Information Security Policy • River

Information Security Policy

The senior management of FOL Yazılım has determined the ISMS policy to include the commitment to comply with the responsibilities of the services provided by our enterprise, to comply with the legislative requirements and to continuously improve its effectiveness, and to create a framework for the establishment and review of ISMS targets.

The senior management of FOL Yazılım ensures that the ISMS policy is communicated and understood and reviews it in the management review for continuous compliance.

As the management of FOL Yazılım, depending on our mission and vision, providing Information Technology services to our contracted customers is our priority area of work.

Production and Services;

Meeting the expectations of our customers and the institutions/organizations we provide services under contract at a high level, increasing their IT capabilities, keeping them informed of technological developments and helping them achieve their activity/process/performance targets are carried out within the scope and limits of ISMS.
By accepting that all kinds of confidential / commercial / proprietary information processed in all information technology systems we serve within the scope and boundaries of ISMS is the privacy of the customer of the institution / organization we serve, it is ensured that this information cannot be obtained from anywhere / person / institution / organization without the knowledge / approval of the customer, adhering to the Confidentiality / Integrity / Availability conditions.
FOL Yazılım will comply with the ISMS policy, legal and regulatory requirements, and take into account the obligations or dependencies arising from contracts or third parties, provided that they remain within the scope and limits of the ISMS.

FOL Yazılım represents that it will prove its commitment to the installation, realization, operation, monitoring, review, maintenance and improvement of the Information Security Management System (ISMS) within the framework stated above by performing the following matters:

ISMS objectives have been defined and respective plans have been
Risk analyses have been conducted, risk assessments and risk criteria have been put forward based on the results of the analysis, and risk management is ensured within this framework.
FOL Yazılım has defined and maintained the importance of meeting information security objectives and compliance with information security policies, responsibilities to the law and the need for continuous improvement.
FOL Yazılım has provided sufficient resources (financial, human resources, equipment, software, security, consultancy, training, etc.) to establish, implement, operate, monitor, review, maintain and improve the ISMS.
FOL Yazılım has organized and manages the necessary work to determine the criteria for accepting risks and acceptable risk levels.
FOL Yazılım will review the ISMS Policy at least once a year and announce it to the relevant parties by making arrangements when deemed necessary.

Home

Request a Demo

Open Consent	Consent on a specific issue, based on information and freely explained and given.
Anonymization	Making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data.
Employee Candidate	Real persons who do not work for the company but have the status of employee candidate.
Personal Data	Any information relating to an identified or identifiable natural person.
Data Subject	The natural person whose personal data is processed.
Processing of Personal Data	Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making
	available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system.
Law	Law No. 6698 on the Protection of Personal Data (LPPD) published in the Official Gazette dated April 7, 2016 and numbered 29677.
Special Categories of Personal Data	Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Policy	Policy on Processing and Protection of Personal Data of the Firm / Company……
Company/Firm	The Firm ……………… the Company………………
Data Processor	A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller.
Data Controller	The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically.
Data Recording System	It is a recording system where personal data is structured and processed according to certain criteria.
Business Partners	Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of its commercial activities.

Data Subject Categories	Description
Customers	It refers to real persons who benefit from the products and services offered by the Company and real persons who show interest in the products and services offered by the Company and have the potential to become customers.
Employee	Company Shareholder, Company official, Group Company Employee/Shareholder/Authorized Persons/Members of the Board of Directors White collar, blue collar, Former Employee/Retired, Employee Candidate, Active Intern, Intern Candidate
3rd Persons
Potential Customers	Refers to real persons who show interest in the products and services offered by the Company and have the potential to become customers.
Employee Candidates	Refers to real persons who apply for a job by sending a CV to the Company or by other methods.
Visitors	Refers to people who visit the Company for any reason.
Third Parties	It refers to real persons other than the employees of the Company as well as the categories of data subjects mentioned above.

Data Category	Description
Identity information	Information contained in documents such as driver’s license, identity card, residence card, passport, lawyer ID, marriage certificate.
Contact info	Information used to contact the person (e.g. e-mail address, phone number, cell phone number, address).
Location information	Information that enables the location of the data subject to be determined (e.g. location information obtained when driving).
Customer information	Information about customers who benefit from our products and services (e.g. customer number, occupation, etc.).

