Personal Data Protection and Processing Policy

1. Introduction

   LUNA ELEKTRİK ELEKTRONİK SANAYİ VE TİCARET ANONİM ŞİRKETİ (hereinafter referred to as “LUNA” or “Company”), as data controller, pays ultimate attention about protecting the personal information of its customers, employees, and other real persons with whom it is in contact. The processing and protection of personal data is governed by this Policy and other written policies; it is the protection and legal processing of the personal data of our customers, potential customers, suppliers, employees, employee candidates, visitors, employees of the institutions with whom we cooperate, and third parties.

   In this context, necessary administrative and technical measures are taken by the Company for the processing and protection of personal data in accordance with the Personal Data Protection Law No. 6698 and the relevant legislation.

   In this Policy, the following basic principles adopted by the Company for the processing of personal data will be explained below:

   • Processing personal data within the scope of consent,

   • Processing personal data in accordance with the law and principle of good faith,

   • Keeping personal data accurate and up-to-date when necessary,

   • Processing personal data for specific, explicit and legitimate purposes,

   • Processing of personal data in a proportionate, measured manner and for the intended purpose,

   • Preserving personal data for as long as required by the relevant legislation or for the purpose for which they are processed,

   • Clarifying and enlightening the data subject,

   • Setting up the necessary infrastructure for the data subject to exercise their rights,

   • Taking necessary precautions to protect personal data,

   • To act in accordance with relevant legislation and regulations of the Personal Data Protection Authority in determining and implementing the processing purposes of personal data, and transferring them to third parties,

   • Specific regulations of the processing and protection of special categories of personal data

2. Purpose of the Policy 

    The main purpose of the Policy, to make explanations about the personal data processing activity conducted by the Company in accordance with the law and the systems adopted for the protection of personal data and in this context, to provide transparency towards the people with whom our company is related.
   
   

3.  Scope of the Policy   
   
   This Policy; It relates to all personal data of our customers, suppliers, employees, employee candidates, visitors, employees of the institutions we cooperate with and third parties that are processed automatically or non-automatically, provided that they are part of any data recording system.

1. Providing Safety of Personal Data

   According to article 12 of the Personal Data Protection Law, the Company takes the necessary technical and administrative measures to safeguard the data in the appropriate manner according to the nature of the data. For the purposes of preventing the unlawful processing of the personal data it processes, preventing unlawful access to the data, and ensuring its preservation; the Company has implemented a number of technical and administrative measures. In this context, our Company takes administrative precautions to ensure the required level of security in accordance with the guidelines published by the Personal Data Protection Authority (“Authority”), and carries out audits or have them made.

2. Protection of Special Categories of Personal Data

   With the Personal Data Protection Law, particular importance is given to certain types of personal data due to the risk of causing victimization or discrimination when processed unlawfully. Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

   The Company acts sensitively in the protection of special categories of personal data, which is determined as “special category” by the Personal Data Protection Law and processed in accordance with the law.  In this context, the Company ensures the protection of personal data by taking technical and administrative precautions and performing audits as necessary.

3. Supervision of the Measures Taken for the Protection of Personal Data

   The company has ISO 27001 Information Security Management System (ISMS) and ISMS committee. The Committee, on behalf of the Company, which is the data controller, carries out the necessary audits in person in order to ensure the implementation of the provisions of the Law in its own institution or organization, in accordance with its duty arising from Article 12 of the Law. It has done this by receiving assistance from competent institutions when necessary. According to the results of these audits, the violations detected, negativities and non-compliances are reported to the information security officer within the committee and necessary measures are taken regarding these issues. When a company outsources an external service based on technical requirements regarding the storage of personal data, additional agreements are signed with the relevant companies to which the personal data is transferred, as well as with the persons to whom the personal data is transferred, in order to ensure that personal data security measures are taken and that these measures are adhered to within their own organizations. In addition, the Company makes agreements with its personnel to comply with personal data protection measures in recruitment processes and in-house disciplinary policies.
   

4. . Education of the Personnel Regarding the Protection and Processing of Personal Data

   The Company provides its employees with the necessary educations in order to prevent the unlawful processing of personal data, unlawful access to data, and to raise awareness about data protection.

