GDPR Policy

“FORM DIS TICARET LIMITED SIRKETI”

 

POLICY ON THE PROCESSING AND PROTECTION OF PERSONAL DATA

 

  1. INTRODUCTION

 

1.1. Introduction

1.2. Scope

1.3. Implementation of the Policy and PDPL Legislation

1.4. Enforcement of the Policy

 

2. ISSUES ABOUT PROTECTION OF PERSONAL DATA

 

2.1. Ensuring the Security of Personal Data

2.2. Protection of Private Personal Data

2.3. Raising Awareness and Supervision of Business Units on the Protection and Processing of Personal Data

 

3. ISSUES ABOUT PROCESSING OF PERSONAL DATA

 

3.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

3.2. Requirements for Processing Personal Data

3.3. Processing of Private Personal Data

3.4. Enlightening of Personal Data Owner

3.5. Processing of data currently processed by Form Dis Ticaret Ltd.Sti. by

DELTASOFT OTOMASYON YAZ.MUH.HIZM.SAN.VE TIC.LTD.STI.

FUAT ARI (DBS DANISMANLIK)

ONUR TURIZM TAS.INS.SAN.TIC.A.S.

SOREDEV BILGI TEKNOLOJILERI LTD.STI.

CAN AKADEMI IS SAG.VE GUV.OLC.KAL.DAN.HIZ.LTD.STI.

3.6. Transfer of Personal Data

 

4. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

 

5. STORAGE AND DISPOSAL OF PERSONAL DATA

 

6. RIGHTS OF PERSONAL DATA OWNERS AND EXERCISE OF THESE RIGHTS

 

6.1. Rights of Data Subject

 

7. SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED

 

7.1. Personal Data Processing Activities Performed at the Entrances and Inside of Buildings and Facilities, and Website Visitors

7.2. Camera Monitoring Activities of “FORM DIS TICARET LIMITED SIRKETI” at the Entrances and Inside of Buildings and Facilities

7.3. Tracking of Entries and Exits of Visitors at the Entrances and Inside of Buildings and Facilities of “FORM DIS TICARET LIMITED SIRKETI”

 

8. PRECAUTIONS FOR THE SECURITY OF PERSONAL DATA

 

1. INTRODUCTION

 

Introduction

Since the protection of personal data is a fundamental human right, it is among the most important priorities of “FORM DIS TICARET LIMITED SIRKETI” Company (“Company”). The company makes maximum efforts to comply with all applicable legislation in this regard in order to secure the right to the protection of personal data. Within the framework of this “FORM DIS TICARET LIMITED SIRKETI” Policy for the Protection and Processing of Personal Data (“Policy”), the principles adopted in the conduct of personal data processing activities carried out by our Company and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations in the Law No. 6698 on the Protection of Personal Data (“Law”) are explained, and thus, our Company provides the necessary transparency by informing the data subjects. Your personal data is processed and protected within the scope of this Policy with full awareness of our responsibility in this context.

 

Scope

“FORM DIS TICARET LIMITED SIRKETI” (“COMPANY”) Policy for the Processing and Protection of Personal Data (“Policy”) has been prepared with the aim of disciplining the processing of personal data within the framework of the legislation on personal data and protecting the fundamental rights and freedoms, especially the privacy of private life, as stipulated in the Constitution.

While preparing the “Policy”, it has been determined as the basic principle to determine which data is collected by the business units and why, and why they need to transfer these data to third parties within the organizational chart of the “COMPANY” and to understand the personal data processing method of the COMPANY. While transferring the requirements of the relevant legislation to the “Policy”, it is adopted as a principle to explain in a simple and understandable manner what data the “COMPANY” provides and why, and why it processes these data by being privatized, within the framework of the requirement of protecting personal data. In addition, it is aimed to take the necessary administrative and technical precautions to protect data privacy within and outside the organization of the “COMPANY” and to inform and enlighten the individuals whose data are processed.

All natural persons whose data is processed by the “COMPANY” are included in the scope of the “Policy”.

Within the scope of this “Policy”, it has been tried to include customized information about the data processed within the framework of the processes and activities in the “COMPANY” organization, data categorization, data recipient groups, legal reason and method of data collection, third party groups to which the data is transferred, processing periods of data, and deletion periods of data. However, apart from the current processing activities, if data processing is/will be performed by the “COMPANY”, it is possible to carry out processing activity and enlightening within an external clarification text, provided that the basic principles specified in this policy are complied with. In this case, the enlightening shall constitute an integral part of this “Policy” and it cannot be claimed that it is not included in this “Policy”. As a matter of fact, within the scope of Article 5 of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation of Enlightening, it is possible to make the enlightening verbally, in writing, and by using physical or electronic media such as voice recording and call center.

