1. Introduction
1.1 Purpose of the Policy
Within the scope of Law No. 6698 on the Protection of Personal Data (“Law” or “LPPD”), as the Firm FOL YAZILIM A.Ş. (“Firm” or “Company”), the processing and protection of personal data in accordance with the law is among our most important priorities. We follow the same priority in all our planning and business activities. In this context, in accordance with Article 10 of the Law, we hereby present this Policy on Processing and Protection of Personal Data (“Policy”) for your information in order to enlighten you and to inform you of all administrative and technical measures we will implement within the scope of processing and protection of personal data.
1.2 Scope
This Policy determines the conditions for processing personal data and sets out the principles adopted by the Company in the processing of personal data. In this context, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, all personal data processed and the owners of this data.
1.3 Definitions
Open Consent | Consent on a specific issue, based on information and freely explained and given. |
Anonymization | Making the data previously associated with a person impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data. |
Employee Candidate | Real persons who do not work for the company but have the status of employee candidate. |
Personal Data | Any information relating to an identified or identifiable natural person. |
Data Subject | The natural person whose personal data is processed. |
Processing of Personal Data | Any operation performed on personal data such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, taking over, making |
available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system. | |
Law | Law No. 6698 on the Protection of Personal Data (LPPD) published in the Official Gazette dated April 7, 2016 and numbered 29677. |
Special Categories of Personal Data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. |
Policy | Policy on Processing and Protection of Personal Data of the Firm / Company…… |
Company/Firm | The Firm ……………… the Company……………… |
Data Processor | A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. |
Data Controller | The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically. |
Data Recording System | It is a recording system where personal data is structured and processed according to certain criteria. |
Business Partners | Persons with whom the Company has established a partnership within the scope of contractual relations within the framework of its commercial activities. |
1.4 Entry into Force of the Policy
This Policy issued by the Company entered into force on 10.01.2023 and was presented to the public. In case of conflict between the legislation in force, especially the Law, and the regulations in this Policy, the
provisions of the legislation shall apply.
The Company reserves the right to make changes to the Policy in parallel with legal regulations. The current version of the Policy can be accessed from the Company (https://www.river.com.tr/eng) website.
2. Information on Personal Data Processing Activities Conducted by the Company
2.1 Data Subjects
Data subjects within the scope of the Policy are all natural persons, other than the Company’s employees, whose personal data are processed by the Company. In general, data subjects can be listed as follows:
Data Subject Categories | Description |
Customers | It refers to real persons who benefit from the products and services offered by the Company and real persons who show interest in the products and services offered by the Company and have the potential to become customers. |
Employee | Company Shareholder, Company official, Group Company
Employee/Shareholder/Authorized Persons/Members of the Board of Directors White collar, blue collar, Former Employee/Retired, Employee Candidate, Active Intern, Intern Candidate |
3rd Persons | |
Potential Customers | Refers to real persons who show interest in the products and services offered by the Company and have the potential to become customers. |
Employee Candidates | Refers to real persons who apply for a job by sending a CV to the Company or by other methods. |
Visitors | Refers to people who visit the Company for any reason. |
Third Parties | It refers to real persons other than the employees of the Company as well as the categories of data subjects mentioned above. |
The categories of data subjects described in the table above are indicated for general information sharing purposes. The fact that the data subject does not fall within the scope of any of these categories does not eliminate the nature of the data subject as stated in the Law.
