Step Into The Space

DATA POLICY

DATA POLICY

 

1. PURPOSE

As FAB DIŞ TİCARET ANONİM ŞİRKETİ; it is our priority that the personal data of natural persons — including our members, visitors, suppliers, and employees — is processed in accordance with the Constitution of the Republic of Turkey, the international treaties to which our country is a party regarding human rights, and, in particular, Law No. 6698 on the Protection of Personal Data ("KVKK") and other applicable legislation, and that the rights of data subjects whose data is processed are effectively exercised. For this reason, including but not limited to; we carry out all processing, storage, and transfer of personal data belonging to our employees, suppliers, customers, visitors, members, users of our website — in short, all personal data we obtain during our operations — in accordance with FAB DIŞ TİCARET ANONİM ŞİRKETİ's Personal Data Protection and Processing Policy ("Policy").

 

The protection of personal data and safeguarding the fundamental rights and freedoms of the natural persons whose data is collected is the core principle of our data processing policy. For this reason, we carry out all our activities involving personal data processing while observing the protection of privacy, confidentiality of communication, freedom of thought and belief, and the right to use effective legal remedies.

 

We take all administrative and technical protective measures required by legislation and current technology, as necessitated by the nature of the relevant data, to protect personal data.

 

This Policy explains the methods we follow for processing, storing, transferring, deleting, or anonymizing personal data shared during our commercial or social responsibility activities and similar operations, within the framework of the principles set out in the KVKK.

 

2. SCOPE

This Policy covers all personal data processed by the Company, including that of our visitors, business contacts, business partners, employees, suppliers, members, and third parties. Our Policy applies to all activities involving the processing of personal data owned or managed by the Company, and has been prepared taking into account the KVKK, other relevant legislation on personal data, and international standards in this field.

 

3. DEFINITIONS AND ABBREVIATIONS

This section briefly explains the special terms, phrases, concepts, abbreviations, etc. used in the Policy.

 

Explicit Consent                               : Consent relating to a specific matter, based on information and free will, expressed with clarity leaving no room for doubt, and limited to that specific transaction only.

Anonymization           : Rendering personal data in such a manner that it can no longer be associated with an identified or identifiable natural person, even when matched with other data.

Employee                                    : Company personnel.

Data Subject                  : The natural person whose personal data is processed.

Personal Data                             : Any information relating to an identified or identifiable natural person.

Special Category (Sensitive) Personal Data      : Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.

Processing of Personal Data     : Any operation performed on personal data, such as collection, recording, storage, retention, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or preventing use — whether by fully or partially automated means, or by non-automated means provided the process is part of a data recording system.

Data Processor                            : The natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the data controller.

Data Controller                      : The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

PDP Board                           : Personal Data Protection Board.

PDP Authority                         : Personal Data Protection Authority.

KVKK                                    : Law on the Protection of Personal Data.

 

4. ROLES AND RESPONSIBILITIES

4.1. Board of Directors

The Board of Directors is responsible for the overall oversight of establishing and operating notification, review, and sanction mechanisms in the event of non-compliance with the Policy, rules, and regulations.

 

4.2. Data Processor

The data processor is responsible for the preparation, development, execution, and updating of this Policy. The data controller: evaluates this Policy when necessary in terms of its currency and development needs. Ensures the prepared document is published on the corporate portal/website when necessary and distributed internally within the organization. The Data Controller (Fab Dış Ticaret Anonim Şirketi) is responsible, within the framework of this policy, for managing its relationships with institutional investors, portfolio managers, analysts, current and potential shareholders, etc., and for carrying out public disclosure practices transparently and simultaneously to all relevant parties.

 

5. LEGAL OBLIGATIONS

As a data controller under the KVKK, our legal obligations regarding the protection and processing of personal data are listed below:

 

5.1. Our obligation to inform

As a data controller, when collecting personal data, we are obligated to inform the Data Subject about:

  • The purpose for which your personal data will be processed,
  • Our identity and, if applicable, information about our representative,
  • To whom and for what purpose the processed personal data may be transferred,
  • Our method of collecting data and its legal basis,
  • Rights arising from the law,

As a Company, we take care to ensure that this publicly available Policy is clear, understandable, and easily accessible.

