Personal Data Protection Law Policy

EKALDES LIGHTING INDUSTRY AND TRADE INC.

PERSONAL DATA PROTECTION POLICY IN ACCORDANCE WITH THE PROCEDURES AND PRINCIPLES OF LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA (“KVKK”)

  1. Entrance

In accordance with Law No. 6698, the secure protection, processing, transfer, deletion, and destruction of personal data in both physical and digital environments is of utmost importance to EKALDES AYDINLATMA SAN. VE TİC. A.Ş., and all necessary administrative and technical measures are taken in this regard in all our activities. All activities of EKALDES AYDINLATMA SAN. VE TİC. A.Ş. regarding the protection of personal data are carried out in accordance with this Personal Data Storage, Processing, Transfer, and Destruction Policy (“Policy”).

Ekaldes Lighting will analyze its personal data processing activities using this Policy as a guide and will take all necessary technical and administrative measures to ensure compliance with the Policy. After the determined actions and measures are implemented, internal audit mechanisms will be operated to ensure continued compliance with the Policy.

  1. The purpose of policy

The main purpose of this Policy is to inform identified or identifiable individuals whose personal data we process about Ekaldes Lighting’s personal data processing, storage, protection, and deletion activities, the measures taken in this context, the rights of data subjects, and how these rights can be exercised.

  1. Scope of Policy

This Policy covers all personal data processed of identified or identifiable individuals whose data we process.

The provisions stated in the Policy also cover all information and documents that can be linked to an identified or identifiable natural person, as well as the measures and regulations taken in relation to them.

  1. Implementation of the Policy

This Policy, prepared by Ekaldes Lighting, came into effect on October 14, 2020. In the event of any revisions to the entire Policy or to specific clauses, the revision date will be indicated.

In the event of any inconsistency between the existing legislation and this Policy, the provisions of the legislation shall take precedence. If there are other policies or regulations on the same subject created for more specific purposes outside of this core Policy, the provisions containing those specific regulations shall apply first. Provisions in other policies and documents that conflict with this Policy and related legislation shall not be applied.

  1. Definitions
DEFINITION  EXPLANATION
Explicit Consent Informed and freely given consent regarding a specific matter.
Anonymization Making personal data impossible to link to an identified or identifiable natural person by combining it with other data.
Worker Ekaldes Lighting employees
Job Candidate Candidate interviewed for recruitment purposes
Contact Person The natural person whose personal data is processed
Relevant User Except for the person or unit technically responsible for the storage, protection, and backup of the data, individuals within the data controller organization or those processing personal data under the authority and instructions of the data controller.
Destruction The process of deleting, destroying or anonymizing personal data.
Law Personal Data Protection Law (KVKK)
Recording medium Any medium containing personal data processed wholly or partly automatically, or by non-automatic means as part of a data recording system.
Personal Data Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory A personal data processing inventory is created by data controllers, detailing their personal data processing activities based on their business processes; associating these activities with the purposes of personal data processing, data category, recipient group to whom the data is transferred, and data subject group; and specifying the maximum period for which the personal data is necessary for the purposes for which it is processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security.
Anonymization of Personal Data Anonymization of personal data means rendering personal data in such a way that, even when matched with other data, it cannot in any way be linked to an identified or identifiable natural person.
Destruction of Personal Data The process of deleting, anonymizing, or destroying personal data.
Deletion of Personal Data The process of making personal data completely inaccessible and unusable for the relevant users.
Destruction of Personal Data Data destruction is the process of rendering personal data inaccessible, irretrievable, and unusable by anyone in any way.
Personal Data Protection Law (KVKK) Personal Data Protection Law published in the Official Gazette dated April 7, 2016, and numbered 29677.
Personal Data Protection Board Personal Data Protection Board
Special Category Personal Data Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
VERBIS (Data Registry Information System) The information system created and managed by the Presidency, accessible via the internet, which data controllers will use for applications to the Registry and other related transactions concerning the Registry.
Data Processor A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.
Data Controller The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  1.  Rules Regarding the Processing of Personal Data

6.1 Processing Personal Data in Accordance with the Principles Stipulated in the Legislation

Ekaldes Lighting processes personal data in accordance with the provisions and rules set forth in the Law No. 6698 on the Protection of Personal Data (“ the Law ”) and other relevant legislation. The Law defines the principles of personal data processing. Ekaldes Lighting acts in accordance with these principles in every data processing activity.

