issue the entire required vouchers, records and documentation indicating the process or on paper means, maintain and store the records and documentation for the periods stipulated in the laws within the scope of the relevant laws and legislation, including but not limited to; for the purposes of ensuring the process security in accordance with the relevant regulations, fulfilling the obligations of data retention, reporting, providing information set forth by public organizations and institutions, evaluating, storing, collecting the personal data disclosed during the job applications on verbal, written or electronic environment explicitly authorized by the law. Your entire personal data disclosed to our corporation shall be stored in strict abidance and compliance to the principles of confidentiality in accordance with Article 12 of the Law on Protection of Personal Data No. 6698. Your said personal data can only be disclosed to the corporate employees authorized to store and maintain such data and public organizations and institutions authorized to request such data pursuant to the explicit consent of the users, except the exceptions stipulated in the law/circumstances excluded.
13- COMPANY ENTRANCES AND EXITS AND PROCESSING PERSONAL DATA WITHIN THE COMPANY
The entrance and exit processes of visitors and guests are monitored by a security camera within the premises of our Corporation (inside and outside) for the purpose of ensuring the security and sustaining the operations by our Corporation and the personal data is processed in accordance with the Constitution, LPPD and other relevant regulation. The camera images of our visitors are taken within the premises of our corporation, at the entrance of premises and within the building through the monitoring system for the purposes of ensuring the security, increasing the service quality and ensuring the security and safety of our Corporation, visitors and others and data processing is performed accordingly. Only a limited number of Corporate personnel has access to the records stored on the digital means and the confidentiality is ensured upon concluding a non-disclosure affirmative covenant. Live camera footages can be watched by the outsourced security personnel. In accordance with the article 12 of the LPPD, the required technical and administrative measures are taken to ensure the security of the personal data acquired as a result of the monitoring activities by cameras. The log records of your Internet access provided to our visitors are recorded in accordance with the Law No. 5651 and the governing provisions of the legislation regulated in accordance with this Law and these records are only processed when requested by authorized public institutions and organizations or to fulfill our legal obligations in the audit processes to be performed within our Corporation. Only a limited number of Corporate personnel with the affirmative covenant on the non-disclosure have access to the log records acquired, and access these records only to be used upon request audit processes from authorized public institutions and organizations, and disclose such data to legally authorized persons. The activities of the persons visiting the websites owned and operated by our corporation are recorded in accordance with the Law and the relevant legislation for the purpose of ensuring to optimize the experience of our visitors.
14-DELETING, ANONIMIZATION OF PERSONAL DATA
Although the person data is in accordance with Article 7 of the LPPD and other relevant laws (Article 138 of the Turkish Penal Code), in case the reasons for processing no longer exist, the personal data shall then be deleted or destroyed by the data controller, either ex officio, based on the decision of the Corporation or upon request of the personal data subject. The provisions stipulated in other laws related to the deletion or destruction of the personal data shall be reserved. Our corporation, as techniques for deletion or destruction, employs corporate specialist technical personnel or a contracted specialist for the deletion of the personal data in a non-retrievable manner, physically destruction of the personal data and secure deletion on the current software. The techniques employed for the anonymization process are as follows; consolidation, derivation, masking, mixed techniques and the personal data lawfully processed can be anonymized by our corporation or affiliates in case the purposes requiring processing shall no longer exist. As the anonymized personal data shall not within the scope of the LPPD, it can be processed for the purposes such as research and statistics.
15- PUBLISHING AND STORING THE DOCUMENT
This Policy is stored by two different means as printed paper and electronic environment.
This Policy shall be reviewed in the intervals to be designated by the Corporation and updated, if required, within the principles determined in the law and regulation as well as in-house.
This Policy shall deemed to be inured upon being released on QDMS environment, which is the Document Management System of our corporation and the corporate website.