The New Mobile Platform for Shopping & Consumer Loans

Personal Data Protection Policy

LEGAL BASIS

Article 20 of the Constitution provides that everyone has the right to demand the protection of their personal data. In accordance with the Law on the Protection of Personal Data No. 6698, the basic legal principle is that personal data can be processed only in cases stipulated by the law or with the explicit consent of the person. We attach utmost importance to the protection and processing of Personal Data in accordance with the law, and we act with this care in all our planning and activities. As the company, we take all administrative and technical measures for the protection and processing of Personal Data, which is the basis of privacy, and we inform and warn our personnel about the legal sanctions regulated in Article 135 and the following articles of the Turkish Penal Code (TPC) No. 5237.

PURPOSE

Law No. 6698 on the Protection of Personal Data, now in force, regulates the protection of the fundamental rights and freedoms of individuals in the processing of personal data, in particular the privacy of private life, as well as the obligations of natural and legal persons processing personal data and the procedures and principles to be followed. The aim of our policy, which was prepared by taking this regulation into account, is to ensure compliance with the obligations regarding the protection of personal data; to process, transfer and protect the confidentiality of the information provided within the scope of the activities carried out by our Company by evaluating it with a risk-based approach; to determine strategies, internal controls and measures, operating rules and responsibilities; and to raise the awareness of the employees of the institution on these issues. At the same time, it aims to ensure transparency by informing the people whose personal data are processed by our Company, especially our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions/organizations we cooperate with, and third parties.

SCOPE

This policy applies to all transactions regarding the personal data of our customers, potential customers, employees, employee candidates, Company shareholders, Company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties, whether processed automatically or, provided that it is a part of any data recording system, non-automatically.

DEFINITIONS

Explicit Consent

Consent, which is based on information on a particular subject and expressed with free will.

Anonymization

It is the change of personal data in such a way that it loses its ability to be associated with an identified or identifiable person and this situation cannot be undone. Example: making personal data incapable of being associated with a natural person with techniques such as masking, aggregation, data corruption, etc.

Worker

Persons working in the Company pursuant to the employment contract concluded with the Company.

Employee Candidate

Real persons who have either applied for a job in the Company by any means or have opened their CV and related information to the Company’s inspection.

Real Persons and Private Law Legal Entities

Real persons are those who were born alive and complete and are currently living, in accordance with the Turkish Civil Code. Private Law Legal persons refer to the Commercial Companies defined in the Turkish Commercial Code and the associations and foundations defined in the Turkish Civil Code.

Open to Everyone

It refers to a group of people that is not defined by any characteristic, that is, all people.

Shareholders

Real or legal persons who own shares in the Company of the Data Controller.

Business Partner

The parties with which the Data Controller carries out commercial activities and has a commercial relationship.

Employees, Shareholders and Officials of the Institutions We Collaborate with

Natural persons, including the shareholders and officials of these institutions, working in the institutions (such as but not limited to business partners, suppliers) with which the company has all kinds of business relations.

Affiliates and Subsidiaries

Affiliates are companies in whose capital the Data Controller has a share. If the company has more than 50% of the voting rights of the company it is a partner of, the relationship between the company and the partner company creates a subsidiary; if the majority is not in the company, there is a simple affiliate relationship.

Processing of Personal Data

All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classification or prevention of use, by fully or partially automatic means or, provided that it is a part of any data recording system, by non-automatic means.

Personal Data Owner

The natural person whose personal data is processed. For example: customers and employees.

Personal Data

Any information relating to an identified or identifiable natural person. The processing of information regarding legal persons is not within the scope of the law. For example: name-surname, TR, e-mail, address, date of birth, credit card number, etc.

Customer

Real persons who use or have used the products and services offered by the Company, regardless of whether they have any contractual relationship with the Company.

Special Quality Personal Data

Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are special data.

Potential Customer

Real persons who have requested or shown interest in using our products and services, or who have been evaluated, in accordance with commercial practices and honesty rules, as possibly having such an interest.