 

5.2. Our obligation to ensure data security

As a data controller, we take the administrative and technical measures prescribed by legislation to ensure the security of the personal data in our possession. Obligations relating to data security and the measures taken are detailed in Sections 9 and 10 of this Policy. You may also review the Personal Data Retention and Destruction Policy.

 

6. CLASSIFICATION OF PERSONAL DATA

6.1. Personal data

Personal data is any information relating to an identified or identifiable natural person.

Protection of personal data applies only to natural persons; information belonging to legal entities that does not contain information about a natural person, as well as information belonging to personnel employed under a service contract (for as long as within the retention period, as required by KVKK), are excluded from personal data protection. Therefore, this Policy does not apply to data belonging to legal entities or to personnel data.

 

6.2. Special category personal data

Data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, as well as appearance and clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data, constitute special category (sensitive) personal data.

 

7. PROCESSING OF PERSONAL DATA

7.1. Our principles for processing personal data

We process personal data in accordance with the principles set out below.

 

7.1.1. Lawful and fair processing

We process personal data in a manner that is fair, transparent, and consistent with our obligation to inform.

7.1.2. Ensuring that personal data is accurate and kept up to date when necessary

We take the necessary measures in our data processing procedures to ensure that processed data is accurate and up to date. We also provide the Data Subject with the ability to apply to us to update their data and, where applicable, correct any errors in the data being processed.

7.1.3. Processing for specified, explicit, and legitimate purposes

As a Company, we process personal data within the scope of our legitimate purposes, clearly defined in scope and content, in order to continue our activities within the ordinary course of business and applicable legislation.

7.1.4. Ensuring personal data is relevant, limited, and proportionate to the purposes for which it is processed

We process personal data in a manner that is relevant, limited, and proportionate to the clear and specific purposes we have defined.

We avoid processing personal data that is unrelated or not needed for processing. For this reason, unless legally required, we do not process special category personal data, or when we must, we obtain explicit consent regarding the matter.

7.1.5. Retention of personal data for the period prescribed by legal regulations and for the duration of our legitimate commercial interests

Many legal regulations require personal data to be retained for a certain period. Due to lawsuits and legal obligations to which our Company is subject, all types of personal data are retained for the periods specified in the Personal Data Retention and Destruction Policy.

Upon expiration of the retention period prescribed by legislation, or when the purpose of processing no longer exists, we delete, destroy, or anonymize personal data.

 

7.2. Our purposes for processing personal data

As Fab Dış Ticaret Anonim Şirketi, we process personal data for the purposes listed below:

  • To carry out our operations,
  • To provide support services within the scope of contracts and service standards,
  • To determine the preferences and needs of our members/visitors and to shape and update the services we provide accordingly,
  • To fulfill our legal obligations as required or mandated by legal regulations,
  • To conduct market research and statistical studies,
  • Surveys, contests, promotions/channel development, and sponsorships,
  • To evaluate job applications,
  • To communicate with persons in a business relationship with the Company,
  • Marketing,
  • Compliance management,
  • Vendor/supplier management,
  • Advertising sales on physical and digital platforms,
  • Legal reporting,
  • Invoicing,
  • Communication with dealers,
  • Managing membership processes via social networks,
  • Managing call center processes,
  • Corporate communication,
  • Personalizing frequently used or favorite campaigns and offering campaign and promotion suggestions based on interests,
  • Providing personalized job listings and employment-related information,
  • Maintaining contact with suppliers and with the company after product purchases,
  • Sending newsletters or notifications via email.

 

7.3. Processing of special category personal data

Special category personal data is processed by us only where explicit consent exists or where required by legislation, and with the administrative and technical measures prescribed by law and the PDP Board.

Special category personal data relating to health and sexual life may only be processed, without seeking explicit consent, by persons under an obligation of confidentiality or authorized institutions and organizations, for purposes such as protection of public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and their financing; therefore, we do not process such data. Such data belonging to our employees may only be processed by persons authorized under the law.

