Protection of Personal Data

Web Site Visitor Clarification Text
Cookie Policy
Privacy Policy
Personal Data Protection and Processing Policy
Personal Data Retention and Disposal Policy
Contact Form Clarification Text
Commercial Electronic Message Approval Form
Data Owner Application Form

WEB SITE VISITOR CLARIFICATION TEXT ACCORDING TO THE LAW ON PROTECTION OF PERSONAL DATA NUMBERED 6698

As PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi (“PHITECH” or “Company”); under the Personal Data Protection Law (“PDPL” or “Law”), we prioritize the security of your data, which we process as the data controller defined on the website www.phitech.bio, and therefore, we aim to enlighten you within the framework of the subject within this Clarification Text.

Your personal data;

In a limited and measured manner, in connection with the purpose that requires them to be processed,

Maintaining the accuracy and most up-to-date version of personal data as you have reported or reported to our website,

We inform you that it will be stored, stored, stored, rearranged, shared with the institutions authorized by law to request this personal data, and under the conditions stipulated by the PDPL, it will be transferred, transferred, classified and processed in other ways listed in the PDPL.

YOUR PROCESSED PERSONAL DATA

The following personal data provided by the Company by the customers themselves may be processed:

ID Data:

Name, surname.

Contact Data:

E-mail address, phone number.

Process Security Data:

IP address information, Device IMEI

Number, Device MAC Address,

Traffic (Connection time / duration,

Communication Amount, etc.),

cookie information.

PURPOSE OF PROCESSING YOUR DATA

Your data is processed by the Law and other secondary regulations under the Law and within the framework of the following purposes and legal reasons:

Contact: We may contact you for various purposes using the personal data you provide to www.phitech.bio. These of examples are sending reminder and warning messages and replying to the messages you have forwarded to us.

Legal Obligations: Your data can be processed, transferred, and stored for the period required by the relevant legislation or for the purpose if required by any legislative provision to which www.phitech.bio is subject.

Dispute Resolution: PHITECH may process your data and share it with the relevant legal authorities to prove that it performs legal actions and fulfills its legal obligations in case of future disputes, and to ensure the resolution of disputes.

Improvement of Services and Customer Satisfaction: Your data is processed to conduct analytical studies to improve your www.phitech.bio experience, evaluate your requests, complaints, and suggestions and take action to increase customer satisfaction and service quality.

LEGAL REASONS FOR THE PROCESSING OF YOUR DATA

Your data is processed on PHITECH in the presence of at least one of the legal reasons specified in the Law. The legal grounds on which the above-mentioned personal data processing purposes are based are as follows:

Communication transactions and related actions are carried out based on the legal reason for the establishment or performance of a contract specified in Article 5/2(c) of the Law.
The data processing activities we carry out to fulfill our legal obligations are based on the legal reason clearly stated in Article 5/2 (ç) of the Law.
The cases where personal data are processed for the resolution of disputes are based on legal grounds for establishing, exercising, or protecting a right specified in Law 5/2(e).
Activities based on the improvement of services and customer satisfaction and communication purposes are carried out based on the legitimate interest legal reason regulated in Article 5/2(f) of the Law.

METHODS OF COLLECTION OF PERSONAL DATA

Within the scope of the services www.phitech.bio offers to you and the above-mentioned data processing purposes, you can send your data electronically, e-mail channels, the spaces, communication, and other forms that have the possibility of all kinds of data return, and on www.phitech.bio can be collected through the relevant analysis tools. In addition, your data is obtained through the cookies used on www.phitech.bio.

TRANSFER OF PERSONAL DATA

Your data may be shared with relevant institutions and organizations to complete the transactions you perform on www.phitech.bio, fulfillment of legal obligations, to be evaluated and managed by PHITECH in other ways. In addition, your data may be shared with PHITECH's business partners, affiliates, and relevant public institutions and organizations, if requested within the scope of the fulfillment of legal obligations, within the framework of the conditions specified in Articles 8 and 9 of the Law.

YOUR RIGHTS

As personal data owners, if you submit your requests regarding your rights to the Company, the Company will conclude the request free of charge as soon as possible and within thirty (30) days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Personal Data Protection Board will be charged by the Company. In this context:

Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
To learn the purpose of processing personal data and whether they are used following the purpose,
Knowing the third parties to whom personal data is transferred in the country or abroad,
Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Requesting the deletion or destruction of personal data if the reasons requiring its processing have disappeared, although it has been processed per the provisions of the law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
You have the right to demand compensation for the damage in case of loss due to unlawful processing of personal data.

Regarding the processing of your data, you can submit your application in writing by filling out the application form on the Company's website, or by using the registered e-mail (KEP) address, secure electronic signature, mobile signature, or your e-mail address that you have previously informed us and included in our records. You must submit it to.

CONTACT INFORMATION

PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi

Central Registration System Number: 0729059988900001

Contact Link: info@phitech.bio

Address: Barış Neighborhood Dr. Zeki Acar Street No: 1/Gebze/Kocaeli

COOKIE POLICY

PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi (“PHITECH” veya “Company ”) use some technologies such as cookies and pixels, web beacons, gifs ("Cookies") to improve your experience, display personal content and collect analytical data on the site during your visit. Technical communication files, called cookies, are small text files that a website sends to the user's computer or mobile phone browser. Cookies, even if they are pseudonymous or do not directly identify a person, are considered personal data if they are combined with other information to make a person identifiable. The use of these technologies is carried out in accordance with the legislation we are subject to, especially the Personal Data Protection Law (“PDPL”) numbered 6698.

The purpose of this Cookie Policy is to www.phitech.bio to inform you about the processing of personal data obtained by site users ("Data Related") during the operation of the website ("Site") during the use of cookies. In this policy, we would like to explain to you what types of cookies we use on our site and how you can control them.

As a company, we may opt out of using the cookies we use on our site, change their types or functions, or add new cookies to our site. Therefore, we reserve the right to change the provisions of this Cookie Policy at any time. Any changes made to the Current Cookie Policy will be published on the site or in any public media but will take effect.

What are the Collection Methods of Your Personal Data and the Legal Reasons for the Processing?

Your personal data is collected by our Company fully or partially automatically, electronically via our Company's websites, primarily www.phitech.bio, your browsers, social media platforms and other methods (channels) that may be added to them in the future. Legal reasons for the processing of your personal data, mandatory for the data controller to fulfill its legal obligations pursuant to Article 5 of the PDPL, mandatory data processing for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, and it has been made public by the data subject himself. If it is mandatory for the performance of the contract, express consent is collected within the scope of personal data processing conditions.

What are cookies used for and how?

Cookies are small-sized text files that are saved to the visitor's computer or mobile device through the visitor's browser during a visit to a website. Cookies only contain information about the website visit history that takes place on the internet and do not collect any information on the files on the visitors' computer or mobile device.

Cookies may be used to perform the basic functions necessary for the operation of the Site. It can also be used to generate statistics such as the number of users who visited the Site, user type, frequency of visits, user behaviors and habits, from which countries users visited the site, etc.

What Information Is Obtained and Processed Through Cookies?

Transactions related to which site came to the Site and which site was visited after the Site, the geographical locations of the users, the personal information that the user voluntarily gave to the Site and the sites of its business partners, the preferences made on the site, the actions related to the site and the pages of our business partners can be obtained and processed on the social networking sites. Data from different Sites can also be merged and processed.

Your information provided to the Site and its partners' sites may be obtained and processed by the Site or its partners for the purposes set out here.

What are the cookies used on our site?

