CONTACT US
EMAIL PHONE NUMBER
SOCIAL MEDIA
INSTAGRAM LINKEDIN FACEBOOK
Arvatera Pharma operates with a commitment to ethical values, a science-focused approach, innovation, and a dedication to human health.
CONTACT

PROTECTION OF PERSONAL DATA

1. INTRODUCTION

The protection of personal data is an issue of great importance for Arvatera İlaç San. ve Tic. A.Ş. (hereinafter referred to as the “Company”). Since its establishment, Arvatera has kept the personal data obtained from natural persons within the scope of its activities confidential and has taken all necessary technical and administrative measures to ensure the protection of personal data and data security. Even before the Law on the Protection of Personal Data No. 6698 (“Law”) entered into force on April 7, 2016, Arvatera had adopted and implemented the principle of confidentiality of personal data as a working policy.

The Company adopts all principles set forth by the Law in order to conduct all its activities in compliance with both the Constitution of the Republic of Türkiye and the Law, as well as secondary legislation related to the matter. In this regard, the Company fulfills its obligations concerning the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security. This Data Protection Policy has been prepared within this scope and is made available to all natural persons whose personal data are processed.

“Explicit Consent” Consent that is based on being informed regarding a specific subject and given through free will
“Employee” A natural person who has an employment or service agreement with Arvatera, in an employer–employee type of relationship
“Law” The Law on the Protection of Personal Data No. 6698
“Personal Data” Any information relating to an identified or identifiable natural person
“Anonymization of Personal Data” The process of rendering personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even when matched with other data
“Processing of Personal Data” Any operation performed on personal data, whether fully or partially automated or not, provided that it is part of a data recording system, such as collection, recording, storage, preservation, alteration, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of use
“Deletion of Personal Data” The process of rendering personal data completely inaccessible and non-reusable for relevant users
“Destruction of Personal Data” The process of rendering personal data completely inaccessible, irretrievable, and non-reusable by anyone under any circumstances
“Board” Personal Data Protection Board
“Authority” Personal Data Protection Authority
“Special Categories of Personal Data” Data concerning individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data
“Data Protection Policy” Arvatera Personal Data Protection Policy
“Arvatera” or “Company” Arvatera İlaç San. ve Tic. ve Tic. A.Ş.
“Data Processor” A natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller
“Data Controller” A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system

1.2. PURPOSE AND SCOPE OF THE DATA PROTECTION POLICY

This Data Protection Policy explains the matters relating to the collection, use, transfer, destruction, and other forms of processing of personal data by Arvatera, as well as the technical and administrative measures taken by the Company to protect personal data and the rights of data subjects. This Data Protection Policy;

  • Employees,
  • Employee candidates,
  • Company shareholders,
  • Company officials,
  • Visitors,
  • Employees of institutions with which the Company cooperates,
  • Individuals accessing any applications and services offered by the Company, and
  • Third parties.

applies to the personal data processed under the Law on the Protection of Personal Data for: Personal data obtained either with the explicit consent of the data subjects or under other lawful bases specified in the Law are processed by Arvatera for the purposes of fulfilling its legal obligations, properly delivering its services, improving the quality of the services provided and the quality policy, and for the other purposes stated in this Data Protection Policy.

2. PROCESSING OF PERSONAL DATA

2.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA

While carrying out personal data processing activities, Arvatera complies with the principles set forth in Article 4 of the Law on the Protection of Personal Data.

  • Compliance with the law and the principle of good faith:

Arvatera questions the source of the personal data obtained from the data subject or third parties and attaches importance to ensuring that such data is obtained and processed lawfully and in line with the principle of good faith. In this context, the Company makes the necessary warnings and notifications to third parties to whom it transfers personal data in order to ensure the protection of such data.

  • Being accurate and, where necessary, up to date:

Arvatera ensures that all data within its legal entity are accurate, do not contain incorrect information, and, where changes in personal data are communicated, such data is updated accordingly. The Company exercises reasonable care and diligence regarding the accuracy and currency of the personal data declared by its customers or third parties with whom it interacts.

  • Being processed for specific, explicit, and legitimate purposes:

Arvatera identifies legitimate and lawful purposes for data processing clearly and explicitly before commencing the personal data processing activity. Personal data are not processed for purposes other than those determined in advance.

