Personal Data Processing and Protection Policy

CONTENTS

1. Purpose

2. Scope and Application

3. Definitions

4. Processing of Personal Data

a. Principles Followed in Processing Personal Data

b. Purposes of Processing Personal Data

c. Legal Reasons for Processing Personal Data

d. Legal Reasons for Processing Special Personal Data

5. Obligation to Disclose

6. Data Security

a. Technical Measures

b. Administrative Measures

7. Transfer of Personal Data

a. Domestic Transfer

b. International Transfer

8. Personal Data Inventory

9. Roles and Responsibilities

10. Deletion, Destruction and Anonymization of Personal Data

11. Rights of the Data Subject and Exercise of Rights

a. Data Subject Rights

b. Exercise of Rights

c. Evaluation of the Application

d. Our Right to Reject the Application

e. Right to Complain

12. Publication of the Policy, Entry into Force

13. Policy Update


1. Purpose

The main purpose of this Personal Data Protection and Processing Policy (“Policy”) is to provide explanations on the data processing activities that Carex Herbal Products and Kozmetik Sanayi ve Ticaret Ltd. Şti. (“Company”) carries out in accordance with the law and on the systems adopted for the protection of personal data, to determine the procedures and principles to be followed by data processors due to their relationship with the Company, and to ensure transparency towards the people whose data is processed.


The Company carries out its activities in accordance with the provisions on the protection and privacy of personal data in the Turkish Constitution, the international agreements to which we are a party, the Personal Data Protection Law (“KVKK”) and relevant legislation. The Company approaches the protection of personal data and fundamental rights and freedoms with sensitivity, and keeps fundamental human rights such as privacy and freedom of thought at the forefront in all its activities.


2. Scope and Application

This Policy has been prepared in accordance with applicable regulations and international standards. The Company will apply this Policy as a priority in all data processing activities such as processing, transfer and modification.

The Company also has different policies that address the protection of personal data and information security in certain business activities and processes. Unless this Policy contains additional terms or requires higher standards for the protection of personal data, it does not override the data protection provisions in these other policies. To the extent applicable, this Policy is implemented together with those policies and procedures.

In case of conflict between the provisions of the relevant legislation in force regarding the protection and processing of personal data and the provisions of this Policy, the provisions of the legislation in force shall prevail.

3. Definitions

KVKK: Personal Data Protection Law No. 6698

Data Processor: A natural or legal person that processes personal data on behalf of the data controller based on the authority granted by the data controller

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is systematically stored (data recording system)

Data Owner/Relevant Person: Natural persons whose personal data are processed, including but not limited to the employees, customers, business partners, shareholders, officials, potential customers, prospective employees, interns, visitors, suppliers, employees of partner institutions and third parties of the Company and of the affiliates and subsidiaries with which it has commercial relations

Explicit Consent: Consent related to a specific subject, based on information and expressed with free will.

Personal Data: Any information relating to an identified or identifiable natural person.

Special Personal Data: Data on a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data

Processing of Personal Data: Any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, rearranging, disclosing, transferring, taking over, making accessible, classifying or preventing the use of the data, whether by fully or partially automated means or by non-automated means provided that it is part of a data recording system

Anonymization of Personal Data: Making personal data impossible to associate with an identified or identifiable natural person, even by matching it with other data

Deletion of Personal Data: Rendering personal data inaccessible and non-reusable in any way for the relevant users

Destruction of Personal Data: The process of rendering personal data inaccessible, unrecoverable and unusable by anyone in any way

Personal Data Protection Board/Board: Personal Data Protection Board

Personal Data Protection Authority/Institution: Personal Data Protection Authority


4. Processing of Personal Data

a. Principles Followed in Processing Personal Data

The Company's policies and procedures are applied in line with the processing principles set out in the KVKK and relevant legislation. We know that these principles are of vital importance for data subjects in exercising their rights and in their control over their data, and we are extremely sensitive about making these principles the focus of all our processing activities. Our principles in our personal data processing activities are as follows:

∙ Personal data is processed in a transparent manner and in accordance with the law and the principle of honesty.

