1.1 Introduction

Letgen Biotechnology Laboratory Products Foreign and Domestic Trade Limited Company (“Company”) attaches utmost importance to protecting the fundamental rights and freedoms of individuals, especially the privacy of private life regulated in Article 20 of the Constitution, in the protection and processing of personal data. In this context, it takes care to protect and process personal data in accordance with the law pursuant to the Personal Data Protection Law No. 6698 (“Law” or “PDPL”), and acts with this understanding in all its planning and activities.

Our Company does not evaluate the protection and processing of personal data, which is the basis of the privacy of private life, only within the scope of compliance with the legislation, but puts the value it gives to people at the basis of its approach. Acting with this awareness, our Company takes all necessary administrative and technical measures to protect and process personal data in accordance with the law.

1.2 Purpose of the Policy

The purpose of the Personal Data Protection and Processing Policy (“Policy”) is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life regulated in Article 20 of the Constitution, to the maximum extent in the protection and processing of personal data processed by fully or partially automatic means or by non-automatic means provided that it is a part of any data recording system, in accordance with the purpose of the Law, and to inform personal data owners (related person) about the obligations of our Company and the procedures and principles it will comply with in accordance with the Law. In line with the purpose of the Policy, it is aimed to ensure full compliance with the legislation in the personal data protection and processing activities carried out by our Company and to protect the right of personal data owners to privacy and data security.

1.3 Scope of the Policy

This Policy; It has been prepared for Employee Candidate, Service Provider Employee, Service Provider Officer, Service Provider, Occupational Safety Specialist, Workplace Doctor, Customer, Customer Employee, Customer Officer, Company Shareholder/Partner, Company Officer, Supplier, Supplier Employee, Supplier Officer, Third Party (Reference Person), provided that they are real persons, and will be applied within the scope of these specified persons. The Company informs these personal data owners about the Law by publishing this Policy on its website. This Policy will not be applied to legal entities, regardless of their title. The “Personal Data Processing Policy for Employees” will be applied for our company employees.

This Policy shall apply to the above-mentioned data subjects in cases where their personal data is processed by our Company wholly or partially through automated means, or by non-automated means provided that they form part of any data recording system. If the data does not fall within the scope of “Personal Data” as defined below, or if the personal data processing activity carried out by our Company is not performed through the methods specified above, this Policy shall not apply.

1.4 Definitions

The concepts used in the implementation of this Policy shall have the meanings set out below:

Explicit Consent	It is consent that is informed, given freely, and expressed with respect to a specific subject.
Publicization	The concept of “making public,” referred to as disclosure, is listed in Article 5 of Law No. 6698 as one of the exceptions to the requirement of obtaining the explicit consent of the data subject for the processing of personal data.
Obligation to Inform	It is the obligation of the data controller to inform data subjects about who processes their personal data, for what purposes, on which legal grounds, and to whom and for what purposes such data may be transferred.
Related User	Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
Destruction	It refers to the deletion, destruction or anonymization of personal data.
Processing of Personal Data	It is any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.
Personal Data Protection Board	It is the Personal Data Protection Board.
Relevant Person / Personal Data Owner	It refers to the Employee Candidate, Service Provider Employee, Service Provider Official, Service Provider, Occupational Safety Specialist, Workplace Physician, Customer, Customer Employee, Customer Official, Company Shareholder/Partner, Company Official, Supplier, Supplier Employee, Supplier Official and Third Parties (Reference Person) whose Personal Data (including special personal data) are processed.
Personal Data	It is any information relating to an identified or identifiable natural person.
Organisation	It is the Personal Data Protection Authority consisting of the Board and the Presidency.
Automatic Data Processing	It is a processing activity that is carried out automatically by devices with processors such as computers, phones, watches, etc., without human intervention, within the scope of algorithms prepared in advance through software or hardware features.
Special Personal Data	Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special data.
Record	It is the Registry of Data Controllers.
Company / Our Company	Letgen Biyoteknoloji Laboratuvar Ürünleri İç ve Dış Ticaret Limited Şirketi
Data Processor	A natural or legal person who processes Personal Data on behalf of the data controller based on the authority granted by the data controller.
Data Recording System	It refers to the recording system in which Personal Data is structured and processed according to certain criteria.
Data Category	It is the personal data class of the data subject group or groups in which personal data are grouped according to their common characteristics.
Data Subject Group	It is the relevant person group whose personal data is processed by the data controller.
Data Controller	It is the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system.

1.5 Enforcement of the Policy

The Policy, which was prepared by Letgen Biotechnology and entered into force on 08/02/2022, is published on the Company’s website (www.letgenbio.com) and made available to relevant persons.

