PROCESSING AND PROTECTION OF PERSONAL DATA POLICY

  1. ENTRANCE

Within the framework of this Personal Data Protection and Processing Policy (“Policy”), ““Hera Charge Elektronik A.Ş.” (hereinafter briefly " Hera Charge" The principles adopted in the execution of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of Hera Charge data processing activities with the regulations in the Personal Data Protection Law No. informs personal data owners about general principles.

Your personal data is processed and reasonably protected within the scope of this Policy.

  1. POLITICIAN OBJECTIVE

The main purpose of this Policy is to set forth the principles of personal data processing and the protection of personal data, carried out in accordance with the law by Hera Charge, and to ensure transparency by enlightening and informing the persons whose personal data are processed by our company.

  1. CONTENT POLITICIAN

This Policy; Regarding your personal data processed by Hera Charge; The principles of the processing of personal data and personal health data, the purposes and conditions of the processing of this data, the transfer and destruction of this data in the country and abroad, and the practices and principles regarding your rights on the processed data are notified to you below.

  1. ACCESS AND UPDATE

The policy is published on the website of our Company and made available to the relevant persons upon the request of the personal data owners and updated when necessary. (Your personal data that we collect and process must be accurate and up-to-date when necessary in accordance with Article 4 of the Personal Data Processing Law No. 6698. Therefore, in case of any change in your personal data, you can report your current and accurate personal information with the methods described in the Clarification Text on our website. .)

Our company reserves the right to make changes in the Policy in line with the legal regulations.

In case of conflict with the legislation in force, especially the Law, and the regulations included in this Policy, the provisions of the legislation shall apply.

  1. DEFINITIONS

The definitions used in this Policy are as follows:

Express Consent: Consent on a particular subject, based on information and expressed with free will

Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.

Personal Data: Any information relating to an identified or identifiable natural person

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data

completely or partially by automatic or non-automatic means provided that it is a part o any data recording system. All kinds of operations performed on data, such as blocking

KVK Law: Law No. 6698 on the Protection of Personal Data

KVK Board : Personal Data Protection Board

KVK Institution: Personal Data Protection Authority

Special Categories of Personal Data: Data on race, ethnic origin, political opinion, philosophical  belief, religion, sect or other beliefs, disguise and dress, membership in associations, foundations  or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data

Data Owner : The natural person whose personal data is processed and who is deemed to be the "relevant person" in the KVK Law

Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

Data Processor : The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.

Data Responsibles track record: Data controllers registry (VERBIS) kept by the Presidency under the supervision of the Personal Data Protection Board

Data inventory: Personal data processing activities carried out by Hera Charge in connection with its business processes; personal data processing purposes, the recipient group to which  the personal data is transferred, and the inventory created and detailed by associating with the relevant personal data owner group.

İnventory: Personal data processing activities carried out by Hera Charge in connection with  its business processes; personal data processing purposes, the recipient group to which  the personal data is transferred, and the inventory created and detailed by associating with the relevant personal data owner group.

  1. PERSONAL DATA INVENTORY AND CLASSIFICATION OF PERSONAL DATA

By Hera Charge; In line with the legitimate and lawful personal data processing purposes of Hera Charge, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVK Law, especially the principles specified in Article 4 regarding the processing of personal data, the KVK Law Personal data owners (Product and Service User, Potential Product and Service Buyer, Employees, Employee Candidates, Visitors, Supplier Employees, Supplier Authorities, Shareholder/Partner), Employee Relative, Reference Person) without being limited to;