2.2 Purposes of Processing Personal Data
2.2.1 Carrying out the necessary work by the relevant units and executing business processes to ensure that the relevant people benefit from the products and services offered by the Company:
-
- Planning and execution of sales processes of products and/or services,
- Planning and/or execution of after sales support services activities,
- Planning and execution of customer relationship management processes,
- Follow-up of contract processes and/or legal requests,
- Follow-up of customer requests and/or
2.2.2 Planning and execution of company human resources policies and processes:
- Planning and execution of talent and career development activities,
- Fulfillment of obligations arising from the employment contract and/or legislation for Company employees,
- Planning and execution of side benefits and social benefits for employees,
- Planning and execution of internal orientation activities,
- Planning and execution of personnel exit procedures,
- Remuneration management
- Planning of human resources processes,
- Managing personnel recruitment processes,
- Planning and execution of appointment, promotion and termination processes for the company,
- Planning and execution of employee performance evaluation processes,
- Monitoring and/or supervision of employees’ work activities,
- Planning and/or execution of in-house training activities,
- Planning and execution of employee satisfaction and/or engagement processes,
- Planning and execution of the processes of receiving and evaluating suggestions for the improvement of employees’ work and/or production processes,
- Planning and/or execution of intern and/or student recruitment, placement and operation
2.2.3 Carrying out the necessary work by the relevant business units for the realization of the commercial activities carried out by the company and carrying out the related business processes:
- Event management,
- Planning and execution of business activities,
- Planning and execution of corporate communication activities,
- Planning and execution of supply chain management processes,
- Planning and execution of production and/or operation processes,
- Planning, auditing and execution of information security processes,
- Establishment and management of information technology infrastructure,
- Planning and execution of business partners’ authorizations to access information,
- Follow-up of financial and/or accounting affairs,
- Planning and execution of corporate sustainability activities,
- Planning and execution of corporate governance activities,
- Planning and/or execution of business continuity activities,
- Planning and execution of logistics
2.2.4 Planning and execution of the activities necessary to recommend and promote the products and services offered by the company to the relevant persons by customizing them according to their tastes, usage habits and needs:
- Identification and/or evaluation of people to be subject to marketing activities in line with consumer behavior criteria,
- Design and/or execution of customized marketing and/or promotional activities,
- Design and/or execution of advertising and/or promotion and/or marketing activities in digital and/or other media,
- Design and/or execution of activities to be developed on customer acquisition and/or value creation in existing customers in digital and/or other channels,
- Planning and/or execution of data analytics activities for marketing purposes,
- Planning and execution of marketing processes of products and/or services,
- Planning and/or execution of the processes of creating and/or increasing loyalty to the products and/or services offered by the Company.
2.2.5 Planning and execution of the Company’s commercial and/or business strategies:
Managing relationships with business partners.
2.2.6 Ensuring the legal, technical and commercial business security of the Company and the relevant persons who have a business relationship with the Company:
- Planning and execution of the necessary operational activities to ensure that the Company’s activities are carried out in accordance with Company procedures and/or relevant legislation,
- Providing information to authorized institutions due to legislation,
- Creation and follow-up of visitor records,
- Planning and execution of emergency management processes,
- Realization of company and partnership law transactions,
- Planning and execution of company audit activities,
- Planning and/or execution of occupational health and/or safety processes,
- Realization of risk management of credit processes,
- Ensuring the security of company premises and/or facilities,
- Ensuring the security of company operations,
- Planning and/or execution of the Company’s financial risk processes,
- Ensuring the security of company fixtures and/or
2.3 Categories of Personal Data
Personal data categorized by the Company as follows are processed in accordance with the personal data processing conditions in the Law and the relevant legislation:
Data Category | Description |
Identity information | Information contained in documents such as driver’s license, identity card, residence card, passport, lawyer ID, marriage certificate. |
Contact info | Information used to contact the person (e.g. e-mail address, phone number, cell phone number, address). |
Location information | Information that enables the location of the data subject to be determined (e.g. location information obtained when driving). |
Customer information | Information about customers who benefit from our products and services (e.g. customer number, occupation, etc.). |
Customer transaction information | Information on all kinds of transactions made by customers who benefit from our products and services. |
Physical space security knowledge | Personal data related to records and documents such as camera recordings, fingerprint records taken at the entrance to the physical space, during the stay in the physical
space. |
Transaction security knowledge | Personal data processed to ensure technical, administrative, legal and commercial security while conducting the Company’s commercial activities. |
Financial information | Personal data processed regarding information, documents and records showing all kinds of financial results created according to the type of legal relationship established by the Company with the personal data subject. |
Employee candidate information | Personal data processed in relation to individuals who have applied to become an employee of the Company or who have been evaluated as employee candidates in line with human resources needs in accordance with commercial practices and honesty rules or who are in a working relationship with the Company. |
Legal process and compliance knowledge | Personal data processed within the scope of determination, follow-up and fulfillment of the Company’s legal receivables and rights, and compliance with its legal
obligations and company policies. |
Audit and inspection knowledge | Personal data processed within the scope of the Company’s legal obligations and compliance with company policies. |
Special categories of data | Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or
other beliefs, appearance and dress, membership of associations, foundations or trade |
unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. | |
Marketing knowledge | Personal data processed for the marketing of the products and services offered by the Company by customizing them in line with the usage habits, tastes and needs of the personal data subject, and the reports and evaluations created as a result of these processing results. |
Knowledge of request/complaint management | Personal data regarding the receipt and evaluation of any request or complaint addressed to the Company. |
Knowledge of reputation management | Information collected for the purpose of protecting the Company’s commercial reputation and information about the evaluation reports and actions taken. |
Knowledge of incident management | Personal data processed in order to take the necessary legal, technical and administrative measures against the events that develop in order to protect the commercial rights and interests of the Company and the rights and interests of its customers. |
3. Principles and Conditions Regarding the Processing of Personal Data
In accordance with Article 4 of the Law on the processing of personal data, pursuant to the law and honesty rules, the company carries out personal data processing activities in accordance with the law and honesty rules, in an accurate and, where necessary, up-to-date, specific, clear and legitimate purposes, in connection with the purpose, in a limited and measured manner. The company retains personal data for the period stipulated by law or required by the purpose of personal data processing.
