1.1. Purpose of the Policy
Within the scope of the Personal Data Protection Law No. 6698 ("Law"), FIBER DENIZCILIK VE GEMI IŞLETMECILIĞI TIC. A.Ş. ("Company" and "Firm"), processing and protecting personal data in accordance with the law are among our top priorities. We also follow the same priority in all our planning and business activities. In this context, in accordance with Article 10 of the Law, we aim to inform you and to of all administrative and technical measures we will implement regarding the processing and protection of personal data, and hereby present this Personal Data Processing and Protection Policy ("Policy") for your information.
1.2 Scope
This Policy determines the conditions for the processing of personal data and sets out the principles adopted by the Company for the processing of personal data. In this context, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, all processed personal data, and the owners of this data.
1.3 Definitions
Explicit Consent :Consent based on information regarding a specific issue and expressed with free will.
Anonymization: :Making data previously associated with an individual unidentifiable or not associable with any identifiable or identifiable real person in any way by matching it with other data.
Job Applicant: :Individuals who are not employed within the Company but are in the status of job applicants.
Personal Data: : Any kind of information related to an identified or identifiable real person.
Data Subject: :The real person whose personal data is processed.
Processing of Personal Data: :Any kind of transaction carried out on data, including but not limited to obtaining, recording, storing, preserving, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of data, either wholly or partially automated, or as part of any data recording system.
Law :Personal Data Protection Law No. 6698 published in the Official Gazette dated April 7, 2016 and numbered 29677
Special Categories of Personal Data : Data related to race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal conviction, and security measures, as well as biometric and genetic data.
Policy :FİBER DENİZCİLİK VE GEMİ İŞLETMECİLİĞİ TİC. A.Ş. Company Personal Data Processing and Protection Policy
Company : FİBER DENİZCİLİK VE GEMİ İŞLETMECİLİĞİ TİC. A.Ş. Company
Data Processor : The real or legal person who processes personal data on behalf of the data controller based on the authority given by them.
Data Controller: :The person who determines the purposes and means of processing personal data and manages the place where the data is systematically kept.
Data Recording System : The recording system in which personal data is processed according to specific criteria.
Business Partners: :Individuals with whom the Company establishes partnerships within the framework of contractual relations within the scope of its commercial activities.
1.4 Effectiveness of the Policy
This Policy, prepared by the Company, entered into force on 10.05.2024 and has been made available to the public. In case of contradiction between the regulations in force, especially the Law, and the regulations included in this Policy, the provisions of the legislation shall apply. The Company reserves the right to amend the Policy in parallel with legal regulations. The current version of the Policy can be accessed from the Company's website (http://www.fibermarine.com.tr).
2 Information Regarding the Personal Data Processing Activities Conducted by the Company
2.1 Data Subjects
The data subjects within the scope of this Policy are all natural persons whose personal data is processed by the Company, excluding Company employees. Generally, data subjects can be categorized as follows:
Data Subject Categories Explanation
Customers :Refers to individuals who benefit from the services provided by the Company and individuals who show interest in the services provided by the Company, with the potential to become customers.
Worker : Refers to individuals who are employed by the Company, including Company Shareholders, Company Representatives appointed by the Company, Group Company Employees/Shareholders/Authorized Personnel/Board Members, White- collar employees, Blue-collar employees, Former Employees/Retirees, Job Applicants, Active Interns, Intern Applicants.
3 Parties
Potenial Customers : Refers to individuals who show interest in the services provided by the Company, with the potential to become customers.
Employee Candidates : Refers to individuals who apply for jobs by sending their CVs to the Company or through other methods.
Vsisitors :Refers to individuals who visit the Company for any reason.
3rd persons :It refers to real persons excluding Company employees, along with the data subject categories mentioned above.
