RENWORLD
Access Our Catalog

1. Introduction

As Renworld Energy Technologies Industry and Trade Inc. ("Our Organization"), we prioritize the security of your personal data. With this awareness, we are committed to processing and preserving all kinds of personal data related to you in the best possible way and with utmost care. Acknowledging this responsibility, we process your personal data within the framework outlined below, in compliance with the Personal Data Protection Law No. 6698 ("Law") and related legislation as a Data Controller.

To provide you with high-standard services, we collect your personal data verbally, in writing, visually, or electronically, depending on the nature of the service provided, through channels such as call centers, the internet, mobile applications, physical locations, and similar means.

In this context, the personal and technical data primarily required for the execution of all proposals, inspections, tests, and fault analysis services are listed as follows:

• Your identity data, such as name, surname, national ID number, passport number or temporary national ID number if you are not a Turkish citizen, place and date of birth, marital status, and gender, as well as a photocopy of your national ID card or driver’s license.
• Your contact data, such as address, phone number, and email address.
• Your financial data, such as bank account numbers and IBAN.
• Data obtained during the provision of our services, including certification laboratory test results, power plant performance data, and product recipe information submitted for monitoring purposes.
• Responses and feedback you provide to evaluate our services.
• Audio and visual recordings captured during your visits to our administrative buildings and work areas through closed-circuit camera systems.
• Audio recordings of your calls with our call center.
• Bank, insurance, and Social Security Institution data provided for the financing and planning of our services.
• Browsing information, IP address, browser details, medical documents you share voluntarily, surveys, forms, and location data obtained during your use of our website and mobile application.

The above-mentioned “Personal and Sensitive Data” may be meticulously stored in physical and electronic archives within Renworld, in compliance with relevant legal provisions.

1.1. Purpose of the Policy

As Renworld, we place utmost importance on the lawful processing and protection of personal data under the Personal Data Protection Law No. 6698 (KVKK), secondary regulations, KVK Board Decisions, and other legal provisions. This sensitivity is reflected in all our planning and activities.

Our Vision:

We recognize our significant responsibility to protect energy resources while using them to ensure the right of future generations to live a quality life.

In terms of sustainability, we are committed to being a globally leading and reputable solution partner that symbolizes trust in project inspection and certification services throughout the entire value chain of renewable energy plants, contributing to our country’s development and adding value to all our stakeholders.

We provide unrivaled and innovative solutions to maintain these responsibilities while addressing the needs of our customers and stakeholders.

Our Mission:

To offer innovative solutions that inspire and set new standards in terms of safety, reliability, efficiency, circularity, ease of use, and sustainability.

To provide accredited inspection and supervision services recognized and trusted on a national and international scale, helping our customers and stakeholders adopt solar energy and storage solutions worldwide and playing an active role in setting international standards and shaping the renewable energy landscape for a better future.

To ensure transparency in line with Article 10 of the KVKK and to inform Data Subjects of the administrative and technical measures we have adopted to process and protect personal data, this Personal Data Processing and Protection Policy ("Policy") has been prepared.

1.2. Scope and Relevant Individuals

This Policy applies to all personal data processed by our Organization, whether through automated means or non-automated means as part of a data recording system, including employees, employee candidates, auditors, employees and customers of audited organizations, visitors, and other third parties whose personal data is processed by our Organization.

This Policy does not apply to legal entities or data related to legal entities.

1.3. Implementation of the Policy and Relevant Legislation

Legal regulations in force concerning the processing and protection of personal data will primarily apply. In case of any conflict between the provisions of this Policy and current legislation, our Organization acknowledges and undertakes to apply the provisions of the legislation in force. This Policy concretizes and regulates the rules set forth by the relevant legislation within the scope of our Organization's practices.

2. Processing and Transfer of Personal Data

2.1 General Principles for Processing Personal Data

Our Organization processes personal data in compliance with the procedures and principles stipulated in the Law and this Policy. While processing personal data, our Organization adheres to the following principles:

2.1.1. Processing in Accordance with the Law and Rules of Good Faith

Personal data is processed in compliance with applicable legal rules and the requirements of the principle of good faith.

