Privacy policy

FİDAN KAPLAMA AĞAÇ MAMÜLLERİ TEKSTİL SAN. TİC. LTD. ŞTİ.

(“myfidan”)


PERSONAL DATA PROTECTION AND PROCESSING POLICY

2018

 


 

 

1. PURPOSE

 


At FİDAN KAPLAMA AĞAÇ MAMÜLLERİ TEKSTİL SAN. TİC. LTD. ŞTİ. (“Company” or “myfidan”), protecting and processing the personal data of natural persons such as our customers, consumers, suppliers and employees in accordance with the Constitution of the Republic of Türkiye, the international conventions on human rights to which our country is a party, and in particular the Law on the Protection of Personal Data No. 6698 (“LPPD” or “KVKK”) and the relevant secondary legislation, and ensuring that data subjects can effectively exercise their rights, are among our primary priorities.


For this reason, without limitation, we carry out all activities relating to the processing, storage and transfer of personal data belonging to our employees, visitors, business contacts, business partners, customers, suppliers, consumers and users visiting our website – in short, all personal data obtained in the course of our activities – in accordance with this myfidan Personal Data Protection and Processing Policy (“Policy”).


The protection of personal data and the safeguarding of the fundamental rights and freedoms of the data subjects whose personal data are collected constitute the basic principle of our Policy on the processing of personal data. Therefore, we conduct all our activities in which personal data are processed by taking into consideration the protection of privacy, the confidentiality of communication, freedom of thought and belief, and the right to an effective legal remedy.


We take all administrative and technical measures required by applicable legislation and current technology, proportionate to the nature of the personal data in question, in order to ensure the protection of personal data.


This Policy explains the methods we follow regarding the processing, storage, transfer and deletion or anonymisation of personal data shared with us in the course of our commercial activities, social responsibility activities and similar operations, in line with the principles set out in the LPPD.

 


 

 

2. SCOPE

 


This Policy covers all personal data processed by the Company, including but not limited to those belonging to our customers, consumers, business contacts, business partners, employees, suppliers, potential customers and third parties.


Our Policy applies to all activities carried out in relation to the processing of personal data in all systems owned or managed by the Company. It has been prepared in accordance with the LPPD, the relevant legislation on personal data and international standards in this field.

 


 

 

3. DEFINITIONS AND ABBREVIATIONS

 


This section briefly explains specific terms, concepts and abbreviations used in the Policy.


3.1. Company: “myfidan”.


3.2. Explicit Consent: Freely given, specific and informed consent regarding a particular issue, expressed clearly and limited to that specific processing activity.


3.3. Anonymisation: Rendering personal data impossible to link with an identified or identifiable natural person, even by matching them with other data.


3.4. Employee: Company personnel.


3.5. Personal Data Subject (Data Subject): The natural person whose personal data are processed.


3.6. Personal Data: Any information relating to an identified or identifiable natural person.


3.7. Special Categories of Personal Data (Sensitive Personal Data): Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.


3.8. Processing of Personal Data: Any operation performed on personal data such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, acquisition, making available, classification or preventing the use thereof, fully or partially by automatic means or by non-automatic means which form part of a data filing system.


3.9. Data Processor: A natural or legal person who processes personal data on behalf of the data controller upon its authorisation.


3.10. Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.


3.11. Board: Personal Data Protection Board.


3.12. Authority: Personal Data Protection Authority.


3.13. LPPD / KVKK: Law No. 6698 on the Protection of Personal Data, published in the Official Gazette dated 7 April 2016 and numbered 29677.


3.14. Policy: myfidan Personal Data Protection and Processing Policy.

 


 

 

4. ROLES AND RESPONSIBILITIES

 


E-Commerce Manager:

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system, and who processes personal data.


E-Commerce Specialist:

The natural or legal person who processes personal data on behalf of the data controller upon its authorisation.


(Note: In practice, the Company acts as “data controller”; employees with these titles may act as authorised persons or data processors on behalf of the Company.)

 


 

 

5. LEGAL OBLIGATIONS

 


As a data controller, our legal obligations regarding the protection and processing of personal data under the LPPD are listed below.


