Eczacıbaşı Tüketim Ürünleri Sanayi ve Ticaret A.Ş.

Policy of Protection and Processing of Personal Data

This Eczacıbaşı Tüketim Ürünleri Sanayi ve Ticaret A.Ş. Policy of Protection and Processing of Personal Data (“Policy"), includes the Company's statements and explanations regarding the processing of Personal Data of real persons other than the employees of our Company, particularly employee candidates and customers, within the scope of the Law on Protection of Personal Data ("Law") by Eczacıbaşı Tüketim Ürünleri Sanayi ve Ticaret A.Ş. (“Company”).

Our company reserves the right to make changes in the Policy in order to provide up-to-date information about our practices on the protection of Personal Data and legal regulations. In case of the changes made in the Policy are essential changes, Data Owners shall be informed through various channels.

The matters related to the processing of Personal Data of the employees whose Personal Data are processed by our Company are regulated within the scope of Eczacıbaşı Tüketim Ürünleri Sanayi ve Ticaret A.Ş. Policy of Protection and Processing of Employee Personal Data.

Definitions related to the concepts used within the scope of this Policy are included in ANNEX-1 taking also into account the personal data protection legislation.

1)              Principles Regarding Data Privacy

Our Company acts in accordance with the general principles described below within the scope of all Personal Data Processing activities.

Acting in compliance with law and in good faith: Our Company acts in accordance with the legislation in force in any Personal Data Processing process and abides by the rules of good faith.

Accuracy and currency: Our Company provides Data Owners the opportunity to update their Personal Data and takes the necessary measures to ensure proper data transfer to databases.

Processing for specific, clear and legitimate purposes: Our Company restricts the Personal Data Processing activities to specific and legitimate purposes and informs Data Owners clearly about the relevant purposes through disclosure texts.

To be connected, restricted and moderate with the purpose for which they are processed: Personal Data is processed to the extent that required by the purpose informed to the Data Owner during its provision and in connection with this purpose and restrictedly by our Company.

To be kept for the period prescribed in the relevant legislation or necessary for the relevant purpose:

Our Company keeps the Personal Data during a given period if it is determined within the scope of the legislation in force. If such a period is not specified in the legislation, reasonable storage periods are determined by considering the data usage purpose and procedures of the Company and the data is stored limited by this time. Following the expiration of the mentioned periods, the data is deleted, destroyed or anonymized in accordance with the procedures of our Company.

2)     Your Collected Personal Data

Your Personal Data collected by our Company varies according to the nature of the relationship with our Company and the legal obligations.

Your collected Personal Data may be sorted as follows:

       Identity Information (to be varied insofar as necessary, T.R. identification number, name-surname, passport number, information written on the identity card if the identity card is shared, photos, etc.)

       Contact Information (E-mail address, phone number, mobile phone number, address, etc.)

       Location Data (location information obtained when using our services, especially in mobile apps, or when using our company's tools, etc. associated with the person)

       Customer Information (Customer number associated with the person, customer income information, customer occupation information, license plate, other information about the vehicle, educational information, etc.)

       Family Members and Relative Information (especially in relation to employee candidates, children of the Data Owner, information about his/her spouses, contact information and professional, educational information etc.)

       Customer Transaction Information (an order and CDR (call detail record) on demand, call center records, credit card statement, pay desk receipts, customer orders, records recorded in channels intended for this, etc. associated with the person)

       Physical Space Security Information (entry-exit records, visit information, camera records, etc.)

       Transaction Security Information (website password and password information, etc.)

       Risk Management Information (KRO query results and records, address registration system records, IP address tracking records, etc. associated with the Personal Data Owner)

       Financial Information (In case of a legal follow-up, credit card debt, loan amount, loan payments, amount of interest to be paid and rate, debt balance, receivable balance etc. in parallel with the information received from official authorities)

       Employee Candidate Information (curriculum vitae, interview notes, personality test results, etc.)

       Legal Transaction and Compliance Information (data in documents such as court and administrative authority decisions etc.)