The Company relies on the legal processing grounds set forth in the KVKK in its data processing activities. Furthermore, in accordance with the rule of honesty, the Company takes into account the reasonable expectations of the relevant persons. In its communication with the relevant persons, the Company uses open and understandable language and is always in an easily accessible position.

∙ Personal data is processed only for specified, clear and legitimate purposes.

The Company determines the purpose of the data processing activity before processing data. Data is processed for additional purposes only where they are compatible with the first processing purpose. For each additional purpose, compatibility with the first purpose is determined according to internationally accepted criteria. Our Company informs the relevant persons about the purposes of data processing by observing the principle of transparency.

∙ Personal data are linked, limited and proportionate to the purpose for which they are processed.

Our Company processes the amount of data required for the purpose of data processing. Data is obtained by the method most appropriate for data privacy and security. In our processing activities, disproportionate interference with the rights, interests and freedoms of the relevant persons is avoided.

∙ Personal data is accurate and up-to-date where necessary.

The Company ensures that data is up-to-date in all processing activities. Incomplete, incorrect or inaccurate data are destroyed or corrected as soon as possible, within a reasonable time. The Company checks the up-to-dateness of the data at regular intervals.

∙ Personal data is kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.

Once the data processing purposes are eliminated, the data is deleted, destroyed or anonymized as soon as possible.

∙ Personal data is processed to ensure appropriate security.

Our Company implements data security as a core principle. It follows best practices in this regard and takes the necessary administrative and technical measures.

∙ The company demonstrates its compliance with other principles of KVKK.

Our company observes the principle of accountability in all processing activities.

b. Purposes of the Company's Processing of Personal Data

The purposes for which personal data is processed by the Company are as follows:

• Ensuring the Security of Data Controller Operations

• Conducting the Selection and Placement Processes of Employee Candidates / Interns / Students

• Conducting the Application Process of Employee Candidates

• Fulfillment of Employment Contract and Legislative Obligations for Employees

• Execution of Employee Benefits and Benefits Processes

• Carrying out activities in accordance with legislation

• Execution of Finance and Accounting Affairs

• Execution of Assignment Processes

• Planning Human Resources Processes

• Conducting/Supervising Business Activities

• Execution of After-Sales Support Services for Goods/Services

• Execution of Company/Product Processes, Audit, Execution of Goods/Service Sales Processes

• Ensuring the Security of Data Controller Operations

• Providing Information to Authorized Persons, Institutions and Organizations

• Execution of Contract Processes

• Conducting Occupational Health and Safety Activities

• Carrying out advertising / campaign / promotion processes, carrying out sponsorship activities,

• Carrying out activities aimed at customer satisfaction


c. The Company's Legal Reasons for Processing Personal Data:


When processing personal data, the Company relies on one of the legal processing conditions in Article 5 of the KVKK. The conditions for processing personal data, i.e., legal compliance, are listed in a limited number in the Law. The conditions cannot be extended. The Company relies on the following legal grounds when processing personal data:

• Existence of the explicit consent of the relevant person,

• It is clearly foreseen in the laws,

• The processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or execution of the contract,

• It is mandatory for the data controller to fulfill its legal obligations,

• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

Our Company does not rely on the legal basis of explicit consent where another legal reason exists.


d. Legal Reasons for Processing Special Personal Data

Special personal data, such as a person's religion, race, belief, health and sexual life, are data whose disclosure would expose the person to discrimination. Special categories of personal data are defined in Article 6 of the KVKK. They cannot be processed without the existence of the limited legal reasons listed in Article 12.

In this context, the Company processes special personal data other than health or sexual life data based on;

• The explicit consent of the relevant person and legal reasons.

Health and sexual life data are processed based on;

• The explicit consent of the relevant person,

• Legal reasons for the purposes of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, and planning and management of health services and their financing, by persons under the obligation of confidentiality.


5. Obligation to Disclose

The Company is obliged to inform the relevant persons in accordance with the KVKK and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Disclose. If personal data is obtained from the relevant person, the Company, itself or through authorized persons, informs the relevant persons at the time of obtaining the data. If the data is not obtained from the relevant person, the obligation to inform is fulfilled within a reasonable period of time; if the data will be used for communication with the relevant person, at the time of the first communication; and if the data will be transferred, at the latest during the first transfer.