 

Implementation of the Policy and PDPL Legislation

Regarding the processing and protection of personal data, the relevant legal regulations in force shall be applied first. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation shall prevail. The Policy regulates the rules laid down by the relevant legislation by concretizing them within the scope of Company practices.

 

Enforcement of the Policy

The effective date of this Policy is 01.01.2021. The version issued by “FORM DIS TICARET LIMITED SIRKETI”, which entered into force on 05.09.2019 and was updated on 08.03.2021, has been renewed as of the effective date of this Policy.

 

This Policy is published on the websites of “FORM DIŞ TICARET LIMITED SIRKETI” at https://www.formdis.com/ and https://www.dugmem.com/.

 

 

2. ISSUES ON THE PROTECTION OF PERSONAL DATA

 

Ensuring the Security of Personal Data

In accordance with Article 12 of the Law, our Company takes the necessary measures, depending on the nature of the data to be protected, to prevent the illegal disclosure, access and transfer of personal data and security deficiencies that may occur in other ways. In this context, our Company takes administrative measures and conducts inspections, or has them conducted, in accordance with the guidelines published by the Personal Data Protection Board (“Board”) to ensure the required security level.

 

Protection of Private Personal Data

The Law attaches particular importance to certain personal data because of the risk of victimization or discrimination of persons when such data are processed illegally. These are data on race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance, association, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

 

“FORM DIS TICARET LIMITED SIRKETI” acts sensitively for the protection of private personal data determined by the Law as “private” and processed in accordance with the law. Within this context, the technical and administrative measures taken by “FORM DIS TICARET LIMITED SIRKETI” for the protection of personal data are carefully applied with respect to the private personal data and necessary controls are provided within “FORM DIS TICARET LIMITED SIRKETI”.

 

Note: Detailed information on technical and administrative measures taken for the processing of personal data is included in section "8" of this policy.

 

Raising Awareness and Supervision of Business Units on the Protection and Processing of Personal Data

“FORM DIS TICARET LIMITED SIRKETI” organizes regular trainings in order to raise awareness about preventing unlawful processing of personal data, preventing illegal access to personal data and protecting personal data.

 

Necessary systems are established to make the employees of “FORM DIS TICARET LIMITED SIRKETI” aware of the protection of personal data, and consultants are engaged when needed. In this regard, our Company participates, through its employees, in the relevant trainings, seminars and information sessions, especially those organized by the Personal Data Protection Authority, and renews its trainings in parallel with updates to the relevant legislation.

 

 

3. ISSUES ON PROCESSING OF PERSONAL DATA

 

Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation

 

Processing in Accordance with the Law and Good Faith

“FORM DIS TICARET LIMITED SIRKETI” acts in accordance with the principles enforced by legal regulations and the general rule for trust and good faith in the processing of personal data. In this context, personal data is processed to the extent required by and limited to the business activities of our Company.

 

Ensuring the Personal Data to Be Accurate and, When Necessary, Up-to-Date

“FORM DIS TICARET LIMITED SIRKETI” takes the necessary measures to ensure that personal data are accurate and up-to-date during the period of processing and establishes the necessary mechanisms to ensure the accuracy and currency of personal data for certain periods.

 

Processing with Specific, Clear and Legitimate Purposes

“FORM DIS TICARET LIMITED SIRKETI” clearly reveals the purposes of processing personal data and processes it within the scope of the purposes related to these activities in line with its business activities.

 

Being in Line with, Limited to and Restrained with the Purpose They are Processed

“FORM DIS TICARET LIMITED SIRKETI” collects personal data only in the nature and extent required by its business activities and processes it only for the specified purposes.

 

Keeping for the Time Envisaged in the Relevant Legislation or Required for the Purposes for Which It is Processed

“FORM DIS TICARET LIMITED SIRKETI” stores personal data for the period required for the purpose for which it is processed and the minimum period stipulated in the legislation to which the relevant activity is subjected. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the application of the data owner and by means of the determined destruction methods (deletion and/or destruction and/or anonymization).

 

Requirements for Processing Personal Data

Except for the explicit consent of the personal data owner, the basis of the personal data processing activity may be only one of the conditions stated below, or more than one condition may be the basis of the same personal data processing activity. In case the processed data is private personal data, the conditions included in item 3.3 (“Processing of Private Personal Data”) of this Policy shall be applied.