2.2 Purposes of Processing Personal Data
2.2.1 Conducting necessary activities by relevant departments of the Company to benefit the relevant individuals from the services provided by the Company and to carry out business processes:
1 Planning service processes,
2 Planning and executing customer relationship management processes,
3 Monitoring contract processes and/or legal demands,
4 Tracking customer requests and/or complaints.
2.2.2 Planning and executing human resources policies and processes of the Company:
- Planning and executing talent-career development activities,
- Fulfilling employment contracts and/or legal obligations for Company employees,
- Planning and executing fringe benefits and benefits for employees,
- Planning and executing internal orientation activities,
- Planning and executing employee exit processes,
- Wage management,
- Planning human resources processes,
- Managing staff procurement processes,
- Planning and executing appointment-promotion and termination processes for the Company,
- Planning and executing performance evaluation processes for employees,
- Tracking and/or auditing employees' work activities,
- Planning and/or executing internal training activities,
- Planning and executing employee satisfaction and/or loyalty processes,
- Planning and executing processes to receive and evaluate suggestions for improving employees' work and/or production processes,
- Planning and executing internship and/or student recruitment, placement, and operation processes.
Conducting necessary activities by relevant departments of the Company to carry out commercial activities and related business processes:
1 Event management,
2 Planning and execution of business activities,
3 Planning and execution of corporate communication activities,
4 Planning and execution of operational processes,
5 Planning, auditing, and execution of information security processes,
6 Establishment and management of information technology infrastructure,
7 Planning and execution of access rights for business partners,
8 Monitoring of financial and/or accounting tasks,
9 Planning and execution of corporate sustainability activities,
10 Planning and execution of corporate governance activities,
11 Planning and execution of business continuity activities.
2.2.4 Planning and execution of the Company's commercial and/or business strategies:
Management of relationships with business partners.
2.2.5 Ensuring the legal, technical, and commercial security of the Company and related individuals in the business relationship with the Company:
1 Tracking legal affairs,
2 Planning and execution of operational activities to ensure that Company activities are carried out in accordance with company procedures and/or relevant legislation,
3 Providing information to competent authorities as required by legislation,
4 Creation and tracking of visitor records,
5 Planning and execution of emergency management processes,
6 Execution of company and partnership law transactions,
7 Planning and execution of company audit activities,
8 Planning and execution of occupational health and/or safety processes,
9 Execution of credit process risk management,
10 Ensuring the security of Company campuses and/or facilities,
11 Ensuring the security of Company operations,
12 Planning and execution of Company's financial risk processes,
13 Ensuring the security of Company assets and/or resources.
2.3 Categories of Personal Data
Personal data categorized by the Company is processed in accordance with the personal data processing conditions specified in the Law and relevant legislation.
Date Category Explanation
Identity information : includes data found on documents such as driver's licenses, identity cards, residence permits, Seaman book, passports, lawyer IDs, marriage certificates, and similar documents.
Contact information :Refers to details used to communicate with an individual, such as email address, phone number, mobile phone number, and address.
Lokasyon bilgisi : Veri sahibinin konumunu tespit etmeye yarayan bilgiler (örn. araç kullanımı sırasında edinilen konum bilgileri).
Location information :Refers to data that helps determine the data subject's whereabouts, such as location data acquired during the use of a vehicle.
Customer information :Refers to data belonging to customers who benefit from our services, such as customer number, occupation information, etc.
Customer transaction information :encompasses all details related to transactions carried out by customers who benefit from our services.
Physical space security information :Physical space security information includes personal data related to records and documents such as camera recordings and fingerprint records taken at the entry and during the stay within physical premises.
Transaction security information :Firma’nın kişisel veri sahibi ile kurmuş olduğu hukuki ilişkinin tipine göre yaratılan her türlü finansal sonucu gösteren bilgi, belge ve kayıtlara ilişkin işlenen kişisel veriler.
Financial information :Financial information refers to personal data processed regarding any kind of financial outcome created based on the legal relationship established between the Company and the data subject.
Prospective employee information :Prospective employee information refers to personal data processed regarding individuals who have applied to become an employee of the Company, have been evaluated as prospective employees based on business customs and honesty rules, or are individuals involved in a working relationship with the Company.
Denetim ve teftiş bilgisi :Firma’nın kanuni yükümlülükleri ve şirket politikalarına uyumu kapsamında işlenen kişisel veriler.
