HT Solar Enerji AŞ. (HT Solar Enerji) respects the confidentiality of personal data and attaches importance to data security. In this context, a policy for the conservation and destruction of personal data (Policy) has been drawn up for the retention and destruction of data processed by HT Solar Enerji, within the framework of the law on the protection of personal data n ° 6698, of the Regulation on the deletion, destruction or anonymization of personal data and other relevant legislation. If the relevant legislation changes, HT Solar Enerji undertakes to update this policy in a manner compatible with the legislation.

Article 1 – Purpose and Basis

In the third paragraph of article 7 of the law on the protection of personal data n ° 6698, appears the provision according to which “The procedures and principles concerning the erasure, destruction or anonymization of personal data are regulated by a regulation “.

In accordance with this provision and paragraph (e) of the first paragraph of article 22 of the law, a regulation (regulation) on the deletion, destruction or anonymization of personal data has been drawn up by the Protection Council of personal data (Committee) and published in the Official Journal of October 28, 2017 and numbered 30224.

Article 5 of the regulation stipulates that “data controllers, who are required to register with the register of data controllers in accordance with article 16 of the law, are required to develop a policy for the retention and destruction of personal data in accordance with the inventory of processing of personal data ”.

In accordance with the regulations, HT Solar Enerji, as data controller with registration obligation, is required to prepare a personal data retention policy in accordance with the personal data inventory and to delete, destroy or anonymize if necessary, and to act in accordance with this policy. The policy has been prepared for this purpose and covers all retention and destruction activities that HT Solar Enerji will carry out on personal data.

Personal datas belonging to HT Solar Enerji customers, potential customers, employees, employee candidates, service providers, business partners, visitors and other third parties fall within the scope of this Policy, and all records in which personal data held by HT Solar Enerji or managed by HT Solar Enerji are processed.This policy is applied in activities related to environments and the processing of personal data.

Articlee 2 – Scope

This Policy covers the following information:

  • The purpose of preparing the personal data retention and destruction policy,
  • Recording environments regulated by the personal data retention and destruction policy,
  • Definitions of legal and technical terms included in the personal data retention and destruction policy,
  • A statement regarding the legal, technical or other reasons that require the retention and destruction of personal data,
  • Technical and administrative measures taken for the safe retention of personal data and the prevention of unlawful processing and access,
  • Technical and administrative measures taken for the legal destruction of personal data,
  • The titles, units and job descriptions of those involved in the retention and destruction processes of personal data,
  • The table showing the retention and disposal times,
  • Periodic destruction periods,
  • Updates to the personal data retention and destruction policy.

Article 3 – Definitions

Explicit Consent: Consent about a specific subject, based on information and expressed with free will.

Recipient Group: The real or legal person category to whom personal data is transferred by the data controller.

Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.

Employee: HT Solar Enerji personnel.

Electronic Media: Environments where personal data can be created, read, changed and written with electronic devices.

Non-Electronic Media: All written, printed, visual etc. other than electronic media. other environments.

Service Provider: The real or legal person who provides services to HT Solar Enerji under a certain contract.

Relevant Person: The real person whose personal data is processed.

Relevant User: Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for technical retention, protection and backup of the data.

Destruction: Deletion, destruction or anonymization of personal data.

Law: Law on Protection of Personal Data No. 6698.

Recording Media: Any environment where personal data is processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.

Personal Data: Any information relating to an identified or identifiable real person.

Personal Data Processing Inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group, by explaining the maximum retention period required for the purposes for which personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security

Processing of Personal Data: Obtaining, recording, storing, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system or any kind of operation performed on the data, such as preventing its use.

Board: Personal Data Protection Board

Sensitive Personal Data: Data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric data and genetic data.

Periodic Destruction: The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data retention and destruction policy, in the event that all the conditions for processing personal data in the law are eliminated.

Policy: Personal Data Retention and Disposal Policy.

Deletion: The process of making personal data inaccessible and unusable for the relevant users in any way.

Data Processor: The real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller.

