HERA EĞLENCE VE MİMARİ AYDINLATMA SİSTEMLERİ İÇ VE DIŞ TİC. A.Ş DATA PROTECTION PERSONAL DATA PROCESSING AND PROTECTION POLICY

INTRODUCTION

In accordance with Law No. 6698 on the Protection of Personal Data ("Law"), this Personal Data Processing and Protection Policy ("Policy") has been established by HERA ENTERTAINMENT AND ARCHITECTURAL LIGHTING SYSTEMS DOMESTIC AND FOREIGN TRADE INC. (MERSIS: 0461061621100001) ("HERA LED" or "COMPANY"). The Policy regulates the procedures and principles to be followed by "HERA LED" in protecting and processing personal data in compliance with the obligations regarding the protection of personal data.

1. PURPOSE AND SCOPE

The aim is to sustain the principle of conducting "HERA LED" activities transparently. In this context, the fundamental principles adopted for compliance with the regulations in Law No. 6698 on the Protection of Personal Data ("PDPA") are determined, and the practices implemented by "HERA LED" are explained. The Policy determines the processing conditions of personal data and sets forth the main principles adopted by "HERA LED" in the processing of personal data. In this framework, the Policy is applicable to all personal data processing activities within the scope of the PDPA, carried out by the company, whether automated or non-automated, as part of any data recording system. "HERA LED" reserves the right to make changes to the "Policy" in parallel with legal regulations.

1.1. Definitions

COMPANY:  HERA EĞLENCE VE MİMARİ AYDINLATMA SİSTEMLERİ İÇ VE DIŞ TİC. A.Ş  

Personal Data/Data: Any information about an identified or identifiable real person.

Personal Data Processing: Any operation performed on personal data, including but not limited to, obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making it obtainable, classifying, or using personal data through fully or partially automatic means or non-automatic means, as part of any data recording system.

Special Categories of Personal Data: Data related to race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association membership, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.

Data Subject/Concerned Person: Refers to the stakeholders and employees of "COMPANY," Business Partners, Authorities, Job Applicants, Visitors, and Group Customers, Potential Customers, Third Parties, and individuals whose personal data is processed by the company.

Data Controller: A real or legal person who determines the purposes and methods of processing personal data and is responsible for the establishment and management of the data recording system.

Data Recording System: Refers to the recording system in which personal data is processed according to specific criteria.

Data Processor: Real or legal person who processes personal data on behalf of and based on the authority given by the data controller.

Explicit Consent: Freely given consent on a specific subject, based on information.

Anonymization: Rendering personal data no longer attributable in any way to an identified or identifiable real person, even by matching it with other data.

Law: Refers to Law No. 6698 on the Protection of Personal Data.

PDPA Board: Personal Data Protection Board.

1.2. Effectiveness and Amendments

The Policy has been publicly disclosed by "COMPANY" by being published on the company's website. In case of a contradiction between the regulations in force, especially the Law, and the arrangements specified in this Policy, the provisions of the legislation will be applied. "COMPANY" reserves the right to make changes to the Policy in parallel with legal regulations. The current version of the Policy can be accessed on the "COMPANY" website [ www.heraled.com ].

2. PERSONAL DATA, DATA SUBJECTS, PROCESSING PURPOSES, AND DATA CATEGORIES

2.1. What Are Your Personal Data?

Personal data refers to information that identifies or makes an individual identifiable. The categories of personal data that may be processed by "COMPANY" are specified below.

  • Identity Data: This data category includes data types such as T.C. Identification Number, name, surname, place, and date of birth, marital status, gender, identity card sample.
  • Family Members and Close Information: Information about the family members and close relations of the data subject.
  • Contact Data: A data group that can be used to reach the individual (telephone, mailing address, e-mail, fax number, IP address).
  • Special Categories of Personal Data: This data category includes health data obtained from personnel within the scope of personnel and occupational safety, biometric data taken during entry and exit, and data related to criminal convictions and security measures.
  • Visual Data: Images of individuals taken during the entry of personnel or in camera records in physical environments of "COMPANY" for security purposes.
  • Personnel Data: A data type that includes information such as identity, contact information, as well as profession, education, financial data, etc., within the scope of the personnel file that must be legally created within the framework of the employment contract established with personnel.
  • Contract Data: All data processed by "COMPANY" in the company database as a result of the contractual relationship established with customers, business partners, suppliers, and external resources in line with legal obligations.
  • Location Data: All location data of employees processed by "COMPANY" for internal audit purposes.
  • Performance Data: Data processed within "COMPANY" for internal audit and to increase efficiency for the purpose of performance control for personnel inside "COMPANY" and for external partners.
  • Employee and Job Application Information: Personal data processed for individuals who have applied to become an employee of "COMPANY" or whose applications have been evaluated in line with the human resources needs of "COMPANY" or who are in a working relationship with "COMPANY."
  • Physical Space Security Information: Personal data related to records and documents such as camera records taken during entry into physical space, while staying inside the physical space.
  • Visual Data: Visual records within the data recording system that are clearly associated with an identified or identifiable real person.
  • Operational Security Information: Personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our commercial activities.
  • Risk Management Information: Personal data processed to manage the commercial, technical, and administrative risks of "COMPANY."
  • Financial Information: Personal data processed depending on the type of legal relationship established between "COMPANY" and the data subject, which includes information, documents, and records showing any financial result created.
  • Location Information
  • Request and Complaint Data: Personal data related to all kinds of requests or complaints directed to "COMPANY," including the reception and evaluation of such data.