2. PROTECTION OF PERSONAL DATA

2.1 Security of Personal Data

Our Company takes all kinds of administrative and technical measures to ensure the appropriate level of security in order to securely store personal data in accordance with the Law and to prevent the unlawful processing and access of personal data. The administrative and technical measures taken regarding the security of personal data are regulated in detail in our Company’s Personal Data Storage and Destruction Policy.

Our Company has established a “Personal Data Protection Management System” to ensure that actions are taken in accordance with the Law and other legislation, and has established a Personal Data Protection Committee within its organization to ensure the implementation of the Policy and other related policies within this scope.

2.2 Audit

Our Company carries out and has the necessary audits carried out in order to ensure the establishment of data security described above and the regularity and continuity of the measures taken. The Personal Data Protection Committee audits the measures taken for the security of personal data.

2.3 Confidentiality

Our Company takes all necessary administrative and technical measures, according to technological possibilities and application costs, to ensure that the relevant data controllers and data processors do not disclose the personal data they have to others in violation of the Law and Policy provisions and do not use them for purposes other than processing. In this context, information and training activities are carried out for company employees about the Law and Policy, and confidentiality agreements are signed as part of the recruitment processes of the relevant employees.

2.4 Unauthorized Disclosure of Personal Data

If the personal data processed by our Company is obtained by others through unlawful means, our Company will carry out the necessary procedures to notify the relevant person and the PDPL Board within the periods determined by the PDPL Board. If deemed necessary by the PDPL Board, this situation will be announced on the PDPL Board’s website or by another method deemed appropriate by the PDPL Board.

2.5 Observing the Legal Rights of Relevant Persons

Our Company observes all legal rights of relevant persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

2.6 Protection of Special Categories of Personal Data

The data of individuals regarding their race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special categories of personal data. Our Company is aware that special categories of personal data are data that may cause the relevant person to be victimized or discriminated against if learned by others, and therefore takes the necessary measures determined by the Board with sensitivity to protect such personal data processed in accordance with the law. Within this framework; It has a systematic, clearly defined, manageable and sustainable separate policy (Security Policy for Special Categories of Personal Data) and procedure.

3. PROCESSING AND TRANSFER OF PERSONAL DATA

3.1 General Principles in Processing and Transferring Personal Data

Personal data is processed by our Company in accordance with the procedures and principles stipulated in the Law and this Policy. Our Company complies with the following principles when processing personal data.

3.1.1 Compliance with the Law and Honesty Rules

Our Company processes personal data in accordance with the relevant legislation and the requirements of the rule of honesty and uses it within these limits. In accordance with the principle of compliance with the rule of honesty, our Company takes into account the interests and reasonable expectations of the relevant persons while trying to achieve its goals in data processing. It acts in a way that prevents the emergence of results that the relevant person does not expect and does not need to expect. In accordance with the principle, it also ensures that the data processing activity in question is transparent for the relevant person; acts in accordance with information and warning obligations.

3.1.2 Being Accurate and Up-to-Date When Necessary

Our Company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of the relevant persons. In this context, it carefully considers issues such as determining the sources from which the data is obtained, confirming its accuracy, and evaluating whether it needs to be updated. In accordance with its active due diligence obligation, our Company always keeps channels open to ensure that the information of the personal data owner is accurate and up-to-date. Keeping personal data accurate and up-to-date is necessary for the protection of the fundamental rights and freedoms of the relevant person, as well as protecting the interests of our Company.

3.1.3 Being Processed for Specific, Clear and Legitimate Purposes

Our Company clearly and precisely determines the purpose of data processing and ensures that this purpose is legitimate. The legitimacy of the purpose means that the personal data processed by our Company is related to the work it does or the service it provides and is necessary for them. Our Company does not process data for purposes other than these purposes. In this respect, it shows sensitivity to compliance with the principle of clarity and explicitness in legal transactions and texts in which personal data processing purposes are explained.

3.1.4 Being Relevant, Limited and Measured to the Purpose for Which They Are Processed

Our Company pays attention to ensuring that the processed personal data is suitable for the realization of the determined purposes and avoids processing data that is not related to the realization of the purpose or is not needed. Our Company does not collect or process personal data for purposes that do not currently exist and are expected to occur later. In order to process data to meet potential needs that may arise later, it fulfills the processing conditions regulated in the Law as if it were starting processing for the first time. In addition, it keeps the processed data limited to what is necessary for the realization of the purpose. Within the scope of the principle of proportionality, it establishes a reasonable balance between data processing and the purpose desired to be achieved.