1. Processing of Personal Data in Compliance with the Principles Regulated in the Legislation

   The Company engages in personal data processing in a limited and measured manner, in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, regarding the processing of personal data; the following principles shall be complied within the processing of personal data: in accordance with the law and principle of good faith, taking into account the protection of public health, accurate and up-to-date when needed, specific, for explicit and legitimate purposes, linked to purpose. The Company preserves personal data for as long as required by law or for the purpose of processing personal data. The Company processes the specified personal information of its customers, employees, visitors, supplier company employees and third parties in the form of physical space security; identity information (name, surname, TR identity number, gender, age, date of birth), contact information (e-mail address, telephone number, address information), personnel data, financial data, occupational data, audio-visual data, education data , family members data, health information, information on criminal convictions and security measures, military service information, transaction security information. physical space security. While processing this data, it is processed within the framework of the performance of contracts, fulfillment of work and financial/legal/commercial obligations, as well as enabling the persons whose personal data are processed to benefit from the services of the Company effectively, to develop the product and service diversity, and to be informed about the marketing and innovations as a result of these services. 

   The Company informs the persons whose personal data is processed in accordance with Article 10 of the Personal Data Protection Law and requests the consent of the relevant persons in cases where consent is required, and processes this personal data based on the criteria specified below..

   1. Processing in Compliance with Law and Principle of Good Faith 

      In the processing of personal data, the Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and principle of good faith. In accordance with the principle of being in compliance with the principle of good faith, the Company takes into account the interests and reasonable expectations of the data subjects while trying to achieve its goals in data processing.

   2. Ensuring Personal Data Is Accurate and Up-to-Date When Necessary

      Keeping personal data accurate and up-to-date is necessary for the Company to protect the fundamental rights and freedoms of the person concerned. The Company has an active duty of care to ensure that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open in order to keep the information of the persons whose personal data are processed by the Company accurate and up-to-date.

   3. Processing for Specific, Explicit, and Legitimate Purposes 

      The Company clearly and precisely determines the legitimate and lawful purpose of processing personal data. The Company only processes the amount of personal data required for and pertinent to the activity it performs.

   4. Being Relevant, Limited and Proportionate to the Purposes for which they are processed 

      The Company processes personal data within the scope of the purposes related to the field of activity and necessary for the conduct of its business. For this reason, the Company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related or needed for the realization of the purpose.

   5. Retention for the Time Required for the Purpose of Processing or Regulated in the Relevant Legislation

      The Company retains personal data only for as long as required by the relevant legislation or for the purpose for which they are processed. As part of this process, the Company determines whether the relevant legislation specifies a period for storing personal data. If this period is determined, the Company acts accordingly, if no period has been determined, the Company preserves the personal data that is necessary to fulfill the purpose for which it processes them and for the period specified in the Company’s Internal Retention Policy. The company is based on the retention periods in the personal data inventory, and at the end of the periods specified here, personal data is erased, destroyed or anonymized according to the nature and the purpose of the data, within the framework of the obligations under the Law.

2. Conditions on Processing of Personal Data

   The explicit consent of the person whose personal data is processed is only one of the legal conditions that makes it possible to process personal data in accordance with the law. Apart from explicit consent, personal data may also be processed in the presence of one of the conditions specified in the law. The basis of the personal data processing activity can be only one of the conditions stated below, or more than one of these conditions can be the basis of the same personal data processing activity.

   1.  Explicit Consent of the Personal Data Subject
      One of the conditions for the processing of personal data is the explicit consent of the data subject. Explicit consent of the data subject should be expressed on a specific subject, based on information which was given before and free will. In case any of the following requirements are met for the processing of personal data, personal data may be processed without the data subject’s explicit consent
   2. It is expressly provided for by the laws
   3. In case it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid, the personal data of those specified above shall be processed without explicit consent.
   4. Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contractVeri sorumlusunun hukuki yükümlülüğünü yerine getirebilmesi için zorunlu olması
   5. It is necessary for compliance with a legal obligation to which the data controller is subject
   6. Personal data have been made public by the data subject himself/herself.
       Data processing is necessary for the establishment, exercise or protection of any right.7
   7. Processing of data is necessary for the legitimate interests pursued by the data controller,
      provided that this processing shall not violate the fundamental rights and freedoms of the data subject