 

7.4. Processing of personal data collected through cookies

We use cookies to improve the functioning and use of our website and/or mobile applications, and to make the time you spend on our digital platforms more efficient and enjoyable. In addition, we make use of certain cookies to remember your preferences on our website and/or mobile applications, providing you with an enhanced and personalized experience.

We may collect your personal data through cookies on our digital platforms, and process, transfer, and store the data we collect.

You can find detailed information about the cookies we use in the "Cookie Policy" on our website.

 

7.5. Processing of personal data for human resources and employment purposes

During the application process, we process, store, and transfer the personal data contained in your CV, diploma, and other documents shared with us as a job candidate, for the purpose of evaluating your job application. The processing, transfer, and storage of personal data you share as a job candidate falls within the scope of this Policy.

Personal data belonging to Employees is collected, processed, and stored within the framework of this Policy as well as Human Resources rules.

 

7.6. Exceptional cases where explicit consent is not required for the processing of personal data

We may process personal data without obtaining explicit consent in the following statutory exceptional cases:

  • Where explicitly provided for by law;
  • Where processing personal data belonging to the parties of a contract is necessary, provided it is directly related to the establishment or performance of the contract;
  • Where data processing is mandatory for the establishment, exercise, or protection of a right;
  • Where processing your data is mandatory for our legitimate interests as a data controller, provided this does not harm your fundamental rights and freedoms.

 

Exceptional cases in which special category personal data may be processed without the explicit consent of the Data Subject are specified in Article 7.3 of this Policy.

 

8. TRANSFER OF PERSONAL DATA

8.1. Domestic transfer of personal data

As a Company, we act in accordance with the decisions and regulations set out by the KVKK and adopted by the PDP Board regarding the transfer of personal data.

Except for the exceptional cases provided for in legislation, personal data and special category data are not transferred by us to other natural or legal persons without the explicit consent of the Data Subject.

In exceptional cases provided for under the KVKK and other legislation, data may be transferred without the explicit consent of the Data Subject, in the manner and within the limits prescribed by legislation, to authorized administrative or judicial institutions or organizations. In addition, in the exceptional cases provided for by legislation, as well as;

  • In the cases described in Article 7.6 of the Policy,
  • In the cases listed in Article 7.3 of the Policy regarding special category personal data,
  • Where the measures prescribed by the PDP Board and applicable legislation are taken, special category personal data relating to a Data Subject's health and sexual life may be transferred, without seeking explicit consent, to persons under an obligation of confidentiality or authorized institutions and organizations, solely for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and their financing,

data may be transferred without seeking explicit consent.

 

8.2. International transfer of personal data

As a rule, personal data is not transferred abroad without the explicit consent of the Data Subject. However, in cases where one of the exceptional circumstances set out in Articles 7.3 and 7.7 of this Policy exists, personal data may be transferred abroad without explicit consent to third parties located abroad only:

  • If located in countries deemed to provide adequate protection as announced by the PDP Board;
  • If located in countries without adequate protection, provided the data controllers in Turkey and in the relevant foreign country provide a written undertaking of adequate protection and the PDP Board grants permission;

 

8.3. Institutions and organizations to which personal data is transferred

Personal data may be transferred, in accordance with the principles and rules explained above, to;

  • Our suppliers,
  • Our business partners and business contacts,
  • Production companies,
  • Group companies,
  • Legally authorized public institutions and organizations,
  • Legally authorized private law entities,
  • Our shareholders,

 

8.4. Measures we have taken to ensure lawful transfer of personal data

8.4.1. Technical measures

To protect personal data, including but not limited to;

  • We carry out internal technical organization to ensure that personal data is processed and stored in accordance with legislation,
  • We establish the technical infrastructure to ensure the security of the databases in which your personal data will be stored,
  • We monitor and audit the processes of the technical infrastructure we have established,
  • We establish procedures for reporting on the technical measures and audit processes we have taken,
  • We periodically update and renew technical measures,
  • Risky situations are re-examined and the necessary technological solutions are developed,
  • We use antivirus systems, firewalls, and similar software or hardware security products, and establish security systems appropriate to technological developments,
  • We employ staff with technical expertise.