 6.1.1 Lawful and Fair Operation

Ekaldes Lighting acts in accordance with legal regulations and the principle of honesty in the processing of personal data. In this context, Ekaldes Lighting processes personal data in accordance with the rules established by personal data protection legislation and related regulations, does not process personal data for purposes other than those announced to data subjects, and applies the principles of proportionality and necessity in the processing of personal data, processing only as much personal data as is necessary and at a level appropriate to the data processing purposes.

6.1.2 Ensuring that Personal Data is Accurate and Up-to-Date When Necessary

Ekaldes Lighting takes the necessary precautions in its data processing processes to ensure that the processed data is accurate and up-to-date. In this context, it provides the data subject with the opportunity to apply to Ekaldes Lighting to update or correct their own data.

6.1.3 Processing for Specific, Explicit and Legitimate Purposes

Ekaldes Lighting processes personal data only for legitimate purposes. Before commencing data processing activities, Ekaldes Lighting determines the purposes of personal data processing, except for the exceptions stipulated in the Personal Data Protection Law (KVKK), and clearly informs data subjects of these purposes when collecting their personal data.

6.1.4 Personal Data Must Be Relevant, Limited, and Proportional to the Purpose for Which They Are Processed

Personal data is processed in a limited and proportionate manner, only for the clearly and precisely defined purpose, and we avoid processing personal data that is not necessary.

6.2 Conditions for Processing Personal Data

Ekaldes Lighting processes personal data based on one or more of the personal data processing conditions specified in Articles 5 and 6 of the KVKK (Law on Protection of Personal Data), if the data subject has given their explicit consent or if it falls within the exceptions specified in the KVKK. Our company processes personal data in accordance with the regulations set forth in the Law. Data processing activities that do not fall within this scope are stopped.

6.2.1 Exceptional Cases Where Explicit Consent is Not Required for the Processing of Personal Data

  • If there is an explicit provision in the laws regarding the processing of personal data
  • If the data subject is unable to express their consent due to factual impossibility, or if it is necessary for the protection of the life or physical integrity of the person whose consent is legally valid, or of another person.
  • If the processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
  • If the processing of personal data is necessary for our company to fulfill its legal obligations
  • If personal data has been made public by the data subject
  • If the processing of personal data is necessary for the establishment, exercise or protection of a right
  • Ekaldes Lighting may process personal data if it is necessary for its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

6.2.2 Exceptional Cases Where Explicit Consent is Not Required for Processing Special Categories of Personal Data

In the exceptional cases specified below and arising from the law, special categories of personal data are processed without obtaining explicit consent:

  • Special categories of personal data other than those relating to the health and sexual life of the data subject (such as race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, data relating to criminal convictions and security measures, as well as biometric and genetic data) may be processed in cases stipulated by law.
  • Special categories of personal data relating to the health and sexual life of the data subject may only be disclosed by persons or authorized institutions and organizations under an obligation of confidentiality, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.
  • Provided that adequate precautions are taken.

6.3 Transfer of Personal Data

6.3.1 Domestic Transfer of Personal Data

Our company may transfer personal data it processes to third parties with the explicit consent of the data subject, except for the exceptions mentioned above, in line with the purposes of personal data processing. Ekaldes Lighting carries out the transfer of personal data in accordance with the provisions of the Personal Data Protection Law (KVKK) and the decisions and regulations taken by the Personal Data Protection Board, if necessary.

