Protection of Personal Data

PİSSARDE COSMETIC INDUSTRY AND TRADE. A.Ş COMPANY PERSONAL DATA
CONSERVATION AND PROCESSING POLICY 2022
PART 1
1.1. INTRODUCTION

Protection of personal data, PİSSARDE KOZMETIK SAN. VE TİC. Inc. Company’s
(“PİSSARDE” or “Company”) is among the most important priorities and is in force in this regard.
It strives to comply with all applicable laws and regulations. In this PİSSARDE
Company’s Personal Data Protection and Processing Policy (“Policy”)
In the execution of personal data processing activities carried out by our company
principles adopted and the data processing activities of our Company
Adopted in terms of compliance with the regulations in the Law on the Protection of
the basic principles are explained so that our Company informs the personal data owners.
provides the necessary transparency. With full awareness of our responsibility in this context, personal
Your data is processed and protected within the scope of this Policy.

1.2 Kapsam

This Policy; Wholly or partially automatic
or by non-automatic means, provided that they are part of any data recording system.
regarding all personal data processed. Regarding the protection of personal data of our employees
The activities carried out by PİSSARDE, on the other hand, are written in parallel with the principles in this Policy.
PİSSARDE Employees are under the Protection and Processing of Personal Data Policy.
is managed. By our company, PİSSARDE employee candidates or PİSSARDE
Personal data processing activities carried out for the employees of the Group Companies
for details, respectively, at https://www.pissarde.com. located at PİSSARDE. Worker
Candidates’ Personal Data Protection and Processing Policy and PİSSARDE Community
Employees can be accessed from the Personal Data Protection and Processing Policy.

1.3 Implementation of the Policy and Relevant Legislation Processing and protection of personal data
The relevant legal regulations in force on the subject will primarily find application.
In case of incompatibility between the current legislation and the Policy,
Our company accepts that the current legislation will find an application area. policy, relevant
by concretizing the rules set forth by the legislation within the scope of Company practices,
organizes.

1.4 Enforcement of the Policy The effective date of this Policy is 01.01.2022.

SECTION 2
ISSUES RELATING TO THE PROTECTION OF PERSONAL DATA

2.1. Ensuring the Security of Personal Data Our company complies with Article 12 of the Law.
unlawful disclosure, access, transfer or other
In order to prevent security deficiencies that may occur in different ways, the data to be protected
takes the necessary measures according to its nature. In this context, our Company collects Personal Data
required in accordance with the guidelines published by the Protection Board (“Board”).
takes administrative measures to ensure the level of security, makes inspections or
is making.

2.2. With the Law on the Protection of Private Personal Data, some personal data are legally enforced.
because of the risk of causing victimization or discrimination of persons when committed in violation of
special attention has been given. These data are; race, ethnicity, political thought, philosophical belief, religion, sect
or other beliefs, dress, association, foundation or union membership, health, sexual life,
data on criminal convictions and security measures, as well as biometric and genetic data.
In accordance with the law, determined by PİSSARDE as “special quality” with the Law.
We are sensitive about the protection of sensitive personal data processed. This
In this context, technical and administrative information taken by PİSSARDE for the protection of personal data.
measures are carefully applied in terms of special quality personal data and PİSSARDE
necessary controls are provided. Regarding the processing of special categories of personal data
Detailed information can be found in 3.3 of this Policy. In the section (“Processing of Special Categories of Personal Data”)
place is given.

2.3. Awareness of Business Units on the Protection and Processing of Personal Data
Increasing and Controlling PİSSARDE, the unlawful processing of personal data,
to prevent unlawful access to data and to protect personal data
Providing the necessary trainings to the business units in order to increase the awareness of
provides regulation. Protection of personal data of PİSSARDE employees
Necessary systems are established to raise awareness about
works with consultants if heard. In this direction, our company attends the relevant trainings,
evaluates participation in seminars and information sessions and
It updates and renews its trainings in parallel with the updating of the legislation.

CHAPTER 3
MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

3.1. Processing of Personal Data in Compliance with the Principles Established in the Legislation

3.1.1. Processing in Compliance with the Law and the Rule of Integrity PİSSARDE, in the processing of personal data
Acting in accordance with the principles brought by legal regulations and the general rule of trust and honesty
is doing. In this context, personal data is collected to the extent required by our Company’s business activities and
limited to these.

3.1.2. Ensuring Personal Data Are Accurate and Up-to-Date When Necessary PİSSARDE
takes the necessary measures to ensure that the data is accurate and up-to-date throughout the period of processing, and
necessary to ensure the accuracy and up-to-dateness of personal data for certain periods.
establish mechanisms.

