Privacy Policy

Target Audience: Individuals whose Personal Data is processed by POWER TK MAKİNA SERVİS SANAYİ VE TİCARET ANONİM ŞİRKETİ, the Data Controller, and who are defined by category under this Privacy Policy

Prepared by: POWER TK MAKİNA SERVİS SANAYİ VE TİCARET ANONİM ŞİRKETİ

This document may not be reproduced, distributed, or used for any commercial purpose without the written consent of POWER TK MAKİNA SERVİS SANAYİ VE TİCARET ANONİM ŞİRKETİ.
 INTRODUCTION

 

Within the scope of the Personal Data Protection Law No. 6698 (“Law”), the protection of personal data is of the utmost importance to POWER TK MAKİNA SERVİS SANAYİ VE TİCARET ANONİM ŞİRKETİ (“Data Controller” or “Company”) registered with the Istanbul Trade Registry under registration number 858936-0 and located at Hüseyinli Village, Beykoz Street No. 155/1, Çekmeköy, ISTANBUL.

 

This Privacy Policy sets forth the fundamental principles and guidelines established under the Personal Data Protection Law, and presents all processes and measures related to the protection, processing, transfer, and destruction of personal data, along with their details, with the utmost transparency and care.

 

  1. DEFINITIONS

 

COMPANY

refers to POWER TK MAKİNA SERVİS SANAYİ VE TİCARET ANONİM ŞİRKETİ.

EXPLICIT CONSENT

It refers to consent that is informed, relates to a specific matter, and is given of one’s own free will.

ANONYMIZATION

This refers to the process of rendering personal data incapable of being linked to an identified or identifiable natural person, even when combined with other data.

TO DELETE

Refers to the process of rendering personal data inaccessible and unusable in any way by the relevant users who process the data.

TO DESTROY

This refers to the process of rendering personal data inaccessible, irrecoverable and unusable by anyone in any way.

DATA SUBJECT (RELEVANT PERSON)

The data subject refers to the natural person whose personal data is being processed.

PROCESSING OF PERSONAL DATA

It refers to any operation performed on personal data, such as the collection, recording, storage, retention, alteration, organisation, disclosure, transfer, acquisition, making available, classification or restriction of use of such data, whether carried out wholly or partly by automated means or by non-automated means provided that it forms part of a filing system.

DATA CONTROLLER

This refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

DATA PROCESSOR

This refers to a natural or legal person who processes Personal Data on behalf of the Data Controller, acting under the authority granted by the Data Controller.

DATA RECORDING SYSTEM

This refers to any record-keeping system in which personal data is processed in accordance with specific criteria, and any environment in which such systems are located.

ONLINE PURCHASING PLATFORM

An online purchasing platform where natural or legal persons who have a commercial relationship with the Company or who purchase goods and/or services as part of their professional activities can create a user account and carry out the relevant transactions via the Company’s website.

DESTROY

This refers to the erasure, destruction or anonymisation of personal data.

PERIODIC DISPOSAL

This refers to the process of erasure, destruction or anonymisation to be carried out ex officio by the Data Controller at six-monthly intervals, should all the conditions for the processing of personal data as set out in the Law cease to apply.

LOG

This refers to the transaction logs of all users regarding the access to and retrieval of information from the servers on which Personal Data is stored by the Data Controller or persons or organisations authorised by the Data Controller.

IP ADDRESS

It refers to a unique identifier that determines which service provider or network the device used to access the internet is connected to, and from which location it is connected.

AUTHORITY

refers to the Personal Data Protection Authority.

BOARD

refers to the Personal Data Protection Board.

LAW

refers to the Law on the Protection of Personal Data No. 6698.

REGULATION

This refers to the Regulation on the Erasure, Destruction or Anonymisation of Personal Data, published in the Official Gazette dated 28 October 2017 and numbered 30224.

 

  1. PURPOSE OF THE PRIVACY POLICY

 

This Privacy Policy has been drawn up by the Company, in its capacity as Data Controller, in accordance with and in line with the principles and guidelines set out in the Law and relevant legislation, regarding the protection, processing, transfer, erasure, destruction, and anonymisation of Personal Data, to inform Data Subjects, ensure data security, specify which technical and organisational measures will be taken and how, describe how the system will operate, and to clarify and regulate rights, obligations and similar matters.