Customer transaction information	Information on all kinds of transactions made by customers who benefit from our products and services.
Physical space security knowledge	Personal data related to records and documents such as camera recordings, fingerprint records taken at the entrance to the physical space, during the stay in the physical space.
Transaction security knowledge	Personal data processed to ensure technical, administrative, legal and commercial security while conducting the Company’s commercial activities.
Financial information	Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the personal data subject.
Employee candidate information	Personal data processed in relation to individuals who have applied to become an employee of the Company or who have been evaluated as employee candidates in line with human resources needs in accordance with commercial practices and honesty rules or who are in a working relationship with the Company.
Legal process and compliance knowledge	Personal data processed within the scope of determination, follow-up and fulfillment of the Company’s legal receivables and rights, and compliance with its legal obligations and company policies.
Audit and inspection knowledge	Personal data processed within the scope of the Company’s legal obligations and compliance with company policies.
Special categories of data	Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade
	unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Marketing knowledge	Personal data processed for the marketing of the products and services offered by the Company by customizing them in line with the usage habits, tastes and needs of the personal data subject, and the reports and evaluations created as a result of these processing results.
Knowledge of request/complaint management	Personal data regarding the receipt and evaluation of any request or complaint addressed to the Company.
Knowledge of reputation management	Information collected for the purpose of protecting the Company’s commercial reputation and information about the evaluation reports and actions taken.
Knowledge of incident management	Personal data processed in order to take the necessary legal, technical and administrative measures against the events that develop in order to protect the commercial rights and interests of the Company and the rights and interests of its customers.

Persons to whom data can be transferred	Definition	Objective
Business Partner	Parties with which the Company establishes a business partnership while conducting its commercial activities	Sharing of personal data limited to the purpose of ensuring the fulfillment of the purposes for which the business partnership was established
Shareholders	Shareholders who are authorized to design the strategies and audit activities regarding the Company’s commercial activities in accordance with the provisions of the relevant legislation	Sharing of personal data limited to the design of strategies regarding the commercial activities of the Company and for audit purposes
Company Authorities	Board members and other authorized persons	Sharing of personal data limited to the design of strategies regarding the commercial activities of the Company, ensuring its management at the highest level and for audit purposes
Legally Authorized Public Institutions and Organizations	Public institutions and organizations legally authorized to receive information and documents from the Company	Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations
Legally Authorized Private Law Persons	Private law persons legally authorized to receive information and documents from the Company	Sharing data limited to the purpose requested by the relevant private law persons within their legal authority

1. Introduction

1.1 Purpose of the Policy

1.2 Scope

1.3 Definitions

1.4 Entry into Force of the Policy

2. Information on Personal Data Processing Activities Conducted by the Company

2.1 Data Subjects

2.2 Purposes of Processing Personal Data

2.2.1 Carrying out the necessary work by the relevant units and executing business processes to ensure that the relevant people benefit from the products and services offered by the Company:

2.2.2 Planning and execution of company human resources policies and processes:

2.2.3 Carrying out the necessary work by the relevant business units for the realization of the commercial activities carried out by the company and carrying out the related business processes:

2.2.4 Planning and execution of the activities necessary to recommend and promote the products and services offered by the company to the relevant persons by customizing them according to their tastes, usage habits and needs:

2.2.5 Planning and execution of the Company’s commercial and/or business strategies:

2.2.6 Ensuring the legal, technical and commercial business security of the Company and the relevant persons who have a business relationship with the Company:

2.3 Categories of Personal Data

3. Principles and Conditions Regarding the Processing of Personal Data

3.1 Principles Regarding the Processing of Personal Data

3.1.1 Processing of Data in Compliance with the Law and Rules of Good Faith

3.1.2 Ensuring that Personal Data is Accurate and Updated When Necessary

3.1.3 Processing of Data for Specific, Explicit and Legitimate Purposes

3.1.4 Retention of Data for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed

3.2 Conditions Regarding the Processing of Personal Data

3.2.1 Explicit consent of the personal data subject

3.2.2 Personal data processing activities being explicitly prescribed by law

3.2.3 Failure to obtain the explicit consent of the person due to actual impossibility

3.2.4 The personal data being directly related to the establishment or performance of a contract

3.2.5 Fulfillment of legal obligations by the Company

3.2.6 Publicization of personal data of the data subject

3.2.7 Data processing being mandatory for the establishment or protection of a right

3.2.8 Data processing being mandatory for the legitimate interest of the Company

3.3 Processing of Special Categories of Personal Data

4. Transfer of Personal Data

4.1 Transfer of personal data to domestic third parties

4.2 Transfer of personal data to third parties abroad

4.3 Third parties to whom personal data are transferred and the purposes of transfer

5. Rights of the Data Subject and Exercise of Related Rights

5.1 Rights of the personal data subject:

5.2 Cases where the personal data subject cannot assert his/her rights:

6. Deletion, Destruction, Anonymization of Personal Data

Contact Us