  • Being relevant, limited, and proportionate to the purposes for which they are processed:

Arvatera processes personal data only to the extent limited to the purpose of processing. Personal data not related to the specified purpose are not processed by Arvatera.

  • Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed:

Arvatera retains personal data for the period stipulated by legislation or for as long as required by the purpose of processing. However, when the period stipulated by the legislation expires or all purposes of processing cease to exist, personal data are deleted, destroyed, or anonymized. These principles apply regardless of whether the Company processes personal data based on explicit consent or under other legal bases for processing. At this point, Arvatera processes personal data in compliance with the legal bases for processing and the general principles, while also fulfilling its obligation to inform data subjects.

2.2. CONDITIONS FOR PROCESSING PERSONAL DATA

Arvatera processes personal data either with explicit consent or in the following cases where other legal bases for data processing are present:

  • Where it is explicitly stipulated by laws,
  • Where it is necessary to protect the life or physical integrity of the person who is unable to give consent due to actual impossibility or whose consent is not legally valid, or of another person,
  • Where it is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
  • Where it is necessary for the data controller to fulfill its legal obligations,
  • Where the data has been made public by the data subject,
  • Where it is necessary for the establishment, exercise, or protection of a right,
  • Where it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

According to the Law, data concerning individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data.

Arvatera takes additional measures stipulated by the Law and the Personal Data Protection Board in processing special categories of personal data. In this context, the conditions for processing special categories of personal data are set forth in Article 6 of the Law and the additional measures announced by the Board. Accordingly, special categories of personal data are processed in the following cases:

  • Where the explicit consent of the data subject has been obtained,
  • Where the processing of special categories of personal data, other than those relating to health and sexual life, is stipulated by laws,
  • Where data concerning health and sexual life are processed by persons under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and their financing.

The procedures and principles regarding the processing, destruction, and protection of special categories of personal data are regulated by the Arvatera Policy on the Protection and Processing of Special Categories of Personal Data.

2.3.

PURPOSES OF PROCESSING PERSONAL DATA

Within the framework of the legal grounds set forth in Articles 5 and 6 of the Law on the Protection of Personal Data, Arvatera processes personal data for the following purposes: In the context of planning and execution of human resources activities, the personal data of job applicants are processed for the purpose of evaluating their suitability for employment and conducting recruitment processes; the personal data of employees are processed for the performance of the employment contract, establishment of fringe benefits, execution of promotion/bonus/salary increase processes, fulfillment of obligations arising from labor legislation and other regulations applicable to the Company, implementation of social insurance procedures, evaluation of employee performance, and similar purposes.

In addition, within the scope of its ordinary corporate activities and services provided to its clients, the Company processes personal data for purposes including: planning and execution of corporate sustainability activities, event management, management of relationships with business partners or suppliers, execution/monitoring of financial reporting and risk management activities, execution/monitoring of legal affairs, planning and execution of corporate communication activities, execution of corporate governance processes, performance of corporate and partnership law transactions, request and complaint management, management of investor relations, ensuring the security of Arvatera’s buildings and facilities, creation and follow-up of visitor records, determination and implementation of the Company’s commercial and business strategies, resolving issues and complaints of data subjects, ensuring satisfaction and providing efficient service, responding to requests for information from administrative and judicial authorities, compliance with legal processes and legislation, ensuring information and transaction security, and prevention of misuse, among others.

If the data processing activity carried out for the aforementioned purposes does not meet any of the legal bases stipulated under the Law, Arvatera obtains the explicit consent of the data subject for the relevant data processing activity.

2.4.

2.4. METHOD OF COLLECTING PERSONAL DATA

Arvatera collects personal data in physical and electronic environments, in compliance with the legal bases for personal data processing stipulated under the Law and for the legal purposes specified in this Data Protection Policy, through contracts, digital platforms, notifications from administrative and judicial authorities, e-mail and other communication channels, in audio, electronic, or written formats. Such personal data are primarily processed for the establishment of contracts and to provide better services to the relevant individuals within the scope of this Data Protection Policy.

