Policy on Processing Sensitive Personal Data
SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ
- Purpose
The purpose of this Policy on the Protection and Processing of Sensitive Personal Data is to fulfill the legal obligations arising from the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on "Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data", and to set out the technical and administrative measures the Company takes when processing sensitive personal data.
- Definitions
| Term | Definition |
|---|---|
| Explicit Consent | Consent relating to a specific matter, based on being informed and freely given. |
| Disposal | Deletion, destruction or anonymization of personal data (the collective term for the three operations). |
| Law | Law No. 6698 on the Protection of Personal Data. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Anonymization of Personal Data | Rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data. |
| Processing of Personal Data | Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of the data, whether by fully or partially automated means or, provided the processing is part of a data recording system, by non-automated means. |
| Deletion of Personal Data | Rendering personal data inaccessible to and non-reusable by the relevant users in any way. |
| Destruction of Personal Data | Rendering personal data inaccessible to, irretrievable by and non-reusable by anyone in any way. |
| Board | Personal Data Protection Board. |
| Policy | This Policy on the Protection and Processing of Sensitive Personal Data. |
| Company | SOWIND ENERJİ SİSTEMLERİ DIŞ TİCARET LİMİTED ŞİRKETİ. |
| Data Subject | The natural person whose personal data is processed. |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. |
- Processing of Special Categories of Personal Data
Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of an association, foundation or trade union, health, sexual life, criminal convictions and security measures, together with biometric and genetic data, are special categories of personal data (sensitive personal data).
The Company complies with the provisions of the Law and other applicable legislation when processing sensitive personal data. Accordingly, special categories of personal data are processed in accordance with the following principles:
- Lawfulness and good faith
- Being accurate and, where necessary, kept up to date
- Being processed for specific, explicit and legitimate purposes
- Being relevant, limited and proportionate to the purposes for which they are processed
- Being retained only for the period stipulated by the relevant legislation or required for the purpose for which they are processed
Sensitive personal data other than data relating to health and sexual life are processed by the Company only where the explicit consent of the data subject has been obtained or where processing is expressly stipulated by law.
Data relating to health and sexual life are processed only where the explicit consent of the data subject has been obtained or, without such consent, by persons under an obligation of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services, in each case in accordance with the principles and procedures stipulated in the Regulation on Personal Health Data.
- Technical and Administrative Measures Taken for the Protection of Sensitive Personal Data
The Company takes all necessary measures to ensure that sensitive personal data are processed in accordance with the Law and the relevant legislation and that their security is maintained. The measures taken in this context are listed below.
- Administrative Measures
- The Company provides regular training on the protection and processing of sensitive personal data to employees involved in such processing.
- The Company concludes confidentiality agreements with its employees to ensure data security.
- The users authorized to access sensitive personal data, and the scope and duration of their authorization, are clearly defined, and access rights are reviewed periodically.
- The access rights of employees who change roles or leave the Company are revoked immediately, and the equipment and inventory items allocated to them are recovered without delay.
- Technical Measures
- Technical Measures Taken for Sensitive Personal Data Stored and/or Accessed Electronically
- All operations performed on sensitive personal data are securely logged, with each log entry recording who created and who last modified the affected record.
- Security updates for the environments in which sensitive personal data are stored are monitored continuously, the necessary security tests are performed regularly, and the test results are recorded.
- Where sensitive personal data are accessed through software, user authorizations are configured in that software, security tests of the software are performed regularly, and the test results are recorded.
- Where remote access to sensitive personal data is required, at least two-factor authentication is used.
- Technical Measures Taken for Sensitive Personal Data Stored and/or Accessed in Physical Environment
- Security measures appropriate to the nature of the environment in which sensitive personal data are kept are taken.
- The physical security of these environments is ensured, and unauthorized entry and exit are prevented.
- Transfer of Special Categories of Personal Data
The Company transfers special categories of personal data only within the framework of the transfer conditions set out in Articles 8 and 9 of the Law. To ensure data security, the Company applies the following rules to data transfers and conducts periodic audits of their application.
- Transfer via E-Mail
Where sensitive personal data are transferred via e-mail, they are sent encrypted from a corporate e-mail address or through a Registered Electronic Mail (KEP) account.
- Transfer via Media such as Portable Memory, CD or DVD
Where sensitive personal data are transferred on media such as portable memory, CDs or DVDs, the data are encrypted using cryptographic methods before transfer, and the cryptographic key is kept in a medium separate from the data.
- Transfer between Servers in Different Physical Environments
Sensitive personal data are transferred between servers located in different physical environments over a VPN established between the servers or by SFTP.
- Transfer via Paper Media
Where sensitive personal data must be transferred on paper, the necessary precautions are taken against risks such as theft, loss or unauthorized viewing of the document, and the document is sent marked as a "confidential document".
- Storage and Destruction of Sensitive Personal Data
Sensitive personal data are stored by the Company, in accordance with the Law, other legislation and the Board's decision titled "Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data", in the following cases:
- The explicit consent of the data subject has been obtained.
- For sensitive personal data other than those relating to health and sexual life, retention is stipulated by law.
- For data relating to health and sexual life, storage is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, or the planning, management and financing of health services.
Sensitive personal data stored by the Company in accordance with the Law and other legislation are deleted, destroyed or anonymized, either ex officio or upon the request of the data subject, where any of the following grounds arises:
- Where storage of the special categories of personal data is based on the explicit consent of the data subject, that consent is withdrawn.
- The purpose for storing the special categories of personal data has been fulfilled, has become impossible or has otherwise ceased to exist.
- The legislative provisions forming the basis for storage of the special categories of personal data are amended or repealed.
- All of the processing conditions set out in Article 6 of the Law have ceased to apply.
- A request by the data subject for the destruction of his or her special categories of personal data, duly communicated to the Company, is found justified and granted by the Company.
- Where the Company rejects the data subject's request for destruction, the Company's response is found insufficient, or the Company fails to respond within the period stipulated in the Law, the data subject lodges a complaint with the Board and the Board upholds the request.
Other issues regarding the storage and destruction of special categories of personal data are regulated in the Company’s Personal Data Storage and Destruction Policy.