ISOTEC ENERGY JOINT STOCK COMPANY
WITHIN THE SCOPE OF THE PERSONAL DATA PROTECTION LAW
PRIVACY POLICY
This Privacy Policy has been prepared by İsotec Enerji Anonim Şirketi (the “Company”) within the framework of the Personal Data Protection Law No. 6698. It determines the terms and conditions regarding the processing and transfer by the Company of personal data that users, visitors, members and other persons (“User” or “Contact Person”) share with the Company or generate while using the content on the Company’s official website, www.isotec.com.tr (the “Website”).
Your personal data is processed by our Company as the data controller in accordance with the Law on the Protection of Personal Data and the explanations below. Anonymized data is not considered personal data under the Law, and processing activities related to such data are carried out without being bound by the provisions of the Privacy Policy.
- Purposes of Processing Personal Data:
Your Personal Data defined in the Information Text is processed limited to the purposes specified in the Personal Data Processing Policy of Isotec Energy Inc., which is shared on the website of the Company at www.isotec.com.tr, for the purposes of improving and developing the services offered to the User on the Website; informing the User who submits their requests and complaints and being able to contact the User; providing higher quality and personalized service to the User; informing and contacting for marketing purposes, provided that it is shared by the User in the relevant sections of the Website and consent is given; eliminating the security vulnerabilities of the Website in the fastest way possible, improving the User experience, eliminating the errors occurring on the Website, interpreting the User data, planning and implementing marketing policies; planning and implementing human resources policies; carrying out reporting and business development activities, creating a database; ensuring the functioning of the corporate policies of Isotec Energy Inc.
In case one of the conditions sought in the second paragraph of Article 5 and the third paragraph of Article 6 of the Law is met, personal data may be processed by the Company without the explicit consent of the User.
- Transfer of Personal Data:
The Company may share personal data with third parties from which it receives services (such as call centers, work safety, security, health, law offices, service providers, hosting service providers) for the purposes listed above and those specified in the Personal Data Processing Policy of Isotec Energy Inc., which is shared at www.isotec.com.tr. The User accepts that his/her personal data may be stored by the Company on servers located in any location belonging to a third party in accordance with the Law, and that Isotec Energy Inc. has fulfilled its obligation to inform in this regard, and consents to this.
The Company may transfer personal data to third parties without seeking the explicit consent of the User, provided that one of the conditions sought in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Law is met and, if necessary, by ensuring compliance with paragraph 2 of Article 9 of the Law.
- Processed Personal Data:
Depending on the User's access to the Website and the transactions he/she makes on the Website, the Company may process:
- Identity Information,
- In-site Movement Information,
- IP Information,
- User Information,
- Legal Transaction Information,
- Contact and Address Information,
- Request/Complaint Management Information, and personal data that may be required for İsotec Enerji Anonim Şirketi to operate the Website in accordance with the Personal Data Protection Law.
- Cookies:
Cookies are small information files sent to users by servers. In this context, the Company stores certain information in the form of text files on the User's computer, phone, etc. for a specified period of time and uses it again when necessary.
Personal data related to the transactions carried out by the User while browsing the website may be processed by İsotec Enerji Anonim Şirketi for the purposes listed below and may be shared with third parties for this purpose. In this context, İsotec Enerji Anonim Şirketi may track the User's browsing information and usage history on the Website in order to provide special services to the User and increase the quality of service through the website; to make special promotions; to improve the page contents according to the User; to improve the User experience; and to offer promotional and marketing suggestions; and may process the information collected from the User and use it together with information received from other sources such as third parties.
The User expressly accepts, declares and consents to the processing of the data that he/she may share with İsotec Enerji Anonim Şirketi for the purposes specified within the scope set forth in this Privacy Policy.
Users can change their browser settings to not accept cookies or to alert them when they are sent.
- Rights of the Data Subject Pursuant to Article 11 of the Law:
The Company informs the Data Subject of his/her rights in accordance with Article 10 of the Law; provides guidance on how to use these rights and carries out the necessary internal functioning, administrative and technical arrangements for all these.
In accordance with Article 11 of the Law, ISOTEC Energy Inc. explains that persons whose personal data are collected have the right:
- To learn whether personal data is being processed,
- To request information regarding the processing of personal data,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data is transferred, either domestically or abroad,
- To request correction of personal data if it is processed incompletely or incorrectly,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- To request that the transactions carried out in accordance with subparagraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom personal data has been transferred,
- To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
- To demand compensation in case of damages due to unlawful processing of personal data.
- Application to ISOTEC Energy Inc.:
The Relevant Person may submit their requests regarding the implementation of the Law by filling out the Personal Data Protection Law Relevant Person Application Form (“Application Form to Data Controller”) on the Website and submit it to the Company in the manner specified in the Application Form. The Company shall finalize the requests included in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged. The Company may respond to such requests in the manner specified in the Application Form.
In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner; the Relevant Person may complain to the Board within thirty days from the date of learning the response of Isotec Energy Inc. and in any case within sixty days from the date of application. A complaint cannot be filed without exhausting the above-mentioned remedy.
- Storage Period of Personal Data; Deletion, Destruction or Anonymization:
Personal data will be deleted, destroyed or anonymized if:
- The purposes of processing personal data have been realized,
- There is no possibility of their realization,
- The period required for the performance of the service provided to the User by Isotec Energy Anonim Şirketi has expired, or
- The storage periods determined by the relevant legislation and İsotec Enerji Anonim Şirketi have expired.
These personal data may only be stored to be used as evidence in possible legal disputes or to exercise a relevant right related to personal data.
- Method of Collecting Personal Data, Legal Reasons and Data Security:
Personal data is collected in all kinds of verbal, written and electronic media for the purposes stated above and processed by the Company or assigned data processors.
In order to ensure data security, the Company must take all necessary technical and administrative measures to ensure an appropriate level of security, in order:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data.
In case of redirection to other sites or applications via the Website, ISOTEC Energy Inc. has no knowledge of the compliance of the referred sites and applications with the legislation on the protection of personal data and is not responsible for their privacy policies and content.
ISOTEC Energy Inc. reserves the right to change the provisions of the Privacy Policy without prior notice.
The User declares that he/she has read and accepted all the terms written in the ISOTEC Energy Inc. Website Privacy Policy, that he/she has been informed about the processing of his/her personal data by this Privacy Policy, and that he/she accepts and consents to the use of his/her personal data as stated in the Privacy Policy.
