PERSONAL DATA PROTECTION POLICY

Policy, Scope and Purpose
1. In accordance with the Information Security Policy, Almer Kimya İlaç Ltd. Şti. Board of Directors and management hereby undertake to comply with the principles and rules stipulated by the Constitution of Turkish Republic, the Law on Protection of Personal Data No. 6698 (KVKK) and other laws and regulations and protect the rights and freedom of the individuals whose data is processed by Almer Kimya İlaç Ltd. Şti.. The Board of Directors has adapted a written personal data protection policy and system, subject to improvement, to implement for this purpose.
2. Scope
  The policy provisions cover all information systems and sub data, contracts, environmental and physical areas which are included in processing of personal data in the fields of activity and operations of Almer Kimya İlaç Ltd. Şti.and the systems and arrangements developed for the foregoing.

This policy covers all units of Almer Kimya İlaç Ltd. Şti., employers of the companies which provide support services, apprentices and contract personnel.

Purposes of the Personal Data Protection Policy and System
The purpose of the Personal Data Protection Policy and System is to ensure that Almer Kimya İlaç Ltd. Şti.establishes and implements its own standards in the management of personal data; identify and support the organizational objectives and obligations; establish control mechanisms in line with the acceptable risk level of Almer Kimya İlaç Ltd. Şti.; fulfil the obligations that Almer Kimya İlaç Ltd. Şti. is subject to pursuant to the international agreements on protection of personal data, the Constitution, laws, agreements and professional rules/code of practice and protect the interests of individuals in the best way possible.
Almer Kimya İlaç Ltd. Şti. shall comply with the protection of personal data legislation and data protection principles. The data protection principles adopted by Almer Kimya İlaç Ltd. Şti.include the following:
1. Process personal data only if explicitly required for legitimate corporate purposes;
2. Process minimum personal data required for these purposes and avoid processing more data than necessary;
3. Provide individuals with clear information about by whom and how their personal data is used;
4. Process only relevant and appropriate personal data;
5. Process personal data fairly and lawfully;
6. Maintain inventory the personal data categories processed by Almer Kimya İlaç Ltd. Şti.;
7. Keep the personal data accurate and, where necessary, up to date
8. Keep the personal data only for the period required by the legal regulations in force, the legal obligations or legitimate interests of Almer Kimya İlaç Ltd. Şti.;
9. Respect all rights of individuals regarding their personal data including their right to access;
10. Maintain all personal data secure;
11. Transfer the personal data abroad only if there is adequate protection;
12. Implement the exceptions allowed by the laws and regulations;
13. Establish and implement a personal data protection system for application of the policy;
14. Where necessary, identify the internal and external stakeholders of the personal data protection system and the extent such parties are involved in the personal data protection system of Almer Kimya İlaç Ltd. Şti.;
15. Determine the personnel who shall have special authority and responsibilities on personal data protection system.

Notices

Almer Kimya İlaç Ltd. Şti.informs the Personal Data Protection Board (“KVK Board”) that it is the data controller and which categories of personal data it processes. Almer Kimya İlaç Ltd. Şti. determines all categories of personal data that it processes in its personal data inventory.
The notification is made in accordance with the procedure and method to be determined by the KVK Board and a copy of the notification is stored by the Personal Data Protection Committee (KVK Committee)of Almer Kimya İlaç Ltd. Şti..
If deemed necessary by the relevant legislation or the KVK Board, the notifications are repeated periodically.
The KVK Committee reviews the data processing activities of Almer Kimya İlaç Ltd. Şti.and any changes thereof annually in order to identify potential changes to the notification to be made to the KVK Board and informs the KVKK Board if necessary.

This policy applies to all units of, employees of the companies which provide support services to, apprentices and contracted personnel of Almer Kimya İlaç Ltd. Şti.. The disciplinary rules of Almer Kimya İlaç Ltd. Şti. shall be applied to all acts violating the KVKK or this policy and if the violation constitutes an offense or misdemeanor, the relevant authorities shall be informed as soon as possible.

All solution partners of and third parties that work with Almer Kimya İlaç Ltd. Şti. which have actual or potential access to the personal data are invited to read and comply with this policy. No third party may have access to personal data processed by Almer Kimya İlaç Ltd. Şti. without a written confidentiality agreement that includes obligations and auditing rights that are as strict as those of Almer Kimya İlaç Ltd. Şti. in the protection of personal data.

Definitions

“Explicit consent” means the consent given on a specific matter based on information and free will.

