VARİTEKS ORTOPEDİ SANAYİ ANONİM ŞİRKETİ

"PERSONAL DATA PROCESSING INVENTORY"

* This is an English translation. In case of any difference in meaning between the original Turkish text and the English translation, the Turkish text shall apply.

1-) Purpose and Scope

This inventory has been prepared to ensure that the collection, use, storage, sharing, protection, data security, processing and similar activities concerning personal data that our Company carries out depending on its business processes comply with the Law on the Protection of Personal Data No. 6698 (KVKK) and the Personal Data Protection Authority, to carry out these activities in accordance with the law, and to inform our employees, customers, the parties to our existing contracts and to the contracts we will enter into in the future, business partners and the public. This inventory will be valid in all business processes of our Company.

2-) Definitions

1-) Explicit consent: Consent on a specific subject, based on information and declared with free will,

2-) Anonymization: Making personal data unidentifiable or unrelated to a natural person, even by matching other data,

3-) Related person: The real person whose personal data is processed,

4-) Personal data: All kinds of information such as health report, health information, fingerprint, identity information, T.C. identity number, passport number, foreign identity number, address, telephone, e-mail, bank and credit card information, fee, contact information, family status, foreign language information, educational information, military service status, etc.,

5-) Processing of personal data: All kinds of operations performed on personal data, such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system,

6-) Law: Personal Data Protection Law No. 6698 dated 24/3/2016,

7-) Board: Personal Data Protection Board,

8-) Authority: Personal Data Protection Authority,

9-) President: President of the Personal Data Protection Authority,

10-) Data processor: The real or legal person who processes personal data on behalf of the data controller based on the authority given by him,

11-) Relevant user: Except for the person or unit responsible for the technical storage, protection and backup of the data, the persons who process personal data within the organization of the data controller or in line with the authority and instruction received from the data controller,

12-) Data recording system: The recording system in which personal data are structured and processed according to certain criteria,

13-) Recording medium: Any medium containing personal data that is processed by fully or partially automatic means, or by non-automatic means provided that it is a part of any data recording system,

14-) Data controller: VARİTEKS Ortopedi Sanayi A.Ş., which determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,

15-) Recipient group: The real or legal person category to which personal data is transferred by the data controller,

16-) Destruction: Deletion, destruction or anonymization of personal data,

17-) Personal data processing inventory: This inventory, which is created by associating the personal data processing activities carried out by our company depending on its business processes with the personal data processing purposes, the data category, the recipient group and the data subject group, and which is detailed by explaining the maximum time required for the purposes for which the personal data are processed, the personal data foreseen to be transferred to foreign countries and the measures taken regarding data security,

18-) Personal data storage and destruction policy: The policy of our company for determining the maximum period required for the purpose of processing personal data and for deletion, destruction and anonymization,

19-) Periodic destruction: The process of deletion, destruction or anonymization to be carried out ex officio at repetitive intervals specified in the personal data storage and destruction policy in the event that all the conditions for the processing of personal data in the law are eliminated,

20-) Registry: The registry of data controllers kept by the Personal Data Protection Authority.

21-) Contact person: The person whose information is recorded in the Registry during registration for legal entities resident in Turkey. The contact person is not authorized to represent the data controller in accordance with the provisions of the Law and Regulation. The contact person ensures communication regarding the answering of the requests that the relevant persons direct to the data controller.

3-) Our General Principles Regarding the Processing of Personal Data

Our company will process personal data only in accordance with the procedures and principles stipulated in the KVKK and in other laws. It will comply with the following principles in the processing of personal data.

1-) To comply with the law and the rules of honesty. In accordance with this principle, our Company will act in accordance with the principles stipulated by laws and other legal regulations during the processing of personal data, and will process personal data in accordance with the rules of honesty.

2-) Being accurate and up-to-date when necessary. In accordance with this principle, our Company will process personal data accurately and up-to-date in a manner that will not harm the fundamental rights and freedoms, economic interests and moral integrity of the data subject.

3-) Processing for specific, explicit and legitimate purposes. In accordance with this principle, our Company will only process personal data for legally specific and lawful purposes.

4-) Being relevant, limited and proportionate to the purpose of processing. In accordance with this principle, our Company will process personal data in a sufficient, relevant and limited manner to the extent required by the purpose of processing.

5-) Being kept for the period stipulated in the relevant legislation or required for the purpose of processing. In accordance with this principle, our Company will keep personal data as required by the purpose underlying its processing.

4-) Conditions of processing personal data

1-) Our company will not process personal data without the express consent of the person concerned.

2-) However, in the event of one of the following conditions, personal data may be processed without the explicit consent of the person concerned.

a-) It is clearly stipulated in the laws.

b-) It is mandatory for the protection of the life or physical integrity of the person, or of another person, where the person is unable to disclose his consent due to actual impossibility or his consent is not legally valid.

c-) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

ç-) It is mandatory for our company to fulfill its legal obligation.

d-) The data has been made public by the person concerned himself.

e-) Data processing is mandatory for the establishment, use or protection of a right.

f-) Data processing is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data owner.