       Audit and Inspection Information (Legal follow-up associated with the Data Owner and information regarding all kinds of registration and transaction regarding claiming our rights)

       Specialized Personal Data (information about association, foundation or union membership, data about health, data about criminal conviction and security measures)

       Marketing Information (Reports and assessments records showing the habits, likes of the person to be used for marketing purposes targeting information, cookie records, data enrichment activities, surveys made with the person, satisfaction surveys, information and evaluations etc. obtained through campaigns and direct marketing activities associated with the Data Owner)

       Claims/Complaint Management Information (information and records collected about the requests and complaints made to our Company regarding our products and services associated with the person and the information related to the reports in which the results of these are evaluated by the relevant business units etc.)

       Reputation Management Information (information associated with the person and information collected for the purpose of protecting our company's commercial reputation etc.)

                     Audio Visual Data (photos, camera recordings, audio recordings, etc.)

Mentioned Personal Data types do not cover all of your processed data and Personal Data similar to the data mentioned can be processed by our Company.

3)                  Our Personal Data Processing Purposes

Within the scope of Personal Data Processing terms set forth in the 5th and 6th articles of the Act, your obtained Personal Data may be processed within the purposes of;

       Within the scope of designing, coordinating, developing and executing company specific commercial activities, planning and executing business development activities;

o Carrying out notifications of legally required transactions/records, execution of obligations, communication with official institutions, giving information to authorized institutions

o Establishing, executing the contracts, performing, managing, planning and executing the relations with the customers and carrying out post contractual services

o Follow-up, planning and executing of activities intended for service/consulting outsourcing etc.   

o Planning, follow-up and executing of activities intended for financial and accounting

o Executing strategic planning activities

o Carrying out, planning and executing activities/developments and analyzes intended for access to systems

o Planning and executing information technologies and data security activities

o Planning and executing activities intended for the development, follow-up and control of commercial affairs, works, operations

o Carrying out studies intended for control, data management, analysis, social activities, process development and similar activities and relevant reporting

o Planning and executing activities intended for crisis and emergency management

o Planning and executing works intended for physical/electronic security of the Company

       Within the scope of the designing and executing activities intended for personalization of products and services, profiling, promotion and marketing;

o Planning and executing actions intended for increasing the perception level about the brand and brand management activities

o Planning and executing operations intended for advertising, sales and marketing for customers

o Planning, managing and executing organizations, meetings, invitations and events

o Carrying out taste, commitment, profiling, satisfaction studies and analysis related to products and services

o Planning and executing customer specific campaigns, promotions

o Planning and executing activities intended for developing products and services and / or customizing for customer by analyzing customers' usage habits and tendencies

o Planning and executing market research activities related to products and services

       Within the scope of designing and/or executing post-sales processes with demand and complaint management;

o Planning and executing demand and complaint management activities intended for receiving, evaluating and concluding demands and complaints

o Carrying out operation, research, analysis and reporting activities intended for entering into contractual relationship with customers or renewing contracts

o Carrying out and follow-up transactions and activities intended for the fulfillment of the obligations arising from post-sales services and contractual relationship

       Within the scope of planning, executing and managing its corporate relations;

o Managing, developing, planning and executing relations with supplier/dealer/business partner

o Carrying out activities and requirements for planning and executing operations intended for vehicle users and establishing and performing car rental contracts

o Designing, developing and executing corporate management and communication activities

o Planning and/or executing provision of business continuity activities

o Planning and executing activities such as external training/giving scholarship/support

o Executing strategic planning activities

       Within the scope of carrying out activities intended for Ensuring legal, technical and commercial-occupational safety of the Company and the relevant persons who have business relations with the Company;

o Planning and executing organizational structure, follow-up and studies intended for execution of the Company's activities in accordance with the company policies, directives, articles of association and related legislation

o Providing information to authorized institutions due to legal liability and/or conducting activities and liabilities related to auditing

o Ensuring the security of the physical and/or electronic environment of the company and its premises and of the parties in which the company is in contact with

o Keeping records of persons attending organizations and events

o Keeping records related to the parties in which the company is in a business relationship and planning and executing listing works

o Performing activities to ensure keeping the data accurate and up-to-date

o Planning and/or executing occupational health and/or safety processes

o Lawful planning and executing operations and works related to any visitor entering and leaving the company

o Organizing, planning, executing and auditing the works for the commercial safety of the company and/or the persons with whom the Company is in business relationship.

4)              Storage of Personal Data

Our company determines the duration of storage of personal data by taking into consideration the legislation in force and the purposes of processing the data subject to the process. In this context, if legal obligations related to Personal Data Processing activity and term of limitations are in question they are absolutely taken into consideration. In case of the purpose of Personal Data Processing is removed, the data is deleted, destroyed or anonymized unless there is another legal basis or ground that allows keeping the Personal Data..