“Anonymization” means converting personal data to such form that cannot be associated with an identified or identifiable person under any circumstances by even matching the personal data with other data.

“Data subject” means natural person whose personal data is processed,

“Personal data” means any information relating to an identified or identifiable natural person.

“Personal data of special (sensitive) nature” means the personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade unions, health, sexual life, convictions, and security measures, and the biometric and genetic data of individuals.

“Processing personal data” means any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means.

“KVKK” means the Law on Protection of Personal Data No. 6698.

“KVKK Board” means the Personal Data Protection Board.

“KVKK Authority” means the Personal Data Protection Authority.

“Data processor” means a natural person or legal entity which processes personal data on behalf of and based on the authority given by the data controller.

“Data recording system” means the recording system where personal data is structured and processed according to specific criteria.

“Data controller” means the natural person or legal entity that determines purposes and means of the processing of personal data and that is responsible for establishment and management of a data recording system.

Roles and Responsibilities
1. Almer Kimya İlaç Ltd. Şti. is the data controller as per the KVKK.
2. Anyone who is a member of the Senior Management or assumes a management or auditing role is responsible for development and promotion of correct practices in the processing of personal data within Almer Kimya İlaç Ltd. Şti., as well as other obligations related to this matter which are included in the individual job descriptions.
3. The KVK Committee is established as the unit responsible for management of the personal data protection system and compliance and documentation of the KVKK and other relevant legislation and is responsible to the Board of Directors in these matters.
  1. KVK Committee

The members of the KVK Committee are appointed by the Board of Directors, taking into account their expertise and experience in the field of personal data protection legislation and practices and report directly to the Board of Directors.

The KVK Committee consists of 1 chairman and 5 members. The Committee holds ordinary meetings once every six months or extraordinary meetings whenever deemed necessary.

Roles and Responsibilities of the KVK Committee
1. The Committee must inform the Board of Directors on the Personal Data Protection legislation and relevant developments.
2. The Committee is responsible for ensuring that the policies and procedures of Almer Kimya İlaç Ltd. Şti.are up-to-date and that data processing audits are carried out in accordance with the planned schedule and comply with the applicable legislation.
3. The Committee acts together with all relevant personnel on personal data protection issues
4. The main roles and responsibilities of the Committee are as follows:
  1. Provide information and advice on personal data protection legislation and compliance to Almer Kimya İlaç Ltd. Şti., related partners and the suppliers providing support services.
  2. Provide information and advice to the personnel of Almer Kimya İlaç Ltd. Şti.regarding their obligations under personal data protection legislation.
  3. Observe the compliance of the data processing activities of Almer Kimya İlaç Ltd. Şti.with the personal data protection legislation.
  4. Contribute to development and maintenance of the personal data protection policy and related procedures and processes of Almer Kimya İlaç Ltd. Şti..
  5. Assign responsibilities within the Almer Kimya İlaç Ltd. Şti.in the context of compliance with personal data protection legislation.
  6. Provide necessary training and awareness for all personnel involved in personal data processing.
  7. Monitor compliance with personal data protection legislation by conducting regular audits and report it to the Board of Directors.
  8. Give information and advice for personal data protection impact analysis reports.
  9. Cooperate and liaise with the KVK Board.
  10. Act as the contact point and representative of Almer Kimya İlaç Ltd. Şti.before the KVK Board and give information and advice to the Board when necessary.
  11. Observe compliance with the Information Security Policywithin Almer Kimya İlaç Ltd. Şti. and provide information and advice to the relevant parties when necessary.
  12. Develop a formal procedure for notifying the Board on information securityincidents and investigations.
  13. Contribute to the business continuity plan.
  14. Give information and advice on keeping corporate records.
  15. Determine the scale the personal data is collected, held and used by Almer Kimya İlaç Ltd. Şti.and the conditions of their storage in accordance with information security standards.
  16. Perform observation and evaluation of compliance, sanity, security practices and other controls that may be necessary for protection of personal data.
  17. Identify and implement the controls to ensure the confidentiality, integrity and accessibility of personal data, and propose additional controls that may be required.
  18. Report the potential risk issues regarding personal data inAlmer Kimya İlaç Ltd. Şti. and its relevant recommendations to the Board of Directors.
5. The KVK Committee has the authority to access all systems of Almer Kimya İlaç Ltd. Şti.concerning the collection, processing and storage of personal data. In performing its duties, the KVK Committee may ask all staff to cooperate, including access to systems and records. If this cooperation is not achieved, the Committee reports the issue to the Board of Directors.
All Almer Kimya İlaç Ltd. Şti. employees who process personal data are responsible for complying with the Personal Data Protection legislation.
A personal data protection representative from the Operations, Corporate Marketing and Human Resources departments shall be assigned to the KVK Committee to manage and fulfill the daily responsibilities of the unit in compliance with this policy.
The Human Resources department is responsible for the necessary notification and training to ensure that all personnel know their responsibilities in the field of personal data protection and have the necessary awareness.
Almer Kimya İlaç Ltd. Şti. employees are obliged to ensure the accuracy and timeliness of all personal data provided by or related to them to Almer Kimya İlaç Ltd. Şti..

