You can find our obligations under KVKK, our data processing principles, our retention-destruction policy, and ways to exercise your rights in this text.
PERSONAL DATA PROTECTION AND PROCESSING POLICY
1. Introduction
1.1. Introduction
* According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. This right includes being informed about their personal data, accessing it, requesting its correction or deletion, and learning whether it is being used for its intended purpose.
* Personal Data Protection Law No. 6698 ("KVKK" or "Law") regulates the protection of the fundamental rights and freedoms of individuals in the processing of personal data, the obligations of real and legal persons who process personal data, and the procedures and principles they must comply with.
* The protection of personal data is among the top priorities of HeraBiyo Biotechnology Research and Consulting Ltd. Company ("HeraWater" or "Company"). In order to inform personal data owners, this HeraWater Personal Data Protection and Processing Policy ("Policy") explains the principles adopted by our Company in carrying out personal data processing activities within the framework of this Law and the basic principles adopted in terms of the compliance of our Company's data processing activities with the regulations in the KVKK.
* Since HeraBiyo's core business is to develop personalized health solutions based on genetic and epigenetic data, the protection of genetic and health data, especially Special Personal Data, is a responsibility that requires high sensitivity for our Company. With the awareness of our responsibility in this context, your personal data is processed and protected within the scope of this Policy.
1.2. Purpose and Scope
* The main purpose of this Policy is to make statements regarding the personal data processing activities carried out by HeraWater in accordance with the law and the systems adopted for the protection of personal data, and to ensure transparency by informing the persons whose personal data are processed by our Company in this context.
* This Policy relates to all personal data processed by our Company, either fully or partially automatically, or non-automatically provided that it is part of any data recording system.
1.3. Definitions
The definitions used in this Policy are listed below:
* Explicit Consent: Consent on a specific matter, based on information and expressed freely.
* Worker: A natural person who is an employee of HeraWater.
* Contact Person: The natural person whose personal data is processed.
* Related User: Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.
* Related Person Application Form: The application form that the relevant person, whose personal data is processed within the Company, will use when applying for their rights explained in Article 11 of the Law.
* Law or KVKK: Personal Data Protection Law No. 6698.
* Personal Data: Any information relating to an identified or identifiable natural person.
* Personal Data Processing Inventory: The inventory in which data controllers detail the personal data processing activities they carry out in connection with their business processes, by relating them to the purposes and legal basis of processing personal data, the data category, the recipient group to which the data is transferred, and the data subject group, and by explaining the maximum retention period required for the purposes for which personal data is processed, the personal data intended to be transferred to foreign countries, and the measures taken regarding data security.
* Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means, or by non-automatic means provided that it is part of any data recording system.
* Board: Personal Data Protection Board.
* Organisation: Personal Data Protection Authority.
* Special Personal Data: Data on individuals' race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
* Policy: HeraWater Personal Data Protection and Processing Policy.
* Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
* Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
* Data Controllers Registry (VERBIS): Data controllers registry kept by the Presidency under the supervision of the Personal Data Protection Board.
1.4. Implementation of the Policy and Relevant Legislation
* The applicable legal regulations regarding the processing and protection of personal data will apply primarily. In the event of any inconsistency between the applicable legislation and the Policy, our Company acknowledges that the applicable legislation will prevail.
* The Policy was created by concretizing and organizing the rules laid down by the relevant legislation within the scope of HeraWater's practices.
2. Matters Regarding the Protection of Personal Data
2.1. Ensuring the Security of Personal Data
* In accordance with Article 12 of the Law, our Company takes the necessary measures, according to the nature of the data to be protected, in order to prevent unlawful disclosure, access, transfer or other security deficiencies that may occur in personal data.
* In this context, our Company takes technical and administrative measures to ensure the necessary level of security in accordance with the guidelines published by the Personal Data Protection Board ("Board"), and carries out inspections or has them carried out within its own organization. HeraBiyo meticulously implements the encryption, access restrictions and bioinformatics system security measures required by the industry, especially during the processing of genetic raw data and clinical information. The results of these audits are reported to the relevant department within the scope of the Company's internal operations and necessary actions are taken to improve the measures taken.
* If the processed personal data is obtained by others through illegal means, our Company operates a system that ensures that this situation is reported to the relevant personal data owner and the Board as soon as possible.