Below you can find the different types of cookies we use on our Site. Cookies used on our site can generally be classified as follows:

Required Cookies: These cookies are essential to ensure that your System works properly and allows you to browse our Site and use our features. Examples of this include remembering previous actions (for example, previously entered text) when going back to a page in the same session. These cookies do not recognize you as a separate person and do not identify you. If you do not accept these cookies/permissions, this may affect the performance of the Site.
Through to the "Google Analytics cookie", we can learn a lot about how you use our Site. Google Analytics provides us with the information we need to improve the experience of our Site and provide you with content that you find most useful. Google Analytics cookies record detailed information about which pages you visit on our Site, how much time you spend on our Site, where and how you reach our Site, and what content you click on. Through to the information provided by Google Analytics, we can determine the areas that need to be improved by examining the flow on our Site and provide you with a much better experience. Google Analytics cookies do not collect and/or store users' personal information. Therefore, this information cannot be used to make individuals identifiable and/or to identify them.

Duration of the Cookie We Use

In terms of duration, we may use session cookies on our Site. These cookies are temporary cookies that remain on your device until the time you leave our Site.

Managing Your Choices Regarding Cookies

The help function in the menu list of your internet browser you are using can explain how you can instruct your browser not to accept new Cookies, how your browser can inform you when a new cookie is sent, or how to disable Cookies. For more detailed information on this subject, please contact the relevant browser service provider directly or review their cookie policies. The said deactivation will be saved via a Cookie on your computer, smartphone or tablet, in your browser where the rejection was made and will not be associated with your user account. For this reason, deactivation must be carried out separately for each of your devices and for each browser. We would like to remind you that if your browser automatically deletes Cookies after you close the browser, the Cookies for withdrawal (deactivation function) will also be deleted.

You can also use tools such as Ghostery, Webwasher, Bug-Nosys or AdBlock to block tracking pixels on our online channels.

Transfer of Your Personal Data

Your personal data is mandatory by our Company for the data controller to fulfill its legal obligation specified in Articles 8 and 9 of the PDPL, data processing is mandatory for the establishment, exercise or protection of a right, provided that it does not harm the fundamental rights and freedoms of the data subject, In the event that data processing is necessary for the legitimate interests of the controller, express consent may be transferred to authorized public institutions and organizations for the above-mentioned purposes, especially for the fulfillment of legal obligations of our Office and the pursuit of legal affairs, in accordance with the personal data processing conditions.

Compliance with Legal Regulations

The Site and its Company business partners do not act for any purpose other than as set forth herein, which is not lawful. This application is updated in the face of legal developments and is adapted to the shape and scope determined by law.

What Are Your Rights as Data Related?

Data subjects in accordance with Article 11 of the Personal Data Protection Law;

To find out if personal data has been processed,
Requesting information about personal data if it has been processed,
To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
To know the third parties to whom personal data are transferred at home or abroad,
Request correction of personal data in case of incomplete or inaccurate processing and to request notification of the transaction carried out within this scope to third parties to whom the personal data are transferred,
Request the deletion or destruction of personal data in case of elimination of the reasons requiring its processing, even though it has been processed in accordance with the Provisions of the Personal Data Protection Law and other relevant laws, and to request that the transaction carried out within this scope be notified to the third parties to whom the personal data are transferred,
Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
In case of damages due to the unlawful processing of personal data, they have the right to request compensation for the damages.

If you submit your requests for these rights to us by the methods specified in the "Contact Application Form" document at www.phitech.bio, your applications will be evaluated and finalized as soon as possible and within 30 (thirty) days at the latest. Although it is essential that no fees are charged in relation to the requests, the Company reserves the right to charge fees at the fee tariff determined by the Personal Data Protection Board.

The Data Revered agrees, declares and undertakes that if it makes a request that results in the unavailability of any personal data by the Company, it may not be able to fully benefit from the operation of the Site and that any responsibility arising in this context will be its own.

CONTACT INFORMATION

PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi

Central Registration System Number: 0729059988900001

Contact Link: info@phitech.bio

Address: Barış Neighborhood Dr. Zeki Acar Street No: 1/Gebze/Kocaeli

PRIVACY POLICY

As PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi (“PHITECH” or “Company”), we respect and attach great importance to the protection of the data and privacy of our visitors who visit www.phitech.bio (“Website”). By the relevant legal legislation, the company has adopted the principle of showing the utmost care in protecting the information and privacy of our visitors and acting sensitively in this regard. Please take a few moments to review this Privacy Policy of www.phitech.bio.

During the visit of our visitors to the website, the personal data recorded by some automatic or non-automatic methods and shared by us in the electronic environment will be used primarily to ensure that their requests are fulfilled and then to provide you with a better service as being PHITECH. In addition, the provisions of the PHITECH Privacy Policy will be deemed to be expressly accepted by entering and using this Site only, and these provisions are valid only for this site and will not be valid for links directed through the Site.

When this Website is visited, some personal data must be obtained directly or indirectly to provide the necessary services. All data, including the personal data of our visitors, will not be shared in any way without their consent, except for public institutions and authorities that are not required to perform the service or are authorized to request information as stipulated by the provisions of the legal legislation. Because, except for authorized units of www.phitech.bio, only users related to personal data can access and make changes to this data. Other visitors and third parties can't access or change this data given to the Website.

In this direction, our main priority is to protect all information about our visitors from unauthorized access, misuse, and changes, and to ensure the complete confidentiality of our visitors' information.

These data of our visitors are kept safe by our Site. However, these data can be used to communicate with the user via mail, e-mail, telephone, and other technological communication channels.

Our visitors undertake that the data subject to this Privacy Policy is complete, accurate, and up-to-date. The Company shall not be liable for any direct or indirect material/moral damages that may arise due to our visitors's failure to provide complete, accurate, and up-to-date information. Our visitor accepts, declares, and undertakes these issues in advance.

Our company reserves the right to make changes in the Privacy Policy to keep its privacy and data protection principles up-to-date and per the provisions of the said legislation.

PHITECH BİLİŞİM BİYOTEKNOLOJİ DANIŞMANLIK ARAŞTIRMA GELİŞTİRME SANAYİ VE TİCARET ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION AND PROCESSING POLICY

CHAPTER 1– INTRODUCTION

Login

According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. This right includes being informed about the personal data about the person, accessing these data, requesting their correction or deletion and learning whether they are used for their purposes.

Personal Data Protection Law numbered 6698 (“PDPL” or “Law”) regulates the protection of fundamental rights and freedoms of individuals in the processing of personal data, the obligations of natural and legal persons who process personal data, and the procedures and principles to be followed.

Protection of personal data is among the most important priorities of PHITECH Bilişim Biyo Teknoloji Danışmanlık Research Development Industry and Trade Joint Stock Company (“PHITECH” or “Company”). In order to inform personal data owners, the principles adopted in the conduct of personal data processing activities carried out by our Company within the framework of PHITECH Personal Data Protection and Processing Policy (“Policy”) and the basic principles adopted in terms of compliance of our Company's data processing activities with the regulations in the PDPL are explained. With the awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.

Purpose and Scope

main purpose of this Policy is to make explanations about the personal data processing activity carried out by PHITECH in accordance with the law and the systems adopted for the protection of personal data, in this context, to provide transparency by informing the persons whose personal data are processed by our company.

This Policy; It relates to all personal data processed by our company fully or partially automatically or non-automatically provided that it is a part of any data recording system.

Definitions

definitions used in this Policy are as follows:

Open Consent:	Consent on a particular subject, based on information and expressed with free will.
Worker:	PHITECH Employee is a real person.
Related person:	The natural person whose personal data is processed.
Related User:	Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Relevant Person Application Form:	The application form that the person whose personal data is processed within the company will benefit from when using their applications regarding their rights explained in Article 11 of the Law.
Law or PDPL:	Personal Data Protection Law numbered 6698.
Personal Data:	Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory:	Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, data category, transferred recipient group and data subject group, by explaining the maximum storage period required for the purposes for which personal data is processed, personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Processing of Personal Data:	Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data completely or partially by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking.
Board:	Personal Data Protection Board.
Institution:	Personal Data Protection Authority.
Special Qualified Personal Data:	Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Policy:	PHITECH Personal Data Protection and Processing Policy.
Data Processor:	The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Data Controller:	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry (VERBIS):	Registry of data controllers kept by the Presidency under the supervision of the Personal Data Protection Board.

