Within the scope of Law No. 6698 on the Protection of Personal Data (“Law” or “LPPD”), as the Firm FOL YAZILIM A.Ş. (“Firm” or “Company”), the processing and protection of personal data in accordance with the law is among our most important priorities. We follow the same priority in all our planning and business activities. In this context, in accordance with Article 10 of the Law, we hereby present this Policy on Processing and Protection of Personal Data (“Policy”) for your information in order to enlighten you and to inform you of all administrative and technical measures we will implement within the scope of processing and protection of personal data.
This Policy determines the conditions for processing personal data and sets out the principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, all personal data processed and the owners of this data.
|Consent on a specific issue, based on information and freely explained and given.
|Making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
|Real persons who do not work for the company but have the status of employee candidate.
|Any information relating to an identified or identifiable natural person.
|The natural person whose personal data is processed.
|Processing of Personal Data
|Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making
|available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
|Law No. 6698 on the Protection of Personal Data (LPPD) published in the Official Gazette dated April 7, 2016 and numbered 29677.
|Special Categories of Personal Data
|Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
|Policy on Processing and Protection of Personal Data of the Firm / Company……
|The Firm ……………… the Company………………
|A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
|The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically.
|Data Recording System
|It is a recording system where personal data is structured and processed according to certain criteria.
|Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of its commercial activities.
This Policy issued by the Company entered into force on 10.01.2023 and was presented to the public. In case of conflict between the legislation in force, especially the Law, and the regulations in this Policy, the
provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in parallel with legal regulations. The current version of the Policy can be accessed from the Company (https://www.river.com.tr/eng) website.
Data subjects within the scope of the Policy are all natural persons, other than the Company’s employees, whose personal data are processed by the Company. In general, data subjects can be listed as follows:
|Data Subject Categories
|It refers to real persons who benefit from the products and services offered by the Company and real persons who show interest in the products and services offered by the Company and have the potential to become customers.
|Company Shareholder, Company official, Group Company
Employee/Shareholder/Authorized Persons/Members of the Board of Directors White collar, blue collar, Former Employee/Retired, Employee Candidate, Active Intern, Intern Candidate
|Refers to real persons who show interest in the products and services offered by the Company and have the potential to become customers.
|Refers to real persons who apply for a job by sending a CV to the Company or by other methods.
|Refers to people who visit the Company for any reason.
|It refers to real persons other than the employees of the Company as well as the categories of data subjects mentioned above.
The categories of data subjects described in the table above are indicated for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate the nature of the data subject as stated in the Law.
Managing relationships with business partners.
Personal data categorized by the Company as follows are processed in accordance with the personal data processing conditions in the Law and the relevant legislation:
|Information contained in documents such as driver’s license, identity card, residence card, passport, lawyer ID, marriage certificate.
|Information used to contact the person (e.g. e-mail address, phone number, cell phone number, address).
|Information that enables the location of the data subject to be determined (e.g. location information obtained when driving).
|Information about customers who benefit from our products and services (e.g. customer number, occupation, etc.).
|Customer transaction information
|Information on all kinds of transactions made by customers who benefit from our products and services.
|Physical space security knowledge
|Personal data related to records and documents such as camera recordings, fingerprint records taken at the entrance to the physical space, during the stay in the physical
|Transaction security knowledge
|Personal data processed to ensure technical, administrative, legal and commercial security while conducting the Company’s commercial activities.
|Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the personal data subject.
|Employee candidate information
|Personal data processed in relation to individuals who have applied to become an employee of the Company or who have been evaluated as employee candidates in line with human resources needs in accordance with commercial practices and honesty rules or who are in a working relationship with the Company.
|Legal process and compliance knowledge
|Personal data processed within the scope of determination, follow-up and fulfillment of the Company’s legal receivables and rights, and compliance with its legal
obligations and company policies.
|Audit and inspection knowledge
|Personal data processed within the scope of the Company’s legal obligations and compliance with company policies.
|Special categories of data
|Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or
other beliefs, appearance and dress, membership of associations, foundations or trade
|unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
|Personal data processed for the marketing of the products and services offered by the Company by customizing them in line with the usage habits, tastes and needs of the personal data subject, and the reports and evaluations created as a result of these processing results.
|Knowledge of request/complaint management
|Personal data regarding the receipt and evaluation of any request or complaint addressed to the Company.
|Knowledge of reputation management
|Information collected for the purpose of protecting the Company’s commercial reputation and information about the evaluation reports and actions taken.
|Knowledge of incident management
|Personal data processed in order to take the necessary legal, technical and administrative measures against the events that develop in order to protect the commercial rights and interests of the Company and the rights and interests of its customers.
In accordance with Article 4 of the Law on the processing of personal data, pursuant to the law and honesty rules, the company carries out personal data processing activities in accordance with the law and honesty rules, in an accurate and, where necessary, up-to-date, specific, clear and legitimate purposes, in connection with the purpose, in a limited and measured manner. The company retains personal data for the period stipulated by law or required by the purpose of personal data processing.