2.2. Observance of the Data Owner's Rights
* Our Company maintains the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the KVKK to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
* Detailed information regarding the rights of data owners is included in Section 10 of this Policy.
2.3. Protection of Special Personal Data
* The data designated as special by the Law are data on race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
* Our Company acts with the utmost sensitivity in protecting special personal data, such as genetic and health data, processed by HeraWater in accordance with the law.
* In this context, the technical and administrative measures taken by our Company to protect personal data are implemented with care in terms of special personal data, and the necessary inspections are carried out within HeraWater. The processing of these data is carried out by personnel under the obligation of confidentiality, within the framework of express consent or legal obligations specified in the Law.
* Detailed information regarding the processing of special categories of personal data is provided in Section 3.3 of this Policy.
2.4. Increasing Awareness and Supervision of Business Units Regarding the Protection and Processing of Personal Data
* Our Company organizes the necessary training and seminars for its business units and business partners in order to prevent the unlawful processing of personal data and unlawful access to personal data, and to raise awareness about ensuring the protection of personal data.
* The necessary systems are established to raise the awareness of current employees of HeraBiyo's business units, newly joined employees and business partners regarding the protection of personal data, and professionals are engaged when necessary. It is mandatory for personnel working in the fields of genetic data processing, Artificial Intelligence and Bioinformatics to receive periodic data security and ethics training.
* The results of training conducted by our Company to raise awareness about the protection and processing of personal data are reported to the relevant department. To this end, our Company evaluates participation in relevant training, seminars, and information sessions and conducts or arranges for the necessary audits. Our Company updates and renews its training programs in line with the updates of relevant legislation.
3. Matters Regarding the Processing of Personal Data
Our Company, in accordance with Article 20 of the Constitution and Article 4 of the Personal Data Protection Law, processes personal data in accordance with the principles of: (i) compliance with the law and the rules of honesty, (ii) accuracy and, where necessary, keeping data up to date, (iii) pursuing specific, clear, and legitimate purposes, (iv) processing in a purpose-related, limited, and proportionate manner, and (v) retention for the period stipulated in relevant legislation or necessary for the purpose of processing. In accordance with Article 20 of the Constitution and Article 5 of the Personal Data Protection Law, our Company processes personal data based on one or more of the conditions stipulated in Article 5 of the Personal Data Protection Law regarding the processing of personal data. Our Company complies with the regulations stipulated in Article 6 of the Personal Data Protection Law regarding the processing of special personal data. In accordance with Articles 8 and 9 of the Personal Data Protection Law, our Company complies with the regulations stipulated in the law and established by the Board regarding the transfer of personal data.
3.1. Processing of Personal Data in Accordance with the Principles Stipulated in the Legislation
3.1.1. Compliance with Law and the Rule of Honesty
* Our Company acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data.
* In this context, our Company takes the requirements of proportionality into account and processes personal data only to the extent required for the purpose. Particularly in the processing of genetic and clinical data, the principle of data minimization is taken as the basis.
3.1.2. Ensuring that Personal Data is Accurate and Up-to-Date When Necessary
* Our Company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of personal data owners and their legitimate interests. To this end, we take the necessary measures and establish appropriate mechanisms.
* Keeping datasets accurate and up-to-date is vital for the accuracy and reliability of clinical analysis results.
3.1.3. Processing for Specific, Clear and Legitimate Purposes
* Our Company clearly and precisely determines the legitimate and lawful purpose of processing personal data.
* Our Company processes personal data within the scope of purposes related to providing Polygenic Risk Score (PRS) analysis, personalized medicine and healthcare solutions.
3.1.4. Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed
* Our Company processes personal data in a manner suitable for achieving the specified purposes and avoids processing personal data that is not relevant or needed to achieve the purpose.
* Genetic data (WGS, SNP, Methylation) is processed only for the limited purposes of PRS modeling and individual reporting. Data processing is directly related to and proportionate to the purpose determined.
3.1.5. Storage for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed
* Our Company retains personal data for the period specified in the relevant legislation or as long as necessary for the purpose for which they are processed.
* In this context, our Company first determines whether a period is stipulated in the relevant legislation for the storage of personal data. If a period is specified, it acts in accordance with this period; if no period is specified, it retains personal data for the period necessary for the purpose for which they are processed.
* If the period expires or the reasons requiring processing are eliminated, personal data is deleted or destroyed by our Company, or anonymized and included in the data pool for R&D purposes.