2.2. Data Subject Categories

Data subjects within the scope of the Policy are all real persons whose personal data is processed by "COMPANY." In this context, the general data subject categories are as follows:

DATA SUBJECT CATEGORIZATION AND EXPLANATION

  1. Employee:  Refers to real persons who perform services under an employment contract at "COMPANY."
  2. Intern: Real persons working as interns at "COMPANY."
  3. Job Applicant: Refers to real persons who apply to "COMPANY" by sending a CV or by other methods.
  4. Third Parties: Refers to real persons other than "COMPANY" employees, as well as the categories mentioned above.
  5. Business Partners / Shareholders / Supplier companies and their employees: Parties that provide goods or services to "COMPANY" on a contractual basis and in accordance with "COMPANY" instructions, and their employees.
  6. Visitor: Refers to real persons visiting the premises and website of "COMPANY."
  7. Customer: Refers to real persons benefiting from the products and services offered by the company.
  8. Potential Customer: Refers to real persons who show interest in using the products and services offered by "COMPANY" and have the potential to become customers.

The data subject categories are specified for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate the status of the data subject as specified in the Law.

2.3. Processing Purposes for Personal Data

For Employees:

  • Execution of Employee Satisfaction and Loyalty Processes
  • Fulfillment of Employee Contractual and Legal Obligations
  • Conducting Audits/Ethical Activities
  • Implementation of Training Activities
  • Management of Access Rights
  • Ensuring Compliance with Regulations
  • Execution of Financial and Accounting Affairs
  • Planning of Human Resources Processes
  • Execution/Audit of Business Activities
  • Implementation of Occupational Health/Safety Activities
  • Providing Information to Authorized Individuals and Organizations
  • Execution of Management Activities
  • Ensuring Business Continuity and Physical Space Security
  • Implementation of Information Security Processes
  • Execution of Employee Rights and Benefits Processes
  • Employee Auditing and Data Processing within the Scope of Employer's Management Rights

For Job Applicants:

  • Execution of Selection and Placement Processes
  • Implementation of Human Resources Operations, especially Recruitment Processes
  • Ensuring Business Continuity and Physical Space Security
  • Management of Human Resources Operations, including Recruitment Policies and Employment Contracts
  • Tracking Requests/Complaints
  • Implementation of Information Security Processes
  • Internal Audit/Investigation/Intelligence Activities
  • Compliance with Regulations
  • Providing Information to Authorized Individuals, Organizations
  • Execution of Emergency Management Processes
  • Implementation of Communication Activities
  • Legal, Technical, and Administrative Activities with Consequential Results

For Interns/Students:

  • Tracking Requests/Complaints
  • Implementation of Information Security Processes
  • Internal Audit/Investigation/Intelligence Activities
  • Compliance with Regulations
  • Providing Information to Authorized Individuals, Organizations
  • Execution of Emergency Management Processes
  • Implementation of Communication Activities
  • Ensuring Business Continuity Activities
  • Legal, Technical, and Administrative Activities with Consequential Results
  • Organizing and Monitoring Employment Relationships
  • Ensuring Physical Space Security
  • Execution of Business Process Improvement Suggestions
  • Ensuring Security of Movable Assets and Resources
  • Ensuring Data Controller Operations Security
  • Implementation of Occupational Health and Safety Activities
  • Execution of Salary Payments

For Shareholders/Business Partners/Supplier Companies in the Commercial Relationship with "COMPANY":

