Kişisel Verilerin İşlenmesi ve Korunması Politikası

PERSONAL DATA PROTECTION AND PROCESSING POLICY

INDEX

1. Purpose

2. Scope and Application

3. Definitions

4. Processing of Personal Data

a. The Principles to be Followed While Processing Data

b. The Purposes of Processing Personal Data

c. Legal Grounds of Processing Personal Data

d. Legal Grounds of Processing Sensitive Personal Data

5. Obligation to Inform

6. Data Security

a. Technical Measures

b. Administrative Measures

7. Transfer of Personal Data

a. Local Transfers

b. Transfers to Abroad

8. Personal Data Inventory

9. Roles and Responsibilities

10. Deletion, Destruction, and Anonymization of Personal Data

11. Rights and Exercises of Rights of the Data Subject

a. Rights of the Data Subject

b. Exercises of Rights of the Data Subject

c. Evaluation of the Application

d. Our Rights to Reject the Application

e. Right to Complaint

12. Issuing, Enforcement

13. Updating of the Policy

1. Purpose

The main objective of this Personal Data Protection and Processing Policy (“Policy”) is to provide explanations regarding the personal data processing activities carried out by Carex Bitkisel Ürünler ve Kozmetik Sanayi ve Ticaret Ltd. Şti. (“Company”) pursuant to the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by the Company.

The Company carries out its activities in accordance with the provisions of especially The Constitution of the Republic of Turkey and the international agreement to which we are a party, as well as the Turkish Data Protection Law (“KVKK”) and relevant legislation regarding the protection and privacy of personal data. The company is sensitive to the protection of personal data, fundamental rights and freedoms. It keeps fundamental human rights such as privacy of private life and freedom of thought in focus in all its activities.

2. Scope and Application

This Policy has been prepared in line with the regulations in force and international standards. The Company will primarily apply this Policy in all its data processing activities such as data processing, transfer, and amendment.

The Company also has different policies that address the protection of personal data and ensuring information security with certain business activities and processes. This policy does not override the data protection terms in different company policies unless it contains additional terms or requires a higher standard for personal data protection. This Policy is implemented along with such other policies and procedures as appropriate.

If there is a conflict between the provisions of the relevant legislation in force on the protection and processing of personal data and the provisions of this Policy, the provisions of the legislation in force will apply primarily.

3. Definitions

KVKK: Turkish Data Protection Law numbered 6698

Data Processor: The natural person or legal entity that process data on behalf of the data controller with authority given by the data controller

Data Controller: The person who defines the purpose and the means of processing personal data and is responsible for the data recording system management Data Subject: A natural person, includes but is not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employees of business partners, third parties of the Company and its affiliates with whom they have a commercial relationship, whose data is processed

Explicit Consent: Consent that is related to a specific issue based on the information and expressed with free will

Personal Data: Any information related to a natural person whose identity is known or identifiable Sensitive Personal Data: Biometric and genetic information related to race, ethnicity, political or philosophical opinions, religion, sect or other beliefs, appearance, union memberships, health, sex life, convictions, security measures, etc.

Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preservation, modification, reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system

Anonymization of Personal Data: Rendering the data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data

Deletion of Personal Data: Deleting or rendering the personal data in such a way that it is no longer accessible or reusable for the users

Destruction of Personal Data: Rendering the personal data to make it inaccessible, unrecoverable, and not useable by anyone

KVK Board/Board: Turkish Personal Data Protection Board

KVK Authority/Authority: Turkish Personal Data Protection Authority

4. Processing of Personal Data

a. The Principles to be Followed While Processing Data

The Company's policies and procedures are implemented in line with the processing principles in KVKK and relevant legislation. We know that these principles are vital importance in exercising the rights of the data subject and their control over data, and we are extremely sensitive to making these principles our focus in all our processing activities. Our principles in our personal data processing activities are as follows;

∙ Personal data are processed in accordance with the law and the principle of honesty and transparently.

The Company is based on the legal processing reasons included in data processing activities in KVKK. In addition, the Company takes the reasonable expectations of the data subject into consideration according to the principle of honesty. The Company uses clear and comprehensible language in its communication with the data subject, and the Company is always in an easily accessible position.