The Company informs the relevant persons of, at a minimum, the Company's legal entity and address information, the purpose for which personal data will be processed, to whom and for what purposes the processed data can be transferred, the method and legal reason for collecting personal data, and their rights listed in Article 11 of the KVKK.

When the purpose of processing personal data changes, the obligation to inform is fulfilled separately for this purpose before the data processing activity.

6. Data Security

The Company, as the data controller in the processing of personal data, is obliged to prevent unlawful processing of and access to personal data and to safeguard it. Therefore, the Company has taken all technical and administrative data security measures, including any additional measures required to protect data. The measures taken by our Company in this context are listed below.

∙ Technical Measures

∙ Administrative Measures


7. Transfer of Personal Data

a. Domestic Transfer

Our Company transfers personal data to third parties based on the data processing conditions in Articles 5 and 6 of the KVKK. The Company takes all necessary security measures in its data transfer activities. In this context, the recipient groups to which our Company transfers data are as follows:

- Suppliers

- Business Partners

- Authorized Public Institutions and Organizations

b. International Transfer

In accordance with Article 9 of the KVKK, the Company transfers data abroad by meeting one of the following conditions.

• The explicit consent of the relevant person,

• The country to which personal data will be transferred has the status of a “safe country” and provides adequate protection,

• The rights and obligations of the Company and the recipient party regarding the transfer are regulated, adequate protection is committed to in writing, and the approval of the Board is obtained.


8. Personal Data Inventory

The Company has prepared a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of KVKK. The company's data inventory includes the following details:

• Business processes in which personal data is used,

• Category of personal data,

• Processed personal data,

• Processed special personal data,

• The purpose and legal basis of the processing activity,

• Domestic recipients of personal data,

• Whether personal data is transferred abroad,

• Personal data retention periods

If there is a change in the Company's processing activities, the Personal Data Inventory is updated. The Company notifies the Data Controllers Registry of the information in the Personal Data Inventory and any updates to it. The information the Company provides to the relevant person within the framework of its obligation to inform, as stated in Article 5 of this Policy, is consistent with the information disclosed to the Registry.


9. Roles and Responsibilities

Our company's roles and responsibilities regarding the processing of personal data are as follows:

• The Quality Assurance Department is responsible for notifying this Policy to the relevant persons, such as customers, subcontractors and suppliers, whose data is processed.

• The Quality Assurance Department is responsible for informing the parties that process data on behalf of the Company, such as employees and suppliers, about this Policy and for ensuring, through regular checks, that these data processors comply with and implement the Policy.

• The Quality Assurance Department is responsible for updating this Policy. The Unit makes the necessary improvements by considering the needs of the Company's IT systems and, when necessary, carries out the process of updating the Policy.

• Quality Assurance Department

• The relevant unit is authorized to approve updates to this Policy.

• The Quality Assurance Department is responsible for determining the sanctions for violations of the Policy and for their implementation.


10. Deletion, Destruction and Anonymization of Personal Data

• In accordance with Article 7 of the KVKK and other relevant legislation, if the reasons for processing personal data disappear, personal data is deleted, destroyed or made anonymous upon the Company's decision, periodic control and/or the request of the relevant person.

• The Company may not retain personal data for longer than necessary in connection with the reason for obtaining it. The Company deletes, destroys or anonymizes personal data once the reasons for processing are eliminated, or in the first periodic destruction operation following the date on which the obligation arose.

• The Company has prepared a Storage and Destruction Policy to determine the procedures and principles in this direction. The retention period for each category of personal data and the criteria used for storage and destruction periods, including the period for which the Company is legally obliged to retain the data, are set out in this Storage and Destruction Policy. This Storage and Destruction Policy is arranged in accordance with the Personal Data Inventory specified in Article 8 of this Policy.

• In deleting, destroying or anonymizing personal data, the Company acts in accordance with the principles in section 4/a of this Policy, the technical and administrative measures in Article 6, its Storage and Destruction Policy, relevant legislative provisions and Board decisions.