  • Execution of Supply Chain Management Processes
  • Performance of Functions such as Enterprise Resource Planning, Reporting, Marketing, etc.
  • Conducting Investment and Product/Service Marketing Processes
  • Determination of Risk Limits and Collateralization Studies
  • Conducting Necessary Quality, Confidentiality, and Standard Audits
  • Fulfillment of Legal Requirements Specified by Laws and Regulations
  • Fulfillment of Obligations Related to E-Invoice, E-Waybill, and E-Archive
  • Fulfillment of Requests from Public Institutions and Organizations as Required by Legal Regulations
  • Ensuring Data Controller Operations Security
  • Ensuring Security of Movable Assets and Resources
  • Tracking Requests/Complaints
  • Implementation of Storage and Archiving Activities
  • Execution of Advertising/Campaign/Promotion Processes
  • Execution of Performance Evaluation Processes
  • Conducting Marketing Analysis Studies
  • Organization and Event Management
  • Conducting Customer Satisfaction Activities
  • Execution of Customer Relationship Management Processes
  • Execution of Product/Service Production and Operation Processes
  • Execution of Product/Service Sales Processes
  • Execution of After-Sales Support Services
  • Execution of Purchasing Processes for Products/Services
  • Conducting Logistic Activities
  • Internal Audit/Investigation/Intelligence Activities
  • Conducting Processes Related to Loyalty to Firm/Product/Services
  • Implementation of Information Security Processes

For Customers:

  • Execution of Customer Relationship Management Processes
  • Ensuring Physical Space Security
  • Conducting Transactions and Activities within the Scope of Commercial/Contractual Relationship for Products and Services
  • Introduction and Marketing of Products and Services, and Contacting You Regarding Them
  • Tracking Requests/Complaints
  • Fulfillment of Warranty Obligations within the Scope of Producer Responsibility
  • Ensuring Compliance with "COMPANY" Quality, Information Security, and Privacy Policies and Standards
  • Recording and Monitoring Information Regarding Payments
  • Preparation of Reports and Analyses for Top Management
  • Conducting Customer Satisfaction Activities
  • Execution of Customer Relationship Management Processes
  • Execution of Product/Service Production and Operation Processes
  • Execution of Product/Service Sales Processes
  • Execution of After-Sales Support Services
  • Execution of Purchasing Processes for Products/Services
  • Conducting Logistic Activities
  • Internal Audit/Investigation/Intelligence Activities
  • Conducting Processes Related to Loyalty to Firm/Product/Services
  • Implementation of Information Security Processes
  • Fulfillment of Legal Requirements Specified by Laws and Regulations

For Potential Customers:

  • Directly obtained identity and contact information through visits to "COMPANY" premises, requests for orders and quotations, complaints, and business cards shared at fairs and events are processed for creating offers for requested products, establishing contracts, and managing your requests and complaints. If you are not a merchant or tradesperson, your data is processed for marketing purposes with your consent.

For Visitors:

  • Data such as identity and visual information obtained during visits to "COMPANY" and our website are processed for ethical activities, information security, ensuring physical space security, providing information to authorized individuals, organizations, and ensuring the security of data controller operations.

3. PRINCIPLES TO BE FOLLOWED IN DATA PROCESSING

3.1. Principles of Personal Data Processing

  • Your personal data is processed by "COMPANY" in accordance with the principles of personal data processing specified in Article 4 of the Law. Personal data is processed lawfully and fairly.

 

DATA PROTECTION AND PROCESSING POLICY

  1. Introduction: "HERA LED" prioritizes the processing of personal data within the scope and purpose specified by the Law on the Protection of Personal Data ("KVKK"). To ensure the accuracy and currency of personal data, data subjects have the right to request correction or deletion of inaccurate or outdated data.
  2. Processing Conditions for Personal Data: "HERA LED" evaluates the processing of personal data for each category of data subjects in line with specific, clear, and legitimate purposes. Personal data is deleted, destroyed, or anonymized after the purpose of processing is fulfilled or upon the expiration of the specified legal period.
  3. Conditions for Processing Special Categories of Personal Data: Special categories of personal data, as defined in Article 6 of the Law, include race, ethnic origin, political opinion, philosophical belief, religion, sect, attire, association, foundation, or union membership, health, sexual life, criminal conviction, and biometric and genetic data. "HERA LED" may process such data under certain conditions, including explicit consent or when explicitly allowed by the law.
  4. Collection Methods and Legal Basis for Personal Data: Personal data is collected through various means such as website visits, contract establishment, performance processes, job application processes, and visits to our premises. The legal basis for processing personal data includes compliance with local or foreign regulations, necessity for the performance of a contract, compliance with legal obligations, publicly disclosed information, protection of fundamental rights and freedoms, and legitimate interests of "HERA LED."
  5. Transfer of Personal Data: Personal data may be transferred domestically or abroad in compliance with the additional regulations determined by the Personal Data Protection Board. The transfer is subject to the presence of conditions specified in Articles 5 and 6 of the Law, ensuring compliance with data processing conditions and basic principles.
  6. Informing Data Subjects and Their Rights: As data subjects, individuals have the right, according to Article 11 of the Law, to inquire whether their personal data is processed, request information if processed, learn the purpose of processing and whether it is used for its purpose, know third parties to whom personal data is transferred, request correction or deletion of incorrect or incomplete data, object to automated decision-making, and seek compensation for damages in case of unlawful processing.
  7. Ensuring the Security and Confidentiality of Personal Data: "HERA LED" takes administrative and technical measures to prevent the unlawful disclosure, access, transfer, or any security vulnerabilities regarding personal data. In case of a breach, actions are taken in line with the measures prescribed by the Law.
  8. Destruction of Personal Data: Personal data is deleted, destroyed, or anonymized in accordance with the Data Protection and Destruction Policy. "HERA LED" follows specific retention periods determined for each data type and process in the personal data inventory.
  9. Aspects of Personal Data Protection: "HERA LED" ensures the necessary technical and administrative measures to prevent the unlawful processing of and unauthorized access to personal data, and to ensure its preservation, in line with Article 12 of the Law. Technical measures include encryption of stored data, regular backups, and secured sharing of data with third parties. Administrative measures involve employee training, defining responsibilities for data sets and processes, and conducting regular internal audits.

