Personal Data Protection and Processing

COVALENT LABS İLAÇ VE KOZMETİK ANONİM ŞİRKETİ

PERSONAL DATA PROTECTION AND PROCESSING POLICY

VERSION: 1.0 Effective Date: 18/12/2025

INTRODUCTION

1.1 General Statement

1.2 Purpose of the Policy

The purpose of this Personal Data Protection and Processing Policy ("Policy") is to inform data subjects about the procedures and principles the Company follows to protect and process personal data that are processed wholly or partly by automated means or form part of any filing system, in line with the objectives and principles of the GDPR. The Policy aims to ensure full compliance with applicable law in the Company's personal-data processing activities and to protect data subjects' rights to privacy and data security.

1.3 Scope

1.4 Definitions

Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data concerning them.

Making Public: The act of making information publicly available. Under the GDPR framework, processing of personal data made public by the data subject may be subject to specific considerations.

Information/Transparency Obligation: The obligation of the data controller to provide data subjects with information about who processes their personal data, for what purposes, on what legal basis, and to which recipients the data may be disclosed.

Data Processor (Data Handler): A natural or legal person who processes personal data on behalf of the data controller under the controller's authority.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the filing system.

Data Subject / Personal Data Owner: The natural person to whom the personal data relate.

Deletion/Erasure: The removal of personal data so that they are no longer accessible to data users.

Destruction: The rendering of personal data permanently inaccessible and irrecoverable.

Anonymisation: The process by which personal data are irreversibly masked, altered, aggregated or transformed such that the data can no longer be linked to an identifiable natural person.

Processing of Personal Data: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data (Sensitive Data): Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, data concerning a person's sex life or sexual orientation, or criminal convictions and offences, as defined in the GDPR.

Supervisory Authority: The independent public authority established under the GDPR in each Member State (referred to in this Policy as "Supervisory Authority" or "Data Protection Authority").

Filing System: Any structured set of personal data which are accessible according to specific criteria.

Data Category: A class of personal data grouped by common features or the group(s) of data subjects concerned.


1.5 Entry into Force

This Policy, adopted by Covalent Labs İlaç ve Kozmetik Anonim Şirketi on 18/12/2025, is published on the Company's website at www.covalentlabs.com.tr for access by data subjects.

PROTECTION OF PERSONAL DATA

2.1 Security of Personal Data

2.2 Audits

The Company conducts and commissions audits as necessary to verify the establishment, adequacy and continuity of the security measures described above. The Personal Data Protection Committee is responsible for monitoring and auditing the measures taken to secure personal data.

2.3 Confidentiality

The Company takes all reasonable administrative and technical measures, proportionate to available technologies and implementation costs, to ensure that data controllers and data processors do not disclose personal data in violation of applicable law or this Policy and do not use personal data for purposes other than those permitted. The Company organises awareness and training activities on the GDPR and this Policy for its employees and, where appropriate, requires confidentiality agreements to be signed as part of employment on-boarding.

2.4 Unauthorized Disclosure of Personal Data

If personal data processed by the Company are obtained by others through unlawful means, the Company shall take the necessary steps to notify the affected data subjects and the competent Supervisory Authority within the timeframes and procedures required by applicable law and will take remedial measures. Where required by the Supervisory Authority, and to the extent necessary, such incidents may also be made public by means deemed appropriate by the Supervisory Authority.

2.5 Respect for Data Subjects' Legal Rights

The Company respects data subjects' legal rights arising from this Policy and applicable data-protection law and takes necessary measures to protect those rights.

2.6 Protection of Special Categories of Personal Data

The Company recognises that special categories of personal data (sensitive data) such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data, sex life and sexual orientation, biometric and genetic data, criminal convictions and related security measures are particularly sensitive and may lead to discrimination or harm if disclosed. Accordingly, the Company processes such data only where lawful under the GDPR and takes heightened safeguards and additional protective measures. The Company maintains a separate policy and procedures for the security of special categories of personal data.

PROCESSING AND TRANSFER OF PERSONAL DATA

3.1 General Principles for Processing and Transfers

The Company processes personal data in accordance with the GDPR and the principles set forth in this Policy. In particular, the Company adheres to the following principles:

3.1.1 Lawfulness, Fairness and Transparency

The Company processes personal data lawfully, fairly and in a transparent manner in relation to the data subject. In doing so, the Company considers the interests and reasonable expectations of data subjects and takes care to avoid outcomes that data subjects would not reasonably expect. The Company ensures transparency regarding processing activities and fulfils information and warning obligations.

3.1.2 Accuracy and, Where Necessary, Keeping Data Up to Date

The Company takes reasonable steps to ensure personal data are accurate and, where necessary, kept up to date, taking into account the nature of the processing, the purposes and the risks to data subjects. The Company provides channels for data subjects to request correction and updates of their information.

3.1.3 Purpose Limitation

The Company determines and documents the purposes for which personal data are processed, ensures that those purposes are legitimate, and limits processing to what is relevant and necessary for them. Personal data will not be further processed in a manner incompatible with those purposes without a lawful basis.

