CLARIFICATION TEXT

GENERAL CLARIFICATION TEXT ON THE PROCESSING OF PERSONAL DATA

ABOUT THE DATA CONTROLLER

Title: GAMA ENERJÄ° A.Åž.

Address: Nergiz Sokak No: 9 BeÅŸtepe, 06560, Yenimahalle, Ankara

We, GAMA ENERJÄ° A.Åž. (Company), exhibit maximum sensitivity to the security of your personal data. We attach great importance with this awareness to the processing and preservation of all kinds of personal data belonging to all persons associated with our Company, including those who benefit from our products and services, in accordance with the Personal Data Protection Law Numbered 6698 (“PDP Law“) and their transfer in accordance with the PDP Law. With the full realisation of this responsibility, we process your personal data as “Data Controller” within the scope of our commercial relations or within the scope of our business relationship with you in accordance with the law and the rule of honesty within the framework of the purpose that requires their processing in accordance with the law and the rule of honesty, and within the framework of the conditions and limits stipulated by PDP Law by maintaining the accuracy and the most up-to-date version of your personal data as you have notified us or as notified to us in a limited and measured manner in connection with this purpose.

  1. Collection and Processing of Personal Data and Processing Purposes

Your personal data may vary depending on the service, product or commercial activity provided by our Company, and may be collected verbally, in writing or electronically by automatic or non-automatic methods when you visit our Company or our website, on social media channels, during your participation in our events, in all our activities and similar means.

In this context, your personal data can be processed in an up-to-date manner as long as you benefit from the products and services of our Company.

Your collected personal data is processed for the following purposes;

  • Carrying out the necessary work by our business units in order for you to benefit from the services offered by our Company,
  • Customizing the services offered by our Company according to your needs and demands and recommending them to you,
  • Ensuring the legal and commercial security of our Company and real and legal persons who have business relations with our Company (ensuring the physical security and control of the Company’s locations, conducting business partner / customer / supplier (authorized or employees) risk management and evaluation processes, conducting legal compliance processes, monitoring financial affairs, etc.),
  • Determining and implementing the commercial and business strategies of our Company,
  • Ensuring the execution of our Company’s human resources policies,
  • Fulfilment of our obligations arising from the legislation to which our Company is subject, such as the relevant PDP Law and secondary legislation,
  • Fulfilment of information and reporting obligations when requested by official and/or administrative authorities,
  • Audit of company activities by relevant institutions,
  • Maintaining relations with public institutions and organizations and other organizations,
  • Planning and execution of corporate sustainability, corporate governance, strategic planning, and information security processes,
  • Conducting financial operations and following up financial issues,
  • Execution of business partnership, procurement, tender and sales transactions,
  • Enabling our relevant business units to carry out the necessary work for real and/or legal third parties, institutions, and organisations (employee candidates, employees, visitors, suppliers, business partners, etc.) who have a relationship with the Company to benefit from its products and services,
  • Ensuring the security of life and property, legal, commercial, and occupational health, and safety of real and/or legal third party institutions and organizations where the Company’s business is carried out or in the headquarters and units of the Company,
  • Carrying out the auditing and/or regulatory duties to be carried out by the public institutions and organizations in charge and authorized and professional organizations in the nature of public institutions in accordance with Turkish Commercial Code Numbered 6102, Turkish Code of Obligations Numbered 6098, Consumer Protection Law Numbered 6502, Personal Data Protection Law Numbered 6698, Regulation on Processing and Protection of Privacy of Personal Health Data,
  • Fulfilment of information and document requests by judicial bodies and/or administrative authorities,
  • Performing listing, reporting, verification, and analysis studies on the usage patterns of the products and services offered in our Company and all centers and units affiliated to our Company, producing statistical and scientific information in this regard, developing our products and services, accordingly, increasing satisfaction with our products and services and making customizations regarding the user in this context,
  • Training and development of all employees,
  • Fulfilment of rights and obligations such as offers, promotions, exemptions, etc. offered by contracted private insurance companies and/or other institutions within the framework of agreements,
  • Taking all necessary technical and administrative measures for systems and applications within the scope of data security,
  • Protection of public order and health,

In accordance with Article 5 and Article 6 of the PDP Law and the decisions of the Personal Data Protection Board, it is processed under the following conditions:

  • Explicit consent,
  • It is clearly stipulated in the laws,
  • Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract,
  • It is mandatory for the data controller to fulfil its legal obligation,
  • Data processing is mandatory for the establishment, use or protection of a right,
  • It is mandatory to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of data owner.
  1. To Whom Your Processed Personal Data Can Be Transferred

Your collected personal data; limited to the above-mentioned personal data processing conditions and purposes;,may be transferred to our business partners, group companies and shareholders, authorized public institutions as required by legal obligation, domestic institutions and solution partners that we have contracted with due to our activities, lawyers or attorney partnerships, mediators, private law real and legal persons in accordance with Article 8 of the PDP Law for the follow-up of legal affairs.

However, your personal data processed in the categories of identity, communication, transaction security, finance, professional experience may be transferred by our Company to shareholders and/or business partners located abroad within the scope of your explicit consent in accordance with Article 9 of the PDP Law in order to fulfil our business activities.

In addition, your personal data are processed within the framework of our policies and procedures determined in accordance with the Regulation on Deletion, Destruction or Anonymization of Personal Data, for the period required by our activities and the legislation and related secondary regulations to which we are subject and are deleted in cases where there is no longer a relationship, no reasonable or legal necessity or compliance.