∙ Personal data are processed only for specific, explicit, and legitimate purposes.

The Company determines the purpose of the processing activity before the data processing activities. The data are processed for additional purposes that are compatible with the initial processing purpose only. Being compatible with the first purpose for each additional purpose is determined according to internationally accepted criteria. Our Company informs the data subject about the purposes of data processing by considering the principle of transparency.

∙ Personal data are relevant, limited, and proportionate to the purposes for which they are processed.

Our Company processes the data to the extent required for data processing purposes. Data is obtained through the most appropriate method for data privacy and security. Disproportionate interference with the data subject's rights, interests, and freedoms is avoided in our processing activities.

∙ Personal data are accurate and up-to-date when required.

The Company ensures that the data is up-to-date in all processing activities. Missing, erroneous, or incorrect data is destructed or corrected as soon as possible. The Company regularly checks that the data is up-to-date.

∙ Personal data are stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

With the disappearance of data processing purposes, the data is deleted, destructed, or anonymized as soon as possible.

∙ Personal data are processed to ensure the appropriate security.

Our company applies data security as the main principle. It takes the necessary administrative and technical measures by following the best practices in this direction.

∙ The Company shows that it has compliance with other principles of KVKK.

Our company acts with the principle of accountability in its all processing activities.

b. The Purposes of Processing Personal Data

The purposes of processing personal data processed by the Company are as follows:

• Ensuring the Security of Data Controllers Operations

• Conducting Employee Candidate/Trainee/Student Recruitment and Onboarding Processes

• Execution of the Application Process of Employee Candidates

• Fulfillment of Employment Contractual and Legislative Obligations for Employees

• Execution of Compensation and Benefit Processes for Employees

• Execution of Activities in Compliance with Legislation

• Execution of Financial and Accounting Affairs

• Execution of Appointment Processes

• Planning of Human Resources Processes

• Execution/Control of Business Activities

• Execution of After Sales Support Services for Goods/Services

• Execution, Control of Sales Processes for Goods/Services

• Ensuring the Security of Data Controller Operations

• Giving Information to Authorized Persons, Institutions, and Organizations

• Execution of Agreement Processes

• Execution of Occupational Health and Safety Activities

• Execution of advertising / campaign / promotion processes, execution of sponsorship activities

• Carrying out activities for customer satisfaction

c. The Company’s Legal Grounds for Processing Personal Data:

The Company acts in accordance with one of the legal processing conditions stipulated in Article 5 of KVKK when processing personal data. The conditions of processing personal data, that is, the conditions of being lawful, are listed in a limited number in the Law, and these conditions cannot be expanded. The Company acts in accordance with the following legal grounds for processing personal data:

• Existence of the explicit consent of the data subject,

• That it is explicitly prescribed in laws,

• That processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,

• Requirement on processing personal data of the parties subject to a contract/agreement, due to the execution of a contract/agreement,

• Legally being mandatory for the data controller to fulfill the legal liability,

• Publicized by the data subject directly,

• Legally being mandatory to be processed for granted right to be conducted, used and/or protected,

• Processing personal data for legitimate purposes without violating the fundamental rights and freedoms of the data subject.

Our company does not rely on the legal reason of the explicit consent in the presence of another legal reason.

d. The Company’s Legal Ground for Processing Sensitive Personal Data

Sensitive personal data is the type of data that will expose the person to discrimination; these sensitive personal data include religion, race, belief, health, and sexual life. Sensitive personal data cannot be processed without limited legal reasons listed in Article 6 of KVKK.

Within this scope, The Company uses sensitive personal data other than health or sexual life is processed based on;

∙ That it is explicitly prescribed in laws

On the other hand, the personal data on health and sexual life is processed based on;

∙ The presence of the explicit consent of the data subject,

The presence of the explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

5. Obligation To Inform

The Company is obliged to inform the data subjects in accordance with KVKK and the Communique On Principles And Procedures To Be Followed In Fulfillment Of The Obligation To Inform. If the personal data is obtained from the data subject, the Company informs the data subject in person or by the persons authorized by the Company at the time of obtaining the data. If the personal data are not obtained from the data subject, obligation to inform is fulfilled within a reasonable time; if the data will be used for communication with the data subject, obligation to inform is fulfilled once communicated; if the data is to be transferred, the obligation to inform is fulfilled at the latest when the first transfer is made.