  • Fulfilling the requirements of commercial activities carried out by our company, and the performance of the service, and ensuring that the relevant persons benefit from the products and services offered by our company,
  • Carrying out the necessary work by the relevant business units of our company, executing the related business processes and making reports,
  • Determining the commercial, operational and business strategies of our company; determination of suitable products, projects and services,
  • Evaluation of requests and complaints,
  • Ensuring the legal and commercial security of third parties who have a business relationship with our company with the products and services offered by our company, following the legal processes and establishing, using and protecting the rights arising from the legislation,
  • Ensuring that our company activities are carried out in accordance with company procedures or relevant legislation,
  • Execution of works carried out with our business partners in sectors that differ according to needs and management of reference relations,
  • Fulfilling the information sharing, reporting and informing obligations stipulated by the public institutions and all authorities,
  • Fulfillment of information and document retention obligations arising from legal legislation,
  • Execution of our finance, communication, market research and purchasing operations,
  • It will be processed in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698, in order to manage our legal processes and to provide you with uninterrupted be er and reliable service.Fulfillment of information and document retention obligations arising from legal legislation,
  • Execution of our finance, communication, market research and purchasing operations,
  • It will be processed in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of the Law No. 6698, in order to manage our legal processes and to provide you with uninterrupted be er and reliable service.

Hera Charge has created a personal data inventory in accordance with the Data Controllers Registry Regulation issued by the Personal Data Protection Authority. Data in this data inventory  categories, the source of the data, the purposes of data processing, the data processing process, the recipient groups to which the data is transferred, and the retention periods.

In this context, the following types of data categories are included in Hera Charge, but are not limited to these types;

Credentials : Written on your identity card; Name, surname, mother's name, father's name, place of birth, date of birth, marital status, religion, blood group, registered province, district and neighborhood and the information wri en on your identity card without being limited to these.

Communication information : Requested or given by you in order to be able to communicate with you; your contact data such as home phone number, mobile phone number, residential address or other address information, e-mail address. Your voice call recordings kept in accordance with customer representatives or call center standards.

Personal Information: Copy of identity card, Identity register copy, Certificate of residence, Health report, Diploma copy, criminal record, passport photo, Document stating the family status, Military status certificate, Employment Contract / Service Contract, SSI job entry declaration, Health to your situation related information and documents.

Professional experience: Diploma information, courses a ended, vocational training information, certificates, etc.

Bank Account Information (Finance): Bank account number, IBAN number, other information about the bank card.

Background Information: What is wri en in your CV or Hera Charge by requestmade of Information about your education, school information about your education, certificate information, education status and information about your education,

Place, date and duration information about your work experience wri en in your CV or requested by Hera Charge or given by you, information about your previous job and task, any information about your work experience,  written in your CV or requested by Hera Charge, or your photo provided by you,  Your driver's license wri en in your CV or requested by Hera Charge or given by you, and the information wri en in your driver's license,  Information about your references and references wri en in your CV or requested by Hera Charge or given by you.

Physical Venue Security (Visitor Information): Name, surname, camera recording, internet access information, visitor and other information of visitors to the company.

Health Data: All kinds of health information and data (disability information, blood group information, personal health information, etc.)

Criminal Conviction Data: With the criminal record document obtained while creating the personnel file

Transaction Security: Such as IP address information, website login and exit information, password and password information.

Location Data: Location information of its location (with GPS devices in company vehicles) Customer Transaction: Invoice, promissory note, check information, information on box office receipts, order information, request information,

Legal Action: İnformation in correspondence with judicial authorities, such as information in the case file,

Marketing: Historical service information, survey, cookie records, information obtained   through campaign work.

Biometric Data Other : Face Recognition Information. Information such as the education level of the relative working in the AGI process, the number of children, the hobby information you declared in the CV and the signature in the signature circular.