3.1.3. Processing for Specific, Explicit and Legitimate Purposes
clearly reveals its objectives and, again, in line with its business activities,
operates for related purposes.

3.1.4. Being Relevant, Limited and Measured to the Purpose for which they are Processed PİSSARDE
collects only in the quality and extent required by the business activities and for the determined purposes.
works on a limited basis.

3.1.5. For the period foreseen in the relevant legislation or required for the purpose for which they are processed.
Preservation
It preserves it for the minimum period stipulated in the legal legislation to which the activity is subject.
In this context, our Company primarily provides a period of time for the storage of personal data in the relevant legislation.
determines whether or not it is foreseen, and if a period is determined, it is suitable for this period.
is behaving. If there is no legal period, personal data is necessary for the purpose for which they are processed.
is stored for the given time. Personal data at the end of the specified retention periods
in accordance with the periodic destruction periods or the data subject application and the determined destruction
methods (deletion and/or destruction and/or anonymization).

3.2. Conditions of Processing of Personal Data Except for the express consent of the personal data owner, personal data
The basis of the data processing activity may be only one of the conditions stated below.
more than one condition may also be the basis of the same personal data processing activity. operand
In case the data is special quality personal data, title 3.3 of this Policy (“Special Quality Personal Data”)
“Processing of Personal Data”) will be applied.

I.      Explicit Consent of the Personal Data Owner One of the conditions for the processing of personal data
one is the explicit consent of the data subject. The explicit consent of the personal data owner to a specific issue
should be disclosed on the basis of information and free will. place below
In case of existence of personal data processing conditions, the explicit consent of the data owner is required.
personal data can be processed without
ii.     Explicitly Provided in Laws The personal data of the data owner is expressly stipulated in the law.
If it is foreseen, in other words, regarding the processing of personal data in the relevant law.
If there is an express provision, the existence of this data processing condition is mentioned.
can be done.
iii.     Failure to Obtain the Explicit Consent of the Related Person Due to the Cause of Actual Impossibility Actual Impossibility
incapable of expressing his or her consent due to
life or body of the person himself or another person who cannot be recognized
If the processing of personal data is necessary to protect its integrity, the data
personal data of the owner can be processed.

iv.    Being Directly Related to the Establishment or Performance of the Contract To which the data owner is a party
provided that it is directly related to the conclusion or performance of a contract,
If the processing of personal data is necessary, this condition has been fulfilled.
can be counted.
v.    Fulfilling the Legal Obligation of the Company
In case the processing is necessary for the fulfillment of its obligations, the data owner
personal data can be processed.
vi.    Making Personal Data Public by the Personal Data Owner
If it has been made public, the relevant personal data will be limited to the purpose of making it public.
can be processed.
vii.    Obligatory Data Processing for the Establishment or Protection of a Right Establishment of a right,
If data processing is necessary for the use or protection of data, the personal data of the data owner
data can be processed.
viii.    Obligatory Data Processing for the Legitimate Interest of Our Company Personal data owner
Data for the legitimate interests of our Company, provided that it does not harm fundamental rights and freedoms.
Personal data of the data owner may be processed if it is necessary to process it.

3.3. Processing of Special Quality Personal Data Special quality personal data Our Company
in accordance with the principles set forth in this Policy and to be determined by the Board.
By taking all necessary administrative and technical measures, including the following methods,
processed in the presence of conditions:

(i) Special categories of personal data, excluding health and sexual life, are clearly stated in the law.
In other words, in the law to which the related activity is subject, personal data
express consent of the data subject in case there is an express provision regarding the processing
can be processed without a call. Otherwise, the special categories of personal data
For the processing, the explicit consent of the data owner will be obtained.

(ii) Personal data of special nature regarding health and sexual life, protection of public health,
preventive medicine, medical diagnosis, treatment and care services, health
secrecy for the purpose of planning and managing its services and financing
by persons or authorized institutions and organizations under the obligation of
may be processed without consent. Otherwise, the special quality personal
In order for the data to be processed, the explicit consent of the data owner will be obtained.

3.4. Disclosure of Personal Data Owner PİSSARDE, Article 10 of the Law and secondary
informs the personal data owners in accordance with the legislation. In this context, PİSSARDE,
By whom, as the data controller, for what purposes personal data is processed, which
with whom it is shared for the purposes, by what methods it is collected and the legal reason and data
regarding the rights of the owners within the scope of the processing of their personal data.
informs people.