   Processing Conditions	Scope	Sample
   Performance of the Contract	Labour Contract, Sales Contract, Contact of Service, Letter of Undertaking etc.	Keeping personnel information of the employee in accordance with the legislation.
   Performance of the Contract	Labour Contract, Sales Contract, Contact of Service, Letter of Undertaking etc.	Drawing up a sales contract on the company’s products
   Civil Liability of the Data Controller	Financial and Administrative Audits, Social Security Legislation, Compliance with Industry Oriented Regulations.	Sharing information in audits specific to areas such as the Social Security Institution.
   Making Public	Data subject submits his/her information to the public.	Announcement of the contact information of the person to be reached in case of emergency.
   Establishment, Exercise or Protection of any right	Mandatory data to be used in business such as filing a lawsuit and request/complaint etc.	Preserving necessary information about an employee who quits the job during the statute of limitations.
   Legitimate Interest	Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject..	Data processing for the purpose of applying rewards and bonuses that increase employee loyalty.

3. Processing of Special Categories of Personal Data

   Special Categories of Personal Data is processed by our Company in accordance with the principles set forth in this Policy, by taking all necessary administrative and technical measures, including the methods to be determined by the Authority, and in the presence of the following conditions:

   1. Special categories of personal data other than health and sexual life may be processed without the explicit consent of the data subject, provided that it is expressly stipulated in the law, in other words, there is an explicit provision in the relevant law regarding the processing of personal data. Otherwise, the explicit consent of the data subject will be obtained.
   2. In accordance with confidentiality obligations, special categories of personal data can be processed without the explicit consent of individuals or authorized institutions and organizations in order to protect public health, to prevent disease, to diagnose, treat, and care patients, to plan and manage health services, and to finance health services. Otherwise, the explicit consent of the data subject will be obtained.

4. Clarification and Enlightenment of the Data Subject

   In accordance with Article 10 of the Personal Data Protection Law, the Company informs the persons whose personal data are processed during the acquisition of personal data. At the time when personal data are obtained, the Company is obliged to inform the data subjects about the identity of the data controller and of its representative, if any, the purpose of processing of personal data; to whom and for which purposes the processed personal data may be transferred, the method and legal basis of collection of personal data, other rights that the data subject have. In this context, Pre-Clarification Information and Clarification Texts have been placed that can be easily seen within the Company and in the common areas. Along with this policy, the customer clarification text, cookie policy and application form are also published on the company website.

5. Transfer of Personal Data

   The Company may transfer the personal data and special categories of personal data of the data subject to third parties by taking the necessary security measures in line with the purposes of processing personal data in accordance with the law. Data can be transferred by the Company to foreign countries that have been declared to have sufficient protection by the Personal Data Protection Authority, or, in the absence of adequate protection, to foreign countries where data controllers in Turkey and the relevant foreign country provide adequate protection in writing and obtain the permission of the Personal Data Protection Authority. The reasons for the transfer are explained below:

   • If there is an explicit regulation in the law regarding the transfer of personal data,
   • If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
   • If personal data transfer is necessary for the Company to fulfill its legal obligations,
   • If personal data transfer is necessary for the establishment, exercise or protection of a right,
   • If personal data transfer is necessary for the Company’s legitimate interests, provided that it does not harm the fundamental rights and freedoms of the person concerned.

In accordance with the Company’s legitimate and lawful processing of personal data, the Company complies with the personal data processing requirements specified in article 5 and article 6 of the Personal Data Protection Law, primarily in article 4 about the processing of personal data. As per the Personal Data Protection Law, all personal data in the following categories, limited to those persons whose data is processed within this Policy, are processed in accordance with the general principles outlined in the Law and all obligations outlined in the Law.
The Company has created a personal data inventory in accordance with the By-Law On Data Controllers Registry issued by the Personal Data Protection Authority. This data inventory includes data categories, data source, data processing purposes, data processing process, recipient groups to which data is transferred, and retention periods. The Company’s inventory of personal data includes, but is not limited to, the following categories of data.

Based on the table above and with the Company Data Retention and Destruction Policy, the Company has determined the Company Personal Data Inventory, which it has formed based on data types used within the scope of data processing activities and internally in the company.

The Company processes personal data limited to the purposes and conditions within the personal data processing conditions specified in paragraph 2 of Article 5 and paragraph 3 of Article 6 of the Personal Data Protection Law.

