Arvatera Pharma operates with a commitment to ethical values, a science-focused approach, innovation, and a dedication to human health.

PROTECTION OF PERSONAL DATA

1. INTRODUCTION

The protection of personal data is an issue of great importance for Arvatera İlaç San. ve Tic. A.Ş. (hereinafter referred to as the “Company”). Since its establishment, Arvatera has kept the personal data obtained from natural persons within the scope of its activities confidential and has taken all necessary technical and administrative measures to ensure the protection of personal data and data security. Even before the Law on the Protection of Personal Data No. 6698 (“Law”) entered into force on April 7, 2016, Arvatera had adopted and implemented the principle of confidentiality of personal data as a working policy.

The Company adopts all principles set forth by the Law in order to conduct all its activities in compliance with both the Constitution of the Republic of Türkiye and the Law, as well as secondary legislation related to the matter. In this regard, the Company fulfills its obligations concerning the processing, deletion, destruction, anonymization, transfer of personal data, informing the data subject, and ensuring data security. This Data Protection Policy has been prepared within this scope and is made available to all natural persons whose personal data are processed.

1.1. DEFINITIONS

“Explicit Consent”

Consent that is related to a specific subject, based on information, and declared with free will.

“Employee”

A natural person who has an employment contract or service contract with Arvatera, in an employer-employee type relationship.

“Law”

Law on the Protection of Personal Data No. 6698.

“Personal Data”

Any information relating to an identified or identifiable natural person.

“Anonymization of Personal Data”

The process of rendering personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching it with other data.

“Processing of Personal Data”

Any operation performed on personal data, whether fully or partially by automatic means, or by non-automatic means provided that it is part of a data recording system, such as obtaining, recording, storing, retaining, altering, reorganizing, disclosing, transferring, taking over, making available, classifying, or preventing the use thereof.

“Deletion of Personal Data”

The process of rendering personal data inaccessible and non-reusable for relevant users in any way.

“Destruction of Personal Data”

The process of rendering personal data inaccessible, irretrievable, and non-reusable by anyone in any way.

“Board”

Personal Data Protection Board

“Authority”

Personal Data Protection Authority

“Special Categories of Personal Data”

Data relating to an individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

“PDP Policy”

Arvatera Personal Data Protection Policy

“Arvatera” or “Company”

Arvatera İlaç San. ve Tic. A.Ş.

“Data Processor”

The natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller

“Data Controller”

The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system

 

1.2. PURPOSE AND SCOPE OF THE PDP POLICY
This PDP Policy explains the issues related to the collection, use, transfer, destruction, and other forms of processing of personal data by Arvatera, the technical and administrative measures taken by the Company for the protection of personal data, and the rights of the data subjects. This Data Protection Policy applies to the personal data, processed within the scope of the PDP Law, of the following persons:

  • Employees,
  • Employee candidates,
  • Company shareholders,
  • Company officials,
  • Visitors,
  • Employees of institutions with which the Company cooperates,
  • Individuals accessing any applications and services offered by the Company, and
  • Third parties.

Personal data obtained either with the explicit consent of the data subjects or under other lawful grounds specified in the PDP Law are processed by Arvatera for the purposes of fulfilling its legal obligations, properly providing its services, improving the quality of its services, enhancing its quality policy, and for other purposes set forth in this PDP Policy.

2. PROCESSING OF PERSONAL DATA
2.1. GENERAL PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
Arvatera conducts its personal data processing activities in compliance with the principles set forth in Article 4 of the PDP Law.

 

  • Compliance with the law and the principle of good faith:

 

Arvatera questions the source of the personal data obtained from the data subject or third parties and attaches importance to ensuring that such data is obtained and processed lawfully and in line with the principle of good faith. In this context, the Company makes the necessary warnings and notifications to third parties to whom it transfers personal data in order to ensure the protection of such data.

 

  • Accuracy and, where necessary, being up to date:

 

Arvatera ensures that all data within its legal entity are accurate, do not contain incorrect information, and, where changes in personal data are communicated, such data is updated accordingly. The Company exercises reasonable care and diligence regarding the accuracy and currency of the personal data declared by its customers or third parties with whom it interacts.

 

  • Processing for specific, explicit and legitimate purposes:

 

Arvatera identifies legitimate and lawful purposes for data processing clearly and explicitly before commencing the personal data processing activity. Personal data are not processed for purposes other than those determined in advance.

