Table of Contents
A. SCOPE
B. DEFINITIONS
C. AMENDMENTS
1 PURPOSE
2 PERSONAL DATA
2.1 General Principles on Processing Personal Data
2.2 Personal Data Processed by GDZ
2.3 Purposes of Processing Personal Data
2.4 Transferring Personal Data
2.5 Collecting Personal Data
2.6 Retention Period for Personal Data
2.7 Rights of the Data Subject Under the KVKK
2.8 International Transfer of Data
2.9 Safety of Personal Data
3 MEASURES FOR THE SAFETY OF PERSONAL DATA
3.1 Administrative Measures for the Safety of Personal Data
3.1.1 Identifying Risks and Threats
3.1.2 Training and Awareness Sessions for Employees
3.1.3 Minimizing Personal Data
3.1.4 Managing Relationships with Data Processors
3.2 Technical Measures for the Safety of Personal Data
3.2.1 Ensuring Cyber Security
3.2.2 Tracking the Safety of Personal Data
3.2.3 Ensuring Safety in Media Containing Personal Data
3.2.4 Storing Personal Data on Cloud
3.2.5 Supply, Improvement and Maintenance of Information Technology Systems
3.2.6 Personal Data Backup
4 COOKIES AND SIMILAR TECHNOLOGIES
4.1 Overview
4.2 Types of Cookies
4.3 Purpose of Using Cookies
4.4 Disabling Cookies
4.5 Information and Materials on the Website
5 EFFECT AND UPDATES
A. SCOPE
This policy, titled the Policy on the Protection of Personal Data and Privacy, was drawn up to describe the set of rules governing the processing of personal data and to provide the information required. The Policy was approved by the General Manager of GDZ Elektrik Dağıtım A.Ş. (GDZ) and entered into force on 07.04.2018.
B. DEFINITIONS
Personal data: Any information relating to an identified or identifiable natural person. It covers every attribute that allows a person to be identified, whether through concrete content describing that person's physical, economic, cultural, social or psychological identity, or by associating the person with a record such as an ID number, tax ID or insurance policy number.
Sensitive personal data: Data on race, ethnicity, political views, philosophical beliefs, religion, sect or other beliefs; membership of an association or union; health data; data on sexual life; data on criminal convictions and security measures; and biometric and genetic data.
Express consent: Consent given with free will, on a specific subject matter, and based on having been informed.
Anonymization: Rendering personal data such that it can no longer be associated with an identified or identifiable natural person, even when combined with other data.
Processing personal data: Any operation performed on personal data, such as obtaining it through fully or partially automated systems, or through non-automated systems provided they form part of a data recording system; recording; storing; retaining; reorganizing; disclosing; transferring; taking over; making available; classifying; or preventing the use of personal data. This definition covers every operation carried out on personal data, starting from its initial collection.
Personal data subject: A natural person whose personal data is processed.
Data recording system: A recording system in which personal data is structured and processed according to certain criteria.
Data controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
Data processor: A natural or legal person who processes personal data on behalf of the data controller, with the authorization granted by the data controller.
Personal Data Protection Law (‘KVKK’): Law No. 6698 dated 24 March 2016, published in the Official Gazette dated 7 April 2016 and numbered 29677.
Board: Personal Data Protection Board.
Authority: Personal Data Protection Authority.
Policy: GDZ Personal Data Protection and Privacy Policy.
C. AMENDMENTS
Amendments to the Policy made from time to time in response to new legislation or other changes can be followed on the corporate website and in the documentation application software of GDZ.
1 PURPOSE
As a power distribution company offering services in İzmir and Manisa, GDZ processes, lawfully and as a Data Controller, the personal data it obtains in verbal, written or electronic form through channels such as the Directorate General, Regional Directorates or Business Directorates. The purpose of the Policy is to inform the relevant persons about such processing performed by GDZ and about the systems related to personal data, thereby ensuring transparency. In this Policy, GDZ explains in detail how personal data is processed under the KVKK, who the data subjects are and what rights they hold, and how cookies and similar technologies are used.