 

i. Presence of Explicit Consent of the Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of its owner. The explicit consent of the personal data owner must be given on a specific matter, on an informed basis and of free will.

 

In the presence of the following personal data processing conditions, personal data can be processed without the need for the explicit consent of the data owner.

 

ii. Being Explicitly Stipulated in Laws

If the processing of the data owner's personal data is explicitly stipulated in the law, in other words, if there is an explicit provision in the relevant law regarding the processing of personal data, this data processing condition may be said to exist.

 

iii. Failure to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

The personal data of the data owner may be processed in case it is compulsory to process personal data in order to protect the integrity of the life or body of the person himself/herself who cannot explain his/her consent or whose consent cannot be validated due to the actual impossibility, or of another person.

 

iv. Being Directly Related with the Establishment or Execution of the Contract

Provided that it is directly related to the establishment or performance of a contract to which the data owner is a party, this condition may be deemed to be fulfilled if the processing of personal data is necessary.

 

v. Company's Fulfillment of its Legal Obligation

The data owner's personal data may be processed if it is compulsory for our Company to fulfill its legal obligations.

 

vi. Making the Personal Data Public by the Personal Data Owner

If the data owner has made his/her personal data public, the relevant personal data may be processed in a limited way for the purpose of making it public.

 

vii. Compulsory Data Processing for the Establishment or Protection of a Right

The data owner's personal data may be processed if data processing is compulsory for the establishment, use or protection of a right.

 

viii. Compulsory Data Processing for the Legitimate Interest of our Company

The personal data of the data owner may be processed if the data processing is compulsory for the legitimate interests of our Company provided that the basic rights and liberties of the data owner are not damaged.

 

Processing of Private Personal Data

Private personal data are processed by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical precautions, including the methods to be determined by the Board, and in the presence of the following conditions:

 

(i) Private personal data other than health and sexual life can be processed without requiring the explicit consent of the data owner, in case it is clearly stipulated in the laws, in other words, there is an explicit provision in the law to which the relevant activity is subject regarding the processing of personal data. Otherwise, the explicit consent of the data owner shall be obtained in order to process such private personal data.

 

(ii) Private personal data related to the health and sexual life can be processed by the persons or authorized institutions and organizations under the obligation of confidentiality without requiring the explicit consent, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing. Otherwise, the explicit consent of the data owner shall be obtained in order to process such private personal data.

 

Enlightening Data Subjects

“FORM DIS TICARET LIMITED SIRKETI” enlightens personal data owners in accordance with Article 10 of the Law and the secondary legislation. In this context, “FORM DIS TICARET LIMITED SIRKETI”, as the data supervisor, informs the data subjects about who processes the personal data and for what purposes, for what purposes it is shared, with which methods it is collected, and its legal reason and the rights of the data owners within the scope of the processing of their personal data.

 

Transfer of Personal Data

Our company may transfer the personal data and private personal data of the personal data owner to the third persons (third party companies, public and private authorities, third party real persons) by taking necessary security measures in line with the legal personal data processing purposes. In this respect, our Company acts in compliance with the regulations set out in Article 8 of the Law. Detailed information on this subject can be found in ANNEX 5 of this Policy (“ANNEX 5- Third Persons to Whom Personal Data is Transferred by Our Company and Purposes of Transfer”).

 

Transfer of Personal Data

Although the personal data owner has not given his/her explicit consent, personal data can be transferred by our Company with due care to third parties by taking all necessary security precautions, including the methods prescribed by the Board, in case one or more of the conditions stated below are present.

 

  • If the relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
  • If the transfer of personal data by the Company is directly related with and necessary for the establishment or performance of a contract,
  • If the transfer of personal data is mandatory for our Company to fulfill its legal obligation,
  • If the personal data is transferred by our Company in a limited way for the purpose of making it public, provided that it has been made public by the data owner,
  • If the transfer of personal data by the Company is mandatory for the establishment, use or protection of the rights of the Company or the data owner or third parties,
  • If it is mandatory to carry out personal data transfer activities for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data owner,
  • If it is compulsory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.

 

Transfer of Private Personal Data

Private personal data can be transferred by our Company in accordance with the principles specified in this Policy and by taking all necessary administrative and technical precautions, including the methods to be determined by the Board, and in the presence of the following conditions:

 

(i) Private personal data other than health and sexual life can be processed without requiring the explicit consent of the data owner, in case it is clearly stipulated in the laws, in other words, there is an explicit provision in the law regarding the processing of personal data. Otherwise, the explicit consent of the data owner shall be obtained.