 

  • Being relevant, limited and proportionate to the purpose for which they are processed:

 

Arvatera processes personal data only to the extent limited to the purpose of processing. Personal data not related to the specified purpose are not processed by Arvatera.

 

  • Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed:

 

Arvatera retains personal data for the period stipulated by legislation or for as long as required by the purpose of processing. However, when the period stipulated by the legislation expires or all purposes of processing cease to exist, personal data are deleted, destroyed, or anonymized.
These principles apply regardless of whether the Company processes personal data based on explicit consent or under other legal bases for processing. At this point, Arvatera processes personal data in compliance with the conditions for processing and the general principles, and also fulfills its obligation of information.

2.2. CONDITIONS FOR PROCESSING PERSONAL DATA
Arvatera processes personal data with explicit consent, or in the presence of other lawful grounds for processing as listed below:

 

  • Where it is explicitly stipulated by laws,
  • Where it is necessary to protect the life or physical integrity of the person who is unable to give consent due to actual impossibility or whose consent is not legally valid, or of another person,
  • Where it is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract,
  • Where it is necessary for the data controller to fulfill its legal obligations,
  • Where the data has been made public by the data subject,
  • Where it is necessary for the establishment, exercise, or protection of a right,
  • Where it is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

 

According to the Law, data concerning individuals’ race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing and attire, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are considered special categories of personal data.

Arvatera takes additional measures stipulated by the Law and the Personal Data Protection Board in processing special categories of personal data.
In this context, the conditions for processing special categories of personal data are set forth in Article 6 of the Law and the additional measures announced by the Board. Accordingly, special categories of personal data are processed in the following cases:

 

  • Where the explicit consent of the data subject has been obtained,
  • Where the processing of special categories of personal data, other than those relating to health and sexual life, is stipulated by laws,
  • Where data concerning health and sexual life are processed by persons under a confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and planning and management of healthcare services and their financing.

 

The procedures and principles regarding the processing, destruction, and protection of special categories of personal data are regulated by the Arvatera Policy on the Protection and Processing of Special Categories of Personal Data.

2.3. PURPOSES OF PROCESSING PERSONAL DATA
Arvatera processes personal data within the scope of the legal grounds set forth in Articles 5 and 6 of the Personal Data Protection Law (KVK Law) for the purposes listed below:
Within the scope of planning and execution of human resources activities; personal data of job applicants are processed for the purpose of evaluating job suitability and conducting recruitment processes, and personal data of employees are processed for the performance of the employment contract, establishment of fringe benefits, execution of promotion/bonus/salary increase processes, fulfillment of obligations arising from the legislation to which the Company is subject, primarily the Labor Law, implementation of social insurance processes, evaluation of employee performance, etc.

In addition, within the scope of its ordinary corporate activities and services provided to its clients, the Company processes personal data for purposes including: planning and execution of corporate sustainability activities, event management, management of relationships with business partners or suppliers, execution/monitoring of financial reporting and risk management activities, execution/monitoring of legal affairs, planning and execution of corporate communication activities, execution of corporate governance processes, performance of corporate and partnership law transactions, request and complaint management, management of investor relations, ensuring the security of Arvatera’s buildings and facilities, creation and follow-up of visitor records, determination and implementation of the Company’s commercial and business strategies, resolving issues and complaints of data subjects, ensuring satisfaction and providing efficient service, responding to requests for information from administrative and judicial authorities, compliance with legal processes and legislation, ensuring information and transaction security, and prevention of misuse, among others.

If the data processing activity carried out for the aforementioned purposes does not meet any of the legal bases stipulated under the Law, Arvatera obtains the explicit consent of the data subject for the relevant data processing activity.

2.4. METHOD OF COLLECTING PERSONAL DATA
Arvatera collects personal data through contracts, digital media, notifications from administrative and judicial authorities, e-mails and other communication channels, in audio, electronic, or written form, both physically and electronically, in compliance with the personal data processing conditions stipulated in the PDP Law and based on the legal grounds set forth in this PDP Policy. Such personal data are primarily processed for the establishment of contracts and to provide better services to the relevant individuals within the scope of this Data Protection Policy.