3.2. Conditions for Processing Personal Data
* The protection of personal data is a constitutional right. Fundamental rights and freedoms may be restricted only by law, without prejudice to their essence, and solely for the reasons specified in the relevant articles of the Constitution. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the individual's explicit consent. Our Company processes personal data in accordance with these rules.
* The basis for personal data processing may be only one of the conditions specified below, or more than one of these conditions may be the basis for the same personal data processing activity.
* Although the legal bases for the processing of personal data by our Company vary, all personal data processing activities are carried out in accordance with the general principles set out in Article 4 of Law No. 6698 (see Section 3.1).
a) Explicit Consent of the Personal Data Owner: One of the conditions for processing personal data is the data subject's explicit consent. The data subject's explicit consent must be specific, informed, and freely given. For the processing purpose related to the reasons for obtaining personal data, at least one of the conditions set out in (b), (c), (d), (e), (f), (g) and (h) of this title is required; if none of these conditions is present, our Company carries out these personal data processing activities based on the explicit consent of the personal data owner for these processing activities.
b) Explicitly Provided in Laws: The data owner's personal data may be processed in accordance with the law if the processing of personal data is clearly provided for by law.
c) Inability to Obtain the Explicit Consent of the Person Concerned Due to Actual Impossibility: The personal data of the data owner may be processed if processing is necessary to protect the life or physical integrity of that person or of another person, where the person is unable to give consent due to actual impossibility or their consent cannot be considered valid.
d) Direct Interest in the Establishment or Execution of the Contract: Personal data of the parties to a contract may be processed if processing is necessary and directly related to the establishment or execution of the contract. (E.g. providing analysis and reporting services.)
e) Fulfillment of the Company's Legal Obligations: The personal data of the data owner may be processed if processing is necessary for our Company to fulfill its legal obligations as the data controller.
f) Personal Data Owner's Making His/Her Personal Data Public: If the data owner has made his/her personal data public, the relevant personal data may be processed within the framework of the purpose of publicity.
g) Data Processing is Necessary to Establish or Protect a Right: If data processing is necessary for the establishment, exercise or protection of a right, the data subject's personal data may be processed.
h) Data Processing is Mandatory for the Legitimate Interest of Our Company: Personal data of the data owner may be processed if data processing is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner. (E.g. ensuring information security, increasing platform performance.)
3.3. Processing of Special Personal Data
* Since HeraBiyo's core business involves genetic and health data, the highest level of precautions is taken in this area in accordance with Article 6 of the KVKK.
* In accordance with the KVKK, our Company processes special personal data in the following cases, provided that adequate measures are taken, as determined by the Board:
* If the personal data owner has given explicit consent, or
* If the personal data owner has not given explicit consent:
  * Special personal data other than health and sexual life is processed in cases expressly provided for in the laws,
  * Sensitive personal data regarding health and sexual life (including Genetic Data) is processed, for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, by persons under the obligation of confidentiality or by authorized institutions and organizations.
3.4. Enlightenment and Informing of Personal Data Owners
* Our Company informs personal data owners during the collection of personal data in accordance with Article 10 of the Law.
* In this context, data subjects are informed about who processes the personal data as the data controller, for what purposes it is processed, with whom and for what purposes it is shared, the methods used to collect it, the legal basis for collection, and the rights of data subjects regarding the processing of their personal data. Detailed information on this matter is provided in Section 10 of this Policy.
* Article 20 of the Constitution establishes that everyone has the right to be informed about personal data concerning them. Accordingly, Article 11 of the Law lists the right to "request information" among the rights of personal data owners. In this context, our Company provides the necessary information when a personal data owner requests information, in accordance with Article 20 of the Constitution and Article 11 of the Personal Data Protection Law. Detailed information on this subject is provided in Section 10 of this Policy.
3.5. Transfer of Personal Data
Our Company may, in line with its lawful personal data processing purposes and by taking the necessary security measures, transfer the personal data and special categories of personal data of the personal data owner to third parties (business partner companies, third parties, etc.). In this regard, our Company acts in accordance with the regulations stipulated in Article 8 of the KVKK.