5-) Conditions of processing special quality personal data

1-) Special quality personal data, such as data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data, will not be processed without the express consent of the person concerned.

2-) Special quality personal data other than data on health and sexual life can be processed without the explicit consent of the person concerned only in cases stipulated by the law.

3-) Data on health and sexual life can be processed without the explicit consent of the data owner, provided that adequate measures are taken by the Personal Data Protection Authority and in the following cases.

a-) Protection of public health,

b-) Preventive medicine,

c-) Medical diagnosis,

d-) Carrying out treatment and care services,

e-) Planning and management of health services and financing,

4-) Adequate measures determined by the Personal Data Protection Authority will be taken regarding the processing of special quality data.

6-) Purposes of Processing Personal Data

1-) Personal data provided or to be provided by our company in accordance with the law may be processed within the scope of our business processes described below.

a-) Human Resources business processes, Labor Law practices,

b-) Legal, Administrative and Financial business processes,

c-) Preparation activities and signing processes of contracts,

d-) Our supplies and service offerings,

e-) Our communication activities, training activities,

f-) Sharing business and information with our Group Companies,

g-) Sectoral associations, foundations etc. activities,

ğ-) Replies to letters from public institutions and organizations,

h-) Our other legal business processes and activities,

7-) Transfer of Personal Data

1-) Our company will not transfer the personal data it processes without the express consent of the person concerned.

2-) Personal data may be transferred without the express consent of the data subject in cases where;

a-) It is clearly stipulated in laws,

b-) It is obligatory for the protection of the life or physical integrity of the person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid,

c-) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,

ç-) It is mandatory for our company to fulfill its legal obligation,

d-) The data is made public by the person concerned himself,

e-) Data processing is mandatory for the establishment, use or protection of a right,

f-) Data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data owner.

3-) Provided that adequate precautions are taken, special quality personal data regarding race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership of associations, foundations or trade unions, criminal conviction and security measures, and biometric and genetic data, can be transferred without seeking the explicit consent of the person concerned only in cases stipulated by law. Personal data related to health and sexual life can be transferred without seeking the express consent of the relevant person only for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. Adequate measures determined by the Board will also be taken for the transfer of special quality data.

4-) The provisions of other laws regarding the transfer of personal data are reserved.

5-) Personal data processed by our company can be transferred, to the extent and for the time required by the job, to;

a-) Our Company officials and employees in the management, financial affairs, legal, HR and IT departments,

b-) Authorized public institutions or organizations,

c-) Persons obliged to keep secrets, such as lawyers and inspectors, when necessary in terms of our business processes,

d-) Relevant educational institutions in compulsory and necessary training,

e-) Suppliers, manufacturers, shipping, logistics, courier and cargo companies that will take part in our production, sales and supply business processes,

f-) Banks and financial companies and institutions,

g-) Persons, institutions and organizations that will take part in our legal business processes, such as insurance companies.

8-) Transfer of personal data abroad

1-) Our company cannot transfer personal data abroad without the express consent of the person concerned.

2-) Personal data and special quality personal data that can be processed without the express consent of the personal data owner can only be transferred to foreign countries declared by the "Board" after determining that sufficient protection is available. In the absence of adequate protection, personal data may be transferred abroad without the express consent of the relevant person, provided that our Company and the data controllers in the relevant foreign country undertake sufficient protection in writing and the Board grants permission.

3-) Without prejudice to the provisions of international conventions, in cases where the interests of Turkey or of the related person would be seriously harmed, our Company can transfer personal data abroad only with the permission of the "Board", given by considering the views of the relevant public institutions or organizations.

4-) Our company will comply with the provisions of the KVKK and of other laws regarding the transfer of personal data abroad.

9-) Our company's obligation to inform

1-) During the acquisition of personal data, the person authorized by our Company, as the data controller, will give the relevant persons information about;

a-) The identity of the data controller and, if any, its representative,

b-) The purpose for which personal data will be processed,

c-) To whom and for what purpose the processed personal data can be transferred,

ç-) The method and legal reason for collecting personal data,

d-) The other rights listed in Article 11 of the KVKK.

2-) Our company has prepared "Clarification Texts" within the scope of Article 10 of the KVKK (Annex-2/A, 2/B, 2/C, 2/D). The issues that require the explicit consent of the data owner are explained in the Clarification Texts. The personal data that can be processed and transferred in accordance with the provisions of the KVKK if the data owner does not give explicit consent are explained in Articles 4 and 5 of this Personal Data Processing Inventory.