2.1.2. Ensuring the Accuracy and, Where Necessary, the Up-to-Date Status of Personal Data

While carrying out personal data processing activities, our Organization has systems and processes to ensure the accuracy and currency of the personal data it processes. This includes determining the sources of personal data, verifying their accuracy, and evaluating whether they need to be updated. In this regard, data subjects can apply to our Organization to ensure that their personal data is continuously kept accurate and up-to-date.

2.1.3. Processing for Specific, Explicit, and Legitimate Purposes

Personal data is processed for specific, explicit, and legitimate purposes by our Organization. Legitimate purposes mean that the personal data processed by our Organization are relevant and necessary for the work it performs or the services it provides. Our Organization informs data subjects of its specific, explicit, and legitimate purposes via this policy and other documents before the data processing activity begins.

2.1.4. Being Relevant, Limited, and Proportional to the Purposes for Which They Are Processed

Our Organization processes personal data within the scope of its business activities and only for purposes necessary for the execution of its operations. The data processed is limited to what is necessary to achieve the purpose. Excessive personal data that is not required for the purpose of processing is not processed. In this context, the personal data processed is relevant, limited, and proportional to the purpose for which it is processed.

2.1.5. Retaining Data for the Period Required by Relevant Legislation or for the Purpose for Which They Are Processed

Our Organization complies with the periods prescribed by relevant legislation for the retention of data; otherwise, it retains personal data only for the duration necessary for the purpose for which they are processed. If there is no valid reason to retain the data further, the data is deleted, destroyed, or anonymized.

3. Conditions for Transferring Personal Data

Your personal data may be transferred, for the purposes specified in this Policy, to legally authorized public institutions and organizations, suppliers, business partners, and other relevant persons or entities involved in providing/receiving services. Such transfers are conducted in a manner that is limited, relevant, and proportional to the purpose of processing, in accordance with the conditions and purposes for personal data processing stipulated in Articles 8 and 9 of the Personal Data Protection Law (KVKK).

Personal data may be transferred to third parties if:

• The explicit consent of the data subject is obtained;
• A clear regulation in the law mandates the transfer of personal data;
• It is necessary to protect the life or physical integrity of the data subject or another person;

or if the data subject cannot express consent due to physical impossibility or lack of legal validity in their consent,

• The transfer of personal data is directly related to the establishment or performance of a contract;
• The transfer is necessary for our Organization to fulfill its legal obligations;
• The personal data has been made public by the data subject;
• The transfer is necessary for the establishment, exercise, or protection of a legal right;
• Provided it does not harm the fundamental rights and freedoms of the data subject,

the transfer of personal data is necessary for the legitimate interests of our Organization.

3.1 Conditions for Transferring Sensitive Personal Data

If sensitive personal data is provided to our Organization without being requested, such data is immediately destroyed and not shared with any third party or institution.

By taking necessary precautions, ensuring security measures, and complying with the sufficient measures prescribed by the Board, our Organization may transfer the sensitive personal data of the data subject to third parties under the following conditions, provided the data is processed for legitimate and lawful purposes:

a. With the explicit consent of the data subject, or

b. Without the explicit consent of the data subject under the following conditions:

• Sensitive personal data other than those related to the data subject's health and sexual life (e.g., philosophical beliefs, religion, sect, or other beliefs, criminal convictions, and security measures) may be transferred in cases stipulated by law.
• Sensitive personal data related to the data subject's health and sexual life may be transferred for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, and care services, or planning and managing healthcare services and their financing, but only by persons or organizations bound by confidentiality obligations or authorized institutions and organizations. For example, transfers may be made by our workplace physician to hospitals.

3.2 Transfer of Personal and Sensitive Personal Data Abroad

Our Organization does not transfer personal data abroad.