 

  1. SCOPE OF THE PRIVACY POLICY

 

PERSONAL DATA CATEGORISATION

CATEGORISATION EXPLANATION

IDENTITY DETAILS

First and last name, Turkish ID number, place of birth, date of birth, gender, signature, tax ID number, Social Security number, etc.

CONTACT DETAILS

Information such as phone number, address, email, fax number, etc.

PHYSICAL PREMISES SECURITY INFORMATION

Records and data related to entries and exits at the company headquarters or company-affiliated premises, records of the duration of stay, camera footage, records taken at security checkpoints, and similar records

VISUAL AND AUDIO INFORMATION

Data related to camera footage, photographs, and audio recordings taken within the Company’s physical premises, excluding records falling under the scope of physical premises security information

CUSTOMER TRANSACTION DATA

Records related to the purchase and use of products or services through the company’s website or stores, including information such as customer number, contract number, transaction date, account number, etc.

FINANCIAL INFORMATION

Any financial information, documents, and records created in connection with the nature and purpose of the relationship established by the Company with the data subject, as well as data processed therein, including bank account numbers, IBAN numbers, income information, receivables and payables information, etc.

LEGAL PROCEDURE INFORMATION

All data processed in connection with the identification, monitoring and execution of legal proceedings and the Company’s legal obligations

PERSONAL DETAILS

All information that must be legally documented under the employment contract entered into with the employee and regarding job applicants, and that may serve as the basis for the personnel file

EDUCATION DATA

Information shared by employees and job applicants via forms or other means during the job application process, as well as data such as diplomas, transcripts, certificates, etc., included in their resumes or shared with the Company as required by the process

PROFESSIONAL EXPERIENCE DETAILS

Information that job applicants provide through forms or other means during the application process, as well as data in their resumes that reflects their professional experience and references

TRANSACTION SECURITY DATA

Information such as IP addresses, access logs, the start and end times of the service provided, the type of service used, the amount of data transferred, etc.

REQUEST/COMPLAINT ADMINISTRATION INFORMATION

Any requests, complaints, comments, and suggestions directed to the Company in its capacity as the Data Controller

 

This Privacy Policy has been prepared for natural persons whose Personal Data is processed by the Company, whether through automated means or non-automated means, provided that such processing forms part of a data recording system.

 

  1. PERSONAL DATA TO BE COLLECTED AND PROCESSED AND PURPOSES

 

For the purpose of ensuring the security of the Company and workplaces affiliated with the Company; monitoring and execution of processes that result in or may result in legal, technical, and administrative consequences; planning, conducting, and execution of sales and after-sales services; planning, conducting, and execution of human resources organization and operations; planning, conducting, and execution of collection and procurement transactions within goods/service procurement or provision processes, including the issuance of invoices; creation of employees’ personnel files; determination of the employee’s capacity to perform the requirements and expectations of the job with the same level of efficiency and continuity; planning, conducting, and execution of machinery and equipment usage; arrangement and monitoring of travel planning; provision of private health insurance; protection of occupational health and safety rights; protection of legal rights; ensuring that Company internet, shared network, and computer usage comply with applicable laws; maintenance and monitoring of financial and accounting records; responding to questions, requests, and complaints and monitoring subsequent processes; monitoring service quality; planning, conducting, and execution of logistics activities; management and security of internet access-related processes; carrying out the necessary work by our relevant business units for the realization of the commercial and/or operational activities conducted by our Company and execution of the related business processes; visiting the Company website and creating an account through the online purchasing platform; sharing information during communications/correspondence conducted with the Company via telephone or e-mail; or providing information to the Company by completing forms for any reason, the Personal Data categorized below may be processed.

 

Since data anonymized under Articles 3 and 7 of the Law is not considered personal data in accordance with the relevant provisions of the Law, the provisions of this Privacy Policy shall not apply to processing activities related to such data.

 

  1. CATEGORIZATION OF RELEVANT PERSONS

 

RELEVANT PERSON

DESCRIPTION

CUSTOMER

Refers to natural or legal persons to whom goods or services are provided within the scope of a contractual or non-contractual relationship with the Company.

POTENTIAL CUSTOMER

This term refers to any natural or legal person who, whether in a contractual or non-contractual relationship with the Company, is likely to be provided with goods or services, engages in conduct aimed at becoming a customer, or makes a request or offer to the Company by any means.