3.5. Data Processed by PİSSARDE Group Companies
Processing of the activities of PİSSARDE Group Companies by the group principle, target
and in accordance with its strategies, PİSSARDE Group Companies’ rights and
by PİSSARDE Group Companies in order to protect its interests and reputation.
Personal data being processed can also be processed by PİSSARDE. PİSSARDE
Data sharing between Group Companies and PİSSARDE within the scope of the Law.
In case of personal data transfer from the controller to the data controller,
the relevant PİSSARDE Group Company, at the stage of collecting personal data,
It enlightens the person concerned that it can be sent to PİSSARDE.

3.6. Transfer of Personal Data Our company’s legal personal data processing purposes
by taking the necessary security measures in line with the personal data of the personal data owner and
Sensitive personal data to third parties (third party companies, public and private authorities,
third real persons). Our company is in line with this in Article 8 of the Law.
complies with the stipulated regulations.

3.6.1 Transfer of Personal Data Even without the explicit consent of the personal data owner,
required by our Company in case one or more of the specified conditions are present.
with due care and all necessary safety measures, including the methods prescribed by the Board.
Personal data may be transferred to third parties by taking precautionary measures.

• The relevant activities regarding the transfer of personal data are clearly stipulated in the laws,
• With the establishment or performance of a contract, the transfer of personal data by the Company
be directly relevant and necessary,
• In order for our Company to fulfill its legal obligation of transferring personal data,
be mandatory,
• For the purpose of making the personal data public, provided that the personal data has been made public by the data subject.
transferred by our Company in a limited way,
• The transfer of personal data by the Company or the data owner or third party
it is compulsory for the establishment, use or protection of the rights of persons,
• The Company is legitimate, provided that it does not harm the fundamental rights and freedoms of the data owner.
It is mandatory to carry out personal data transfer activities for their interests,
• Those who are unable to express their consent due to actual impossibility or
the life or bodily integrity of the unrecognized person or another person
mandatory for protection. In addition to the above, personal data is deemed sufficient by the Board.
to foreign countries declared to have protection (“Foreign Country with Sufficient Protection”)

can be transferred in the presence of any of the above conditions. adequate protection
in case of absence, in line with the data transfer conditions stipulated in the legislation.
Data controllers in Turkey and in the relevant foreign country must provide an adequate protection in writing.
to foreign countries to which it has committed and authorized by the Board (“Commitment to Adequate Protection”).
Foreign Country where the Data Controller is located”).

3.6.2 Transfer of Special Quality Personal Data Special quality personal data Our Company
in accordance with the principles set forth in this Policy and to be determined by the Board.
By taking all necessary administrative and technical measures, including the following methods,
can be transferred if the conditions exist:

(i) Special categories of personal data, excluding health and sexual life, are clearly stated in the law.
In other words, it is clearly stated in the law regarding the processing of personal data.
In case of a provision, it can be processed without the explicit consent of the data owner. Opposite
In this case, the explicit consent of the data owner will be obtained.
(ii) Personal data of special nature regarding health and sexual life, protection of public health,
preventive medicine, medical diagnosis, treatment and care services, health services
for the purpose of planning and managing the financing of
It can be processed by individuals or authorized institutions and organizations without seeking explicit consent. Opposite
In this case, the explicit consent of the data owner will be obtained. In addition to the above, personal data
In the case of any of the above conditions, foreign countries with protection
can be transferred. In the absence of adequate protection, the data stipulated in the legislation
Data Controller Undertaking Adequate Protection in line with the transfer conditions
It can be transferred to foreign countries.

. 4. SECTION 4
– PERSONAL DATA PROCESSED BY OUR COMPANY
CATEGORIZATION AND PURPOSE OF PROCESSING

Before our company, relevant persons in accordance with Article 10 of the Law and secondary legislation
In line with the personal data processing purposes of our Company, the 5th and 6th paragraphs of the Law
Based on and limited to at least one of the personal data processing conditions specified in Article
The principles set forth in Article 4 of the Law on the processing of personal data.
Personal data is processed in accordance with the general principles set forth in the Law.

5. CHAPTER 5
– STORAGE AND DISPOSAL OF PERSONAL DATA

Our company, the period required for the purpose for which personal data is processed and the subject of the relevant activity.
It is kept in accordance with the minimum periods stipulated in the legal legislation. This
In this context, our company primarily provides a period of time for the storage of personal data in the relevant legislation.
determines whether or not it is foreseen, and if a period is determined, it is suitable for this period.
is behaving. If there is no legal period, personal data is necessary for the purpose for which they are processed.
is stored for the given time. Personal data at the end of the specified retention periods
in accordance with the periodic destruction periods or the data subject application and the determined destruction
methods (deletion and/or destruction and/or anonymization).