Legal transaction and compliance information. :Legal transaction and compliance information refer to personal data processed for the identification, pursuit, and execution of the Company's legal rights and obligations, as well as for compliance with legal obligations and the Company's policies.
Talep/şikayet yönetimi bilgisi :Firma’ya yöneltilmiş olan her türlü talep veya şikayetin alınması ve değerlendirilmesine ilişkin kişisel veriler.
Audit and inspection information :Audit and inspection information refer to personal data processed within the scope of the Company's legal obligations and compliance with company policies.
Special category of data :Special category of data includes information about an individual's race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance, association membership (such as membership in associations, foundations, or unions), health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.
Complaint/Request Management :Complaint/Request Management Information refers to personal data related to the receipt and evaluation of any kind of complaint or request directed to the Company.
Reputation management :Reputation management information includes data collected to protect the commercial reputation of the Company, along with information regarding assessment reports and actions taken in response to them.
Incident management information :Incident management information refers to personal data processed for taking necessary legal, technical, and administrative measures to protect the commercial rights and interests of the Company and its customers against emerging events.
3 Principles and Conditions for Processing Personal Data
In accordance with Article 4 of the Law, the Company processes personal data by adhering to legal and ethical principles, ensuring accuracy and, when necessary, updating, pursuing specific, clear, and legitimate purposes, processing personal data activities in a manner that is relevant to the purpose, limited, and proportionate. The Company retains personal data for as long as required by laws or the purpose of personal data processing.
3.1 Principles of Processing Personal Data
In compliance with Article 10 of the Personal Data Protection Law, the Company informs data subjects and, in cases where consent is required, requests their consent for processing personal data, based on the principles outlined below.
3.1.1 Processing Data in Compliance with Legal and Ethical Principles
The Company acts in accordance with the legal principles and general trust and honesty principles in the processing of personal data. In accordance with the principle of compliance with the rule of honesty, while striving to achieve its data processing goals, the Company takes into account the interests and reasonable expectations of the relevant individuals.
3.1.2 Ensuring the Accuracy and Timeliness of Personal Data
Ensuring the accuracy and timeliness of personal data is necessary for the protection of fundamental rights and freedoms of the data subject from the Company's perspective. The Company has an active diligence obligation to ensure that personal data is accurate and up-to-date. Therefore, all communication channels are open for keeping the information of the data subject accurate and up-to-date.
3.1.3 Processing Data for Specific, Clear, and Legitimate Purposes
The Company clearly and definitively determines the legitimate and legal purpose of processing personal data. It processes personal data to the extent necessary for its commercial activities and related operations.
3.1.4 Relevance, Limitation, and Proportionality of Data Processing to the Purpose
The Company processes personal data within the scope of the purposes relevant to its business activities and necessary for the conduct of its business. Therefore, it processes personal data in a manner conducive to achieving the defined purposes and avoids processing personal data that is irrelevant to or unnecessary for achieving the purpose.
3.1.5 Retaining Data for as Long as Required by Relevant Legislation or the Purpose of Processing
The Company retains personal data only for the period specified by relevant legislation or for the duration necessary for the purpose of processing. Accordingly, the Company determines whether there is a period specified by relevant legislation for the storage of personal data, complies with this period if specified, and stores personal data for the period necessary for the purpose for which they are processed. After the purpose of personal data processing ceases to exist or the specified statutory period expires, the personal data is deleted, destroyed, or anonymized by the Company.
3.2 Conditions for Processing Personal Data
Personal data is processed by the Company if at least one of the conditions for processing personal data specified in Article 5 of the Law exists.
3.2.1 Obtaining the Explicit Consent of the Data Subject
One of the conditions for processing personal data is obtaining the explicit consent of the data subject. The explicit consent of the data subject must be based on specific information and given freely and voluntarily.Personal data is processed by obtaining the explicit consent of customers, potential customers, and visitors through the relevant methods.
3.2.2 Processing Personal Data Activities Explicitly Envisaged in the Legislation
Personal data of the data subject can be processed without the explicit consent of the data subject if explicitly envisaged in the legislation.
