Personal Data Access, Information Security and Usage Policy
With this Personal Data Protection and Processing Policy (“Policy”), the issues to be taken into account in the implementation by Zigana Enerji ve Yatirim Anonim Sirketi (“Zigana Energy”, “Company”) and other group companies within its organization with respect to the protection and processing of the personal data.
The policy aims at conducting the activities which have been conducted by Zigana Enerji since its incorporation in line with the care that it has taken to the protection of the personal data in compliance with the principles and rules stipulated in the Personal Data Protection Law No 6698 (“Law”), mainly the compliance to the law, honesty and transparency principles at this time.
Within the organization of Zigana Energy, all kinds of technical and administrative measures necessary for the processing and protection of the personal data are taken in line with the principles regulated in the Law and the text of this Policy. Within this scope, the necessary trainings are organized to raise the awareness of the employees.
The necessary notifications and warnings are made to the personal data owners on this matter.
2. CATEGORIZATION OF PERSONAL DATA
2.1. Personal Data
Personal data is all kinds of information regarding identified or identifiable real persons. The protection of the personal data refers only to the data belonging to real persons. The data that belongs to our company and that does not contain any information about real persons are excluded from the scope of the personal data protection. Therefore, this Policy is not applicable to the other data belonging to Zigana Energy.
2.2. Sensitive Personal Data
The sensitive personal data is the data which, if learned, may cause discrimination against or victimization of the relevant person. The data regarding the individuals’ race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, their clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
As Zigana Energy and its group companies, special importance is attached to the processing and protection of the sensitive personal data. While the sensitive personal data is being processed, first of all whether the data processing conditions exist or not is determined, and the data processing activities are carried out after ensuring the existence of conditions for the compliance to the law. The sensitive personal data is processed directly in the cases required by the legislation in accordance with the measures stipulated by the Personal Data Protection Board, and with the explicit consent of the sensitive personal data owner in other cases.
3. PRINCIPLES FOR PROCESSING OF PERSONAL DATA
Zigana Energy and its group companies process the personal data in accordance with the principles specified below and closely follow up the amendments in the legislation and other areas.
3.1. Processing in compliance with the Law and Honesty Principles
Zigana Energy processes the personal data in compliance with the law and honesty principles. Within this framework, the personal data is processed by our Company with limited information to the extent required by the business operations.
3.2. Ensuring Personal Data Is Accurate and Up-to-Date When Necessary
Zigana Energy has taken the necessary technical and administrative measures in order to ensure the accuracy and up-to-dateness of the personal data throughout the processing period. It ensures that the data is corrected upon the application of the data owner or if detected.
3.3. Processing for Specific, Explicit, and Legitimate Purposes
Zigana Energy specifically and explicitly clarifies the purposes of processing the personal data and processes it for legitimate purposes in connection with its business operations.
3.4. Personal Data Related, Limited and Restricted to the Purpose for which it is processed
Zigana Energy processes the personal data to the extent that it is necessary for the achievement of the purposes of processing data in connection with the conditions for data processing.
3.5. Retention of Personal Data for the Period stipulated by the Legal Regulations and during the Commercial Requirements
Zigana Energy complies with the period stipulated in the relevant legislation or required by the purpose of processing data. If such a period has been determined, the personal data is deleted, destroyed or anonymized in the event that the period expires or the reasons requiring the processing of the personal data disappear.
4. OUR PURPOSES FOR PROCESSING PERSONAL DATA
The personal data processing purposes of Zigana Energy and its group companies within its organization are given below as examples:
– Fulfilling the wage payment process for the employees and arranging the mandatory notifications to the Public Authorities,
- Organizing trainings for the employees,
- Developing the personal files for the employees,
- Executing the financial transactions,
- Executing the marketing activities,
- Executing the logistics activities,
- Executing the contract processes,
– Ensuring the compliance with the legislation,
- Fulfilling the financial and accounting transactions,
- Arranging the documents for performing representation activities such as power of attorney, authorization certificate for the employees,
- Establishing the necessary communication with the banks,
- Giving written replies to the notifications received from the official authorities,
- Contacting with the persons or entities with whom the company has commercial relationships,
– Ensuring the security of the workplace,
– Fulfilling the obligations to the subcontractor’s employees,
- Carrying out the transactions regarding the contracts entered into,
– Fulfilling the legal obligations,
- Following up the workplace entry times of the employees,
– Fulfilling the obligations stipulated under the Law No. 6331,
- Keeping records in terms of the legal disputes that may arise,
– Keeping the records of internet access pursuant to the Law No. 5651,
– Developing the visitor records,
- Executing the strategic planning activities,
– Ensuring the security of physical environment
5. TRANSFER OF PERSONAL DATA
Zigana Energy and the companies within the organization of the group may transfer the personal data and sensitive personal data of the personal data owners to the third parties in the country, in accordance with the law, by taking the necessary security measures in line with the purposes of processing the personal data. Accordingly, the action is taken in compliance with the personal data transfer conditions regulated in the Article 8 of the Law.
5.1. Transfer of the Personal Data in the country
Zigana Energy acts in compliance with the data processing conditions in the data transfer activities carried out in the country in accordance with the Article 8 of the Law. Accordingly, no transfer is made to third parties without the explicit consent of the data owner. However, the transfer of the personal data to third parties in the country without the explicit consent of the data owner is possible in the presence of any of the cases where the explicit consent of the data owner will not be required within the framework of the exceptions stipulated in the Law.