Risk Assessment

Objective: Almer Kimya İlaç Ltd. Şti. is aware of the risks associated with the processing of certain types of personal data.

Almer Kimya İlaç Ltd. Şti. has a procedure in place to assess the risks the processing of personal data may impose on individuals. This assessment is performed taking into consideration the third parties that process the data on behalf of Almer Kimya İlaç Ltd. Şti., which manages the risks determined as a result of the assessment in a way that does not constitute a violation of this policy.

If a particular type of data processing activity is likely to pose a high risk to personal rights and freedoms due to its structure, context, and objectives, Almer Kimya İlaç Ltd. Şti. shall manage potential risks by conducting an impact analysis prior to the data processing activity. A single assessment can be used for multiple data processing activities with similar risks.

If the impact analysis shows that Almer Kimya İlaç Ltd. Şti. is about to start a data processing activity that may pose a high risk to personal rights and freedoms, the approval of the KVK Committee is sought regarding this issue. The KVK Committee, if deemed necessary, shall obtain an opinion from the KVK Board on the matter.

The systems and controls implemented in accordance with the system adopted by Almer Kimya İlaç Ltd. Şti. pursuant to the Information Security Policy are applied in risk management.

Data Processing Principles

All personal data processing activities must be performed in accordance with the following data protection principles. The policies and procedures of Almer Kimya İlaç Ltd. Şti. intend to ensure compliance with these principles:

Lawfulness and conformity with rules of bona fides
Accurate and, where necessary, up to date
Being processed for specific, explicit and legitimate purposes.
Being relevant with, limited to and proportionate to the purposes for which they are processed.
Being retained for the period stipulated by relevant legislation or the purpose for which they are processed.
- Personal data is processed lawfully, fairly and transparently.

Accordingly, Almer Kimya İlaç Ltd. Şti. shall include confidentiality notices in the data collection channels and related forms regarding the personal data processing activities it performs. The KVK Committee shall determine the areas where these notifications which include clear and understandable information about the type of data to be processed by Almer Kimya İlaç Ltd. Şti., the data subjects and the purpose of processing shall be posted and announced. These notifications include:

Identity and contact details of Almer Kimya İlaç Ltd. Şti. as the data controller,
Types of personal data processed,
Purpose of processing the personal data
Personal data collections methods,
Legal reasons which constitute the basis of processing the personal data
the envisaged period for which the personal data shall be stored,
Rights of data subject,
Third parties the data may be shared with

Personal data can be processed only for specific, explicit and legitimate purposes.
- The justifications/purposes of personal data processing are specified in the personal data inventory, and the personal data shall not be used for any other purpose without another legal justification or explicit consent of the data subject.
- In the event that conditions arise which require the use of personal data for purposes other than those specified in the personal data inventory, the relevant personnel / unit shall notify the KVK Committee about this necessity. The KVK Committee checks appropriateness of the new purpose and, if necessary, ensures that the data subject is informed of the new purpose and the new data processing activity.
Personal data must be appropriate, relevant and processed in proportion to the purpose for which they are processed.
- The KVK Committee is responsible for ensuring that no personal data that is not explicitly required for processing purposes is collected and processed.
- All electronic and physical data collection forms and data collection mechanisms in the information systems shall be implemented provided that they are approved by the KVK Committee.
- The KVK Committee checks that the processed data is appropriate and relevant through the personal data inventory which is updated annually.
- The KVK Committee shall ensure that all internal audit / external audit to be carried out on an annual basis and all data processing methods are appropriate and relevant.
- The KVK Committee shall be responsible for discontinuation of data processing activity and for safe destruction of processed data in accordance with the Storage and Disposal Procedure in respect of personal data which it finds to be inappropriate or not relevant or excessive for the purpose of processing.
Personal data must be accurate and up to date.
- The accuracy and currency of the data held for a long time shall be reviewed.
- The Human Resources Department manager is responsible for training of all personnel on collection and retention of accurate and up to date data.
- The employees are responsible that their data retained for processing purposes is accurate and up to date.
- The employees / customers and other related persons shall inform Almer Kimya İlaç Ltd. Şti.to update the personal data processed. Upon such notification, it is the responsibility of the relevant unit to correct and update such record.
- Based on its assessment on the data inventory on the type, storage time and amount of the data processed, the KVK Committee may instruct the relevant unit to review the accuracy or currency of certain data.
Personal data must be processed in such a way that identifies the data subject only on condition that such identification is necessary for the purpose of processing.
- In case personal data needs to be stored for longer than necessary due to reasons such as back-up etc. the personal data must be encrypted or anonymized / masked to protect individuals’ status and freedom in cases of data security vulnerability.
- Processing of the personal data beyond the periods determined pursuant to the personal data storage and destruction procedure shall be subject to written approval of the KVK Committee.