 

8.4.2. Administrative measures

To protect your personal data, including but not limited to;

  • We establish policies and procedures for access to personal data, including for employees of our Company and affiliated companies,
  • We inform and train our employees on the lawful protection and processing of personal data,
  • We record, in the contracts we make with our employees and/or in the Policies we create, the measures to be taken in cases where personal data is processed unlawfully by our Company's Employees,
  • We audit the personal data processing activities of the data processors we work with or their partners.

 

9. RETENTION OF PERSONAL DATA

9.1. Retention of personal data for the period prescribed by relevant legislation or required for the purpose for which it is processed

Many legal regulations require personal data to be retained for a certain period. Due to lawsuits and legal obligations to which our Company is subject, all types of personal data are retained for the periods specified in the Personal Data Retention and Destruction Policy.

In cases where we process personal data for multiple purposes, if the purposes of processing cease to exist, or if there is no legal obstacle to deleting the data upon the Data Subject's request, the data is deleted, destroyed, or anonymized and stored. In matters of destruction, deletion, or anonymization, the provisions of legislation and decisions of the PDP Board are complied with.

 

9.2. Measures we have taken regarding the retention of personal data

9.2.1. Technical measures

  • We establish technical infrastructures and related audit mechanisms for the deletion, destruction, and anonymization of personal data,
  • We take the necessary measures for the secure storage of personal data,
  • We employ staff with technical expertise,
  • We develop business continuity and emergency plans, and systems for their implementation, against potential risks,
  • We establish security systems in line with technological developments regarding the storage areas of personal data.

9.2.2. Administrative measures

  • Training is provided on the development of employee competency, prevention of unlawful processing and unlawful access to personal data, ensuring proper safekeeping of personal data, communication techniques, technical knowledge and skills, Law No. 657, and other relevant legislation.
  • Employees involved in FABCO's activities are required to sign confidentiality agreements.
  • A disciplinary procedure has been prepared for employees who fail to comply with security policies and procedures.
  • Before beginning to process personal data, FABCO fulfills its obligation to inform the relevant data subjects.
  • A personal data processing inventory has been prepared.
  • Periodic and random internal audits are conducted.
  • Information security training is provided to employees.

 

10. SECURITY OF PERSONAL DATA

10.1. Our obligations regarding the security of personal data

To;

  • Prevent unlawful processing of personal data,
  • Prevent unlawful access to personal data,
  • Ensure lawful storage of personal data,

we take administrative and technical measures based on available technology and implementation costs.

 

10.2. Measures we take to prevent unlawful processing of personal data

  • We conduct and commission the necessary audits within our Company,
  • We train and inform our employees on the lawful processing of personal data,
  • The activities carried out by our Company are evaluated in detail specifically for all business units, and personal data is processed based on the commercial activities carried out by the relevant units as a result of this evaluation,
  • Where third parties are engaged for the purpose of processing personal data, the contracts made with companies processing personal data include provisions requiring those processing personal data to take the necessary security measures,
  • In the event of unlawful disclosure of personal data or a data breach, we notify the PDP Board of the situation and carry out the reviews and take the measures required by legislation.

 

10.2.1. Technical and administrative measures taken to prevent unlawful access to personal data

To prevent unlawful access to personal data;

  • We employ staff with technical expertise,
  • We periodically update and renew technical measures,
  • We establish access authorization procedures within our Company,
  • We establish procedures for reporting on the technical measures and audit processes we have taken,
  • We establish the data recording systems used within our Company in accordance with legislation and periodically audit them,
  • We develop emergency response plans and systems for their implementation against potential risks,
  • We train and inform our employees on access to and authorization of personal data,
  • Where third parties are engaged for activities such as processing or storing personal data, the contracts made with companies granting access to personal data include provisions requiring those with access to take the necessary security measures,
  • We establish security systems in line with technological developments to prevent unlawful access to personal data.
  •  

10.2.2. Measures taken in the event of unlawful disclosure of personal data

We take administrative and technical measures aimed at preventing the unlawful disclosure of personal data and update them in accordance with our relevant procedures. In the event that, despite all administrative and technical measures taken, an unlawful disclosure occurs, and if deemed necessary by the PDP Board, this situation may be announced on the PDP Board's website or through another method.

