POLICY ON THE PROTECTION AND PROCESSING OF PERSONAL DATA

The Law on the Protection of Personal Data numbered 6698, published in the Official Gazette on 07.04.2016 and in effect as of that date (“Law”), regulates the processing of personal data and establishes the obligations of natural and legal persons who process personal data, while also aiming to protect the fundamental rights and freedoms of individuals. In this regard, this Policy has been prepared to ensure compliance with the obligations related to the Law.

This “BeneFarma İlaç Sanayi ve Ticaret A.Ş. Personal Data Protection and Processing Policy” (“Policy”) contains the Company’s statements and explanations regarding the processing of personal data within the scope of the Law, primarily for individuals other than the Company’s employees, including customers, suppliers, visitors, and third parties.

The Company reserves the right to make changes to this Policy to provide up-to-date information on our practices and legal regulations related to the protection of personal data. In case of substantial changes to the Policy, Data Subjects will be informed through various channels.

1) Principles Regarding Data Privacy

In accordance with Article 3 of the Law, any operation conducted on personal data, whether fully or partially automated or part of any data recording system, including non-automated methods, such as collection, recording, storage, retention, alteration, disclosure, transfer, takeover, making available, classification, or use, falls within the scope of processing of personal data. The Company operates in accordance with the following general principles in its Personal Data Processing activities:

  • Compliance with the law and ethical principles: The Company conducts its personal data processing activities in compliance with the Constitution, the Data Protection Law, and relevant legislation, and adheres to ethical principles.

  • Accuracy and currency: The Company provides individuals with the opportunity to update their personal data and takes necessary measures to ensure the accurate transfer of data to databases.

  • Processing for specific, explicit, and legitimate purposes: The Company limits personal data processing activities to specific and legitimate purposes, providing clear information to Data Subjects through information texts.

  • Being relevant, limited, and proportionate to the purposes for which they are processed: Personal data processed by the Company is relevant, limited, and processed in proportion to the purposes specified when obtained.

  • Retention for the duration prescribed by relevant legislation or the purpose for which they were processed: The Company retains personal data for the duration prescribed by the Data Protection Law and relevant legislation, or for the duration required for the purpose of data processing. After these periods expire, the data is deleted, destroyed, or anonymized in accordance with Company procedures.

2) Conditions for Processing Personal Data

Except for cases where the explicit consent of the data subject is required, personal data processing activities may be based on one or more of the conditions listed below. If the conditions mentioned below are met, personal data can be processed without requiring the explicit consent of the data subject:

(i) Explicit Consent of the Data Subject: One of the conditions for processing personal data is the explicit consent of the data subject. The explicit consent of the data subject must be based on informed consent regarding a specific matter and must be given freely and voluntarily. If the conditions specified below exist, personal data may be processed without requiring the explicit consent of the data subject.

(ii) Explicit Provisions in Laws: If personal data processing is explicitly prescribed by law, i.e., if there is a clear provision in the relevant law regarding the processing of personal data, this condition of data processing may be considered to exist.

(iii) Inability to Obtain Explicit Consent Due to Impossibility: If personal data must be processed to protect the life or physical integrity of the data subject or someone else, and it is impossible to obtain the explicit consent of the data subject due to physical impossibility, personal data may be processed.

(iv) Directly Related to the Establishment or Performance of a Contract: If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, personal data may be processed.

(v) Compliance with Legal Obligations of the Company: If personal data processing is mandatory for the Company to fulfill its legal obligations, personal data may be processed.

(vi) Data Subject’s Disclosure of Personal Data: If the data subject publicly discloses their personal data, personal data may be processed for the purpose of making them public.

(vii) Necessity for the Establishment or Protection of a Right: If personal data processing is necessary for the establishment, exercise, or protection of a right, personal data may be processed.

(viii) Necessity for the Legitimate Interests of the Company: Personal data may be processed without seeking the explicit consent of the data subject if it is necessary for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of the data subject.