5)              Transferring of Personal Data

Your Personal Data may be shared with our suppliers and business partners with whom we cooperate domestically or abroad and receive external service or support, within the scope of above purposes including utilizing you from the products and services of the parties providing products or services for our Company or on behalf of our Company. Your Personal Data may be shared with the legally authorized public authorities and private persons within the scope of their authorities. In these cases where your Personal Data is shared, our Company takes the necessary measures to ensure that the party to which the data is shared carries out processing and transferr activities in accordance with the rules in this Policy and the provisions in the legislation.

Your Personal Data may be subject to transfer if our Company partially or completely changes hands by means of sale of shares or subject to merger, division or change of title. In this context, in case of your Personal Data is transferred, the necessary steps will be taken to ensure that the party to which the data is transferred complies with the processing and transfer rules in this Policy.

The transfer of your personal data abroad may be carried out only if;

        There is your express consent, or

       In the cases of one or more of the other data processing requirements specified in the Law are met;

o there is adequate protection in the country where that data is transferred or

o In the case of absence of adequate protection in the country where the data is transferred, provided that our Company commits the adequate protection together with the Data Officer in the relevant foreign country in writing and obtaining the permission of the Personal Data Protection Board.

6)     Data Security

Our Company takes reasonable technical and administrative measures to prevent unauthorized access risks, accidental loss of data, deliberate deletion or damage of data to ensure the security of your Personal Data.

Within this scope, our Company;

       Records the accesses to Personal Data,

       Ensures data security using software and hardware including virus protection systems and firewalls,

       Monitors Personal Data processing activities on the basis of business unit,

       Ensures that necessary audits are carried out to ensure the implementation of the provisions of the Law in accordance with Article 12 of the Law,

       Provides compliance of the data processing activities with Law by Company's internal policies and procedures,

       Makes authorizations appropriate to the nature of the data accessed within the company,

       Subjects to the access to Specialized Personal Data stricter measures,

       Provides additional security checks to people having access to Specialized Personal Data,

       In case of access to Personal Data outside the Company for reasons such as outsourcing, our Company takes commitments from the external service provider to ensure compliance with the Law,

       Takes necessary actions to inform all its employees, primarily those who have access to Personal Data, about their duties and responsibilities within the scope of the Law.

7)     Rights of Data Owners

According to Article 11 of the Law, Data Owners have the following rights against Data Officer:

       Learn if Personal Data about him / herself has been processed, and request information regarding this if it has been processed.

       To learn the purpose of processing the Personal Data and whether it is used in accordance with its purpose.

       To know the third parties to which the Personal Data is transferred in the country or abroad.

       To request correction of personal data in case of incomplete or incorrect processing.

       To request deletion or destruction of the Personal Data in accordance with the terms prescribed in the relevant legislation, to request the transactions carried out to be notified to third parties to which the Personal Data is transferred.

       To object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems.

       To request to claim damages in case of incurring loss due to unlawful processing of the Personal Data.

Article 28, paragraph 2 of the Law, lists the conditions where data owners have no right to demand and within this context;

       Personal Data processing is necessary for the prevention of committing crime or for criminal investigation,

       Processing of personal data publicized by the relevant person him/herself,

       Personal Data processing is required by commissioned and authorized public institutions and organizations and public professional organizations for conducting inspection and regulation tasks and disciplinary investigation or prosecution based on the authority granted by the law,

       Personal Data processing is required for the protection of the economic and financial interests of the State regarding budget, tax and financial matters,

the rights specified above cannot be used in these cases except for the right to request to claim damages for the data.

8)     Use of Rights by Data Owners

If you submit your requests regarding your rights to us by filling out Data Owner Application Form which you can access from www.eczacibasituketim.com.tr, your request will be concluded within the shortest time and within 30 (thirty) days at the latest according to the nature of your request. However, if the transaction requires an additional cost, the fee will be charged in the tariff determined by the Personal Data Protection Board.

In order for third parties to request an application on your behalf, you must have given a special power of attorney to this third party issued by notary public.

Our Company may request information from the Relevant Person in order to determine whether the applicant is a Data Owner and may ask questions to the Data Owner in order to clarify the issues mentioned in the application.