These purposes and conditions are:

• • Conducting Emergency Management Processes
  • Conducting Data Security Processes
  • Conducting Employee Candidate/Intern/Student Selection and Placement Processes
  • Conducting Application Processes of Employee Candidates
  • Conducting Employee Satisfaction and Loyalty Processes
  • Fulfillment of Employment Contract and Legislative Obligations for Employees
  • Conducting Fringe Benefits and Benefits Processes for Employees
  • Conducting Audit/Ethical Activities
  • Conducting Educational Activities
  • Conducting Access Authorization
  • Conducting Activities in Compliance with the Legislation
  • Conducting Financial and Accounting Activities
  • Conducting Loyalty Processes of Company/Product/Services
  • Providing Physical Area Security
  • Conducting Employment Processes
  • Conducting and Following Legal Affairs
  • Conducting Internal Audit/Investigations/Intelligence Activities
  • Conducting Communication Activities
  • Planning Human Resources Processes
  • Conducting/Inspecting Business Activities
  • Conducting Business Health/Security Processes
  • Receiving and Evaluating Suggestions for Improvement of Business Processes
  • Conducting and Providing Business Continuity and Related Activities
  • Conducting Logistic Activities
  • Conducting Product/Service Processes
  • Conducting After Sales Support Services for Products/Services
  • Conducting Product/Service Sales Processes
  • Conducting Product/Service Production and Operation Processes
  • Conducting Customer Relationship Management Processes
  • Conducting Activities for Customer Satisfaction
  • Organization and Event Management within the Company
  • Conducting Marketing Analysis Studies
  • Conducting Performance Evaluation Processes
  • Conducting Advertisement/Campaign/Promotion Processes
  • Conducting Risk Management Processes
  • Conducting Storage and Archive Activities
  • Conducting Social Responsibility and Civil Society Activities
  • Conducting Contract Processes
  • Conducting Sponsorship Activities
  • Conducting Strategic Planning Activities
  • Following-up Requests/Complaints
  • Ensuring the Security of Movable Property and Resources
  • Conducting Supply Chain Management Processes
  • Conducting Wage Policies
  • Conducting Marketing Processes of Products/Services
  • Ensuring the Security of Data Controller Operations
  • Conducting Work and Residence Permit Procedures of Foreign Personnel
  • Conducting Investment Processes
  • Conducting Talent/Career Development Activities
  • Providing Information to Authorized Persons, Institutions and Organizations
  • Conducting Management Activities
  • Creating and Tracking Visitor Records
  • Carrying out Studies to Improve Service Quality and Providing Better Service,
  • Issuing Invoices for Our Services,
  • Identity Confirmation,
  • Answering Questions and Complaints,
  • Taking the Necessary Technical and Administrative Measures within the Scope of Data Security,
  • Providing financial reconciliation regarding the products and services offered by the relevant business partners and other third parties,
  • Providing the necessary information in line with the requests and inspections of regulatory and supervisory institutions and official authorities,
  • Preserving the information about the data that must be kept in accordance with the relevant legislation,
  • Providing the control of the consistency of the information,
  • In terms of employees; Creation of the personal file, determination of whether he/she is capable of constantly fulfilling the requirements of the job, making private health insurance, creating a health file, taking occupational safety measures,
  • Fulfillment of legal obligations,
  • Execution/follow-up of company financial reporting and risk management transactions

In case it is stipulated in the relevant laws and regulations, the Company keeps personal data for the period specified in these legislations.

If a period of time is not regulated in the legislation regarding personal data storage period, personal data is stored for a period of time that requires it to be kept in accordance with the practices of the Company and the practices of the industry, depending on the activity carried out by the Company while processing that data. It is then deleted, destroyed or anonymized in accordance with the Personal Data Retention and Disposal Policy established by the Company in accordance with the nature of the data.