6.3.2 Transfer of Personal Data Abroad

As a matter of principle, Ekaldes Lighting does not transfer personal data abroad without the explicit consent of the data owner.

6.4 Informing the Data Subject

Ekaldes Lighting, in compliance with the disclosure obligation stipulated in the Law, informs personal data owners about how their personal data will be processed during the collection of personal data. In this context, Ekaldes Lighting informs data owners about at least the following points:

  • The identity of the data controller and, if applicable, their representative,
  • The purpose for which personal data will be processed,
  • To whom and for what purpose personal data may be transferred,
  • Methods and legal grounds for collecting personal data,
  • Rights of the personal data owner according to Article 11 of the KVKK (Law on Protection of Personal Data).
  1. Storage of Personal Data

7.1 Personal data shall be stored for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed.

Ekaldes Lighting stores the personal data it processes in accordance with the principles set forth in the Law for the periods stipulated in the legislation. After the relevant regulations are put into effect by the Personal Data Protection Board, a contact person will be appointed within the scope of personal data processing activities and registration will be completed in VERBİS.

Unless a specific retention period is stipulated in the legislation for the relevant types of personal data, personal data is retained until the purpose for which it was processed has ended.

Where the legislation does not specify a particular retention period for the relevant types of personal data, retention periods are determined specifically for each data processing purpose. In this context, retention periods are determined taking into account Ekaldes Lighting’s practices and customary business practices.

Personal data may be stored for purposes other than the processing purpose, such as serving as evidence in potential legal disputes, asserting a right that can be proven with personal data, establishing a defense, and responding to information requests from authorized public institutions. In determining these periods, the statute of limitations for asserting the aforementioned rights, as well as company practices and general customs in the same areas, are taken into consideration.

Ekaldes Lighting may retain personal data until the expiration of the general statute of limitations (ten years) stipulated in the Turkish Code of Obligations No. 6098, provided that it does not harm the fundamental rights and freedoms of data subjects, even after the processing purpose and the periods specified in the relevant laws have expired, where it has a legitimate interest. Following the expiration of the aforementioned statute of limitations, personal data will be deleted, destroyed, or anonymized according to the procedure described above.

7.1.1 Measures we have taken regarding the storage of personal data

The Personal Data Protection Board may introduce detailed regulations regarding obligations related to data security. If detailed regulations are introduced, reasonable efforts should be made to ensure maximum security while complying with the obligations in those regulations.

Technical Measures:

  • For technical matters, qualified personnel may work with an external consulting firm.
  • All data processing activities within Ekaldes Lighting are analyzed on a departmental basis, and each department prepares a Personal Data Processing Inventory accordingly.
  • Databases and software/hardware storage units and similar technical infrastructure are being created and used to store your personal data.
  • Risky situations are re-evaluated and necessary technological solutions are developed.
  • Relevant software and systems are being installed, including software and hardware that incorporate antivirus systems and firewalls.

Administrative Measures:

  • Awareness campaigns and training sessions are conducted regarding the lawful storage of personal data.
  • When we cooperate with third parties for the storage of personal data, the contracts with the companies to which the personal data is transferred include provisions regarding the necessary security measures to be taken by the recipients of the transferred personal data for its protection and secure storage.
  • We sign confidentiality agreements with the subcontractors we receive services from who transfer personal data to us, and we obtain confirmation through these agreements that this data transfer is lawful.
  • Access to personal data is restricted to employees authorized for the purpose of processing. Employees’ access to personal data that they do not use in the course of their duties should be restricted.
  • In order for employees to comply with this Policy, it is published on Ekaldes Lighting’s internal network (portal) and includes provisions in their employment contracts stating that they will comply with company procedures and rules.
  • Contracts concluded with parties to whom personal data is transferred include provisions regarding the implementation of necessary security measures to protect personal data.
  1. Destruction of Personal Data

8.1 Obligation to Destroy Personal Data

Ekaldes Lighting destroys the relevant personal data by preparing a report and using one of the 3 (three) methods listed below when the specified periods expire. These are:

  • Deletion of personal data
  • Destruction of personal data
  • It is the process of anonymizing personal data.