  1. GENERAL PRINCIPLES ON THE PROCESSING OF PERSONAL DATA
    • Legal Compliance   Our company carries out its personal data processing activities in accordance with the law and honesty rules, in accordance with the Constitution, the KVK Law and the relevant legislation. In this context, our Company determines the legal grounds that will require the processing of personal data, takes action, takes into account the proportionality requirements, does not use personal data other than what is required for the purpose, and does not perform any processing activities without the knowledge of individuals.
    • Accurate and up-to-date data when necessary   Our company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests, and takes the necessary measures in this direction. In this context, data on all categories of persons are tried to be kept up-to-date, and all kinds of administrative and technical measures are taken to ensure accuracy and up-to-date.
    • Definite,Legitimate and Clear Purpose Our company; It processes personal data only for clearly and precisely determined legitimate purposes and does not process data other than these purposes. The purpose for which personal data will be processed by our company is determined before the processing activity and“Personal Data Inventory” nor processed.
    • Relating to the Purpose for which Data are Processed, Limited and Measured Personal data is processed by our company to the extent necessary to achieve the determined purposes. Data processing is not carried out with the assumption that it can be used later. In this context, processes are constantly reviewed,reduction of personal data principle is being implemented.
    • Retention of Personal Data as Necessary and then Deletion   Our company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period. In the event that the period expires or the reasons requiring its processing disappear, personal data is deleted, destroyed or anonymized in accordance with our Company's "Data Destruction Policy".

 

  1. PERSONAL DATA PROCESSING CONDITIONS

Personal data may only be collected, processed or used within the scope of the legal bases set out below.

  • Open Consent

Explicit consent in Article 3 of the Law; It is defined as “consent on a certain subject, based on information and expressed with free will”. In addition, in the 3rd paragraph of Article 20 of the Constitution, it is stipulated that personal data can only be processed in cases stipulated by the law or with the explicit consent of the person. Explicit consent is envisaged in the Law No. 6698 as the main reason for compliance with the law in terms of both sensitive personal data and non-private personal data. Accordingly, the Law

In paragraph 1 of Article 5, “Personal data cannot be processed without the express consent of the person concerned”,

•In paragraph 2 of article 6, “Processing of personal data of special nature is prohibited without the explicit consent of the person concerned”,

•In paragraph 1 of article 8, “Personal data cannot be transferred without the explicit consent of the person concerned”,

•In paragraph 1 of Article 9, “Personal data cannot be transferred abroad without the explicit consent of the person concerned”.

Personal data is processed by obtaining explicit consents (wri en, electronic or recorded verbally) that are declared with free will and obtained in a provable manner in this direction by our company. In case of processing of personal data of special nature, express consent will be obtained in writing when necessary.

Process managers who process personal data are obliged to control the existence and validity of the explicit consent of the relevant data owner when collecting the personal data they process. If it is determined that there is no explicit consent (with the exceptions below), data processing will not be done.

  • Processing of Personal Data without Explicit Consent

In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:

    • Clearly stipulated in the law,
    • It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
    • It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
    • Obligatory for the data controller to fulï¬ ll its legal obligation to be,
    • Having been made public by the data owner himself,
    • Data processing is mandatory for the establishment, exercise or protection of a right,
    • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data owner, In such cases, it can be processed without express consent.
    1. Processing of Private Personal Data

Our company shows special sensitivity in the processing of special quality personal data, which is believed to be of more critical importance for data owners from various aspects. In this context, provided that adequate measures determined by the Board are taken, such data are not processed without the explicit consent of the data owners. However, special  categories of personal data other than data related to health and sexual life may be retained by the data owner in cases stipulated by law.without express consentcan also be processed. However, data related to health and sexual life can be obtained on the condition that adequate precautions are taken and in the presence of the reasons listed below.  without express consentcan be processed: Protection of public health, Preventive ,Medicine, Medical diagnosis, Execution of treatment and care services, Planning and Management of health services and its financing.  In all cases where sensitive personal data needs to be processed, the KVKK Commi ee will be informed.

  1. TRANSFERRING PERSONAL DATA

Hera Charge collects the personal data of data subjects within the scope of the personal data processing conditions specified in Articles 5 and 6 of the KVK Law No. 6698 and limited to the purposes specified in this Policy, in accordance with the 8th and 9th articles of the KVK Law. will be able to transfer it to individuals and institutions.  Your personal data; In order to continue our company's activities and business processes, our business partners, main contractor company, subcontractors, our company's consultants or solution partners, our suppliers, insurance companies, notary public, banks and financial institutions, legal, financial consultancy , tax etc. to our consultancy firms, legally authorized public institutions and private individuals, from which we receive support in similar fields, domestic and/or abroad storage, archiving, information technology support (server, hosting, software, cloud computing, etc.) that process personal data on behalf of our company. to our service providers that we receive support in the fields of the Law No. 6698.  It can be transferred within the framework of the personal data processing conditions specified in Articles 8 and 9 and the purposes stated above.

