Mobidictum OÜ, a company incorporated under the laws of the Republic of Estonia with the registration number 12831002, having its registered address at Kesklinna Iinnaosa, Pärnu mnt 106-11, 11312, Tallinn – Estonia.
Table of Contents
- Objective and Purpose
- Data protection principles
- Responsibility allocation
- Access to data
- Rules of data processing
- Rules of data transferring
- Records of data processing activities and categories of data processing activities
- Data privacy in short
- Objective and Purpose
Mobidictum is dedicated to conducting business lawfully and ethically. This Policy establishes appropriate, European and worldwide standards for data protection (privacy) and security of the personal and general data (data) that we collect and process. Our privacy standards are designed to be consistent with applicable laws and requirements and also take into account and comply with any notices and contracts or other agreements that we enter into in relation to data processing.
Being aware of the risks that the collection and use of personal data may entail for Data subjects’ privacy, Mobidictum has made personal data protection and respect for privacy a major concern.
This Policy sets out the commitments by Mobidictum, as well as by all its employees, to enable the responsible collection and use of data strictly for the purposes of the company’s activities and accordingly to applicable laws and regulations, in particular, the General Data Protection Regulation (GDPR), Personal Data Protection Act (PDPA) and the various national laws and regulations of the countries where Mobidictum does business.
This Policy stipulates basic principles, objectives, conditions, and methods for Personal data protection and standards for processing and transferring Personal data within Mobidictum in order to ensure that the Data subjects’ personal rights are adequately protected.
It applies to all Personal data processed within Mobidictum or on behalf of Mobidictum by processors in the indicated categories: employees, customers, sponsors, event participants, visitors, website visitors, all online platform visitors, suppliers, other business partners, and any other data subjects’ personal data.
The processing of personal data is governed by this Policy, and supplemented by the IT Policies and all internal procedures and rules relating to the principles discussed in this document. Where provisions of national or international law provide for less stringent data protection requirements, the provisions of this Policy will take precedence. Companies must comply with the provisions of this Policy in its currently valid version and are not authorized to establish rules derogating this Policy.
For the purpose of this Policy, the following terms have the following meaning:
Anonymization – modification of data so that a connection to a person can no longer be made. Company – Mobidictum OÜ, which is Personal data Controller.
Consent – any freely given specific and informed indication of will by which the data subject signifies agreement to Personal data being processed.
Controller – entity or subject that alone or jointly with others determines the purposes and means of the processing of personal data and decides what personal data is necessary to fulfil that purpose.
Data owner – head of a department in Mobidictum, that is accountable for Personal data asset, in particular that the processing of personal data is addressed as main task of this department.
Data Privacy Officer (DPO) – a person appointed to monitor Personal data privacy processes in Mobidictum, in particular responsible for compliance with the respective data protection legislation as well as develop strategies to ensure compliance, managing [email protected] mailbox and supporting data privacy issues throughout Mobidictum.
Data subject – identified or identifiable natural person, from whom or about whom Personal data are collected. An identifiable person is one who can be identified, directly or indirectly, e.g. by reference to an identification number.
Personal data – any personal and factual information relating to an identified or identifiable natural person. Name, surname, e-mail-address are classified as personal data.
Processing of personal data – any operation which is performed upon Personal data, whether or not by automatic means, such as collection, recording, modification, transfer, blocking, erasing or archiving.
Processor – any natural or legal person who processes personal data on behalf of the controller, who deals with personal data as instructed by a controller for specific purposes and services offered to the controller that involve Personal data processing.
Pseudonymization – replacing a person’s name and other identifying characteristics with a label, in order to preclude identification of the data subject or to render such identification substantially more difficult.
Transfer of personal data – transmission, dissemination, or any other form of disclosure of personal data to third parties, including inspecting and retrieving the information.
Personal data protection breach – any ascertained fact leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal data. This includes breaches that are the result of both accidental and deliberate causes or fact of unauthorized disclosure of data, sharing or enabling access to them by unauthorized persons, taking data by an unauthorized person, damaging any element.