BUSINESS PARTNERS

Refers to natural or legal persons with whom the Company has established a business partnership in line with its commercial objectives and activities.

SUPPLIERS

This term refers to natural or legal persons who, whether under a contractual or non-contractual relationship with the Company, provide goods or services to the Company in accordance with the Company’s requests.

EMPLOYEE/INTERN

Refers to individuals who provide services under the service agreement entered into with the company.

JOB APPLICANT

Refers to individuals who have applied for a job within the company.

SHAREHOLDERS (PARTNERS)

Refers to shareholders who hold shares in the Company.

OFFICIALS

This refers to individuals authorized by the Company’s decision-making bodies to represent the Company.

VISITORS

Refers to natural persons who visit the Company and all of its affiliated business locations or the Company’s official website.

BUSINESS PARTNERS/SUPPLIERS’ EMPLOYEES, SHAREHOLDERS, AND OFFICIALS

This refers to natural persons, including employees, shareholders, and authorized representatives of entities and organizations that have any type of contractual or non-contractual relationship with the Company (such as business partners, suppliers, and other entities and organizations, without limitation).

THIRD PARTIES

This refers to all natural persons other than the categories of Data Subjects included in this classification.

 

Data subject categories are classified for informational purposes only. The fact that an individual does not fall into any of these categories does not negate the rights they possess as a data subject under the Law.

 

  1. METHOD OF COLLECTING AND PROCESSING PERSONAL DATA AND LEGAL BASES

 

The Company may collect and process Personal Data in physical or electronic formats.

 

Personal Data collected in a physical setting, including contracts signed with the Company for any reason, various forms filled out for any reason during visits to the Company’s headquarters or other Company-affiliated business locations, or filled out for any reason with the intent of physically sending them to the Company (even if the individual is not physically present at those locations) and subsequently sent to the Company via various means, information shared with the Company for the purpose of a job application (such as resumes, forms, surveys, tests, etc.), information shared with the Company to facilitate or conclude contractual or non-contractual relationships with the Company, and information collected through face-to-face meetings with Data Subjects in a physical setting or by similar means may be collected and processed.

 

Personal Data collected in physical and electronic formats may be recorded in the Company’s database and processed through automated or non-automated means.

 

Within the scope of commercial and non-commercial, and contractual and non-contractual relationships with the Company, Personal Data may be collected and processed in accordance with Articles 5 and 6 of Law No. 6698, for the purposes and under the conditions detailed below.

 

Explicit consent will be obtained through forms available at the Company’s headquarters or affiliated business locations in exchange for a handwritten signature, or electronically by checking the consent/approval checkboxes on the website if the privacy notice is deemed appropriate, or through other automated and/or non-automated means.

 

  1. THE FUNDAMENTAL PRINCIPLES SET FORTH IN THE LEGISLATION GOVERNING THE COLLECTION AND PROCESSING OF PERSONAL DATA

 

  1. Compliance with the law and the principle of good faith

In accordance with this principle, the Company acts in a transparent and sensitive manner when collecting and processing Personal Data, just as it does in all other activities and transactions; it operates in compliance with the law and the constitution, within the framework required by the principle of good faith, and based on a relationship of trust.

  1. Accuracy and, where necessary, timeliness

The company takes all necessary measures to ensure that the Personal Data it collects and processes is accurate and up-to-date, closely monitoring this process with great care and diligence, and establishing the systems required to implement these measures.

  1. Processing for specific, explicit, and legitimate purposes

The company collects and processes personal data for legitimate purposes, provided that such collection and processing are necessary in the context of its relationships with data subjects, and does so in a clear and unambiguous manner.

  1. Being relevant, limited and proportionate to the purpose for which they are processed

The Company collects and processes Personal Data in a limited and proportionate manner, consistent with the purposes of the business. The Company avoids collecting and processing Personal Data that is not necessary for business or relationship purposes.

  1. Retained for the period specified in the relevant legislation or as necessary for the purpose for which they are processed

The Company retains Personal Data in accordance with any retention period specified in the Law or relevant legislation; where no such period is specified in the Law or relevant legislation, it retains such data for as long as necessary to fulfill the purpose for which it was collected and processed. Except for these matters, the Company does not retain personal data on the basis of potential future use, unless it has a legal right or obligation to do so. The Company destroys Personal Data in accordance with the law, regulations, and the principle of good faith through designated methods following the expiration of the specified retention periods. Such destruction may take the form of deletion, erasure, or anonymization.