Data Registration System: The registration system in which personal data is processed and structured according to certain criteria.

Data Controller: The real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Within the scope of this Policy, he has the title of HT Solar Enerji data controller.

VERBIS: Data Controllers Registry Information System.

Destruction: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

Regulation: Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28 October 2017.

Article 4 – Responsibilities and Duties Distributions

In order to properly implement the technical and administrative measures taken within the framework of the policy, to increase the training and awareness of other employees of the unit, to monitor and control personal data, to prevent illegal processing personal data, to prevent unlawful access to personal data and to ensure that personal data is stored in accordance with the law, personal data is processed, Responsible units and employees of HT Solar Enerji with regard to the Data Protection Actively support other units and employees in taking technical and administrative measures to ensure data security in all environments.

 

The distribution of titles, units and job descriptions of the persons involved in the processes of retention and destruction of personal data is given in Table 1.

UNITS DUTIES
 

Human Ressources

It is responsible of the employees to act in accordance with the policy.
 

 

Legal

It is responsible for the preparation, development, execution, publication and updating of the Policy.
 

IT

It is responsible for providing the technical solutions needed in the implementation of the Policy.
 

Administrative Affairs

It is responsible for the execution of the Policy in accordance with its duties.

 

 

Article 5 – Recording Media

With this Policy, HT Solar Enerji preserves personal data in the environments listed below.

Electronic Media:

  1. a) Computers,
  2. b) Network devices,
  3. c) Information security devices,
  4. d) Mobile devices and all retention areas inside,
  5. e) Servers and software,
  6. f) Peripherals such as printer, scanner, copier and fingerprint reader,
  7. g) Optical discs and portable memory sticks.

Non-Electronic Media:

  1. a) Paper,
  2. b) Written, printed and visual media.

 

Article 6 – Explanations and Causes on Retention and Disposal

It is stated in Article 4 of the Law that the personal data processed should be related to the purpose for which they are processed, limited and measured, and should be kept for the period required for the purpose for which they are processed or stipulated in the relevant legislation. In Article 7 of the Law; “Although it has been processed in accordance with the provisions of the law and other relevant laws, personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject, in case the reasons requiring its processing are eliminated”.

In this direction, Personal data of the persons concerned are stored and destroyed in accordance with the Law by HT Solar Enerji. In this context, detailed explanations regarding retention and disposal are given below, respectively.

Legal Reasons for Retention

Personal data processed at HT Solar Enerji are kept for the period stipulated in the relevant legislation. In this context, personal data is processed in accordance with and within the framework of below listed and all other secondary regulations in force and stored for the foreseen retention periods.

 Law on Protection of Personal Data No. 6698

 Turkish Commercial Code No. 6102

 Turkish Code of Obligations No. 6098

 Tax Procedure Law No. 213

 Labor Law No. 4857

 Occupational Health and Safety Law No. 6331

 Law No. 5651 on Arranging Broadcasts on the Internet and Combating Crimes Committed Through These Broadcasts

 Law No. 6563 on the Regulation of Electronic Commerce

 Identity Reporting Law No. 1774

 Electronic Communications Law No. 5809

 Highway Traffic Law No. 2918

 Road Transport Law No. 4925

 Turkish Penal Code No. 5237

 Regulation on Health and Safety Measures to be Taken in Workplace Buildings and Attachments

 Law on Unions and Collective Bargaining Agreement No. 6356

 Social Insurance and General Health Insurance Law No. 5510

 Law on Mediation in Civil Disputes No. 6325

 Free Zones Law No. 3218

 Free Zones Implementation Regulation

 Regulation on Work Permits of Foreigners to Work in Free Zones

 

Processing Purposes Requiring Retention

HT Solar Enerji stores the personal data it processes for the following purposes:

