Protection and Processing of Personal Data

BETA PHARMACEUTICAL WAREHOUSE TRADE INDUSTRY LIMITED COMPANY

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. Purpose and Scope

This website you are visiting is affiliated with BETA ECZA DEPOSU TİCARET SANAYİ LİMİTED ŞİRKETİ.

The main purpose of this Personal Data Protection Policy is to explain the personal data processing activities carried out by the Company in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our company in this context.

This Policy is implemented with the relevant detailed data procedures in all activities carried out for the processing and protection of personal data managed by the Company.

Data subjects included in the scope and whose personal data are processed

Employees Real persons who continue their employment relationship with the Company.

Employee Candidates: Natural persons who apply for a job with the Company or who make their background information accessible to the Company in any way.

Visitors: Natural persons who have entered the Company’s physical facilities for various purposes or who visit the Company’s websites.

Third Parties: Other natural persons whose personal data are processed within the framework of this Policy, although not defined in the Policy

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person

Sensitive Personal Data: Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data

Processing of Personal Data: All kinds of operations performed on personal data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data in whole or in part, automatically or provided that it is part of any data recording system, by non-automatic means

Related Person: Employees, customers, business partners, shareholders, officers, potential customers, prospective employees, trainees, interns, visitors, suppliers, employees of the institutions with which the Company and its subsidiaries have commercial relations, third parties and real persons whose personal data are processed, including but not limited to those listed here.

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system)

Data Processor: Natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller

Company: The data controller company.

Data Processor: Natural and legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller

Explicit Consent: Consent on a specific subject, based on information and expressed with free will

KVKK Law No. 6698 on the Protection of Personal Data

Deletion of Personal Data: Making personal data inaccessible and non-reusable in any way for the relevant users

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and unusable by anyone in any way

Anonymization of Personal Data: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data

Board: Personal Data Protection Board

Institution: Personal Data Protection Authority

3. Policy

The provisions of the relevant legislation in force regarding the processing and protection of personal data shall have priority; in the event of a conflict between the relevant legislation and the provisions of this Policy, the provisions of the current legislation shall prevail.

The Company has different Policies that address the protection of personal data and the provision of information security in relation to specific business activities and functions. This Policy does not override the data protection requirements in these different Policies of the Company, unless it contains additional requirements or requires a higher standard for the protection of personal data.

This Policy has been established in accordance with the rules and procedures stipulated in the provisions of the KVKK and other relevant legislation for the protection of personal data. In this sense, the Data Controller is also obliged to take all necessary technical and administrative measures to prevent unlawful processing of personal data and unlawful access to personal data and to ensure their protection in accordance with the KVKK.

4. Principles to be followed when processing personal data

Our Company acts in accordance with the general principles described below within the scope of all Personal Data Processing activities:

• Processing personal data in accordance with the law and good faith and in a transparent manner
• Collection of personal data only for specific, explicit and legitimate purposes
• Personal data are relevant, limited and proportionate to the purpose for which they are processed
• Ensuring that personal data is accurate and up-to-date when necessary, and that it is deleted or corrected without delay
• Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed
• Processing personal data in a manner to ensure appropriate security

5. Personal Data Collected under the Data Processing Policy

Your Personal Data collected by our Company varies according to the nature of the relationship with our Company and legal obligations. Your Personal Data collected can be listed as follows:

Identity Information (T.R. identification number, name, surname, parents’ name, date and place of birth, marital status, identity card serial-sequence number, photograph, etc.).

Contact Information (telephone number, mobile phone number, address, e-mail address, etc.)

Customer Information (customer number associated with the person, customer income information, invoice, promissory note, check information, information on box office receipts, order information, request information, etc.)

Family Members and Relative Information (identity information, contact information, etc. related to the Data Subject’s children, spouses, especially in relation to employees and employee candidates)

Customer Transaction Information (customer instructions based on an instruction and request associated with the person, customer instructions, records recorded in the relevant channels, etc.)

Physical Location Security Information (camera records, etc.)

Transaction Security Information (Ip Address Information, website password and password information, etc.)

Financial Information (in case of a legal proceeding, in parallel with the information received from official authorities; credit card debt, loan amount, loan payments, debt balance, receivable balance, etc. and accounting information and related records)

Legal Procedure and Compliance Information (data contained in documents such as court and administrative authority decisions, etc.)

Audit and Inspection Information (information on all kinds of records and transactions related to legal proceedings associated with the Data Subject and asserting our rights, etc.)