ISOTEC ENERGY JOINT STOCK COMPANY
PROCESSING OF PERSONAL DATA
INFORMATION TEXT
Isotec Energy Joint Stock Company (hereinafter the “Company”) carries out personal data processing activities in accordance with Article 20 of the Constitution of the Republic of Turkey No. 2709 and Article 4 of the Personal Data Protection Law No. 6698 (hereinafter the “Law”): in accordance with the law and the rules of honesty; accurately and, when necessary, up to date; for specific, clear and legitimate purposes; in a limited, proportionate and purpose-related manner; and by keeping personal data for a period limited to the period stipulated in the laws or required by the purpose of processing personal data.
This Information Text has been prepared by Isotec Energy Inc. based on Article 10, titled “Information Obligation of the Data Controller”, of the Personal Data Protection Law No. 6698 and the relevant communiqué.
- Definitions
- Data Controller: It is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
- Personal Data: It refers to any information relating to an identified or identifiable real person; data such as the person's Name, Surname, Date of Birth, Place of Birth, Information Regarding the Person's Physical, Economic, Family and Other Characteristics, Telephone Number, Identity Number are "Personal Data".
- Special Personal Data: Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
- Data Recording System: It refers to the recording system in which personal data is structured and processed according to certain criteria. These systems can be created in physical or electronic environments.
- Data Controller and Representative
Your personal data is processed by our Company as the data controller in accordance with the Personal Data Protection Law and in accordance with the procedures explained below.
Data Controller: Isotec Energy Inc.
Address: Çerkeşli Osb Mah. İmes-19 Cad. A Block No: 18 Dilovası / KOCAELİ
Tax Office: Uluçınar Tax Office
Tax Identification Number: 4811429316
Phone: +90 262 244 43 09
E-mail Address: muhasebe@isotec.com.tr
KEP (Registered Electronic Mail) Address: isotec@hs01.kep.tr
- Purposes of Processing Personal Data
Your personal data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law for the following purposes: the best planning and implementation of our human resources policies; the correct planning and execution of our commercial partnerships and strategies; ensuring the legal, commercial and physical security of our company and our business partners; ensuring the corporate functioning of the company; carrying out studies to make you benefit from the products and services offered by our company in the best way; customizing the products and services offered by our company according to your demands, needs, usage habits and requests and recommending them to you; ensuring the highest level of data security; creating databases; developing the services offered on our company's website; communicating with those who send their demands and complaints to our company; eliminating errors on our company's website; and ensuring compliance with the provisions in the Personal Data Processing Policy of İsotec Enerji Anonim Şirketi shared at www.isotec.com.tr.
- To Whom and For What Purposes Can Processed Personal Data Be Transferred?
Your personal data is transferred to our shareholders, business partners, suppliers, group companies, affiliates, companies and institutions we cooperate with, companies from which we receive external services in order to fulfill our contractual or legal obligations (in matters such as security, health, work safety, law, etc.), and authorized institutions and organizations, within the scope of the conditions specified in Articles 8 and 9 of the Law, limited to the purposes specified in Article b of this text.
- Method and Legal Reason for Collecting Personal Data
Your personal data is collected in all kinds of verbal, written and electronic media, through technical and other methods and through various means such as the call center, our company's website and the mobile application, within the framework of legal reasons based on legislation, contract and request, limited to the purposes specified in our company's Personal Data Processing Policy, and is processed by our company or data processors assigned by our company.
- Rights of the Personal Data Owner According to Article 11 of the Law
Our company informs you of your rights in accordance with Article 10 of the Law, provides guidance on how to use these rights, and carries out the necessary internal functioning, administrative and technical arrangements for all of these. In accordance with Article 11 of the Law, our company explains that persons whose personal data is collected have the right:
- To learn whether personal data is being processed,
- To request information regarding the processing of personal data,
- To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- To know the third parties to whom personal data is transferred, either domestically or abroad,
- To request correction of personal data if it is processed incompletely or incorrectly,
- To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- To request that the transactions carried out in accordance with subparagraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom personal data has been transferred,
- To object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
- To demand compensation in case of damages due to unlawful processing of personal data.
You can forward your requests regarding the implementation of the Law to our company using the Personal Data Protection Law Data Owner Application Form, by sending it to the address in the application form in writing, with a secure electronic signature, or by other methods determined by the Personal Data Protection Board (hereinafter the “Board”). Our company will finalize your requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the Board may be charged.
Finally, we would like to state that; the protection of your personal data is of great importance to our Company and the highest level of care is taken in terms of security and other issues in the processing of your personal data. For this purpose, the processing and transfer of your personal data by our Company in a secure manner in accordance with the Law and other legislation is always of primary importance to our Company. In this regard, your personal data is processed in accordance with all relevant legislation.
This Disclosure Text may be updated in order to comply with the KVKK legislation due to the changing processes of the Company. We kindly request you to visit the company's website for such updates.
ISOTEC ENERGY JOINT STOCK COMPANY
PERSONAL DATA PROTECTION AND PROCESSING POLICY
This Personal Data Protection and Processing Policy has been prepared by İsotec Enerji Anonim Şirketi (the “Company”) within the framework of the Personal Data Protection Law No. 6698. It provides information about our company policy regarding the processing and transfer by the Company of personal data that users, visitors, members and other persons (“User” or “Contact Person”) share with the Company or produce while using the content on the Company's official website, www.isotec.com.tr (the “Website”). Based on these principles and procedures, as a Company, we take all administrative and technical measures in line with the policy we have implemented for the protection and processing of Personal Data.
- Purpose of the Personal Data Protection and Processing Policy:
The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to regulate the principles and fundamentals determined by our company, which manufactures and assembles parts of solar energy systems in the energy sector, regarding the processing of personal data, the protection of this data and its destruction when necessary, within the framework of the Law No. 6698 on the Protection of Personal Data. Within this scope, the aim is also to protect the fundamental rights and freedoms of individuals, especially the privacy of private life regulated in Article 20 of the Constitution, to the maximum extent, and to inform Personal Data Owners about the obligations of our Company and the procedures and principles it will apply in accordance with the Personal Data Protection Law No. 6698. The most primary and important purpose of our policy is to protect the privacy of private life and the security of data of Personal Data Owners.
