MEGA INDUSTRY ETHICAL RULES ON THE PROTECTION OF PERSONAL DATA



The Ethical Rules Document on GDPR outlines the ethical rules that will be taken into account by Mega Industry Control Systems in the implementation of the protection and processing of personal data. Within the framework of these ethical rules, it aims to define the framework and legal boundaries of the compliance activities to be carried out specifically for the companies involved in order to ensure compliance with the Law on the Protection of Personal Data No. 6698 regarding the protection and processing of personal data under the responsibility of MEGA Industry. In this context, as Mega Industry Control Systems, it is aimed to continue the pursuit of the principles of legality, honesty and transparency adopted since its establishment, in accordance with the principles of legality, honesty and transparency.

Mega Industry Control Systems, in line with this goal, will establish the necessary structure, procedures and processes for compliance with the Law on the Protection of Personal Data, prepare the legal ground and integrate it into technical applications, and implement the necessary applications to raise awareness among employees and business partners.

1. PURPOSE OF USE OF ETHICAL RULES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

With the GDPR Ethical Rules, it is aimed to ensure the necessary applications within the companies by means of the arrangements that are important for compliance with the GDPR process by Mega Industry Control Systems. In this context, the Ethical Rules Document in this context is a guide for Mega Industry Control Systems on how and in what way to implement the rules laid down by the Law on the Protection of Personal Data and the relevant legislation during the compliance process. In this direction, both companies will make the necessary arrangements within themselves to comply with this ‘Ethical Rules Document’ and periodically operate internal audit mechanisms to ensure compliance with the GDPR Ethical Rules and ensure the continuity of compliance with the ‘Ethical Rules’.

One of the most important issues for Mega Industry Control Systems is to act in accordance with the legislation in the processing of personal data. In this context, Mega Industry Control Systems will primarily act in accordance with the principles outlined below in the processing of personal data in accordance with the Constitution and the GDPR.

a) Engaging in Personal Data Processing Activities in Accordance with Law and Fairness
Mega Industry Control Systems will engage in personal data processing activities in accordance with law and fairness, accurate and up-to-date when necessary, as well as for specific, explicit and legitimate purposes, in a way that is related to the intended purpose, limited and proportionate, in accordance with Article 4 of the GDPR. In this context, Mega Industry Control Systems will take into account the proportionality requirements in the processing of personal data and will not use personal data beyond what is required for the intended purpose.

b) Ensuring the Accuracy and Updating of Personal Data When Necessary
Mega Industry Control Systems will ensure the accuracy and updating of the personal data it processes by taking into account the fundamental rights of the personal data subjects, its employees, consultants, and all individuals and organizations that own their personal data, and will establish systems aimed at protecting all data and information in the safest way possible by taking necessary measures in this direction.

c) Processing for Specific, Explicit and Legitimate Purposes
Mega Industry Control Systems will only process personal data for legitimate and lawful reasons. Mega Industry Control Systems will process and protect personal data only within the legal limits, in connection with the activities it carries out and to the extent necessary. The purpose, method, and location of personal data processing by Mega Industry Control Systems will be determined before the start of the personal data processing activity, and the process will be managed in accordance with the ethical rules and the law regarding personal data processing.

d) Personal Data Must Be Related to the Purpose for Which It Is Processed, Limited
Mega Industry Control Systems will process personal data in a manner consistent with the achievement of the intended purposes and will avoid processing personal data that is not relevant to or necessary for the achievement of the determined goal. Data that is not relevant to the intended purpose will not be processed.

e) Preservation of Personal Data
In accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the GDPR, Mega Industry Control Systems will keep the personal data it processes only for the period stipulated in the relevant legislation and laws or as required by the purpose of personal data processing. In this context, Mega Industry Control Systems will first determine whether there is a specific period stipulated in the relevant legislation for the storage of personal data, if any, will act in accordance with that period, and if no period is determined, will store the personal data for the period necessary to achieve the purpose of personal data processing. Upon the expiry of the period or the disappearance of the reasons requiring the processing, the personal data will be deleted, destroyed, or anonymized by Mega Industry Control Systems. Personal data will not be stored by Mega Industry Control Systems for possible future use.

f) Requirements to be Followed in the Transfer of Personal Data Mega Industry Control Systems must comply with the rules given below regarding the sharing of personal data, including special category personal data.

a. Sharing of Personal Data Domestically
Mega Industry Control Systems will transfer the data subject's personal data to third parties in accordance with the purposes of personal data processing and only after taking the necessary security measures. In this direction, Mega Industry Control Systems will design the necessary processes to act in accordance with the conditions stipulated in Article 8 of the GDPR and will continue the entire process securely and within the legal limits.
b. Transfer of Personal Data Abroad
Mega Industry Control Systems will take the necessary security measures in accordance with the processing purposes when transferring personal data abroad. Mega Industry Control Systems will only share personal data with foreign countries declared by the Data Protection Authority to have adequate protection or, in the event of a lack of adequate protection, with foreign countries where the data controllers in Turkey and the relevant foreign country have provided adequate protection in writing and have obtained the consent of the Data Protection Authority. In this direction, Mega Industry Control Systems will design the necessary processes to act in accordance with the regulations stipulated in Article 9 of the GDPR and will implement them afterwards.