3.2.3 Inability to Obtain the Explicit Consent of the Person Due to Impossibility
If personal data processing is necessary to protect the life or bodily integrity of the data subject himself/herself or another person, due to impossibility to obtain consent, personal data of the data subject may be processed.
3.2.4 Direct Relevance of Personal Data to the Establishment or Performance of a Contract
Personal data may be processed if it is directly related to the establishment or performance of a contract, provided that it is related to the parties of the contract.
3.2.5 Fulfillment of the Company's Legal Obligations
Personal data of the data subject may be processed if it is necessary for the Company to fulfill its legal obligations as the data controller.
3.2.6 Public Disclosure of Personal Data of the Data Subject
Personal data of the data subject may be processed if the data subject has already made his/her personal data public.
3.2.7 Necessity of Data Processing for Establishing or Protecting a Right
Personal data of the data subject may be processed if it is necessary to establish, use, or protect a right.
3.2.8 Obligation of Data Processing for the Legitimate Interests of the Company
Personal data of the data subject may be processed for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
3.3 Processing of Special Categories of Personal Data
In the processing of personal data designated as "special categories" by the Personal Data Protection Law, the Company complies with the regulations envisaged in the Personal Data Protection Law with sensitivity. The Company processes special categories of personal data under the following conditions, provided that adequate measures determined by the Personal Data Protection Board are taken:
- If the data subject has explicit consent, or
- If the data subject does not have explicit consent:
- Special categories of personal data other than health and sexual life of the data subject are processed in cases envisaged by the laws,
- Special categories of personal data regarding the health and sexual life of the data subject are processed only by persons or authorized institutions and organizations who are under confidentiality obligation for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment, and care services, planning and managing health services and their financing, or by authorized institutions and organizations.
4 Transfer of Personal Data
The Company, in accordance with the lawful purposes of personal data processing, can transfer the personal data and special categories of personal data of the data subject to third parties domestically or internationally by taking necessary security measures. In this regard, the Company complies with the regulations envisaged in Article 8 of the Personal Data Protection Law.
4.1 Transfer of Personal Data to Third Parties Domestically
Your personal data may be transferred by the Company if at least one of the data processing conditions explained under the 3rd Heading of this Policy and the basic principles regarding data processing conditions are complied with.
4.2 Transfer of Personal Data to Third Parties Internationally
The Company, if at least one of the data processing conditions explained under the 3rd Heading of this Policy exists and by taking necessary security measures, can transfer the personal data and special categories of personal data of the data subject to third parties internationally. The personal data is transferred by the Company to foreign countries ("Countries with Adequate Protection") declared to have adequate protection by the Personal Data Protection Board, or to foreign countries ("Countries with a Data Controller Committing Adequate Protection") where data controllers in Turkey and the relevant foreign country have committed to adequate protection in writing and with the permission of the Personal Data Protection Board. In this regard, the Company complies with the regulations envisaged in Article 9 of the Personal Data Protection Law.
