MURADİYE ELEKTRİK ÜRETİM A.Ş.
INFORMATION NOTICE WITHIN THE SCOPE OF LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA
Muradiye Elektrik takes all kinds of technical and legal measures in accordance with the Law No. 6698 on the Protection of Personal Data (“KVKK”) in order to protect your personal data processed within the scope of its activities. Relevant persons can access detailed information regarding the categories of personal data processed, the legal grounds for processing personal data, the data transferred to third parties and the purpose of such transfers, as well as their rights under KVKK and GDPR, from the information notice below.
I. Data Controller
Title: Muradiye Elektrik Üretim A.Ş
Mersis No: 0624039013400013
Website: www.muradiyeelektrik.com.tr
Phone Number: 0 (212) 267 4206
E-Mail: info@muradiyeelektrik.com.tr
Address: İlkbahar Mahallesi 610 Sk.No:2 Çankaya ANKARA
II. Purposes of Processing Personal Data
Your personal data is processed by Muradiye Elektrik, in its capacity as data controller, for the purposes and within the scope set out below, in compliance with Articles 5 and 6 of the KVKK: - To improve, develop, diversify our products and services and offer alternatives to natural/legal persons with whom we have commercial relations, - To ensure communication and cooperation between Muradiye Elektrik group companies, provide coordination, carry out common business areas, identify the needs of our customers and employees, fulfill contractual obligations, conduct advertising and marketing activities, ensure customer follow-up, ensure occupational safety and business continuity, - To enhance and improve our service standards, - To determine and implement our commercial business strategies, - To ensure the full performance of contracts to which Muradiye Elektrik is a party and to verify that the counterparty fulfills its obligations, - To ensure the legal security of natural/legal persons having commercial relations with Muradiye Elektrik, - To issue commercial books, invoices, bank checks and payrolls that Muradiye Elektrik is required to prepare under the relevant laws, - To ensure the security of employees, visitors, and Muradiye Elektrik’s premises and to control entrances and exits, - To evaluate recruitment processes of job applicants, create personnel files of employees, and maintain Muradiye Elektrik’s human resources policies, - To increase the morale, motivation, performance, satisfaction, and interaction of the personnel working within Muradiye Elektrik with each other and with the company, and to ensure their loyalty to the company, - To provide internet access to visitors in Muradiye Elektrik’s public areas, - To perform Muradiye Elektrik’s commercial procurement transactions, - To carry out Muradiye Elektrik’s corporate correspondence, - To generate statistical data and record visitor information when our website is visited and to ensure feedback, - As well as to conduct necessary quality and standard audits or to fulfill other obligations stipulated by laws and regulations.
III. Transfer of Personal Data
The personal data we process may be transferred within the framework of the purposes above, in accordance with Articles 8 and 9 of the KVKK:
- To our business partners in order to fulfill our commercial activities and ensure continuity, - To our suppliers, to the extent necessary for providing products and services, - To relevant public institutions and organizations, especially the Social Security Institution, to fulfill legal obligations and ensure security, - To private and public legal entities, primarily banks, in order to fulfill the social and financial rights of employees employed within Muradiye Elektrik, - To legally authorized public institutions, organizations, and judicial authorities, in line with their requests and for the purposes of such requests, - To affiliated subsidiary companies for the creation of a common database, ensuring coordination and cooperation, - To domestic and foreign software companies and technology companies for creating databases of operating systems and computer programs used by our company and affiliates, ensuring program operability, and conducting program maintenance and repair, - To domestic and foreign technology companies providing cloud technology services, from which we receive cloud services, - To affiliates, domestic and foreign business partners, dealers, and suppliers of our company and affiliates, in order to ensure customer follow-up and meet customer needs, - To affiliates of our company and service providers in this field, for the realization of social and cultural events such as events, conferences, etc., - To relevant healthcare institutions and insurance companies, within the scope of occupational health and safety measures, to ensure that employees can work in a healthy work environment.
IV. Method and Legal Grounds for Collecting Personal Data
Your personal data is collected by Muradiye Elektrik or natural/legal persons authorized to process data on behalf of Muradiye Elektrik, through declarations, application forms, forms filled on the website, documents required to create personnel files, various contracts, all kinds of information forms, surveys, job application forms, and verbally, in writing or electronically via call centers, within the scope of your explicit consent or personal data processing conditions stipulated by law. This information is obtained for the purpose of providing our commercial and administrative activities within the framework of laws and for Muradiye Elektrik to carry out its services, maintain its commercial life, and fulfill its legal obligations fully and accurately.