In accordance with the provisions of the KVKK, relevant legislation and the Company's Storage and Destruction Policy, personal data is destroyed securely by the most appropriate method. Upon request of the relevant person, the Company chooses the appropriate method by explaining its justification.


11. Rights of the Data Subject and Exercise of Their Rights

a. Rights of the Data Subject

Data subjects have the following rights regarding their personal data processed in accordance with Article 11 of the KVKK:

• Learning whether personal data is being processed,

• If your personal data has been processed, to request information about the nature of this information and to learn to whom it has been disclosed,

• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

• Knowing the third parties to whom personal data is transferred, whether domestically or abroad, and requesting that the action taken in this respect be notified to third parties,

• If personal data is processed incompletely or incorrectly, requesting that these be corrected and that this be notified to the relevant third parties,

• Requesting the deletion or destruction of personal data where the reasons requiring processing have been eliminated, even though it has been processed in accordance with the provisions of the relevant law,

• Objection to a result that is detrimental to the person himself/herself,

• Requesting compensation for damage suffered due to unlawful processing of personal data.

b. Exercise of Rights

You can submit applications and requests regarding personal data using the Data Subject Application Form:

1. By signing it with a secure electronic signature or mobile signature and sending it via registered electronic mail (KEP) to carex@hs01.kep.tr, or

2. In person, with a valid ID document, at Veliköy-Yalıboyu OSB Mah. 84.Sad. No:4 Çerkezköy/TEKİRDAĞ.

In accordance with the legal obligations regarding the procedures and principles of applying to the data controller, the application must include the data subject's name, surname and, if the application is in writing, signature; Turkish ID number for citizens of the Republic of Turkey; nationality and passport number (or ID number, if any) for foreigners; place of residence or business address for notification; e-mail address and fax number, if any, to be used as the basis for notification; and the subject of the request. In addition, identity verification documents and information and documents related to the subject of the request must be attached to the application.

In order to run the process in the most effective way, the right you want to exercise and the details of the requested transaction must be stated clearly and understandably.

The subject of the request must be related to the person concerned. If the application is being made on behalf of someone else, the person making the request must rely on a specifically documented authority (power of attorney) for the requested action. Unauthorized applications will not be taken into consideration.


c. Evaluation of the Application

Applications are evaluated as soon as possible, and a response is given within 30 days at the latest from the date the application reaches us.

If necessary, additional information and documents may be requested during the evaluation process, in accordance with the relevant legislation. In such cases, a fee may be charged for fulfilling the request.

The Company takes all necessary administrative and technical measures to finalize the applications made by the relevant person effectively and in accordance with the law and the principle of honesty.


d. Rejection of Application

The application will be rejected;

• If the application is not made in accordance with the procedure specified above,

• When the application contains a request that is contrary to the current legislation,

• When the application is not based on a justified reason or constitutes an abuse of rights,

• When the application concerns the processing of personal data for purposes such as research, planning and statistics by anonymizing it with official statistics,

• When the application concerns the processing of personal data made public by the relevant person,

• In case of any of the other conditions falling within the scope of Article 28 of the KVKK.

In case of rejection, the Company notifies the relevant person of the rejection, explaining the reason.

e. Right to Complain

In case of applications made to the Company, the relevant person has the right to complain to the Board if the application is rejected, if the response given by the Company is found insufficient, or if the Company does not respond within 30 days.

The relevant person may exercise the right to complain within 30 days from the date of learning the Company's response and, in any case, within 60 days from the date of application.


12. Publication and Entry into Force of the Policy

This Policy shall enter into force on September 25, 2024. The current version of this Policy is published at https://tr.celenesbysweden.com/ and https://tr.bionnex.com/.


13. Policy Update

The company owns this document and the Quality Assurance Unit is responsible for reviewing this procedure.

Old versions of this Policy that are no longer in force are cancelled with the approval of the Quality Assurance Department and are kept for 10 years by the Quality Assurance Department. Policies that have expired are destroyed by the Quality Assurance Department, with a report prepared.