3.5.1 Transfer of Personal Data
Our Company may transfer personal data to third parties in line with its legitimate and lawful personal data processing purposes, based on one or more of the personal data processing conditions specified in Article 5 of the Law listed below, in a limited manner, by taking due care and taking all necessary security measures, including the methods prescribed by the Board:
* If the personal data owner has given explicit consent,
* If there is a clear regulation in the laws regarding the transfer of personal data,
* If it is necessary to protect the life or physical integrity of the personal data owner or someone else and the personal data owner is unable to give his consent due to actual impossibility or if his consent is not legally valid,
* If it is necessary to transfer personal data of the parties to the contract, provided that it is directly related to the establishment or execution of a contract,
* If personal data transfer is mandatory for our Company to fulfill its legal obligations,
* If the personal data has been made public by the personal data owner, in a manner limited to the purpose of publicity,
* If personal data transfer is mandatory for the establishment, exercise or protection of a right,
* If personal data transfer is necessary for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data owner.
In addition to the above, personal data may be transferred to foreign countries declared by the Board to have adequate protection ("Foreign Country with Adequate Protection") if any of the above conditions are met. If adequate protection is not provided, personal data may be transferred to foreign countries where the data controllers in Turkey and the relevant foreign country have undertaken, in writing, to provide adequate protection and where the Board has granted its consent ("Foreign Country with a Data Controller Committing to Adequate Protection"), in accordance with the data transfer conditions stipulated in the legislation.
3.5.2 Transfer of Special Personal Data
Our Company may transfer the personal data owner's special data to third parties in the following cases, by showing due care and taking all necessary administrative and technical measures and the adequate measures prescribed by the Board, in accordance with the legitimate and lawful personal data processing principles:
* If the personal data owner has given explicit consent, or
* If the personal data owner has not given explicit consent:
  * Special personal data of the personal data owner other than health and sexual life may be transferred in cases prescribed by law,
  * Sensitive personal data of the personal data owner regarding health and sexual life (including Genetic Data) may be transferred, for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing, by persons under the obligation of confidentiality or by authorized institutions and organizations.
In addition to the above, personal data may be transferred to foreign countries with adequate protection if any of the above conditions are met.
If adequate protection is not provided, personal data may be transferred to foreign countries where the data controller undertakes adequate protection, in accordance with the data transfer conditions stipulated in the legislation.
4. Purposes of Processing Personal Data Processed by Our Company
Our Company, HeraWater, processes personal data in accordance with the general principles set forth in the Law, based on and limited to at least one of the personal data processing conditions specified in Articles 5 and 6 of Law No. 6698 on the Protection of Personal Data. The categories of personal data processed can be accessed in Section 5 of this Policy.
The purposes of processing personal data are:
* Conducting Bioinformatics and Polygenic Risk Score (PRS) Analyses
* Developing and Providing Personalized Health and Preventive Medicine Solutions
* Conducting R&D and Scientific Studies (With Anonymous/Pseudonymous Data)
* Execution of Emergency Management Processes
* Execution of Information Security Processes
* Conducting the Selection and Placement Process of Candidate Employees / Interns / Students
* Conducting the Application Process of Employee Candidates
* Execution of Employee Satisfaction and Loyalty Processes
* Fulfillment of Employment Contract and Legislative Obligations for Employees
* Execution of Employee Benefits and Benefits Processes
* Conducting Audit/Ethics Activities
* Conducting Training Activities
* Execution of Access Authorizations
* Carrying out activities in accordance with legislation
* Execution of Finance and Accounting Affairs
* Ensuring Physical Space Security
* Execution of Assignment Processes
* Monitoring and Execution of Legal Affairs
* Conducting Internal Audit/Investigation/Intelligence Activities
* Conducting Communication Activities
* Planning Human Resources Processes
* Conduct/Supervision of Business Activities
* Conducting Occupational Health / Safety Activities
* Execution of Goods/Services Purchasing Processes
* Execution of After-Sales Support Services for Goods/Services
* Execution of Goods/Service Sales Processes
* Execution of Customer Relationship Management Processes
* Carrying out activities aimed at customer satisfaction
* Organization and Event Management
* Conducting Marketing Analysis Studies
* Execution of Advertising / Campaign / Promotion Processes
* Execution of Risk Management Processes
* Carrying out storage and archive activities
* Execution of Contract Processes
* Conducting Sponsorship Activities
* Conducting Strategic Planning Activities
* Tracking Requests / Complaints
* Ensuring the Security of Movable Goods and Resources
* Implementation of the Wage Policy
* Execution of Marketing Processes of Products / Services
* Ensuring the Security of Data Controller Operations
* Execution of Investment Processes
* Conducting Talent / Career Development Activities
* Providing Information to Authorized Persons, Institutions and Organizations
* Carrying out management activities
* Creating and Tracking Visitor Records
5. Owners of Personal Data Processed by Our Company and Categorization of Personal Data
While the personal data of the personal data owner categories listed below are processed by our Company, HeraWater, the scope of application of this Policy is limited to our customers, potential customers, employees, job candidates, company shareholders, company officials, visitors, employees, shareholders and officials of the institutions we cooperate with, and third parties. While the categories of persons whose personal data are processed by our Company are within the scope specified above, persons outside these categories may also direct their requests to our Company within the scope of the KVKK; their requests will also be evaluated within the scope of this Policy.