Intern

Real persons who have applied for an internship to the company by any means, and who aim to put their theoretical knowledge about the profession into practice in the workplace.

Company Shareholder

Natural persons who are shareholders of the company.

Company Official

Members of the company’s board of directors and other authorized natural persons.

Supplier

Parties that have a business relationship with the Data Controller based on the service contract and/or power of attorney agreement for service procurement within the scope of the Data Controller’s commercial activities.

Group Companies

According to the definition in the Turkish Commercial Code, “Companies that are directly or indirectly affiliated with the controlling company form the group of companies together with it.”

Third Party

Third-party real persons (e.g. family members and relatives) who are related to the above-mentioned parties, in order to ensure the security of commercial transactions between the Company and those parties or to protect the rights of, and obtain benefits for, those persons.

Data Processor

It is the natural and legal person who processes personal data on behalf of the Data Controller based on the authority given by him. For example, the firm or companies that hold the Company’s data, etc.

Data Controller

The person who determines the purposes and means of processing personal data, manages the place where the data is kept systematically (data recording system), provides the data owner with the necessary information about his personal information as a result of the request / application of the data owner, and makes the referrals.

Authorized Public Institutions and Organizations

Public institutions and organizations that are authorized by the relevant legislation to request information and documents from the Data Controller, and to which data must also be transferred in order for the Data Controller to fulfill its legal obligations.

Visitor

Real persons who enter the physical premises of the company for various purposes or visit our websites.

ABBREVIATIONS

PDP Law

Law on Protection of Personal Data No. 6698, dated March 24, 2016, published in the Official Gazette No. 29677, dated 7 April 2016.

Constitution

The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863.

PDP Board

Personal Data Protection Board

PDP Authority

Personal Data Protection Authority

Policy

Company Policy on Protection and Processing of Personal Data

TCO

Turkish Code of Obligations dated 11 January 2011 and numbered 6098, published in the Official Gazette dated 4 February 2011 and numbered 27836.

TPC

Turkish Penal Code No. 5237, dated 26 September 2004, published in the Official Gazette dated 12 October 2004 and numbered 25611.

TCC

Turkish Commercial Code No. 6102, dated January 13, 2011, published in the Official Gazette dated February 14, 2011 and numbered 27846.

DATA CATEGORIES

The Company may save, process or transfer data in the following categories.

Identity

Information such as name, surname, mother and father’s name, mother’s maiden name, date of birth, place of birth, marital status, identity card serial number, Turkish Citizenship identification number.

Contact

Information such as address number, e-mail address, contact address, registered e-mail address (KEP), telephone number.

Location

Information on the current location.

Personal

Information such as payroll information, disciplinary investigation, entry-exit document records, property declaration information, resume information, performance evaluation reports.

Legal Action

Information such as information in correspondence with judicial authorities, information in the case file.

Customer Transaction

Information such as call center records, invoice, promissory note, check information, information in box office receipts, order information, request information.

Physical Space Security

Information such as entry and exit registration information of employees and visitors, camera recordings.

Transaction Security

Information such as IP address information, website login and exit information, password information.

Risk Management

Information such as that processed to manage commercial, technical and administrative risks.

Finance

Information such as balance sheet information, financial performance information, credit and risk information, and asset information.

Professional Experience

Information such as diploma information, courses attended, vocational training information, certificates, transcript information.

Marketing

Shopping history information, survey, cookie records, information obtained through campaign work.

Audio-Visual Recordings

Recordings such as audio-visual recordings.

Health Information

Information such as disability information, blood group information, personal health information, PCR test results, pandemic health information, device and prosthesis information.

Criminal Conviction and Security Measures

Information such as information on criminal convictions, information on security measures.