PERSONAL DATA PROTECTION AND PROCESSING POLICY

Index

1. Purpose

2. Scope and Application

3. Definitions

4. Processing of Personal Data

a. The Principles to be Followed While Processing Data

b. The Purposes of Processing Personal Data

c. Legal Grounds of Processing Personal Data

d. Legal Grounds of Processing Sensitive Personal Data

5. Obligation to Inform

6. Data Security

a. Technical Measures

b. Administrative Measures

7. Transfer of Personal Data

a. Local Transfers

b. Transfers to Abroad

8. Personal Data Inventory

9. Roles and Responsibilities

10. Deletion, Destruction, and Anonymization of Personal Data

11. Rights and Exercises of Rights of the Data Subject

a. Rights of the Data Subject

b. Exercises of Rights of the Data Subject

c. Evaluation of the Application

d. Our Rights to Reject the Application

e. Right to Complaint

12. Issuing, Enforcement

13. Update of the Policy


1. Purpose

The main objective of this Personal Data Protection and Processing Policy (“Policy”) is to provide explanations regarding the personal data processing activities carried out by Carex Herbal Products Cosmetics Industry and Trade Ltd. Ltd. (“Company”) pursuant to the law and the systems adopted for the protection of personal data and, in this context, to provide transparency by informing the people whose personal data is being processed by the Company.

The Company carries out its activities in accordance with the provisions of, in particular, the Constitution of the Republic of Turkey and the international agreement to which we are a party, as well as the Turkish Data Protection Law (“KVKK”) and relevant legislation regarding the protection and privacy of personal data. The Company is sensitive to the protection of personal data, fundamental rights and freedoms. It keeps fundamental human rights such as privacy of private life and freedom of thought in focus in all its activities.


2. Scope and Application

This Policy has been prepared in line with the regulations in force and international standards. The Company will primarily apply this Policy in all its data processing activities such as data processing, transfer, and amendment.

The Company also has different policies that address the protection of personal data and ensuring information security with certain business activities and processes. This policy does not override the data protection terms in different company policies unless it contains additional terms or requires a higher standard for personal data protection. This Policy is implemented along with such other policies and procedures as appropriate.

If there is a conflict between the provisions of the relevant legislation in force on the protection and processing of personal data and the provisions of this Policy, the provisions of the legislation in force will apply primarily.


3. Definitions

KVKK: Turkish Data Protection Law numbered 6698

Data Processor: The natural person or legal entity that processes data on behalf of the data controller with authority given by the data controller

Data Controller: The person who defines the purpose and the means of processing personal data and is responsible for the data recording system management

Data Subject: A natural person, includes but is not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employees of business partners, third parties of the Company and its affiliates with whom they have a commercial relationship, whose data is processed

Explicit Consent: Consent that is related to a specific issue based on the information and expressed with free will

Personal Data: Any information related to a natural person whose identity is known or identifiable

Sensitive Personal Data: Information related to race, ethnicity, political or philosophical opinions, religion, sect or other beliefs, appearance, union memberships, health, sex life, convictions, security measures, etc., as well as biometric and genetic information

Processing of Personal Data: Any operation performed on data such as obtaining, recording, storing, preservation, modification, reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system

Anonymization of Personal Data: Rendering the data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data

Deletion of Personal Data: Deleting or rendering the personal data in such a way that it is no longer accessible or reusable for the users

Destruction of Personal Data: Rendering the personal data to make it inaccessible, unrecoverable, and not available to anyone

KVK Board/Board: Turkish Personal Data Protection Board

KVK Authority/Authority: Turkish Personal Data Protection Authority


4. Processing of Personal Data

a. The Principles to be Followed While Processing Data

The Company's policies and procedures are implemented in line with the processing principles in KVKK and relevant legislation. We know that these principles are of vital importance in exercising the rights of the data subject and their control over data, and we are extremely sensitive to making these principles our focus in all our processing activities. Our principles in our personal data processing activities are as follows:

∙ Personal data are processed in accordance with the law and the principle of honesty and transparently.