If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and the Company have expired, personal data can be stored only to provide evidence in possible legal disputes or to assert the relevant right related to personal data or to establish a defense. Storage periods are determined based on the expiry of the statute of limitations and examples in the previous requests made to the Company on the same issues despite the expiry of the statute of limitations. In this case, the stored personal data is not accessible for any other purpose, but only will be accessible to the relevant personal data when it is required to be used in the relevant legal dispute. In the same way as mentioned above; personal data is deleted, destroyed or anonymized after the aforementioned period expires

In accordance with Article 10 of the Personal Data Protection Law, the company notifies the person groups to whom personal data is transferred to the person whose personal data is processed.

in accordance with Articles 8 and 9 of the Personal Data Protection Law, the Company may transfer the personal data of the persons whose personal data are processed under this Policy to the following stakeholder categories:

• Company business partners
• Landis+Gyr Group (of which Luna Eleketrik is part of ) and its global affiliates
• Our direct/indirect domestic/foreign shareholders
• Bank and insurance companies
• Travel agencies
• Hotels
• Education companies
• Company suppliers
• Company officials
• Lawyers and auditor companies
• Legally authorized public institutions and organizations

The scope and the purposes of the transfer are stated below:

1. In order to ensure security, the Company carries out personal data processing activities for monitoring the entrance and exit of guests with security cameras in the Company buildings and facilities.
   Personal data processing is carried out by the Company by using security cameras and recording guest entries and exits.
   The company, within the scope of monitoring with security cameras; It aims to protect the interests of the company and other persons in order to ensure their safety. This monitoring activity is carried out in accordance with the Law on Personal Data Protection and Private Security Services and the relevant legislation. In this context, the information that camera monitoring is performed is announced to all employees and visitors, and people are enlightened. Notifications are posted at the entrances of the monitoring areas. In accordance with Article 12 of the Personal Data Protection Law, the Company takes necessary technical and administrative measures to ensure the security of personal data obtained as a result of camera monitoring

   1. Follow-up of the Guest Entrances and Exits in the Company Building, Facility Entrances and Inside

      Company has been processing personal data by monitoring the entrance and exit of guests in the Company buildings and facilities, for the purpose of ensuring security and for other purposes specified in this Policy. While obtaining the identity data of the persons who come to the Company premises as guests, or through the texts posted by the Company or made available to the guests in other ways, the relevant persons are informed in this context. The data obtained for the purpose of tracking guest entry-exit is processed only for this purpose and the personal data of the relevant person is recorded in the data recording system in the physical environment.

   2. Keeping the Log Records of Internet Access Provided to Guests via Guest Internet Network in Company Facilities

                     For the purpose of ensuring security by the Company and for other purposes specified in this Policy, internet access can be provided to visitors who                       request during their stay in the buildings and facilities. In this case, log records regarding internet access are kept in accordance with the Law No.                           5651 and the mandatory provisions of the legislation regulated in accordance with this Law, and these records are processed only if requested by                           authorized public institutions and organizations or in order to fulfill the relevant legal obligation during the audit processes to be carried out within                       the Company.

1. TERMS OF DISPOSAL (DELETION, DESTRUCTION AND ANONYMIZATION) OF PERSONAL DATA

   Pursuant to Article 138 of the Turkish Penal Code, Article 7 of the Law on Personal Data Protection and the “Regulation on the Deletion, Destruction and Anonymization of Personal Data” issued by the Board, in case the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the relevant law. Personal data is deleted, destroyed or anonymized at the sole discretion of the Company or upon the request of the personal data subject. The company has established a policy in this regard in accordance with the provisions of the regulation, and in accordance with this policy, it destroys according to the nature of the data.

2. RIGHTS OF DATA SUBJECTS ; USE OF THESE RIGHTS

   The Company informs the data subject about their rights in accordance with Article 10 of the Law on Personal Data Protection and guides the data subject on how to use these rights regulated in Article 11. The Company carries out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the Personal Data Protection Law

   1. The Rights of the Relevant Person and the Use of These Rights

      1. Rights of the person whose personal data is processed

         The persons whose personal data are processed have the following rights:

         1. Learning whether personal data is processed or not,
         2. In case the personal data has been processed, requesting information about it,
         3. Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
         4. Knowing the third parties to whom personal data is transferred in the country or abroad,
         5. Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
         6. Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the Law on Personal Data Protection and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
         7. Objecting to a result against the person himself, by analyzing the processed data exclusively through automated systems,
         8. To request the compensation of the damage in case of a loss due to unlawful processing of personal data.