 

(ii) Private personal data related to the health and sexual life can be processed by the persons or authorized institutions and organizations under the obligation of confidentiality without requiring the explicit consent, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and their financing. Otherwise, the explicit consent of the data owner shall be obtained.

 

4. CATEGORIZATION AND PROCESSING PURPOSES OF PERSONAL DATA PROCESSED BY OUR COMPANY

 

In our Company, the data subjects are informed pursuant to Article 10 of the Law and the secondary legislation, and in line with the purposes of our Company regarding the processing of personal data, personal data is processed based on and limited to at least one of the personal data processing conditions specified in Article 5 and Article 6 of the Law and in accordance with the general principles specified in the Law, especially the principles specified in Article 4 of the Law on the processing of personal data. Within the framework of the purposes and conditions specified in this Policy, the processed personal data categories and detailed information about the categories shall be accessed from ANNEX 3 (“ANNEX 3 - Personal Data Categories”) of the Policy.

 

Detailed information on the purposes of processing such personal data is included in ANNEX 1 (“ANNEX 1- Purposes of Processing Personal Data”) of the Policy.

 

 

5. STORAGE AND DISPOSAL OF PERSONAL DATA

 

Our Company stores personal data for the period required for the purpose for which it is processed and the minimum period stipulated in the legislation to which the relevant activity is subjected. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation, and if a period is specified, it acts in accordance with this period. If there is no legal period, personal data is stored for the period necessary for the purpose for which it is processed. At the end of the specified storage periods, personal data is destroyed in accordance with the periodic destruction periods or upon the application of the data owner and by means of the determined destruction methods (deletion and/or destruction and/or anonymization).

 

 

6. RIGHTS OF DATA SUBJECT

 

Rights of Data Subject

 

Within the scope of PDPL, you have the right to:

i. Learn whether your personal data is processed,

ii. Request information on your Personal Data if it has been processed,

iii. Learn the purpose of processing your Personal Data and whether they are used appropriately for this purpose,

iv. Know the third parties to whom your Personal Data is transferred, at home or abroad,

v. Request correction of your Personal Data if it is incomplete or improperly processed,

vi. Request your Personal Data to be deleted or destroyed within the framework of the provisions of the PDPL legislation,

vii. Request the transactions made pursuant to subparagraphs v. and vi. to be notified to third parties to whom your Personal Data is transferred,

viii. Object to the appearance of a result against yourself by analyzing the processed data exclusively through automated systems,

ix. Request the compensation of damages in case of loss due to the illegal processing of your Personal Data.

 

How Can You Exercise Your Rights?

You can fill in the "application form", which you can download using the link https://www.formdis.com/, in line with your request/complaint, send this form to us via info@formdis.com, or you can fill the form physically and send it to “AKÇABURGAZ MAHALLESİ 3093. SOKAK NO: 16/1 ESENYURT İSTANBUL” by courier/mail.

If you submit your request to us using one of the methods indicated above, your request shall be evaluated within 30 days at the latest and you will be informed about the subject, pursuant to Article 13/2 of the PDPL. If your request is accepted, the necessary actions shall be carried out immediately by the data supervisor COMPANY.

As a rule, requests are met free of charge, but if fulfilling the request requires costs, a fee can be charged by the COMPANY pursuant to the following provision stipulated in article 7 of the “Communiqué on the Procedures and Principles of Application to the Data Supervisor”: “If the application of the data subject will be answered in writing, no fee is charged for up to 10 pages. A transaction fee of 1 TL shall be charged for each page after ten pages. If the answer is given to the application in a recording medium such as CD or flash memory, the fee that may be requested by the data supervisor shall not exceed the cost of the recording medium.”

 

 

7. SPECIAL CASES WHERE PERSONAL DATA IS PROCESSED

 

Personal Data Processing Activities Performed at the Entrances and Inside of Buildings and Facilities, and Website Visitors

In order to ensure security, “FORM DIS TICARET LIMITED SIRKETI” performs personal data processing activities in the buildings and facilities of “FORM DIS TICARET LIMITED SIRKETI” by security cameras for monitoring the entrances and exits of the visitors.