The company informs the data subjects at least about the legal entity and address information of the Company, for what purpose the personal data will be processed, to whom and for what purposes the processed data can be transferred, the method of personal data collection, and the legal reason for the rights outlined in the Article 11 of KVKK.

When the purpose of personal data processing changes, the obligation to inform is fulfilled for that purpose before the data processing activity.

6. Data Security

As the data controller, the Company is obliged to prevent and protect personal data from being illegally processed or accessed when processing personal data. For this reason, the Company has taken all technical and administrative measures regarding data security, including the additional measures required to protect sensitive personal data. In this context, the measures taken by our company are listed below.

∙ Technical Measures

∙ Administrative Measures

7. Transfer of Personal Data

a. Local Transfers

Our company transfers personal data to third parties based on the data processing conditions set forth in Article 5 and 6 of KVKK. The Company takes all necessary security measures in its data transfer activities. In this context, the recipient groups to which our company transfers data are as follows:

- Suppliers

-Partners
- Authorized Public Institutions and Organizations

b. Transfers to Abroad

Under Article 9 of KVKK, the Company transfers data abroad by meeting one of the following conditions. • Based on the explicit consent of the data subject, • If the country to which personal data will be

transferred is in the status of "adequate country" and provides adequate protection,

Based on the rights and obligations of the Company and the recipient party regarding data transfer are regulated, and by undertaking adequate protection in writing along with the permission of the Board.

8. Personal Data Inventory

The Company has established a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of KVKK. The Company’s data inventory contains the following:

• Business processes where personal data is handled,

• Category of personal data,

• Processed personal data,

• Processed sensitive personal data,

• The purpose and legal reason for the processing activity,

• Recipients of personal data in the country,

• Whether personal data is transferred abroad,

• Retention periods of personal data

In case of a change in the processing activities of the Company, the Personal Data Inventory shall be updated. The company notifies the Data Controllers’ Registry of the information in the Personal Data Inventory and the updates if any. The information to be provided by the Company to the data subject within the framework of the obligation to inform is set forth in the Article of this Policy is compatible with the information disclosed in the Registry.

9. Roles and Responsibilities

• The roles and responsibilities of our company regarding the processing of personal data are as follows:

• Quality Assurance Department shall be liable to notify the data subjects such as customer, subcontractor, and supplier about this Policy.

• Quality Assurance Department shall be liable to inform the parties about this Policy who process data on behalf of the Company, such as employees, suppliers, and regularly check that the Policy is implemented by the aforementioned data processors.

• Quality Assurance Department shall be liable for updating this Policy. The relevant department makes the necessary improvements by considering the needs of the company's information processing systems and carries out the process of updating the Policy when necessary.

• Quality Assurance Department is the authorized for approving the updates regarding this Policy.

Quality Assurance Department shall be liable for the determination and implementation of sanctions in violations of the implementation of the policy.

10. Deletion, Destruction, and Anonymization of Personal Data

• Under Article 7 of KVKK and other relevant legislation provisions, when the reasons for the processing of personal data disappear, the personal data are deleted, destructed, or anonymized upon the Company's decision, periodic control and/or the request of the data subject.

• The company will not keep personal data for longer than necessary in line with obtaining personal data. The company deletes, destructs, or anonymizes personal data in the first periodic destruction process following the date of the obligation to delete, destruct or anonymize the personal data when the reasons for processing disappear.

• The Company has prepared a Retention and Destruction Policy to determine the procedures and principles in this direction. The retention period for each category of personal data has been set out in the Retention and Destruction Policy along with the criteria used to specify this period, including any statutory obligations that the Company has to retain the data. This Retention and Destruction Policy has been prepared in accordance with the Personal Data Inventory specified in Article 8 of this Policy.