Implementation of the Policy and Related Legislation

Relevant legal regulations in force on the processing and protection of personal data will find application first. In case of inconsistency between the current legislation and the Policy, our Company accepts that the applicable legislation will find an area of application.

The policy is formed by concretizing and arranging the rules set forth by the relevant legislation within the scope of PHITECH practices.

SECTION 2- ISSUES REGARDING THE PROTECTION OF PERSONAL DATA

Ensuring the Security of Personal Data

In accordance with Article 12 of the Law, our company takes the necessary measures according to the nature of the data to be protected in order to prevent the unlawful disclosure, access, transfer or security deficiencies that may occur in other ways.

takes administrative measures to ensure the required level of security, carries out inspections or has them done, in accordance with the guidelines published by the Personal Data Protection Board (“Board”). The results of these audits are reported to the relevant department within the scope of the internal operation of the Company and necessary activities are carried out to improve the measures taken.

In case the processed personal data is obtained by others through illegal means, our Company operates the system that ensures that the relevant personal data owner and the Board are notified as soon as possible.

Observing the Rights of the Data Owner

out the necessary channels, internal functioning, administrative and technical regulations in accordance with Article 13 of the PDPL in order to evaluate the rights of the personal data owners and to provide the necessary information to the personal data owners.

Detailed information on the rights of data owners is given in Section 10 of this Policy .

Protection of Private Personal Data

Data determined as special quality by law; Data related to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data.

Our company acts sensitively in the protection of special quality personal data processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully implemented in terms of special quality personal data and necessary audits are provided within PHITECH .

Detailed information on the processing of special categories of personal data can be found in 3.3 of this Policy . It is included in the section.

Raising Awareness and Supervision of Business Units on the Protection and Processing of Personal Data

Our company provides necessary trainings and seminars to business units and business partners in order to prevent the illegal processing of personal data, to prevent illegal access to personal data, and to raise awareness about protecting personal data.

of PHITECH Necessary systems are established to raise the awareness of current employees of business units and new employees of the business unit, business partners on the protection of personal data, and professional people are worked with in case of need.

The results of the training conducted by our company to raise awareness on the protection and processing of personal data are reported to the relevant department. Accordingly, our company evaluates the participation in the relevant trainings, seminars and information sessions and carries out the necessary audits or has them done. Our company updates and renews its trainings in parallel with the updating of the relevant legislation.

SECTION 3 – MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

Our company, in accordance with Article 20 of the Constitution and Article 4 of the PDPL; (i) in accordance with the law and the rules of good faith, (ii) accurate and up-to-date when necessary; (iii) for specific, explicit and legitimate purposes; (iv) in a purpose-related, limited and measured manner; (v) to be kept for the period required by the relevant legislation or for the purpose for which they are processed; operates in accordance with the principles of personal data processing.

Our company processes personal data in accordance with Article 20 of the Constitution and Article 5 of the PDPL, based on one or more of the conditions in Article 5 of the PDPL regarding the processing of personal data.

Our company acts in accordance with the regulations stipulated for the processing of personal data of special nature in accordance with Article 6 of the PDPL.

Our company acts in accordance with the regulations stipulated in the law and set forth by the Board regarding the transfer of personal data in accordance with Articles 8 and 9 of the PDPL.

Processing of Personal Data in Compliance with the Principles Established in the Legislation

Rule of Integrity

Our company; acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, our Company processes personal data to the extent required by the purpose and to a limited extent, taking into account the proportionality requirements in the processing of personal data.

Ensuring Personal Data Is Accurate and Up-to-Date When Necessary

Our company; It ensures that the personal data it processes are accurate and up-to-date, taking into account the fundamental rights of personal data owners and their own legitimate interests. In this direction, it takes the necessary measures and establishes appropriate mechanisms.

Processing for Specific, Explicit, and Legitimate Purposes

Our company clearly and precisely determines the purpose of processing personal data, which is legitimate and lawful. Our company processes personal data within the scope of purposes related to the service it provides.

Being Related to the Purpose for which they are Processed, Limited and Measured

Our company processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or that is not needed.

Retention for the Time Required for the Purpose of Processing or Envisioned in the Relevant Legislation

Our company retains personal data for the period specified in the relevant legislation or for the period required for the purpose for which they are processed. In this context, our Company first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period. Personal data is deleted, destroyed or anonymized by our Company in the event that the period expires or the reasons requiring its processing are eliminated.

Terms of Processing Personal Data

Protection of personal data is a constitutional right. Fundamental rights and freedoms can only be limited by law, without prejudice to their essence, depending on the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data can only be processed in cases stipulated by the law or with the explicit consent of the person. Our company processes personal data within the framework of these rules.

The basis of the personal data processing activity can be only one of the conditions stated below, or more than one of these conditions can be the basis of the same personal data processing activity.

Although the legal bases for the processing of personal data by our company differ, we act in accordance with the general principles specified in Article 4 of the Law No. 6698 (See Section 3.1.) in all kinds of personal data processing activities.

Finding the Explicit Consent of the Personal Data Owner

One of the conditions for the processing of personal data is the explicit consent of the owner. The explicit consent of the personal data owner should be disclosed on a specific subject, based on information and free will.

At least one of the conditions in (b), (c), (d) (e), (f), (g) and (h) of this title is sought for the purpose of processing for the purposes of obtaining personal data ; If one of these conditions is not met, these personal data processing activities are carried out by our Company based on the express consent of the personal data owner for these processing activities.

Explicitly Provided in Laws

The personal data of the data owner can be processed in accordance with the law if the processing of personal data is expressly stipulated in the law.

Failure to Obtain the Explicit Consent of the Person Related to the Cause of Actual Impossibility

The personal data of the data owner may be processed if it is necessary to process the personal data of the person who is unable to express his or her consent due to actual impossibility or whose consent cannot be validated, in order to protect the life or bodily integrity of himself or another person.

Direct Concern with the Establishment or Performance of the Contract

It is possible to process personal data if it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

Fulfilling the Company's Legal Obligation

Personal data of the data subject may be processed if the processing is necessary for our company to fulfill its legal obligations as a data controller.

Making Personal Data Public by Personal Data Owner

If the personal data of the data owner has been made public by himself, the relevant personal data may be processed for the purpose of making it public.

Mandatory Data Processing for the Establishment or Protection of a Right

If data processing is necessary for the establishment, exercise or protection of a right, the personal data of the data owner may be processed.

Obligatory Data Processing for the Legitimate Interest of Our Company

Provided that it does not harm the fundamental rights and freedoms of the personal data owner, the personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company.

Processing of Private Personal Data

PDPL; Special categories of personal data are processed in the following cases, provided that adequate measures to be determined by the Board are taken:

Explicit consent of the personal data owner or
If the personal data owner does not have explicit consent;

categories of personal data other than health and sexual life, in cases expressly stipulated by law,
Special categories of personal data related to health and sexual life are processed by persons or authorized institutions and organizations that are under the obligation of confidentiality, for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

and Informing the Personal Data Owner

Our company informs the personal data owners during the acquisition of personal data in accordance with Article 10 of the Law. In this context; Persons concerned are informed about who, as the data controller, the personal data is processed, for what purposes, with whom it is shared, with what methods it is collected, and the legal reason and the rights of data owners within the scope of processing their personal data. Detailed information on this subject is given in Chapter 10 of this Policy .

Article 20 of the Constitution states that everyone has the right to be informed about the personal data concerning them. Accordingly, in Article 11 of the Law, “requesting information” is also listed among the rights of the personal data owner. In this context, our company provides the necessary information in case the personal data owner requests information in accordance with the 20th article of the Constitution and the 11th article of the KVK Law. Detailed information on this subject is given in Chapter 10 of this Policy .