                          

Camera Monitoring Activities of “FORM DIS TICARET LIMITED SIRKETI” at the Entrances and Inside of Buildings and Facilities

“FORM DIS TICARET LIMITED SIRKETI” carries out camera monitoring activities in accordance with the Law on Private Security Services and the relevant legislation in order to ensure security in its buildings and facilities. “FORM DIS TICARET LIMITED SIRKETI” carries out security camera monitoring activities for the purposes stipulated in the relevant legislation in force and in accordance with the personal data processing conditions listed in the Law, in order to ensure security in its buildings and facilities.

 

In accordance with Article 10 of the Law, “FORM DIS TICARET LIMITED SIRKETI” informs the personal data owner through more than one method regarding the camera monitoring activity. In addition, “FORM DIS TICARET LIMITED SIRKETI” processes personal data in line with, limited to and restrained with the purpose they are processed, in accordance with Article 4 of the Law.

 

The purpose of maintaining the video camera monitoring activity by “FORM DIS TICARET LIMITED SIRKETI” is limited to the purposes listed in this Policy. In this regard, the monitoring areas of security cameras, their number and time of monitoring are implemented in a sufficient and limited way to achieve the security goal. Areas (for example, toilets) that may result in interference with the privacy of the person exceeding the security goals are not subject to monitoring.

 

Only a limited number of employees of “FORM DIS TICARET LIMITED SIRKETI” have access to the records saved and preserved on the digital media with vital camera images. A limited number of persons with access to the records declare that they will protect the confidentiality of the data they obtain through a confidentiality commitment.

 

Tracking of Entries and Exits of Visitors at the Entrances and Inside of Buildings and Facilities of “FORM DIS TICARET LIMITED SIRKETI”

“FORM DIS TICARET LIMITED SIRKETI” performs personal data processing activities for monitoring the entrances and exits of the visitors to ensure security and for the purposes specified in this Policy, in the buildings and facilities of “FORM DIS TICARET LIMITED SIRKETI”.

 

While obtaining the names and surnames of the persons who come to the buildings of “FORM DIS TICARET LIMITED SIRKETI” as visitors, or through texts posted by “FORM DIS TICARET LIMITED SIRKETI” or made available to the visitors in other ways, the personal data owners are informed in this context. The data obtained for the purpose of monitoring the entrances and exits of the visitors is processed only for this purpose and the relevant personal data is recorded in the data recording system in the physical environment.

 

 

8. PRECAUTIONS FOR THE SECURITY OF PERSONAL DATA

 

With the awareness of the responsibility of being a well-established company, the “COMPANY” provides all reasonable attention and care to ensure the confidentiality and security of the personal data it processes. In addition to the requirements of the relevant legislation, the “COMPANY” takes technical and administrative measures at a reasonable level to ensure data privacy and security within the framework of Article 12 of the PDPL. With the aforementioned administrative and technical security precautions, it is aimed to prevent illegal processing of personal data, to prevent illegal access to personal data, and to keep personal data at an appropriate security level.

The “COMPANY” shall take the necessary measures to ensure that the above-mentioned precautions are also taken by the data operators in the event that personal data is processed by another natural or legal person (data operator) on its behalf.

In case personal data is illegally seized by third parties, the “COMPANY” shall notify the data owners, the Board and other relevant public institutions and organizations in accordance with the provisions of the relevant legislation.

The Personal Data Security Guide (Technical and Administrative Precautions) published by the Board is taken into account when taking precautions regarding the security of personal data.

 

Administrative Precautions

  • Establishing and operating an information security management system within the Company,
  • Signing covenants and confidentiality agreements with Company staff and related parties,
  • Performing risk analyses on business processes,
  • Establishing personal data inventories,
  • Operating information security policies and procedures,
  • Organizing and evaluating trainings on information security and personal data processing activities,
  • Use of computers, etc. of the employees only by the authorized persons in order to prevent unauthorized access to these tools and equipment,
  • Reviewing the activities through internal or independent audits,
  • Creating records that will produce objective evidence for the transactions carried out.