The company enlightens data subjects in accordance with Article 10 of the LPPD and processes this personal data based on the following principles by requesting consent from data subjects in cases where consent is required.
The Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In accordance with the principle of compliance with the rule of honesty, the Company takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing.
Keeping personal data accurate and up-to-date is necessary for the Company to protect the fundamental rights and freedoms of the person concerned. The Company has an active duty of care to ensure that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open for the Company to keep the information of the data subject accurate and up-to-date.
The company clearly and precisely determines the legitimate and lawful purpose of personal data processing. It processes personal data in connection with and necessary for the commercial activity it carries out.
The company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, First of all, it determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, if a period is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by the
Company after the purpose of personal data processing disappears or upon expiration of the period stipulated in the legislation.
In the presence of at least one of the personal data processing conditions in Article 5 of the Law, your personal data is processed by the Company.
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and free will.
In order to process personal data based on the explicit consent of the personal data subject, explicit consent is obtained from customers, potential customers and visitors through relevant methods.
The personal data of the data subject may be processed in accordance with the law without the explicit consent of the data subject, if expressly provided for in the law.
The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent will not be recognized as valid, in order to protect his/her or another person’s life or physical integrity.
Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.
Personal data of the data subject may be processed if processing is mandatory for the Company to fulfill its legal obligations as the data controller.
If the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed.
Provided that it does not harm the fundamental rights and freedoms of the personal data subject, the personal data of the data subject may be processed if data processing is mandatory for the legitimate interests of the Company.
In the processing of personal data determined as “special quality” by the LPPD, the Company acts in strict compliance with the regulations stipulated in the LPPD.
Special categories of personal data are processed in the following cases by the Company provided that adequate measures to be determined by the PPD Board are taken:
The company may transfer the personal data and special categories of personal data of the data subject to domestic or foreign third parties by taking the necessary security measures in line with the lawful personal
data processing purposes. In this direction, the company acts in accordance with the regulations stipulated in Article 8 of the LPPD.
Your personal data may be transferred by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy and provided that the basic principles regarding the data processing conditions are complied with.
The Company may transfer the personal data and special categories of personal data of the personal data subject to third parties abroad in the presence of at least one of the data processing conditions described under Title 3 of this Policy and by taking the necessary security measures. Personal data is transferred by the company to foreign countries declared by the PPD Board to have adequate protection (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PPD Board has permission (“Foreign Country Where the Data Controller Undertakes Adequate Protection”). In this direction, the company acts in accordance with the regulations stipulated in Article 9 of the LPPD.
Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorized in the table below:
|Persons to whom data can be
|Parties with which the Company
establishes a business partnership while conducting its commercial activities
|Sharing of personal data limited to the purpose of ensuring the
fulfillment of the purposes for
which the business partnership was established
|Shareholders who are authorized to
design the strategies and audit activities regarding the Company’s commercial activities in accordance with the provisions of the relevant legislation
|Sharing of personal data limited to the design of strategies regarding the commercial activities of the Company and for audit purposes
|Board members and other authorized persons
|Sharing of personal data limited to the design of strategies regarding the commercial activities of the Company, ensuring its management at the highest level and for audit purposes
|Legally Authorized Public Institutions and Organizations
|Public institutions and organizations legally authorized to receive information and documents from the Company
|Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations
|Legally Authorized Private Law Persons
|Private law persons legally authorized to receive information and documents from the Company
|Sharing data limited to the purpose requested by the relevant private law persons within their legal
In the event that personal data is not obtained directly from the data subject, the Company carries out activities to enlighten data subjects (1) within a reasonable period of time from the acquisition of personal data, (2) if personal data will be used for communication with the data subject, during the first
communication, (3) if personal data will be transferred, at the latest during the first transfer of personal data.
Pursuant to Article 28 of the LPPD, personal data subjects cannot assert their rights listed in 5.1 in these matters, since the following cases are excluded from the scope of the LPPD:
Pursuant to Article 28.2 of the LPPD, in the cases listed below, personal data subjects cannot assert their other rights listed in 5.1, except for the right to demand compensation for the damage:
organizations and professional organizations in the nature of public institutions based on the authority granted by law,
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the LPPD, personal data shall be deleted, destroyed or anonymized upon the resolution of the Company or upon the request of the personal data subject if the reasons requiring its processing disappear. In this context, the Company has taken the necessary technical and administrative measures within the Company in order to fulfill its relevant obligation, has developed the necessary operating mechanisms in this regard, and trains, assigns and raises awareness of, the relevant
business units, to act in accordance with these obligations.
Contact us for all your questions and comments regarding the Personal Data Protection Policy!
Request a Demo
Request a Demo