Personal Data of Special Nature (data related to health, clothing, criminal conviction and security measures)

Request / Complaint Management Information (information and records collected regarding the requests and complaints made to our Company regarding our products and services associated with the person, and information regarding the reports where the results of these are evaluated by the relevant business units, etc.)

Audiovisual Data (photographs, camera recordings, etc.)

The types of Personal Data listed do not cover all your processed data, and Personal Data similar to the data listed by our company can be processed.

6. Purposes of Processing Personal Data

In accordance with the LPPD and other relevant legislation, our Company informs the relevant persons during the acquisition of personal data. In this context, the Company informs and informs the data subject about the purpose for which personal data will be processed, to whom and for what purposes the processed data can be transferred, the method of collecting personal data and the legal reason for collecting personal data. The purpose of processing personal data varies according to the relationship between the company and the personal data owner and the legal nature of the business.

The purposes of processing personal data processed by the Company are as follows:

• Planning and development of company-specific commercial activities, execution of the business
• Realization of legally required transactions, fulfillment of obligations
• Notifications to official institutions
• Activities related to the establishment and performance of contracts
• Activities related to the execution, management, planning and execution of relations with customers
• Activities for the realization of post-contract services
• Planning, monitoring and execution of finance and accounting activities
• Planning and execution of information technologies and data security activities
• Planning and execution of activities for the physical and electronic / network security of the company
• Planning and execution of actions to increase the level of perception about the organization and its activities
• Within the scope of managing and finalizing demand-complaint processes after and during the service;
• Activities for receiving, evaluating and finalizing requests and complaints
• Realization and follow-up of transactions and activities for the fulfillment of obligations arising from the contractual relationship
• Planning, execution and management of corporate relations,
• Management, development, planning and execution of relations with suppliers / business partners / customers
• Design and execution of corporate governance and communication activities
• Planning and execution of activities such as receiving and providing external training
• Ensuring the legal, technical and commercial security of the Company and persons having business relations with the Company
• Providing information to authorized institutions and organizations due to legal obligations and / or performance of activities and obligations related to audit
• Ensuring the security of the physical and/or electronic environments of the Company and its premises and the parties with whom the Company has a relationship
• Keeping records of the parties with whom the Company has business relations, organizing, executing and auditing activities for commercial security
• Fulfillment of activities to ensure that data is kept accurate and up-to-date
• Planning and/or execution of occupational health and/or safety processes
• It is processed for the purposes of fulfilling the obligations regarding all kinds of visitors entering and exiting the Company in accordance with the law.

7. Methods of Processing Personal Data and Legal Grounds

Personal data may be processed by our company with the explicit consent of the personal data owner. Personal data may be processed without the explicit consent of the data owner in the presence of one of the legitimate reasons listed in Article 5/2 and Article 6/3 of the KVKK:

• It is explicitly stipulated in the laws and any relevant legislation
• It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, or of another person
• Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract
• It is mandatory for the data controller to fulfill its legal obligation
• It has been made public by the person concerned
• Data processing is mandatory for the establishment, exercise or protection of a right
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject
• Personal data other than health and sexual life may be processed without the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life can only be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, without seeking the explicit consent of the data subject.

8. Storage and Destruction of Personal Data

• • While determining the retention periods of personal data, our Company determines by taking into account the legislation in force and the purposes of processing the data subject to the process. In this context, legal obligations and statute of limitations regarding the Personal Data Processing activity are taken into consideration. Pursuant to Article 7 of the LPPD and other relevant legislation provisions, personal data are deleted, destroyed or anonymized upon the Company’s decision, periodic control and / or upon the request of the person concerned, if the reasons for processing the processed personal data disappear
  • Personal data transmitted to us in error by any means or transferred in cases where it is understood that the will of the person concerned is not directed to give explicit consent shall be immediately destroyed by our Company by methods in accordance with the Law
  • In connection with the reason for collecting the data, our Company will not store personal data for longer than necessary to enable the identification of the data subject
  • Our Company may store personal data for longer periods only for public interest, scientific or historical research or statistical purposes, by taking appropriate technical and organizational measures to protect the rights and freedoms of the data subject and to ensure data security
  • The retention period for each category of personal data and the criteria used in determining this period, including the legal obligations that the Company has to retain the data, are set out in our Company’s Personal Data Retention and Destruction Policy and will be applied in all cases

9. Transfer of Personal Data

Although our Company makes transfers domestically due to the law and legal obligations, no transfer is made abroad. Without prejudice to the cases where the transfer of personal data to administrative and judicial institutions and organizations is required by the KVKK or the relevant legislation, the personal data of the persons concerned by the Company are not transferred to other persons without the explicit consent of the person concerned, but in cases where the issues listed in Articles 5 and/or 6 of the KVKK are in question, your personal data will be transferred to the relevant institutions and organizations within the legal framework without seeking explicit consent due to the existence of a reason for compliance with the law.