Rights of the Data Subjects

Data subjects shall have the following rights with respect to data processing activities and records at the Almer Kimya İlaç Ltd. Şti. facilities:

Learn whether or not personal data relating to him is processed;
If personal data relating to him has been processed, request information about its processing;
Learn the purpose of processing of your personal data and whether data is used in accordance with their purpose;
Know the third parties in the country or abroad to whom personal data has been transferred;
Request rectification of personal data if it is processed incomplete or incorrect;
Request erasure or destruction of his personal data in case there is no legal justification for processing under the KVKK or this policy;
request that the correction or deletion processes carried out upon his request is communicated to third parties that have received personal data;
Object to occurrence of any result that is detrimental to you in person as a result of analysis of your personal data exclusively through automated systems;
Claim compensation of his damages in case he incurs damage due to illegal processing of his personal data;

Data subjects are entitled to submit their claims regarding their abovementioned rights to Almer Kimya İlaç Ltd. Şti. in accordance with the application procedures provided for in the Communiqué on the Procedures and Principles of Application to the Data Controller. In this context, the requests can be submitted by completing the “Application Form” published on the website, personally confirming identification and mailing the application form to “Saraykent Sanayi Bölgesi 60.Cad No:31 Kahramankazan/Ankara” via registered letter or notary public or e-mail the application form to almer@hs03.kep.tr with confirmed identity.

In this case, Almer Kimya İlaç Ltd. Şti. shall conclude the request as soon as possible depending on the nature of the request or within no later than 30 (thirty) days. However, if the operation necessitates additional cost item, Almer Kimya İlaç Ltd. Şti. shall be entitled to claim the fee listed in the tariff designated by the Personal Data Protection Board. The processes for receiving, forwarding and finalizing the requests are carried out in accordance with the Request Management Procedure.

Data access rights and contact information of the data subjects shall be provided in the privacy statements and the web site of Almer Kimya İlaç Ltd. Şti. for data subjects to send their requests.

Regardless of the job descriptions, all personnel of Almer Kimya İlaç Ltd. Şti. shall be obliged to guide the data subjects about the correct application method for data subject access requests made to them. The KVK Committee shall inform and train all Almer Kimya İlaç Ltd. Şti. personnel on what to do about the requests received from data subjects.

Obtain Explicit Consent

Almer Kimya İlaç Ltd. Şti. considers the consent given in the form of written/verbal statement or explicit verification action of the data subject as explicit consent provided that it is given on a specific data processing activity based on information and free will and provided that it shows the free will for processing of his personal data. The explicit consent is obtained in writing or systematically in such a way that can be proved. The data subject is entitled to revoke the explicit consent at any time.

Explicit consent can be obtained by having the data subject sign the explicit consent form template or by including the elements contained in this template in the agreement to be executed with the data subject or electronic form used for this purpose.

In case the data processing activity based on an explicit consent is to be continuous or to be repeated, the relevant unit keeps the list of the persons whose explicit consents have been obtained. The explicit consent forms or other relevant means of evidence for data processing based on explicit consent shall be stored by the relevant unit.

Data Security

All personnel are responsible for ensuring that the data processed by Almer Kimya İlaç Ltd. Şti. which is under their responsibility is kept safe and not disclosed to a third party unless a confidentiality agreement is signed.

Personal data shall be accessible only by those who need to access such data. The access is provided in accordance with the Access Management Procedure.

Data security shall be provided in accordance with the Information Security Policy of Almer Kimya İlaç Ltd. Şti. and the related documents.

The information security incidents related to personal data shall be notified to the KVK Board and the data subject as soon as possible and no later than within 72 hours after the incident is identified by the KVK Committee.