• The company acts following the principles set out in Section 4/a of this Policy, the technical and administrative measures set out in Article 6, the Retention and Destruction Policy, the provisions of the relevant legislation, and the decisions of the Board in the deletion, destruction or anonymization of personal data.

Personal data will be destructed securely in accordance with the provisions of KVKK and related laws under the Retention and Destruction Policy. Upon the request of the data subject, the company chooses the appropriate method with justification.

11. Rights and Exercises of Rights of the Data

Subject a. Rights of the Data Subject

Data subjects have the following rights regarding their personal data processed following Article 11 of KVKK:

• To learn whether personal data is being processed,

• To make requests regarding the nature of information held and to whom it has been disclosed,

• To learn the processing purpose of personal data and whether it is used under this purpose,

• To be informed about the third parties that the personal data is transferred domestically or abroad and to make notification regarding the transactions made,

• To demand correction for the personal data that is processed as deficient or incorrect and notification of the third parties about this,

• To demand deletion or destruction of the personal data of which reason to process is no more available, even if the data is processed under the related law,

• To object to any result against the data subject,

• To demand compensation in case of any damage caused by illegal processing of personal data.

b. Exercises of Rights of the Data Subject

Applications and requests regarding personal data can be sent via the Data Subject Application Form,

1. By signing with a secure electronic signature or mobile signature, sending it to the carex@hs01.kep.tr via registered electronic mail (KEP) or,

2. By applying in person to the by sending your signature and photocopy of identity to the Veliköy Yalıboyu OSB Mah. 84.Cad. No:4 Çerkezköy/TEKİRDAĞ or, with a valid identity document, to the Company.

Data subjects should include their name and surname, their signature if the application is in written form, their Turkish ID Number if they are Turkish citizen, their nationality and passport number (or if they have ID number) they are foreigner, place of residence, or business address to be based on notifications, their e mail address, and fax number, subject of the request in their application with respect to the legal requirements regarding the applications to data controllers. In addition, they should add documents and information confirming the identity of their application.

To operate this process in the most effective way, it should be clearly and understandably indicated in their request which right is wished to be used and the details of the requested transaction.

The subject of the request should be about the data subject itself. If the application is made on behalf of someone else, the person making the request should rely on a specially documented authorization for the requested transaction (power of attorney). Unauthorized applications will be ignored.

c. Evaluation of the Application

Applications are evaluated as soon as possible and at the latest within 30 days from the date of receipt of the application. During the evaluation process, additional information and documents can be requested if required, and a fee may be charged for fulfilling the request in cases that comply with the relevant legislation.

The Company takes all necessary administrative and technical measures to conclude the applications made by the data subject effectively and in accordance with the law and the principle of honesty.

d. Rejection of the Application

Application is rejected if;

∙ The application is not made in accordance with the abovementioned procedure,

∙ The application contains a request that is contrary to the applicable legislation,

∙ The application is not justified or is an abuse of the right,

∙ If the personal data subject to application is processed for purposes such as research, planning, and statistics by making them anonymous with official statistics,

∙ The processing of personal data is made public by the data subject itself.

∙ One of the other conditions within the scope of Article 28 of KVKK exists.

In case the application is rejected, the Company declares its reason and notifies the data subject about the rejection.

e. Right to Complaint

In the applications made to the Company, the data subject has the right to complain to the Board when their application is rejected if the response given by the Company is insufficient; or if the Company does not respond within 30 days. The data subject shall exercise their rights to complaint within 30 days from the date of learning the response of the Company and in any case within 60 days from the date of application.

12. Issuing and Enforcement of the Policy

This Policy enters into force on 25.09.2024

The current version of this Policy is accessible at https://tr.celenesbysweden.com/ and https://tr.bionnex.com/

13. Updating the Policy

The Company is the owner of this document and Quality Assurance Department is responsible for ensuring that this procedure is reviewed.

The abolished old copies of this Policy are canceled with the approval of Quality Assurance Department and kept for 10 years Policies with expired retention periods are destructed by preparing a report by Quality Assurance Department.