 

  1. CONDITIONS REGARDING THE COLLECTION AND PROCESSING OF PERSONAL DATA

 

In accordance with the “Conditions for the Processing of Personal Data” as regulated by Law No. 6698, the Company processes Personal Data only with the explicit consent of the Data Subject, except for the exceptions provided for in the law. Personal Data may be processed even without the Data Subject’s explicit consent if the following conditions are met:

  1. Explicitly provided for by law,
  2. Where it is necessary to protect the life or physical integrity of the person or of another person and the person is unable to express consent due to actual impossibility, or their consent is not legally valid,
  3. Provided that it is directly related to the conclusion or performance of a contract, the processing of Personal Data belonging to the parties to the contract is necessary,
  4. It is necessary for the Data Controller to fulfill its legal obligations,
  5. The data has been made public by the data subject themselves,
  6. Data processing is necessary for the establishment, exercise, or defense of a legal claim,
  7. Provided that it does not infringe upon the data subject’s fundamental rights and freedoms, the processing of data is necessary for the legitimate interests of the Data Controller.

 

The processing of Special Category Personal Data is also of great importance to the Company, and this matter is handled with the utmost care. Special Category Personal Data may be processed provided that the measures specified by the Board are implemented and the Data Subject’s explicit consent is obtained. In the absence of the Data Subject’s explicit consent:

– The data subject’s Personal Data of a sensitive nature, other than that relating to health and sexual life, may be processed in the exceptional cases provided for by law,

– Personal data of a sensitive nature concerning an individual’s health and sexual life may be processed by persons subject to a duty of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, providing preventive medicine, conducting medical diagnosis, treatment, and care services, and planning and managing health services and their financing.

 

  1. TRANSFER OF PERSONAL DATA

The Company may transfer personal data within Turkey or abroad, provided that the conditions for such transfer are met, in accordance with Articles 8 and 9 of the Law and the additional regulations established by the Personal Data Protection Board. The transfer of personal data to third parties within the country is carried out by the Company provided that at least one of the data processing conditions set forth in Articles 5 and 6 of the Law and explained in this Privacy Policy is met, and provided that the fundamental principles regarding data processing conditions are complied with. On the Company’s online purchasing platform, personal data may be processed for the purposes of providing services, managing order processes, ensuring system security, processing payments, monitoring performance, and improving services.

 

Limited to the purposes specified above, within the scope of Articles 8 and 9 of the Law, based on the legal grounds set forth in the Law and, where necessary, with the explicit consent of the data subject, personal data may be transferred to our business partners, shareholders, group companies, suppliers, legally authorized public institutions and organizations, and authorized private individuals, both within and outside Turkey, including Perkins and its affiliates located abroad. Transfers of personal data abroad may be made to countries, sectors, or international organizations for which the Personal Data Protection Board has issued an adequacy decision; in the absence of an adequacy decision, the transfer will be carried out by providing the appropriate safeguards prescribed by the Law (such as a standard contract, a letter of undertaking, or other mechanisms determined by the Board). This is without prejudice to the cases of incidental transfer provided for in the Law. The transferred personal data will be processed in accordance with applicable legislation and limited to the specified purposes.

 

Your Personal Data will be stored in secure environments accessible only to authorized personnel using unique passwords and usernames that are periodically changed for security purposes; provided that such data may be transferred and made accessible, subject to Articles 8 and 9 of the Law and relevant legislation, and provided that appropriate technical and administrative measures are taken.

 

  1. STORAGE AND DISPOSAL OF PERSONAL DATA

 

In accordance with Article 7 of the Law, even if personal data has been processed lawfully, the Company shall delete, destroy, or anonymize such data on its own initiative or at the request of the data subject, in accordance with the guidelines published by the Authority, once the grounds for processing no longer exist.

Personal Data may be retained by the Company for as long as the purpose remains valid. The Company will destroy Personal Data during the first periodic destruction cycle following the date on which the obligation to destroy arises, or within 30 (thirty) days if the obligation to destroy arises upon the Data Subject’s request. Periodic destruction will be conducted every 6 (six) months starting from the date the Regulation enters into force, and logs of the operations performed will be retained for 3 (three) years.

