1. Data Controller
This Disclosure is prepared in accordance with Article 10 of Turkish Law No. 6698 on the Protection of Personal Data ("KVKK") and the Communiqué on the Procedures and Principles for Compliance with the Disclosure Obligation, by FTK Makina Turizm İnşaat ve Ticaret Limited Şirketi ("FTK Group" or the "Company") as the data controller. Our Company's contact details, as well as MERSIS, tax registry and KEP information, are accessible from the contact section at the bottom of the page and from our official channels. In every context in which we contact you or receive data from you, this document informs you in detail of the purposes for which your data is processed, the legal basis relied upon, the parties to whom it may be transferred, the retention period and your rights under KVKK.
2. Definitions
The principal terms used in this Disclosure carry the following meanings: Personal Data — any information relating to an identified or identifiable natural person; Special Category Personal Data — data listed under KVKK Art. 6 (race, ethnic origin, political opinion, philosophical belief, religion, sect, health and sex life, biometric and genetic data); Data Subject (Relevant Person) — the natural person whose personal data is processed; Data Controller — the person responsible for determining the purposes and means of processing and for the establishment and management of the data filing system (FTK Group); Data Processor — third parties that process personal data on behalf of the data controller under its authority; Processing — any operation performed on personal data such as collection, recording, storage, modification, disclosure, transfer, classification or restriction of use; Explicit Consent — consent that is specific, informed and freely given; Authority — the Personal Data Protection Authority and its Board.
3. Categories of Personal Data Processed
Depending on the nature of your relationship with the Company, the following categories of personal data may be processed: Identity Data (first name, last name, Turkish ID number — only where legally required, date of birth); Contact Data (email address, phone number, employer, postal address); Customer / Supplier Transaction Data (request and message content, contract data, invoice and payment information); Professional Experience Data (CV, education and reference information for career applications); Visual and Audio Records (CCTV image recordings taken during site visits); Transaction Security Data (IP address, browser type, session records, log files, cookie data); Legal Process Data (records arising in legal procedures). We do not request special category personal data; if you provide such data within career applications or messages, it is processed under KVKK Art. 6 and subject to special protection measures.
4. Categories of Data Subjects
Within the scope of our processing activities, data subjects are grouped principally as follows: (a) Website visitors and contact-form users; (b) Career applicants; (c) Authorised representatives and employees of suppliers, subcontractors and business partners; (d) Customer / employer representatives and contracting parties; (e) Site and office visitors; (f) Third parties contacting us for press, partnership or information requests. The processing purpose, legal basis and retention period may differ for each category; the relevant sections of this document provide category-specific information.
5. Purposes of Processing
Your data is processed in line with the general principles of KVKK Art. 4 (lawfulness and fairness, accuracy and currency, processing for specific and legitimate purposes, relevance and proportionality, retention only for the period required by law or for the processing purpose) for the following purposes: (1) Communication, response to your queries and feedback; (2) Management of proposal, contract and partnership processes; (3) Evaluation of career applications and HR processes; (4) Procurement, purchasing and service management; (5) Financial and accounting operations, invoicing and verification; (6) Compliance with legal obligations including reporting to public authorities; (7) Audit, internal control and risk management; (8) Information security and system administration; (9) Physical premises security and occupational health and safety; (10) Service improvement and customer satisfaction. We do not carry out marketing-purpose data processing; without your explicit request we do not perform advertising, profiling or targeting.
6. Legal Basis for Processing
Your personal data is processed on the legal grounds enumerated in KVKK Art. 5 and Art. 6: (a) Art. 5/2-a — where processing is expressly provided for in laws (e.g. Tax Procedure Law, Commercial Code, Labour Code obligations); (b) Art. 5/2-c — where processing is necessary for the establishment or performance of a contract (proposal evaluation, contract, order, service); (c) Art. 5/2-ç — where processing is necessary for compliance with the data controller's legal obligations (notifications to authorities, tax, audit); (d) Art. 5/2-e — where processing is necessary for the establishment, exercise or protection of a right; (e) Art. 5/2-f — where processing is necessary for the legitimate interests of the data controller, provided that fundamental rights and freedoms are not harmed (information security, fraud prevention, service quality); (f) Art. 5/1 — your explicit consent for processing not covered by the above. Personal data sent through the contact form is processed on the explicit-consent basis represented by the form's consent checkbox; you may withdraw this consent at any time.
7. Transfer of Personal Data
Your personal data may be transferred under the conditions set out in KVKK Art. 8, solely for the purposes specified in this document, to the following parties: (a) Authorised Public Institutions — courts, prosecutors' offices, tax authorities, the Social Security Institution, the Personal Data Protection Authority, the General Directorate of Highways and the State Hydraulic Works for the fulfilment of legal obligations; (b) Business Partners and Service Providers — server, hosting, email infrastructure providers, software providers, courier and logistics firms, contact-centre service providers; (c) Legal, Accounting, Tax and Audit Advisors — for the conduct of legal processes and financial obligations; (d) Affiliates and Group Companies — for corporate governance and intra-group coordination; (e) Insurance Companies — for occupational and asset insurance requirements; (f) Banks and Financial Institutions — for the management of payment processes. All transfers are carried out under appropriate technical and organisational measures and data processing agreements; recipients are subject to KVKK obligations as data controllers or data processors.