Transfer of Personal Data

Our company can transfer the personal data and special quality personal data of the personal data owner to third parties (business partner companies, third real persons) by taking the necessary security measures in line with the personal data processing purposes in accordance with the law. Accordingly, our company acts in accordance with the regulations stipulated in Article 8 of the PDPL.

Transfer of Personal Data

In line with the legitimate and lawful personal data processing purposes of our company, personal data may be transferred to third parties based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below, in a limited manner, by taking all necessary security measures, including the methods prescribed by the Board. can transfer:

If the personal data owner has express consent,

If there is a clear regulation in the law regarding the transfer of personal data,

If it is necessary for the protection of the life or physical integrity of the personal data owner or someone else, and the personal data owner is unable to express his consent due to actual impossibility or if his consent is not legally valid;
If it is necessary to transfer the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
If personal data transfer is mandatory for our company to fulfill its legal obligation,
If the personal data has been made public by the personal data owner, limited to the purpose of making it public,
If personal data transfer is necessary for the establishment, exercise or protection of a right,
If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.

In addition to the above, personal data may be transferred to foreign countries declared to have adequate protection by the Board (" Foreign Country with Sufficient Protection ") in case of any of the above conditions. In the absence of sufficient protection, it can be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing in line with the data transfer conditions stipulated in the legislation and where the Board has permission (“ Foreign Country where the Data Controller Undertaking Adequate Protection is Available ”).

Transfer of Private Personal Data

Our company, by showing due diligence, by taking all necessary administrative and technical measures and adequate measures prescribed by the Board; In accordance with the legitimate and lawful personal data processing principles, the personal data owner may transfer the sensitive data of the personal data owner to third parties in the following cases.

Explicit consent of the personal data owner or
If the personal data owner does not have express consent;

Special categories of personal data other than the health and sexual life of the personal data owner, in cases stipulated by the laws,
Persons or authorized institutions and organizations that are under the obligation to keep confidential, only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing. can be transferred by

In addition to the above, personal data may be transferred to Foreign Countries with Sufficient Protection in the presence of any of the above conditions. In the absence of sufficient protection, it can be transferred to Foreign Countries where the Data Controller Undertaking Adequate Protection is in line with the data transfer conditions stipulated in the legislation.

SECTION 4 – PURPOSE OF PROCESSING PERSONAL DATA PROCESSED BY OUR COMPANY

At our company, personal data is processed in accordance with the general principles specified in the Law, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of the Law on the Protection of Personal Data No. 6698. The processed personal data categories can be accessed from the 5th section of this policy.

Purposes of processing personal data;

Execution of Emergency Management Processes
Execution of Information Security Processes
Execution of Employee Candidate / Intern / Student Selection and Placement Processes
Execution of Application Processes of Employee Candidates
Execution of Employee Satisfaction and Loyalty Processes
Fulfillment of Employment and Legislation Obligations for Employees
Execution of Benefits and Benefits Processes for Employees
Conducting Audit / Ethical Activities
Conducting Educational Activities
Execution of Access Authorizations
Execution of Activities in Compliance with the Legislation
Execution of Finance and Accounting Affairs
Providing Physical Space Security
Execution of Assignment Processes
Follow-up and Execution of Legal Affairs
Carrying out Internal Audit / Investigation / Intelligence Activities
Execution of Communication Activities
Planning of Human Resources Processes
Execution / Supervision of Business Activities
Execution of Occupational Health / Safety Activities
Execution of Goods / Services Procurement Processes
Execution of Goods / Services After-Sales Support Services
Execution of Good / Service Sales Processes
Execution of Customer Relationship Management Processes
Execution of Activities for Customer Satisfaction
Organization and Event Management
Conducting Marketing Analysis Studies
Execution of Advertising / Campaign / Promotion Processes
Execution of Risk Management Processes
Execution of Storage and Archive Activities
Execution of Contract Processes
Execution of Sponsorship Activities
Execution of Strategic Planning Activities
Follow-up of Requests / Complaints
Ensuring the Security of Movable Property and Resources
Execution of Wage Policy
Execution of Marketing Processes of Products / Services
Ensuring the Security of Data Controller Operations
Execution of Investment Processes
Execution of Talent / Career Development Activities
Providing Information to Authorized Persons, Institutions and Organizations
Execution of Management Activities
and Tracking Visitor Records

SECTION 5 – OWNERS OF PERSONAL DATA PROCESSED BY OUR COMPANY AND CATEGORIZATION OF PERSONAL DATA

Although the personal data of the personal data subject categories listed below are processed by our company, the scope of application of this Policy is applicable to our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties. limited to individuals.

While the categories of persons whose personal data are processed by our Company are within the scope specified above, persons outside of these categories may also direct their requests to our Company within the scope of PDPL; requests of these persons will also be evaluated within the scope of this Policy.

The concepts of customer, potential customer, visitor, third party, employee, employee candidate, shareholder and board member, natural persons in the institutions we cooperate with, and third parties related to these persons, which are within the scope of this Policy, are explained below:

Personal Data Owner Category	Description
Customer:	Real persons who use or have used the products and services offered by our Company, regardless of whether they have any contractual relationship with our Company.
Potential Customer:	Real persons who have requested or been interested in using our products and services or have been evaluated in accordance with commercial practices and honesty rules that they may have.
Supplier:	Regardless of whether there is a contractual relationship or not, persons, officials, partners and employees whose personal data are obtained, who provide products or services to the Company within the scope of commercial activities carried out by the Company.
Visitor:	Real persons who have entered the physical campuses owned by our company for various purposes or visited our websites.
Third Party:	eg Family Members and relatives) or other natural persons not covered by this Policy, who are related to these persons in order to ensure the security of commercial transactions between our Company and the above-mentioned parties or to protect the rights of the said persons and to obtain benefits .
Worker:	Natural persons who have worked or are working in our company.
Employee Candidate :	Real persons who have applied for a job in our company by any means or have opened their CV and related information to our company's review.
Company Shareholder:	The shareholders of our company are real persons.
Company official:	Members of our company's board of directors and other authorized real persons.
Employees, Shareholders and Officials of the Institutions We Cooperate With:	Real persons, including shareholders and officials of these institutions, working in institutions (such as but not limited to business partners, suppliers) with which our company has any business relationship.

The following table details the above-mentioned categories of personal data and the description of the data within these categories:

PERSONAL DATA CATEGORY	DESCRIPTION
Credential:	name , surname , mother-father's name, mother's maiden name, date of birth, identity card serial no , TR identity no .
Communication information:	address number , e-mail address, contact address, registered e-mail address (KEP), telephone number .
Family Members and Close Information:	e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency, which are processed in order to protect the legal and other interests of the Company and the personal data owner, regarding the services provided by PHITECH .
Customer Transaction Information:	Billing information, such as demand information.
Physical Space Security Information:	Information such as entry and exit registration information of real persons, camera recordings.
Transaction Security Information:	IP address information, Website login and exit information, Password and password information, etc.
Financial Information:	Information such as balance sheet information, financial performance information, credit and risk information, and asset information.
Legal Action and Compliance Information:	Information regarding the determination and follow-up of our legal receivables and rights, and the performance of our debts, as well as our legal obligations and compliance with our Company's policies.
Audit and Inspection Information:	Information on the execution of our company's operational and compliance audit activities.
Special Qualified Personal Data:	Data on people's health, genetic data, criminal convictions and security measures.
Request/Complaint Management Information:	to PHITECH information on the receipt and evaluation of any request or complaint lodged.

SECTION 6 – ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA

In accordance with Article 12 of the Law, our company takes all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data it processes and illegal access to personal data, and to ensure the preservation of personal data.

Technical Measures Taken to Ensure Legal Processing of Personal Data

The technical measures taken by our company to ensure the legal processing of personal data are listed below:

Network security and application security are provided.
A closed system network is used for personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
An authorization matrix has been created for employees.
Access logs are kept regularly.
The authorizations of employees who have a change in duty or quit their job in this field are removed.
Current anti-virus systems are used.
Firewalls are used.
Personal data security is monitored.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system are implemented and these are also followed.
Log records are kept without user intervention.
Secure encryption is used for sensitive personal data and is managed by different units.
Intrusion detection and prevention systems are used.
Penetration test is applied.
Cyber security measures have been taken and their implementation is constantly monitored.
Encryption is done.