Processing of Special Categories of Personal Data

Special categories of personal data are processed by the Company in accordance with the principles specified in this Policy, taking all necessary administrative and technical measures, including methods determined by the Board, and the conditions specified below:

(i) **Special categories of personal data other than data related to health and sexual life may be processed without requiring the explicit consent of the data subject if it is explicitly provided in the laws. In other words, if there is a clear provision in the relevant law regarding the processing of personal data, personal data may be processed without requiring the explicit consent of the data subject. Otherwise, explicit consent of the data subject will be obtained.

(ii) **Special categories of personal data related to health and sexual life may be processed without requiring the explicit consent of the data subject, provided that it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services, financing of health services, under the obligation of confidentiality by persons or authorized institutions and organizations, or it is carried out by persons or authorized institutions and organizations who have confidentiality obligation, as required by law. Otherwise, explicit consent of the data subject will be obtained.

Informing Data Subjects

The Company informs data subjects in accordance with Article 10 of the Law and secondary legislation about who processes their personal data, for what purposes, with whom they are shared, how they are collected through which methods, and the legal reason for their processing. The Company aims to ensure that data subjects can exercise their rights effectively through the informative texts it provides.

3) Types of Personal Data Collected

The Company collects the following types of personal data within the framework of the principles and purposes specified in this Policy:

(i) Identity Information: Data such as name, surname, TR Identity Number, nationality, mother’s and father’s name, place and date of birth.

(ii) Contact Information: Data such as phone number, e-mail address, home address, and workplace address.

(iii) Location Data: Data indicating the location of the data subject.

(iv) Legal Process Information: Data such as records, notifications, correspondence, documents, information, opinions, and demands about the processes in which the data subject is a party or a party of interest.

(v) Transaction Information: Data such as transaction records, including information about the services and products received by the data subject, the date and time of these services, and their prices.

(vi) Financial Data: Data such as credit card information, tax number, financial statements, bank account number, IBAN, and payment details.

(vii) Marketing Data: Data such as communication and consent records, data related to the use of the website and mobile applications, IP address, and data from cookies.

(viii) Visual and Audio Recordings: Data in the form of visual and audio recordings that are obtained through security cameras or other recording devices used in public areas where the Company operates.

4) Purposes of Processing Personal Data

Personal data collected by the Company may be processed for the following purposes:

(i) Performance of Business Activities: Personal data may be processed in the context of the Company’s business activities.

(ii) Fulfillment of Legal Obligations: Personal data may be processed to fulfill the legal obligations of the Company.

(iii) Contract Management: Personal data may be processed for the purpose of managing the contracts to which the data subject is a party.

(iv) Performance of Financial Activities: Personal data may be processed in order to perform financial activities, including billing and invoicing.

(v) Strategic Planning and Management: Personal data may be processed for the purpose of planning and managing the Company’s strategies.

(vi) Ensuring System Access Security: Personal data may be processed to ensure the security of the Company’s information systems and networks.

(vii) Marketing Activities: Personal data may be processed for marketing and sales activities.

(viii) Customer Relationship Management: Personal data may be processed for customer relationship management and customer service activities.

5) Data Retention

The Company retains personal data for the periods required by relevant legislation or for the purpose of data processing. In this context, the Company follows the retention periods specified in the Law, sector-specific legislation, and other relevant legal regulations.

6) Sharing of Personal Data

Personal data may be shared with the Company’s business partners, suppliers, affiliated companies, and authorized public institutions and organizations in accordance with the conditions stipulated in the Data Protection Law and other relevant legislation. Data may also be transferred to third parties for the purposes specified in this Policy.

7) Data Security

The Company takes necessary administrative and technical measures to ensure data security in accordance with Article 12 of the Law. In this context, various security measures, including encryption methods, access control, and authorization mechanisms, are implemented to protect personal data against unauthorized access, accidental loss, deletion, or damage.