3.1.5 Being Stored for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for Which They Are Processed

Our Company complies with these periods if there is a period stipulated in the relevant legislation for the storage of data; otherwise, it stores personal data only for the period necessary for the purpose for which they are processed. If there is no valid reason for our Company to store personal data for a longer period, the data in question is deleted, destroyed or anonymized. The procedures regarding the storage and destruction of personal data are regulated in detail in our Company’s Personal Data Storage and Destruction Policy.

3.2 Conditions for Processing Personal Data

Our Company does not process personal data without the explicit consent of the relevant person. Personal data can only be processed without seeking the explicit consent of the relevant person if one of the following conditions exists:

3.2.1 Explicitly Stipulated in the Laws

Our Company may process personal data without seeking the explicit consent of the relevant person in cases explicitly stipulated by the laws.

3.2.2 It is Mandatory for the Protection of the Life or Bodily Integrity of the Person Who is Unable to Express His/Her Consent Due to Actual Impossibility or Whose Consent is Not Legally Valid, or of Another Person

Our Company may process personal data without seeking explicit consent in order to protect the life or bodily integrity of individuals in cases where consent cannot be expressed or is not valid.

3.2.3 Provided That It Is Directly Related to the Establishment or Performance of a Contract, It Is Necessary to Process the Personal Data of the Parties to the Contract

If it is necessary to process the personal data of the parties to the contract directly related to the establishment or performance of a contract, our Company may process the personal data of the relevant persons without seeking explicit consent, limited to this purpose, as required by the ordinary course of life.

3.2.4 It is Mandatory for Our Company to Fulfill Its Legal Obligation

Our Company may process the personal data of the relevant person without seeking explicit consent in cases where it is mandatory in order to fulfill its legal obligations as a data controller.

3.2.5 Being Publicized by the Relevant Person Himself/Herself

Our Company; It may process the personal data of the relevant persons that are publicized by themselves, in other words, disclosed to the public in any way, limited to the purpose of publicity, since it is accepted that the legal interest to be protected in the processing of such data, which has become known to everyone, has disappeared.

3.2.6 Data Processing is Mandatory for the Establishment, Use or Protection of a Right

Our Company may process the personal data of the relevant persons without seeking explicit consent in cases where data processing is mandatory for the use or protection of a legally legitimate right.

3.2.7 It Is Mandatory to Process Data for the Legitimate Interests of Our Company, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Relevant Persons

Our Company may process the personal data of the relevant persons in cases where it is mandatory to process personal data in order to ensure the legitimate interests of the relevant persons, provided that it does not harm the fundamental rights and freedoms protected under the Law and Policy. Our Company shows the necessary sensitivity in complying with the basic principles regarding the protection of personal data and in ensuring the balance of interests between our Company and personal data owners. Legitimate interest means; It is a legitimate, effective, specific and currently existing interest that can compete with the fundamental rights and freedoms of the relevant person. Our Company takes additional protective measures to ensure that the rights of the relevant person are not harmed. A reasonable balance is ensured between the interests of our Company and the fundamental rights and freedoms of the relevant person.

3.3 Conditions for Processing Special Categories of Personal Data

Our Company does not process special categories of personal data without the explicit consent of the relevant person. Special categories of personal data can only be processed without seeking the explicit consent of the relevant person if one of the following conditions exists:

3.3.1 Explicitly Stipulated in the Laws

Special categories of personal data other than the health and sexual life of the relevant person may be processed without seeking the explicit consent of the relevant person in cases explicitly stipulated by the laws.

3.3.2 For the Purpose of Protecting Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services, Planning and Management of Health Services and Financing

Special categories of personal data regarding the health and sexual life of the relevant person may be processed by persons or authorized institutions and organizations under the obligation of confidentiality for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

3.4 Conditions for Transferring Personal Data

Our Company may transfer personal data to third parties by taking the necessary security measures, based on one or more of the personal data processing conditions specified below and limited to them, in accordance with Article 8 of the Law:

The explicit consent of the data subject,
There is a clear regulation in the laws regarding the transfer of personal data,
When the transfer of personal data is mandatory to protect the life or physical integrity of the data subject or another person, and the data subject is unable to give consent due to actual impossibility or their consent is not deemed legally valid,
When it is necessary to transfer the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of that contract,
When the transfer of personal data is mandatory for our Company to fulfill its legal obligation,
When personal data has been made public by the data subject,
When the transfer of personal data is mandatory for the establishment, exercise, or protection of a right,
When the transfer of personal data is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the data subject.
Special categories of personal data may be transferred on a limited basis and subject to adequate safeguards, based on one of the following conditions:
The explicit consent of the data subject,
If the special categories of personal data concern matters other than the data subject’s health and sexual life, there must be an explicit provision in the law regarding their transfer.
If the special categories of personal data concern the data subject’s health and sexual life, such data may be transferred by persons under a duty of confidentiality or by authorized institutions and organizations for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of healthcare services and their financing.