 

Technical Precautions

  • The risks, threats, vulnerabilities and, if any, gaps in the Company's information systems are revealed with penetration tests and necessary precautions are taken.
  • As a result of real-time analyses performed with information security event management, risks and threats that will affect the continuity of information systems are constantly monitored.
  • Access to information systems and authorization of users are performed through access and authorization matrix and security policies over the corporate active directory.
  • When software changes and/or updates will be made on the systems, tests are made in the test environment, security vulnerabilities, if any, are detected, necessary precautions are taken and the change to be made is finalized after these processes.
  • Necessary precautions are taken for the physical security of information systems equipment, software and data of “FORM DIS TICARET LIMITED SIRKETI”.
  • In order to protect the information security systems against environmental threats, hardware (access control system that allows only authorized staff to enter the system room, ensuring physical security of the edge switches forming the area network, fire extinguishing system, air conditioning system, etc.) and software (firewalls, attack prevention systems, network access control, systems that prevent malicious software, etc.) precautions are taken.
  • Risks are identified in order to prevent illegal processing of personal data, technical precautions are taken against these risks, and technical controls are carried out regarding the precautions taken.
  • By establishing access procedures within the company, reporting and analysis studies regarding access to personal data are carried out.
  • The Company takes the necessary precautions to ensure that the deleted personal data is inaccessible and unavailable for the relevant users.
  • In case personal data is illegally obtained by others, preparations have been made by the Company accordingly in order to inform the relevant person and the Board about this situation.
  • Security vulnerabilities are monitored, appropriate security patches are installed and information systems are kept up-to-date.
  • Strong passwords are used in electronic environments where personal data are processed.
  • Secure logging systems are used in electronic environments where personal data is processed.
  • Data backup programs that ensure the safe storage of personal data are used.
  • Access to personal data stored in electronic or non-electronic media is limited according to access principles.
  • Access to the company website is encrypted with the SHA 256 Bit RSA algorithm using a secure protocol (HTTPS).
  • Private personal data security trainings have been provided for the employees involved in private personal data processing processes, confidentiality agreements have been concluded, and the authorities of users with access to data have been identified.
  • Electronic environments where private personal data is processed, stored and/or accessed are preserved using cryptographic methods, cryptographic keys are kept in secure environments, all transaction records are logged, security updates of the environments are constantly monitored, necessary security tests are carried out regularly, and test results are recorded.
  • Adequate security measures are taken in physical environments where private personal data is processed, stored and/or accessed, and unauthorized entry and exit are prevented by ensuring physical security.
  • If private personal data needs to be transferred via e-mail, it is transferred in encrypted form from a corporate e-mail address or by using a REM account. If it needs to be transferred via media such as portable memory, CD or DVD, it is encrypted with cryptographic methods and the cryptographic key is kept in a different environment.
  • If it is required to be transferred via paper media, necessary precautions are taken against risks such as theft, loss or viewing of the document by unauthorized persons, and the document is sent in a “confidential” format.

 

 

 

 

 

 

ANNEX 1 – Definitions

Explicit Consent

Refers to the consent with regard to a specific subject, based on information and expressed by free will.

Company

“FORM DIS TICARET LIMITED SIRKETI” operating at AKCABURGAZ MAHALLESI 3093. SOKAK NO: 16/1 ESENYURT ISTANBUL.

Cookie

Small files that are saved on the computers or mobile devices of users and help store their choices and other information on the web pages they visit.

Relevant User

The persons who process personal data within the organization of the data supervisor or in line with the authorization and instruction received from the data supervisor, except for the person or unit responsible for the technical storage, protection and backup of the data.

Disposal

Deletion, destruction or anonymization of personal data.

Contact Person

The real person notified by the data supervisor during the registration to the Registry for communication to be established with the Authority, regarding the liabilities of the legal persons residing in Turkey and the representative of the legal person data supervisor who are not resident in Turkey within the scope of the Law and the secondary regulations to be issued based on this Law.

(The contact person is not authorized to represent the Data Supervisor. As is evident from its name, s/he is the person assigned to establish "contact" amongst the data supervisor, data subjects and the Authority.)

Law/PDPL

Law No. 6698 on the Protection of Personal Data dated 24 March 2016, published in Official Gazette No. 29677 dated 7 April 2016.

Recording Media

Any media where personal data is processed wholly or partially automatically or non-automatically, provided that it is a part of any data recording system.

Personal Data

Any information related to the person whose identity is identified or identifiable.

Processing of Personal Data

All kinds of operations performed on data such as obtaining, recording, storing, maintaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data through fully or partially automated or non-automatic means, provided that it is part of any data recording system.

 

Anonymization of Personal Data

Rendering personal data impossible to associate with an identified or identifiable natural person in any way, even by matching with other data.

Deletion of Personal Data

Deletion of personal data; making personal data inaccessible and unusable for Relevant Users in any way.

Destruction of Personal Data

The process of making personal data inaccessible, unrecoverable and non-reusable in any way.