- Scope of the Personal Data Protection and Processing Policy:
This Policy has been prepared for certain company beneficiaries, provided that they consist of real persons existing within the company, and for other classes and new real persons that can be obtained from outside the company, namely:
- Company Shareholders,
- Company Business Partners,
- Company Officials,
- Company Employees,
- Company Interns,
- Former Employees of the Company,
- Employee Candidates,
- Visitors,
- Company Customers,
- Potential Customers,
- Third Parties,
and will be applied to all real persons except those specified.
The Company has put this Policy into effect by publishing it on the website www.isotec.com.tr within the scope of the Law No. 6698 on the Protection of Personal Data. As we have stated above, this Policy will not be applicable to legal entities, regardless of their title or name. In addition, the “Personal Data Processing Policy for Employees” will be applied to our company employees.
This Policy will be applied to the above-mentioned real persons if their Personal Data is processed by our Company, within the scope of the Law No. 6698 on the Protection of Personal Data, by fully or partially automatic means, or by non-automatic means provided that it is part of any data recording system. If the data does not fall within the scope of “Personal Data” as defined below, or if the Personal Data processing activity carried out by our Company is not through the means specified above, this Policy will not be applied.
- Definitions within the Scope of Personal Data Protection Law No. 6698:
The main definitions to be used by our Company in the application of the Law while implementing this Policy are as follows:
Explicit Consent | It is consent regarding a specific subject, based on information and expressed with free will. |
Anonymization | It is the process of making it impossible for Personal Data to be associated with an identified or identifiable natural person in any way, even when matched with other data. |
Company | It is Isotec Energy Joint Stock Company. |
Company Official | Members of the board of directors of Isotec Energy Joint Stock Company and other authorized real persons. |
Company Shareholder | Real persons who are shareholders of Isotec Energy Joint Stock Company. |
Company Business Partner, Shareholder, Officer, Employee of Business Partners | All real persons, including the real persons with whom our Company has any kind of business relationship, and the employees, shareholders and officers of the real and legal persons (such as business partners, suppliers) with whom our Company has any kind of business relationship. |
Employee Candidate | They are real persons who have applied for a job in our company by any means or have made their CV and related information available for review by our company. |
Company Customer | They are real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company. |
Potential Customer | Natural persons who have requested or shown interest in using our products and services or who have been assessed in accordance with commercial customs and rules of integrity as likely to have such interest. |
Third Party | Other persons who are not covered by the Data Protection and Processing Policy of Isotec Enerji Anonim Şirketi prepared for Company Employees and who are not included in any Personal Data Owner category in this Policy. |
Visitor | All real persons who have entered the physical premises of our company for various purposes or visited our websites for any purpose. |
Law | Refers to the Personal Data Protection Law No. 6698. |
Secondary Legislation | It means any regulation, circular, notification, principle decision or similar administrative decision or general opinion issued or received by the Personal Data Protection Authority in accordance with the law. |
Related Users | Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data. |
Personal Data/Data | It refers to any information relating to an identified or identifiable real person. |
Processing of Personal Data | It refers to any operation performed on Personal Data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system. |
The Board | Refers to the Personal Data Protection Board. |
Organisation | Refers to the Personal Data Protection Authority. |
Special Personal Data | Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
Record | It refers to the Data Controllers Registry, which is a registration system in which data controllers are required to register and declare information regarding their data processing activities. |
Data Processor | It refers to the natural or legal person who processes Personal Data on behalf of the Data Controller based on the authority granted by him. |
Data Recording System | It refers to the recording system in which Personal Data is structured and processed according to certain criteria. |
Data Protection Commission | Refers to the Company's Personal Data Protection Commission. |
Data Owner | The Data Owner, defined as the "Relevant Person" in the law, refers to the natural person whose Personal Data is processed. Data Owners also include customers, internet users, individuals in communication, e-mail and marketing database lists, employees, contract parties and suppliers. |
Data Controller | It refers to the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system. |
Draft Regulation on Data Controllers Registry | The Draft Regulation on the Data Controllers Registry has been prepared in accordance with Article 16 of the Law. It has not yet entered into force. |
Deletion | It refers to making personal data inaccessible and non-reusable for the Relevant Users in any way. |
Deletion and Destruction Policy | It refers to the policy prepared by the Company within the framework of the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which regulates the procedures and principles regarding deletion and destruction. |
Disposal | It refers to making personal data inaccessible, irreversible and non-reusable by anyone in any way. |
- Enforcement of the Personal Data Protection and Processing Policy:
This Policy, issued by Isotec Energy Inc., is published on the Company's website www.isotec.com.tr and, from the date of publication, is made available to the relevant persons upon request of the Personal Data Owners.
- Protection of Personal Data Within the Scope of Our Company Policy:
- Security of Personal Data;
Our Company takes all necessary technical and administrative measures to prevent unlawful processing and access of Personal Data and to ensure the appropriate level of security in order to ensure the preservation of Personal Data in accordance with the Personal Data Protection Law No. 6698.
- Control;
Our company carries out the necessary audits, or has them carried out, in order to ensure the establishment of the data security described above and the regularity and continuity of the measures taken.
- Security;
Our Company takes all necessary technical and administrative measures, in accordance with technological possibilities and implementation costs, to ensure that the relevant data controllers and data processors do not disclose the Personal Data they possess to others in violation of the provisions of the Law and the Policy and do not use it for purposes other than processing. In this context, information and training activities are carried out with our Company employees about the Law and the Policy.
- Unauthorized Disclosure of Personal Data;
If the Personal Data processed by our Company is obtained by others through illegal means, our Company will carry out the necessary procedures to notify the relevant Personal Data Owner and the PDP Board as soon as possible. If deemed necessary by the PDP Board, this situation may be announced on the PDP Board's website or by another method deemed appropriate by the PDP Board.
- Observing the Legal Rights of Personal Data Owners;
Our Company observes all legal rights of Personal Data Owners through the implementation of the Policy and the Law and takes all necessary measures to protect these rights.
- Protection of Special Personal Data;
As stated in the definitions section, data regarding race, ethnicity, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data of individuals are considered as Special Personal Data. Our Company takes into consideration that Special Personal Data is data that may cause the relevant person to be victimized or discriminated against if learned by others, therefore all necessary measures are meticulously taken to protect such personal data processed in accordance with the law.
- General Principles in the Processing of Personal Data within the Scope of Our Company Policy:
Our Company processes Personal Data in accordance with the Personal Data Protection Law No. 6698 and the procedures and principles set forth in this Policy. Our Company acts within the framework of the following principles when processing Personal Data.