 

  1. RETENTION AND DISPOSAL PERIODS

 

| SOURCE OF PERSONAL DATA | RETENTION PERIOD | DISPOSAL PERIOD |
| --- | --- | --- |
| CONTRACTS | 10 years from the expiration of the contract | During the first scheduled disposal period following the expiration of the retention period |
| CAMERA RECORDS | 1 year | During the first scheduled disposal period following the expiration of the retention period |
| DATA RELATED TO PAYROLL RECORDS RETAINED WITHIN THE SCOPE OF LABOR CODE | For a period of 5 years following the termination of the employment relationship | During the first scheduled disposal period following the expiration of the retention period |
| DATA OBTAINED THROUGH THE MONITORING OF EMPLOYEES BY THE COMPANY DURING THEIR PERIOD OF EMPLOYMENT, OR THROUGH ACCESS TO COMPANY TOOLS AND EQUIPMENT SUCH AS COMPANY COMPUTERS AND E-MAIL ADDRESSES DUE TO THE TERMINATION OF EMPLOYMENT CONTRACTS | For a period of 2 years following the termination of the employment relationship | During the first scheduled disposal period following the expiration of the retention period |
| DATA RETAINED WITHIN THE SCOPE OF LABOR LAW | For a period of 10 years following the termination of the employment relationship | During the first scheduled disposal period following the expiration of the retention period |
| DATA STORED WITHIN THE SCOPE OF SGK REGULATIONS | For a period of 10 years following the termination of the employment relationship | During the first scheduled disposal period following the expiration of the retention period |
| DATA STORED WITHIN THE SCOPE OF OCCUPATIONAL SAFETY AND HEALTH REGULATIONS | For a period of 15 years following the termination of the employment relationship | During the first scheduled disposal period following the expiration of the retention period |
| INFORMATION REGARDING COMPANY PARTNERS AND OFFICERS | 10 years | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA RELATING TO JOB APPLICANTS | 1 year (If no job interview has taken place, 6 months) | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA PROCESSED IN CONNECTION WITH SENDING A RESPONSE TO THE EMAIL ADDRESS OF A JOB APPLICANT WHO WAS NOT SELECTED FOR HIRING | 2 years | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA PROCESSED IN CONNECTION WITH THE OFFER SENT TO THE EMAIL ADDRESS OF THE JOB CANDIDATE WHO HAS BEEN DEEMED SUITABLE FOR HIRING | Working period | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA PROCESSED IN ACCORDANCE WITH GENERAL ASSEMBLY PROCEDURES | 10 years | During the first scheduled disposal period following the expiration of the retention period |
| CONSENT RECORDS RELATED TO COMMERCIAL ELECTRONIC MESSAGES SENT TO BUYERS’ ELECTRONIC CONTACT ADDRESSES FOR THE PURPOSE OF PROMOTING, MARKETING, ADVERTISING, OR INCREASING AWARENESS OF GOODS AND SERVICES | 1 year | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA RELATED TO TAX RECORDS AND PERSONAL DATA PROCESSED IN CONJUNCTION WITH DOCUMENTS REQUIRED TO BE KEPT UNDER THE TAX PROCEDURE LAW | 5 years | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA RELATING TO VISITORS | 2 years | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA PROCESSED DUE TO THE MANDATORY NATURE OF AFTER-SALES SERVICE | 10 years | During the first scheduled disposal period following the expiration of the retention period |
| CUSTOMER TRANSACTION INFORMATION (CALL RECORDS RELATED TO CUSTOMERS’ REQUESTS, COMPLAINTS, AND SUGGESTIONS) | 2 years | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA RELATING TO POTENTIAL CUSTOMERS | 1 year | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA SUCH AS INFORMATION, DOCUMENTS, FINANCIAL STATEMENTS, ETC., RELATED TO ENTRIES IN COMMERCIAL RECORDS | 10 years | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA AND VOICE RECORDINGS RELATED TO TELEPHONE RECORDS | 1 year | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA RELATING TO CUSTOMERS, BUSINESS PARTNERS, AND SUPPLIERS | For a period of 10 years following the termination of the business relationship | During the first scheduled disposal period following the expiration of the retention period |
| PERSONAL DATA RELATED TO LOG RECORDS | For a period of 2 years following the termination of the business relationship | During the first scheduled disposal period following the expiration of the retention period |
| RECORDS RELATING TO EMPLOYEE ACCESS RESTRICTIONS | For a period of 10 years following the termination of the business relationship | During the first scheduled disposal period following the expiration of the retention period |
| WHEN PERSONAL DATA CONSTITUTES A CRIME OR IS THE SUBJECT OF A CRIME UNDER THE LAW | During the statute of limitations period | During the first scheduled disposal period following the expiration of the retention period |

 

Based on the results of periodic checks and assessments conducted every six months, the Company may, on its own initiative, carry out the process of deletion, destruction, or anonymization.