2 PERSONAL DATA
2.1 General Principles on Processing Personal Data
As per Paragraph 2 of Article 4 of the KVKK, and for the purposes exemplified in the Policy section titled “Purposes of Processing Personal Data”, GDZ processes personal data in compliance with the following principles:
- Compliance with the law and the rules of good faith,
- Being accurate and, where necessary, up to date,
- Processing for specific, explicit and legitimate purposes,
- Being relevant to, and limited to, the purpose for which the data is processed,
- Retaining data only for the period set forth in the relevant legislation or required for the purpose of processing.
2.2 Personal Data Processed by GDZ
At GDZ, personal data is processed on the basis of the data subject's express consent, or without express consent where Articles 5 and 6 of the KVKK so permit, and solely for the purposes exemplified in the Policy section titled “Purposes of Processing Personal Data”. The data processed depends on the type and nature of the relationship between GDZ and the data subject, varies with the communication channel used and the relevant purpose, and includes, but is not limited to, the following, in compliance with the principles set out in the Policy:
- Information that identifies the data subject such as first name, last name, title, labor information, educational status, gender, marital status, spouse/children details, citizenship, military status, criminal record and tax obligation,
- Data that can be found on identity certificates like copies of an ID card, copy of the birth certificate, passport or driver’s license, e.g. date of birth, place of birth, identification number, blood type, religion and photograph,
- Consumer details required to log into the website,
- Contact information such as address, email, telephone number and fax number, together with records of phone calls and email correspondence, and other voice data,
- Real person information on documents related to legal persons such as a tax certificate, trade registry gazette, competency documents, list of authorized signatures and certificate of activity,
- Detailed financial information on pricing, agreement, collection and payment activities.
2.3 Purposes of Processing Personal Data
Personal data can be processed by GDZ for the purposes below, and retained for the periods required for these purposes and stipulated in the relevant legislation:
- To ensure that GDZ continues to offer power distribution services uninterruptedly,
- To ensure that GDZ can take the actions it is responsible for under legal and administrative obligations,
- To inform the data subject on amendments to the rules and policies in the legislation or those accepted by GDZ,
- To investigate, identify, report and prevent unlawful actions, as well as to manage and proceed with processes subject to law,
- To protect legitimate interests,
- To negotiate on, draw up and perform contracts,
- To determine the state of requests and questions and provide feedback to the relevant person,
- To carry out promotional activities, as well as surveys and voting sessions to get opinions of the data subjects and ensuring customer/employee satisfaction,
- To ensure workflow and coordination among units in order to increase efficiency,
- To assess suitability of candidates in job application, candidate assessment and recruitment processes, as well as to contact these candidates and other people linked to their application,
- To record visits and track shipments,
- To ensure safety of the digital systems and physical media belonging to or used by GDZ, and to perform relevant assessments in order to take necessary actions,
- To ensure that business units complete the tasks required so that customers can benefit from the products and services offered by GDZ,
- To plan and perform corporate sustainability activities,
- To perform GDZ’s corporate law actions,
- To ensure legal and commercial safety of GDZ and of the parties that have a business relationship with GDZ,
- To carry out commercial activities with the aim of determining and implementing commercial and business strategies of GDZ.
2.4 Transferring Personal Data
For the purposes exemplified under the Policy section titled ‘Purposes of Processing Personal Data’, and as per Articles 8 and 9 of the KVKK, GDZ can transfer personal data domestically, and such personal data can be processed and stored on the servers and digital media used in this context.
The nature of such transfers and the parties to whom data is transferred depend on the type and nature of the relationship between the data subject and GDZ, the purpose of the transfer and the relevant legal basis. In general, these parties are:
- MASAK (Financial Crimes Investigation Board), Judicial Bodies/Enforcement Offices, etc.,
- Real and legal persons offering support in legal actions, such as law offices,
- State institutions such as Ministries, Treasury, Revenue Administration, etc.,
- Energy Market Regulatory Authority, Ministry of Energy and Natural Resources, Directorate General of TEDAŞ (Turkish Electricity Distribution Corporation), EXIST (Energy Exchange Istanbul), Takasbank (an Information Technologies Organization) and other regulatory authorities, central exchange and depository institutions,
- GDZ’s affiliates and business partners,
- Group companies carrying out similar activities to ensure coordination, collaboration and efficiency,
- Research/survey firms ensuring customer satisfaction, etc.,
- Direct and indirect shareholders, and subsidiaries.