3.1 Principles Regarding the Processing of Personal Data
The company enlightens data subjects in accordance with Article 10 of the LPPD and processes this personal data based on the following principles by requesting consent from data subjects in cases where consent is required.
3.1.1 Processing of Data in Compliance with the Law and Rules of Good Faith
The Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In accordance with the principle of compliance with the rule of honesty, the Company takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing.
3.1.2 Ensuring that Personal Data is Accurate and Updated When Necessary
Keeping personal data accurate and up-to-date is necessary for the Company to protect the fundamental rights and freedoms of the person concerned. The Company has an active duty of care to ensure that personal data is accurate and up-to-date when necessary. For this reason, all communication channels are open for the Company to keep the information of the data subject accurate and up-to-date.
3.1.3 Processing of Data for Specific, Explicit and Legitimate Purposes
The company clearly and precisely determines the legitimate and lawful purpose of personal data processing. It processes personal data in connection with and necessary for the commercial activity it carries out.
- Data being relevant, limited and proportionate to the purpose for which they are processed The Company processes personal data within the scope of the purposes related to its field of activity and necessary for the execution of its business. For this reason, it processes personal data in a manner suitable for the realization of the specified purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.
3.1.4 Retention of Data for the Period Stipulated in the Relevant Legislation or Required for the Purpose for which they are Processed
The company retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, First of all, it determines whether a period of time is stipulated for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period, if a period is not determined, it keeps personal data for the period required for the purpose for which they are processed. Personal data are deleted, destroyed or anonymized by the
Company after the purpose of personal data processing disappears or upon expiration of the period stipulated in the legislation.
3.2 Conditions Regarding the Processing of Personal Data
In the presence of at least one of the personal data processing conditions in Article 5 of the Law, your personal data is processed by the Company.
3.2.1 Explicit consent of the personal data subject
One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the personal data subject must be related to a specific subject, based on information and free will.
In order to process personal data based on the explicit consent of the personal data subject, explicit consent is obtained from customers, potential customers and visitors through relevant methods.
3.2.2 Personal data processing activities being explicitly prescribed by law
The personal data of the data subject may be processed in accordance with the law without the explicit consent of the data subject, if expressly provided for in the law.
3.2.3 Failure to obtain the explicit consent of the person due to actual impossibility
The personal data of the data subject may be processed if it is mandatory to process the personal data of the person who is unable to disclose his/her consent due to actual impossibility or whose consent will not be recognized as valid, in order to protect his/her or another person’s life or physical integrity.
3.2.4 The personal data being directly related to the establishment or performance of a contract
Provided that it is directly related to the establishment or performance of a contract, it is possible to process personal data if it is necessary to process personal data belonging to the parties to the contract.
3.2.5 Fulfillment of legal obligations by the Company
Personal data of the data subject may be processed if processing is mandatory for the Company to fulfill its legal obligations as the data controller.
3.2.6 Publicization of personal data of the data subject
If the data subject has made his/her personal data public by himself/herself, the relevant personal data may be processed.
3.2.7 Data processing being mandatory for the establishment or protection of a right
If data processing is mandatory for the establishment, exercise or protection of a right, the personal data of the data subject may be processed.
3.2.8 Data processing being mandatory for the legitimate interest of the Company
Provided that it does not harm the fundamental rights and freedoms of the personal data subject, the personal data of the data subject may be processed if data processing is mandatory for the legitimate interests of the Company.
3.3 Processing of Special Categories of Personal Data
In the processing of personal data determined as “special quality” by the LPPD, the Company acts in strict compliance with the regulations stipulated in the LPPD.
Special categories of personal data are processed in the following cases by the Company provided that adequate measures to be determined by the PPD Board are taken:
- If the personal data subject has explicit consent or
- If the personal data subject does not have explicit consent;
- Special categories of personal data other than the health and sexual life of the personal data subject, in cases stipulated by law,
- Special categories of personal data relating to the health and sexual life of the personal data subject are processed only for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of
4. Transfer of Personal Data
The company may transfer the personal data and special categories of personal data of the data subject to domestic or foreign third parties by taking the necessary security measures in line with the lawful personal
data processing purposes. In this direction, the company acts in accordance with the regulations stipulated in Article 8 of the LPPD.
4.1 Transfer of personal data to domestic third parties
Your personal data may be transferred by the Company in the presence of at least one of the data processing conditions specified in Articles 5 and 6 of the Law and explained under Title 3 of this Policy and provided that the basic principles regarding the data processing conditions are complied with.