2. MEGA INDUSTRY'S OBLIGATIONS REGARDING THE PROTECTION AND PROCESSING OF PERSONAL DATA

a. Obligation to Register in the Data Controller Registry

Mega Industry Control Systems must register in the data controller registry by 31.12.2019 before starting data processing. The following information must be provided in the application for registration in the Data Controller Registry:

• Identity and address information of Mega Industry Control Systems and, if any, its representative as the data controller.
• The purpose for which the personal data will be processed.
• Explanations about the data subject group and groups and the data categories related to these individuals.
• Recipient or recipient groups to whom personal data may be transferred.
• Personal data that is planned to be shared with foreign countries.
• Measures taken regarding personal data security.
• The period for which the personal data is processed (the period until destruction).
• Obligation to Inform the Data Subject

Mega Industry Control Systems will inform the personal data subject about the following matters during the collection of personal data.

• Identity of Mega Industry Control Systems companies' representatives as the data controller,
• The purpose for which personal data will be processed,
• To whom and for what purpose personal data may be transferred,
• The method and legal grounds for collecting personal data,
• The rights of the personal data subject:
• To learn whether personal data is processed or not,
• To learn the purpose of processing and whether it is used in accordance with the purpose,
• To know the individuals to whom personal data is transferred,
• To request correction in the event of incomplete or incorrect processing and, if the conditions are met, to request the deletion of personal data and to have this request transmitted to third parties,
• To object to the processing of the data through automated systems that result in a decision against them,
• To demand compensation for damages if they suffer damage due to unlawful processing.

In this context, Mega Industry Control Systems will identify personal data collection channels to fulfill the obligation to inform, enlighten the data subject with the scope and conditions required by the GDPR for these collection activities in terms of enlightenment points and texts, and design processes accordingly.

b. Obligation to Ensure the Security of Personal Data
Mega Industry Control Systems, being aware of the importance of ensuring security in every way, will take the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of the personal data they process, prevent unauthorized access to the data, and ensure the protection of the data, in accordance with Article 12 of the GDPR, and will conduct the necessary audits in this context. In this context, Mega Industry Control Systems will set up the necessary systems to take the measures listed below, periodically audit these systems both legally and technically, and take measures to eliminate the risk in question without delay in cases where security poses a risk.

I. Taking Technical and Administrative Measures to Ensure Legitimate Data Processing
Mega Industry Control Systems will take the necessary technical and administrative measures, including technological capabilities, to ensure the lawful processing of personal data.

II. Technical Measures to be Taken to Ensure the Legitimate Processing of Personal Data

a. All processes related to personal data processing activities carried out by the business units within Mega Industry Control Systems should be analyzed, and a "personal data processing process plan" should be created in this context. The legality of all activities carried out by Mega Industry Control Systems business units from data collection to deletion will be audited.
b. The personal data processing activities carried out within Mega Industry Control Systems will be monitored by the technical systems established.
c. The technical measures taken will be reported to the relevant party periodically as part of the internal audit mechanism and will be continuously monitored.

III. Administrative Measures to be Taken to Ensure the Legitimate Processing of Personal Data

a. Mega Industry Control Systems will inform and train its employees on personal data protection law and the lawful processing of personal data.
b. Records will be included in the contracts and other documents that govern the legal relationship between Mega Industry Control Systems and its employees, obligating them not to process, disclose, or use personal data in a manner that violates the regulations in the GDPR.
c. Access to personal data should be limited to the relevant company employee in accordance with the purpose of processing, and not every employee will have access to all personal data kept within Mega Industry Control Systems.
d. All activities carried out by Mega Industry Control Systems will be analyzed in detail, especially for each business unit, and as a result of the analysis, personal data processing activities will be determined for the commercial activities carried out by the relevant business units.
e. The conditions for ensuring the compliance of each department's activities with the personal data processing conditions stipulated in the GDPR should be identified for each department and the detailed activities it carries out.
f. In order to ensure the legal compliance process determined for each department, Mega Industry Control Systems will raise awareness among the relevant departments and determine application rules. Mega Industry Control Systems will take the necessary administrative measures to monitor this and ensure the continuity of the application, and will implement policies, procedures, ethical rules, and trainings.

IV. Taking Technical and Administrative Measures to Prevent Unauthorized Access to Personal Data

Mega Industry Control Systems will take the necessary technical and administrative measures to prevent personal data from being disclosed, viewed, transferred, or otherwise obtained unlawfully by third parties due to carelessness or unauthorized access, taking into account the nature of the data to be protected and technological capabilities.