 

In cases where specific retention periods for certain Personal Data are prescribed by law and relevant regulations, the Company will comply with these periods.

 

  1. RECORDING MEDIA

 

Our company stores all personal data subject to data processing activities under the Law in the environments listed below, where such personal data is processed either fully or partially by automated means or by non-automated means provided that it forms part of a data recording system.

– Electronic Environments: Servers (databases, email, business unit-specific e-folders) on the Company’s servers and network systems, in applications developed in-house or obtained as a service from third parties, and in cloud systems, Company-owned mobile devices (cell phones, computers) and the website created by contracted companies as part of the camera recording infrastructure.

– Non-Electronic Environments: Paper, manual data recording systems (visitor logbook), locked cabinets, and the archive room.

 

  1. PRACTICES AIMED AT DESTRUCTION

 

Personal Data for which the retention periods have expired will be deleted, destroyed, or anonymized by the Company.

The Company will maintain records of all operations related to the erasure, destruction, or anonymization of Personal Data. These records will be retained for at least 3 (three) years, except where other legal obligations apply.

 

  1. LEGAL EXPLANATION REGARDING THE OBLIGATION TO STORE, DELETE, DESTROY, AND ANONYMIZE PERSONAL DATA

 

As provided for in Article 138 of the Turkish Penal Code and Article 7 of the Law, personal data will be erased, destroyed, or anonymized at the Company’s discretion or upon the Data Subject’s request, even if it was processed in accordance with the relevant legal provisions, once the grounds for its processing no longer exist. In this context, our Company fulfills its relevant obligation using the methods described below. If a request is received from the data subject in this regard, an investigation is conducted, and whichever of the following methods – deletion, destruction, or anonymization – is deemed most appropriate is selected; the process is carried out, and the data subject is informed.

 

  1. TECHNIQUES FOR THE ERASURE, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

 

The processes of erasing, destroying, and anonymizing personal data are carried out in accordance with the techniques set forth in the Regulation and in the relevant guidelines published by the Personal Data Protection Board.

 

  1. TECHNIQUES FOR THE ERASURE AND DESTRUCTION OF PERSONAL DATA

 

Although our Company processes personal data in accordance with the relevant legal provisions, it may delete or destroy such data at its own discretion or upon the request of the Data Subject if the grounds for processing no longer exist. The most commonly used deletion or destruction techniques by our Company are listed below:

(i) Physical destruction: Personal data may also be processed by non-automated means, provided it forms part of a data recording system. When such data is deleted or destroyed, a system is implemented to physically destroy the personal data in a manner that prevents its subsequent use.

(ii) Secure deletion via software: When data processed through fully or partially automated means and stored in digital environments is deleted or destroyed, methods are used to ensure that the data is permanently erased from the relevant software so that it cannot be recovered.

(iii) Secure deletion by a professional: In certain cases, the Company may engage a specialist to delete personal data on its behalf. In such cases, the personal data is securely deleted or destroyed by the specialist in a manner that prevents its recovery.

 

  1. TECHNIQUES FOR ANONYMIZING PERSONAL DATA

 

The anonymization of personal data refers to the process of rendering personal data incapable of being associated with any identified or identifiable natural person, even when combined with other data. Our company may anonymize personal data once the reasons requiring its processing in accordance with the law no longer apply. In accordance with Article 28 of the Law, personal data that has been anonymized may be processed for purposes such as research, planning, and statistics. Such processing falls outside the scope of the Law, and the Data Subject’s explicit consent will not be required. The anonymization techniques most commonly used by our Company are listed below.

(i) Masking: Data masking is a method of anonymizing personal data by removing its key identifying information from the dataset.

(ii) Consolidation: Large amounts of data are aggregated, and personal data is thereby rendered unidentifiable.

(iii) Data derivation: The data derivation method is used to create a more general form of content from personal data, ensuring that the personal data can no longer be linked to any specific individual.