4.2 Transfer of personal data to third parties abroad
The Company may transfer the personal data and special categories of personal data of the personal data subject to third parties abroad in the presence of at least one of the data processing conditions described under Title 3 of this Policy and by taking the necessary security measures. Personal data is transferred by the company to foreign countries declared by the PPD Board to have adequate protection (“Foreign Country with Adequate Protection”) or, in the absence of adequate protection, to foreign countries where the data controllers in Turkey and the relevant foreign country undertake adequate protection in writing and where the PPD Board has permission (“Foreign Country Where the Data Controller Undertakes Adequate Protection”). In this direction, the company acts in accordance with the regulations stipulated in Article 9 of the LPPD.
4.3 Third parties to whom personal data are transferred and the purposes of transfer
Within the general principles of the Law and the data processing conditions in Articles 8 and 9, the Company may transfer data to the parties categorized in the table below:
Persons to whom data can be
transferred |
Definition | Objective | |
Business Partner | Parties with which the Company
establishes a business partnership while conducting its commercial activities |
Sharing of personal data limited to the purpose of ensuring the
fulfillment of the purposes for which the business partnership was established |
|
Shareholders | Shareholders who are authorized to
design the strategies and audit activities regarding the Company’s commercial activities in accordance with the provisions of the relevant legislation |
Sharing of personal data limited to the design of strategies regarding the commercial activities of the Company and for audit purposes | |
Company Authorities | Board members and other authorized persons | Sharing of personal data limited to the design of strategies regarding the commercial activities of the Company, ensuring its management at the highest level and for audit purposes | |
Legally Authorized Public Institutions and Organizations | Public institutions and organizations legally authorized to receive information and documents from the Company | Sharing personal data limited to the purpose of requesting information by the relevant public institutions and organizations | |
Legally Authorized Private Law Persons | Private law persons legally authorized to receive information and documents from the Company | Sharing data limited to the purpose requested by the relevant private law persons within their legal
authority |
5. Rights of the Data Subject and Exercise of Related Rights
5.1 Rights of the personal data subject:
-
- Learn whether their personal data is being processed,
- Request information if their personal data has been processed,
- Learn the purpose of processing personal data and whether they are used for their intended purpose,
- Know the third parties to whom personal data are transferred domestically or abroad,
- Request correction of personal data in case of incomplete or incorrect processing and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- Although it has been processed in accordance with the provisions of the LPPD and other relevant laws, to request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear and to request notification of the transaction made within this scope to third parties to whom personal data is transferred,
- In the event that the processed data is analyzed exclusively through automated systems and a result occurs to the detriment of the person himself/herself, to object to this result,
- In case of damage due to unlawful processing of personal data, demand compensation for the
In the event that personal data is not obtained directly from the data subject, the Company carries out activities to enlighten data subjects (1) within a reasonable period of time from the acquisition of personal data, (2) if personal data will be used for communication with the data subject, during the first
communication, (3) if personal data will be transferred, at the latest during the first transfer of personal data.
5.2 Cases where the personal data subject cannot assert his/her rights:
Pursuant to Article 28 of the LPPD, personal data subjects cannot assert their rights listed in 5.1 in these matters, since the following cases are excluded from the scope of the LPPD:
- Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data are not disclosed to third parties and obligations regarding data security are complied with,
- Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics,
- Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that such processing does not violate national defense, national security, public security, public order, economic security, privacy or personal rights or constitute a crime,
- Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security,
- Processing of personal data by judicial or enforcement authorities in relation to investigations, prosecutions, trials or executions.
Pursuant to Article 28.2 of the LPPD, in the cases listed below, personal data subjects cannot assert their other rights listed in 5.1, except for the right to demand compensation for the damage:
- Processing of personal data is necessary for the prevention of crime or criminal investigation,
- Processing of personal data made public by the personal data subject himself/herself,
- Personal data processing is necessary for the execution of supervisory or regulatory duties and disciplinary investigation or prosecution by the authorized and authorized public institutions and
organizations and professional organizations in the nature of public institutions based on the authority granted by law,
- Processing of personal data is necessary for the protection of the economic and financial interests of the State in relation to budgetary, tax and fiscal matters.
6. Deletion, Destruction, Anonymization of Personal Data
Although it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the LPPD, personal data shall be deleted, destroyed or anonymized upon the resolution of the Company or upon the request of the personal data subject if the reasons requiring its processing disappear. In this context, the Company has taken the necessary technical and administrative measures within the Company in order to fulfill its relevant obligation, has developed the necessary operating mechanisms in this regard, and trains, assigns and raises awareness of, the relevant
business units, to act in accordance with these obligations.
Contact Us
Contact us for all your questions and comments regarding the Personal Data Protection Policy!