GDZ shall take the measures required to ensure that third parties to whom personal data is transferred, and from whom services are received, act in accordance with the privacy policy, standards and conditions of GDZ.
2.5 Collecting Personal Data
In order to fulfil the purposes exemplified in the Policy section titled ‘Purposes of Processing Personal Data’, GDZ can obtain personal data directly from employees and consumers, contractors, business partners, affiliates, call centers, businesses, official institutions and physical media as set forth in Articles 5 and 6 of the KVKK; or it can obtain such data through websites, mobile applications, social media and other public media, training sessions, events and similar activities via digital, verbal, face-to-face, written or visual means.
2.6 Retention Period for Personal Data
Personal data shall be retained at GDZ for the legal retention periods, and for the periods required to complete the actions related to such data and to fulfil the purposes stated in the Policy. Personal data whose purpose has expired and whose legal retention period has ended shall be deleted, destroyed or anonymized by GDZ as per Article 7 of the KVKK.
2.7 Rights of the Data Subject Under the KVKK
Article 11 of the KVKK regulates the rights of natural persons whose personal data is processed. As per said Article, data subjects hold the following rights against GDZ:
- To learn whether their personal data has been processed,
- If their personal data has been processed, to request information on that processing,
- To learn the purpose of processing their personal data and whether the data has been used in line with that purpose,
- To learn the third parties to whom their personal data has been transferred, domestically or abroad,
- To request rectification if their personal data was processed incompletely or incorrectly,
- If the grounds for processing their personal data no longer apply, to request deletion or destruction of such data,
- To request that such rectification or deletion be communicated to the third parties to whom the personal data was transferred,
- To object to a result that is against the person, arising from the analysis of their personal data exclusively by automated systems,
- To request compensation if they suffer loss due to unlawful processing of their personal data.
As per the first paragraph of Article 13 of the KVKK, you can send your request to exercise the rights above in written form to the registered address Üniversite Cad. No: 57 35042 Bornova/İZMİR, or, as per Article 5 of the Communiqué on the Procedures and Principles for Application to the Data Controller, to the registered electronic mail address (KEP) gdzelektrik@hs02.kep.tr, signed with a secure e-signature or mobile signature. If a request entails an additional cost, GDZ shall have the right to demand the fee determined by the relevant legislation.
2.8 International Transfer of Data
Personal data can be transferred internationally, provided that such transfer complies with the relevant legislation, in order to fulfil the purposes exemplified in the Policy section titled ‘Purposes of Processing Personal Data’ and to be processed, stored, administered or otherwise used as stated in the Policy. When performing such a transfer, the measures required to protect the personal data are taken.
2.9 Safety of Personal Data
GDZ takes due care to maintain the privacy and security of personal data, and takes technical and administrative safety measures to protect such data against unauthorized access, damage, loss or disclosure. To this end, the required system access controls, data access controls, secure transfer controls, business continuity controls and other necessary corporate controls are applied. GDZ is not responsible for the safety or privacy of other websites reached through links provided on its website. The Company shall not accept any responsibility for material or non-material damage arising from visits to such websites.
3 MEASURES FOR THE SAFETY OF PERSONAL DATA
3.1 Administrative Measures for the Safety of Personal Data
3.1.1 Identifying Risks and Threats
GDZ shall use its “Personal Data Inventory” to identify the risks and threats related to the personal data it processes, and shall keep the processes in which personal data is processed up to date within the Inventory.
When identifying these risks, GDZ shall determine whether the personal data being processed is sensitive, the level of confidentiality it requires, and the damage that could potentially occur in the event of a security breach.
3.1.2 Training and Awareness Sessions for Employees
GDZ offers employees training on personal data protection and cyber security, and conducts related awareness activities. Unlawful disclosure or sharing of personal data is one of the most common violations. To prevent such violations, GDZ:
- Offers awareness training for everyone working with personal data,
- Clearly describes roles and responsibilities regarding personal data in employees' job descriptions,
- Ensures that, when it comes to personal data, people act in line with the principle “everything which is not allowed is forbidden” rather than “everything which is not forbidden is allowed”,
- Ensures that employees comply with the Policies and Procedures and, in the event of non-compliance, makes sure that disciplinary action is taken,
- Keeps said Policies and Procedures up to date.