  • Domestic Transfer of Personal Data ;

In accordance with Article 8 of the KVK Law, the domestic transfer of personal data will be possible provided that one of the conditions (processing conditions) specified in the 8th section of this Policy, titled "Personal Data Processing Conditions"  (processing conditions) are met.

  • Transfer of Personal Data Abroad;

In accordance with Article 9 of the KVK Law, in case personal data is transferred abroad without express consent, one of the following conditions is sought in addition to fulfilling the conditions for domestic transfers:

•The country to be transferred is counted among the countries with adequate or protection declared by the Board,

•In the event that there is no adequate protection in the country to which the transfer will be made, the data controllers in Turkey and the relevant foreign country must undertake in writing an adequate protection and have the permission of the Board.

  • Transfer of Private Personal Data Abroad

Our company, by taking the necessary security measures and taking the adequate measures prescribed by the KVK Board; In line with the legitimate and lawful personal data processing purposes, it can transfer the sensitive data of the personal data owner to the Foreign Countries where the Data Controller has Sufficient Protection or Undertakes Sufficient Protection in the following cases.

  • If the personal data owner has express consent, or
  • If the personal data owner does not have express consent;
    • Special categories of personal data other than the health and sexual life of the personal data owner (race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress and clothing, membership to associations, foundations or unions, criminal convictions and security measures) and biometric and genetic data), in cases stipulated by law,
    • Persons or authorized institutions and organizations that are under the obligation to keep con dential, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. covered by the processing.

The relevant employee who transfers is responsible for ensuring compliance with the obligations to be complied with during the transfer of sensitive data.

  1. RIGHTS OF RELATED PERSONS
  1. Hera Charge will respond to the requests of the persons whose personal data it processes, within the scope of the following rights, within 30 days:  
    • Learning whether personal data is processed or not,
    • If personal data has been processed, requesting information about it,
    • Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
    • Knowing the third parties to whom personal data is transferred at home or abroad,
    • Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
    • Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the KVK Law and other relevant laws, and requesting that the transaction carried out within this scope be notified to the third parties to whom the personal data has been transferred,
    • Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
    • To request the compensation of the damage in case of loss due to unlawful processing of personal data.
  1. Data owners can apply within the scope of the above-mentioned rights with theinformation and documents that will determine their identities and with the methods specified below or with the KVKK application form on the website, with other methods determined by the Personal Data Protection Board. information and documents that will determine their identities and with the methods specified below or with the KVKK application form on the website, with other methods determined by the Personal Data Protection Board.
  1. PRIVACY AND DATA SECURITY MEASURES;

All of the personal data processed in Hera Charge are confidential and are subject to Article 12 of the Law.  specified in the article;

  1. To prevent the unlawful processing of personal data,
  2. To prevent unlawful access to personal data,
  3. To ensure the protection of personal data,

takes all necessary technical and administrative measures to ensure the level of security suitable for its purpose.

  • Technical Measures Taken to Ensure Legal Processing of Personal Data and to Prevent

Unlawful Access to Personal Data

Hera Charge has taken all kinds of technical and technological security measures to protect your personal data and protects your personal data against possible risks. For example;

Network security and application security are provided.

  • Authorities of employees who have a change of job or quit their job in this field is removed.
  • Current anti-virus systems are used.
  • Firewalls are used.
  • Personal data security is monitored.
  • Required security regarding entry and exit to physical environments containing personal data measures are taken.
  • Protection of physical environments containing personal data against external risks (fire, flood, etc.)security is provided.
  • The security of environments containing personal data is ensured.
  • Personal data is backed up and the security of the backed up personal data is also is provided.
  • User account management and authorization control system is implemented. follow-up is also done.
  • Encryption is done. Access to systems containing personal data is provided by using a user name and password.