The following clarifies the concepts of customer, potential customer, visitor, third party, employee, candidate employee, shareholder, board member, real persons in institutions we cooperate with, and third parties related to these persons, within the scope of this Policy:
* Customer: Real persons who use or have used the genetic analysis, PRS calculation and related products/services offered by our Company, regardless of whether there is any contractual relationship with our Company.
* Potential Customer: Natural persons who have requested or expressed an interest in using our products and services or who have been assessed, in accordance with commercial practices and rules of integrity, to be likely to have such an interest.
* Supplier: Persons who provide products or services to the Company (e.g. bioinformatics software, laboratory services) within the scope of commercial activities carried out by the Company, and their officers, partners and employees, whose personal data are obtained regardless of whether there is any contractual relationship.
* Visitor: Natural persons who have entered the physical premises of our Company for various purposes or visited our websites/web platform.
* Third Person: Third-party natural persons (e.g. family members and relatives) who are related to the above-mentioned parties in order to ensure the security of commercial transactions between our Company and those parties or to protect the rights of and provide benefits to the said persons, or other natural persons who are not within the scope of this Policy.
* Worker: Real persons who have worked or are working in our Company.
* Employee Candidate: Natural persons who have applied for a job in our Company by any means or have made their CV and related information available for review by our Company.
* Company Shareholder: Real persons who are shareholders of our Company.
* Company Official: Members of our Company's board of directors and other authorized real persons.
* Employees, Shareholders and Officials of the Institutions We Collaborate with: Natural persons working in institutions with which our Company has any kind of business relationship (such as, but not limited to, business partners, suppliers, universities, hospitals), including shareholders and officials of these institutions.
The above-mentioned personal data categories and the description of the data within these categories are detailed in the following articles:
PERSONAL DATA CATEGORIZATION AND EXPLANATION:
Identity Information: Information such as name and surname, mother's and father's name, mother's maiden name, date of birth, identity card serial number, Turkish Republic identity number.
Contact Information: Information such as address number, e-mail address, contact address, registered e-mail address (KEP), telephone number.
Family Members and Relatives Information: Information about the personal data owner's family members (e.g. spouse, mother, father, child), relatives and other persons who can be reached in case of emergency, processed in relation to the services offered by HeraWater or in order to protect the legal and other interests of the Company and the personal data owner.
Customer Transaction Information: Information such as invoice information, request information, and analysis order and result delivery information.
Physical Space Security Information: Information such as entry and exit registration information of real persons and camera recordings.
Transaction Security Information: IP address information, website/web platform login and logout information, password and passcode information, etc.
Financial Information: Information such as balance sheet information, financial performance information, credit and risk information, and asset information.
Legal Procedures and Compliance Information: Information regarding the determination and pursuit of our legal receivables and rights, the fulfillment of our debts, and compliance with our legal obligations and our Company's policies.
Audit and Inspection Information: Information regarding the execution of our Company's operational and compliance audit activities.
Special Personal Data: People's health and genetic data (whole genome sequencing, SNP, methylation data, polygenic risk scores and ethnicity information), and data on criminal convictions and security measures.
Request/Complaint Management Information: Information regarding the receipt and evaluation of any requests or complaints directed to HeraWater.
6. ENSURING THE SECURITY AND CONFIDENTIALITY OF PERSONAL DATA
In accordance with Article 12 of the Law, our Company takes the necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. The confidentiality and security of Special Personal Data, especially genetic and health data, are ensured with the highest level of protection.