4.3 Third Parties to Whom Personal Data is Transferred and Purposes of Transfer
In accordance with the general principles of the law and the data processing conditions specified in Articles 8 and 9 of the law, the Company may transfer data to the categorized parties listed in the table below:
Authorized contracted
agents, Charterers, and
other organizations
| Persons Eligible for Data Transfer | Definition | Purpose |
|---|---|---|
| Business Partner | Parties with whom the company establishes partnerships while conducting its commercial activities. |
Sharing of limited personal data to ensure the fulfillment of the objectives of establishing the business partnership. |
| Shareholder | The shareholders authorized to design the strategies and audit activities related to the company's commercial activities in accordance with the relevant legislation. |
Sharing personal data is limited to designing strategies and conducting audits related to the company's commercial activities. |
| Company authorized Indiviuals | Board members and other authorized individuals |
Sharing personal data is limited to designing strategies, ensuring top- level management, and conducting audits related to the company's commercial activities. |
| Legally Authorized Public Institutions and Organizations |
Public institutions and organizations legally authorized to obtain information and documents from the Company |
Sharing personal data limited to the purpose of requesting information from relevant public institutions and organizations |
| Legally Authorized Private Legal Entities |
Legally Authorized Private Legal Entities to Obtain Information and Documents from the Company |
Sharing of data limited to the purpose requested by the relevant private legal entities within their legal authority |
| Flag State of the Vessel | Flag states authorized to request information and documents from the company legally. |
Ship registration procedures, personnel applications, and other transactions that may arise with the flag state. |
| Port State and Port Authorities authorized by law. |
Port State and Port Authorities authorized by law to obtain information and documents from the company for the operations carried out by the ship. |
Port operation processes and ship operations |
| Organizations that require the provision of documents or information according to the agreements made |
The necessary permits for the completion of ship operation processes |
|
| Classification societies, insurance institutions, and other organizations |
Organizations that require the provision of documents or information according to the agreements made |
Carrying out ship operation processes |
5 Rights of the Data Subject and Exercise of Relevant Rights
5.1 Rights of the Data Subject:
1 To learn whether personal data is being processed,
2 If personal data has been processed, to request information regarding this,
3 To learn the purpose of processing personal data and whether they are being used in accordance with their purpose,
4 To know the third parties to whom personal data are transferred domestically or abroad,
5 If personal data is incomplete or incorrectly processed, to request correction and, within this scope, to request notification of the transactions made to third parties to whom personal data have been transferred,
6 To request the deletion or destruction of personal data or anonymization of personal data in case the reasons requiring their processing no longer exist, even though they have been processed in accordance with the KVK Law and other relevant laws, and to request notification of these transactions to third parties to whom personal data have been transferred,
7 To object to the occurrence of a result against oneself as a result of personal data being analyzed exclusively through automated systems,
8 In case personal data is processed unlawfully, to request compensation for any damages incurred. If personal data is not obtained directly from the data subject, (1) within a reasonable period from obtaining personal data, (2) in case personal data will be used to contact the data subjects, at the time of initial contact, (3) in case of transfer of personal data, activities are carried out to inform the data subjects at the latest at the time of the first transfer of personal data.
5.2 Cases where the data subject cannot assert their rights
Data subjects cannot assert their rights listed in 5.1 regarding the following cases, as they are excluded from the scope of the KVK Law according to Article 28:
1 Processing of personal data by real persons solely within the scope of activities related to themselves or family members living in the same residence, provided that personal data are not transferred to third parties and data security obligations are complied with,
2 Processing of personal data for research, planning, and statistical purposes by anonymizing personal data through official statistics,
3 Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy, or personal rights, without constituting a crime,
4 Processing of personal data by public institutions and organizations authorized by law to carry out preventive, protective, and intelligence activities for ensuring national defense, national security, public security, public order, or economic security,
5 Processing of personal data by judicial authorities or enforcement authorities in connection with investigation, prosecution, adjudication, or execution procedures.
According to Article 28.2 of the KVK Law; data subjects cannot assert their other rights listed in 5.1 in the following cases, except for the right to request compensation for damages:
1 Necessity of processing personal data for preventing a crime or for conducting a criminal investigation, 2 Processing of personal data that has been publicly disclosed by the data subject,
3 Necessity of processing personal data by authorized and competent public institutions and organizations or professional organizations with public institution status for the performance of regulatory, disciplinary investigation or prosecution duties, or for audit purposes,
4 Necessity of processing personal data for safeguarding the economic and financial interests of the State concerning budget, taxation, and financial matters.
6 Deletion, Destruction, and Anonymization of Personal Data
In accordance with the relevant provisions of the Turkish Penal Code Article 138 and the KVK Law Article 7, if the reasons requiring their processing cease to exist, personal data are deleted, destroyed, or anonymized at the discretion of the Company or upon the request of the data subject. In this context, the Company takes necessary technical and administrative measures within the Company, develops necessary operational mechanisms, and educates, appoints, and raises awareness of relevant departments to fulfill its obligations.
Contact Us
To convey all your questions and opinions regarding the Personal Data Protection Policy, contact us!