9)     CCTV (Closed Circuit Television) Usage

In the case of you visit our company's premises, your visual and audio data may be obtained through the closed circuit camera system and can only be stored for the time required for the purposes listed below. By using closed circuit camera system, prevention and monitoring of anti-social behavior and criminal behavior, providing the security of our company's premises and the vehicles and equipment in our company's premises, protecting the health and safety of visitors and employees visiting our company's premises is aimed. All technical and administrative measures required to ensure the security of your data obtained through the closed circuit camera system shall be taken by our Company.

ANNEX-1

CONCEPTS

DEFINITIONS

Express consent

It refers to a declaration of consent by Data Owners with their free wills, on a specific subject, based on being informed.

Anonymization

It refers to making Personal Data that cannot be associated with any identified or identifiable real person even if by matching with other data.

Relevant Person / Data Owner

It refers to the real person whose personal data is processed.

Personal Data

It refers to any kind of information about the real person who is identified or identifiable

Specialized personal data

It refers to the data subject to a stricter protection regime within the scope of law which may cause Data Owner to be aggrieved or may be exposed to discrimination in cases such as disclosure, loss.

Processing of personal data

It refers to any transaction carried out on data such as obtaining, recording, storing, keeping, changing, re-arranging, disclosing, transferring, taking over, making accessible, classification or prevention of use of Personal Data fully or partially by automated or non-automated means provided that it is a part of any Data Record System.

Data record system

It refers to the record system in which personal data is configured and processed according to certain criteria.

Data officer

It refers to the real or legal person who determines the processing purposes and means of the Personal Data and responsible for establishing and managing the Data Record System.

Data processor

It refers to the real or legal person that processes Personal Data on behalf of the data officer based on the authority granted by him/her.

 

1. Information About Personal Data Supervisor:

Within the scope of the survey we have provided to you, your personal data is processed by Eczacıbaşı Tüketim Ürünleri Sanayi ve Ticaret A.Ş. (”Company“ or ”Our Company") in the capacity of data supervisor, within the scope of this Disclosure Text and in accordance with Law on Protection of Personal Data No. 6698 (”Law No. 6698").   


2. Purposes Regarding Processing of Your Personal Data:

Your personal data is processed by Our Company for the purposes such as;

·              Design, coordination, development, execution of company-specific business activities, planning and execution of activities intended for business development and commercial activities,

·              Personalization of products and services, design and execution of activities intended for profiling, promotion and marketing,

·              Demand and complaint management along with design and/or execution of post-sales processes,

·              Planning, execution and management of corporate relations,

·              Ensuring the legal, technical and commercial-occupational safety of the Company and related persons in business relationship with the Company along with carrying out activities intended for performing legal obligations.

You can access more detailed information on the protection and processing of your personal data, from "Eczacıbaşı Group Companies Personal Data Protection Policy" in http://www.eczacibasituketim.com.tr/ website. 


3. Parties That Your Personal Data Can be Transferred to and Transfer Purposes:

Your personal data can be transferred to other Eczacıbaşı Group organizations particularly Eczacıbaşı Holding A.Ş., to our suppliers in the country or external suppliers providing service abroad, business partners and service providers and also to legally authorized public institutions and/or natural persons in accordance with the aforementioned purposes, within the framework of personal data processing requirements and purposes specified in Articles 8 and 9 of the Law No. 6698. 


4. Collection Method of Your Personal Data and its Legal Reason:

Your personal data is collected and maintained in physical and/or electronic environments by our Company through different channels and depending on different legal reasons. Your personal data is collected depending on legal reasons such as the provision of rights and benefits to you, the maintenance and improvement of intercompany activities, and the fulfillment of the contracts and obligations arising from legislation. 