- The Principle of Compliance with the Rules of Law and the Rule of Integrity;
Our Company processes personal data in accordance with the principle of honesty in the most comprehensive manner, taking into account both private law and customary law within the scope of the Law on the Protection of Personal Data No. 6698 and the regulation attached to this law, and uses it meticulously and duly within these limits.
- The Principle of Being Accurate and Up-to-date;
Our Company ensures that the Personal Data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of Personal Data Owners. In this context, issues such as the determination of the sources from which the data is obtained, confirmation of its accuracy, and evaluation of whether it needs to be updated are carefully taken into consideration.
- The Principle of Processing for Identifiable, Clear and Legitimate Purposes;
Our Company clearly and precisely determines the purpose of data processing and ensures that this purpose is legitimate. The legitimate purpose means that the Personal Data processed by our Company is related to and necessary for the work it performs or the service it offers.
- The principle of being relevant, limited and proportionate to the purpose for which they are processed;
Our company ensures that the processed Personal Data is suitable for the realization of the determined purposes and avoids the processing of Personal Data that is not related to the realization of the purpose or is not needed. In order to process data to meet the needs that may arise later, it fulfills one of the conditions for processing Personal Data regulated in the Law, as if it were starting the processing for the first time. It also limits the processed data to only what is necessary for the realization of the purpose.
- The principle of preservation for the period prescribed by the relevant law or necessary for the purpose for which they are processed;
If there is a period of time stipulated in the relevant legislation for the storage of data, our Company complies with these periods; otherwise, it retains Personal Data only for the period necessary for the purpose for which it is processed. If there is no valid reason for our Company to store Personal Data any longer, the data in question is deleted, destroyed or anonymized.
- Conditions for Processing Personal Data Within the Scope of Our Company Policy:
Our Company does not process Personal Data without the explicit consent of the data owner. Our Company may process Personal Data without the explicit consent of the data owner if one of the following conditions is met.
- If Explicitly Provided in Relevant Laws
Our Company may process Personal Data of Personal Data Owners in cases expressly prescribed by law, even without explicit consent.
- In cases where it is necessary to protect the life or physical integrity of a person who is unable to express his/her consent due to a physical impossibility or whose consent is not legally recognized; or of someone else;
In cases where consent cannot be expressed or is not valid, Personal Data may be processed without explicit consent in order to protect the life or physical integrity of individuals. In order to protect the life or physical integrity of individuals, the Personal Data of the Personal Data Owner may be processed during medical intervention. In this context, data such as blood type, past illnesses and surgeries, and medications used may be processed through the relevant health system.
- In cases where the processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract;
Personal Data may be processed by our Company in connection with the establishment or performance of a contract.
- In case it is mandatory for the data controller to fulfill its legal obligations;
If official institutions and organizations request the disclosure of personal data from our Company in order to resolve or clarify an incident, the data controller may share the requested personal data in order to fulfill its legal obligation.
- It has been made public by the relevant person himself;
Our Company may process the Personal Data of the Personal Data Owners that have been made public by them, in other words, disclosed to the public in any way, since it is deemed that the legal interest to be protected is eliminated in the processing of such data that has been made public by the Personal Data Owners and thus has become known by everyone.
- Data Processing is Necessary for the Establishment, Exercise or Protection of a Right;
In cases where data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subjects may be processed without seeking their explicit consent.
- Data Processing is Necessary for the Legitimate Interests of the Data Controller, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Subject;
Our Company may process the Personal Data of Personal Data Owners in cases where processing of Personal Data is mandatory for the protection of legitimate interests, provided that it does not harm the fundamental rights and freedoms of Personal Data Owners protected under the Law and Policy. Our Company shows the necessary sensitivity to comply with the basic principles regarding the protection of Personal Data and to observe the balance of interests of our Company and Personal Data Owners.
- Conditions for Processing Special Personal Data within the Scope of Our Company Policy;
Our Company does not process Personal Data of a Special Nature without the explicit consent of the person concerned. However, Personal Data other than health and sexual life may be processed without the explicit consent of the person concerned in cases stipulated by law. Personal Data related to health and sexual life may be processed by our Company without the explicit consent of the person concerned only for the purposes of protecting public health, conducting preventive medicine, medical diagnosis and treatment and care services, planning and managing health services and their financing, and only under conditions where we are under a confidentiality obligation. In this regard, our Company meticulously follows and implements the sufficient measures determined by the Board for the processing of Personal Data of a Special Nature.
- Deletion, Destruction or Anonymization of Personal Data within the Scope of Our Company Policy:
Although our Company has processed personal data in accordance with the Law and other relevant laws, if the reasons requiring processing are eliminated, personal data will be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person. The provisions of other laws regarding the deletion, destruction or anonymization of personal data are reserved. The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by regulation.
- Transfer of Personal Data Within the Scope of Our Company Policy:
- If it is necessary to protect the life or physical integrity of the Personal Data owner or someone else and the Personal Data owner is unable to give his/her consent due to a de facto impossibility or if his/her consent is not legally valid,
- If it is necessary to transfer Personal Data belonging to the parties to a contract, provided that it is directly related to the establishment or execution of a contract,
- If the transfer of Personal Data is mandatory for our Company to fulfill its legal obligations,
- If the Personal Data has been made public by the Personal Data owner,
- If the transfer of Personal Data is mandatory for the establishment, exercise or protection of a right,
- If the transfer of Personal Data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the Personal Data owner, it may be transferred.
- Transfer of Personal Data Abroad Within the Scope of Our Company Policy:
Our Company may transfer Personal Data and Special Personal Data of Personal Data Owners to third parties abroad by taking the necessary security measures in line with the purposes of processing Personal Data. For this purpose, considering the issues listed in the relevant law, our Company may transfer Personal Data to foreign countries declared by the KVK Board as having sufficient protection or, in the absence of sufficient protection, to foreign countries where the data controllers in Türkiye and the relevant foreign country have undertaken in writing to provide sufficient protection and where the KVK Board has granted permission. Countries with these characteristics are declared by the KVK Board.
- Classification of Personal Data Within the Scope of Our Company Policy:
Our company processes Personal Data by classifying it within a number of definitions in accordance with the Personal Data Protection Law No. 6698. Explanations regarding these classes are listed below.