  1. Methods and Legal Reason for Collecting Your Personal Data

For the above-mentioned purposes in all kinds of verbal, written or electronic media, your personal data are obtained in order to provide the products and services offered by our Company within the legal framework determined and to fulfil the obligations arising from the contracts to which our Company is a party and the legislation we are subject to and the secondary regulations in a complete and accurate manner. Your personal data collected for this legal reason may be processed and transferred in accordance with Article (1) and Article (2) of this clarification text within the scope of the personal data processing conditions and purposes specified in Article 5 and Article 6 of PDP Law.

In this context, the following categorised data are collected as personal data;

  • Identity: It is a data category that contains information about the person’s identity.

(Name, Surname, Turkish ID Number, Tax Identification Number, Signature etc.)

  • Communication: It is a data category that can be used to reach the person.

(Telephone Number, E-Mail Address, Supplier Information (Name, Title, Tax Number, E-Mail Address etc.), Business Address, Delivery Address etc.)

  • Legal Action: It is a data category that contains data types such as information in correspondence with judicial authorities and information in the case file.

(Side benefits and Benefits’ Information, Legal Action and Compliance Information, Request/Complaint Management Information, etc.)

  • Physical Space Security: It is a data category that contains data types such as entry-exit registration information of employees and visitors, camera recordings.
  • Transaction Security: It is a data category that contains data types such as IP address information, website login and logout information and password information.

(Security Keys, Password, Usernames, E-signature, Session Keys Information, Encryption Method, Cookie Information (for Transaction Security Information) etc.)

  • Risk Management: It is a data category that contains information processed for managing commercial, technical, and administrative risks, among other data types.
  • Finance: It is a data category that contains the financial information of the person.

(Bank Account Number, IBAN, Cheque and Draft amounts etc.)

  • Visual and Audio Records: It is a data category that contains visual and auditory data of the person.

(Camera Recording etc.)

  1. Data Processing Time and Retention Period                                                                                                                                                   

Your personal data, limited to the purposes specified in this clarification text, will be processed by complying with the data processing and statute of limitations periods specified in all relevant laws and legislation to which our Company, the centers and units of our Company are subject and the secondary regulations. In case of amendments to the laws regarding the data processing periods, the new periods determined will be taken as basis.

As a requirement of the principle of purpose limitation, your personal data is processed for the fulfilment of the purposes described in this disclosure text and in any case limited to the period required for processing in accordance with the company practices and the customs of commercial life; following the expiration of the periods, it is deleted, destroyed, or anonymized.

The procedures and principles regarding this are specified in the Procedure for Storage, Destruction and Anonymization of Personal Data.

  1. Rights of Personal Data Owner Listed in Article 11 of PDP Law

In case you submit your requests regarding your rights as personal data owners to our Company by the methods set out in this clarification text, it will be finalized free of charge within 30 (thirty) days at the latest depending on the nature of the request. However, if a fee is stipulated by the Personal Data Protection Board, the fee in the tariff determined will be charged by our Company.

The rights you have pursuant to Article 11 of the PDP Law titled “Rights of the Data Subject” are set out below:

  • Learning whether your personal data is processed or not,
  • Requesting information regarding the personal data if it is processed,
  • Learning the purpose of processing your personal data and whether your personal data is used in accordance with its purpose,
  • Knowing the third parties to whom your personal data is transferred in country or abroad,
  • Requesting the correction of your personal data in case of incomplete or incorrect processing and requesting the notification of the transaction made within this scope to the third parties to whom your personal data is transferred,
  • Requesting the deletion or destruction of your personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the PDP Law and other relevant laws, and requesting notification of the transaction made within this scope to the third parties to whom your personal data is transferred,
  • In the event that a result arises to the detriment of the person himself/herself by analyzing your processed personal data exclusively through automated systems, to object to this result,
  • Requesting compensation for damages in case you suffer damage due to unlawful processing of your personal data.
  1. Exercise of Rights by the Relevant Person

As the relevant person whose personal data is processed, you can submit your requests regarding your rights specified in the clarification text to our Company free of charge by filling out and signing the Application Form with the information-documents that we can identify your identity and the methods specified below or other methods determined by the Personal Data Protection Board.

You can apply to the Company:

  • by filling out the personal data application form available at https://enerji.gama.com.tr/tr/kisisel-verilerin-korunmasi/ or by submitting a copy in writing by hand or by registered mail with return receipt requested or by applying in person after preparing a petition in accordance with the procedure,
  • after filling in the personal data application form available at https://enerji.gama.com.tr/tr/kisisel-verilerin-korunmasi/ and signing it with a secure electronic signature within the scope of the Electronic Signature Law Numbered 5070, by sending the securely electronically signed form by e-mail registered to the address, using a secure electronic signature, mobile signature or your e-mail address previously notified to the Company and registered in the Company’s system, or by applying through a software or application developed for the purpose of application.

You can access detailed information from the Personal Data Information Booklet available at https://enerji.gama.com.tr/tr/kisisel-verilerin-korunmasi/.

Pursuant to the “Communiqué on Procedures for the Application to the Data Controller”, in order for your application to be accepted as a valid application;

  1. Name, surname, and your signature if the application is in writing,
  2. If you are a citizen of the Republic of Turkey, your Turkish ID number; if you are a foreigner, your nationality, passport number or your identity number, if any,
  • Your residential or business address for the notification,
  1. Your e-mail address, telephone, and fax numbers, if any,
  2. The subject of your request,

must be specified. Otherwise, the application will not be considered as a valid application.

For applications to be made without filling out the application form, the above-mentioned issues must be fully submitted to the Company.

In addition, in order for third parties to make an application request on your behalf, a special power of attorney must be issued by you through a notary public on behalf of the person who will make the application.