Data Security Policy

This Data Security Policy has been prepared by Core Sağlık Hizmetleri Ve Kozmetik Ürünleri İmalat San. A.Ş. (“Company”) in order to explain the principles and measures applied to ensure the confidentiality, integrity, and security of personal data processed through its websites, digital platforms, and business processes.

The Company attaches great importance to the protection of personal data and processes personal data in accordance with the Turkish Personal Data Protection Law No. 6698 (“KVKK”), applicable secondary legislation, and, where applicable, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Scope

This Policy covers all personal data processed by the Company, whether obtained electronically or physically, relating to customers, website visitors, business partners, suppliers, employees, and other third parties.

Principles of Data Security

The Company processes personal data in compliance with the following principles:

• Lawfulness, fairness, and transparency
• Accuracy and data minimization
• Processing for specific, explicit, and legitimate purposes
• Storage limitation
• Integrity and confidentiality

Technical Security Measures

The Company implements appropriate technical measures to prevent unlawful access, loss, alteration, disclosure, or destruction of personal data. These measures may include, but are not limited to:

• Secure server infrastructure and firewall systems
• SSL/TLS encryption for data transmission
• Access control mechanisms and authorization levels
• Logging and monitoring of system access
• Regular system updates and vulnerability assessments
• Secure backup and disaster recovery systems

Administrative Security Measures

In addition to technical safeguards, the Company applies administrative measures to ensure data security, including:

• Internal policies and procedures on data protection
• Confidentiality obligations imposed on employees
• Limited access to personal data on a need-to-know basis
• Regular training and awareness programs for employees
• Risk assessments related to personal data processing activities

Data Access and Authorization

Access to personal data is limited to authorized personnel who require such access to perform their duties. Authorization levels are defined according to job roles, and access rights are reviewed periodically.

Data Sharing and Third Parties

Personal data may be shared with third-party service providers, business partners, and suppliers, strictly within the limits of the purposes of processing and in accordance with applicable legislation.

The Company ensures that third parties implement adequate technical and administrative measures to protect personal data and, where necessary, concludes data processing agreements with such parties.

Data Transfers Abroad

In cases where personal data is transferred outside Türkiye, the Company ensures compliance with the relevant provisions of KVKK and, where applicable, GDPR, including obtaining explicit consent or relying on legally permitted transfer mechanisms.

Data Retention and Deletion

Personal data is retained only for the period required by applicable legislation or for the purposes for which it is processed. Upon expiration of the retention period or upon request by the data subject where legally permissible, personal data is deleted, destroyed, or anonymized in accordance with the Company’s data retention and destruction procedures.

Data Breaches

In the event of a personal data breach, the Company takes immediate action to mitigate the impact, prevent further unauthorized access, and comply with applicable notification obligations under KVKK and GDPR.

Rights of Data Subjects

Data subjects may exercise their rights under Article 11 of KVKK and, where applicable, relevant provisions of GDPR, by submitting their requests in writing or through the communication channels specified on the Company’s website.

Policy Updates

The Company reserves the right to update this Data Security Policy in line with legislative changes, technological developments, or operational requirements. Updated versions shall be made available through the Company’s digital platforms.