6.1. Technical Measures Taken to Ensure Lawful Processing of Personal Data
The technical measures taken by our Company to ensure the lawful processing of personal data are listed below:
* Network security and application security are provided.
* A closed system network is used for personal data transfer via network. (Especially for bioinformatics analysis servers.)
* Key management is implemented.
* Security measures are taken within the scope of information technology systems procurement, development and maintenance.
* An authority matrix has been created for employees. (Access to Sensitive Data is subject to strict authorizations.)
* Access logs are kept regularly.
* The authority of employees who change their duties or leave their jobs is immediately revoked.
* Firewalls are used.
* Personal data security is monitored.
* Personal data is backed up and the security of the backed up personal data is also ensured.
* User account management and authorization control systems are implemented and monitored.
* Log records are kept without user intervention.
* Intrusion detection and prevention systems are used.
* Cyber security measures have been taken and their implementation is constantly monitored. (Bioinformatics databases and analysis pipelines are specially protected against cybersecurity risks.)
6.2. Administrative Measures Taken to Ensure Lawful Processing of Personal Data
The administrative measures taken by our Company to prevent unlawful access to personal data are listed below:
* Education and awareness activities on data security are carried out periodically for employees. (Especially regarding the ethics and confidentiality of genetic data processing.)
* The obligation to disclose towards contact persons is being fulfilled.
* Institutional policies regarding access, information security, usage, storage and destruction have been prepared and implemented.
* Confidentiality commitments are made.
* The signed contracts include data security provisions.
* Personal data security policies and procedures have been determined.
* Personal data security issues are reported quickly.
* Necessary security measures are taken regarding entry and exit to physical environments containing personal data.
* The security of physical environments containing personal data is ensured against external risks (fire, flood, etc.).
* The security of environments containing personal data is ensured.
* Personal data is reduced, and anonymized or pseudonymized, whenever possible.
* Existing risks and threats have been identified.
* Periodic and/or random audits are carried out within the institution.
* Protocols and procedures for the security of special personal data are determined and implemented. (Including biological material and genetic raw data management.)
* Data processing service providers are made aware of data security.
7. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
* Your data stored within the scope of the law will be kept for the maximum period specified in the relevant legislation or necessary for the purpose for which it is processed and, in any case, for the duration of the legal limitation periods.
* As regulated in Article 138 of the Turkish Penal Code and Article 7 of the Law, when the reasons requiring processing are eliminated, personal data will be deleted, destroyed or made anonymous, ex officio or upon your request, in accordance with the Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette No. 30224 dated 28.10.2017 and under the conditions determined by the HeraBiyo Personal Data Storage and Destruction Policy prepared in accordance with this Regulation.
* In particular, genetic raw data can be stored by anonymizing it with strong methods for use in scientific R&D activities once the analysis purposes are over.
8. THIRD PARTIES TO WHICH PERSONAL DATA IS TRANSFERRED BY OUR COMPANY AND THE PURPOSES OF TRANSFER
* Our Company notifies the personal data owner of the groups of persons to whom personal data is transferred in accordance with Article 10 of the Law.
* Our Company may transfer the personal data it processes in accordance with Articles 8 and 9 of the Law to the following categories of persons:
  * HeraWater's business partners,
  * HeraWater's customers,
  * HeraWater's shareholders,
  * Legally authorized public institutions and organizations,
  * Legally authorized private law persons.