Record – used for both record of data processing activities (for controller) and record of categories of processing activities (for processor), and considers any of this record depending on role of company in data processing.
- Data protection principles
Mobidictum performs data processing with due diligence to the protection of rights and freedoms of Data subjects, including the protection of privacy rights and confidentiality, based on the following principles:
– Lawfully, fairly and transparent processing
If processing is not explicitly allowed by law, it is prohibited.
Legal grounds of Personal data processing are: performance of a contract or performance of pre-contractual measures that Data subject is a party of; compliance with a legal obligation; the pursuit of Controller’s legitimate interests; Data subject’s consent. Legal ground should be determined by Data owner and stated in the Record.
- Purpose limitation
Personal data needs to be collected for specified, explicit and legitimate purposes and can only be used for realization of those purposes. The following exemplary purposes can be indicated: providing requested information or services; employment; payroll management; communicating on social networks; information about your use of our sites including details of your visits such as pages viewed and the resources that you access; traffic data, location data, operating system and other communication data; information provided when you order an admission ticket/pass for any of our conferences, parties or networking events;
Each processing operation has its own purposes which needs to be clearly stated and put in the Record.
- Data minimization
Only Personal data strictly necessary for the purposes determined is collected. Mobidictum endeavours to minimize and limit the Personal data collected. Before gathering Personal data, Data owner should always critically examine if the scope of Personal data is firstly suitable to attain the desired goal, and secondly adequate and necessary for its purposes. Personal data should only be collected and processed if the purpose of the processing could not reasonably be fulfilled by other means which are less intrusive to the fundamental rights and freedoms of the Data subjects.
Data owner periodically reviews the amount of Personal data processed and the scope of its processing, as well as scope of system users having access to Personal data at least once a year ensuring that Personal data are processed in the most limited way possible.
- Data Accuracy
Personal data must be correct and – where necessary – up-to-date.
Appropriate measures shall be taken to correct or delete incorrect or incomplete data, in particular, at least once a year Data owner should verify whether the processed data are still up-to-date and if not it should be corrected or deleted.
- Data Retention/Storage limitation
Personal data should be processed only for the period required to ensure the complete performance of lawful purpose determined while collecting or the legal obligation.
Data about employees will be kept during their period of employment in the Company and, thereafter, during the applicable periods due to legal provisions.
At the end of the retention period, the data will be deleted, pseudonymized, or anonymized. Retention period shall be specified either by law or by Retention Policy.
- Data Security/Integrity and confidentiality of the processing
Mobidictum implements data protection measures that are appropriate in light of the type of data processed and the Company’s activities, in particular the technical security measures which are covered by the IT Policies and solutions. Mobidictum needs to ensure Personal data protection with physical and technical measures in its own premises.
In case of noticing a breach or breach attempt, it is critical to report it to Data Processing Officer (DPO) as soon as possible in accordance with Mobidictum’s internal policies.
- Data Transfer compliance
Data transfer within Mobidictum or outside of it is accepted only under safety guarantees and only under the legal requirement or on contractual grounds after signing the processing contract.
Company ensures that legal tools are in place to ensure that the countries where this data will be received offer an adequate level of protection, in particular when transferred to countries from the European Union to outside of it.
Mobidictum requires from all Processors to furnish guarantees necessary to provide at least the same level of security, protection, and confidentiality to the Personal data transmitted to it as it is in the Company, as well as compliance with the international and local laws.
Depending on the processing operations, Personal data may be transferred to the following recipients: the relevant departments of the Mobidictum; third parties who have concluded a contract with the Company and who act as Processors; public or private legal and/or regulatory bodies.
With the exception of the recipients listed above, no data may be transmitted without the express prior agreement of Data subject.
- Respect for Data subjects’ rights
Mobidictum takes the necessary measures to enable Data subjects to effectively exercise their rights over the Personal data collected, including:
- Transparent information
Mobidictum provides Data subjects with proper information relating to processing of Personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language when collecting data,
i.e. notice forms in recruitment process.