In this context, personal data may be obtained when benefiting from the services offered by the Company, when a legal relationship (purchase, brokerage, employment, etc.) is established with the Company, or when communicating with the Company through means (mail, e-mail, etc.) related to the services.

Arvatera adopts the principle of acting in accordance with the law when obtaining personal data from its business partners or solution partners. Only the data required for the provision of services are collected, with a data privacy commitment from such partners, and measures are taken to ensure data security at this stage.

Arvatera processes the personal data of its employees only to the extent necessary in the context of employment relations and, in other cases permitted by the applicable legislation, without requiring consent, while ensuring the confidentiality and protection of employee personal data.

3. TRANSFER OF PERSONAL DATA
The Company transfers personal data to third parties only for the purposes specified in this PDP Policy and in compliance with Articles 8 and 9 of the Personal Data Protection Law (KVK Law). Within this scope, the Company may transfer the collected personal data to the following persons and entities for specific purposes: 

 

  • To the Company’s business partners, in a limited manner, for the purpose of fulfilling the objectives of the business partnership, 
  • To the Company’s suppliers, limited to the purpose of enabling the provision of services procured externally from the supplier and necessary for the Company to carry out its commercial activities,
  • To the Company’s customers,
  • To authorized public institutions and organizations upon request,
  • To the Company’s solution partners, 

 

The purpose of the Company’s sharing of personal data is to provide access to services, to fulfill its legal obligations, to ensure the execution of contracts concluded with the data subject, to carry out purchase and sales transactions, to prevent and detect fraudulent or unlawful activities related to the services, and to conduct its other commercial activities in compliance with the law.
Arvatera adopts the principle of acting in compliance with the law in all data sharing activities. Personal data is shared with third parties only to the extent required by the provision of services. The Company exercises the utmost care to ensure that such third parties take necessary measures regarding data security.

The personal data subject to transfer both domestically and internationally, as mentioned above, are legally protected through data transfer agreements in addition to the technical measures ensuring data security.
The Company may share the personal data it processes with public authorities and institutions legally authorized to request such information in order to fulfill its legal obligations (in cases of combating crime, threats to state and public security, and similar situations, but not limited thereto, where the Company is legally or administratively obliged to notify or provide information).

4. RETENTION AND DESTRUCTION OF PERSONAL DATA
In accordance with the PDP Law, personal data are kept accurate and up-to-date and are retained for the duration stipulated in the relevant legislation or as long as required for the purposes for which they are processed. This period is determined separately for each category of personal data, and once the relevant retention period expires, such personal data is deleted, destroyed, or anonymized at the end of the periodic destruction periods determined under the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.

The deletion of personal data refers to the process by which personal data is rendered completely inaccessible and unusable for relevant users; the destruction of personal data refers to the process by which personal data is rendered completely inaccessible, irretrievable, and unusable by anyone; the anonymization of personal data refers to the process by which personal data is made impossible to associate with an identified or identifiable natural person under any circumstances, even when matched with other data.

Within this scope, Arvatera has determined the necessary periodic destruction periods and established a Personal Data Retention and Destruction Policy. The Company records all actions carried out regarding the deletion, destruction, and anonymization of personal data and retains such records for a minimum period of three years, except for other legal obligations.

When data subjects apply to the Company requesting the deletion or destruction of their personal data, Arvatera shall:

 

  • If all conditions for processing personal data have ceased, delete, destroy, or anonymize the personal data subject to the request. The request of the data subject is concluded within thirty days at the latest, and the individual is informed accordingly.
  • If all conditions for processing personal data have ceased and the personal data subject to the request have been transferred to third parties, notify the third party of this situation and ensure that the necessary actions are taken before the third party.
  • If all conditions for processing personal data have not ceased, reject the request pursuant to Article 13, paragraph 3 of the PDP Law by providing justification, and notify the data subject of the rejection in writing or electronically within thirty days at the latest.

 

5. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA
Arvatera takes technical and administrative measures, in accordance with technological capabilities and implementation costs, to ensure the lawful processing of personal data. Measures taken for the protection of personal data are applied with particular care and supplemented with additional safeguards in relation to special categories of personal data, and the Company ensures the highest-level periodic audits within its organization.