Administrative Measures Taken to Ensure Legal Processing of Personal Data

Administrative measures taken by our company to prevent unlawful access to personal data are listed below:

Training and awareness activities are carried out periodically for employees on data security.
The obligation to inform the relevant persons is fulfilled.
Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Confidentiality commitments are made.
The signed contracts contain data security provisions.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Existing risks and threats have been identified.
In-house periodic and/or random audits are conducted and made.
Protocols and procedures for special quality personal data security have been determined and implemented.
Awareness of data processing service providers on data security is provided.

SECTION 7 – DELETING, DESTROYING AND ANNOUNCEMENT OF PERSONAL DATA

Your data stored under the law; shall be retained for the maximum period specified in the relevant legislation or required for the purpose for which they are processed, and possibly for the legal statute of limitations. Even though it has been processed in accordance with the provisions of the relevant law as regulated in Article 138 of the Turkish Penal Code and Article 7 of the Law, in the event that the reasons for its processing disappear, ex officio or upon your request, the personal data published in the Official Gazette No. 30224 and dated 28.10.2017 It will be deleted, destroyed or anonymized under the conditions determined by the Regulation on the Deletion, Destruction or Anonymization of Personal Data and the PHITECH Personal Data Retention and Destruction Policy prepared in accordance with this regulation .

SECTION 8 – THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSE OF THE TRANSFER

Our company notifies the personal data owner of the groups of persons to whom personal data is transferred in accordance with Article 10 of the Law.

our company in accordance with Articles 8 and 9 of the Law can be transferred to the following categories of persons:

To PHITECH business partners,
To PHITECH customers,
To PHITECH shareholders,
Legally authorized public institutions and organizations,
Legally authorized private legal persons.

Persons to whom Data Transfer can be made	Definition	Data Transfer Purpose
Business partner	It defines the parties with which our company establishes business partnerships for purposes such as sales, promotion and marketing of our company's products and services, after-sales support, and execution of joint customer loyalty programs.	Limited to ensure the fulfillment of the purposes for which the business partnership was established.
Customer	It defines the real or legal persons to whom the Company provides services and products while carrying out its commercial activities.	Limited to ensure the supply of products and services offered by our company to its customers.
Our Shareholders	Our shareholders, who are authorized to design strategies and audit activities related to our Company's commercial activities in accordance with the provisions of the relevant legislation.	In accordance with the provisions of the relevant legislation, limited to the purposes of designing the strategies and auditing of our Company's commercial activities.
Legally Authorized Public Institutions and Organizations	Public institutions and organizations authorized to receive information and documents from our Company in accordance with the provisions of the relevant legislation.	Limited to the purpose requested by the relevant public institutions and organizations within their legal authority.
Legally Authorized Private Law Persons	Private law persons authorized to receive information and documents from our Company in accordance with the provisions of the relevant legislation.	Limited to the purpose requested by the relevant private legal persons within their legal authority.

SECTION 9 – RIGHTS OF PERSONAL DATA OWNERS; METHODOLOGY FOR THE USE AND ASSESSMENT OF THESE RIGHTS

Our company informs the personal data owner of the rights of the personal data owner in accordance with Article 10 of the Law and guides the personal data owner on how to use these rights. carries out the necessary channels, internal functioning, administrative and technical regulations.

RIGHTS OF THE DATA SUBJECT AND THE USE OF THESE RIGHTS

Rights of Personal Data Owner

Personal data owners have the following rights:

Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
Knowing the third parties to whom personal data is transferred at home or abroad,
Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Requesting the deletion or destruction of personal data in the event that the reasons requiring its processing have disappeared, although it has been processed in accordance with the provisions of the PDPL and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
To request the compensation of the damage in case of loss due to unlawful processing of personal data.

Circumstances in which the Personal Data Owner cannot assert his rights

the following cases are excluded from the scope of the Law pursuant to Article 28 of the PDPL, personal data owners cannot claim their rights listed in 9.1.

Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

Pursuant to article 28/2 of the Law; In the cases listed below, personal data owners cannot claim their other rights listed in 9.1., except for the right to demand the compensation of the damage:

The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the personal data owner.
Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.

Exercise of Personal Data Owner's Rights

Personal data owners 9.1 of this section. Requests for the rights listed under the title www.phitech.bio They will be able to fill in the "Relevant Person (Personal Data Owner) Application Form" located at the address and submit it to the Company using the methods determined by the Board. The method of application to be made in this form is also explained in detail.

It is not possible to make a request by third parties on behalf of personal data owners. In order for a person other than the personal data owner to make a request, there must be a special power of attorney issued by the personal data owner on behalf of the person to apply.

Right of Personal Data Owner to Complain to the Board

PDPL, the personal data owner, the response given is insufficient or the application is not answered in due time; Complaints may be made to the Board within thirty days from the date our company learns of the answer, and possibly within sixty days from the date of application.

PHITECH'S ANSWER TO APPLICATIONS

Our Company's Response Procedure and Time to Applications

Personal data owner, 9.1 of this section. In the event that he/she submits his/her request to our Company in accordance with the procedure in the section titled, our Company will conclude the relevant request free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.

However, if the process requires a separate cost, our Company will charge the applicant the fee in the tariff determined by the Board.

Information Our Company May Request from the Applicant Personal Data Owner

Our company may request information from the person concerned in order to determine whether the applicant is the owner of personal data.

Our company may ask questions about the personal data owner's application in order to clarify the issues in the personal data owner's application.

Our Company's Right to Refuse the Application of the Personal Data Owner

Our company may reject the application of the applicant in the following cases by explaining the reason:

Processing personal data for purposes such as research, planning and statistics by making it anonymous with official statistics.
Processing of personal data for art, history, literature or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
The processing of personal data is necessary for the prevention of crime or for criminal investigation.
Processing of personal data made public by the personal data owner.
Personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution based on the authority granted by the law.
The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budgetary, tax and financial matters.
The possibility of the personal data owner's request to prevent the rights and freedoms of other persons
Making requests that require disproportionate effort.
The requested information is publicly available.
Existence of one of the situations outside the scope of the law.

PHITECH BİLİŞİM BİYOTEKNOLOJİ DANIŞMANLIK ARAŞTIRMA GELİŞTİRME SANAYİ VE TİCARET ANONİM ŞİRKETİ

PERSONAL DATA RETENTION AND DISPOSAL POLICY

LOGIN

Aim

This Personal Data Retention and Destruction Policy (“Policy”), Personal Data Protection Law numbered 6698 (“PDPL” or “Law”) and Personal Data Enforcement, which came into force after being published in the Official Gazette dated 28 October 2017, which constitutes the secondary regulation of the Law. To fulfill our obligations pursuant to the Regulation on the Deletion, Destruction or Anonymization (“Regulation”), to make explanations about the personal data processing activity and systems adopted for the protection of personal data within the framework of the legislation on personal data, and to inform the data subjects about the maximum necessary for the purpose for which your personal data is processed. It has been prepared by PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi Ve Ticaret Anonim Şirketi (“PHITECH” or “Company”) in order to inform you about the principles of determining the retention period and the processes of deletion, destruction and anonymization.

Scope

This Policy; real persons, real persons authorized to represent the legal entity in legal entity clients, potential customers, their employees, employees, employee candidates, product/service buyer officer/employees, supplier representative/employees, physical and virtual visitors and other third parties. This Policy applies to all recording media where personal data owned or managed by the Company is processed, and to activities for the storage and destruction of personal data.

Scope of application of this Policy regarding the persons in the above-mentioned categories may be the whole of the Policy (eg, our Active customers who are also visitors); may also have only some provisions (eg, Our Visitors Only).