V. Retention Periods of Personal Data
Our company stores the personal data it processes for the periods stipulated in the relevant legislation or for as long as required by the purpose of processing, in compliance with the Law.
| Data Category | Retention Period | Justification |
|---|---|---|
| Identity | 10 years from the termination date of the legal relationship | Law No. 6098 |
| Contact | 10 years from the termination date of the legal relationship | Law No. 6563 and related secondary legislation |
| Legal Transaction | 10 years from the termination date of the legal relationship | |
| Customer Transaction | 10 years from the termination date of the legal relationship | Law No. 6563, Law No. 6102, Law No. 6098, Law No. 213, Law No. 6502 |
| Transaction Security | 10 Years | |
| Risk Management | 10 Years | |
| Finance | 10 years from the termination date of the legal relationship | Law No. 6102, Law No. 213 |
| Visual and Audio Records | 10 Years | Law No. 6563 and related secondary legislation |
VI. Technical and Administrative Measures Taken by Our Company
We hereby present for your information the measures taken by our company to ensure the security of personal data:
- Network security and application security are ensured. - A closed system network is used for the transfer of personal data via the network. - Key management is implemented. - Security measures are taken within the scope of procurement, development, and maintenance of information technology systems. - Disciplinary regulations containing data security provisions are in place for employees. - Regular training and awareness activities on data security are provided for employees. - An authorization matrix has been created for employees. - Access logs are regularly maintained. - Data masking measures are applied when necessary. - Confidentiality agreements are signed. - The authorizations of employees who change roles or leave the company are revoked. - Up-to-date antivirus systems are used. - Firewalls are used. - Signed contracts include data security provisions. - Personal data security policies and procedures have been established. - Personal data security issues are reported promptly. - Personal data security is monitored. - Necessary security measures are taken for entry and exit to physical environments containing personal data. - Physical environments containing personal data are protected against external risks (fire, flood, etc.). - The security of environments containing personal data is ensured. - Personal data is minimized as much as possible. - Personal data is backed up, and the security of backed-up data is ensured. - User account management and authorization control systems are implemented and monitored. - Periodic and/or random internal audits are carried out. - Log records are kept without user intervention. - Existing risks and threats are identified. - If special categories of personal data are to be sent via email, they are always encrypted and sent via KEP or a corporate email account. - Intrusion detection and prevention systems are used. - Penetration testing is carried out. - Cybersecurity measures are taken and their implementation is continuously monitored. - Encryption is applied. - Data processors are periodically audited regarding data security. - Data processors are provided with awareness on data security.
V. Rights of Data Subjects under the KVKK
Natural persons whose personal data is processed within Muradiye Elektrik have the following rights pursuant to Article 11 of the KVKK:
- To learn whether their personal data is being processed, - To request information if their personal data has been processed, - To learn the purpose of processing personal data and whether it is used in line with that purpose, - To learn the domestic or international third parties to whom personal data has been transferred or will be transferred, the recipients, and recipient categories, - To request the correction of incomplete or inaccurate personal data and to request notification of such corrections to third parties to whom personal data has been transferred, - To request the deletion or destruction of personal data or the cessation of processing where the reasons requiring processing no longer exist, despite personal data having been processed in accordance with the KVKK and other relevant laws, and to request notification of such action to third parties to whom personal data has been transferred, - To object to the emergence of a result against them by analyzing the processed data exclusively through automated systems, - To request compensation if they suffer damage due to the unlawful processing of personal data.
If you would like to contact us under the KVKK, provide feedback, or submit your questions, please complete the Personal Data Protection Law Application Form for Data Controller along with identity-verifying documents:
By signing the form during application and submitting it together with identity-verifying documents (such as ID card, driver’s license, etc.), you may either apply in person to the address of Muradiye Elektrik, İlkbahar Mahallesi 610 Sk. No:2 Çankaya ANKARA, or send it through a notary public to the same address, or submit it via the registered electronic mail (KEP) address muradiyeelektrik@hs02.kep.tr or, if your email address is already registered in our systems, to muradiyekvkkbasvuru@enerturk.com together with identity-verifying documents.
We would like to remind you that such written applications will only be accepted following identity verification by us.
Requests of data subjects will be evaluated and concluded free of charge as soon as possible and within a maximum of thirty (30) days. If the evaluation and decision-making process requires an additional cost, the fee in the tariff set out in the Communiqué on the Procedures and Principles of Application to the Data Controller will apply. Data subjects who are not satisfied with our response following their application may file a complaint with the Personal Data Protection Authority.