10-) Rights of the relevant data owners

1-) Everyone, by applying to our Company, which is the data controller, with the form included in (Annex-3) or with a petition to be created by him / her, has the right to;

a-) Learn whether personal data is processed,

b-) Request information if personal data has been processed,

c-) Learn the purpose of processing personal data and whether they are used appropriately for their purpose,

ç-) Know the third parties to whom personal data is transferred domestically or abroad,

d-) Request correction of personal data in case of incomplete or incorrect processing,

e-) Request, pursuant to Article 7 of the KVKK, the deletion, anonymization or destruction of personal data in case the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the KVKK and other relevant laws,

f-) Request notification of the transactions made pursuant to paragraphs (d) and (e) of this article to third parties to whom personal data have been transferred,

g-) Object to the occurrence of a result against the person himself by analyzing the processed data exclusively through automated systems,

ğ-) Demand compensation of the damage in case of damage due to the unlawful processing of personal data.

11-) Measures taken within the scope of obligations regarding data security

1-) Our company will take all necessary technical and administrative measures to ensure the appropriate level of security in order to;

a-) Prevent the personal data collected in accordance with the law from being processed illegally,

b-) Prevent unlawful access to the personal data it processes,

c-) Ensure the protection of the personal data it processes.

2-) In the event that personal data are processed by another natural or legal person on its behalf, our company will ensure that these persons take the precautions specified in the first paragraph above and will be jointly responsible with these persons.

3-) Our company will carry out the necessary inspections within our company, its subsidiaries and branches in order to ensure the implementation of the provisions of the KVKK.

4-) Persons who process data at our company cannot disclose the personal data they learn to anyone else contrary to the provisions of the KVKK and cannot use it for purposes other than processing. This obligation will continue after the data processors leave their job.

5-) In the event that personal data processed by our company are obtained by others illegally, our company will notify the relevant person and the "Board" as soon as possible.

11.1-) Technical Measures Taken

Our Company will take up-to-date technical measures. Accordingly;

1-) Personal data in all kinds of physical or electronic personal data recording environments are subject to data confidentiality and our Company ensures that all kinds of digital media and physical environments where personal data are stored are protected in a way to meet the security requirements.

2-) It periodically performs necessary technical checks in order to protect personal data. It provides the security control of the installed systems.

3-) It takes technical and physical security measures to prevent personal data processed in electronic environments or in non-electronic physical environments such as paper from leaving the Company and from unauthorized access.

4-) It makes risk assessment and takes effective measures to eliminate the risk.

5-) It ensures that the company's employees' access rights to personal data are kept under control.

6-) During the processes of destruction, deletion and anonymization of personal data, it ensures that they are made irreversibly.

7-) Until new information technology systems emerge, new data processing methods are designed taking into account the existing technology and the data protection requirement.

11.2-) Administrative Measures Taken

Our company takes administrative measures regarding the collection, storage and disposal processes of personal data. Within this scope, it;

1-) If personal data needs to be shared, it signs contracts with the persons with whom the personal data are shared regarding the protection of personal data and data security.

2-) Employs knowledgeable and experienced personnel about the processing of personal data,

3-) Provides necessary training to its personnel on the legislation on protection of personal data and data security. Unit managers will inform those employed in their units at the beginning of the employment relationship of their obligation to protect data privacy. Employees' obligations regarding data privacy will continue after the termination of the employment relationship.

4-) In order to ensure the security of the personal data it processes, it has the necessary audits conducted by the personnel of the relevant units of the company and remedies the confidentiality and security weaknesses that arise.

5-) Personal data are subject to data security. Unauthorized access of any employee of our Company, its branches, affiliates or subsidiaries is prohibited. Access to the processed personal data is limited to the personnel required to access it as per the job description, depending on whether the data is of special nature or not and depending on its importance.

6-) Employees of our Company, its branches, affiliates or subsidiaries are prohibited from using personal data for private or commercial purposes, sharing this data with unauthorized persons or making this data accessible by any other method.

7-) In the event that the personal data it processes are obtained by others illegally, it shall notify the relevant person and the "Board" as soon as possible.

11.3-) Keeping fingerprints and camera records

An entrance and exit system using the fingerprint method, which is biometric (special quality) personal data, can be used at the company's offices and facilities, and the explicit consent of the data owner is obtained for this. These fingerprints are securely stored in electronic or other media, and the fingerprint information of employees leaving the job is destroyed in a timely manner. In our company's offices and facilities, except in places where privacy is high, camera recordings of suppliers, employees and other persons are taken and these records are securely stored for the purpose of ensuring general security and auditing. In places where cameras are available, there is a visible written warning to inform data owners.

12-) Storage, destruction, deletion of Personal Data

Our company will keep the personal data it processes in accordance with the provisions of the KVKK, the relevant legislation and the "Personal Data Retention and Destruction Policy" (ANNEX-1).

13-) Interpretation Rules

1-) For situations for which there are no provisions in this policy, and as between this policy and the provisions of the KVKK and other relevant legislation, the provisions of the KVKK and other relevant legislation are applied first.

14-) Effectiveness

1-) The VARİTEKS Ortopedi Sanayi A.Ş. "Personal Data Processing Inventory" entered into force on 01.01.2018.

2-) If necessary, changes can be made in this Inventory. In case of change, the date of the change and the effective date will be shown in the table attached to the Inventory.

 