Our Company fulfills its obligation to inform the Data Owner regarding this transfer. Accordingly, the institutions, organizations and / or persons that can be transferred are listed below. Our Company;

• Relevant public institutions and organizations,
• With the competent authorities,
• Administrative institutions and organizations, including tax offices, workplace inspectors, İŞKUR, Regional Labor and SSI,
• If requested, it may be shared with courts and other official and judicial authorities.
• To business partners and affiliates with whom we cooperate in Turkey,
• To the outsourced law firm, courts and other official and judicial authorities upon request,
• It can be transferred to business partners we work with abroad.

10. Measures to Ensure Data Security

Our Company takes administrative and technical measures to prevent data breaches to ensure the security of personal data. In this context, our Company;

Administratively

There are disciplinary regulations containing data security provisions for employees.

Training and awareness raising activities on data security are carried out periodically for employees.

An authorization matrix has been established for employees.

Corporate policies on access, information security, use, storage and destruction have been prepared and implemented.

Confidentiality undertakings are made.

Signed contracts contain data security provisions.

Personal data security policies and procedures have been determined.

Personal data is minimized as much as possible.

Technical aspects;

Network security and application security are ensured.

Closed system network is used for personal data transfers through the network.

Security measures are taken within the scope of procurement, development and maintenance of information technology systems.

Security of personal data stored in the cloud is ensured.

Access logs are kept regularly.

The authorizations of employees who change their duties or leave their jobs are removed.

Up-to-date anti-virus systems are used.

Firewalls are used.

Personal data security is monitored.

Necessary security measures are taken for entry and exit to and from physical environments containing personal data.

Physical environments containing personal data are secured against external risks (fire, flood, etc.).

Security of environments containing personal data is ensured.

Personal data is backed up and the security of backed up personal data is also ensured.

User account management and authorization control system is implemented and monitored.

Log records are kept without user intervention.

Existing risks and threats have been identified.

Encryption is performed.

12. Data Inventory

Our Company has created a data inventory to identify risks and opportunities during the KVKK and GDPR compliance process. The Company’s data inventory identifies

• The organization where the personal data is used
• Processed personal data
• Special categories of personal data processed
• Personal data subject
• Method of collecting personal data – source of personal data
• Purpose of personal data processing
• Legal grounds for personal data processing
• Personal data retention period
• Environments where personal data are processed
• Recipient / group of recipients to which data is transferred
• Technical and administrative measures

13. Rights of the Data Subject

Within the scope of Article 11 of the LPPD, the data subject has the following rights and can exercise his/her rights by contacting the data controller by the methods determined by him/her:

• To learn whether personal data is processed or not
• If personal data has been processed, to request information on the nature of this information and to learn to whom it has been disclosed
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose
• To know the third parties to whom personal data are transferred domestically or abroad and to request notification of the transaction made in this direction to third parties
• In case of incomplete or incorrect processing of personal data, to request correction and notification of this to third parties
• To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the relevant law
• Objecting to a result that is unfavorable to oneself
• In case of damage due to unlawful processing of personal data, to demand compensation for the damage

14. Exercising the Rights of the Data Subject

Data owners, in order to exercise the aforementioned rights, if you fill out the “Relevant Person Application Form” on the link [https:// betapethealth.com] and submit it to [Bayındır Mahallesi Gazi Bulvarı No:18 Muratpaşa/Antalya] by hand or by sending it to with documents identifying your identity, your request will be finalized within 30 days at the latest.

Although data owner applications are processed free of charge as a rule, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged.

15. Response Procedure

In accordance with Article 13 of the KVK Law, our Company will finalize the application requests made by the personal data owner free of charge as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request.

In accordance with Article 13 of the KVK Law, your application must be submitted to our Company in writing or by other methods determined by the KVK Board. The application of the personal data owner may be rejected in the following cases:

1. a) It prevents the rights and freedoms of other persons
2. b) Requires disproportionate effort
3. c) The information is publicly available
4. d) jeopardizing the privacy of others
5. e) Existence of one of the situations excluded from the scope pursuant to the KVK Law