- Handling requests
Every Data subject is entitled to request certain information about Personal data processing within Mobidictum. Before giving an answer to the request, Company verifies whether the applicant is an authorized Data subject. The law entitles Data Subjects to request information about categories of Personal data processed by Company, claim that data shall be rectified, updated or erased if it is inaccurate, erroneous, incomplete or obsolete, object to the use of their Personal data or request for a copy of them.
Every request should be handled after prior consultation with DPO.
- Privacy by design and by default
Launching new projects within Mobidictum or in any of the Companies takes into account the need to assess the impact of the project on Personal data protection, ensuring privacy and designing the processes in accordance with Personal data protection principles, in particular data security, retention and minimization.
Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Privacy by design states that any action undertaken within Mobidictum that involves processing Personal data must be done with data protection and privacy in mind at every step from the very start, for example while planning who may get access to systems or during the design of a software there are already plans to implement a role concept that allows to restrict the access to the data. Privacy by design principle should be taken into consideration mainly by the relevant department and Data owners.
Privacy by Default means that the strictest privacy settings should apply by default, without any manual input from the end user. Any kind of pre-checked boxes or other default consents are not allowed.
- Responsibility allocation
Every employee and other subjects mentioned in this Policy are obliged to process Personal data in accordance with this Policy and fulfill responsibilities which Policy addresses.
Every employee authorized to process Personal data is required to participate in on-line training sessions considering data privacy during onboarding procedure and afterwards periodically, at least once a year. Reading “one-pagers” distributed by DPO shall be considered as a periodic knowledge development.
Mobidictum is responsible to ensure compliance with the Policy, in particular obedience of principles of data processing, timely and comprehensive fulfillment of the notice obligation for Data subjects and that every employee is processing data in accordance with Policy’s provisions and all standards introduced.
Data owner is obliged to maintain a Record of personal data processing activities, Record of personal data breaches and Record of all categories of personal data processing activities (in case of acting as a Processor). Standardized templates of all the records which should be in use are attached to this Policy and available on the Intranet.
Data owner is responsible for adequate employee training. In case available on-line trainings are insufficient for the needs of their Teams, Data owners are obliged to introduce request for additional, dedicated training sessions to DPO.
Data owner is responsible for assigning Personal data on-line trainings for new employees according to training matrix and Data owner requests, during the onboarding procedure and employment period.
Data owner is responsible for designing systems and solutions considering privacy by design principle and maintain security of all Company’s systems. Periodic reviews to verify the security status of IT systems should be implemented at least once every six months, as well as the review of accesses granted to the systems.
Data owner is responsible for keeping records of mobile devices that have been allowed to process Personal data, in particular: mobile device type and inventory number and serial numbers, the name of the person who is the user of the mobile device, data.
DPO is responsible for monitoring Personal data privacy processes in Mobidictum, in particular responsible for compliance with the respective data protection legislation as well as develop strategies to ensure compliance, managing [email protected] mailbox and supporting data privacy issues throughout Mobidictum. DPO organizes data privacy impact assessment if needed and coordinates breach reporting in accordance with Personal Data Breach Procedure.
In case of any doubts or in the event of noticing any non-compliance with this Policy, please notify the DPO immediately using email address: [email protected]
The notification may remain anonymous.
- Access to data
Only authorized persons may be allowed to process Personal data gathered by Mobidictum.
The immediate superior defines the scope of access for certain employee necessary to carry out employee’s responsibilities. The access should be limited as far as it is possible according to principle of data minimization.
The immediate superior is responsible for requesting for access granting and informing the relevant department in case of any changes in scope of this access.
Mobidictum grants, modifies or withdraws access in accordance with requests from immediate superior. The relevant department periodically – at least once a year – sends to Data owners and/or immediate superiors list of user accounts in individual IT systems matched with Data owners’ employees. Data owner and/or immediate superior is required to verify lists and confirm the validity of each user account on the list and send it back to IT Team and DPO within 5 business days of the receipt date. Accounts that have not been confirmed shall immediately be blocked by the relevant department.