Information Security Policy
This policy aims to ensure the business continuity of Muradiye Elektrik Üretim A.Ş. and to minimize the damages and risks arising from security breach incidents.
Scope:
This policy covers the information security management system, employees, and business functions of all Muradiye Elektrik A.Ş. headquarters and all related companies at relevant locations.
It is the policy of Muradiye Elektrik A.Ş. headquarters and all related companies to ensure the following:
- The confidentiality, integrity, and availability of all information belonging to all relevant parties is ensured. - All companies maintain an up-to-date inventory of information assets as well as all assets that process, store, or transfer this information. Risk analysis is carried out for these assets, and risk-mitigating measures are taken for such risks. - Confidentiality is ensured by granting access to information only within the scope of authority. - Integrity is ensured by protecting information against unauthorized changes and recording any modifications made. - Availability is ensured by keeping information accessible to authorized users when needed. - All supporting policies and procedures are implemented by each department. All legal requirements are fulfilled. - Continuous training on information security is provided to all employees to raise awareness. - All information security vulnerabilities and identified suspicious situations are reported to the relevant parties. Continuous improvement and controls are ensured by the relevant parties.
I hereby declare that the above-mentioned matters are supported by the management.
Applicability:
All employees of Muradiye Elektrik A.Ş. headquarters and all related companies who have access to or an impact on information assets within the scope of the information security management system are responsible for implementing this policy, and the management of these companies undertake to support it.
Objectives:
1. To identify the value of information assets, their vulnerabilities, and the threats that may expose them to risk through appropriate risk assessment and to reduce risks to acceptable levels.
2. To fulfill legal requirements through the design, implementation, and maintenance of the Information Security Management System.
3. To protect the institution’s reliability and corporate image.
4. To comply with all customer contractual requirements regarding information security.
5. To ensure business continuity of the institution.
6. To achieve and maintain compliance with TS ISO IEC 27001.
Continuous Improvement:
Muradiye Elektrik A.Ş. headquarters and all related companies continuously improve the Information Security Management System by using audit results, analysis of monitored information security incidents, corrective and preventive actions, and management reviews.
IS Committee Meeting:
Held as specified in the ISMS Roles and Responsibilities document.
Responsibilities and Sanctions:
The management of Muradiye Elektrik A.Ş. headquarters and all related companies establish, implement, and review this policy. All employees of the relevant companies are responsible for complying with this policy and the procedures and instructions supporting it. In case of non-compliance with policies, procedures, and instructions established under the Information Security Management System, the management may apply one or more sanctions such as warnings, reprimands, fines, or termination of contract.
In the event of violations of security and operational policies by employees of Muradiye Elektrik A.Ş. headquarters and all related companies, the management of the relevant companies shall take necessary disciplinary measures. If these violations cause damage to the relevant companies or those they serve, the management may hold the responsible personnel liable for compensation.
Muradiye Elektrik A.Ş. headquarters and all related companies are subject to disciplinary action and/or legal measures for any deliberate act that endangers the security of information belonging to customers or suppliers.
The Information Security Manager supports the implementation of this policy through appropriate standards and procedures. The IT Management of Muradiye Elektrik A.Ş. headquarters and all related companies update and ensure the continuity of the ISMS infrastructure. All employees and contracted suppliers are subject to the Information Security Policy. All personnel are responsible for reporting security incidents and notifying identified vulnerabilities.
Review:
Managing ISMS in an integrated manner with other management systems we apply ensures that our brands remain reliable and protect their image in terms of information security, setting an example as a leading institution. As the management of Muradiye Elektrik A.Ş. headquarters and all related companies, we declare that ensuring the implementation of the Information Security Policy, conducting compliance checks with legal regulations, applying necessary sanctions in case of security breaches, continuous improvement, and allocating necessary resources to improve processes are supported by the management.
Leadership
The top management of Muradiye Elektrik A.Ş. headquarters and all related companies demonstrate leadership and commitment regarding the information security management system by fulfilling the following:
a) Ensuring that the information security policy and information security objectives are established and aligned with the organization’s strategic direction,
b) Ensuring the integration of the requirements of the information security management system into the organization’s processes,
c) Ensuring the availability of resources necessary for the information security management system,
ç) Communicating the importance of effective information security management and compliance with the requirements of the information security management system,
d) Ensuring that the intended outcomes of the information security management system are achieved,
e) Directing and supporting individuals to contribute to the effectiveness of the information security management system,
f) Supporting continuous improvement,
g) Supporting other relevant management roles to demonstrate their leadership within their areas of responsibility.