8. Cross-Border Transfer
Your personal data is processed in Türkiye in principle. Cross-border transfer is carried out under KVKK Art. 9. If the country of destination is on the Authority's list of countries providing adequate protection, transfer may be carried out without further conditions. For countries not providing adequate protection, transfer is subject to either your explicit consent, or to a written undertaking by the data controllers in Türkiye and the foreign country sufficient to ensure adequate protection, with the permission of the Authority. Where our service providers operate servers abroad, cooperation is conducted under standard contractual clauses (SCCs) or binding corporate rules (BCRs) approved by the Authority.
9. Retention Period
Your personal data is retained for the period required by the processing purpose and the minimum periods set out in applicable law. Periods applied include: contact-form messages and general inquiries — 2 years; career applications and CVs — 6 months from application date (extended with the candidate's consent if a suitable position arises); customer and supplier contracts and invoice / accounting records — 10 years under the Commercial Code and Tax Procedure Law; CCTV image and audio records — up to 30 days per Authority guidance; transaction security and log records — 2 years per Information and Communication Technologies Authority regulations; legal-process files — until the statute of limitations expires. When the processing purpose disappears and the statutory period ends, your data is deleted, destroyed or anonymised under KVKK Art. 7 and the Regulation on the Erasure, Destruction or Anonymisation of Personal Data.
10. Data Security Measures
FTK Group takes reasonable administrative, technical and physical measures consistent with the criteria set out in the Personal Data Protection Authority's guidance to prevent the unlawful processing of personal data, prevent unlawful access and ensure the preservation of your data. Administrative Measures — establishment of internal policies and procedures, periodic KVKK awareness training for employees, confidentiality undertakings, segregation of duties, breach notification and response procedures, written agreements with data processors. Technical Measures — role-based access permissions, strong authentication, password management policy, firewall and antivirus infrastructure, SSL/TLS encryption, logging and regular backups, vulnerability assessments, penetration testing and patching processes. Physical Measures — server and data-centre security, physical access control, CCTV recording systems, visitor-log management. When a data breach is detected, notification is given to the Authority within 72 hours under KVKK Art. 12/5 and the relevant Board decision, and to the affected data subject without delay.
11. Your Rights Under KVKK Article 11
KVKK Art. 11 grants every data subject specific rights over their personal data. You may exercise these rights by applying to our Company. Your rights are listed visually below; you can use the application procedure that follows to exercise them.
- 01
Right to Information
Learn whether your personal data is being processed; if so, request information about it.
- 02
Purpose of Processing
Learn the purpose of processing and whether your data is used in line with that purpose.
- 03
Knowledge of Transfers
Know the third parties to whom your data has been transferred, domestically or abroad.
- 04
Rectification
Request the correction of incomplete or inaccurate data.
- 05
Erasure or Destruction
Request erasure or destruction of your data under KVKK Article 7.
- 06
Notification
Request that correction, erasure or destruction be notified to third parties to whom your data has been transferred.
- 07
Objection to Automated Decisions
Object to a result that arises against you due solely to automated processing.
- 08
Compensation
Claim compensation for damages suffered as a result of unlawful processing.
12. How to Apply
To exercise the above rights, you may apply to our Company in line with the "Communiqué on the Procedures and Principles for Application to the Data Controller." Your application must contain the mandatory information of: full name and signature where the application is made in writing, Turkish ID number (for foreigners; nationality, passport number or ID number), residential or business address for service of notice, and where available the email address, phone and fax number for notification, together with the subject of the request. The three steps below set this out in detail.
- 01
Prepare Your Application
Prepare a written application including your name, surname, Turkish ID number (or passport for foreigners), contact details, the right you want to exercise, and the subject of your request.
- 02
Send It to Us
Send your application wet-signed to our Head Office, or by registered email to info@ftkgrup.com.tr from your registered electronic mail address. Attach any supporting documents.
- 03
Receive a Response
Your application is concluded free of charge within 30 days at the latest, depending on its nature. Where the action requires a separate cost, the fee determined by the Authority's tariff may be charged.
13. Right to Complain to the Personal Data Protection Authority
If your application to our Company is rejected, if you find our response insufficient or if no answer is provided within thirty days, you may file a complaint with the Personal Data Protection Board within thirty days of becoming aware of our response and in any case within sixty days of the application date. Under KVKK Art. 14, complaints to the Authority are subject to having first applied in writing to our Company. Complaints to the Authority may be submitted via the channels at kvkk.gov.tr.
14. Policy Changes and Effective Date
This Disclosure may be updated by FTK Group at any time in line with regulatory changes, decisions of the Authority, changes in the Company's activities or updates in our service processes. The current version takes effect on the date it is published on our site and replaces previous versions. Where significant changes are made, additional notification may be given. For questions about the Disclosure or the processing of your personal data, please contact us at info@ftkgrup.com.tr.