Any misuse of Personal data access, in particular: use for purposes other than the fulfilling employment obligations, granting unauthorized access to Personal data by sharing logins and passwords or not complying with “clear desk policy” might be found as Personal data breach with all the consequences established in internal regulations and legal provisions.
- Rules of data processing
Keys for buildings or rooms in which Personal data are processed may be issued only to employees authorized to process Personal data or other persons authorized to access to premises where Personal data are processed.
In buildings, rooms and parts of rooms forming the area in which Personal data is processed are allowed only to persons authorized to access those premises. Employees authorized to process Personal data and persons authorized to access to premises where Personal data are processed should be listed in the Record with their personal data (name, surname) and the company employing/delegating. This list should be updated regularly.
All rooms in which Personal data are processed must be locked in a case of leaving the room by the last employee authorized to process Personal data – also during business hours – even for temporary absence.
Prior to working with the electronic means and computer systems, the user is obliged to check the condition of electronic equipment and his workplace, paying particular attention to any circumstances indicating a breach of security or unauthorized access to Personal data.
The employee is required to authenticate in the computer system, solely on the basis of his/her own ID and password. Identifiers and access passwords to the computer system received by the employee are confidential and were provided solely for his/her use. They may not be revealed to anyone or noted in a place where they could be discovered by an unauthorized person (desk edge, bottom of keyboards, etc.). Authentication or authentication attempts using other employees’ ID or password may be treated as a conscious violation of this Policy.
Each employee has access only to those systems and resources that are necessary for their daily work and for which they have been authorized. Attempts to unauthorized access to other systems or any resources containing Personal data may be treated as a conscious violation the Policy.
Each employee is obliged to use the electronic means entrusted to them for the business purposes only and protect it from unauthorized use and against external hazards. In particular, avoid actions that may cause leakage or destruction of Personal data and/or damage to or destruction of equipment entrusted.
Employees are prohibited from using private mailboxes for business purposes. Employees are assigned with a company mailbox. All business correspondence must take place via company mailboxes. Using the company e-mail account referred for private purposes is acceptable in situations justified by circumstances and with marking in subject of correspondence it is ‘personal’, ‘private’ or equivalent. Otherwise, the employee allows the possibility of monitoring his private correspondence and authorizes Company to do so.
Loss or theft of equipment must be immediately reported to Data owner, IT Team and DPO.
Clean desk policy
It is necessary to set up monitors in a way that prevents insight into the Personal data of unauthorized persons. Screen timeout and locking of the unused computer needs to be set automatically after the expiration of no more than 5 minutes of inactivity.
Personal data stored in the traditional (paper) or electronic version after finishing work need to be stored in lockable cabinets or destroyed in a shredder, if no more needed. The keys to the cabinets should be secure against access of unauthorized persons.
When leaving the workplace log out of the system. For short breaks in work lock the workstation (Ctrl + Alt + Del Lock this button or key Windows icon + L).
Processing of Personal data should be performed in the Company’s office or any other safe premises, where unjustified access to Personal data is excluded or significantly limited.
Electronic equipment used outside the office should be transported in ways protecting them against mechanical damage. When transporting by public transport, it is recommended to avoid placing the equipment in generally accessible luggage racks for which other passengers have access.
Electronic equipment may not be left unattended by the person entrusted with it and it must be stored in a safe location.
Users are obliged to immediately notify the relevant department and DPO about observed irregularities in the functioning of the VPN software and suspected password takeover access to the user’s work account.
- Rules of data transferring
Mobidictum may entrust the processing of Personal data to another entity on grounds of binding processing agreement. Processing agreement needs to be prepared or reviewed obligatory by DPO before entrusting Personal data to the Processor. Processing agreement should specify at least the scope of entrusted data and the purpose of entrusting it for processing; include a commitment to implement safeguards; provide rules of auditing the Processor. Third parties who are selected as contractors, suppliers or service providers processing Personal data on behalf or for Mobidictum must provide sufficient guarantees that they will uphold a similar level of protection for Personal data as that applied within Mobidictum and respect the protection of personal rights of the Data subject.