4. Purposes of Processing and Transferring Personal Data, Recipients

4.1 Purposes of Processing and Transferring Personal Data

Personal data is processed in compliance with the law and for the purposes of our Organization, including but not limited to:

• Ensuring Compliance with Legal Regulations
• Conducting Business Continuity Activities
• Managing Communication Activities
• Carrying Out Business Activities/Monitoring
• Promoting, Announcing, and Sharing Corporate Activities with Relevant Parties
• Executing Performance Evaluation Processes
• Managing Employee Satisfaction and Engagement Processes
• Carrying Out Assignment Processes
• Executing Human Resources Processes
• Fulfilling Employment and Legal Obligations for Employees
• Managing Training Activities
• Conducting Internal Auditing/Inquiry/Intelligence Activities
• Ensuring Physical Space Security
• Managing Information Security Processes
• Executing Risk Management Processes
• Creating and Tracking Visitor Records
• Collecting and Evaluating Suggestions for Improving Business Processes
• Managing Talent/Career Development Activities
• Carrying Out Accreditation Activities
• Processing Payments
• Issuing Certificates
• Managing DTU Acquisition Processes
• Tracking Participation
• Conducting Audit/Ethics Activities
• Handling Requests/Complaints/Appeals/Information Requests
• Managing Goods/Services Procurement Processes
• Monitoring and Conducting Legal Procedures
• Managing Application Processes for Job Candidates
• Executing Employee Benefits Processes
• Managing Compensation Policies
• Managing Emergency Management Processes

Personal data is processed under the conditions specified in Articles 5 and 6 of the Law, including but not limited to:

• The inability to obtain explicit consent due to factual impossibility.
• Data processing being necessary for the establishment or execution of a contract directly related to the data subject.
• The necessity of data processing to fulfill the data controller’s (Organization’s) legal obligations.
• The necessity of data processing to establish, use, or protect a legal right.
• Data processing being necessary for the legitimate interests of the data controller, provided it does not infringe on the fundamental rights and freedoms of the data subject.

In cases where none of the conditions specified by the Law are met, explicit consent is obtained from the data subject for the data processing activities performed for the aforementioned purposes.

4.2 Recipients of Personal Data

Personal data may be shared, with the explicit consent of the data subject, with public and authorized institutions, suppliers, accredited organizations or those in the accreditation process, audit team members, UDKs, and other relevant parties, limited to the purpose of ensuring complete and flawless service delivery.

Aside from explicit consent, personal data may only be shared with third parties who must access the relevant information to ensure complete and flawless service delivery. Additionally, data may be shared with other third parties when necessary to comply with the Organization’s legal obligations, as explicitly stipulated by laws, or based on a lawful judicial or administrative order. In such cases, personal data will only be shared with the relevant individual or institution.

5. Methods of Collecting, Deleting, Destroying, Anonymizing, and Retaining Personal Data

5.1. Methods of Collecting Personal Data

To ensure compliance with Article 1, which outlines the purpose of the Law, and Article 2, which defines its scope, personal data may be collected through automated or non-automated means as part of a recording system. Personal data may be collected via internet access within our Organization, through identification documents, license plate information, closed-circuit cameras located in our buildings, reference contacts provided by you (based on the Organization’s legitimate interests), corporate emails, emails sent to our employees, and various technical and other methods such as our Organization’s website. These data are collected electronically, in writing, or verbally for purposes stated in this Policy and processed by our Organization or data processors appointed by our Organization to fulfill legal obligations derived from legislation, contracts, requests, or requirements in a complete and accurate manner.

5.2. Deleting, Destroying, or Anonymizing Personal Data

In accordance with the relevant provisions of the Law and other applicable regulations, our Organization will delete, destroy, or anonymize personal data upon the elimination of the reasons requiring its processing, either ex officio or upon the request of the data subject. Detailed regulations regarding the deletion, destruction, and anonymization of personal data are included in our Organization’s Personal Data Retention and Destruction Policy.

Deletion of personal data ensures that it cannot be recovered or reused. Data stored in physical or digital formats (e.g., documents, files, CDs, disks, hard drives) is erased in an irreversible manner. Destruction of personal data involves completely eliminating storage mediums so that the data cannot be recovered or used again. Anonymization ensures that personal data can no longer be associated with an identified or identifiable person, even if combined with other datasets.

5.3. Retention Period for Personal Data

Our Organization retains personal data for the period specified in the relevant legislation. If no such period is stipulated, the data is retained for as long as necessary for the purposes of processing during the relevant activities and subsequently deleted, destroyed, or anonymized.