3.4.1 Conditions for Transferring Personal Data Abroad

Our Company may transfer personal data abroad based on the explicit consent of the data subject, in accordance with Article 9 of the Law, while taking the necessary security measures.

However, if one of the conditions set out in Article 5(2) and Article 6(3) of the Law exists, and without prejudice to the provisions of international agreements to which Türkiye is a party, our Company may transfer personal data without seeking the explicit consent of the data subject only to foreign countries declared by the DPA Board to have adequate protection, or, in the absence of adequate protection, to foreign countries where the data controllers in Türkiye and in the relevant foreign country have committed in writing to provide adequate protection and have obtained the DPA Board’s permission.

4. CATEGORIES OF PERSONAL DATA AND GROUPS OF DATA SUBJECTS

4.1 Categories of Personal Data

Personal data are processed by our Company categorized as follows:

Identity	Data containing information on the identity of personal data subjects: Full name, Turkish ID number, marital status, parents’ full names, place and date of birth, and other identity details, and copies of driving licenses, national ID cards, and passports containing such information; tax number, social security number, signature information, etc.
Contact	Contact information of personal data subjects: Phone number, address, email address, registered email address (KEP), fax number, etc.
HR/Personnel	Data processed to obtain information that will form the basis for protecting the personnel rights of personal data subjects: CV, title information; employment entry/exit records; social security/retirement information, payroll information, asset declaration information, information in disciplinary investigation and performance evaluation reports, etc.
Legal Transaction	Data processed within the scope of determining and pursuing the Company’s legal receivables and rights, fulfilling its debts, and legal obligations: Power of attorney information, court and administrative authority decisions, information in correspondence with judicial authorities, information in case files, etc.
Finance	Personal data processed regarding information, documents, and records showing the outcome of any financial relationship established by the Company with personal data subjects, and bank account information, credit information, balance sheet information, financial profile, assets and insurance information, etc.
Professional Experience	Diplomas, transcripts, education/course/certification information, driver’s license information, foreign language proficiency, reference information, etc., recorded during recruitment and thereafter.
Visual and Audio Records	Photographs, camera and audio recordings that can be obtained outside the scope of physical premises security, and other documents to which these data are transferred: Photos attached to forms, video interview and meeting recordings, etc.
Location	Personal data that generally indicate the location of the data subject: Place of leave usage, etc.
Transaction Security	Personal data processed regarding the technical, administrative, legal, and commercial security of both the personal data subject and the Company during Company operations: IP address information, website access (traffic) data, internet access logs, password and passcode information, etc.
Family Members and Relatives Information	Refers to identity and contact data related to the employee’s family members.
SPECIAL CATEGORIES OF PERSONAL DATA
Criminal Convictions and Security Measures	Documents containing information on criminal convictions and security measure decisions regarding personal data subjects: Criminal record checks.
Health Information	Health data belonging to personal data subjects: Examination information, medical reports, disability status, medical leaves, blood type information, etc.

4.2 Groups of Data Subjects

Only natural persons can benefit from the protection of this Policy and the Law. The personal data subjects within this scope are grouped as follows:

Job Applicant	Natural persons who have applied for a job with our Company by any means or who have made their CV and related information available for our Company’s review.
Customer	Natural persons who procure services by establishing a service contract relationship with our Company.
Customer Representative	Natural person representatives of legal entities or natural persons who procure services by establishing a service contract relationship with our Company.
Customer Employee	Identified/identifiable employees of natural or legal persons who procure services by establishing a service contract relationship with our Company.
Service Provider	Natural persons who are independent of our Organization, who are not included in the Customer and Supplier groups, but with whom our Organization has a business relationship or cooperation and who provide services to our Company.
Service Provider Employee	Natural person employees of natural or legal persons who are independent of our Organization, who are not included in the Customer and Supplier groups, but with whom our Organization has a business relationship or cooperation and who provide services to our Company.
Service Provider Representative	Natural person representatives of natural or legal persons who are independent of our Organization, who are not included in the Customer and Supplier groups, but with whom our Organization has a business relationship or cooperation and who provide services to our Company.
Company Shareholder/Partner	Persons who are shareholders of Letgen Biotechnology Laboratory Products Domestic and Foreign Trade Limited Company.
Occupational Physician	Natural persons, or natural person employees or representatives of legal entities, who provide medical services under the service agreement concluded with our Company.
Occupational Safety Specialist	Natural persons, or natural person employees or representatives of legal entities, who provide occupational health and safety consultancy services under the service agreement concluded with our Company.
Company Representative	Refers to natural persons legally authorized to act on behalf of our Company.
Supplier	Natural persons who provide inputs or products to our Company to offer a product or service.
Supplier Representative	Representatives of natural or legal persons who provide inputs or products to our Company to offer a product or service.
Supplier Employee	Identified/identifiable employees of natural or legal persons who provide inputs or products to our Company to offer a product or service.
Third Parties (Reference Person)	Natural persons indicated as references during job applications by Job Applicants and who have no relationship with our Company.