When sharing Personal data only data which is necessary (on as-needed-basis) and only sent in an encrypted or password-protected way is acceptable to use. If it is possible and where central data is available employees should share a link instead of sending whole files containing Personal data.
It is forbidden to transfer Personal data to legal or natural persons who are not authorized to have access to them.
Personal data may be transferred to governmental agencies and authorities only in accordance with the applicable national laws. Each and every case of Personal data transfer must be consulted with DPO prior to such transfer.
- Records of data processing activities and categories of data processing activities
Records are a form of documenting data processing acts as a process map and are one of the key elements enabling the implementation of safe and clear Personal data processing in accordance with the aforementioned principles. Keeping the Record is mandatory for all Data owners. Failing to fulfill this obligation may be treated as a breach of this Policy.
Records kept by Data owners allow to systematize activities and take a complex overview of the processing of Personal data carried out in terms of compliance with both business objectives and legal requirements.
Correct Record keeping allows Data owners to constantly verify activity in the field of Personal data processing concerning Personal data principles and to evaluate each newly introduced or modified process at its earliest stage due to privacy by design idea.
Record of data processing activities is required to be maintained by all Data owners when acting as Controller of Personal data.
Record of categories of data processing activities is required to be maintained by all Data owners when acting as Processor of Personal data.
DISCLOSURE AND PROTECTION POLICY
ON DATA PROTECTION
Information about the protection of personal data those transferred to MOBIDICTUM OÜ (“Mobidictum”) are stated below. In order to fulfill the obligation to inform data subject in accordance with the General Data Protection Regulation (“GDPR”), Estonia Personal Data Protection Act (PDPA) and the Turkish Personal Data Protection Law No.6698 (“Law No.6698”) Article 10, the following explanations are presented to the attention of our customers (including visitors) and third parties who use our websites, participate in our events, do business with us, of those data obtained by us from all sort of sources stored on servers operated and maintained by or on behalf of us. Mobidictum reserves the right to update this text at any time in accordance with any amendments to applicable legislation.
1) What is the Legal Basis for Mobidictum’s Collection of Personal Data
There are regulations in various laws regarding the use of our customers’ personal data. In the first place, the principles of protection of personal data have been determined by the GDPR, PDPA and Law No. 6698.
2) What Methods Does Mobidictum Use to Collect Personal Data?
The data provided by our customers at https://mobidictum.biz/ is processed by Mobidictum in accordance with the consent and legal provisions of our customers.
Mobidictum website, at https://mobidictum.biz/, is a cookie site. Cookies; It is a file consisting mostly of letters and numbers which allows the device to be identified by storing it in the internet browser or hard disk of the device being used. [ab3]
Your personal data can be obtained through channels such as our company headquarters, our website, branches, events, call centers, social media accounts, orally, in writing or electronically, or in other channels that may be established/may occur in the future;
Mobidictum’s performance of the contract for the purposes stated above and within the framework of legal legislation, is expressly foreseen by law, has been publicized by you, is compulsory for the establishment, use or protection of the right to be granted to you; to the extent that it is legally necessary for Mobidictum to fulfill its legitimate interests and legal obligations without prejudice to your fundamental rights and freedoms.
3) For What Purposes Does Mobidictum Use Personal Data?
Mobidictum will be able to record, store, update, disclose, transfer, classify and process your personal information to the extent permitted by legislation.
Your personal data is used for the following purposes:
• Personal data is processed for the reasons stipulated in the GDPR, PDPA and Law no. 6698 and other local and international legal regulations.
