Membership and Purchase Activities

LEGAL NOTICE ON PERSONAL DATA PROCESSING AND PROTECTION

DURING MEMBERSHİP AND PURCHASE ACTIVITIES

1. Information Related to Data Controller

We, as DD PHARMA KOZMETİK DIŞ TİCARET LİMİTED ŞİRKETİ (Tax ID: 2720697185) ("DD Pharma" or "COMPANY"), located at Maslak Mah. Taşyoncası Sok. T4 Apt. No: 1 U/B 139 Sarıyer/İstanbul, are extremely sensitive to the security of your personal data. With this awareness, we attach great importance to the processing and preservation of personal data belonging to individuals with whom the Company interacts, in accordance with the Law on the Protection of Personal Data numbered 6698 ("Law" or "DPL"), secondary regulations (regulations, communiqués, etc.) issued and to be issued in accordance with the Law, and binding decisions taken and to be taken by the Personal Data Protection Board. With full awareness of our responsibility as defined in the Law as the "Data Controller", we process your personal data and take all necessary technical and administrative measures to ensure an adequate level of security in order to prevent the unlawful processing of personal data, prevent unauthorized access to personal data and ensure the preservation of personal data within the limits prescribed by the legislation."

2. Processed Personal Data Categories and Types

Personal Identifying Information	Name, surname, date of birth, Turkish identity number
Contact Information	Phone number,address, e-mail address, invoice address
Process Security and Risk Management	IP address, user/member information, site login and exit information, log records, data being processed on the purpose of preventing commercial, technical and administrative risks
Finance ve Marketing	Credit card and payment information
Customer Processes	Invoice, customer ID.

Data types marked in red above are provided for the realization of the membership process while the remaining data are provided during the purchasing activity. If and when a purchasing activity does not take place or data owner does not make it public voluntarily, purchase related data will not be provided.

3. Personal Data Collection Methods and the Activity from Which it is Obtained

As the Company, we collect your personal data automatically through electronic methods.

Data Category	Process Obtained
Identity, Communication, Transaction Security and Risk Management, Finance, Customer Transactions	By automatic method; In order to become a member of the Site and to carry out transactions (purchasing activity etc.) in the continuation of membership activities.

4. Purposes and Legal Reasons for the Processing Personal Data

As the Company, we process your personal data for the purposes and legal reasons described below.

Data	Processing Purposes	Legal Reason
Identity	· Realization of membership processes, · Ensuring the security of data controller, · Performance of the Site business and business continuity, · Follow-up of requests and complaints, · Receiving suggestions for improving business processes, · Execution of service operation processes and logistic activities	Art. 5/2-c-f of the DPL; processing of personal data belonging to the parties of a contract is mandatory provided that it is directly related to the conclusion or performance of that contract and processing of personal data is mandatory for the legitimate interests of the controller, provided that such processing shall not violate the fundamental rights and freedoms of the data subject.
Contact
Process Security and Risk Management	· Ensuring workplace safety and data controller operations, · Ensuring business continuity	Art. 5/2-a-f of DPL; Data transfer is mandatory for the legitimate interests of the data controller, provided that it is clearly stipulated in the laws and does not violate the fundamental rights and freedoms of the data subject.
Finance and Marketing	· Ensuring the security of data controller operations, · Execution of sales operations, · Carrying out return processes and providing a secure shopping infrastructure, · To be able to carry out product/service procurement processes and finance and accounting processes and to carry out activities in accordance with the legislation, · Managing and developing after-sales services	Art. 5/2/c-ç of DPL; Provided that it is directly related to the establishment or performance of a contract, transfer of personal data belonging to the parties of the contract is mandatory for the data controller to fulfill its legal obligations.
Customer Transactions	· Ensuring the security of data controller operations, · Ensuring business continuity, · Execution of product/service procurement processes and finance and accounting processes.	Art. 5/2/a-c-ç of DPL; Transfer It is mandatory to transfer personal data of the parties of the contract, provided that it is clearly stipulated in the laws, it is directly related to the establishment or performance of a contract, and the date transfer is mandatory for the data controller to fulfill its legal obligation.

In addition, personal data in the category of identity and contact data, processed within the scope of sendinginformative commercial electronic messages for advertising, campaigns and promotions related to the product and service marketing and strategic marketing activities will be processed based on the legal reason of your explicit consent in Article 5/1 of the Law.

5. Transfer of Personal Data and Purposes of Transfer

Transferred Person/Organization

Transfer Purposes

Legal Reasons

Company affiliates and/or partners, suppliers, service provider business partners authorized as data processor.

Carrying out business and business continuity activities, ensuring the security of data controller operations, receiving suggestions for the improvement of the Site, carrying out information security processes.

With reference to Art 8/2 of DPL;

Provided that it is directly related to the establishment or performance of a contract, it is necessary to transfer personal data belonging to the parties of the contract, and provided that it does not violate the fundamental rights and freedoms of the person concerned, the data transfer is mandatory for the legitimate interests of the data controller.

Public institutions and organizations and judicial authorities by law to receive information

Conducting legal reports, carrying out regulatory and audit activities, constituting complaints and legal proceedings.

6. Right of the Related Person/Data Subject

You may apply to the Company at any time;

· to learn whether personal data related to you are/have being processed,

· if it is processed, to request information with regard to processing,

· to learn purposes of the processing and whether your personal data has been used for the intended purpose

· to know the third parties within or outside the country, to whom your personal data are transferred,

· to request correction of the personal data if the data is processed incompletely or inaccurately,

· to request deletion or destruction of the personal data under the conditions set forth in Article 7 of the Law No. 6698 on Personal Data Protection,

· to request notifying third persons to whom the personal data are transferred, about the processes completed within the scope of Art 11/d-e of the Law,

· to object to negative consequences about you that are concluded as a result of analysis of the processed personal data exclusively by automatic means,

· to claim indemnification if you suffered damage due to illegal processing of your personal data.

You may exercise your rights listed above through filling out and signing a form that you can obtain from us or , www.ddpharma.com.trand apply to the following address personally or with a notary approved power of attorney:

· Fill in the application form; sign with your wet-ink signature and pass it to “Maslak Mah. Taşyoncası Sok. T4 Apt. No: 1 U/B 139 Sarıyer/İstanbul” by personal application, by certified mail or through a notary public.

· Sign with your electronic signature or mobile signature and send it to ddpharma@hs01.kep.tr by using your Registered Electronic Mail (REM) address or the e-mail address registered to the data recording system of the Company.

If there is a written response to your application, there will be no charge for the first 10 (ten) pages, and a transaction fee of 1 TL will be charged for each page above 10 (ten) pages. If the response to your application is given in a recording medium such as a CD or flash memory, the exigible cost will be no more than the cost of the recording medium.

Your application as a personal data owner, if you want to use or demand the use of your rights mentioned above, the request should be clear and understandable enough, the subject of your request should be related to you or if you are acting on behalf of someone else, you must submit a special power of attorney approved by the notary.

First name, signature, identity number, residence or workplace address, e-mail address, telephone and fax number, and the presence of the requisite elements are obligatory in accordance with the “Notification on the Procedures and Principles of Application to the Data Officer”. Applications that do not include such elements will be rejected by the Company.

The Company reserves the right to make changes in this Notice, due to the Law, secondary regulations and Board decisions. Changes in the Notice and the current text will enter into force immediately as of the date of notification.

LEGAL NOTICE ON E-BULLETIN, MARKETING ACTIVITIES & COMMERCIAL ELECRONIC MESSAGES

As the Data Controller for personal data processing in accordance with the Law Numbered 6698 on the Protection of Personal Data (“DPL” or “Law”) and as the Service Provider in accordance with the Regulation on Commercial Electronic Messages (“Regulation”); “Maslak Mah. Taşyoncası Sok. T4 Apt. No: 1 U/B 139 Sarıyer/İstanbul” DD PHARMA KOZMETİK DIŞ TİCARET LİMİTED ŞİRKETİ (Tax ID: 2720697185) ("DD Pharma" or "COMPANY"), we would like to inform you in accordance with Article 10 of the Law titled “Disclosure Obligation of the Data Controller”.

DD Pharma takes the utmost attention to ensure the confidentiality and security of personal data requested form its users.

This notice/clarification text has been prepared in order to inform about the personal data processed within the scope of DPL and the methods of collection, the legal reasons and purposes of personal data processing, the persons/organizations to whom personal data are transferred and the purposes of transfer, the rights of natural persons whose data are processed and the processes of sending commercial electronic messages.

1. Categories and Types of Personal Data Processed

Personal Identifying Information	Name, surname
Contact Information	Telephone number, e-mail address
Customer Transactions	Records for the use of products and services and information such as the customer’s instructions and requests required for the use of products and services, shopping history information, cookie records, reports and evaluations showing the likes of the person to be used for marketing purposes, shopping habits and preferences of the customer; shopping date, time, amount, shopping content, installment information, payment method and payment details, product reviews, campaign, discount, benefit information etc.
Marketing

2. Personal Data Collection Methods and the Activity from Which it is Obtained

As the Company, we collect your personal data automatically through electronic methods.

Data Category	Process Obtained
Identity, Communication, Customer Transaction and Marketing	By automatic method; By subscribing to DD Pharma E-Bulletin through the form on the website and/or through the areas where commercial electronic messages are allowed to be sent.

3. Purposes and Legal Reasons for the Processing Personal Data

As the Company, we process your personal data for the purposes and legal reasons described below.

Data Category	Processing Purposes	Legal Reason
Identity	Conducting marketing, analysis and modeling studies in order to offer all our products and services offered and brokered on the website to our customers specifically, Conducting marketing, advertising, campaign and promotion processes and contacting you for these purposes, Contacting to get your opinions about products and services, follow-up of requests and complaints, Management of relationships with support service/external service providers, business partner or suppliers, execution of support/external services after the sale of services, Obtaining the approval specified in the Regulation in order to send commercial electronic messages to you.	Art. 5/1 of DPL; Based on obtaining your explicit consent.
Contact
Customer Transaction
Marketing

4. Transfer of Personal Data and Purposes of Transfer

Transferred Person/Organization	Transfer Purposes	Legal Reasons
Company affiliates and/or partners, suppliers, service provider business partners authorized as data processor.	Carrying out business and business continuity activities, ensuring the security of data controller operations, receiving suggestions for the improvement of the Site, carrying out information security processes.	With reference to Art 8/2 of DPL; Provided that it is directly related to the establishment or performance of a contract, it is necessary to transfer personal data belonging to the parties of the contract, and provided that it does not violate the fundamental rights and freedoms of the person concerned, the data transfer is mandatory for the legitimate interests of the data controller or when data transfer is mandatory for the data controller to fulfill its legal obligations.
Public institutions and organizations and judicial authorities by law to receive information	Conducting legal reports, carrying out regulatory and audit activities, constituting complaints and legal proceedings.
Message Management System (“MMS”) and the relevant private legal entities	Law No. 6353 on the Regulation of Electronic Commerce and fulfillment of the obligations of secondary legislation related to the Law.	With reference to Art 8/2 of DPL; It is clearly stipulated in the Law, it mandatory for the data controller to fulfill its legal obligations.

5. Right of the Related Person/Data Subject