PROCEDURES AND PRINCIPLES FOR PERSONAL DATA PROTECTION
GENERAL RULES FOR PROCESSING PERSONAL DATA
Dutch Enerji processes personal data in accordance with the procedures and rules provided in the KVKK and the other relevant laws. Accordingly, the following rules included in the KVKK are fully observed when personal data is being processed by Dutch Enerji. • Compliance with law and rules of integrity: Pursuant to this rule, Dutch Enerji’s data processing is performed by observing the limitations required by the entire relevant legislation and integrity rules in particular the Constitution and the KVKK.
- Accurate and up-to-date when necessary: Necessary measures are taken for the accuracy and currency of the personal data processed by Dutch Enerji the data owners are informed and provided with necessary opportunities in order to ensure that the data being processed reflect the truth.
- Processing for certain, express and legitimate purposes: Dutch Enerji processes personal data for only express and absolutely determined legitimate purposes and performs no processing activities out of these purposes. With this regard, Dutch Enerji processes personal data solely in connection with the business relation established with the data owners and if it is necessary for them.
- Relation with the purpose of processing, limited and prudent: Dutch Enerji processes data in accordance with the KVKK and the other relevant legislation, conveniently for the fulfilment of the purposes determined according to data categories, in relation with the achievement of the purpose and prudently and avoids processing of unneeded personal data.
- Maintenance for the period provided in the relevant legislation or required for the purpose of processing: Personal data processed by Dutch Enerji are maintained only for the period provided in the relevant legislation or required for the purpose they are processed. With this regard, Dutch Enerji observes the period, if any provided in the relevant legislation for storing data; if there is no such period, it maintains them for the period required for the purpose they are processed. Dutch Enerji does not save data based on the existence of a possibility of future use.
CONDITIONS OF PROCESSING PERSONAL DATA Conditions for processing personal data are governed by the KVKK and Dutch Enerji processes personal data in accordance with the below-given conditions. With the exceptions listed in the law, Dutch Enerji processes personal data only by receiving the express consent of data owners. In case of existence of the following conditions listed in the law, personal data can be processed even without the express consent of a data owner:
If expressly provided in the laws,
- If required for protecting the life or physical integrity of a person who is unable to express his/her consent due to actual inability or whose consent is not legally effective or another person,
- If it is required to process personal data of parties to a contract, provided that it is directly related to the execution or performance of that contract,
- If required for the data manager to fulfil its legal obligation, • If made public by the data owner him/herself,
- If it is required to process data to establish, exercise or protect a right,
- If it is required to process data for the legitimate interests of the data manager provided that the data owner’s fundamental rights and freedoms are not injured. Dutch Enerji applies special sensitivity for processing private personal data the protection of which is believed to be more critically important for a data owner. With this regard, such kind of data is not processed without the express consent of a data owner provided that sufficient measures determined by the Board are taken. But, private personal data apart from the data about health and sexual life can be processed without the express consent of a data owner as provided in the laws.
Nevertheless, data about health and sexual life can be processed without the express consent in case of existence of the below-listed reasons provided that sufficient measures are taken:
- Protection of public health,
- Preventive medicine,
- Medical diagnosis,
- Performance of treatment and care services,
- Planning and management of healthcare services and financing.
PURPOSES FOR PROCESSING PERSONAL DATA
Your personal data acquired by Dutch Enerji shall be processed within the scopes listed below:
- HR operations,
- Intra-company operations,
- Intra-group operations, • Processes and operations in contact with customers,
- Activities with legal, technical and administrative consequences,
- Strategy, planning and business partners/supplier management,
- Planning and performance of corporate communication activities, The above-given categories are only for informative purposes and we are free to add new categories for Dutch Enerji to perform its future business and operational activities. In such cases, Dutch Enerji shall continue to update the said categories in the relevant texts for you in order to be able to continue to inform you as soon as possible
STORAGE OF PERSONAL DATA The personal data we acquire is stored safely in a physical or electronic environment for an appropriate period to allow Dutch Enerji to perform its business activities. Within the scope of the aforementioned activities, Dutch Enerji acts in compliance with the obligations set forth in the entire legislation, in particular the KVKK for the protection of personal data. Pursuant to relevant legislations, except where it is allowed or required to store personal data for prolonged periods when the purpose for processing personal data no longer exists, Dutch Enerji shall delete, destroy or anonymize the data upon request of the data owners directly or through the data owner’s application form attached hereto and using other available techniques. In case of deletion of personal data through the said methods, such data shall be destroyed in such a way that they shall never be reused or restored again. However, in case of a legitimate interest of the data manager, personal data may be stored until the expiry of the general prescription provided in the Law of Obligations (ten years) provided that a data owner’s fundamental rights and freedoms are not injured even if the purpose for processing and the periods set forth in the relevant laws have expired. Following the expiry of the said prescription, personal data shall be deleted, destroyed or anonymized as per the above-stated procedure.