• To be able to perform the services provided and/or to be provided by Mobidictum in accordance with the requirements of the legislation, related contract and technology, to develop our products and services, to understand customer needs, to respond to requests faster and to improve our communication with our customers, to provide better service, to inform you about our services, to get your opinions about our products and services, to offer you special advertising, campaigns, advantages and other benefits to be made for sales and marketing activities that will be done to increase the quality of our services and products, to be able to direct our procurement processes, to perform our business activities, to fulfill our obligations on information retention, reporting and information provided by local and international judicial and administrative authorities, to fulfill our obligations towards you, to arrange records and documents, to perform advertising and promotional activities, to analyze and develop our existing and potential human resources and customer portfolio, take your orders, make your payment transactions, provide logistics cooperation with third parties, provide products and services that may be of interest to you, offer your personal data to Mobidictum and will be presented to you in accordance with the laws and regulations for the purpose of determining and implementing Mobidictum’s commercial and business strategies; Financial operations, communication, events, organizations, finding investors, market research and social responsibility activities carried out by Mobidictum, procurement operations (demand, offer, evaluation, order, budgeting, contract), internal system and application management operations, managing legal operations, from domestic or foreign official authorities or to examine, evaluate and respond to requests from you and to process general and personal data in accordance with the GDPR, PDPA and Law No. 6698.
All your personal information recorded by Mobidictum will be processed within the scope and purposes of processing personal data in accordance with the provisions of the GDPR, PDPA and Law No. 6698 and will be protected by Mobidictum with all necessary and reasonable precautions.
4) How Does Mobidictum Protect Your Personal Data?
Personal data shared with Mobidictum is under the supervision and control of Mobidictum. Mobidictum undertakes the responsibility of establishing the necessary organization and taking and adapting technical measures in order to protect the confidentiality and integrity of the information in accordance with the applicable legislation. Being aware of our obligation on this subject, we conduct periodic pentests in accordance with international and national technical standards regarding data privacy and we inform you that we always update our data processing policies.
5) Does Mobidictum Share Your Personal Data?
Your collected personal data may be transferred to the followings within the framework of the personal data processing conditions and purposes specified in the GDPR, PDPA and Law No. 6698, limited with the realization of the abovementioned purposes and the reasons arising from the the GDPR, PDPA and Law No. 6698 and other legal regulations;
1. To domestic and foreign business partners, shareholders, visitors,
2. To third-party processors, financial institutions, other third-party service providers, business partners, dealers, performance aids, relevant supervisory agencies, government agencies those assist us when necessary for the execution and development of our business transactions,
3. To the persons or establishments permitted by the provisions of the relevant legislation,
4. To the public authorities and institutions, administrative and legal authorities authorized by local and international law,
5. To the natural and legal persons, program partners, organizations and institutions that we cooperate with in order to send the messages we send to our customers, cargo companies, lawyers, data processing in accordance with the purposes and conditions.
6) What Are Your Rights Under the Personal Data Protection Act?
If you, as data subject, submit your claims regarding your rights to Mobidictum in the following ways, Mobidictum will conclude the request as soon as possible and within 30 days at the latest according to the nature of the request.
Data subject, may request information regarding the followings by applying to the data controller within the scope of the GDPR, PDPA and Law No. 6698
a. To learn whether personal data is processed,
b. Request information if personal data is processed,
c. Learning the purpose of processing personal data and whether they are used in accordance with their purpose,
d. Learning the third parties to whom personal data is transferred at home or abroad,
e. Correction of personal data if it is incompletely or incorrectly processed,
f. Although the provisions of other laws relating to the deletion, destruction or anonymization of personal data are reserved; although personal data are processed in accordance with the GDPR, PDPA and Law No.6698 and other relevant legislation, personal data shall be deleted, destroyed or anonymized by the data controller. Data subject may request the deletion or destruction of personal data in such cases,
g. to request notification of the transactions carried out in accordance with paragraphs of (e) and (f) to third parties,
h. Objection to the emergence of a result against the person himself by analyzing the processed data especially with automated systems,
I. In the event of damage caused by unlawful processing of personal data, data subject has the right to claim the damages.
You may request your rights regarding the abovementioned rights in writing or by using the e-mail address, secure electronic signature, mobile signature or the e-mail address that has been previously notified to Mobidictum and registered in our system, by sending e-mail to our mail address of [email protected] or send signed application form to Kesklinna Iinnaosa, Pärnu mnt 106-11, 11312, Tallinn – Estonia, your applications will be evaluated and finalized as soon as possible and within 30 days at the latest. While it is essential that there is no charge for the claims, Mobidictum reserves the right to charge fees based on the tariffs, if any, set by the relevant authorities.