Details regarding these three methods are provided in the following sections. Additionally, personal data is deleted, destroyed, or anonymized upon the request of the data subject.

Ekaldes Lighting’s “Personal Data Processing Inventory” is checked by the Data Controller at six-month intervals, and necessary destruction procedures are carried out if required. The records (including information on destroyed documents) are kept in logs for the two-year period stipulated by law.

8.2 Conditions for the Destruction of Personal Data

Ekaldes Lighting destroys personal data, either automatically or upon request from the data subject (data owner), when the reasons requiring the processing of personal data as specified in Articles 5 and 6 of the KVKK (Law on Protection of Personal Data) cease to exist, provided the request is approved. Furthermore, if all conditions for processing personal data have ceased to exist and the personal data in question has been transferred to third parties, Ekaldes Lighting will notify the third party of this situation and request that the necessary actions be taken by the third party.

8.3 Measures We Have Taken Regarding the Destruction of Personal Data

Technical Measures:

  • Technical infrastructure, related monitoring mechanisms, and technical measures are being established to ensure the secure destruction of personal data, and the appropriate destruction method is being determined.
  • We employ staff with technical expertise in the destruction of personal data.
  • Paper-based data is destroyed by shredding machines. These machines are located in easily accessible locations for data processors.

Administrative Measures:  

  • We are raising awareness among our employees by informing them about the obligations stipulated in the Personal Data Protection Law (KVKK).
  • Audit mechanisms are in place to check whether personal data destruction processes are carried out on time and whether relevant records are kept. Within this scope, a personal data protection committee will be established, and this committee will hold one meeting annually to audit the data destruction processes of the relevant departments. This committee within Ekaldes Lighting will submit its report to the Data Controller for their information and approval after each meeting.

8.4 Deletion and Destruction of Personal Data

At Ekaldes Lighting, the deletion and destruction of personal data is carried out in accordance with the principles stated in this Policy and using the methods described below.

8.4.1 Deletion of Personal Data

The Contact Person assigned within Ekaldes Lighting is responsible for taking all necessary technical and administrative measures to ensure that deleted personal data is inaccessible and unusable for the relevant users.

8.4.1.1 Process for Deleting Personal Data

The basic process that the Data Controller must follow in the deletion of personal data is outlined below.

  • Personal data subject to destruction must be identified in the “Personal Data Processing Inventory”.
  • Detailed breakdown of groups of Relevant Users, categorized by person/role, within the “Personal Data Processing Inventory”.
  • Identifying the relevant Users’ access, retrieval, and reuse rights and methods.
  • Closing the access, retrieval, and reuse authorizations and methods of the relevant Users regarding their personal data, destroying the data, and keeping logs of the data to be destroyed.

8.4.1.2 Methods of Deleting Personal Data

Personal data held by Ekaldes Lighting can be stored in different media and must therefore be deleted using methods appropriate to that media. Examples of methods used by Ekaldes Lighting for deleting personal data are listed below.

  1. Application-as-a-Service (AUSP) Cloud Solutions (such as Google Suite, Google Drive)

In our company’s cloud system applications, personal data can be permanently deleted by the Relevant User. The Relevant User does not have the authority to retrieve this data from the cloud system.

  1. Personal Data in Paper Format

Personal data in paper form within our company is destroyed by shredding the paper. However, in exceptional cases, deletion can be carried out using an obscuring method. This process involves cutting out the personal data on the relevant documents whenever possible, and if this is not possible, using permanent ink that cannot be reversed or read using technological solutions, thus rendering the data invisible to the relevant users.