 

  • Administrative Measures Taken to Ensure Legal Processing of Personal Data and to Prevent Unlawful Access to Personal Data

A management framework has been established to initiate and control information security operation and implementation within the organization.

a).KVKK Commi ee and Liaison Person have been appointed and their job descriptions have been determined.

b).KVKK Application channels have been determined.

c). Violation, claim/complaint management workflows have been determined.

  • Main Principles, policies and procedures regarding the processing and protection of personal data have been determined.  
  • Training and awareness on personal data security for employees works are carried out.
  • Aware of the information security responsibilities of employees and contractors role in data security to ensure that they and responsibilities and job descriptions were determined. Role in data security to ensure that they and responsibilities and job descriptions were determined.
  • Worķ gu for momentş non-compliance with veterinary policy, guidelines and procedure
  • There is a disciplinary process that will come into play.
  • Confidentiality commitments are made.
  • Employees, customers, suppliers, etc. Clarification text has been published for
  • Processes requiring explicit consent are determined and implemented.
  • Organisation intra- periodic and/or random controls being done is being made. Confidentiality and security resulting from audits rectifies its vulnerabilities.
  • Whether there is a need for the aforementioned personal data for the purpose of processing   are evaluated and personal data is reduced as much as possible.
  • In case the data is obtained by others unlawfully, Necessary measures are taken by the employees to inform the relevant person and the Board as soon as possible.

 

  • Measures to be Taken in Case of Unlawful Disclosure of Personal Data

In case the processed personal data is obtained by others illegally, our Company will notify the relevant data owner and the Board as soon as possible (within 72 hours at the most).

 

  1. DATA PROCESSING ACTIVITIES FOR OUR GUESTS;
  • For the purpose of ensuring security by Hera Charge and for other purposes specified in this Policy; Internet access can be provided by Hera Charge to our visitors during their stay in our production center, office, building and facilities, and log records are kept.
  • In order to ensure security by Hera Charge, personal data processing activities are carried out for monitoring the entrance and exit of guests with security cameras in Hera Charge buildings. In places where privacy is high, viewing is not possible.
  • While obtaining the identity data of the people who come to Hera Charge offices and locations as guests, or through the texts posted by Hera Charge or made available to the guests in other ways, the personal data owners are enlightened in this context.
  • The data obtained for the purpose of tracking guest entry-exit is processed only for this purpose, and the relevant personal data is recorded in the data recording system in physical and electronic environment within the framework of legitimate interests.
  • Public health and data processing, within the scope of protection measures related to the pandemic Covid-19 virus, all our employees and visitors entering our locations will be checked with a thermometer and those with fever will be directed to the workplace physician. will be questioned.
  • This tracing activities, relating to legislation to the provisions suitable is being continued.

 

  1. PERSONAL DATA ANONYMIZATION) CONDITIONS (DELETE, NO TO BE AND)

In accordance with Article 138 of the Turkish Penal Code, Article 7 of the KVK Law and the "Regulation on the Deletion, Destruction and Anonymization of Personal Data" issued by the Institution; Although it has been processed in accordance with the provisions of the relevant law, personal data is deleted, destroyed or anonymized upon the request of the personal data owner or at Hera Charge's own decision, in the event that the reasons requiring its processing are eliminated. Hera Charge has created a Policy in accordance with the provisions of the regulation on this subject and in accordance with this Policy, destruction is made according to the nature of the data. In accordance with this regulation, periodic destruction dates have been determined by Hera Charge, and a calendar has been established according to which periodic destruction will be carried out at various intervals with the commencement of the obligation.

  1. EXECUTIVE

A management structure has been established to ensure that Hera Charge complies with the regulations of the KVK Law from the execution of this Policy.

  1. EFFECTIVE DATE OF THE POLICY

This Policy07.01.2022 entered into force on