The purpose of Law No. 6698 on the Protection of Personal Data ("PDPL") is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.
The provisions of the PDPL shall apply to natural persons whose personal data are processed and to natural and legal persons who process such data wholly or partially automatically or by non-automatic means provided that they are part of any data recording system.
The purpose of this General Clarification Text prepared within the scope of the disclosure obligation specified in Article 10 of the PDPL is to inform our customers and prospective customers, suppliers, business partners, subcontractors, institutions with which we have business relations, employees and prospective employees, office and website (eec.com.tr) visitors about our PDPL practices.
KVKK (PDPL): Law No. 6698 on the Protection of Personal Data.
Board: Personal Data Protection Board
Institution: Personal Data Protection Authority
Personal Data: It refers to any information relating to an identified or identifiable natural person. In order to be able to speak of personal data, the data must be related to a natural person and must be of a nature that makes this person directly or indirectly identifiable.
Sensitive Personal Data: Data that, if learned by others, may cause the person concerned to be victimized or subjected to discrimination. Within the scope of the PDPL, which personal data are special categories of personal data are specified one by one, and those other than those listed cannot be considered as special categories of personal data. In this respect, it is accepted that special categories of personal data are limited.
Sensitive personal data are data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Relevant Person: Relevant person refers to the natural person whose personal data is processed. In the Law, only the data of natural persons are protected and the data of legal entities are excluded from the scope of the PDPL.
Processing of Personal Data: Processing of personal data refers to all kinds of operations performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. Personal data cannot be processed without the explicit consent of the data subject.
Data Recording System: Data recording system refers to the recording system in which personal data is structured and processed according to certain criteria. The data recording system, which can be characterized as a filing system, can be created in electronic or physical environment.
Explicit Consent: Explicit consent is a consent expressed with free will based on information on a specific subject. Explicit consent has three elements; it is related to a specific subject, it is based on information and it is expressed with free will. Explicit consent must include the "affirmative declaration of will" of the person giving consent. Explicit consent does not have to be obtained in writing; it is also possible to obtain it via electronic media, call center, etc.
Data Controller: The data controller may be a natural person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, as well as legal entities such as public institutions, companies, associations or foundations.
The data controller is the person who will answer the questions of "why" and "how" the processing will be carried out.
Data Processor: The data processor is a natural or legal person who processes personal data on behalf of the data controller within the framework of the instructions given to him/her. The activities of the data processor are mostly limited to the technical parts of data processing. What is important here is that the data processor carries out the personal data processing activities within this scope in line with the instructions received from the data controller. The natural person responsible for the data processing activity cannot be the data controller.
Destruction of Personal Data: Destruction is the process of making personal data in electronic and physical environment inaccessible, unrecoverable and non-reusable by anyone in any way.
Transfer of Personal Data: It is the transfer of information, documents or documents containing personal data to a third natural or legal person. Personal data cannot be transferred without the explicit consent of the data subject, except for the exceptions specified in the law.
Anonymization of Personal Data: Anonymization means making personal data impossible to be associated with an identified or identifiable natural person, even if it is matched with other data, and eliminating the identifiability of the identity.
Obligations of the Data Controller:
According to Article 12 of the PDPL, the data controller is obliged to;
In order to fulfil these obligations, the data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security. It is among the powers and duties of the Board to take regulatory action to determine the obligations regarding data security. However, additional measures may also be taken depending on the nature of the personal data processed on a sectoral basis, based on the minimum criteria to be determined by the Board.
Pursuant to the PDPL, EEC Entegre Bina Kontrol Sistemleri Sanayi ve Ticaret Anonim Şirketi ("Company") will fulfil the above-mentioned obligations in the capacity of Data Controller.
The contact information of the Company is given below:
Title: EEC Entegre Bina Kontrol Sistemleri Sanayi ve Ticaret Anonim Şirketi
Address: Kaptanpaşa Mahallesi Halit Ziya Türkkan Sokak Famas Plaza A-Block Kat: 16 Okmeydanı, Şişli, İstanbul, Turkey
Telephone Number: 0212 320 1626
Website Address: eec.com.tr
E-mail Address: firstname.lastname@example.org
KEP Address: email@example.com
Basic Principles for Processing Personal Data:
As a rule, the processing of personal data is prohibited by law. However, the law has made it possible to process personal data in the presence of certain circumstances. The fact that data processing has a purpose and is limited to this purpose constitutes the limit of the data processing activity.
The Company will always act in accordance with the basic principles set forth under the PDPL in the processing of personal data. The basic principles in the processing of personal data are as follows:
The principle of being in compliance with law: refers to the obligation to act in accordance with the principles introduced by laws and other legal regulations in the processing of personal data.
The principle of being accurate and, where necessary, up-to-date: Emphasizes the importance of the accuracy and timeliness of data and is compatible with the right to request correction of data. In order to ensure that personal data can be kept accurate and up-to-date, the sources from which personal data are obtained should be identified, the accuracy of the source from which personal data are collected should be tested, requests arising from inaccuracy of personal data should be taken into account and reasonable measures should be taken in this context.