3.1.3 Minimizing Personal Data
In order to meet conditions such as “ensuring that personal data is accurate and, where necessary, up to date” and “storing personal data only as long as necessary for the purpose”, which are set forth in law and secondary legislation, GDZ:
- Regularly reviews the personal data it is responsible for, in order to update data that is no longer accurate and to delete, destroy or anonymize data that no longer serves any purpose,
- Ensures that a secure environment is provided for personal data that is still needed but does not require frequent access,
- Reviews authorizations to ensure that personal data can only be accessed by those who, by the nature of their positions, are required to view it,
- Ensures that all Policies and Procedures regarding deletion, destruction and anonymization are kept up to date and implemented systematically.
3.1.4 Managing Relationships with Data Processors
GDZ ensures that the data processors with whom it contracts for service provision attach as much importance to information security as GDZ itself does and act with a mindset of joint responsibility, and secures this contractually. Data processors process personal data lawfully, within the limits of the contract signed with GDZ and according to GDZ's instructions, in compliance with the definition set forth in the legislation.
Data processors are bound by a confidentiality obligation.
Any potential data breach shall be reported to GDZ immediately, and this obligation shall be set out in the contract. As required by the legislation, GDZ shall report such data breaches to the relevant data subjects and to the Board. Contracts signed between GDZ and data processors shall contain a separate article setting forth the categories and types of data transferred to the data processor, where the nature of the contract allows.
As the “Data Controller”, GDZ shall perform the required audits on the data processor's systems that contain personal data, and shall then assess the resulting reports and the service provider itself. This is agreed upon mutually in the contract.
3.2 Technical Measures for the Safety of Personal Data
3.2.1 Ensuring Cyber Security
GDZ uses cyber security software, and purchases products and services where necessary.
GDZ regularly reviews the products it already has in order to remove unnecessary or expired products from the devices on which they are installed; for those still needed, the Company regularly checks that they are up to date. Where deemed necessary, GDZ carries out development work or purchases products for patch management.
In order to ensure controlled access to systems containing personal data, GDZ keeps access and authorization management up to date and informs employees about safe password use. To this end, GDZ maintains an “access and authorization control matrix”, together with access policies and procedures.
GDZ carries out development work or purchases products for password management. The Company takes the necessary measures to block login attempts exceeding a set number, to ensure that passwords are changed regularly, to ensure that passwords are complex enough to maintain a high level of security, to immediately revoke the access rights of employees whose employment has been terminated, and so forth.
GDZ ensures that antivirus software which regularly scans networks and computers to identify threats is in use, and takes the necessary measures to keep such software up to date. If websites outside the GDZ network are used to obtain personal data, connections to such websites are established via means such as SSL.
3.2.2 Tracking the Safety of Personal Data
In order to track the safety of personal data, GDZ:
- Checks which software and services are running on its networks,
- Takes the necessary measures to determine whether an intrusion or unusual activity is present on the networks,
- Performs log management,
- Informs employees about the prompt reporting of security breaches,
- Ensures that reports are generated automatically by the system and, where necessary, submitted to the relevant unit after consolidation by the system administrator,
- Ensures that alerts are monitored and regular checks are performed on all reporting means associated with the system security of personal data,
- Performs regular vulnerability scans and penetration tests, or has them performed,
- In the event of a cyber attack, ensures that all evidence is collected and stored securely.
3.2.3 Ensuring Safety in Media Containing Personal Data
GDZ takes internal and external physical security measures at the places where it stores personal data physically and digitally, namely the Directorate General, Regional Directorates, Business Directorates, archives and other locations.
As part of these measures, GDZ ensures that buildings and structures storing personal data are protected against disasters such as earthquake, fire or flood. To ensure the security of physically stored personal data, the Company controls entry to and exit from these locations, and trains employees who process such data in order to prevent potential loss and theft.
GDZ is aware that the majority of personal data breaches result from the theft or loss of devices containing personal data, and therefore takes measures to minimize such incidents. As part of these measures, the Company may use methods such as access control authorization and encryption.