PURPOSES OF PERSONAL DATA PROCESSING

The Company may save, process or transfer personal data for the following purposes:

Execution of Emergency Management Processes

Execution of Information Security Processes

Execution of Employee Candidate/Intern/Student Selection and Placement Processes

Execution of Application Processes of Employee Candidates

Execution of Employee Satisfaction and Loyalty Processes

Fulfillment of Employment Contract and Legislative Obligations for Employees

Execution of Benefits Processes for Employees

Conducting Audit/Ethics Activities

Conducting Educational Activities

Execution of Access Authorizations

Execution of Activities in Compliance with the Legislation

Execution of Finance and Accounting Affairs

Execution of Company/Product/Services Loyalty Processes

Providing Physical Space Security

Execution of Assignment Processes

Follow-up and Execution of Legal Affairs

Conducting Internal Audit/Investigation/Intelligence Activities

Execution of Communication Activities

Planning of Human Resources Processes

Execution/Audit of Business Activities

Conducting Business Continuity Ensuring Activities

Receiving and Evaluating Suggestions for Improvement of Business Processes

Execution of Occupational Health/Safety Activities

Execution of Logistics Activities

Execution of Goods/Service Procurement Processes

Execution of Goods/Services After Sales Support Services

Execution of Goods/Service Sales Processes

Execution of Good/Service Production and Operation Processes

Execution of Customer Relationship Management Processes

Execution of Activities for Customer Satisfaction

Organization and Event Management

Conducting Marketing Analysis Studies

Execution of Performance Evaluation Processes

Execution of Advertising / Campaign / Promotion Processes

Execution of Risk Management Processes

Creating and Tracking Visitor Records

Execution of Management Activities

Providing Information to Authorized Persons, Institutions and Organizations

Execution of Talent/Career Development Activities

Execution of Investment Processes

Foreign Personnel Work and Residence Permit Procedures

Ensuring the Security of Data Controller Operations

Execution of Marketing Processes of Products/Services

Execution of Wage Policy

Ensuring the Security of Movable Property and Resources

Follow-up of Requests/Complaints

Execution of Strategic Planning Activities

Execution of Sponsorship Activities

Execution of Contract Processes

Conducting Social Responsibility and Civil Society Activities

Execution of Storage and Archive Activities

LEGAL REASONS FOR PERSONAL DATA PROCESSING

The legal reasons for the processing of personal data are regulated in Article 5 of the PDP Law.

Personal data cannot be processed without the explicit consent of the person concerned.

In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:

LEGAL REASONS FOR PROCESSING SPECIAL QUALITY PERSONAL DATA

The legal reasons for the processing of personal data are regulated in Article 6 of the PDP Law.

It is prohibited to process sensitive personal data without the explicit consent of the person concerned.

Special categories of personal data other than health and sexual life may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life can be processed, without seeking the explicit consent of the person concerned, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy.

PERSONAL DATA TRANSFER RECIPIENT GROUPS

The Company may transfer personal data to the following Personal Data Transfer Recipient groups.

Public

Shareholders

Business Partner

Affiliates and Subsidiaries

Supplier

Community Company

Authorized Public Institutions and Organizations

PERSONS SUBJECT TO PERSONAL DATA

The company may save, process or transfer personal data according to the following types of persons:

Employee Candidate

Worker

Shareholder/Partner

Potential Product and Service Buyer

Intern

Supplier

Supplier Employee

Supplier Representative

Product or Service Recipient

Visitor

DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

Although the personal data has been processed in accordance with the law, in the event that the reasons for the processing disappear, these data are deleted, destroyed or anonymized by the data controller ex officio or upon the request of the person concerned.

The Data Controller deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

The actions to be taken regarding these matters are explained in detail in the Personal Data Retention and Destruction Policy.

PERSONAL DATA STORAGE PERIOD

Personal data retention periods are regulated in detail in the Personal Data Retention and Disposal Policy.

DATA CONTROLLER INFORMATION

For questions and/or comments regarding the Personal Data Protection Policy, please contact us using the contact information below:

Mersis No: 0388143442200001

KEP Address: finsoteknoloji@fhs05.kep.tr

E-Mail Address: info@finso.com.tr

Physical Mailing Address: Küçükbakkalköy Mahallesi Kayışdağı Caddesi Allianz Plaza Sitesi No: 1 İç Kapı No: 108 Kat:29 Ataşehir-İstanbul