8) Rights of Data Subjects

Data subjects have certain rights regarding their personal data under Article 11 of the Law. These rights include the right to:

  • Learn whether personal data is processed,
  • Request information if personal data has been processed,
  • Learn the purpose of personal data processing and whether it has been used appropriately,
  • Know the third parties to whom personal data has been transferred in the country or abroad,
  • Request correction of personal data if it is incomplete or incorrect,
  • Request the deletion or destruction of personal data in accordance with the conditions stipulated in Article 7 of the Law,
  • Request that the correction, deletion, or destruction of personal data be notified to third parties to whom personal data has been transferred,
  • Object to the occurrence of a result against the data subject by analyzing the processed data exclusively through automated systems,
  • Request compensation for the damage in case of damage due to the processing of personal data unlawfully.

9) Exercising the Rights of Data Subjects

Data subjects can exercise their rights mentioned above by submitting their requests to the Company in writing. In this context, the Company may request information from the data subject to verify their identity. Data subjects can submit their requests and applications regarding their rights in accordance with the principles and procedures specified in the “Application to Data Controller” document published on the Company’s website. Data subjects are required to make their applications in Turkish.

10) Representation

Third parties can make requests on behalf of the data subject with a notarized or otherwise recognized power of attorney. Alternatively, third parties can submit their requests with a special power of attorney prepared in accordance with the sample in the “Application to Data Controller” document published on the Company’s website, along with the information and documents indicating their authority in favor of the data subject, and their own identification information. In this context, the Company may request information from the data subject to verify their identity.

DATA CONTROLLER and REPRESENTATIVE

Under the Personal Data Protection Law numbered 6698 (“Law”), your personal data may be processed by BeneFarma Pharmaceuticals Industry and Trade Inc. (“BeneFarma” or “Company”) as the data controller, as described below. Detailed information about the purposes for which your personal data will be processed can be found in BeneFarma Pharmaceuticals Industry and Trade Inc. Personal Data Protection Policy, which is publicly available at www.benefarma.com.tr.

Within the scope of this information text, you will be provided with information regarding the purposes for which your personal data may be processed, the method and legal basis of collecting your personal data, the parties to whom your personal data may be transferred, and your rights.

Purposes of Processing Personal Data

Your collected personal data may be processed within the scope of the purposes of providing you with services, responding to your suggestions, complaints, and requests related to our services and activities, fulfilling the legal obligations stipulated and required by regulatory and supervisory authorities, providing necessary information to official authorities and inspections in accordance with the requests of official authorities, improving the services we offer to you through our website, providing you with the most suitable service based on the sections you are interested in and the time you spend in these sections, increasing the use of our website, conducting marketing processes for our brand and products, and providing you with personalized advertisements. Your personal data will be processed in accordance with the personal data processing conditions and purposes specified in Articles 5 and 6 of Law No. 6698.

Method and Legal Basis of Collecting Your Personal Data

Your personal data is collected in a legal manner, either automatically or non-automatically, through your visit to www.benefarma.com.tr. Your personal data collected through these channels are processed based on legal grounds, including:

  • Explicit provisions in laws,
  • Necessity for the data controller to fulfill its legal obligation,
  • Necessity for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, based on the legal reasons.

Parties to Whom Your Personal Data May Be Transferred and Transfer Purposes

Your personal data may be transferred, in accordance with the personal data transfer conditions stipulated in Articles 8 and 9 of Law No. 6698, to our suppliers, business partners, and authorized public institutions and organizations both domestically and abroad within the scope of the Purposes mentioned above.

Rights of the Data Subject as per Law No. 6698

As data subjects, you have the following rights:

  • To learn whether your personal data is being processed,
  • To request information if your personal data has been processed,
  • To learn the purpose of processing your personal data and whether they are used appropriately,
  • To know the third parties to whom your personal data has been transferred, either domestically or internationally,
  • To request the correction of your incomplete or incorrect personal data and request that the transaction made in this context be notified to third parties to whom your personal data has been transferred,
  • To request the deletion or destruction of your personal data within the framework of the conditions stipulated in Article 7 of Law No. 6698 and request that the transaction made in this context be notified to third parties to whom your personal data has been transferred,
  • To object to the occurrence of a result against you through the analysis of your processed data exclusively by automated systems,
  • To request compensation for the damage you may incur due to the unlawful processing of your personal data.