  • Establishment and execution of the employment contract and fulfillment of the personnel file transactions
  • Monitoring of employee targets and evaluation of performance and supervision of compliance with company policies
  • Fulfillment of obligations arising from legislation and other legislation related to occupational health and safety
  • Ensuring the follow-up of the devices provided to the employee and fulfilling the information security processes
  • Ensuring network and application security
  • Planning of human resources processes
  • Making individual retirement transactions
  • Access to software and platforms used within the framework of company activities
  • Fulfillment of necessary procedures for the performance of payments and aids and the provision of various fringe benefits
  • Carrying out employee training activities
  • Conducting disciplinary investigations and collecting evidence in this context
  • Camera surveillance to ensure building and office security
  • Ensuring and controlling building entrances and exits
  • Realization of celebrations and events within the company and sharing of visual and audio data within the scope of these activities
  • Ensuring corporate communication
  • Performance of works and transactions as a result of signed contracts and protocols,
  • Liaising with real / legal persons who have a business relationship with the company.
  • Fulfilling the burden of proof as evidence in legal disputes that may arise in the future
  • Fulfilling legal obligations for building visitors and website visitors
  • Confirmation of identity
  • Execution of risk assessment processes
  • Fulfilling the obligations arising from the applicable legislation, meeting the demands of authorized institutions and organizations
  • Creation of statistical information
  • Execution and follow-up of legal works and transactions
  • Carrying out marketing analysis studies and improving service quality.
  • Management of Internet access records
  • Execution of the necessary audit and control processes within the scope of company activities, reporting and examinations
  • Evaluation of requests and complaints

Reasons for Destruction

In the following cases, Personal data is deleted, destroyed or ex officio deleted, destroyed or anonymized by HT Solar Enerji upon the request of the person concerned;

  • Amendment or repeal of the provisions of the relevant legislation, which are the basis for processing,
  • The disappearance of the purpose that requires processing or storage,
  • In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his explicit consent,
  • HT Solar Enerji’s application for the deletion and destruction of personal data within the framework of the rights of the person concerned, pursuant to Article 11 of the Law,
  • In cases where HT Solar Enerji rejects the application made by the person concerned with the request for the deletion, destruction or anonymization of personal data, finds the answer insufficient or does not respond within the time stipulated in the Law; Making a complaint to the Board and this request being approved by the Board,
  • The maximum period for keeping personal data has passed and there are no conditions to justify keeping personal data for a longer period of time.

 

Article 8 – Technical and Administrative Measures Regarding the Retention and Disposal of Personal Data

 

All the administrative and technical measures taken by HT Solar Enerji in accordance with Article 12 of the Law in order to securely store personal data, to process it in accordance with the law, to prevent access and to destroy the data in accordance with the law are listed below:

 

  • The obligation to inform is fulfilled.
  • The security of personal data stored in the cloud is ensured.
  • There are disciplinary regulations that include data security provisions for employees.
  • Training and awareness activities are carried out periodically for employees on data security.
  • An authorization matrix has been created for the employees.
  • Access logs are kept regularly.
  • Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
  • Confidentiality commitments are made.
  • Employees who have a job change or quit their job are removed from this field.
  • Firewalls are used.
  • Signed contracts include data security provisions.
  • In case the processed personal data is obtained by others unlawfully, this situation will be notified to the relevant person and the Board by HT Solar Enerji as soon as possible.
  • Personal data security policies and procedures have been determined.
  • Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
  • The security of environments containing personal data is ensured.
  • Personal data is reduced as much as possible.
  • Log records are kept without user intervention.
  • Protocols and procedures for special quality personal data security have been determined and implemented.
  • Awareness of data processing service providers on data security is ensured.

 

 

 

Article 9 – Time for Ex officio Deletion, Destruction or Anonymization of Personal Data

HT Solar Enerji deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

The time interval for periodic destruction is 6 months.

Article 10 – Periods of Deletion and Destruction of Personal Data upon Request by the Relevant Person

If the relevant person requests the deletion or destruction of his personal data by applying to HT Solar Enerji, all the conditions for processing personal data have been removed; Personal data requested by HT Solar Enerji are deleted, destroyed or anonymized. The request of the relevant person is finalized within thirty days at the latest and the relevant person  is informed by HT Solar Enerji.

If all the conditions for processing personal data have been removed and the personal data subject to the request has been transferred to third parties, this situation is notified to the third party by HT Solar Enerji; It is ensured that necessary actions are taken before the third party.

If all the conditions for processing personal data have not disappeared, this request may be rejected by HT Solar Enerji by explaining the reason in accordance with the third paragraph of Article 13 of the Law. The rejection response is notified to the relevant person in writing or electronically by HT Solar Enerji within thirty days at the latest.

Article  11- Personal Data Destruction Techniques

Methods of Deletion of Personal Data

Since personal data can be stored in various recording media, they must be deleted by methods suitable for recording media. The methods for this are listed below:

 

Personal data is deleted by the methods given in the table below:

Data Recording Media Description
Personal Data on Computers and Servers The system administrator removes the access authorization of the relevant users and deletes the personal data on the servers for those whose period of time has expired. Permanent deletion ( Acronis True Image ) is performed on the hard disk for those whose computer use is terminated or changed.
Personal Data in Electronic Media Among the personal data in the electronic environment, the ones whose period has expired are rendered inaccessible and non-reusable for other employees (related users) except the database administrator.
Personal Data in Physical Environment Among the personal data kept in the physical environment, it is made inaccessible and non-usable in any way for other employees, except for the unit manager responsible for the document archive, for those whose period of time has expired. In addition, the blackening process is applied by drawing/painting/erasing in an unreadable manner.
Personal Data in Portable Media Flash-based storage environments that require storage of personal data held in the period ended those, and encrypted by the system administrator access privileges are stored in a secure environment with the encryption key only by giving the system administrator.

 

Destruction of Personal Data

Personal data is destroyed by the methods given in the table below:

Data Recording Media Description
Personal Data in Physical Environment Of the personal data in the paper medium, the ones that need to be kept, which have expired, are irreversibly destroyed in the paper clipping machines.
Personal Data in Optical / Magnetic Media The physical destruction of the personal data in optical media and magnetic media, such as melting, burning or pulverizing, is applied. In addition, magnetic media is passed through a special device and exposed to a high magnetic field, making the data on it unreadable.

 

 

Anonymization of Personal Data

Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data.

 

No Process Retention Time Disposal Time
1 Employee Candidate Job Application Process 1 year for employee candidates / 10 years for employees At the first periodic disposal period following the end of the storage period
2 Creating an Employee Personnel File 10 Years from Resignation At the first periodic disposal period following the end of the storage period
3 Processes of Security Personnel 10 Years from Resignation At the first periodic disposal period following the end of the storage period
4 Contract Processes 10 years At the first periodic disposal period following the end of the storage period
5 Invoice, Payment and Credit Processes 10 years At the first periodic disposal period following the end of the storage period
6 Log Tracking Systems 10 years At the first periodic disposal period following the end of the storage period
7 Camera Recordings 10 days At the first periodic disposal period following the end of the storage period
8 Litigation Follow-up 3 years from the expiry of the power of attorney At the first periodic disposal period following the end of the storage period
9 Execution of Logistics Processes During the validity of the contract At the first periodic disposal period following the end of the storage period
10 Execution of Marketing Activities Until consent is removed At the first periodic disposal period following the end of the storage period
11 Projecting 2 years Saklama süresinin bitimini takip eden ilk periyodik imha süresinde
12 Execution of Emergency Processes During the person’s mandate At the first periodic disposal period following the end of the storage period

 

Even using techniques appropriate for the recording medium and the field of activity concerned, such as the return of personal data by HT Solar Enerji or groups of buyers and / or the matching of data with others data so that personal data are anonymised, they should no longer be linked to an identified or identifiable natural person.

 

Article 12 – Periodic Disposal Time

Pursuant to Article 9 of this Policy, HT Solar Enerji has determined the periodical destruction period as 6 months. Accordingly, periodic destruction is carried out by HT Solar Enerji in June and December every year.

Article 13 – Update Period of the Policy

The policy is reviewed as needed and the necessary sections are updated. The last update date is 09.11.2020.