3.1.4 Data Minimisation and Proportionality

The Company processes only the personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The Company does not collect personal data for hypothetical future needs without establishing a lawful basis for such processing.

3.1.5 Storage Limitation

The Company retains personal data no longer than necessary for the purposes for which the personal data are processed, in accordance with applicable law. Where retention is no longer required, data are erased, destroyed or anonymised in accordance with the Company's Data Retention and Erasure Policy.

3.2 Lawful Bases for Processing

The Company shall not process personal data without a lawful basis under the GDPR. Personal data may be lawfully processed where at least one of the lawful bases under Article 6 GDPR applies, including, as appropriate:

3.3 Processing of Special Categories of Personal Data

As a rule, the Company does not process special categories of personal data (sensitive data) except where one of the conditions under Article 9 GDPR applies. Such conditions may include:

3.4 Transfers of Personal Data

The Company may transfer personal data to third parties only to the extent necessary for the purposes set out in this Policy and only in compliance with the GDPR. Transfers of personal data to a third country or international organisation are made only on the basis of one of the following:

  • an adequacy decision adopted by the European Commission (Article 45 GDPR);
  • appropriate safeguards (Article 46 GDPR), such as standard contractual clauses adopted or approved by the Commission, binding corporate rules, or other approved safeguards;
  • specific derogations for specific situations (Article 49 GDPR), where none of the above mechanisms are applicable (e.g., the data subject's explicit consent, performance of a contract, important public interest, etc.).

CATEGORIES OF PERSONAL DATA AND DATA SUBJECT GROUPS

4.1 Categories of Personal Data

4.2 Data Subject Groups

METHODS OF PERSONAL DATA COLLECTION

5.1 Methods of Collection

PURPOSES OF PROCESSING PERSONAL DATA

6.1 Mapping of Data-Subject Groups to Data Categories and Processing Purposes

6.2 Online Processing Activities

Traffic data of online visitors to the Company's website are processed automatically for information-security purposes. The retention of such data may also be subject to national rules on the retention of internet traffic and related obligations. Detailed information on website processing is published on the Company's website.

6.3 Communications Channels

Communications via call centres, post, e-mail and similar channels may be recorded and monitored by the Company for the purposes of operational management, oversight and complaint/request tracking. Data subjects are expected to use these channels primarily for business-related communication.

PURPOSES AND RECIPIENTS OF PERSONAL DATA TRANSFERS

7.1 Purposes of Transfers

7.2 Recipients

ERASURE AND RETENTION PERIODS

8.1 Erasure and Destruction

8.2 Retention Periods

The Company retains personal data in accordance with statutory retention periods provided by law and, where no statutory period exists, for as long as necessary to fulfil the processing purpose in accordance with the Company's Data Retention and Erasure Policy. After expiry of the retention period, personal data are periodically erased, destroyed or anonymised.

DATA SUBJECT INFORMATION AND RIGHTS UNDER THE GDPR

9.1 Information to Data Subjects

In accordance with Article 13 GDPR, the Company provides data subjects with the following information at the time personal data are collected: the identity and contact details of the Company's representative (if any), the purposes of the processing, the legal basis for processing, the recipients or categories of recipients of the personal data, the data retention period or the criteria used to determine that period, the data subject's rights under the GDPR, and the means by which data subjects can exercise those rights.

9.2 Situations Where This Policy or Certain Provisions May Not Apply

9.3 Data Subject Rights under the GDPR

The Company informs data subjects of their rights under Articles 15–22 and related provisions of the GDPR and provides practical means to exercise those rights. The primary rights include:

  • The right to be informed whether and which personal data concerning them are being processed (access).
  • The right to access the personal data and to receive information about the purposes of processing, categories of personal data, recipients, retention period, and other information.
  • The right to obtain rectification of inaccurate or incomplete personal data.
  • The right to erasure ('right to be forgotten') where the conditions of Article 17 GDPR are met.
  • The right to restriction of processing under Article 18 GDPR.
  • The right to data portability under Article 20 GDPR where processing is based on consent or contract and carried out by automated means.
  • The right to object to processing based on legitimate interests or for direct marketing purposes (Article 21 GDPR).
  • The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except as permitted by Article 22 GDPR.
  • The right to seek compensation for damage caused by unlawful processing.

Requests concerning the exercise of these rights may be submitted via the request form available on the Company's website at www.covalentlabs.com.tr and may be delivered in person, by registered mail, by notary, or by secure electronic means where recognized under applicable law (for example, methods providing appropriate authentication such as qualified electronic signatures or national e-ID systems, where available).

Requests may also be sent to the Company at the contact details previously provided by the data subject and stored in the Company's systems, including info@covalentlabs.com.tr, where the Company has previously verified the identity of the requester through its systems.

Supporting documents and evidence relevant to the request should be attached.

Where the Company refuses a request, in whole or in part, or the requester considers the response inadequate, the data subject has the right to lodge a complaint with the competent national Supervisory Authority and/or to seek a judicial remedy in accordance with applicable law. The time limits for lodging a complaint or seeking judicial review are those provided by national law and the GDPR. Where applicable, data subjects will be informed of the competent Supervisory Authority to which complaints may be addressed.