In cases where there is no provision for processing, storage and transfer of personal data in this Policy, detailed information on these issues can be accessed from the PHITECH Personal Data Protection and Processing Policy at www.phitech.bio.

In case of conflict between the PDPL and other relevant legislation and the Policy, the legislation in force will find an area of application.

Definitions

definitions used in this Policy are as follows:

Open Consent:	Consent on a particular subject, based on information and expressed with free will.
Worker:	Company employee.
Related person:	The natural person whose personal data is processed.
Related User:	Persons who process personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of the data.
Destruction:	Deletion, destruction or anonymization of personal data.
Law or PDPL:	Law No. 6698 on the Protection of Personal Data.
Recording Media:	Any environment where personal data is processed wholly or partially automatically or by non-automatic means provided that it is a part of any data recording system.
Personal Data:	Any information relating to an identified or identifiable natural person.
Personal Data Processing Inventory:	Personal data processing activities carried out by data controllers depending on their business processes; The inventory, which is created by associating the personal data processing purposes and legal reason, data category, transferred recipient group and data subject group, by explaining the maximum storage period required for the purposes for which personal data is processed, personal data foreseen to be transferred to foreign countries, and the measures taken regarding data security.
Personal Data Protection and Processing Policy:	www.phitech.bio PHITECH Personal Data Protection and Processing Policy.
Relevant Person Application Form:	The application form that the person whose personal data is processed within the company will benefit from when using their applications regarding their rights explained in Article 11 of the Law.
Processing of Personal Data:	Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data completely or partially by automatic or non-automatic means provided that it is a part of any data recording system. Any operation performed on the data, such as blocking.
Anonymization of Personal Data:	Making personal data incapable of being associated with an identified or identifiable natural person under any circumstances, even by matching with other data.
Deletion of Personal Data:	Making personal data inaccessible and unusable for Relevant Users in any way.
Destruction of Personal Data:	The process of making personal data inaccessible, irretrievable and unusable by anyone in any way.
Board:	Personal Data Protection Board.
Institution:	Personal Data Protection Authority.
Special Qualified Personal Data:	Data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Periodic Disposal:	The deletion, destruction or anonymization process, which will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all of the personal data processing conditions in the Law are eliminated.
Policy:	Personal Data Retention and Disposal Policy.
Data Processor:	The natural or legal person who processes personal data on behalf of the data controller based on the authority given by him.
Data Controller:	The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controllers Registry (VERBIS):	Registry of data controllers kept by the Presidency under the supervision of the Personal Data Protection Board.
Regulation:	Regulation on the Deletion, Destruction or Anonymization of Personal Data, published in the Official Gazette dated 28 October 2017.

PRINCIPLES

The Company acts within the framework of the following principles in the processing, storage and destruction of personal data:

Personal data available or obtained by our company pursuant to article 4 of the PDPL; (i) in accordance with the rules of law and honesty, (ii) accurately and when necessary, up-to-date, (iii) for specific, clear and legitimate purposes, (iv) used in connection with the purpose for which they are processed, limited and measured, and (v) stipulated in the relevant legislation or for the period for which they are processed and for the period determined by the Company in this Policy.
Our company processes personal data and sensitive personal data with the explicit consent of the person concerned or without the explicit consent of the person concerned in cases stipulated in Articles 5 and 6 of the PDPL. Related persons are informed by our Company regarding the personal data processing processes in accordance with Article 10 of the PDPL and necessary information is provided in case the data subject requests information.
Our company clearly and precisely determines the purpose of processing personal data on a legitimate and lawful basis. Accordingly, personal data is processed within the scope of services that are offered or planned to be provided, limited to its legal obligations. The purpose for which personal data is processed is also disclosed before starting the personal data processing activity.
In the deletion, destruction and anonymization of personal data, technical and administrative measures, which are required to be taken within the scope of Article 12 of the Law and specified in Article 5 of this Policy, relevant legislation provisions, Board decisions and this Policy are fully complied with.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded by the Company and these records are kept for at least 3 years, excluding other legal obligations.
Cases where it is necessary to process personal data in order to protect the life and bodily integrity of the person himself or another person, whose life or bodily integrity cannot be recognized, where consent cannot be disclosed due to actual impossibility or the validity of consent cannot be recognized, the personal data of the data subject processing may occur. (For example, recording contact information in the infirmary as a result of an illness in our company.)
PHITECH may process the personal data of the data owner in order to fulfill its legal obligations. (For example, sending documents in response to questions from public institutions such as the Ministry of Health)
The appropriate method of deleting, destroying or anonymizing personal data ex officio is chosen by us. However, upon the request of the Relevant Person, the appropriate method will be chosen by explaining the reason.
In the event that all the conditions for processing personal data in Articles 5 and 6 of the Law are no longer valid, the personal data is deleted, destroyed or anonymized by the Company ex officio or upon the request of the person concerned. In case the Related Person applies to the Company in this regard;
- Requests submitted are finalized within 30 (thirty) days at the latest and the relevant person is informed,
- In case the data subject to the request has been transferred to third parties, this situation is notified to the third party to which the data is transferred and necessary actions are taken before the third parties.

RECORDING ENVIRONMENTS

The personal data of the persons concerned are securely stored by the Company in the environments listed in the table below, in accordance with the relevant legislation, especially the provisions of the PDPL, and in the environments listed in the table below (Table 1), within the framework of international data security principles:

(Table 1: Personal Data Recording Environments Table)

ELECTRONIC ENVIRONMENTS

NON-ELECTRONIC ENVIRONMENTS

These are the environments where the data is kept in other technological devices such as computers and phones:

Servers (Domain, backup, email, database, web, file sharing etc.);
software;
Information security devices;
Personal computers (Desktop, laptop);
Mobile Devices (phone, tablet etc.);
Optical discs and removable memories (CD, DVD, USB, External disk etc.).

Media where data is kept by printing on paper or microfilms:

Paper;
Manual data recording systems (survey forms, visitor logbook);
Written, printed and visual media.

REASONS REQUESTING CONSERVATION AND DISPOSAL

Personal data of the persons concerned are stored and destroyed by the Company in accordance with the Law. In this context, detailed explanations regarding storage and disposal are given below, respectively:

Remarks on Storage

Personal data belonging to the person concerned, within the scope of the personal data processing conditions specified by the Company in Articles 5 and 6 of the Law, in particular ; It is stored securely in electronic or non-electronic media listed above, within the limits specified in the Law and other relevant legislation, in order to (i) maintain commercial activities, (ii) fulfill legal obligations, and (iii) manage customer relations.

The reasons for keeping it are as follows:

Storing personal data because it is clearly stipulated in the legislation,
Storing personal data as it is directly related to the establishment and performance of contracts,
Keeping personal data subject to the fulfillment of any legal obligations that the Company is obliged to comply with,
Storing personal data due to the fact that it has been made public by the person concerned,
Storing personal data in connection with the establishment, exercise or protection of a right,
It is mandatory to keep personal data for the legitimate interests of the Company, provided that it does not harm the fundamental rights and freedoms of individuals,
In terms of storage activities that require the explicit consent of the persons concerned, storage due to the explicit consent of the persons concerned.

Disposal Remarks

Although it is stored in accordance with the provisions of the law and other relevant laws, in the event that the reasons for keeping it disappear, personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject. In this context, in accordance with the Law and the Regulation, the personal data of the persons concerned are deleted, destroyed or anonymized by the Company ex officio or upon request, in the following cases:

Changing or repealing the provisions of the relevant legislation, which is the basis for the processing or storage of personal data,
The disappearance of the purpose that requires the processing or storage of personal data,
Elimination of the conditions requiring the processing of personal data in Articles 5 and 6 of the Law,
In cases where the processing of personal data takes place only on the basis of explicit consent, the data subject withdraws his consent,
The data controller accepts the application made by the data subject regarding the deletion, destruction or anonymization of his personal data within the framework of his rights in subparagraphs (e) and (f) of Article 11 of the Law,
In cases where the data controller rejects the application made by the data subject with the request for the deletion, destruction or anonymization of his personal data, his response is found insufficient or he does not respond within the time stipulated in the Law; Complaining to the Board and approval of this request by the Board,
The absence of any conditions justifying the retention of personal data for a longer period of time, although the maximum period for keeping personal data has passed.