5. Rights of the Personal Data Owner:

·              As personal data owners, pursuant to Article 11 of Law no. 6698, you have rights;

·              To learn whether your personal data is processed,

·              If your personal data is processed to request information regarding this,

·              To learn the purpose of processing your personal data and whether they are used appropriate to its purpose,

·              To know the third parties to which the Personal Data is transferred in the country or abroad,

·              To request correction of personal data in case of incomplete or incorrect processing and to request that the transaction carried out in this context to be notified to third parties to which your personal data is transferred, to request the deletion or destruction of your personal data in the case of reasons that require processing have removed even if it has been processed in accordance with the provisions of the Law No. 6698 and other legislation and transaction carried out in this context to be notified to third parties to which your personal data is transferred,

·              To object to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,

·              To request to claim damages in case of incurring loss due to unlawful processing of the Personal Data. If you submit your requests regarding your rights in writing to our Company through etu-kvkk@eczacibasi.com.tr, your request will be concluded within the shortest time and within 30 (thirty) days at the latest according to the nature of your request. However, if the transaction requires an additional cost, the fee will be charged in the tariff determined by the Personal Data Protection Board.

1. Application Method

You can submit your requests within the scope of Article 11 of the Law on Protection of Personal Data No. 6698 ("Law"), pursuant to Article 13 of the Law, and Article 5 of the Statement on the Procedures and Principles of the Application to the Data Officer, to our Company with this form and by one of the 4 methods described below:.

 

APPLICATION

METHOD

APPLICATION ADDRESS

INFORMATION TO BE REVEALED IN THE APPLICATION

1. Written Application

Wet-signed personal application or through Notary Public

Kavacık Ofis Rüzgarlı Bahçe Mahallesi, Kavak Sokak No:20 Beykoz 34805, Istanbul

"Information Request within the scope of the Law on Protection of Personal Data" shall be written on the envelope/notification.

2. Through Registered Electronic Mail (REM)

With Registered Electronic Mail (REM) address

eczacibasituketim

@eczacibasituketi

m.hs02.kep.tr

"Information Request of the Law on Protection of Personal Data" shall be written on the subject of e-mail

3. Application by Electronic Mail Address in Our System

By using your e-mail address registered in our company's system

etu-kvkk@eczacibasi.com.tr

"Information Request of the Law on Protection of Personal Data" shall be written on the subject of e-mail

4. Application by Electronic Mail Address Not in Our System

By using your e-mail address not in our Company's system containing mobile signature/e-signature

etu-kvkk@eczacibasi.com.tr

"Information Request of the Law on Protection of Personal Data" shall be written on the subject of e-mail

2. Your Identity and Contact Information

 

Please fill out the following fields so that we can contact you and verify your identity.

Name-Surname

 

 

T.R. Identification Number /

For Citizens of Other Country Passport Number or Identification Number

 

 

Residence Address / Work Place Address Subject to Notification

 

 

Mobile Phone

 

 

Phone Number

 

 

Fax Number

 

 

E-mail Address

 

 

3.                    Your relationship with our Company

4.                    Your relationship with our Company

 

 

Customer

 

 

Business Partner

 

 

Visitor

 

 

Other

(please indicate)

 

 

Within our company: the unit you are in contact

 

 

□ Former Employee

□ Job Application / I Shared My CV

Years I have Worked:...................................................................

Date :.................................................................................

□ Other:...................................................................

□ I am employee of third party firm

 

Please indicate your company and position information

 

 

5.                    Subject of Request

Please clearly write down your request regarding your personal data. Information and documents related to the subject should be attached to the application.


Select the Method of Notification of the Reply to Your Party

 I want the reply to be sent to my mail address I provided in part 2.                                                                                                                                                                                             

I want the reply to be sent to my electronic mail address I provided in part 2.                                                                                                                                                                                               

I want the reply to be sent to my fax number I provided in part 2.                                                                                                    

In line with the above-mentioned requests, I kindly request that the application I made to your company to be evaluated in accordance with Article 13 of the Law and information to be given to me.

I hereby declare and acknowledge that my information and documents that I have provided to you are correct and up-to-date, that your Company may request additional information in order to conclude my application, and that I have been informed about the matter that I may be required to pay the fee determined by the Personal Data Protection Board if it requires an additional cost..

Applicant Relevant Person (Data Owner) Name Surname      : Application Date :

Signature            :

This application form has been issued in order to determine your relationship with our Company and, by completely determining your personal data processed by our Company, if any, to respond to your application in the correctly and within the legal period. Our Company reserves the right to request additional documents and information for the purpose of authentication and authorization, in order to eliminate the legal risks that may arise from data sharing in an unlawful and unfair manner and particularly to ensure the security of your personal data. If the information you submit about your requests on the form is not correct and up-to-date or an unauthorized application is made, our Company does not accept any liability regarding the requests related to relevant incorrect information or unauthorized application.