 

The necessary security measures are taken for exits, and the security of physical environments against external risks (fire, flood, etc.) is ensured.

  • Employees of "HERA LED" cannot access the system with personal devices.
  • A permission matrix has been created for employees of "HERA LED," specifying which employee can access which information, and authorization limits have been determined. The permissions of employees who undergo a change in duties or leave the company in this regard are revoked.
  • Personal data is backed up by "HERA LED," and the security of the backed-up personal data is ensured.
  • The software on the servers at "HERA LED" is up-to-date and licensed.
  • The devices at "HERA LED" have up-to-date antivirus software and hardware.
  • "HERA LED" does not have an in-house department for Information Technology systems, including their procurement, development, and maintenance. External services are utilized.
  • Access logs are regularly maintained by "HERA LED," and data masking measures are applied when necessary.
  • Security firewalls are present in the systems at "HERA LED."
  • External users/guests cannot access information sources when logging into the system at "HERA LED."
  • "HERA LED" uses Active Directory or a user account management and authorization control system.
  • Log records are stored by "HERA LED" in a way that prevents user intervention.
  • Files/programs containing personal data at "HERA LED" are encrypted.
  • Data loss prevention software is used at "HERA LED."
  • There is no personal data on "HERA LED" website.

(9.2): Administrative Measures 

  • Employees of "HERA LED" are informed and trained about personal data protection law and the lawful processing of personal data.
  • All personal data processing activities carried out by "HERA LED" are executed in accordance with the detailed personal data inventory created by analyzing all business units.
  • The personal data processing activities of relevant departments within "HERA LED" are bound by written policies and procedures, ensuring compliance with the processing conditions required by the Personal Data Protection Law (KVKK). Each business unit has been informed about this topic, and specific considerations have been identified for each activity.
  • The management and audit of personal data security within "HERA LED" are organized by the Personal Data Protection Committee. Awareness is created for compliance with legal requirements in each business unit, and protocols and procedures for the security of special category personal data are determined and implemented.
  • Service contracts and related documents between "HERA LED" and its employees include records related to personal data, information, and data security.
  • Rapid reporting of personal data security issues is ensured by "HERA LED," and the tracking of personal data security is carried out.
  • Security measures are taken for the entry and exit of personnel into physical environments containing personal data at "HERA LED," and the security of these environments against external risks (fire, flood, etc.) is ensured.
  • Personal data processed by "HERA LED" is minimized as much as possible.
  • Privacy commitments are made by "HERA LED."
  • The monitoring of personal data security is carried out by "HERA LED," and internal periodic and/or random audits are conducted.

Contact Information:

Requests regarding the mentioned rights can be sent in writing to the addresses below:

HERA EĞLENCE VE MİMARİ AYDINLATMA SİSTEMLERİ İÇ VE DIŞ TİC. A.Ş. (Mersis: 0461061621100001)
Address: Güllübağlar Mah. Firketeci Sk. No: 2 P.K:34906 Pendik/İSTANBUL
Tel: +90 216 307 79 00
KEP Address: hera.led@hs03.kep.tr
Email: info@heraled.com
Website: www.heraled.com

Effective Date: 26.12.2019 
Publication Date: 26.12.2019
 Version No/Document No: 1.1./KVK.12. 
Revision Date: 24.01.2024