ADMINISTRATIVE AND TECHNICAL MEASURES

Administrative Measures

Administrative measures taken by our company to prevent unlawful access to personal data are listed below:

Training and awareness activities are carried out periodically for employees on data security.
The obligation to inform the relevant persons is fulfilled.
Institutional policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Confidentiality commitments are made.
The signed contracts contain data security provisions.
Personal data security policies and procedures have been determined.
Personal data security issues are reported quickly
Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
The security of physical environments containing personal data against external risks (fire, flood, etc.) is ensured.
The security of environments containing personal data is ensured.
Personal data is reduced as much as possible.
Existing risks and threats have been identified.
In-house periodic and/or random audits are conducted and made.
Protocols and procedures for special quality personal data security have been determined and implemented.
Awareness of data processing service providers on data security is provided.

Technical Measures

The technical measures taken by our company to prevent unlawful access to personal data are listed below:

Network security and application security are provided.
A closed system network is used for personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
An authorization matrix has been created for employees.
Access logs are kept regularly.
The authorizations of employees who have a change in duty or quit their job in this field are removed.
Current anti-virus systems are used.
Firewalls are used.
Personal data security is monitored.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system are implemented and these are also followed.
Log records are kept without user intervention.
Secure encryption is used for sensitive personal data and is managed by different units.
Intrusion detection and prevention systems are used.
Penetration test is applied.
Cyber security measures have been taken and their implementation is constantly monitored.
Encryption is done.

STORAGE AND DISPOSAL TIMES

Our company first determines whether a period is foreseen in the relevant legislation for the storage of personal data. If a period is stipulated in the relevant legislation, it complies with this period; if a period is not foreseen, it retains the personal data for the period necessary for the purpose for which they are processed. If the purpose of processing personal data has ended and the storage periods determined by the relevant legislation and/or our Company have expired, they can only be stored during the statute of limitations stipulated in the laws in order to constitute evidence in possible legal disputes, to assert the relevant right related to personal data or to establish a defense. Personal data is not stored by our Company, based on the possibility of its use in the future.

The storage and disposal periods on the basis of processes determined by the company are given in the table below (Table 2). Moreover; Personal data-based storage periods for all personal data within the scope of activities carried out in connection with processes are in the Personal Data Processing Inventory; Storage periods on the basis of data categories are recorded in VERBIS .

(Table 2: Storage and Disposal Times by Process)

PROCESS	STORAGE PERIOD	DISPOSAL TIME
Personal Data Related to Customers	10 years from the end of the contract	In the first periodic destruction process following the end of the storage period
Personal Data Regarding Suppliers or Legal Entity Supplier Authorities/Employees	10 years from the end of the contract	In the first periodic destruction process following the end of the storage period
Personal Data Obtained Due to Contract Transactions	10 years from the end of the contract	In the first periodic destruction process following the end of the storage period
All Personal Data Related to Accounting and Financial Transactions	5 years from the year following the year of receipt	In the first periodic destruction process following the end of the storage period
All Personal Data Received from Company Employees and Interns in Other Processes such as Performance of Employment Contract, AGI Payments, Provision of Benefits and Opportunities, and Processes to be Carried out at SGK (excluding data received due to Occupational Health and Safety)	10 years from the end of the contract	In the first periodic destruction process following the end of the storage period
All Personal Data Received by the Occupational Physician and OHS Specialist in accordance with the Occupational Health and Safety Legislation, Relating to the Persons Outsourced Service	15 years from the end of the contract	In the first periodic destruction process following the end of the storage period
Security Camera Images	30 Days From Registration Date	In the first periodic destruction process following the end of the storage period
Personal Data Regarding IP Addresses	6 months from the date of receipt	In the first periodic destruction process following the end of the storage period
Personal Data Regarding Business Partner/Solution Partner/Consultants	10 years from the end of the Employment Relationship	In the first periodic destruction process following the end of the storage period
Personal Data Received from Potential Customers and Suppliers for Business Development	1 year from the date of receipt	In the first periodic destruction process following the end of the storage period
Personal Data Regarding IP Addresses	6 months from the date of receipt	In the first periodic destruction process following the end of the storage period

PERIODIC DISPOSAL AND PERSONAL DATA DESTRUCTION APPLICATION

Periodic Destruction

The Company deletes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data for which it is responsible in accordance with the Law, relevant legislation, PHITECH Personal Data Protection and Processing Policy and this Personal Data Retention and Disposal Policy arises, destroy or anonymize.

Pursuant to Article 11 of the Regulation, the Company has determined the period of periodic destruction as 1 year. Accordingly, periodic destruction is carried out by the Company once a year in December.

Personal Data Destruction Application

When the person concerned requests the destruction of his personal data by applying to the Company pursuant to Article 13 of the Law;

If all the conditions for processing personal data have disappeared; The company deletes, destroys or anonymizes the personal data subject to the request with the appropriate destruction method, explaining the reason within 30 (thirty) days from the day it receives the request. In order for the Company to be deemed to have received the request, the person concerned must have made the request in accordance with the Personal Data Processing and Protection Policy. In any case, the company informs the person concerned about the transaction.
If all the conditions for processing personal data have not disappeared, this request may be rejected by the Company by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest.

PERSONAL DATA DISPOSAL TECHNIQUES

At the end of the storage period required for the period stipulated in the relevant legislation or for the purpose for which they are processed, personal data is destroyed by the Company ex officio or upon the application of the relevant person, again in accordance with the provisions of the relevant legislation, with the techniques specified below. In this context, all transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.

The most commonly used deletion, destruction and anonymization techniques by the company are listed below:

Deletion of Personal Data

deleted by the methods in the table below (Table 3) :

(Table 3: Methods of Deletion of Personal Data)

METHOD

EXPLANATION

Safely Delete from Software

While deleting data processed by fully or partially automated means and stored in digital media; Methods for deleting the data from the relevant software are used so that it cannot be accessed and reused in any way for the Relevant Users.

Deletion of relevant data in the software system by issuing a delete command; removing the access rights of the relevant user on the file or the directory where the file is located on the central server; Deleting the relevant rows in databases with database commands or deleting the data in portable media, ie flash media, by using appropriate software can be counted within this scope.

However, if the deletion of personal data will result in the inaccessibility of other data within the system and the inability to use this data, the personal data will also be deemed deleted if the personal data is archived in a way that cannot be associated with the data subject, provided that the following conditions are met.

Being closed to the access of any other institution, organization or person,
Taking all necessary technical and administrative measures to ensure that personal data can only be accessed by authorized persons.

Blackening of Personal Data in Paper Media

It is a method of physically cutting and removing the relevant personal data from the document in order to prevent the non-purpose use of personal data or to delete the data requested to be deleted, or to make it invisible by using fixed ink in a way that cannot be returned and read with technological solutions.

Destruction of Personal Data

is destroyed by the methods in the table below (Table 4):

(Table 4: Personal Data Destruction Methods)

METHOD	EXPLANATION
Physical Destruction	non-electronic Documents kept in the environment are destroyed in a way that they cannot be reassembled with document destruction machines. electronic media, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, incinerating, pulverizing, or passing through a metal grinder to optical or magnetic media .
De-magnetizing ( degauss )	It is the process of unreadable corruption of the data on the magnetic media by exposing it to a high magnetic field.
overwrite	Random data consisting of 0s and 1s is written at least seven times on magnetic media and rewritable optical media, preventing reading and recovery of old data.