Accordingly, personal data may be obtained when benefiting from the services offered by the Company, when a legal relationship (e.g., purchase, brokerage, employment, etc.) is established with the Company, or when communication is established with the Company (e.g., via mail, e-mail) regarding its services.

Arvatera adopts the principle of acting in accordance with the law when obtaining personal data from its business partners or solution partners. Only the data required for the provision of services are collected, with a data privacy commitment from such partners, and measures are taken to ensure data security at this stage.

Arvatera processes the personal data of its employees only to the extent necessary in the context of employment relations and, in other cases permitted by the applicable legislation, without requiring consent, while ensuring the confidentiality and protection of employee personal data.

3. TRANSFER OF PERSONAL DATA

The Company transfers personal data to third parties only for the purposes specified in this Data Protection Policy and in compliance with Articles 8 and 9 of the Law on the Protection of Personal Data. In this context, the Company may transfer the personal data it collects to the following persons and institutions for specific purposes:

  • To the Company’s business partners, limited to the purpose of fulfilling the objectives of the business partnership,
  • To the Company’s suppliers, limited to the purpose of enabling the provision of services procured externally from the supplier and necessary for the Company to carry out its commercial activities,
  • To the Company’s customers,
  • To authorized public institutions and organizations upon request,
  • To the Company’s solution partners.

The purpose of sharing personal data by the Company is to provide access to services, fulfill its legal obligations, ensure the execution of contracts concluded with data subjects, carry out purchase and sale transactions, prevent and detect fraudulent or unlawful activities related to services, and conduct other commercial activities lawfully. Arvatera adopts the principle of acting in compliance with the law in all data sharing activities. Personal data is shared with third parties only to the extent required by the provision of services. The Company exercises the utmost care to ensure that such third parties take necessary measures regarding data security.

The aforementioned personal data transfers, whether domestic or international, are legally protected not only through technical measures ensuring data security but also through data transfer agreements. The Company may share personal data it processes with public institutions and organizations legally authorized to request such information, for the purpose of fulfilling its legal obligations (including but not limited to situations involving crime prevention, threats to state and public security, or other cases where the Company is legally or administratively required to disclose or provide information).

4. STORAGE AND DESTRUCTION OF PERSONAL DATA

In accordance with the Law on the Protection of Personal Data, personal data is kept accurate and up to date and is retained for the period stipulated in the relevant legislation or required for the purpose for which it is processed. This period is determined separately for each category of personal data, and once the relevant retention period expires, such personal data is deleted, destroyed, or anonymized at the end of the periodic destruction periods determined under the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

The deletion of personal data refers to the process by which personal data is rendered completely inaccessible and unusable for relevant users; the destruction of personal data refers to the process by which personal data is rendered completely inaccessible, irretrievable, and unusable by anyone; the anonymization of personal data refers to the process by which personal data is made impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data.

Within this scope, Arvatera has determined the necessary periodic destruction periods and established a Personal Data Retention and Destruction Policy. The Company records all procedures carried out regarding the deletion, destruction, and anonymization of personal data, and stores such records for at least three years, except where other legal obligations require longer retention.

When data subjects apply to the Company requesting the deletion or destruction of their personal data, Arvatera:

  • If all conditions for processing personal data have ceased to exist, deletes, destroys, or anonymizes the relevant personal data. The request of the data subject is concluded within thirty days at the latest, and the individual is informed accordingly.
  • If all conditions for processing personal data have ceased to exist and the personal data subject to the request has been transferred to third parties, Arvatera notifies the third party of this situation and ensures that the necessary actions are taken before the third party.
  • If not all conditions for processing personal data have ceased to exist, the Company may reject the request pursuant to Article 13(3) of the Law on the Protection of Personal Data by providing justification, and notifies the data subject of this rejection in writing or electronically within thirty days at the latest.

5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA

Arvatera takes technical and administrative measures, in line with technological capabilities and implementation costs, to ensure that personal data is processed lawfully. Measures taken for the protection of personal data are applied with particular care and supplemented with additional safeguards in relation to special categories of personal data, and the Company ensures the highest-level periodic audits within its organization.

Arvatera has implemented all appropriate security measures to ensure that personal data is processed only for the purposes specified in this Data Protection Policy and to reduce risks such as malicious use, unauthorized access, disclosure, destruction, or alteration of personal data. These security measures also include additional safeguards taken in relation to the transfer of personal data to countries that may not provide an adequate level of data protection.