 

5.1. Obligation to Inform (Disclosure Obligation)

 

As a Data Controller, when collecting personal data, we are obliged to inform the Data Subject about:

 

  • For what purposes personal data will be processed,

  • Our identity and, if any, the identity of our representative,

  • To whom and for what purposes the processed personal data may be transferred,

  • Our method and legal basis for collecting personal data,

  • The rights arising from the law.

 


As a Company, we ensure that this publicly available Policy is clear, understandable and easily accessible.


 

5.2. Obligation to Ensure Data Security

 

As a Data Controller, we take the administrative and technical measures required by legislation to ensure the security of personal data under our responsibility. Our obligations and measures relating to data security are detailed in Sections 9 and 10 of this Policy.

 


 

 

6. CLASSIFICATION OF PERSONAL DATA

 


 

6.1. Personal Data

 

Personal data are any information relating to an identified or identifiable natural person.


The protection of personal data applies only to natural persons. Data relating to legal entities that do not contain information about an identifiable natural person do not fall within the scope of personal data protection. Therefore, this Policy does not apply to data belonging solely to legal entities.


 

6.2. Special Categories of Personal Data

 

Special categories of personal data are data relating to racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

 


 

 

7. PROCESSING OF PERSONAL DATA

 


 

7.1. Our Principles for Processing Personal Data

 

We process personal data in accordance with the principles set out below.


 

7.1.1. Processing in Compliance with the Law and the Principle of Good Faith

 

We process personal data in a lawful, fair and transparent manner and within the scope of our obligation to inform the Data Subject.


 

7.1.2. Ensuring that Personal Data are Accurate and, Where Necessary, Kept Up to Date

 

We take the necessary measures in our data processing procedures to ensure that the personal data we process are accurate and, where necessary, kept up to date. We also provide the Data Subject with the opportunity to update their data or correct any inaccuracies by applying to us.


 

7.1.3. Processing for Specific, Explicit and Legitimate Purposes

 

As a Company, we process personal data for specific and clearly defined purposes, within the framework of legitimate purposes determined in line with the legislation and the ordinary course of commercial life, and necessary for conducting our activities.


 

7.1.4. Being Relevant, Limited and Proportionate to the Purposes for Which They Are Processed

 

We process personal data in a manner that is relevant, limited and proportionate to the purposes we have clearly identified.


We avoid processing personal data that are not related to the purpose or not needed. Therefore, unless there is a legal obligation, we do not process special categories of personal data; if we must process such data, we obtain explicit consent in relation to the matter.


 

7.1.5. Retention for the Period Prescribed by Legislation or Required for the Purpose for Which They Are Processed

 

Many legal provisions require personal data to be retained for a certain period. Accordingly, we retain personal data for the period stipulated in the relevant legislation or for as long as required for the purposes for which they are processed.


When the legally prescribed retention period expires or the purpose of processing ceases to exist, we delete, destroy or anonymise the personal data. Our principles and procedures relating to retention periods are detailed in Article 9.1 of this Policy.


 

7.2. Purposes of Processing Personal Data

 

As a Company, we process personal data for purposes including but not limited to:

 

  • Conducting our activities,

  • Providing support services to customers within the scope of contracts and service standards,

  • Determining the preferences and needs of our customers and thereby shaping, personalising and updating the services to be provided to them,

  • Fulfilling our legal obligations as required or mandated by legal regulations,

  • Conducting market research and statistical analyses,

  • Conducting surveys, competitions, promotions and sponsorship activities,

  • Organising events,

  • Evaluating job applications,

  • Maintaining communication with persons who have a business relationship with the Company,

  • Carrying out marketing activities,

  • Managing compliance processes,

  • Managing vendor / supplier relationships,

  • Conducting advertising activities,

  • Legal reporting,

  • Invoicing.

 


 

7.3. Processing Special Categories of Personal Data

 

Special categories of personal data are processed by us only in cases where required by law and where administrative and technical measures determined by the Board are taken, and where explicit consent has been obtained, or in cases where processing is mandatory under legislation.


Since health data and data relating to sexual life may be processed for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health-care services and their financing, by persons or authorised institutions and organisations under a confidentiality obligation, such data are not processed by us except with respect to our employees. Special categories of personal data belonging to our employees may only be processed by persons or entities authorised in the relevant legislation.