CHAPTER 6
– RIGHTS OF PERSONAL DATA OWNERS AND THESE RIGHTS
USING
6.1. Rights of Personal Data Owners Personal data owners have the following rights:

(1) Learning whether personal data is processed or not,
(2) If personal data has been processed, requesting information about it,
(3) The purpose of processing personal data and whether they are used in accordance with the purpose
learning,
(4) To know the third parties to whom personal data is transferred in the country or abroad,
(5) Requesting correction of personal data in case of incomplete or incorrect processing
and to notify the third parties to whom the personal data has been transferred, of the transaction carried out in this context.
don’t want,
(6) Although it has been processed in accordance with the provisions of the law and other relevant laws,
deletion of personal data in the event that the reasons for its processing disappear or
requesting the destruction of the personal data and the process carried out in this context.
requesting people to be notified,

(7) By analyzing the processed data exclusively through automated systems,
to object to the emergence of a result against him,
(8) In case of damage due to unlawful processing of personal data,
don’t demand removal.

6.2. Exercise of Personal Data Owner’s Rights Personal data owners, in section 6.1 (“Personal Data
Data Owner’s Rights”), whose demands regarding the listed rights have been determined by the Board.
methods, to our Company. In this direction, https://www.pissarde.com.tr
From the “PİSSARDE Data Owner Application Form” available at
they can take advantage of.

6.3. Our Company’s Response to Applications Our company is authorized by the personal data owner.
necessary to finalize the applications to be made in accordance with the Law and secondary legislation.
takes administrative and technical measures. Personal data owner, in section 6.1 (“Personal Data
Owner’s Rights”) to our Company in accordance with the procedure.
In the event of a request, our Company will do so as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request.
will finalize the relevant request free of charge. However, the process also requires a cost.
In the event of an accident, a fee may be charged in accordance with the tariff determined by the Board.

CHAPTER 7
– SPECIAL SITUATIONS WHERE PERSONAL DATA IS PROCESSED

7.1. Building, Facility Entrances and Personal Data Processing Activities within the Building Facility
Website Visitors by PİSSARDE in order to ensure security,
Guest entrance with security camera monitoring activity in PİSSARDE buildings and facilities
Personal data processing activities are carried out for the follow-up of exits.
7.2. PİSSARDE Building, Facility Entrances and Monitoring with Camera Operated Inside
Its activities are carried out by PİSSARDE in order to ensure security in its buildings and facilities.
Camera monitoring activity in accordance with the Law on Security Services and related legislation
is being carried out. PİSSARDE, in order to ensure security in its buildings and facilities,
for the purposes stipulated in the relevant legislation and the personal data processing conditions listed in the Law.
engages in security camera monitoring activities. by PİSSARDE
In accordance with Article 10 of the Law, there are more than one camera surveillance activities.
With this method, the personal data owner is informed. In addition, PİSSARDE Holding is subject to Article 4 of the Law.
In accordance with the article, personal data is processed in a limited and measured way in connection with the purpose
the way it works. Monitoring activity with video camera by PİSSARDE
The purpose of maintaining it is limited to the purposes listed in this Policy. Accordingly, security
monitoring areas, number of cameras and when to monitor, to achieve the security purpose
It is implemented adequately and limitedly for this purpose. one’s privacy
in areas that may result in interference exceeding security objectives (for example,
toilets) are not subject to monitoring. In digital environment with live camera images
Only a limited number of PİSSARDE employees have access to recorded and maintained records.
are available. A limited number of people with access to the records accessed with a confidentiality agreement.
declares that it will protect the confidentiality of the data.

7.3. PİSSARDE Building, Facility Entrances and Guest Entrance Exits
Follow-up by PİSSARDE, to ensure security and for the purposes specified in this Policy,
Personal data for tracking guest entries and exits in PİSSARDE buildings and facilities
processing activity. Names of people who come to PİSSARDE buildings as guests
When obtaining and surnames or hung before PİSSARDE or in other forms of guests
In this context, the personal data owners in question through the texts made available to them.
they are illuminated. The data obtained for the purpose of tracking guest entry-exit is only
For this purpose, the related personal data is processed and the relevant personal data is entered into the data recording system in physical environment.
is recorded.

8. SECTION 8
– PİSSARDE HOLDİNG PROTECTION OF PERSONAL DATA AND
THE RELATIONSHIP OF THE PROCESSING POLICY WITH OTHER POLICIES

PİSSARDE, the personal data related to the principles set forth by this Policy
In addition to the sub-policies for internal use, PİSSARDE
It also creates basic policies for Group Companies. PİSSARDE’s internal policies
principles are reflected in the policies open to the public to the extent that they are relevant.
information and personal data processing activities carried out by PİSSARDE
It is aimed to ensure transparency and accountability.