  1. Office files located on the central server.

If the relevant user has the authority to permanently delete a file containing personal data, they can delete the file using the operating system’s delete command, making it inaccessible again. If the user does not have the authority to permanently delete, their access rights to the directory containing the file are revoked. During these processes, necessary precautions are taken to ensure that the relevant user is not also a system administrator.

  1. Personal Data Contained on Portable Media

At Ekaldes Lighting, personal data stored on Flash-based storage media is kept encrypted and deleted using appropriate software for these media.

  1. Databases

Personal data stored in Ekaldes Lighting databases is deleted using database commands (DELETE, etc.). During this process, care is taken to ensure that the relevant user is not also the database administrator.

8.4.2 Destruction of Personal Data

Personal data destroyed by Ekaldes Lighting is rendered inaccessible, irretrievable, and unusable by anyone. The data controller is obligated to take all necessary technical and administrative measures regarding the destruction of personal data.

8.4.3 Methods of Destruction of Personal Data

To destroy personal data, all copies containing the data must be identified and individually destroyed using one or more of the methods listed below, depending on the type of system in which the data is stored.

Ekaldes Lighting may contract with an expert to delete personal data on its behalf when necessary. In this case, the personal data is securely destroyed by the expert in a way that prevents its recovery.

  1. Local Systems

Ekaldes Lighting may use one or more of the following methods to delete personal data on the aforementioned local systems.

  1. Demagnetization

Magnetic resonance imaging (MRI) is a process where magnetic media is passed through a special device and exposed to a very high magnetic field, rendering the data on it unreadable. Ekaldes Lighting can contract with a specialist for this process when necessary.

  1. Physical annihilation

Demagnetization is the process of physically destroying optical and magnetic media, such as melting, burning, or pulverizing them. Processes like melting, burning, pulverizing, or grinding optical or magnetic media render the data inaccessible. In the case of solid-state drives, if overwriting or demagnetization is unsuccessful, these media must also be physically destroyed. Ekaldes Lighting can contract with a specialist for this process when necessary.

  1. Writing on it

This process involves writing random data consisting of at least seven zeros and ones onto magnetic or rewritable optical media to prevent the recovery of old data. This process is carried out using specialized software. Ekaldes Lighting can contract with a specialist for this process when necessary.

  1. Environmental Systems

Depending on the type of environment, Ekaldes Lighting may use one of the following methods to delete personal data on the relevant environmental systems.

  1. Network devices (switches, routers, etc.)

The storage media inside these devices are fixed. The products often have a wipe command but no deletion feature. They are destroyed using one or more of the appropriate methods described in the Local Systems section.

  1. Flash-based environments

Flash-based hard drives with ATA (SATA, PATA, etc.) or SCSI (SCSIExpress, etc.) interfaces are destroyed using the command if supported, or by using the manufacturer’s recommended destruction method if not supported, or by using one or more of the appropriate methods specified in the Local Systems section.

  1. Magnetic Tape

These are media that store data using micromagnets on flexible tape. They need to be destroyed by demagnetizing them through exposure to very strong magnetic fields, or by physical destruction methods such as burning or melting. Ekaldes Lighting can contract with a specialist for this process when necessary.

  1. Units such as magnetic disks

These are media that store data using micromagnet particles on flexible (plate) or rigid surfaces. They need to be destroyed by demagnetizing them through exposure to very strong magnetic fields, or by physical destruction methods such as burning or melting. Ekaldes Lighting can contract with a specialist for this process when necessary.

  1. Mobile phones (SIM card and hard drive storage)

While most portable smartphones have a delete command for their hard drive storage, they lack a complete erase command. Erase must be performed using one or more of the appropriate methods described in the Local Systems section.

  1. Optical discs

CDs and DVDs are data storage media. They need to be destroyed using physical methods such as burning, shredding, or melting. Ekaldes Lighting can contract with a specialist for this process when necessary.