 

7.4. Processing of Personal Data within the Scope of Memberships and Programmes

 

If you become a member of our programmes, our website or any scheme offered by us (for example, to benefit from campaigns or be informed about our advantages), we collect your personal data through membership forms, and we process and transfer the personal data you have shared.


 

7.5. Processing of Personal Data Collected via Cookies on Our Website

 

We use cookies to improve the functioning and usability of our website and to make the time you spend on our site more efficient and enjoyable. In addition, we benefit from certain cookies to remember your preferences on our website, thus providing you with an enhanced and personalised experience.


We may collect personal data through cookies on our website and process, transfer and store the data we collect.


If you do not want your personal data to be collected and processed through cookies, you may refuse cookies used on our website. However, please note that if you reject cookies, our website may not function properly and disruptions may occur in the display or provision of goods and services.


For detailed information about the cookies we use on our website, you can review our Cookie Policy.


 

7.6. Exceptional Circumstances Where Explicit Consent is Not Required

 

In the exceptional cases listed below and arising from the law, we may process personal data without obtaining explicit consent:

 

  • Where it is expressly provided for by law,

  • Where it is necessary for the processing of personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,

  • Where processing is necessary for the establishment, exercise or protection of a right,

  • Where data processing is necessary for our legitimate interests as data controller, provided that it does not harm the fundamental rights and freedoms of the Data Subject.

 


Exceptional cases where special categories of personal data may be processed without the Data Subject’s explicit consent are set out in Article 7.3 of this Policy.

 


 

 

8. TRANSFER OF PERSONAL DATA

 


 

8.1. Transfer of Personal Data Within Türkiye

 

As a Company, we act in accordance with the LPPD and the decisions and regulations of the Board regarding the transfer of personal data.


Except in cases explicitly provided for in the legislation, personal data and special categories of personal data are not transferred to other natural or legal persons by us without the Data Subject’s explicit consent.


In exceptional cases stipulated in the LPPD and other relevant legislation, personal data may be transferred without the Data Subject’s explicit consent to competent administrative or judicial authorities or institutions, in the manner and within the limits prescribed by the legislation.


Furthermore, in addition to the exceptional cases foreseen in the legislation:

 

  • In the circumstances set out in Article 7.6 of this Policy,

  • In relation to special categories of personal data, in the circumstances set out in Article 7.3 of this Policy,

  • Provided that administrative and technical measures determined by the Board and relevant legislation are taken, personal data relating to the health and sexual life of the Data Subject may be transferred, without explicit consent, only to persons under a confidentiality obligation or to authorised institutions and organisations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare services and their financing.

 


 

8.2. Transfer of Personal Data Abroad

 

As a rule, personal data are not transferred abroad without the Data Subject’s explicit consent. However, in the presence of one of the exceptional circumstances set out in Articles 7.3 and 7.6 of this Policy, personal data may be transferred abroad without explicit consent only if:

 

  • The foreign country to which the data will be transferred is deemed to provide adequate protection by the Board, or

  • In cases where adequate protection is not provided, the data controllers in Türkiye and in the relevant foreign country undertake, in writing, to provide adequate protection and the Board grants permission.

 


Your personal data may be transferred to our business partners located abroad and may be processed by such business partners and third parties, for purposes such as providing you with better services, customising our website in line with the needs and preferences of our customers, members and consumers, promoting our products and services, and enabling our search engines to remember your preferences.


 

8.3. Recipients of Personal Data

 

Personal data may be transferred to recipients including but not limited to:

 

  • Our suppliers,

  • Our business partners and business contacts,

  • Competent public institutions and organisations,

  • Competent private legal entities,

  • Our shareholders,

 


in accordance with the principles and rules explained above.


 

8.4. Measures Taken to Ensure Lawful Transfer of Personal Data

 

 

8.4.1. Technical Measures

 

In order to protect personal data, we take the following technical measures, among others:

 

  • Establishing internal technical organisation to ensure that personal data are processed and stored in compliance with legislation,

  • Ensuring that the security of the databases in which your personal data are stored is provided by our business partners,

  • Monitoring and auditing the processes of the technical infrastructure we have established,

  • Determining procedures for reporting our technical measures and audit processes,

  • Periodically updating and renewing technical measures,

  • Reviewing risky situations and producing the necessary technological solutions,

  • Using antivirus systems, firewalls and similar software or hardware security products and installing security systems in line with technological developments,

  • Employing staff with technical expertise or working with business partners who employ such experts.