Personal data is confidential, and Arvatera respects this confidentiality. Access to personal data is restricted to authorized personnel within the Company. Accordingly, the Company ensures that software complies with standards, that third parties are selected with due diligence, and that compliance with the data protection policy is observed within the organization.

Within the scope of the technical and administrative measures taken to ensure data security, Arvatera:

  • Conducts regular training and awareness programs for employees on the protection of personal data.
  • Establishes policies based on the Company’s personal data processing inventory and designs the necessary processes for the implementation of such policies.
  • Identifies risks within the scope of personal data protection law and diligently carries out activities to eliminate these risks,
  • Conducts periodic internal audits to ensure compliance with obligations under personal data protection law.
  • Conducts periodic internal audits to ensure compliance with obligations under personal data protection law.
  • Obtains continuous legal consultancy services to ensure compliance with updated legislation.
  • Prepares a separate policy for the protection of special categories of personal data and implements additional safeguards determined by the Authority.
  • Implements data sharing agreements and similar safeguards to properly manage relationships with data processors.
  • Uses widely accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption.
  • Employs virus protection systems, secure databases, servers, and firewalls.
  • Performs risk analysis and adopts the broadest and most appropriate preventive security measures to protect personal data in line with current technological developments, including encryption of email information.
  • Establishes a secure technical infrastructure to ensure the security of databases where personal data is stored.
  • Defines procedures for reporting on the technical measures taken and audit processes.
  • Adopts other administrative measures regarding the protection of personal data.
  • Periodically renews and improves security measures.

Despite Arvatera’s implementation of the necessary information security measures, in the event that personal data is compromised or obtained by unauthorized third parties as a result of attacks on platforms operated by Arvatera or the Company’s systems, Arvatera shall take immediate action to remedy the breach and minimize the damage to the data subject. Arvatera shall promptly notify the data subject and the Authority of such incidents and take all necessary measures.

6. RIGHTS OF DATA SUBJECTS OVER THEIR PERSONAL DATA

According to the Constitution of the Republic of Türkiye, everyone has the right to demand the protection of their personal data. In this context, the rights of data subjects over their personal data are listed in Article 11 of the Law on the Protection of Personal Data as follows:

  • To learn whether their personal data is being processed,
  • If personal data has been processed, to request information regarding such processing,
  • To learn the purpose of the processing of personal data and whether they are used in accordance with the stated purpose,
  • To learn the third parties, whether domestic or abroad, to whom personal data has been transferred,
  • To request the rectification of personal data in case it is incomplete or incorrectly processed,
  • To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
  • To request that the processes of deletion, destruction, or rectification be notified to third parties to whom the personal data has been transferred,
  • To object to the occurrence of any result against the data subject by means of the analysis of processed data exclusively through automated systems,
  • To demand compensation for damages in case of suffering damage due to the unlawful processing of personal data.

If data subjects submit their requests regarding the rights listed above to the Company in accordance with the procedures set forth in the Communiqué on the Procedures and Principles of Application to the Data Controller, Arvatera shall conclude the request free of charge as soon as possible and within a maximum of thirty (30) days depending on the nature of the request. However, if the process requires an additional cost, Arvatera may charge the fee in the tariff determined by the Authority.

Within the scope of the rights specified above, the data subject may submit their requests in writing, or by using their registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously notified to the Company and registered in Arvatera’s system. Applications must include:

  • Name, surname, and signature if the application is in writing,
  • For Turkish citizens, T.R. ID number; for foreigners, nationality, passport number, or identity number if available,
  • Residential or workplace address for notification,
  • If available, electronic mail address, telephone, and fax number for notification,
  • Subject of the request,

and information and documents related to the request must be attached to the application. Applications will only be evaluated if submitted in Turkish. For third parties to apply on behalf of the data subject, a notarized power of attorney issued specifically for such application by the data subject must be provided.

7. AMENDMENTS TO THE DATA PROTECTION POLICY

Arvatera may amend this Data Protection Policy at any time Such amendments shall become effective on the date the revised Policy is published. Necessary notifications shall be made to data subjects to ensure they are informed of changes to this Policy.