The Company relies on the legal processing grounds in KVKK in its data processing activities. In addition, the Company takes the reasonable expectations of the data subject into consideration according to the principle of honesty. The Company uses clear and comprehensive language in its communication with the data subject, and the Company is always in an easily accessible position.

∙ Personal data are processed only for specific, explicit, and legitimate purposes.

The Company determines the purpose of the processing activity before the data processing activities. The data are processed for additional purposes that are compatible with the initial processing purpose only. Being compatible with the first purpose for each additional purpose is determined according to internationally accepted criteria. Our Company informs the data subject about the purposes of data processing by considering the principle of transparency.

∙ Personal data are relevant, limited, and proportionate to the purposes for which they are processed.

Our Company processes the data to the extent required for data processing purposes. Data is obtained through the most appropriate method for data privacy and security. Disproportionate interference with the data subject's rights, interests, and freedoms is avoided in our processing activities.

∙ Personal data are accurate and up-to-date when required.

The Company ensures that the data is up-to-date in all processing activities. Missing, erroneous, or incorrect data is destroyed or corrected as soon as possible. The Company regularly checks that the data is up-to-date.

∙ Personal data are stored for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

With the loss of data processing purposes, the data is deleted, destroyed, or anonymized as soon as possible.

∙ Personal data are processed to ensure the appropriate security.

Our company applies data security as the main principle. It takes the necessary administrative and technical measures by following the best practices in this direction.

∙ The Company demonstrates its compliance with the other principles of KVKK.

Our company acts with the principle of accountability in all its processing activities.

b. The Purposes of Processing Personal Data

The purposes of processing personal data processed by the Company are as follows:

• Ensuring the Security of Data Controllers Operations

• Conducting Employee Candidate/Trainee/Student Recruitment and Onboarding Processes

• Execution of the Application Process of Employee Candidates

• Fulfillment of Employment Contractual and Legislative Obligations for Employees

• Execution of Compensation and Benefit Processes for Employees

• Execution of Activities in Compliance with Legislation

• Execution of Financial and Accounting Affairs

• Execution of Appointment Processes

• Planning of Human Resources Processes

• Execution/Control of Business Activities

• Execution of After Sales Support Services for Goods/Services

• Execution, Control of Sales Processes for Goods/Services

• Ensuring the Security of Data Controller Operations

• Giving Information to Authorized Persons, Institutions, and Organizations

• Execution of Agreement Processes

• Execution of Occupational Health and Safety Activities

• Execution of advertising / campaign / promotion processes, execution of sponsorship activities

• Carrying out activities for customer satisfaction

c. The Company's Legal Grounds for Processing Personal Data:

The Company acts in accordance with one of the legal processing conditions stipulated in Article 5 of KVKK when processing personal data. The conditions of processing personal data, that is, the conditions of being lawful, are listed in a limited number in the Law, and these conditions cannot be expanded. The Company acts in accordance with the following legal grounds for processing personal data:

• Existence of the explicit consent of the data subject,

• That it is explicitly prescribed in laws,

• That processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,

• Requirement on processing personal data of the parties subject to a contract/agreement, due to the execution of a contract/agreement,

• Legally being mandatory for the data controller to fulfill the legal liability,

• Publicized by the data subject directly,

• Legally being mandatory to be processed for granted right to be conducted, used and/or protected,

• Processing personal data for legitimate purposes without violating the fundamental rights and freedoms of the data subject.

Our company does not rely on the legal reason of the explicit consent in the presence of another legal reason.


d. The Company's Legal Ground for Processing Sensitive Personal Data

Sensitive personal data is the type of data that will expose the person to discrimination; these sensitive personal data include religion, race, belief, health, and sexual life. Sensitive personal data cannot be processed without limited legal reasons listed in Article 6 of KVKK.

Within this scope, the Company processes sensitive personal data other than health or sexual life based on;

∙ That it is explicitly prescribed in laws

On the other hand, the personal data on health and sexual life is processed based on;

∙ The presence of the explicit consent of the data subject,

The presence of the explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.