- Personal Data Owner's Identity Information
These are personal data related to the identity of the data owner. They include:
- Name-surname,
- Turkish identity number,
- Marital status,
- Nationality information,
- Name and surname of mother-father,
- Place and date of birth,
- Gender,
- Driving licence,
- ID card,
- Passport,
- Tax number,
- Social Security number,
- Signature information,
- Vehicle license plate and other information.
- Contact Information of the Personal Data Owner;
Personal data is data related to the identity of the data owner. These data are;
- Telephone number,
- Address,
- Email address,
- Fax number,
- IP address and other information.
- Transaction Security Information of the Personal Data Owner;
These are personal data processed regarding the technical, administrative, legal and commercial security of both the Personal Data Owner and the Company during the operations carried out by the Company in its internal and external operations.
- Financial Information of the Personal Data Owner;
These are information and documents showing all kinds of financial results arising from the employee-employer relationship established by the Company with the Personal Data owner. In addition;
- Personal data processed regarding the records,
- Bank account number,
- Branch code,
- Bank card information,
- IBAN number,
- Credit card information,
- Financial profile,
- Credit score,
- Asset data,
- Income information and other information.
- Visual and Audio Information of the Personal Data Owner;
Photo and camera recordings, sound recordings, and any data and other information containing these data.
- Personal Data Owner's Personal Information;
It is any personal data processed to obtain information that will form the basis for the protection of personal rights of real persons who are in a working relationship with the Personal Data Owner.
- Location Information of the Personal Data Owner;
Information that determines the location of the Personal Data owner while using Company vehicles within the scope of the activities and operations of the Company or companies and institutions it cooperates with; GPS location, travel data and other information.
- Information about the Family Members and Relatives of the Personal Data Owner;
Identity information and contact information, as defined above, about the family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in emergency situations within the framework of the activities and operations of the Company or companies and institutions it cooperates with or in order to protect the legal and other interests of the Company and the Personal Data owner.
- Personal Data Owner's Physical Location Security Information;
Personal data regarding records and documents taken upon entry to the physical location and during stay in the physical location;
- Camera recordings,
- Fingerprint records
- Records and other data taken at the security point.
- Legal Procedure Information of the Personal Data Owner;
Data processed within the scope of the determination and follow-up of the Company's legal receivables and rights, the fulfillment of its debts and legal obligations.
- Personal Data Owner's Special Personal Information;
These are the data specified in Article 6 of the Personal Data Protection Law No. 6698. (Health data, biometric data, religion and association membership information, etc.)
- Request/Complaint Management Information of Personal Data Owner;
These are data related to the Personal Data owner regarding the receipt and evaluation of any request or complaint directed to our Company.
- Purposes of Processing Personal Data Within the Scope of Our Company Policy:
In order to fulfill the disclosure obligation in Article 10 of the Personal Data Protection Law No. 6698, our Company provides information to data owners about the purposes for which Personal Data will be processed, to whom and for what purpose the processed data can be transferred.
Your personal data is processed within the scope of the personal data processing conditions specified in Articles 5 and 6 of the Law, limited to the purposes of planning and implementing our human resources policies in the best way, planning and executing our commercial partnerships and strategies correctly, ensuring the legal, commercial and physical security of our Company and our business partners, ensuring the corporate functioning of our Company, carrying out studies to ensure that you benefit from the products and services offered by our Company in the best way possible; customizing the products and services offered by our Company according to your demands, needs and requests and recommending them to you, ensuring the highest level of data security, creating databases, developing the services offered on our Company's website, communicating with those who submit their demands and complaints to our Company, and eliminating errors on our Company's website.
- Purposes of Transferring Personal Data Within the Scope of Our Company Policy:
The data of the Personal Data owner is transferred within the scope of the conditions specified in Articles 8 and 9 of the Law, limited to the purposes of planning and implementing our human resources policies in the best way, planning and executing our commercial partnerships and strategies correctly, ensuring the legal, commercial and physical security of our Company and our business partners, ensuring the corporate functioning of our Company, carrying out studies to ensure that you benefit from the products and services offered by our Company in the best way; customizing the products and services offered by our Company according to your demands, needs and requests and recommending them to you, ensuring the highest level of data security, creating databases, developing the services offered on our Company's website, communicating with those who send their demands and complaints to our Company, and eliminating errors on our Company's website.
- Persons to Whom Personal Data Will Be Transferred Within the Scope of Our Company Policy
Data of the Personal Data owner may be transferred, in order to fulfill our contractual or legal obligations, to:
- Our shareholders,
- Our business partners,
- Our suppliers,
- Our affiliates,
- The companies and institutions we cooperate with,
- Companies from which our Company receives external services (on issues such as security, health, occupational safety, law, etc.) and authorized institutions and organizations.
- Personal Data Collection Method and Legal Reason Within the Scope of Our Company Policy
For the purpose of auditing compliance with Article 1, which regulates the purpose of the Law No. 6698 on the Protection of Personal Data, and Article 2, which regulates the scope of the law, Personal Data is collected verbally, in writing, or in electronic environment, through technical and other methods, and through various means such as the call center, our Company website and mobile applications. It is collected in order to achieve the objectives set out in the Policy and to fulfill the responsibilities arising from the law completely and accurately, within the framework of legal reasons based on legislation, agreement, demand and request.
After these collection methods, it is processed by our Company or data processors commissioned by our Company.
- Deletion, Destruction or Anonymization of Personal Data within the Scope of Our Company Policy:
Without prejudice to the provisions of other laws regarding the deletion, destruction or anonymization of Personal Data, our Company shall delete, destroy or anonymize Personal Data ex officio or upon the request of the data owner, in the event that the reasons requiring processing are eliminated, despite having processed the Personal Data in accordance with the Law No. 6698 on the Protection of Personal Data and other legal provisions.
Deleting personal data means destroying this data in such a way that it cannot be used again and cannot be retrieved. Accordingly, personal data is deleted from the documents, files, CDs, floppy disks, hard disks, etc. in which it is recorded, in a way that cannot be recovered.
Destruction of Personal Data means destroying data storage materials such as documents, files, CDs, floppy disks and hard disks in which the data is recorded, in a way that the information cannot be retrieved or used again.
Anonymizing data means rendering Personal Data such that it cannot be associated with an identified or identifiable natural person, even if it is matched with other data.