Where GDZ uses encryption, it uses accepted solutions, and where it uses asymmetric encryption, it takes the required measures regarding key management processes.
3.2.4 Supply, Improvement and Maintenance of Information Technology Systems
GDZ strives to prioritize security in the supply, development and maintenance of IT systems. To this end, GDZ:
- For personal data entered into application systems, ensures that the data is handled in a way that does not compromise its integrity, and that a control mechanism is in place,
- For devices that contain personal data but must be sent to a contractor (natural or legal person) for reasons such as maintenance or failure, ensures that the device's data storage media are not sent with it; where an external contractor's employee comes to GDZ, GDZ takes measures to ensure that the data is not taken out of GDZ.
3.2.5 Personal Data Backup
GDZ keeps backups of the personal data it is responsible for in order to ensure its security.
As part of its data backup strategy and its measures against ransomware, GDZ encrypts files that contain personal data.
GDZ ensures that backed-up personal data can only be accessed by the system administrator, and keeps these backups outside the network.
GDZ takes the necessary measures for the physical safety of said backups.
4 COOKIES AND SIMILAR TECHNOLOGIES
4.1 Overview
Cookies are small data files that a web server sends to the user's device via the web browser in use. Websites use cookies to recognize users, and the lifetime of a cookie varies depending on browser settings. Some of these cookies are generated by systems administered by GDZ, while some service providers authorized by GDZ place similar technologies on user devices to obtain information such as IP address, browser and device identifier. In addition, third-party links found in GDZ systems are subject to the privacy policies of their respective owners, and GDZ is not responsible for those privacy practices. Accordingly, when a website is visited via such a link, it is recommended to read the privacy policy of that website.
4.2 Types of Cookies
Cookies are mainly designed to offer convenience to users and are divided into four main groups:
i. Session Cookies: These cookies offer advantages such as carrying data between web pages and recalling the information entered by the user. They are required for the functions of the GDZ website to work properly.
ii. Performance Cookies: These cookies collect information on how often web pages are visited, any error messages, the total time users spend on the relevant page and their pattern of use on the website. They are used to improve the performance of the GDZ website.
iii. Functional Cookies: These cookies recall the options a user has selected in order to offer convenience. They are aimed at providing advanced features for users of the GDZ website.
iv. Advertising and Third-Party Cookies: These cookies belong to third parties; they allow the use of certain functions on the GDZ website and the tracking of advertisements.
4.3 Purpose of Using Cookies
The purposes of the cookies used by GDZ are as follows:
i. Operational use: In order to ensure system administration and security, GDZ may use cookies that enable the functions of the website or detect unusual behavior.
ii. Functional use: In order to offer ease of use on its systems and provide user-specific features, GDZ may use cookies that recall users' details and previous choices.
iii. Performance use: In order to measure and improve the performance of its systems, GDZ may use cookies that assess and analyze user behavior and interaction with messages sent.
iv. Advertising use: In order to deliver advertisements and similar content related to the user's interests through its own or third-party systems, GDZ may use cookies that measure the effectiveness of, or analyze clicks on, these advertisements.
4.4 Disabling Cookies
The use of cookies is enabled by default on most browsers. Users can change this setting in their browser, delete existing cookies and reject the use of cookies in the future. However, it should be remembered that if cookies are disabled, some features of the GDZ systems may not be usable. The method for changing cookie settings varies by browser, and information on this matter can be obtained from the relevant product or service provider at any time.
4.5 Information and Materials on the Website
The information and materials on the GDZ website, together with the copyrights governing them, belong to GDZ. GDZ reserves all copyrights, registered trademarks, patents, and intellectual and industrial property rights in the information and materials found on the GDZ website that do not belong to third parties.
5 EFFECT AND UPDATES
The Policy and any amendments to it shall come into effect on the date they are approved by the GDZ Directorate General. The Policy shall normally be reviewed once a year and updated if necessary. However, GDZ reserves the right to review, update (where necessary), amend, or replace this Policy with a new one as a result of any change to legislation, a change to a technical standard referred to, actions and/or decisions of the Personal Data Protection Board, or court decisions. The GDZ Directorate General is the unit authorized to revoke the Policy.