5.2. Transfer of the Personal Data to Abroad
Zigana Energy and the group companies within its organization can transfer the Personal Data and Sensitive Personal Data of the Personal Data Owners to third parties in abroad by taking the necessary security measures for the purposes of processing the Personal Data. The Personal Data can be transferred by our Company to the foreign countries declared to have sufficient protection by the Personal Data Protection Board or, in the absence of sufficient protection, to the foreign countries where the data controllers in Turkey and the relevant foreign country undertake sufficient protection in written and where the permit of the PDP Board has been obtained.
5.3. Third Parties to whom the Personal Data can be transferred
Zigana Energy can transfer the personal data of the data owners to the categories of persons listed below within the framework of the principles set forth in the Article 3 of this Policy in accordance with Article 8 of the Law:
– Third Party Companies in cooperation,
– Official Authorities
– Workplace Doctor
– Contracted OSGB Companies
– Company Shareholders
– Group Companies
6. EXCEPTIONAL CASES WHERE EXPLICIT CONSENT IS NOT REQUIRED IN PROCESSING OF PERSONAL DATA
Even if there is no explicit consent of the personal data owner, the personal data can be processed by taking the necessary administrative and technical measures by the company in case of the following conditions.
– The personal data processing activity is clearly stipulated in the law,
– The explicit consent of the working data owner cannot be obtained due to the actual impossibility and it is mandatory to process the personal data,
– The personal data processing activity is directly related to the establishment or performance of a contract,
– It is mandatory to perform the personal data processing activities in order for the Company to fulfill its legal obligations,
– The personal data owner anonymize his/her personal data,
– It is mandatory to process the data for the establishment or protection of a right,
– It is mandatory to process the data for the legitimate interest of our Company.
7. OBLIGATIONS FOR PROTECTION AND PROCESSING OF PERSONAL DATA
7.1. Obligation to Register with the Registry of Data Controllers (VERBIS)
Zigana Energy and other companies within its organization shall fulfill the obligation to register with the Registry of Data Controllers, which is stipulated in the Law and the Regulation on the Registry of Data Controllers, to be established by the Personal Data Protection Board if they meet the stipulated criteria, and accordingly, share the following information with the public:
– Identity and address details of the data controller and the representative of the data controller as the contact person,
– Purpose for which personal data will be processed,
– Data categories,
– Recipient or recipient groups to whom personal data will be transferred,
– Personal data intended to be transferred to the foreign countries,
– Technical and administrative measures taken with respect to the personal data security,
– Maximum period required for the purpose for which the personal data is processed.
7.2. Obligation to Inform the Personal Data Owner
Zigana Energy shall share the following information with the data owners under the Article 10 of the Law during the acquisition of the personal data.
– Identity of the Data Controller,
– Purpose for which the personal data will be processed,
– To whom and for what purpose the personal data can be transferred,
– Method and legal reasons for collecting the personal data,
– Rights of the data owner.
7.3. Obligation to Comply with the Requests of the Personal Data Owner
The personal data owners have the right to request information regarding their own data under the Article 11 of the Law by applying in written or by other methods to be determined by the Personal Data Protection Board in the cases that they consider necessary.
In this context, the personal data owners have the following rights;
<![if !supportLists]>- <![endif]>To learn whether their personal data has been processed or not,
<![if !supportLists]>- <![endif]>To request relevant information if their personal data has been processed,
<![if !supportLists]>- <![endif]>To learn the purpose of processing their personal data and whether their personal data is used as suitable for the purpose,
<![if !supportLists]>- <![endif]>To know the third persons to whom the personal data has been transferred in the country or in abroad,
<![if !supportLists]>- <![endif]>To request the correction of the personal data if the personal data has been processed deficiently or incorrectly and to request the notification of the procedure that is performed within this scope to the third persons to whom the personal data has been transferred,
<![if !supportLists]>- <![endif]>To object to the occurrence of a result against the person by analyzing the processed personal data,
<![if !supportLists]>- <![endif]>To request the elimination of the damage if they are exposed to damage due to the processing of their personal data in contrary to the Law.
7.4. Obligation to Ensure the Security of Personal Data
Zigana Energy and other companies within the organization of the group take the necessary technical and administrative measures for ensuring the appropriate level of security in order to prevent the unlawful processing of the personal data that they are processing, to prevent unlawful access to the personal data, and to ensure that the such data is stored in compliance with the law, in accordance with the Article 12 of the Law.
In the event that the personal data owners notify their requests for their rights listed above to the address of Gayrettepe Mah. Gonenoglu Sk. No: 7 34349 Besiktas Istanbul / Turkey with wet signature or by other means specified in the legislation, their requests shall be concluded within 30 days at latest.
9. RIGHT TO COMPLAIN TO THE PERSONAL DATA PROTECTION BOARD
The personal data owner must be informed that he/she has the right to complain to the Personal Data Protection Board within 30 days if his/her application is rejected, if he/she considers the response insufficient or if the application is not responded to in time.
10. COMPLIANCE WITH THE POLICY
– The systems for deletion, destruction and anonymization of the personal data are updated.
– The necessary security systems have been established for the protection of the personal data. The system is kept up-to-date.
– The personal data owners are informed during the acquisition of the data, and the necessary information is provided if they request information.
- While establishing the policies for the protection and processing of the personal data, the actions are taken in compliance with the regulations stipulated in the Law and the relevant legislation.
11. ISSUANCE AND ENFORCEMENT OF THE POLICY
The Policy, which has been issued and entered into force by Zigana Energy, is published on the Company's website (www.ziganaenerji.com) and is made available to the relevant persons upon request. The policy is regularly audited and, if deemed necessary, updated by taking into account the developments in the legislation.