 

11. RIGHTS OF THE DATA SUBJECT

Within the scope of our obligation to inform, we inform the Data Subject and establish the systems and infrastructure related to this notification. We carry out the necessary technical and administrative arrangements to enable the Data Subject to exercise their rights regarding their personal data.

 

The Data Subject has the right to:

  • Learn whether their personal data is being processed,
  • Request information about it if their personal data has been processed,
  • Learn the purpose of processing their personal data and whether it is used in accordance with that purpose,
  • Know the third parties to whom their personal data is transferred, domestically or abroad,
  • Request correction of their personal data if it has been processed incompletely or incorrectly,
  • Request deletion or destruction of their personal data if the reasons requiring its processing no longer exist,
  • Request that the correction, deletion, or destruction operations mentioned above be notified to third parties to whom the personal data has been transferred,
  • Object to a result that arises to their detriment through analysis of the processed data exclusively via automated systems,
  • Request compensation for damages in the event of harm suffered due to unlawful processing of their personal data,

 

11.1. Exercising rights relating to personal data

The Data Subject may submit their request regarding their personal data via the method determined separately by the PDP Board, if any, or in writing with a wet-ink signature to Masko Mobilyacılar Sitesi, 6A Blok Sok. No: 15, Başakşehir/Istanbul, or by email to kvkk@fabco.com.tr.

 

In the application made to exercise the above-mentioned rights, containing explanations regarding the right requested to be used, the requested matter must be clear and understandable, must relate to the applicant personally (or, if acting on behalf of someone else, the applicant must be specifically authorized to do so and must document this authority), and the application must include identity and address information along with documents verifying identity.

 

Such requests must be made individually; requests made by unauthorized third parties regarding personal data will not be considered.

 

11.2. Evaluation of the application

11.2.1. Response time for applications

Requests regarding personal data are finalized free of charge as soon as possible depending on their nature, and in any case within 30 (thirty) days at the latest, or, if a fee schedule is published by the PDP Board, upon payment of the applicable fee under such schedule.

Additional information and documentation may be requested during or while evaluating the application.

 

11.2.2. Our right to reject the application

Applications regarding personal data will be rejected with justification in cases where;

  • Personal data is processed for purposes such as research, planning, and statistics by rendering it anonymous with official statistics,
  • Personal data is processed for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided it does not violate privacy or personal rights or constitute a crime,
  • Personal data has been made public by the Data Subject themselves,
  • The application is not based on a justified reason,
  • The application contains a request contrary to relevant legislation,
  • The application procedure has not been followed,

 

11.3. Application evaluation procedure

For the response period specified in Article 11.2.1 of this Policy to begin, requests must be submitted in writing with a wet-ink signature, or via electronic signature through the Registered Electronic Mail (KEP) system, or by other methods determined by the PDP Board, together with information and documents verifying the applicant's identity.

If the request is accepted, the relevant action is implemented and notification is given in writing or electronically. If the request is rejected, the reasoning is explained and communicated to the applicant in writing or electronically.

 

11.4. Right to complain to the Personal Data Protection Board

In cases where the application is rejected, the response given is found insufficient, or no response is given within the required time, the applicant has the right to file a complaint with the PDP Board within 30 (thirty) days of learning of the response, and in any case within 60 (sixty) days from the date of application.

 

12. PUBLICATION AND STORAGE OF THE DOCUMENT

This Policy is stored in two separate formats: printed paper and electronic media.

 

13. UPDATE PERIOD

This Policy is reviewed at least once a year and updated as needed.

 

14. ENTRY INTO FORCE

This Policy is deemed to have entered into force upon its publication on the Company's website.

 

15. REVOCATION

In the event a decision is made to revoke this Policy, the old wet-ink-signed copies of this Policy will be canceled with the written approval of the Data Controller (by stamping "canceled" or writing "canceled"), signed, and retained by the Data Processor for a period of 10 (ten) years.

 

Step Into The Space

More Information

For questions about orders, production, or materials used, please check our FAQ (Frequently Asked Questions) section.

View FAQ