(iv) Data obfuscation: The data obfuscation method involves scrambling the values within a dataset to sever the link between the values and the individuals.

 

  1. RIGHTS OF THE DATA SUBJECT

 

The rights of the data subject regarding Personal Data processed by the Company, as set forth in Article 11 of the Law, are listed below:

  • The right to inquire whether Personal Data has been processed,
  • The right to request information regarding the processing of Personal Data if it has been processed,
  • The right to learn the purpose of the processing of Personal Data and whether it is being used in accordance with that purpose,
  • The right to know the Third Parties to whom Personal Data has been transferred, whether within the country or abroad,
  • The right to request the correction of Personal Data if it has been processed inaccurately or incompletely,
  • The right to request the erasure or destruction of Personal Data under Article 7 of the Law,
  • The right to request the correction of Personal Data that has been processed inaccurately or incompletely, and/or to have Third Parties to whom the Personal Data has been transferred notified of the actions taken to correct or delete such data,
  • The right to claim compensation for damages suffered as a result of the unlawful processing of Personal Data.

 

The Data Subject may not exercise the rights listed above in the cases set forth in Article 28(1) of the Law and specified below:

  • The processing of personal data by natural persons solely in connection with activities concerning themselves or family members living in the same household, provided that such data is not disclosed to third parties and that obligations regarding data security are complied with,
  • The processing of personal data for purposes such as research, planning, and statistics by anonymizing it through official statistics,
  • The processing of personal data for artistic, historical, literary, or scientific purposes, or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public safety, public order, economic security, the privacy of private life, or personal rights, nor does it constitute a criminal offense,
  • The processing of personal data in the context of preventive, protective, and intelligence activities carried out by public institutions and organizations that have been granted duties and authority by law to ensure national defense, national security, public safety, public order, or economic security,
  • The processing of personal data by judicial authorities or enforcement authorities in connection with investigations, prosecutions, trials, or enforcement proceedings.

 

The data subject’s rights set forth above may not be exercised in the cases specified below, as provided for under Article 28(2) of the Law:

  • The processing of personal data is necessary for the prevention of crime or for a criminal investigation,
  • Processing of Personal Data that has been made public by the data subject,
  • The processing of personal data by public institutions and organizations, as well as professional associations with the status of public institutions, acting within the authority granted by law, where such processing is necessary for the performance of their supervisory or regulatory duties, or for disciplinary investigations or proceedings,
  • The processing of personal data is necessary to protect the State’s economic and financial interests in relation to budgetary, tax, and financial matters.

 

Data subjects may submit requests regarding the rights granted to them under the Law and relevant legislation in writing and in the Turkish language: by personally delivering a physically signed document to the Company’s address; by sending a document through a notary public or by certified mail; or by electronic means to the Company’s registered email address, via a registered electronic mail (“KEP”) address, by using a secure electronic signature or mobile signature, or from the email address previously notified by the Data Subject to the Data Controller and registered in the Data Controller’s system.

 

In addition, the information that must be included in requests submitted to the Company by Data Subjects under the Communiqué on the Procedures and Principles for Submitting Requests to the Data Controller is listed below:

  • First name, last name, and, if the application is in writing, a signature,
  • Turkish ID number for citizens of the Republic of Turkey; for foreigners, nationality, passport number, or ID number (if available),
  • Residence or business address for service of process,
  • If available, the email address, phone number, and fax number to be used for notifications,
  • Subject of the request,
  • Information and documents related to the matter.

 

The Company will process requests submitted by Data Subjects as soon as possible, depending on the nature of the request, and within a maximum of 30 (thirty) days. For a Third Party to submit a request on behalf of a Data Subject, there must be a special power of attorney issued by a notary public in the name of the person submitting the request.

 

The general rule for processing and resolving requests from data subjects is that the Company does not charge a fee; however, if the Board establishes a fee schedule, the Company may charge fees in accordance with that schedule. If the request arises from an error on the part of the Data Controller, the fee collected will be refunded to the data subject.

 

The Company may request information from the Data Subject to determine whether the applicant is the Data Subject, and may ask the Data Subject questions regarding the application to clarify the matters specified therein.

 

  1. MEASURES FOR THE PROTECTION OF PERSONAL DATA

 

For the purpose of protecting and securing personal data, Article 12(1) of the Law mandates the implementation of necessary technical and administrative measures. In this context, the Company takes all necessary technical and administrative measures to prevent the unlawful processing of Personal Data, prevent unauthorized access, and ensure that an appropriate level of security is established to safeguard the data in a secure environment.