5. METHOD AND LEGAL BASIS FOR COLLECTING PERSONAL DATA

5.1 Method of Collecting Personal Data

For the purposes set out in Article 6.1, our Company collects personal data, in whole or in part by automated or non-automated means, in any verbal, written, or electronic medium, through but not limited to the following channels:

Documents,
Verbal Communication,
Physical Examination,
System-based
Email,
Telephone,
Mail,
Fax, etc.

5.2 Legal Basis for Collecting Personal Data

Our Company collects personal data on the basis of one of the following legal grounds pursuant to Articles 5 and 6 of the Law:

The explicit consent of the data subject,
Explicitly stipulated by law;
The personal data being made public by the data subject,
Provided that it is directly related to the establishment or performance of a contract, processing personal data of the parties to the contract is necessary,
It is mandatory for our Company to fulfill its legal obligation,
It is mandatory for the establishment, exercise, or protection of a right,
Provided that it does not harm the fundamental rights and freedoms of the data subject, processing is mandatory for our Company’s legitimate interests.

6. PURPOSES OF PROCESSING PERSONAL DATA

6.1 Mapping the Processing Purposes to Personal Data Categories for Groups of Data Subjects

The mapping of processing purposes to the personal data categories of the groups of data subjects defined and scoped above is presented below: (Natural persons may be included in only one group.)

Job Applicant

Data Categories: Identity, Contact, Professional Experience, Visual and Audio Records, HR/Personnel

Third Parties (Reference Person)

Data Categories: Identity, Contact

Processing Purposes: Processed for the purposes of conducting employee/intern recruitment and placement processes, managing job application processes of candidates, conducting/overseeing business activities, planning human resources processes, conducting employee/intern recruitment and placement processes, managing job application processes of candidates, conducting/overseeing business activities, planning human resources processes, and conducting reference processes.

Company Shareholder/Partner

Data Categories: Identity, Contact, Finance, Legal Transaction

Processing Purposes: Processed for the purposes of conducting activities in compliance with legislation, carrying out finance and accounting affairs, following and conducting legal affairs, fulfilling tax obligations, conducting/overseeing business activities, providing information to authorized persons, institutions and organizations, and conducting management activities.

Company Representative

Data Categories: Identity, Contact

Processing Purposes: Processed for the purposes of fulfilling employment/legislative obligations for employees, conducting audit/ethics activities, managing access authorizations, conducting activities in compliance with legislation, carrying out invoicing activities, conducting finance and accounting affairs, managing assignment processes, following and conducting legal affairs, planning human resources processes, conducting/overseeing business activities, conducting procurement processes for goods/services, conducting sales processes for goods/services, conducting after-sales support services, performing customer reconciliations, managing contract processes, ensuring the security of movable property and resources, carrying out supply chain management processes, performing supplier reconciliations, providing information to authorized persons, institutions and organizations, and conducting management activities.

Customer

Data Categories: Identity, Contact, HR/Personnel, Finance, Legal Transaction

Processing Purposes: Processed for the purposes of conducting activities in compliance with legislation, carrying out invoicing activities, conducting finance and accounting affairs, managing loyalty processes for companies/products/services, following and conducting legal affairs, conducting communication activities, conducting/overseeing business activities, managing business continuity activities, conducting logistics activities, conducting goods/services sales activities, carrying out after-sales support activities, conducting goods/services sales processes, managing customer relationship processes, conducting activities relating to customer satisfaction, performing customer reconciliations, conducting marketing analysis studies, managing contract processes, conducting strategic planning activities, fulfilling tax obligations, and providing information to authorized persons, institutions and organizations.

Customer Representative