The principle of processing for specific, explicit and legitimate purposes: It means that personal data processing activities should be clearly understandable by the person concerned, the legal transaction condition on which the personal data processing activities are carried out should be determined, and the personal data processing activity and the purpose of this activity should be revealed in detail to ensure certainty.
The principle of being relevant, limited and proportionate to the purpose for which they are processed: It means that personal data should be appropriate for the purpose for which they are processed, limited and reasonable within the scope of this purpose. Personal data should not be collected and/or processed to an extent/amount that is not necessary for the realization of the personal data processing activity. Accordingly, personal data should only be collected for specific purposes and as much as necessary and used where required by the purpose.
The principle of retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed: It refers to the obligation to retain personal data only for the period stipulated in the relevant legislation or required for the purpose for which they are processed. Accordingly, if there is a period stipulated in the relevant legislation for the retention of data, data controllers shall comply with this period and retain personal data only for the period necessary for the purpose for which they are processed. In the event that both the periods stipulated within the scope of the legislation to which the data controller is subject due to its legal obligations and the retention periods determined by the data controller are exceeded, the personal data must be deleted, destroyed or anonymized by the data controller in accordance with the Regulation on Deletion, Destruction and Anonymization of Personal Data.
Pursuant to Article 5 of the PDPL, personal data may be processed without explicit consent in the following cases
Personal health data may be processed by persons under the obligation of confidentiality or authorized institutions and organizations for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
The conditions for the processing of personal data, i.e., the cases of lawfulness, are listed in a limited number within the scope of PDPL, and these conditions cannot be expanded for any reason.
Collection and Processing Purposes of Personal Data
The Company may obtain personal data directly from the data subjects themselves or indirectly from third parties and from the data made public by the data subject himself/herself. In this context, data is collected verbally, physically or electronically and this personal data is processed.
The categories of personal data that may be subject to processing by the Company are as follows;
The collected personal data may be processed in accordance with the basic principles stipulated in the PDPL and within the personal data processing conditions specified in Articles 5 and 6 of the PDPL; by the Company in the management processes of the personal data of the data owners, for the purpose of ensuring the commercial, technical, legal and business security of the Company and the relevant persons who have a business relationship with the Company and for the performance of the activities, within the framework of the Company's activities.
Personal data, in this respect, limited with the following purposes, can be processed within the scope of Personal Data Processing conditions specified in articles 5 and 6 of PDPL;
The Company, in its capacity as Data Controller, accepts and declares the following;
The Company may transfer personal data for the following purposes within the scope of the "Personal Data Transfer" conditions specified in Articles 8 and 9 of the PDPL;
for the above-mentioned purposes, to Group Companies (AVEKA Algılama ve Kontrol Teknolojileri Sanayi ve Ticaret A.Ş. and Elektronik Cihazlar Sanayi ve Ticaret A.Ş.), business partner, supplier and subcontractor officials, Company partners, Company officials, customer and/or prospective customer officials.
In addition, if requested by the relevant public institutions and organizations within their legal authority and if requested by the relevant private law persons within their legal authority in accordance with the provisions of the legislation; The Company may transfer Personal Data to legally authorized Public Institutions and Organizations and legally authorized Private Law Persons and / or third parties / organizations to be determined by them.
Pursuant to Article 11 of the PDPL, everyone has the following rights in relation to himself/herself by applying to the data controller;
Article 13 of the PDPL regulates the way of application to the Company regarding the requests of the data subject regarding the implementation of the PDPL. Accordingly, data subjects are obliged to submit their requests regarding the implementation of the PDPL to the Company.
The methods by which the Data Subjects can send their applications to the Company are specified below:
After filling out the KVKK Application Form on the Company website (eec.com.tr), it can be sent to the registered electronic mail (KEP) address firstname.lastname@example.org belonging to the Company or to the e-mail address email@example.com with secure electronic or mobile signature if the e-mail addresses are registered in the Company's systems.
The PDPL Application Form on the Company's website (eec.com.tr) can be filled out and sent with wet signature to the Company's headquarters address Kaptanpaşa Mahallesi Halit Ziya Türkkan Sokak Famas Plaza A-Blok Kat: 16 Okmeydanı, Şişli, Istanbul where the Company's head office is located or sent by registered letter with return receipt requested or through the notary public.
The Company will finalize the request within 30 (thirty) days at the latest. The Company may accept the request or reject it by explaining its reasoning. If the request in the application is accepted, the Company will fulfil the requirement and the relevant person will be informed in writing or electronically.
In the event that the relevant person finds the response given by the Company insufficient or fails to respond to his/her application in due time, he/she may file a complaint to the Board within 30 (thirty) days from the date he/she learns the Company's response and in any case within 60 (sixty) days from the date of application to the Company. However, in requests related to the protection of personal data, it is obligatory to apply to the Company first, and a complaint cannot be made to the Board without exhausting this remedy.