  1. Peripherals such as printers with removable data storage media and fingerprint access systems.

All data storage media must be removed and destroyed using one or more of the appropriate methods specified in the Local Systems section, depending on their characteristics. Ekaldes Lighting can contract with a specialist for this process if necessary.

  1. Paper, Microfiche and Similar Media

Paper shredding or shredding machines are used when destroying personal data found on paper, microfiche, and similar media.

Personal data transferred electronically from original paper format via scanning must be destroyed using one or more of the appropriate methods specified in the Local Systems section, depending on the electronic medium in which it is stored. Ekaldes Lighting may contract with a specialist for this process when necessary.

  1. Cloud Environment

When storing and using personal data in cloud systems, it is necessary to encrypt it using cryptographic methods and, where possible, to use separate encryption keys for each cloud solution used. When the cloud computing service relationship ends, all copies of the encryption keys necessary to make the personal data usable must be destroyed.

In addition to the above procedures, the process of deleting personal data on devices that are malfunctioning or sent for maintenance is carried out as follows.

  1. Personal data contained within the devices must be destroyed using one or more of the appropriate methods specified in the Local Systems section before the devices are transferred to third-party organizations such as manufacturers, sellers, or service providers for maintenance or repair.
  2. In cases where destruction is not possible or appropriate, the data storage medium should be disassembled and stored, and any other faulty parts should be sent to third parties such as the manufacturer, vendor, or service provider.
  3. Measures must be taken to prevent personnel coming from outside for purposes such as maintenance and repair from copying personal data and taking it outside the organization.

8.5 Techniques for Anonymizing Personal Data

Ekaldes Lighting may anonymize personal data when the reasons requiring the processing of personal data in accordance with the law cease to exist, and when necessary. The anonymization techniques that Ekaldes Lighting may use when needed are listed below.

  1. Masking

Data masking is a method of anonymizing personal data by removing its key identifying information from a dataset.

“Transforming a data set into one where identification of the personal data owner is impossible by removing information such as name, Turkish National Identity Number, etc.”

“Credit masking occurs if part of the person’s credit card number is asterisked. (6698 **** **** 0006)”

  1. Consolidation

Data aggregation methods combine large amounts of data, making personal data impossible to link to any single individual.

“Without showing the individual ages of the employees, it should be demonstrated that there are Z employees of age X.”

“The data regarding the company having Z number of female employees, with 40% being university graduates and 60% holding master’s degrees, has been anonymized.”

  1. Data Derivation

Data extraction methods are used to create more general content from the content of personal data, making it impossible to link the personal data to any single individual.

“Data anonymization was achieved by replacing the Day/Month/Year details of the date of birth with the person’s direct age, thereby generating data.”

  1. Data Hash

Data mixing involves mixing the values ​​within a personal data set, thereby breaking the link between those values ​​and individuals.

“Altering the quality of the audio recordings to make it impossible to link the voices to the data owner.”

“Data shuffling occurs when, in a class where the average age is to be calculated, the values ​​representing the ages of the individuals are swapped.”

  1. Titles, Units, and Job Descriptions of Those Involved in Personal Data Storage and Destruction Processes

All data processing activities within Ekaldes Lighting are analyzed on a departmental basis, and each department prepares a Personal Data Processing Inventory. The individuals involved in and responsible for the processes of storing and destroying personal data are the most authorized employees within each relevant department.

  1. Protection of Personal Data

Ekaldes Lighting, in accordance with Article 12 of the Turkish Personal Data Protection Law (KVKK), takes the necessary technical and administrative measures within its own organization to ensure the security of personal data and to prevent unlawful access to and processing of this data.

Ekaldes Lighting takes utmost care in protecting sensitive personal data. In this context, the technical and administrative measures taken by our company to protect personal data are meticulously applied with regard to sensitive personal data, and necessary audits are conducted within Ekaldes Lighting.