Anonymization of Personal Data

anonymized by the methods in the table below (Table 5):

METHOD

EXPLANATION

Anonymization Methods That Do Not Ensure Value Distortion

Anonymization methods that do not provide value irregularity, without any change or addition/removal of stored personal data; are the methods of anonymization applied by generalizing any personal data group, replacing each other or removing a certain data or sub-data group from the group.

Variable Extraction: The existing data set is anonymized by subtracting the "high degree descriptive" variables from the variables in the data set created after the data collected by the method of extracting the descriptive data. For example, anonymization is provided by extracting the data groups of names, surnames and place of residence of highly descriptive persons.

Removing Records: In the deregistration method, the data line containing singularity is removed from the records and the stored data is anonymized. For example, if there is only one senior manager in a company, the remaining data can be anonymized by removing the data belonging to this person from the records where the seniority, salary and gender data of the employees at the same level are kept.

Regional Concealment: In the regional concealment method, since a single data creates a rarely visible combination, if it has a determinative quality, hiding the relevant data provides anonymization. For example, if only one person among the relevant data controllers in the reserve list of the company's football team is 65 years old, in a dataset where the information about whether he or she can play football in terms of age, gender and health status is stored together, 'Age:65' is written as 'Unknown' or this part is left blank. will provide anonymization.

Lower and Upper Bound Coding: With the lower and upper bound coding method, the values in a data group containing predefined categories are anonymized by determining a certain criterion and combining them. For example, instead of specifying the seniority years of the personnel working in a workplace, a definition according to the working year in the workplace can be used. According to whether it is less than 5 years, between 5 and 10 years or more than 10 years ; can be expressed as very experienced, experienced or inexperienced and can be anonymized without specifying the specific seniority year.

Generalization: With the data aggregation method, many data are aggregated and personal data is rendered unrelated to any person. For example; revealing that there are as many as Z employees at the age of X without showing the age of the employees one by one.

Global Coding: With the data derivation method, a more general content is created than the content of personal data and it is ensured that personal data cannot be associated with any person. For example; specifying the age instead of the date of birth of the employees, specifying the region of residence instead of the open address.

Anonymization Methods That Provide Value Distortion

Anonymization methods that provide value irregularity create corruption by changing some data in personal data groups, unlike those that do not provide value irregularity. When using these methods, deviations will need to be applied carefully in line with the expected/desired benefit to be obtained. By ensuring that the total statistics are not deteriorated, the expected benefit from the data can be continued.

Adding Noise: The method of adding noise to the data is anonymized by adding some positive or negative deviations to the existing data at a determined rate, especially in a data set where numerical data are predominant. For example, in a data set with weight values (+/−) 3 kg deviation is used to prevent the real values from being displayed and the data is anonymized. The deviation applies equally to each value.

Micro-Aggregation: In the micro-joining method, all data will first be grouped in a meaningful order (from large to small) and the value obtained by taking the average of the groups will be written instead of the relevant data in the current group, thus providing anonymity. For example, for salary information; If two groups are made with a salary of less than or equal to 10,000 TL, the sum of the salaries of the people with a salary of 10,000 or less is divided by the number of people, and this value obtained is written in the salary set of everyone with a salary of less than 10,000 TL.

Data Exchange: In the data exchange method, the values of a variable are exchanged between the pairs selected from the stored data. In this method, which is used for data that can be categorized in general, the aim is to transform the database by exchanging the data of the relevant person with each other.

CONTACT FORM CLARIFICATION TEXT ACCORDING TO THE LAW ON PROTECTION OF PERSONAL DATA NUMBERED 6698

As PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi (“PHITECH” or “Company”); under the Personal Data Protection Law (“PDPL” or “Law”), we prioritize the security of your data, which we process as the data controller defined on the website www.phitech.bio contact form, and therefore, we aim to enlighten you within the framework of the subject within this Clarification Text.

Your personal data;

In a limited and measured manner, in connection with the purpose that requires them to be processed,

Maintaining the accuracy and most up-to-date version of personal data as you have reported or reported to our website,

We inform you that it will be stored, stored, stored, rearranged, shared with the institutions authorized by law to request this personal data, and under the conditions stipulated by the PDPL, it will be transferred, transferred, classified and processed in other ways listed in the PDPL.

YOUR PROCESSED PERSONAL DATA

The following personal data provided by the Company by the customers themselves may be processed:

ID Data:	Name, surname.
Contact Data:	E-mail address, phone number.
Customer Transaction Data:	Request information.

PURPOSE OF PROCESSING YOUR DATA

Your data is processed by the Law and other secondary regulations under the Law and within the framework of the following purposes and legal reasons:

Contact: We may contact you for various purposes using the personal data you provide to www.phitech.bio. These of examples are sending reminder and warning messages and replying to the messages you have forwarded to us.

Legal Obligations: Your data can be processed, transferred, and stored for the period required by the relevant legislation or for the purpose if required by any legislative provision to which www.phitech.bio is subject.

Dispute Resolution: PHITECH may process your data and share it with the relevant legal authorities to prove that it performs legal actions and fulfills its legal obligations in case of future disputes, and to ensure the resolution of disputes.

Improvement of Services and Customer Satisfaction: Your data is processed to conduct analytical studies to improve your www.phitech.bio experience, evaluate your requests, complaints, and suggestions and take action to increase customer satisfaction and service quality.

LEGAL REASONS FOR THE PROCESSING OF YOUR DATA

Communication transactions and related actions are carried out based on the legal reason for the establishment or performance of a contract specified in Article 5/2(c) of the Law.
The data processing activities we carry out to fulfill our legal obligations are based on the legal reason clearly stated in Article 5/2 (ç) of the Law.
The cases where personal data are processed for the resolution of disputes are based on legal grounds for establishing, exercising, or protecting a right specified in Law 5/2(e).
Activities based on the improvement of services and customer satisfaction and communication purposes are carried out based on the legitimate interest legal reason regulated in Article 5/2(f) of the Law.

METHODS OF COLLECTION OF PERSONAL DATA

Within the scope of the services www.phitech.bio offers to you and the above-mentioned data processing purposes, you can send your data through the contact form on www.phitech.bio, which has the possibility to retrieve data.

TRANSFER OF PERSONAL DATA

YOUR RIGHTS

Learning whether personal data is processed or not,
If personal data has been processed, requesting information about it,
To learn the purpose of processing personal data and whether they are used following the purpose,
Knowing the third parties to whom personal data is transferred in the country or abroad,
Requesting correction of personal data in case of incomplete or incorrect processing and requesting notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Requesting the deletion or destruction of personal data if the reasons requiring its processing have disappeared, although it has been processed per the provisions of the law and other relevant laws, and requesting the notification of the transaction made within this scope to the third parties to whom the personal data has been transferred,
Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
You have the right to demand compensation for the damage in case of loss due to unlawful processing of personal data.

CONTACT INFORMATION

PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi

Central Registration System Number: 0729059988900001

Contact Link: info@phitech.bio

Address: Barış Neighborhood Dr. Zeki Acar Street No: 1/Gebze/Kocaeli

Commercial Electronic Message Approval Form

I declare that I explicitly approve the delivery of all promotional, campaign related and image enhancing messages and any kinds of commercial electronic messages containing data, audio and video sent for commercial purposes by PHITECH Bilişim Biyoteknoloji Danışmanlık Araştırma Geliştirme Sanayi ve Ticaret Anonim Şirketi (“PHITECH”) via telephone, call centers, fax, automatic call machines, smart voice recorder systems, electronic mail and short message service; keeping and processing communication data shared by me in the service provider’;s information system; recording all the commercial electronic content and other records in order to be shared with Ministry of Customs and Trade by being informed that I am entitled to opt out the delivery of commercial electronic messages by using the exit / reject option to be provided by PHITECH in every electronic message at any time and without any justification within the scope of Law on the Regulation of Electronic Commerce numbered 6563.

Protection of Personal Data

Technical Measures Taken to Ensure Legal Processing of Personal Data

Administrative Measures Taken to Ensure Legal Processing of Personal Data