Board

Personal Data Protection Board

Private Personal Data

Data with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance, Company, foundation or trade union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Periodical Disposal

The deletion, destruction or anonymization process to be carried out ex officio at recurring intervals specified in the personal data storage and disposal policy in the event that all the conditions sought for the processing of personal data are eliminated.

Policy

Personal data protection policy established by the Company.

Data Operator

Real or legal person who processes personal data on behalf of the data supervisor based on the authority given by the data supervisor.

Data Recording System

The recording system where personal data are structured and processed based on certain criteria.

Data Owner/Data Subject

The real person whose personal data is processed.

Data Supervisor

Real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Regulation

Regulation on Deletion, Destruction or Anonymization of Personal Data.

Source:

Law No. 6698 on the Protection of Personal Data - Regulation on Deletion, Destruction or Anonymization of Personal Data - Regulation on the Registry of Data Supervisors - Communiqué on the Procedures and Principles to be Followed in Fulfilling the Enlightening Obligation - Communiqué on the Procedures and Principles of Application to the Data Supervisor

 

 

 

 

 

 

 

 

ANNEX 2 – Purposes of Processing Personal Data

 

 

PERSONAL DATA CATEGORY

DESCRIPTION OF CATEGORIZATION

Identity Data

Personal data regarding the identity information of natural persons shall be considered under this category. (name and surname, mother’s and father's name, mother's maiden name, date of birth, place of birth, marital status, national ID no)

Contact Data

Any personal data that can be used for communication with individuals shall be considered under this category. (address no, e-mail address, contact address, registered electronic mail address (REM), phone number)

Location Data

Location information of the place where persons are located, etc.

Personal File Data

Within the scope of the relevant legislation, the data included in the personal files of the Company staff include payroll information, disciplinary investigation, entry-exit document records, property declaration information, leave information, resume information, diploma, maternity leave, inability report, military service, performance evaluation reports, and for the applications of the sentenced persons, criminal convictions and security precaution records (criminal record).

In general, the following documents are found in the personal files.

1. Criminal record
2. Family status notification form
3. Employment Certificate/Service Certificate
4. Report indicating that s/he can work in heavy and dangerous work for very dangerous work
5. Copy of diploma
6. Maternity leave, ability/inability reports, breastfeeding leave petitions
7. Disability report if s/he is a disabled worker, ISKUR application registration document
8. Documents showing military status for male workers
9. ISKUR application registration document of the ex-convict and terror victim worker
10. Copy of marriage certificate
11. Worker’s approval letter for overtime work
12. Document indicating the consent of the worker to be transferred to another workplace temporarily
13. If there is a just termination, documents proving this situation, resignation letter or termination notice
14. Acquittance
15. Residence certificate
16. Employment contract
17. All correspondence made and records kept about the worker
18. A letter stating that the workers are informed about occupational health and safety, occupational risks, necessary precautions and their legal rights and responsibilities
19. Worker's payrolls and payment documents
20. Recruitment and release notices
21. Reports and warning letters for not coming to work / coming late without permission
22. Blood group card
23. Severance pay and notice pay payrolls
24. Copy of ID card
25. Birth registration copy
26. Resume
27. Medical report and periodic health examination reports
28. Photo
29. Medical Report
30. Letter from the Revenue Administration stating that discounts will be applied for those who will benefit from the disability allowance
31. Documents regarding the administrative actions to be taken in insurance events (work accident report, work accident notification, etc.)
32. Certificate of custodianship for the delivered tools and equipment, if any
33. Petitions, forms and tables regarding unpaid leaves and annual paid leaves
34. Training certificates, if any
35. Employability certificate for foreign workers

Data on Education, Business and Professional Life

All kinds of data regarding the education and business life of the persons shall be included under this category. (Education - Diploma - Certificate, Transcript, On-The-Job Training Information)

Legal Transaction Data

Information in correspondence with judicial authorities, Information in the case file, etc.

Financial Data

Account, bank, invoice information of persons

Visual and Audio Records

Audio/visual records kept for customer satisfaction

Digital Media Usage Data

Any personal data obtained as a result of tracking the activities of the users in the digital media shall be classified under this category.

Private Personal Data

Health, Criminal Conviction - Security Measures,

 

 

ANNEX 4 – Categories of Personal Data

 

 

CATEGORY OF PERSONAL DATA OWNER

DESCRIPTION OF CATEGORIZATION

Company Staff

Administrative staff.