- Storage Period of Personal Data Within the Scope of Our Company Policy:
Our Company stores Personal Data in accordance with the periods stipulated in the Personal Data Protection Law No. 6698 and other legislation. If there is no regulation in the Personal Data Protection Law No. 6698 and other legislation regarding how long Personal Data should be stored, Personal Data is processed for the period required, in line with the purpose of processing, by the activity our Company carries out when processing that Personal Data, and is then deleted, destroyed or anonymized.
- Informing the Personal Data Owner within the Scope of Our Company Policy:
Our Company informs the Personal Data Owners during the collection of personal data within the framework of Article 10 of the Law on the Protection of Personal Data No. 6698. In this context, information is provided on the identity of the Company representative, if any, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights of the Personal Data Owner.
- Rights of the Personal Data Owner in Accordance with the KVKK Law within the Scope of Our Company Policy:
Our company informs everyone about their rights in accordance with Article 10 of the Personal Data Protection Law No. 6698; provides guidance on how to use these rights and carries out the necessary internal functioning, administrative and technical arrangements for all of these. In accordance with Article 11 of the Law, our company explains to persons whose personal data is collected that they have the right to:
- Learn whether personal data is being processed,
- Request information regarding the processing of personal data,
- Learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- Know the third parties to whom personal data is transferred, either domestically or abroad,
- Request correction of personal data if it is processed incompletely or incorrectly,
- Request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
- Request that the transactions carried out in accordance with subparagraphs (d) and (e) of Article 11 of the Law be notified to third parties to whom personal data has been transferred,
- Object to a result that is to the detriment of the person himself/herself, as a result of the analysis of the processed data exclusively through automatic systems,
- Demand compensation in case of damages due to unlawful processing of personal data.
You can forward your requests regarding the implementation of the Personal Data Protection Law No. 6698 to our Company using the Personal Data Protection Law Data Owner Application Form, in writing or with a secure electronic signature, or by other methods to be determined by the Personal Data Protection Board (“the Board”), by sending them to the address in the application form. Our Company will finalize your requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction in question requires an additional cost, the fee in the tariff determined by the Board may be charged.
Our Company may accept or reject the request by explaining the reason; it shall notify the relevant person of its response in writing or electronically. If the request in the application is accepted, our Company shall fulfill its obligations. If the application is caused by the error of our Company, the fee received shall be refunded to the data owner.
In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the data owner has the right to lodge a complaint with the Board within thirty days from the date on which he/she learns of the response and, in any case, within sixty days from the date of application.
- Cases where the policy and law will not be applied fully or partially within the scope of our company policy:
This Company Policy and the provisions of the Law will not apply in the following cases:
- Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not disclosed to third parties and that obligations regarding data security are complied with.
- Processing of personal data by making them anonymous with official statistics for purposes such as research, planning and statistics.
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy or personal rights or does not constitute a crime.
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.
- Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Provided that it is in accordance with and proportionate with the purpose and basic principles of this Policy and the Law No. 6698 on the Protection of Personal Data, Article 10, which regulates the data controller's obligation to inform, Article 11, which regulates the rights of the relevant person, excluding the right to claim compensation for damages, and Article 16, which regulates the obligation to register with the Data Controllers Registry, shall not apply in the following cases.
- Processing of personal data is necessary for the prevention of crime or criminal investigation.
- Processing of personal data made public by the person concerned.
- The processing of personal data is necessary for the performance of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
- The processing of personal data is necessary to protect the economic and financial interests of the State in relation to budgetary, tax and financial matters.
- Classification of Personal Data Owners Within the Scope of Our Company Policy:
Only natural persons can benefit from the protection of this Policy and the Law; Personal Data Owners within this scope are grouped as follows:
Employee Candidate | They are real persons who have applied for a job in our company by any means or have made their CV and related information available for review by our company. |
Group Company Customer | Persons whose Personal Data is obtained through Isotec Energy Inc. |
Company Business Partner, Shareholder, Officer, Employee of Business Partners | All real persons, including the real persons with whom our Company has any kind of business relationship, and the employees, shareholders and officers of the real and legal persons (such as business partners, suppliers) with whom our Company has any kind of business relationship. |
Company Customer | They are real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company. |
Potential Customer | They are real persons who have requested or shown interest in using our products and services or who have been assessed in accordance with commercial practices and rules of integrity as likely to have such interest. |
Company Shareholder | They are the shareholders of Isotec Energy Joint Stock Company. |
Company Official | Member of the board of directors and other authorized persons of Isotec Energy Joint Stock Company. |
Third Party | Other persons who are not covered by the Personal Data Protection and Processing Policy of Isotec Enerji Anonim Şirketi prepared for Company Employees and who are not included in any Personal Data Owner category in this Policy. |
Visitor | All real persons who have entered the physical premises of our company for various purposes or visited our websites for any purpose. |
- Matching Personal Data with Personal Data Owners Within the Scope of Our Company Policy:
The mapping of the classified Personal Data, the definitions and scopes of which are given above, to the classified Personal Data Owners is presented below.
Identity Information | Company Shareholder; Company Official; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Contact Information | Company Shareholder; Company Official; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Transaction Security Information | Company Shareholder; Company Official; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Financial Information | Company Shareholder; Company Official; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Visual and Audio Information | Company Shareholder; Company Official; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Official, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Personal Information | Company Business Partner, Shareholder, Officer, Employee of Business Partners; Employee Candidate, Third Parties |
Location Information | Company Business Partner, Shareholder, Officer, Employee of Business Partners |
Family Members and Relatives Information | Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Officer, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Physical Space and Security Information | Company Shareholder; Company Officer; Company Business Partner, Shareholder, Officer, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Legal Procedure Information | Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Officer, Employee of Business Partners; Third Parties |
Sensitive Personal Information | Company Shareholder; Company Officer; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Officer, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
Request/Complaint Management Information | Company Shareholder; Company Officer; Company Customer; Group Company Customer; Potential Customer; Company Business Partner, Shareholder, Officer, Employee of Business Partners; Employee Candidate; Visitor, Third Parties |
ISOTEC ENERGY JOINT STOCK COMPANY
PERSONAL DATA STORAGE AND DESTRUCTION POLICY
The purpose of this policy is to determine the procedures and principles regarding the deletion, destruction or anonymization of personal data processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system. This policy has been prepared by İsotec Enerji Anonim Şirketi in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data, which was prepared based on the third paragraph of Article 7 and subparagraph (e) of the first paragraph of Article 22 of Law No. 6698.