 

It is of great importance to the Company that the measures listed below be implemented and that the necessary audits regarding their operation be conducted and/or commissioned. The Company is establishing the necessary systems to implement technical and administrative measures related to these matters and to ensure their implementation and monitoring.

 

If Personal Data belonging to the Data Subject is obtained by others through unlawful means, the Company will notify the Data Subject and the Board of this matter as soon as possible.

 

  1. Technical Measures
  • The Company must ensure that its relevant personnel receive the necessary training regarding the Law and hire experienced staff for matters requiring specialized expertise,
  • Ensuring that the physical locations where personal data is stored are kept under lock and key, with access granted only to authorized personnel using a unique password, and that these passwords are changed periodically,
  • Installation of a network gateway to prevent attacks on personal data via electronic channels and to block access to websites that could pose security risks,
  • Monitoring and updating software and program licenses; conducting all necessary organizational, research, and development activities to enhance efficiency; performing audits; and conducting regular checks to prevent potential security vulnerabilities in software,
  • Establishing an authorization matrix and controls to ensure access to and the security of personal data,
  • Maintaining log records that track the activities of authorized and designated personnel who have access to personal data,
  • Performing regular backups via a separate server and from outside the network, against the event that personal data is deleted or becomes inaccessible for any reason, whether due to the Company or external factors,
  • To ensure the continuity, effectiveness, and oversight of technical measures and to carry out the necessary work to enhance these measures, matters related to such measures must be reported to the personnel authorized and assigned by the Company,
  • Conducting compliance audits for all stages, from the collection to the deletion of personal data,
  • Protecting personal data records by encrypting them using an internationally recognized encryption program,
  • Developing the necessary programs and software to ensure that personal data can be securely collected in an electronic environment,
  • Revocation of access permissions to personal data for employees who have changed roles or left the company,
  • Backing up personal data and ensuring the security of the backed-up data,
  • Sensitive personal data sent via email must be sent in an encrypted format using KEP or a corporate email account,
  • The use of secure encryption and cryptographic keys for Special Category Personal Data and their management by different departments,
  • Conducting penetration tests and using intrusion detection and prevention systems as part of cybersecurity measures,
  • Using up-to-date antivirus software, implementing data masking when necessary, and maintaining firewalls,
  • Encrypted transfer of Special Category Personal Data transmitted via USB drives, CDs, or DVDs,
  • Use of data loss prevention software.

 

  1. Administrative Measures
  • The Company must ensure that its relevant personnel receive the necessary training regarding the Law and hire experienced staff for matters requiring specialized expertise,
  • Ensuring that access to personal data is restricted to individuals who have been properly authorized by the Company, and implementing the necessary monitoring and controls in this regard,
  • Ensuring compliance with the conditions for the processing of personal data and conducting audits to verify such compliance, specifically for each department and unit,
  • Signing a framework agreement with the parties with whom personal data is shared, or adding clear and explicit provisions regarding this matter to the relevant agreements,
  • In contracts, documents, and policies entered into with employees, clear provisions must be included stating that personal data must not be processed, disclosed, or used in violation of the provisions of the Law and relevant legislation, and that these obligations continue even after the employee leaves the Company,
  • Ensuring that the necessary security measures are taken regarding access to and from physical locations containing personal data, and ensuring the security of these locations against external risks (such as fire, flooding, etc.),
  • Ensuring the security of all systems containing personal data,
  • Ensuring that data processors are audited and made aware of data security requirements at regular intervals,
  • Implementation of protocols and procedures for the security of Special Category Personal Data.

 

  1. OTHER MATTERS AND AMENDMENTS TO THE PRIVACY POLICY

 

This Privacy Policy shall take precedence over the Law and relevant regulations, as well as all other matters pertaining to the protection and processing of personal data.

 

In the event of any conflict between this Privacy Policy and Law No. 6698 and all relevant legislation, the provisions of the legislation shall prevail.

 

The Company reserves the right to update this Privacy Policy in light of changing legal regulations and in compliance with applicable laws. Any changes will be published as soon as possible and will take effect immediately.

 

  1. EFFECTIVENESS

 

This Privacy Policy shall enter into force upon publication on the Company’s website at www.powertk.com.tr and shall be made available to the public.