V. Technical Measures to be Taken to Prevent Unauthorized Access to Personal Data

a. Technical measures will be taken in accordance with technological developments, and the measures taken will be periodically updated and renewed.
b. Mega Industry Control Systems will implement technical solutions for access and authorization in accordance with legal requirements on a departmental basis.
c. The technical measures taken will be reported to the relevant party periodically as part of the internal audit mechanism, and the risky issues will be reassessed and the necessary technological solutions will be produced.
d. Software and hardware, including virus protection systems and firewalls, and related software and systems including logging will be established.
e. Personnel knowledgeable in technical matters will be employed.
VI. Administrative Measures to be Taken to Prevent Unauthorized Access to Personal Data
a. Mega Industry Control Systems employees will be trained on the technical measures to be taken to prevent unauthorized access to personal data.
b. Mega Industry Control Systems will design and implement access and authorization processes within the management level on a departmental basis in accordance with legal requirements.
c. Mega Industry Control Systems will obtain the necessary commitments from its employees that they will not disclose the personal data they learn to others in violation of the GDPR provisions, that they will not use it for purposes other than the purpose of processing, and that this obligation will continue even after they leave their jobs.
d. Mega Industry Control Systems will include provisions in the contracts concluded with the individuals to whom personal data is transferred, stating that the individuals to whom personal data is transferred will take the necessary security measures to protect personal data and that they will ensure compliance with these measures.

VII. Audit of Measures Taken Regarding the Protection of Personal Data
Mega Industry Control Systems will establish systems to audit the functioning of the technical and administrative measures it will take and to calculate all kinds of risks. The results of this audit should be reported to the relevant department and legal counsel within Mega Industry Control Systems's internal operations, and the necessary activities should be carried out to improve the measures taken. Mega Industry Control Systems will design and implement the necessary processes to increase the awareness and audit of its departments, business partners, and suppliers regarding the protection and processing of personal data.

VIII. Measures to be Taken in the Event of Unauthorized Disclosure of Personal Data
Mega Industry Control Systems is obligated to notify the relevant personal data subject and the Data Protection Authority as soon as possible in the event that the processed personal data is obtained by others through unlawful means. In this context, the necessary internal structure will be established and the relevant persons will be appointed.
g) Obligation to Inform the Data Subject

Personal data subjects have the right to apply in writing or by other methods determined by the Data Protection Authority, if necessary, to request information about their own data. In this context, Mega Industry Control Systems will establish and implement the necessary application channels, evaluation of applications, internal operations, answering applications within the time limits stipulated in the Law, and other administrative and technical regulations regarding the evaluation of the rights of personal data subjects and the provision of necessary information to personal data subjects in accordance with the GDPR.

Data subjects in this context:

• To learn whether personal data is processed or not,
• To request information if personal data has been processed,
• To learn the purpose of processing personal data and whether it is used in accordance with the purpose,
• To know the third parties to whom personal data is transferred domestically or abroad,
• To request correction of incomplete or incorrect processing of personal data and to have the operation carried out in this context notified to third parties to whom personal data is transferred,
• To request the deletion or destruction of personal data if, although processed in accordance with the GDPR and relevant other legal provisions, the reasons requiring processing have ceased to exist, and to have the operation carried out in this context notified to third parties to whom personal data is transferred,
• To object to the processing of data solely through automated systems that result in a decision against them,
• To demand compensation for damages if they suffer damage due to unlawful processing of personal data.

If personal data subjects submit their requests regarding the rights listed above to Mega Industry Control Systems in writing, Mega Industry Control Systems will finalize the relevant request as soon as possible and no later than thirty days free of charge, depending on the nature of the request.
When finalizing the relevant application, Mega Industry Control Systems will provide information in a language and format that the individual can understand, and the relevant person will be informed.
Mega Industry Control Systems may accept the application or, giving reasons, reject it. Mega Industry Control Systems will issue necessary warnings and raise awareness within itself about the personal data subject's right to complain to the Data Protection Authority within 30 days in case their application is rejected, they find the response given insufficient, or no response is received to the application within the specified time.

MEGA INDUSTRY'S COMPLIANCE PROCESS WITH THE ETHICAL RULES ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

Articles to be Applied by Mega Industry Control Systems for Compliance with the GDPR and Related Legislation:

• Mega Industry Control Systems will carry out the necessary systems and preparations to act in accordance with the GDPR and related legislation in line with the entry into force periods of the GDPR.
• Mega Industry Control Systems will establish the necessary mechanisms to ensure compliance with the regulations contained in this Ethical Rules Document and, in this context, Mega Industry Control Systems;
• Will establish and implement the necessary processes for registration in the data controller registry in accordance with Article 16 of the GDPR.
• Will enlighten personal data subjects during the collection of data in accordance with Article 10 of the GDPR and will provide the necessary information if personal data subjects request information.
• Personal data will be processed in accordance with one or more of the processing conditions in the law and in accordance with the personal data processing principles stipulated in Article 4 of the GDPR and this ethical rules document, as required by Article 5 of the GDPR.
• The regulations in Article 6 of the GDPR will be strictly adhered to in the processing of special category personal data, and special category data will not be requested from the data subject unless it is mandatory for the performance of the activities.
• The regulations stipulated in Articles 8 and 9 of the GDPR will be followed regarding the transfer of personal data.
• The necessary security systems for the protection of personal data will be established in accordance with Article 12 of the GDPR.
• The necessary systems will be established for the deletion, destruction, and anonymization of personal data in accordance with Article 7 of the GDPR.