      2. Cases Where the Person whose Personal Data is Processed cannot Assert his Rights

         Persons whose personal data are processed cannot claim their rights listed in 20.1.1. in these matters, since the following cases are excluded from the scope of the KVK Law in accordance with Article 28 of the Law on Personal Data Protection:

         1. Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics,
         2. Processing personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime,
         3. Processing personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
         4. Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings

            Pursuant to article 28/2 of the Personal Data Protection Law; In the cases specified below, the persons whose personal data are processed cannot claim their other rights listed in 20.1.1., except for the right to demand the compensation of the damage:

            1. The processing of personal data is necessary for the prevention of crime or for criminal investigation,
            2. Processing of personal data made public by the person whose personal data is processed,
            3. The processing of personal data is necessary for the execution of inspection or regulation duties and for disciplinary investigation or prosecution by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institution, based on the authority given by the law,
            4. The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters.

      3. The exercise of the rights of the person whose personal data is processed

         Data subjects may submit their requests regarding their rights listed in article 10 (“Rights of the Data subject”) to our Company through the methods determined by the Board.
         Persons whose personal data are processed will be able to submit their requests regarding their rights specified in this Policy to the Company free of charge by filling out and signing the Application Form, with the information and documents that will determine their identity, using the methods specified below or other methods determined by the Personal Data Protection Board. Comprehensive regulation in this regard has been made in the Company Personal Data Application and Response Procedure and Company Clarification Texts.

         • • You can exercise your rights by sending a wet-signed copy of the application form of the relevant person to the address at “10001 SOKAK NO: 9 A.O.S.B. ÇİĞLİ/İZMİR”, or by sending it to lunaelektrik@hs01.kep.tr electronically.

         In order for the above-mentioned application to be accepted as a valid application, in the application pursuant to the Communiqué on Application Procedures to the Data Controller;

         1. Name, surname and signature if the application is written,
         2. For citizens of the Republic of Turkey, T.R. identification number; for foreigners, passport number or identification number, if any,
         3. Domicile or workplace address for notification,
         4. If available, the e-mail address, telephone and fax number for notification,
         5. Subject of the request.

binformation is required. Otherwise, the application will not be considered as a valid application. In the applications to be made without filling out the application form, the issues listed here must be conveyed to the Company in full.

In order for third parties to request an application on behalf of the persons whose personal data are processed, a special power of attorney issued by the relevant person through a notary public on behalf of the applicant must be present.

Explicit Consent : Consent on a specific subject, based on information and expressed with free will.

Anonymization: It is the change of personal data in such a way that it loses its quality as personal data and this situation cannot be undone. Ex: With techniques such as masking, aggregation, data corruption etc. making personal data incapable of being associated with a natural person.

Application Form : “Application Form for Applications to be Made by the Related Person to the Data Controller in accordance with the Law on Protection of Personal Data No. 6698”, which includes the application to be made by the data subjects whose personal data are processed to exercise their rights.

ISMS : Information Security Management System

Employee Candidate : Real persons who have applied for a job to the Company by any means or have opened their resume and related information.

Relevant person : The natural person whose personal data is processed. Ex: Customer, staff.

Employees, Shareholders and Authorities of Collaborating Institutions : Real and legal persons, including shareholders and officials of these institutions, working in institutions (such as but not limited to business partners, suppliers) with which the Company has any business relationship.

Business Partner: Parties with whom the Company has established business partnerships for purposes such as carrying out various projects and receiving services while carrying out its commercial activities.

Processing of Personal Data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system, All kinds of operations performed on data such as classification or prevention of use.

Personal Data : Any information relating to an identified or identifiable natural person. Therefore, the processing of information regarding legal persons is not within the scope of the Law. For example: Name-surname, TCKN, e-mail, address, date of birth, credit card number etc.

Special Categories of  Personal Data : Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. data.

Supplier : Parties that provide services to the Company on a contractual basis, in accordance with the Company’s orders and instructions, while carrying out the Company’s commercial activities.

Third Party : Natural persons whose personal data are processed within the scope of the policy, who are not defined differently within the scope of the policy. For example: Family members, former employees…

Data Processor : The natural and legal person who processes personal data on behalf of the data controller, within the authority given by the data controller. For example: Departments working within the company…

Data Controller : The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system). Within the scope of this policy, LUNA ELEKTRİK ELEKTRONİK SANAYİ VE TİCARET ANONİM ŞİRKETİ is the data controller.

Deletion of Data : It means that all relevant users within the company are encrypted to prevent access to personal data and only the data protection officer has this password.

Destruction of Data : It refers to the complete elimination of personal data, physically or technologically, in a way that cannot be recovered.

Visitor : Real persons who have entered the physical campuses owned by the Company for various purposes or visited our websites.