Arvatera has implemented all appropriate security measures to ensure that personal data is processed only for the purposes specified in this Data Protection Policy and to reduce risks such as malicious use, unauthorized access, disclosure, destruction, or alteration of personal data. This security also covers other measures taken in cases such as the transfer of personal data to countries that may not provide an adequate level of data protection. 
Personal data are confidential, and Arvatera respects this confidentiality. Access to personal data is restricted to authorized personnel within the Company. Accordingly, the Company ensures that software complies with standards, that third parties are selected with due diligence, and that compliance with the data protection policy is observed within the organization.

Within the scope of the technical and administrative measures taken to ensure data security, Arvatera:

 

  • Conducts regular training and awareness programs for employees on the protection of personal data.
  • Establishes policies based on the Company’s personal data processing inventory and designs the necessary processes for the implementation of such policies.
  • Identifies risks within the scope of personal data protection law and diligently carries out activities to eliminate these risks,
  • Conducts periodic internal audits to ensure compliance with obligations under personal data protection law.
  • Obtains continuous legal consultancy services to ensure compliance with updated legislation.
  • Prepares a separate policy for the protection of special categories of personal data and implements additional safeguards determined by the Authority.
  • Implements data sharing agreements and similar safeguards to properly manage relationships with data processors.
  • Uses widely accepted security technology standards such as firewalls and Secure Socket Layer (SSL) encryption.
  • Employs virus protection systems, secure databases, servers, and firewalls.
  • Performs risk analysis and adopts the broadest and most appropriate preventive security measures to protect personal data in line with current technological developments, including encryption of email information.
  • Establishes a secure technical infrastructure to ensure the security of databases where personal data is stored.
  • Defines procedures for reporting on the technical measures taken and audit processes.
  • Adopts other administrative measures regarding the protection of personal data.
  • Periodically renews and improves its security measures.

 

Despite Arvatera’s adoption of necessary information security measures, in the event that personal data are compromised or obtained by unauthorized third parties as a result of attacks on platforms operated by Arvatera or on the Company’s systems, Arvatera shall promptly notify the data subject and the Authority of such incidents and take all necessary measures.

6. RIGHTS OF DATA SUBJECTS OVER THEIR PERSONAL DATA
According to the Constitution of the Republic of Türkiye, everyone has the right to demand the protection of their personal data. In this context, the rights of data subjects over their personal data are listed in Article 11 of the Law on the Protection of Personal Data as follows:

 

  • To learn whether their personal data is being processed,
  • If personal data has been processed, to request information regarding such processing,
  • To learn the purpose of the processing of personal data and whether they are used in accordance with the stated purpose,
  • To learn the third parties, whether domestic or abroad, to whom personal data has been transferred,
  • To request the rectification of personal data in case it is incomplete or incorrectly processed,
  • To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7 of the Law,
  • To request that the processes of deletion, destruction, or rectification be notified to third parties to whom the personal data has been transferred,
  • To object to the occurrence of any result against the data subject by means of the analysis of processed data exclusively through automated systems,
  • To demand compensation for damages in case of suffering damage due to the unlawful processing of personal data.

 

If the data subjects submit their requests regarding the rights listed above to the Company in accordance with the application procedures set forth in the Communiqué on the Principles and Procedures for the Application to the Data Controller, Arvatera shall conclude such request free of charge as soon as possible and within no later than 30 (thirty) days depending on the nature of the request. However, if the process requires an additional cost, Arvatera may charge the fee in the tariff determined by the Authority.

The data subject may submit their requests within the scope of the rights stated above either in writing, or by using a registered electronic mail (KEP) address, secure electronic signature, mobile signature, or the electronic mail address previously notified to the Company by the data subject and registered in Arvatera’s system. Applications must include:

 

  • Name, surname, and if the application is in writing, signature,
  • For Turkish citizens, T.R. ID number; for foreigners, nationality, passport number, or identity number if available,
  • Residential or workplace address for notification,
  • If available, electronic mail address, telephone, and fax number for notification,
  • Subject of the request.

 

It is mandatory to include the necessary information and documents regarding the subject in the application. Applications will only be evaluated if submitted in Turkish. For third parties to apply on behalf of the data subject, a notarized power of attorney issued specifically for such application by the data subject must be provided.

7. AMENDMENTS TO THE PDP POLICY
Arvatera may amend this PDP Policy at any time. Such amendments shall become effective on the date the revised Policy is published. Necessary notifications shall be made to data subjects to ensure they are informed of changes to this Policy.