Data Disclosure

Personal data can only be disclosed to third parties in accordance with law and rules of fairness. Accordingly, one of the following conditions is required in order to disclose personal data:
- Explicit consent of the data subject must be obtained.
- It is clearly provided for by the laws.
- It is imperative for the protection of life or bodily integrity of the data subject or of any other person where it is physically impossible for data subject to give explicit consent or where explicit consent of the data subject is not legally valid.
- The processing of personal data of the parties to a contract is necessary, provided that it is directly related to the conclusion or performance of the contract to which Almer Kimya İlaç Ltd. Şti.is or shall become a party.
- it is mandatory for Almer Kimya İlaç Ltd. Şti.to be able to perform its legal obligations.
- the data concerned is made available to the public by the data subject.
- Data processing is necessary for the establishment, exercise or protection of the rights of Almer Kimya İlaç Ltd. Şti..
- Data processing is mandatory for the legitimate interests of Almer Kimya İlaç Ltd. Şti.,provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
Personal data may only be transferred abroad provided that the above conditions are satisfied, and that adequate protection is available in the destination country and that the data subject is explicitly consenting to this transfer.
When transferring the personal data abroad, the list of countries with enough protection as determined by the KVK Board is taken into account.

Where personal data is transferred abroad, the KVK Committee shall obtain the necessary permits from and give the necessary notifications to the KVK Board in accordance with KVKK and the relevant legislation.

All operations concerning disclosure of personal data must be documented in writing, specifying the reasons. These records are audited by the KVK Committee on periodic basis.
In the case data needs to be disclosed on regular basis without a legal basis or legal obligation, a data-disclosure agreement / protocol that specifies the terms of the data-disclosure shall be concluded with the party. The data disclosure agreement / protocol minimum includes the following:
- Purpose or purposes of disclosure;
- Potential third-party recipients or the recipient type and access conditions;
- The data to be disclosed;
- General principles of data processing;
- Data security measures;
- Storage period of disclosed data;
- Data subject’s rights, access requests, and procedures for responding to applications and complaints;
- Reviewing the termination of the data disclosure agreement and
- Liability and sanctions for failing to honor the agreement or individual violation of personnel.

The data disclosure agreements / protocols are submitted to the KVK Committee for approval.

Management of Records

Personal data may not be retained for longer than necessary for processing purposes. The classification of records containing personal data and their storage periods are determined in accordance with the [Labeling and Processing Procedure and Storage and Disposal procedure].

Upon expiry of the period necessary for processing purposes or the rightful request of the data subject, relevant personal data is anonymized or deleted or destroyed in such a way that the data subject cannot be identified and in accordance with the Storage and Destruction Procedure.

Audit

The Personal Data Protection Committee shall ensure that regular audits are performed on the procedures of personal data processing. Accordingly, an in-house audit team or an external audit firm assigned for this purpose shall perform auditing services.

The audit activities shall be carried out annually and the audit results shall be submitted to the Personal Data Protection Committee and the Committee shall make necessary improvements on the outcome of the audit report.

Updating the Policy

Document Ownership and Approval

The KVK Committee is the owner of this document and responsible for regular review of this policy in accordance with the review requirements set out above.

The current version of this document is made available to all Almer Kimya İlaç Ltd. Şti. personnel via QDMS or Intranet system and published via www.almerkimya.com address.

Quality Policy

Enviromental Policy

R&D and Quality Control

PTTEP Policy

Disinfectants

Alcorex

Alfucid

Almerdehyde

Almerdehyde F

Almer Handscrub

Almer S OPA

Aloxil

Dezol

İnterkokask

Povidex Plus

Trokloral

Water Clean

Zovirox

Detergents

Acid Foam

Alfoam

Aquazamiq

Hatch Clean

Ultrafoam

Vitamin & Supporters

Becovit

Carnitin Aminomix

Magnephos D

Pulmomix

Selenex

Supravita

Vitalmax

Ruminants

Almer Glycerine Iode

Dermo Herbalbar

Dermo Iyobar

Dermomix

Povifoam

Proichtyoderm

Proiyoderm

Prokafuderm

Prorivoderm

Prosalis

Prozincoderm

Unicept Acid

Unicept Baz

Insecticides

Alkobil Ec 25

Almite Stop

Blattix Gel

Komodor WG 25

Almer Rod Mum Blok

Almer Rod Pasta

Almer Rod Pellet

Chlorine Neutralizer

Chlor Block