- DEFINITIONS
Recipient Group | The category of natural or legal persons to whom personal data is transferred by the data controller. |
Explicit Consent | Consent on a specific subject, based on information and expressed freely. |
Anonymization | The process of rendering personal data such that it cannot be associated with an identified or identifiable natural person in any way, even if it is matched with other data. |
Electronic Media | Environments where personal data can be created, read, changed and written using electronic devices. |
Non-Electronic Media | All written, printed, visual etc. media other than electronic media. |
Related User | Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data. |
Destruction | It is the process of deleting, destroying or anonymizing personal data. |
Law | Personal Data Protection Law No. 6698. |
Recording Environment | It refers to any environment where personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Personal Data Processing Inventory | The inventory that data controllers create by relating the personal data processing activities they carry out in connection with their business processes to the purposes of processing personal data, the data category, the recipient group to which the data is transferred and the data subject group, and in which they detail the maximum period required for the purposes for which personal data is processed, the personal data planned to be transferred to foreign countries and the measures taken regarding data security. |
Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, in whole or in part, by automatic means or non-automatic means provided that it is part of any data recording system. |
Special Personal Data | Data regarding individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. |
Periodic Destruction | It refers to the process of deletion, destruction or anonymization, which will be carried out ex officio at recurring intervals and specified in the personal data storage and destruction policy, in the event that all the processing conditions of personal data specified in the law are eliminated. |
Policy | It is the policy on which data controllers base their decision on the process of determining the maximum period necessary for the purpose for which personal data is processed and the process of erasing, destroying and anonymising personal data. |
Deletion of Personal Data | Deletion of personal data is the process of making personal data inaccessible and unusable again for the relevant users in any way. |
Destruction of Personal Data | Destroying personal data is the process of making personal data inaccessible, irretrievable and unusable again by anyone. |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller. |
Data Recording System | It refers to the recording system in which personal data is structured and processed according to certain criteria. |
Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
Data Controllers Registry Information System | The information system created and managed by the Presidency, accessible via the internet, to be used by data controllers in applying to the Registry and other relevant transactions related to the Registry. |
Verbis | Data Controllers Registry Information System |
Regulations | Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017 |
- RECORDING MEDIA
ELECTRONIC MEDIA | NON-ELECTRONIC MEDIA |
Servers (Domain, backup, email, database, web, file sharing, etc.) | |
- EXPLANATIONS ON STORAGE AND DESTRUCTION
Personal data of employees, job candidates, visitors and employees of third parties, institutions or organizations with whom it has relations as a service provider are stored and destroyed by İsotec Enerji Anonim Şirketi in accordance with the Law.
In this context, detailed explanations regarding storage and destruction are given below, respectively.
- Purposes of Storage
The concept of processing personal data is defined in Article 3 of the Law, and Article 4 states that the personal data processed must be related, limited and proportionate to the purpose for which they are processed and must be stored for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed, while Articles 5 and 6 list the conditions for processing personal data. Accordingly, within the scope of our Company's activities, personal data is stored for the period stipulated in the relevant legislation or in accordance with our processing purposes.
- 3.1.1. Legal Reasons Requiring Storage
Personal data processed within the scope of our company's activities are kept for the period stipulated in the relevant legislation. In this context, personal data are stored for the retention periods stipulated in:
- Personal Data Protection Law No. 6698,
- Turkish Code of Obligations No. 6098,
- Social Insurance and General Health Insurance Law No. 5510,
- Law No. 5651 on the Regulation of Publications Made on the Internet and Combating Crimes Committed Through These Publications,
- Occupational Health and Safety Law No. 6361,
- Law No. 4982 on Information,
- Law No. 3071 on the Use of the Right to Petition,
- Labor Law No. 4857,
- Higher Education Law No. 2547,
- Social Services Law No. 2828,
- Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Annexes,
- Regulation on Archive Services,
- other secondary regulations in force in accordance with these laws.
- Processing Purposes Requiring Storage
Our company stores the personal data it processes within the scope of its activities for the following purposes.
- To carry out human resources processes.
- To ensure corporate communication.
- To ensure company security.
- To carry out statistical studies.
- To carry out work and transactions as a result of signed contracts and protocols.
- Within the scope of VERBIS, to determine the preferences and needs of employees, data controllers, contact persons, data controller representatives and data processors, to organize the services provided accordingly and to update them if necessary.
- To ensure the fulfillment of legal obligations as required or made mandatory by legal regulations.
- To contact real/legal persons who have business relations with the Company.
- To make legal reports.
- To manage call center processes.
- To fulfill the burden of proof as evidence in legal disputes that may arise in the future.
- Reasons Requiring Destruction
Personal data are deleted or destroyed by our Company upon the request of the person concerned, or deleted, destroyed or anonymized ex officio, in the following cases:
- The relevant legislative provisions that form the basis of processing are amended or repealed,
- The purpose requiring processing or storage is eliminated,
- In cases where personal data is processed only based on explicit consent, the relevant person withdraws his/her explicit consent,
- The Company accepts the application made by the relevant person for the deletion and destruction of his/her personal data within the framework of his/her rights in accordance with Article 11 of the Law,
- The Company rejects the application made by the relevant person requesting the deletion, destruction or anonymization of his/her personal data, gives a response that the person finds insufficient, or does not respond within the period stipulated in the Law, and the Board approves the request following the person's complaint to the Board,
- The maximum period for which personal data must be stored has passed and there are no conditions that would justify storing personal data for a longer period.
- TECHNICAL AND ADMINISTRATIVE MEASURES
In order to securely store personal data, prevent unlawful processing and access, and lawfully destroy personal data, our company takes technical and administrative measures in accordance with Article 12 of the Law and within the framework of the adequate measures determined and announced by the Board for special personal data pursuant to the fourth paragraph of Article 6 of the Law.
- Technical Measures
The technical measures taken by the Company regarding the personal data it processes are listed below:
- Penetration tests are used to identify risks, threats, vulnerabilities and gaps, if any, regarding our Company's information systems and to take necessary precautions.
- As a result of real-time analysis with information security incident management, risks and threats that will affect the continuity of information systems are constantly monitored.
- Access to information systems and authorization of users are done through security policies via the access and authorization matrix and the corporate active directory.
- Necessary measures are taken for the physical security of the company's IT systems equipment, software and data.