For the effective exercise of these rights, you can submit your request, which includes the necessary information to identify your identity and other requested information regarding the right you want to use, by filling out the form on the website www.benefarma.com.tr, by hand to Barbaros Mah. Lale Sok. My Office Business Center No:2/13, 34758 Ataşehir/Istanbul – Turkey, by sending it by registered mail, through a notary, or by sending it securely electronically signed to the address bilgi@benefarma.com.tr. Depending on the nature of the request, your request will be concluded as soon as possible and at the latest within 30 (thirty) days. However, if the transaction also requires a cost, the fee specified in the tariff determined by the Personal Data Protection Board will be charged.

APPLICATION METHOD

Within the scope of your rights specified in Article 11 of the Personal Data Protection Law No. 6698 (“Law”), you can submit your requests in this form to our Company using one of the four methods described below in accordance with Article 5 of the Regulation on Application Procedures and Principles to the Data Controller via this form. Your applications submitted to us will be answered, depending on the nature of the request, “as soon as possible and within a maximum of thirty days” from the date your request reaches us, in accordance with the second paragraph of Article 13 of the Law.

It is required that the information and documents requested from you be provided to us accurately and correctly, depending on the nature of this form and your request. If the requested information and documents are not provided correctly, there may be deficiencies in the research to be carried out by our company in line with your request. In this case, our company’s legal rights are reserved. Therefore, it is necessary to send the relevant form with the information and documents requested in a complete and accurate manner, depending on the nature of your request.

APPLICATION METHODAPPLICATION ADDRESSINFORMATION TO BE PROVIDED IN THE APPLICATION
1. Written Application

In person with a wet signature or through a Notary Public

 

“Request for Information Pursuant to the Personal Data Protection Law” should be written on the envelope/notification. 
2. Registered Electronic Mail (KEP)

Using the registered electronic mail (KEP) address

 

“Request for Information Pursuant to the Personal Data Protection Law” should be written in the subject line of the email

.

 

3. Application with an Electronic Mail Address in Our System

Using the electronic mail address registered in our company’s system

 

“Request for Information Pursuant to the Personal Data Protection Law” should be written in the subject line of the email 
4. Application with an Electronic Mail Address Not in Our System

Using your electronic mail address not in our company’s system, in a format including mobile signature/e-signature

 

“Request for Information Pursuant to the Personal Data Protection Law” should be written in the subject line of the email 
  1. Your Identity and Contact Information

Please fill in the following fields so that we can contact you and verify your identity.

Full Name: 
Turkish Identification Number/Passport Number or Identification Number for Citizens of Other Countries: 
Residential Address/Business Address for Notification: 
Mobile Phone: 
Phone Number: 
Fax Number: 
Email Address: 
  1. Your Relationship with Our Company
Şirketimizle İlişkiniz:Customer Other 
Employee:  
    • Former Employee

 

 

4.Request Subject

Please clearly state your request regarding personal data. Information and documents related to the subject should be attached to the application.

Method of Receiving the Response

I want the response to be sent to my postal address specified in the second part. I want the response to be sent to my specified email address in the second part.

In accordance with the requests I have specified above, I request that my application to your company be evaluated in accordance with Article 13 of the Law and that information be provided to me.

I declare and undertake that the information and documents I have provided in this application are accurate and up-to-date, that your company may request additional information in order to conclude my application, and that, if necessary, I may be required to pay the fee determined by the Personal Data Protection Board in case of any cost.

Applicant’s Name and Surname:

Application Date:

Signature:

According to the requests I have specified above, I request that my application to your company be evaluated in accordance with Article 13 of the Law and that information be provided to me.

I declare and undertake that the information and documents I have provided in this application are accurate and up-to-date, that your company may request additional information in order to conclude my application, and that, if necessary, I may be required to pay the fee determined by the Personal Data Protection Board in case of any cost.

Applicant’s Name and Surname:

Application Date:

Signature: