Personal Data Protection and Processing Policy

1. INTRODUCTION
DeltaPV İlaç Danışmanlık Sağlık Ürün. ve Hiz. Tic. A.Ş. (“DeltaPV” or the “Company”) is a contract pharmacovigilance services organization which provides pharmacovigilance services.

DeltaPV places importance on the processing and protection of personal data in accordance with the laws. In this context, the Personal Data Protection and Processing Policy has been drawn up. The policy aims at informing all natural persons whose personal data are processed by DeltaPV, except for DeltaPV employees.

Unless otherwise stated, the Company acts as the data controller in the following personal data processing processes.

In cases where there is a conflict between the Turkish language in which the policy is prepared and any translation, the Turkish text should be taken into consideration.

2. DEFINITIONS
Explicit Consent: Freely given, specific and informed consent.
Personal Data: All the information relating to an identified or identifiable natural person.
Processing of Personal Data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automated means, or through non-automated means provided that the process is a part of any data registry system.
Law: Law No. 6698 on the Protection of Personal Data.
Board: Personal Data Protection Board.
Authority: Personal Data Protection Authority.
Data Subject: Natural person, whose personal data are processed.
Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data registry system.
Data Processor: The natural or legal person who processes personal data on behalf of the data controller upon his/her authorization.

The definitions contained in the Law and secondary regulations shall apply with regard to the definitions not included herein.

3. MODES AND PURPOSES OF PROCESSING PERSONAL DATA
When DeltaPV collects personal data directly from its websites, visitors, customers, suppliers, business partners or employee candidates, it often acts as a data controller.

However, when personal data are collected from patients, reporters, consumers or healthcare professionals, DeltaPV usually acts as a data processor. DeltaPV’s customers, which are data controllers, can fulfill their obligations under the relevant pharmacovigilance and health legislation through the Company, which acts as a data processor.

In cases where DeltaPV acts as a data processor under contracts with customers, it processes personal data on behalf of the customers in order to fulfill pharmacovigilance services. In these cases, the data controllers are the customers on whose behalf data are directly processed.

Where DeltaPV acts as a data processor, the customers determine the purposes and means of processing your personal data according to their legal obligations as data controllers and their business requirements.

For example, when collecting data from reporters in adverse event reporting, DeltaPV acts as a data processor. The customer, who has rights on the medicine/product related to an adverse event report, decides, as the data controller, how to use the data collected under an adverse event.

3.1. Website Visitors
Personal data collected through the contact form or similar forms on the website (https://www.deltapv.com/) are used in order to perform administrative and operational processes in accordance with your purpose in sending the relevant form to DeltaPV. Cookies may be used from time to time on the website. With regard to the use of cookies, please refer to the Cookie Policy on the website.

3.2. Employee Candidates
DeltaPV provides pharmacovigilance services for the pharmaceutical industry. In this context, job applications are received from the website, from career websites or directly from you. Personal data that you have submitted to DeltaPV for job applications are used only to conduct the employee candidate/intern selection and placement processes, to plan human resources processes and to evaluate whether you have the necessary qualifications for the relevant job.

3.3. Customer, Supplier and Business Partner Information
For the management of customer, supplier and business partner relationships and contracts, DeltaPV can use the name, surname and contact information of suppliers, business partners and customer employees. The data obtained are used to conclude or perform contracts with these persons, to fulfill legal obligations, to exercise, protect and establish a right or for the Company’s legitimate interests, and are not shared with third parties except for these purposes.

In this context, your personal data can be processed to conduct financial and accounting works, conduct customer relations management processes, conduct contract processes, conduct communication activities, conduct audits/ethics activities, conduct product/service production and operations processes, conduct advertising/campaign/promotional processes, conduct training activities, plan and perform regulatory compliance and pharmacovigilance services processes, and provide information to authorized persons/institutions and organizations.

3.4. Visitor Logs
If you use the Internet service provided by DeltaPV, DeltaPV, as the party providing the Internet, should take necessary measures to prevent access to the contents, the subject of which constitutes a crime, and to keep access records relating to the use of Internet in accordance with the Law No. 5651 on Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting. Therefore, in cases where DeltaPV provides Internet access to you, your information such as MAC ID, IP number and logs related to your use of Internet are processed as part of legal obligations and retained for the legal period in accordance with the legislation.

Your logs are kept for the purpose of creating and managing the information technology infrastructure, providing information to authorized persons/institutions and organizations, creating and monitoring visitor records, conducting information security processes and conducting activities in accordance with the legislation.

3.5. Patients, Consumers, Reporters, Healthcare Professionals
DeltaPV enters into pharmacovigilance service contracts that require the processing of personal data related to the customers, patients and their medicines. In this context, data of special nature such as health data and other personal data may be processed. These data are usually the data that are clearly stipulated to be processed under adverse event reporting in the legislation.

Usually, the name, surname and contact information of healthcare professionals and reporters, who report adverse events, can be processed.

DeltaPV acts as a data processor for the personal data it processes as part of the provision of pharmacovigilance services to the customers. In this context, DeltaPV provides support to its customers so that they can fulfill their legal obligations in the framework of pharmacovigilance legislation and guidelines on Good Pharmacovigilance Practices.

When doing so, the use of medicines, their side effects and their interactions with other medicines are monitored and authorized institutions and organizations are informed in this context. These data processing activities are carried out for the purposes of public health protection and preventive medicine.

In this context, DeltaPV usually processes your personal data for the purposes of planning and conducting pharmacovigilance service processes, carrying out activities in accordance with the legislation, conducting audits/ethics activities, monitoring requests/complaints, providing information to authorized persons/institutions and organizations, conducting communication activities, protecting public health and performing activities of preventive medicine.

4. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA
DeltaPV processes your personal data in accordance with the principles stated below:
• Being Processed in Compliance with the Laws and the Rules of Bona Fides: DeltaPV acts in accordance with the principles laid down by laws and other legal regulations in the processing of personal data. When the Company processes personal data in accordance with the rules of bona fides, it pays attention to processing the required amount of data by taking into account the interests and reasonable expectations of the data subject.
• Being Accurate and Up-to-Date, Where Necessary: Keeping personal data accurate and up-to-date is of importance for protection of the fundamental rights and freedoms of the data subject. DeltaPV pays attention to ensuring that personal data are accurate and up-to-date. In accordance with this principle, data subjects are entitled to request correction or erasure of their data which are not accurate and up-to-date.
• Being Processed for Specific, Explicit and Legitimate Purposes: The Company clearly and precisely determines the purpose of processing personal data and pays attention to the compliance of these purposes with the laws.
• Being Relevant, Limited and Proportionate to the Purposes for which They are Processed: The Company pays attention to ensuring that the data processed are fit for the achievement of the purposes determined. It avoids the processing of personal data that are irrelevant to or unnecessary for the achievement of the purposes.
• Being Retained for the Period of Time Stipulated by Relevant Legislation or Required for the Purposes for which They are Processed: The Company retains personal data for the period of time required for the purposes for which they are processed as required by the “principle of purpose limitation” and takes all necessary technical and administrative measures to provide an appropriate level of security in order to ensure the retention of personal data. However, personal data are erased, destroyed or anonymized upon the disappearance of the purposes for which personal data are processed or the expiration of the period of time stipulated by the legislation.

5. OBLIGATION TO INFORM
Under Article 10 of the Law, when collecting personal data, the data controller or the person authorized by the data controller is obliged to inform the data subjects about the following:
a) identity of the data controller and (if any) its representative,
b) for which purpose the personal data will be processed,
c) to whom and for which purpose the processed personal data may be transferred,
d) the means and the legal reasons of collection of personal data,
e) the data subjects’ rights relating to personal data.

DeltaPV has prepared this Policy within the scope of this obligation, and for data processing activities for which it acts as the data controller, it provides further information to the data subjects through information forms containing the above information. Within this scope, where the personal information is not collected from the data subject, DeltaPV fulfills its obligation to inform the data subject as follows:
a) within a reasonable time period after obtaining the personal data,
b) if the personal data are to be used for communication with the data subject, at the time of the first communication,
c) if the personal data are to be transferred, at the latest when the personal data are first transferred.

On the other hand, in cases where DeltaPV acts as the data processor, the primary responsibility for the obligation specified in the Law lies with the data controllers. The obligation to inform the data subjects, especially within the scope of the provision of pharmacovigilance services, therefore lies with the clients of DeltaPV who are data controllers.

6. LEGAL GROUNDS
6.1. Personal Data not Being of Special Nature
DeltaPV may process your personal data other than personal data being of special nature based on one or more of the following legal grounds:
• Being Explicitly Provided by Laws: There may be cases which are clearly regulated by laws with regard to the processing of personal data. For example, DeltaPV may use some of your personal data to issue invoices under a business relationship.
• Physical Incapability: Where it is mandatory for the protection of the life or physical integrity of the data subject or another person who is physically or legally incapable of giving consent, personal data may be processed without explicit consent.
• Conclusion or Performance of Contract: During or after the signing of a contract as part of the relationship between you and the Company, DeltaPV can process some of your personal data for the fulfillment of contractual obligations.
• Legal Obligations: DeltaPV has legal obligations to be fulfilled under the applicable legislation, especially the pharmacovigilance legislation. For example, when DeltaPV performs pharmacovigilance services or where it must legally inform authorized public institutions, your personal data is processed based on this legal ground.
• Anonymizing: Some of your data may be made available to the public by you.
• Establishment, Exercising or Protection of a Right: When you apply for a job at the Company, DeltaPV can process your personal data so that you can exercise your application and claim rights when you request information. In such examples, your data are processed on the basis of the legal grounds stated herein.
• Legitimate Interests: In some cases, processing of your personal data may be required in order to fulfill legitimate interests in relation to the activities of the Company.
• Explicit Consent: The Company first assesses whether the purpose of the personal data processing activity is based on one of the above legal grounds; if such purpose does not meet at least one of the legal grounds other than explicit consent, your explicit consent is obtained for the continuation of the data processing activity. You can always withdraw the explicit consent you have given to DeltaPV.

6.2. Personal Data of Special Nature
Personal data of special nature are your data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and biometric and genetic data.

Your data of special nature, especially health data, may be processed in order to provide pharmacovigilance services. However, you may sometimes need to provide DeltaPV with your data of special nature, such as your health data, pursuant to the legislation in order to assess your eligibility for a job as part of your job application. In such cases, the legal grounds relied on in relation to your personal data of special nature are as follows:
• Personal data, excluding those relating to health and sexual life, may be processed without seeking explicit consent of the data subject, in the cases provided by laws.
• Personal data relating to health and sexual life may only be processed, without seeking explicit consent of the data subject, by any persons or authorized institutions and organizations that have confidentiality obligations, for the purposes of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning and managing healthcare services as well as their financing.

DeltaPV processes the personal data you have shared with it by taking adequate measures as determined by the Board. If the said legal grounds are not met, DeltaPV processes your data upon obtaining your explicit consent. You can always withdraw the explicit consent you have given to us.

7. TRANSFER OF PERSONAL DATA
Your personal data may be transferred at home and abroad for the purposes specified in the Policy in accordance with the Law and the rules determined by the Board. DeltaPV may transfer your personal data to the customers and business partners such as DeltaMed and marketing authorization holders, to suppliers to carry on activities, to authorized public institutions and organizations and third parties, based on one or more of the legal grounds mentioned in Section 6 of this Policy.

Since DeltaPV is a company operating as a pharmacovigilance service provider, it may sometimes need to share your personal data with medicine license/marketing authorization holders, third parties with which medicine license/marketing authorization holders enter into a contract, licensors or the global head office of medicine license/marketing authorization holders, and the Turkish Medicines and Medical Devices Agency (“TMMDA”) in order to perform services or legal obligations hereunder. In cases where such medicine license/marketing authorization holders and/or related third parties are located abroad, DeltaPV shares your personal data with them in accordance with the Law and the criteria determined by the Board. Where necessary, it obtains commitments and the necessary approvals from the Board in relation to the sharing of personal data.

8. CONFIDENTIALITY OF YOUR PERSONAL DATA
DeltaPV takes a number of necessary technical and administrative measures to prevent the unlawful processing of and unlawful access to your personal data and to ensure that these data are retained securely. Also, in the event that your personal data are transferred to third parties under a business relationship, DeltaPV regulates issues relating to the sharing with the necessary means to ensure the security of your personal data. The administrative and technical measures primarily taken hereunder are as follows:
• Access to the registry and information systems of the Company is controlled and authorized, and each user is required to use a unique password.
• The Company attempts to prevent any security gaps through the use of anti-virus and firewall programs.
• Regulations are made for electronic devices allocated to employees and the use of personal data contained in these devices is limited.
• Awareness trainings are organized for employees who process personal data within the working period. Employees are also informed about their duties and responsibilities.
• In case of a data breach, this shall be notified to the data subject and the Board as soon as possible.
• Detailed data transfer contracts are entered into with the parties with which personal data are shared, and responsibilities are regulated.
• Databases and the systems used are protected by firewall and intrusion prevention programs.
• Inspections are carried out within the Company in order to implement the measures mentioned herein.

In addition to the above mentioned technical and administrative measures, the following measures are taken in accordance with the Decision No. 2018/10 dated 31.01.2018 of the Personal Data Protection Board (“Decision”) in relation to data of special nature that DeltaPV processes while performing its services as a pharmacovigilance service provider:
• For the security of personal data of special nature, a separate, systematic, manageable and sustainable procedure with clear rules is prepared.
• For employees involved in the processes of processing personal data of special nature,
– Regular training is provided on the legislation on the protection of personal data and security of personal data of special nature;
– Confidentiality agreements are made;
– The authorization scope and period of users who are authorized to access personal data are clearly defined;
– Periodic authorization controls are carried out;
– The authorization of employees who have a position change or leave the job is immediately removed.
• In electronic media where personal data of special nature are processed, retained and/or accessed,
– Personal data are retained using cryptographic methods;
– Cryptographic keys are stored in secure and different media.
• Transactions of all activities performed on data of special nature are logged securely.
• Security updates for the media where the data of special nature are retained are constantly monitored, necessary security tests are regularly conducted and test results are recorded.
• If the data of special nature are accessed via software, user authorizations are made for such software, security tests of such software are regularly conducted and test results are recorded.
• At least a two-step verification system is provided for remote access.
• Adequate security measures (against electricity leak, fire, flood, theft, etc.) are taken according to the characteristics of the physical media where personal data of special nature are stored and unauthorized entries and exits are prevented.
• If data of special nature are to be transferred via e-mail, these data are encrypted using the corporate e-mail address. However, methods such as VPN and sFTP are used for the transfer of personal data of special nature.
• If the data of special nature are to be transferred via paper media, necessary measures are taken against risks such as the theft or loss of or unauthorized access to documents, and documents are sent in the format of “classified documents”.
• In addition to these measures, other technical and administrative measures are also considered to ensure the appropriate level of security specified in the Personal Data Security Guidance published on the website of the Personal Data Protection Agency.

9. ERASURE, DESTRUCTION OR ANONYMIZING OF YOUR PERSONAL DATA
Despite being legally processed, your personal data are erased, destroyed or anonymized in accordance with the retention and destruction policy prepared by DeltaPV if the reasons that require the processing thereof disappear.

DeltaPV fulfills the said liability in compliance with the provisions of the Regulation on Deletion, Destruction or Anonymization of Personal Data (published in the Official Gazette on 28 October 2017 with no. 30224) as well as the Board’s Guideline on Deletion, Destruction or Anonymization of Personal Data.

Deletion of personal data is the process of making personal data inaccessible and irrevocable for Related Users.

To delete personal data, the personal data to be deleted are identified first, followed by the identification of the related users for each item of personal data by using the personal data access / authorization matrix. The deletion of personal data is finalized by removing the rights and authorities of related users to access, recover and re-use personal data.

The destruction of personal data is the process of making personal data inaccessible, irreversible and non-reusable for anyone.

Anonymization of personal data means making it impossible to associate personal data with a specific or identifiable natural person, even if the personal data are matched / paired with other data.

DeltaPV takes all required technical and administrative measures for the deletion, destruction or anonymization of your personal data.

10. YOUR RIGHTS FOR YOUR PERSONAL DATA
You have the following rights with respect to your personal data that you share with DeltaPV or that are obtained in relation to you from third parties:
• To learn whether your personal data are processed or not, and to request information if your personal data are processed,
• To learn the purpose of processing of your personal data and whether these data are used for intended purposes,
• To request information about third parties to which personal data are transferred at home or abroad, if any,
• To request correction of your personal data if they are incomplete or incorrectly processed or to request erasure or destruction of your personal data, and to request the notification of operations carried out based on such requests, to third parties to which personal data are transferred,
• To object to any result that is to your detriment if your personal data are subject to processing by means of analysis exclusively through automated systems,
• To request compensation for your damage arising from the unlawful processing of your personal data.

You may submit your requests regarding your rights over your personal data to DeltaPV by filling in the “Data Subject Application Form” on the website (https://www.deltapv.com/). Your requests will be responded to as soon as possible and within a maximum of 30 days.