- In order to ensure the security of information systems against environmental threats, hardware (access control system that ensures only authorized personnel enter the system room, 24/7 monitoring system, ensuring the physical security of the edge switches that make up the local area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, intrusion prevention systems, network access control, systems that block malware, etc.) measures are taken.
- Risks to prevent unlawful processing of personal data are identified, appropriate technical measures are taken against these risks, and technical checks are carried out regarding the measures taken.
- Access procedures are established within the company and reporting and analysis studies are carried out regarding access to personal data.
- Access to storage areas containing personal data is recorded and inappropriate access or access attempts are kept under control.
- The Company takes the necessary measures to ensure that deleted personal data is inaccessible and non-reusable for the relevant users.
- In case personal data is obtained by others unlawfully, the Company has established an appropriate system and infrastructure to report this situation to the relevant person and the Board.
- Security vulnerabilities are monitored, appropriate security patches are installed, and information systems are kept up to date.
- Strong passwords are used in electronic environments where personal data is processed.
- Secure record keeping (logging) systems are used in electronic environments where personal data is processed.
- Data backup programs are used to ensure the safe storage of personal data.
- Access to personal data stored in electronic or non-electronic media is limited according to access principles.
- Access to the company's website is encrypted with the SHA 256 Bit RSA algorithm using the secure protocol (HTTPS).
- A separate policy has been determined for the security of special personal data.
- Training on special personal data security has been provided to employees involved in special personal data processing processes, confidentiality agreements have been made, and the authorities of users authorized to access data have been defined.
- Electronic environments where sensitive personal data is processed, stored and/or accessed are protected using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are regularly performed or commissioned, and test results are recorded.
- Adequate security measures are taken for the physical environments where sensitive personal data is processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
- If sensitive personal data needs to be transferred via e-mail, it is transferred encrypted using a corporate e-mail address or KEP account. If it needs to be transferred via portable memory, CD, DVD, it is encrypted using cryptographic methods and the cryptographic key is kept in a different environment. If the transfer is made between servers in different physical environments, VPN is established between the servers or data transfer is carried out using the sFTP method. If it needs to be transferred via paper, necessary precautions are taken against risks such as theft, loss or viewing by unauthorized persons and the document is sent in a “confidential” format.
- Administrative Measures
The administrative measures taken by the Company regarding the personal data it processes are listed below:
- Training is provided on the prevention of unlawful processing of personal data, prevention of unlawful access to personal data, protection of personal data, communication techniques, technical knowledge and skills, Law No. 657 and other relevant legislation to improve the qualifications of employees.
- Employees are required to sign confidentiality agreements regarding the activities carried out by the company.
- Disciplinary procedures have been prepared for employees who do not comply with security policies and procedures.
- The Company fulfills its obligation to inform the relevant persons before processing personal data.
- A personal data processing inventory has been prepared.
- Periodic and random audits are conducted within the company.
- Information security training is provided to employees.
- PERSONAL DATA DESTRUCTION TECHNIQUES
At the end of the period stipulated in the relevant legislation, or of the storage period required for the purpose for which they are processed, personal data are destroyed by the Company, either ex officio or upon the application of the relevant person, using the techniques specified below, in accordance with the relevant legislation.
- Deletion of Personal Data
Data Recording Environment | Explanation |
Personal Data Located on Servers | For personal data on the servers whose storage period has expired, the system administrator will delete the data by revoking the access rights of the relevant users. |
Personal Data Located in the Electronic Environment | Personal data in electronic media whose storage period has expired are rendered inaccessible and non-reusable by any means for employees (relevant users), except for the database administrator. |
Personal Data Located in the Physical Environment | Personal data kept in a physical environment whose storage period has expired are rendered inaccessible and non-reusable in any way for employees other than the unit manager responsible for the document archive. In addition, they are blacked out by crossing out, painting over or erasing so that they cannot be read. |
Personal Data Found on Portable Media | Personal data kept in flash-based storage media whose storage period has expired are encrypted by the system administrator and stored in secure environments with encryption keys, with access authorization granted only to the system administrator. |
- Destruction of Personal Data
Data Recording Environment | Explanation |
Personal Data Located in the Physical Environment | Personal data on paper whose storage period has expired are irreversibly destroyed in paper shredders. |
Personal Data Contained on Optical / Magnetic Media | Personal data on optical and magnetic media whose storage period has expired are physically destroyed by melting, burning or pulverizing the media. In addition, magnetic media is subjected to a high magnetic field by passing it through a special device, rendering the data on it unreadable. |
- Anonymization of Personal Data
Anonymization of personal data means making personal data incapable of being associated with an identified or identifiable natural person in any way, even if matched with other data.
In order for personal data to be anonymized, it must be rendered incapable of being associated with an identified or identifiable natural person even through the use of techniques appropriate for the recording medium and relevant field of activity, such as the data controller or third parties reversing the process and/or matching the data with other data.
- STORAGE AND DESTRUCTION PERIODS
Regarding the personal data processed by the Company within the scope of its activities;
- The retention periods for all personal data within the scope of activities carried out in accordance with the processes are listed in the Personal Data Processing Inventory;
- Retention periods based on data categories are determined during registration with VERBIS;
- Process-based retention periods are included in the Personal Data Retention and Destruction Policy.
If necessary, updates are made to the storage periods in question by the Data Management Department.
The ex officio deletion, destruction or anonymization process for personal data whose retention periods have expired is carried out by the Data Security and Information Systems Department.
PROCESS | STORAGE PERIOD | DESTRUCTION PERIOD |
Board Procedures | 10 years | During the first periodic destruction period following the end of the storage period |
Preparation of contracts | 10 years following termination of the contract | During the first periodic destruction period following the end of the storage period |
Execution of Company Communication Activities | 10 years following the end of activity | During the first periodic destruction period following the end of the storage period |
Execution of Human Resources Processes | 10 years following the end of activity | During the first periodic destruction period following the end of the storage period |
Log Record Tracking Systems | 10 years | During the first periodic destruction period following the end of the storage period |
Execution of Hardware and Software Access Processes | 2 years | During the first periodic destruction period following the end of the storage period |
Registration of Visitors and Meeting Participants | 2 years following the end of the event | During the first periodic destruction period following the end of the storage period |
Camera Records | 3 months | During the first periodic destruction period following the end of the storage period |
- PERIODIC DESTRUCTION PERIODS
The Company destroys personal data whose storage period has expired within 6 months from the date of expiry of the storage period.