| Persons to Whom Data Can Be Transferred | Definition | Purpose of Data Transfer |
| --- | --- | --- |
| Business Partner | The parties with which our Company establishes business partnerships for purposes such as selling, promoting and marketing our Company's products and services, after-sales support, and running joint customer loyalty programs while carrying out our Company's commercial activities (e.g. bioinformatics infrastructure providers, clinical laboratories). | Limited to ensuring that the purposes for which the business partnership was established are fulfilled. |
| Customer | The real or legal persons to whom the Company offers services and products while carrying out its commercial activities. | Limited to the purpose of providing the products and services that our Company offers to its customers (for example, communicating the analysis results to the relevant customer). |
| Our Shareholders | Our shareholders who are authorized to design the strategies and audit activities regarding our Company's commercial activities in accordance with the relevant legislation. | Limited to the design of strategies and auditing purposes regarding our Company's commercial activities in accordance with the relevant legislation. |
| Legally Authorized Public Institutions and Organizations | Public institutions and organizations authorized to receive information and documents from our Company in accordance with the relevant legislation (for example, the KVKK Institution, courts, the Ministry of Health). | Limited to the purpose requested by the relevant public institutions and organizations within their legal authority. |
| Legally Authorized Private Law Persons | Private law persons authorized to receive information and documents from our Company in accordance with the relevant legislation (e.g. law firms, auditing companies). | Limited to the purpose requested by the relevant private legal persons within their legal authority. |

9. RIGHTS OF PERSONAL DATA SUBJECTS; METHODOLOGY OF EXERCISE AND EVALUATION OF THESE RIGHTS
Our Company informs the personal data owner of their rights in accordance with Article 10 of the Law, guides the personal data owner on how to exercise these rights, and maintains the necessary channels, internal operations, and administrative and technical arrangements in accordance with Article 13 of the Law to evaluate the rights of personal data owners and to provide the necessary information to personal data owners.
a. RIGHTS OF THE DATA OWNER AND EXERCISE OF THESE RIGHTS
Rights of Personal Data Owners
Personal data owners have the following rights:
* To learn whether personal data is being processed,
* To request information regarding the processing of personal data,
* To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
* To know the third parties to whom personal data is transferred, either domestically or abroad,
* To request correction of personal data if it is processed incompletely or incorrectly and to request that the action taken in this context be notified to third parties to whom personal data has been transferred,
* To request the deletion or destruction of personal data in case the reasons requiring processing are eliminated, even though the data has been processed in accordance with the provisions of the KVKK and other relevant laws, and to request that the action taken within this scope be notified to third parties to whom the personal data has been transferred,
* To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,
* To request compensation in case of damages due to unlawful processing of personal data.
Cases in Which the Personal Data Owner Cannot Assert His/Her Rights
Since the following situations are excluded from the scope of the Law in accordance with Article 28 of the Personal Data Protection Law, personal data owners cannot assert their rights listed in 9.1 in these matters:
* Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
* Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
* Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
* Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
Pursuant to Article 28/2 of the Law, personal data owners cannot assert their other rights listed in Article 9.1, except for the right to demand compensation for damages, in the following cases:
* Processing of personal data is necessary for the prevention of crime or criminal investigation.
* Processing of personal data made public by the personal data owner.
* The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
* Processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.
Personal Data Owner's Exercise of Rights
* Personal data owners may submit their requests regarding their rights listed under heading 9.1 of this section by filling out the “Relevant Person (Personal Data Owner) Application Form” located at [Company Web Address] and submitting it to the Company using the methods specified by the Board. The application method is also explained in detail in this form.
* It is not possible for third parties to make a request on behalf of personal data subjects. For a person other than the personal data subject to make a request, the personal data subject must have issued a special power of attorney to the person making the request.
Personal Data Owner's Right to Complain to the Board
* In accordance with Article 14 of the Personal Data Protection Law, if the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the personal data owner may file a complaint with the Board within thirty days from the date on which he/she learns of our Company's response, or within sixty days from the date of application in any case.
b. HERABİYO'S RESPONSE TO APPLICATIONS
i. Our Company's Procedure and Timeframe for Responding to Applications
* If the personal data owner submits his/her request to our Company in accordance with the procedure in section 9.1 of this section, our Company will finalize the relevant request free of charge as soon as possible, depending on the nature of the request, and within thirty days at the latest.
* However, if the transaction requires an additional cost, our Company will charge the applicant a fee according to the tariff determined by the Board.
ii. Information Our Company May Request from the Applicant Personal Data Owner
* Our Company may request information from the relevant person in order to determine whether the applicant is the owner of the personal data.
* Our Company may ask the personal data owner questions regarding their application in order to clarify the issues included in the application.
iii. Our Company's Right to Reject the Application of the Personal Data Owner
Our Company may reject the applicant's application by explaining the reason in the following cases:
* Processing of personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
* Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
* Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public safety, public order or economic security.
* Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
* Processing of personal data is necessary for the prevention of crime or criminal investigation.
* Processing of personal data made public by the personal data owner.
* The processing of personal data is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law.
* Processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.
* The request of the personal data owner may interfere with the rights and freedoms of other persons.
* Requests have been made that require disproportionate effort.
* The requested information is publicly available information.
* One of the situations that are not covered by the law exists.