5. Obligation to Inform

The Company is obliged to inform the data subjects in accordance with KVKK and the Communique On Principles And Procedures To Be Followed In Fulfillment Of The Obligation To Inform. If the personal data is obtained from the data subject, the Company informs the data subject in person or by the persons authorized by the Company at the time of obtaining the data. If the personal data are not obtained from the data subject, the obligation to inform is fulfilled within a reasonable time; if the data will be used for communication with the data subject, the obligation to inform is fulfilled once communicated; if the data is to be transferred, the obligation to inform is fulfilled at the latest when the first transfer is made.

The company informs the data subjects at least about the legal entity and address information of the Company, for what purpose the personal data will be processed, to whom and for what purposes the processed data can be transferred, the method of personal data collection, and the legal reason for the rights outlined in the Article 11 of KVKK.

When the purpose of personal data processing changes, the obligation to inform is fulfilled for that purpose before the data processing activity.


6. Data Security

As the data controller, the Company is obliged to prevent and protect personal data from being illegally processed or accessed when processing personal data. For this reason, the Company has taken all technical and administrative measures regarding data security, including the additional measures required to protect sensitive personal data. In this context, the measures taken by our company are listed below.

∙ Technical Measures

∙ Administrative Measures


7. Transfer of Personal Data

a. Local Transfers

Our company transfers personal data to third parties based on the data processing conditions set forth in Article 5 and 6 of KVKK. The Company takes all necessary security measures in its data transfer activities. In this context, the recipient groups to which our company transfers data are as follows:

- Suppliers

- Partners

- Authorized Public Institutions and Organizations

b. Transfers to Abroad

Under Article 9 of KVKK, the Company transfers data abroad by meeting one of the following conditions.

• Based on the explicit consent of the data subject,

• If the country to which personal data will be transferred is in the status of "adequate country" and provides adequate protection,

• Based on the rights and obligations of the Company and the recipient party regarding data transfer being regulated, and by undertaking adequate protection in writing along with the permission of the Board.


8. Personal Data Inventory

The Company has established a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of KVKK. The Company's data inventory contains the following:

• Business processes where personal data is handled,

• Category of personal data,

• Processed personal data,

• Processed sensitive personal data,

• The purpose and legal reason for the processing activity,

• Recipients of personal data in the country,

• Whether personal data is transferred abroad,

• Retention periods of personal data

In case of a change in the processing activities of the Company, the Personal Data Inventory shall be updated. The company notifies the Data Controllers' Registry of the information in the Personal Data Inventory and the updates if any. The information to be provided by the Company to the data subject within the framework of the obligation to inform is set forth in the Article of this Policy is compatible with the information disclosed in the Registry.


9. Roles and Responsibilities

The roles and responsibilities of our company regarding the processing of personal data are as follows:

• Quality Assurance Department shall be liable to notify the data subjects such as customer, subcontractor, and supplier about this policy.

• Quality Assurance Department shall be liable to inform the parties who process data on behalf of the Company, such as employees and suppliers, about this Policy, and to regularly check that the Policy is implemented by the aforementioned data processors.

• Quality Assurance Department shall be liable for updating this Policy. The relevant department makes the necessary improvements by considering the needs of the company's information processing systems and carries out the process of updating the Policy when necessary.

• Quality Assurance Department is authorized to approve the updates regarding this Policy.

• Quality Assurance Department shall be liable for the determination and implementation of sanctions in violations of the implementation of the policy.


10. Deletion, Destruction, and Anonymization of Personal Data

• Under Article 7 of KVKK and other relevant legislation provisions, when the reasons for the processing of personal data disappear, the personal data are deleted, destructed, or anonymized upon the Company's decision, periodic control and/or the request of the data subject.

• The Company will not keep personal data for longer than necessary in line with obtaining personal data. The Company deletes, destructs, or anonymizes personal data in the first periodic destruction process following the date of the obligation to delete, destruct or anonymize the personal data when the reasons for processing disappear.

• The Company has prepared a Retention and Destruction Policy to determine the procedures and principles in this direction. The retention period for each category of personal data has been set out in the Retention and Destruction Policy along with the criteria used to specify this period, including any legal obligations that the Company has to retain the data. This Retention and Destruction Policy has been prepared in accordance with the Personal Data Inventory specified in Article 8 of this Policy.