 


 

8.4.2. Administrative Measures

 

In order to protect your personal data, we take the following administrative measures, among others:

 

  • Establishing policies and procedures for access to personal data, including access by Company and subsidiary employees,

  • Informing and training our employees on the lawful protection and processing of personal data,

  • Including provisions in our employment contracts and/or internal policies regarding the measures to be taken in cases where Company employees process personal data unlawfully,

  • Auditing the personal data processing activities of data processors with whom we work, or of their partners.

 

 


 

 

9. STORAGE OF PERSONAL DATA

 


 

9.1. Retention of Personal Data for the Period Prescribed in the Relevant Legislation or Required for the Purpose of Processing

 

We retain personal data for as long as required by the purposes of processing, without prejudice to statutory retention periods.


Where we process personal data for more than one purpose, and where all of the purposes of processing have ceased to exist or, upon the Data Subject’s request, there is no legal obstacle to deletion, personal data are deleted, destroyed or anonymised. In this regard, we comply with the provisions of the legislation and the decisions of the Board.


 

9.2. Measures Taken Regarding the Storage of Personal Data

 

 

9.2.1. Technical Measures

 

 

  • Creating technical infrastructure and audit mechanisms for the deletion, destruction and anonymisation of personal data,

  • Taking necessary measures to ensure the secure storage of personal data,

  • Employing staff with technical expertise,

  • Developing business continuity and emergency plans and establishing systems for their implementation to manage potential risks,

  • Installing security systems for storage environments of personal data in line with technological developments.

 


 

9.2.2. Administrative Measures

 

 

  • Informing our employees about technical and administrative risks relating to the storage of personal data and raising awareness,

  • Including provisions in agreements signed with third parties (where we cooperate for storage) requiring such parties to take necessary security measures to protect and securely store the transferred personal data.

 

 


 

 

10. SECURITY OF PERSONAL DATA

 


 

10.1. Our Obligations Regarding the Security of Personal Data

 

We take administrative and technical measures, taking into account technological capabilities and implementation costs, in order to:

 

  • Prevent unlawful processing of personal data,

  • Prevent unlawful access to personal data,

  • Ensure that personal data are stored in accordance with the law.

 


 

10.2. Measures Taken to Prevent Unlawful Processing of Personal Data

 

 

  • Conducting and having conducted necessary internal audits within our Company,

  • Training and informing our employees on the lawful processing of personal data,

  • Evaluating in detail all activities carried out by all business units of our Company and processing personal data specific to the commercial activities carried out by the relevant units,

  • Including provisions in agreements concluded with third parties in cases where we cooperate with data processors for the processing of personal data, which require such data processors to take necessary security measures,

  • In the event that personal data are unlawfully disclosed or a data breach occurs, notifying the Board and conducting the investigations and taking the measures prescribed by the legislation.

 


 

10.2.1. Technical and Administrative Measures Taken to Prevent Unlawful Access to Personal Data

 

In order to prevent unlawful access to personal data, we:

 

  • Employ staff with technical expertise or work with business partners that employ such experts,

  • Periodically update and renew technical measures,

  • Establish access authorisation procedures within our Company,

  • Determine procedures for reporting our technical measures and audit processes,

  • Establish and periodically audit data recording systems used within our Company in compliance with the legislation,

  • Develop emergency plans and systems for their implementation to manage potential risks,

  • Train and inform our employees about access to personal data and authorisation issues,

  • Include provisions in agreements concluded with third parties in cases where we cooperate with them for the processing and storage of personal data, requiring such parties to take necessary security measures,

  • Establish security systems within the framework of technological developments to prevent unlawful access to personal data,

  • Where the above activities are carried out through our business partners, ensure that such business partners have staff with technical expertise.

 


 

10.2.2. Measures Taken in the Event of Unlawful Disclosure of Personal Data

 

We take and regularly update administrative and technical measures and related procedures to prevent the unlawful disclosure of personal data. In the event that we determine that personal data have been disclosed without authorisation, we establish systems and infrastructure to notify the Data Subject and the Board in accordance with the legislation.