When the purpose of processing personal data ceases and the retention periods stipulated by applicable legislation or determined by our Organization expire, personal data may still be retained solely for the purpose of serving as evidence in potential legal disputes, asserting rights related to the data, or establishing a defense. Retention durations in such cases are determined based on statutes of limitations for asserting the related rights. After the expiration of these periods, personal data is anonymized, drawing on examples from similar requests previously directed to our Organization. During this retention period, data is accessed solely for legal disputes when necessary and for no other purpose. Once the statute of limitations expires, the personal data is deleted, destroyed, or anonymized.

Detailed regulations regarding the retention, deletion, destruction, and anonymization of personal data are included in our Organization’s Personal Data Retention and Destruction Policy.

6. Personal Data Protection Measures

Our Organization, in compliance with Article 12 of the Law, takes necessary technical and administrative measures to ensure an appropriate level of security to prevent unlawful processing of personal data, unlawful access to data, and to safeguard the data. Accordingly, necessary audits are conducted or commissioned.

6.1 Ensuring the Security of Personal Data

Our Organization adopts technical and administrative measures based on technological capabilities and implementation costs to ensure the lawful processing of personal data.

6.1.1. Technical Measures to Ensure Lawful Processing and Prevent Unauthorized Access

• Network and application security is ensured.
• Closed system networks are used for personal data transfers via the network.
• Key management is implemented.
• Security measures are taken during the procurement, development, and maintenance of IT systems.
• Cloud systems are not used.
• Authorization matrices for employees are established.
• Access logs are maintained regularly.
• Data masking is applied when necessary.
• Permissions are revoked upon role changes or employee departures.
• Updated antivirus systems are utilized.
• Firewalls are deployed.
• Necessary security measures are implemented for physical environments containing personal data.
• Data loss prevention software is used.
• Penetration testing is conducted.
• Data encryption is applied.
• Intrusion detection and prevention systems are utilized.
• Portable media containing sensitive personal data is encrypted when needed.
• Personal data is backed up, and backup security is ensured.
• User account management and authorization controls are applied and monitored.
• Log records are kept without user interference.
• Existing risks and threats are identified.
• Cybersecurity measures are in place and continuously monitored.

6.1.2. Administrative Measures to Ensure Lawful Processing and Prevent Unauthorized Access

• Personal data security issues are reported promptly.
• Disciplinary regulations include data security provisions.
• Periodic training and awareness programs on data security are conducted for employees.
• Confidentiality agreements are signed.
• Contracts include data security provisions.
• Additional security measures are applied for personal data transmitted on paper, and such documents are sent as classified materials.
• Personal data security policies and procedures are defined.
• Security of personal data-containing environments is ensured against external risks (e.g., fire, flood).
• Periodic and random internal audits are conducted.
• Protocols and procedures for securing sensitive personal data are established and enforced.
• Emails containing sensitive personal data are encrypted and sent via secure corporate email accounts.

6.1.3. Storing Personal Data in Secure Environments

Our Organization stores personal data in secure electronic or non-electronic environments appropriate to the nature of the data. Necessary technical and administrative measures are taken to prevent unlawful destruction, loss, or alteration of personal data.

6.1.4. Measures in Case of Unauthorized Disclosure of Personal Data

In case personal data processed in accordance with KVKK is unlawfully accessed by others, our Organization will notify the data subject and the Personal Data Protection Board as soon as possible. If deemed necessary by the Board, this situation may be announced on the website of the Personal Data Protection Authority or through other methods.

6.2. Monitoring Measures for Personal Data Protection

Our Organization, in compliance with Article 12 of the Law, conducts or commissions necessary audits. A dedicated committee within our Organization oversees the lawful processing of personal data and reports its findings to relevant departments to ensure improvement in measures taken.

6.3. Protection of Sensitive Personal Data

The Law assigns special importance to certain personal data that may cause discrimination or harm individuals if processed unlawfully. These include data on race, ethnicity, political opinion, religion, association membership, health, sexual life, criminal record, and biometric and genetic data. Our Organization takes utmost care to protect sensitive personal data and ensures the technical and administrative measures applied to personal data are rigorously implemented for sensitive personal data. Regular audits are conducted to ensure compliance.