• The company acts following the principles set out in Section 4/a of this Policy, the technical and administrative measures set out in Article 6, the Retention and Destruction Policy, the provisions of the relevant legislation, and the decisions of the Board in the deletion, destruction or anonymization of personal data.

Personal data will be destructed securely in accordance with the provisions of KVKK and related laws under the Retention and Destruction Policy. Upon the request of the data subject, the company chooses the appropriate method with justification.


11. Rights and Exercises of Rights of the Data Subject

a. Rights of the Data Subject

Data subjects have the following rights regarding their personal data processed following Article 11 of KVKK:

• To learn whether personal data is being processed,

• To make requests regarding the nature of information held and to whom it has been declared,

• To learn the processing purpose of personal data and whether it is used under this purpose,

• To be informed about the third parties that the personal data is transferred domestically or abroad and to make notification regarding the transactions made,

• To demand correction for the personal data that is processed as deficient or incorrect and notification of the third parties about this,

• To demand deletion or destruction of the personal data of which reason to process is no more available, even if the data is processed under the related law,

• To object to any result against the data subject,

• To demand compensation in case of any damage caused by illegal processing of personal data.


b. Exercises of Rights of the Data Subject

Applications and requests regarding personal data can be sent via the Data Subject Application Form,

1. By signing with a secure electronic signature or mobile signature, sending it to the carex@hs01.kep.tr via registered electronic mail (KEP) or,

2. By sending your signature and photocopy of identity to Veliköy Yalıboyu OSB Mah. 84th Street No:4 Çerkezköy/TEKİRDAĞ or by applying in person, with a valid identity document, to the Company.

In accordance with the legal requirements regarding applications to data controllers, data subjects should include in their application their name and surname, their signature if the application is in written form, their Turkish ID Number if they are a Turkish citizen, their nationality and passport number (or ID number, if they have one) if they are a foreigner, their place of residence or business address to be used for notifications, their e-mail address and fax number, and the subject of the request. In addition, they should add documents and information confirming their identity to their application.

To operate this process in the most effective way, it should be clearly and understandably indicated in their request which right is wished to be used and the details of the requested transaction.

The subject of the request should be about the data subject itself. If the application is made on behalf of someone else, the person making the request should rely on a specially documented authorization for the requested transaction (power of attorney). Unauthorized applications will be ignored.

c. Evaluation of the Application

Applications are evaluated as soon as possible and at the latest within 30 days from the date of receipt of the application. During the evaluation process, additional information and documents can be requested if required, and a fee may be charged for fulfilling the request in cases that comply with the relevant legislation.

The Company takes all necessary administrative and technical measures to conclude the applications made by the data subject effectively and in accordance with the law and the principle of honesty.

d. Rejection of the Application

Application is rejected if;

∙ The application is not made in accordance with the abovementioned procedure,

∙ The application contains a request that is contrary to the applicable legislation,

∙ The application is not justified or is an abuse of the right,

∙ If the personal data subject to application is processed for purposes such as research, planning, and statistics by making them anonymous with official statistics,

∙ The processing of personal data is made public by the data subject itself.

∙ One of the other conditions within the scope of Article 28 of KVKK exists.

In case the application is rejected, the Company declares its reason and notifies the data subject about the rejection.

e. Right to Complain

In the applications made to the Company, the data subject has the right to complain to the Board when their application is rejected, if the response given by the Company is insufficient, or if the Company does not respond within 30 days. The data subject shall exercise their right to complain within 30 days from the date of learning the response of the Company and in any case within 60 days from the date of application.


12. Issuing and Enforcement of the Policy

This Policy enters into force on 25.09.2024

The current version of this Policy is accessible at https://tr.celenesbysweden.com/ and https://tr.bionnex.com/


13. Updating the Policy

The Company is the owner of this document and Quality Assurance Department is responsible for ensuring that this procedure is reviewed.

The abolished old copies of this Policy are canceled with the approval of Quality Assurance Department and kept for 10 years. Policies with expired retention periods are destructed by preparing a report by Quality Assurance Department.