Ekaldes Lighting takes utmost care to ensure that if personal data it processes is obtained by others through unlawful means, this situation is reported to the relevant data owner and the Board as soon as possible.

10.1 Security of Personal Data

10.1.1 Auditing of Measures Taken Regarding the Protection of Personal Data

Ekaldes Lighting conducts internal audits in accordance with Article 12 of the Turkish Personal Data Protection Law (KVKK). The audit results report is submitted to the relevant Data Controller, and necessary corrective and preventive actions are taken in case of any issues.

 10.1.2 Measures to be Taken in Case of Unauthorized Disclosure of Personal Data

Ekaldes Lighting operates a system that, in accordance with Article 12 of the Personal Data Protection Law, ensures that if personal data processed is obtained by others through unlawful means, this situation is reported to the relevant personal data owner and the Personal Data Protection Board as soon as possible.

If deemed necessary by the Personal Data Protection Board, this situation may be announced on the Personal Data Protection Board’s website or by another method.

10.2 Protection of Special Categories of Personal Data

Special categories of personal data are defined in the definitions section.

Ekaldes Lighting takes utmost care in protecting special categories of personal data, as defined by the KVKK (Turkish Personal Data Protection Law), and processed lawfully. In this context, the technical and administrative measures taken by Ekaldes Lighting to protect personal data are meticulously applied with regard to special categories of personal data, and necessary audits are conducted within Ekaldes Lighting.

  1. Data Subject’s Rights and Rules for Exercising These Rights

11.1 Rights of the Personal Data Subject

The Data Subject has the following rights regarding their personal data:

  • To find out whether your personal data is being processed,
  • The right to request information regarding the processing of personal data.
  • To learn the purpose of processing personal data and whether it is being used appropriately for that purpose.
  • Knowing the third parties to whom personal data is transferred, whether domestically or internationally.
  • The right to request the correction of personal data if it has been processed incompletely or inaccurately.
  • You can request the deletion or destruction of personal data if the reasons requiring the processing of personal data cease to exist.
  • Requesting that the aforementioned correction, deletion, or destruction processes be notified to third parties to whom personal data has been transferred,
  • The right to object to an outcome that is detrimental to oneself, resulting from the analysis of processed data exclusively through automated systems.
  • The right to claim compensation for damages incurred as a result of the unlawful processing of personal data.

11.2 Exercise of Data Subject Rights

The Data Subject may submit their request regarding their personal data either through the method determined separately by the Personal Data Protection Board, or in writing and with a wet signature to the Ekaldes Aydınlatma address.

In order to exercise the rights mentioned above, the Data Subject must submit an application that includes a clear and understandable statement of the right they wish to exercise; the request must relate to the applicant personally, or if acting on behalf of someone else, they must be specifically authorized to do so and this authorization must be documented; the application must include their identity and address information, and supporting documents verifying their identity must be attached.

These requests will be made individually, and requests regarding personal data made by unauthorized third parties will not be considered.

11.3 Evaluation of the application

Requests regarding personal data are responded to as soon as possible, and no later than thirty days, depending on the nature of the request. Additional information and documents may be requested during the evaluation of the application.

11.4 Our right to refuse an application

If all the conditions for processing personal data have not ceased to exist, this request may be rejected by Ekaldes Aydınlatma with an explanation of the reasons, and the rejection will be notified to the data subject in writing or electronically within thirty days at the latest.

11.5 Application evaluation procedure

If the request is accepted, the relevant process will be implemented and notification will be provided in writing or electronically.

If, as a result of the review of accepted applications, our company decides to destroy personal data, the destruction process will be carried out by the Data Controller using the appropriate method specified in this Policy within a maximum of 30 (thirty) days or within the period stipulated by the Law, and the data subject will be informed.

If the request is rejected, the applicant will be notified in writing or electronically, along with an explanation of the reason.

Privacy Preference Center

Privacy Preferences