Members of the Board and Senate

Data of the members taking part in the Company's organs and activities

Third Persons Involved in Company’s Activities

Third parties involved in Company’s commissions, working groups and organizations

Invitees of Company’s Activities

Natural persons invited to the Company's organizations

Participants of Company’s Activities

Persons participating in Company’s organizations

Payee/Service Provider

Third parties to be paid in Company’s Activities

Relatives of Company Staff

Relatives of Company Staff, Persons living in the same residence and dependent persons

Potential Employees

Potential employees making job applications to the Company

Supplier

Persons, organizations or persons associated with them who provide goods or services to the “COMPANY”.

Project Partner

Persons involved in the projects carried out by the “COMPANY”

Consultant

Persons, organizations or persons associated with them who provide consultancy services to the “COMPANY”.

Potential Product and Service Buyer, Person Buying Products or Services

Persons who buy and are likely to buy products and services from the “COMPANY”

Other

Apart from the above, persons, organizations or persons associated with them who have permanent, occasional, direct or indirect relations with the “COMPANY”

 

 

 

ANNEX 5 – Third Parties to Whom Personal Data is Transferred by Our Company and Purposes of Transfer

 

“FORM DIS TICARET LIMITED SIRKETI” may transfer the personal data of the data owners managed by this Policy to the persons included in the following categories in accordance with Articles 8 and 9 of the PDP Law:

(i)      Business partners of “FORM DIS TICARET LIMITED SIRKETI”,

(ii)     Suppliers of “FORM DIS TICARET LIMITED SIRKETI”,

(iii)   DELTASOFT OTOMASYON YAZ.MUH.HIZM.SAN.VE TIC.LTD.STI.

FUAT ARI (DBS DANISMANLIK)

ONUR TURIZM TAS.INS.SAN.TIC.A.S.

SOREDEV BILGI TEKNOLOJILERI LTD.STI.

CAN AKADEMI IS SAG.VE GUV.OLC.KAL.DAN.HIZ.LTD.STI.

(iv)   Legally authorized public institutions and organizations

(v)     Legally authorized private law persons

The scope of the persons to whom the transfer is made and the purposes of data transfer are stated below.

 

Persons to whom Data can be Transferred

Description

Purpose of Data Transfer

 

 

 

 

 

Business Partner

Identifies the parties with whom “FORM DIS TICARET LIMITED SIRKETI” established business partnerships while conducting its commercial activities, carrying out various projects and receiving services with DELTASOFT OTOMASYON YAZ.MUH.HIZM.SAN.VE TIC.LTD.STI.,

FUAT ARI (DBS DANISMANLIK)

ONUR TURIZM TAS.INS.SAN.TIC.A.S.

SOREDEV BILGI TEKNOLOJILERI LTD.STI.

CAN AKADEMI IS SAG.VE GUV.OLC.KAL.DAN.HIZ.LTD.STI.

Banks,

Retirement and Aid Fund Foundation

 

 

 

 

 

Limited to ensuring the fulfillment of the purposes for which the business partnership was established

 

 

 

Supplier

Identifies the parties that provide services to “FORM DIS TICARET LIMITED SIRKETI” on a contract basis in accordance with the orders and instructions of “FORM DIS TICARET LIMITED SIRKETI” while carrying out the commercial activities of “FORM DIS TICARET LIMITED SIRKETI”.

Limited in order to ensure that the services that are outsourced by “FORM DIS TICARET LIMITED SIRKETI” from the supplier and necessary to carry out the commercial activities of “FORM DIS TICARET LIMITED SIRKETI” are provided to “FORM DIS TICARET LIMITED SIRKETI”.

 

Legally Authorized Public Institutions and Organizations

Public institutions and organizations authorized to receive information and documents from “FORM DIS TICARET LIMITED SIRKETI” according to the provisions of the relevant legislation

Limited to the purpose requested by the relevant public institutions and organizations within their legal authority

 

 

 

 

 

Legally Authorized Private Law Persons

Private law persons authorized to receive information and documents from “FORM DIS TICARET LIMITED SIRKETI”

Limited to the purpose requested by the relevant private law persons within their legal authority

 

 

 

 

 

ANNEX 6 – Identity of Data Supervisor

 

Data Supervisor         : “FORM DIS TICARET LIMITED SIRKETI”

Address                      : AKCABURGAZ MAHALLESI 3093.SOKAK NO:16/1 ESENYURT ISTANBUL

Phone                         : 0 212 886 17 00        

REM                           : formdisticaret@hs01.kep.tr

Website                       : https://www.formdis.com/