Despite all administrative and technical measures taken, if an unlawful disclosure occurs, the Board may decide to announce this situation on its website or by other methods, if it deems necessary.

 


 

 

11. RIGHTS OF THE DATA SUBJECT

 


Within the scope of our obligation to inform, we inform the Data Subjects and establish systems and infrastructure regarding this information. We make the necessary technical and administrative arrangements to enable the Data Subject to exercise their rights regarding their personal data.


The Data Subject has the following rights regarding their personal data:

 

  • To learn whether personal data are being processed,

  • If personal data have been processed, to request information regarding such processing,

  • To learn the purpose of processing personal data and whether they are used in accordance with this purpose,

  • To know the third parties in Türkiye or abroad to whom personal data are transferred,

  • To request the correction of personal data if they are incomplete or incorrect,

  • To request the deletion or destruction of personal data in the event that the reasons requiring their processing cease to exist,

  • To request notification to third parties to whom personal data have been transferred of the correction, deletion or destruction carried out,

  • To object to a result against them arising from the analysis of processed data exclusively through automated systems,

  • To request compensation for damage arising from the unlawful processing of personal data.

 


 

11.1. Exercise of Rights Regarding Personal Data

 

The Data Subject may submit their requests concerning their personal data in writing and signed, to the address:

Harbiye Mahallesi Maçka Caddesi Ralli Apt. No: 37, 34367 Şişli / İstanbul

or may send them to our registered e-mail address myfidan@myfidan.com with secure electronic signature, unless another method is determined by the Board.


The application must explain the right that the Data Subject wishes to exercise and must meet the following conditions:

 

  • The request must be clear and understandable,

  • The requested matter must be related to the applicant’s own person, or, if acting on behalf of another, the applicant must be specifically authorised in this regard and such authorisation must be documented,

  • The application must include identity and address information,

  • Documents confirming identity must be attached to the application.

 


Requests must be made individually; applications filed by unauthorised third parties regarding personal data will not be processed.


 

11.2. Evaluation of Applications

 

 

11.2.1. Time Limit for Responding to Applications

 

Requests relating to personal data will be finalised as soon as possible, and in any event within 30 (thirty) days, free of charge, or subject to a fee in accordance with the tariff to be published by the Board, if the conditions specified in the tariff are met.


Additional information and documents may be requested during or after the application.


 

11.2.2. Our Right to Reject Applications

 

Applications regarding personal data may be rejected, with justification, in the following cases:

 

  • Where personal data are processed for purposes such as research, planning and statistics, by anonymising them with official statistics,

  • Where personal data are processed for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that they do not violate the privacy of private life or personal rights and do not constitute a crime,

  • Where personal data have been made public by the Data Subject,

  • Where the application does not rely on a justified reason,

  • Where the application contains a request contrary to the relevant legislation,

  • Where the application does not comply with the procedure.

 


 

11.3. Procedure for Evaluating Applications

 

For the response period specified in Article 11.2.1 of this Policy to begin, applications must be submitted in writing and signed, or electronically signed and via KEP (registered e-mail), or by other methods determined by the Board, together with identity documents and information confirming the identity of the applicant.


If the request is accepted, the relevant action will be carried out and the applicant will be informed in writing or electronically. If the request is rejected, the applicant will be informed in writing or electronically, together with the reasons for rejection.


 

11.4. Right to Lodge a Complaint with the Personal Data Protection Board

 

If the application is rejected, if the reply is deemed insufficient, or if no reply is given within the time limit, the applicant has the right to lodge a complaint with the Board within 30 (thirty) days from the date of learning of the reply and, in any event, within 60 (sixty) days from the date of the application.

 


 

 

12. PUBLICATION AND STORAGE OF THE DOCUMENT

 


This Policy is stored in two formats: in hard copy and in electronic form.

 


 

 

13. UPDATE PERIOD

 


This Policy is reviewed at least once a year and, if necessary, updated in accordance with the principles set out in the Documentation Management Procedure.

 


 

 

14. ENTRY INTO FORCE

 


This Policy is deemed to have entered into force upon its publication on the Company’s website.