Personal Data Protection and Processing
COVALENT LABS İLAÇ VE KOZMETİK ANONİM ŞİRKETİ
PERSONAL DATA PROTECTION AND PROCESSING POLICY
VERSION: 1.0
Effective Date: 18/12/2025
INTRODUCTION
1.1 General Statement
Covalent Labs İlaç ve Kozmetik Anonim Şirketi ("Company") attaches the utmost importance to protecting individuals' fundamental rights and freedoms in the processing and protection of personal data, in particular the right to privacy and data protection as recognised in the Charter of Fundamental Rights of the European Union (notably Articles 7 and 8). In this context, the Company ensures that personal data are processed and protected lawfully and responsibly in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679 — "GDPR") and other applicable EU and national law, and operates on this basis in all planning and activities.
The Company does not treat personal-data protection and processing solely as a matter of legal compliance; it places respect for the individual at the core of its approach. Acting on that principle, the Company implements all necessary administrative and technical measures to ensure the lawful protection and processing of personal data.
1.2 Purpose of the Policy
The purpose of this Personal Data Protection and Processing Policy ("Policy") is to inform data subjects about the procedures and principles the Company follows to protect and process personal data that are processed wholly or partly by automated means or form part of any filing system, in line with the objectives and principles of the GDPR. The Policy aims to ensure full compliance with applicable law in the Company's personal-data processing activities and to protect data subjects' rights to privacy and data security.
1.3 Scope
This Policy has been prepared for and applies to the following natural-person data-subject groups (where applicable): Job Applicant, Third Party (Reference), Company Official, Supplier, Supplier Representative, Customer, Customer Representative, Company Shareholder/Partner, Service Provider, Member, Shareholder/Partner, Electronic Visitor. The Policy will be published on the Company's website so that data subjects can be informed about their rights and the Company's processing practices. This Policy does not apply to legal persons. For the Company's employees, a separate "Personal Data Processing Policy for Employees" will apply.
This Policy applies where the Company processes personal data of the above-mentioned data-subject groups wholly or partly by automated means or as part of any filing system. If the information does not constitute "personal data" as defined below, or if the Company's processing does not occur by the means described, this Policy will not apply.
1.4 Definitions
For the purposes of this Policy, the following terms shall have the meanings set out below:
- Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data concerning them.
- Making Public: The act of making information publicly available. Under the GDPR framework, processing of personal data made public by the data subject may be subject to specific considerations.
- Information/Transparency Obligation: The obligation of the data controller to provide data subjects with information about who processes their personal data, for what purposes, on what legal basis, and to which recipients the data may be disclosed.
- Data Processor (Data Handler): A natural or legal person who processes personal data on behalf of the data controller under the controller's authority.
- Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the filing system.
- Data Subject / Personal Data Owner: The natural person to whom the personal data relate.
- Deletion/Erasure: The removal of personal data so that they are no longer accessible to data users.
- Destruction: The rendering of personal data permanently inaccessible and irrecoverable.
- Anonymisation: The process by which personal data are irreversibly masked, altered, aggregated or transformed such that the data can no longer be linked to an identifiable natural person.
- Processing of Personal Data: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Special Categories of Personal Data (Sensitive Data): Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, data concerning a person's sex life or sexual orientation, or criminal convictions and offences, as defined in the GDPR.
- Supervisory Authority: The independent public authority established under the GDPR in each Member State (referred to in this Policy as "Supervisory Authority" or "Data Protection Authority").
- Filing System: Any structured set of personal data which are accessible according to specific criteria.
- Data Category: A class of personal data grouped by common features or the group(s) of data subjects concerned.
1.5 Entry into Force
This Policy, adopted by Covalent Labs İlaç ve Kozmetik Anonim Şirketi on 18/12/2025, is published on the Company's website at https://www.covalentlabs.com.tr/tr-TR/ana-sayfa/ for access by data subjects.
PROTECTION OF PERSONAL DATA
2.1 Security of Personal Data
The Company implements appropriate technical and organisational measures to ensure personal data are securely stored and to prevent unlawful processing and unauthorised access, in accordance with the GDPR's security principle. Measures taken to ensure personal-data security are detailed in the Company's Data Retention and Erasure Policy.
To ensure compliance with applicable law and internal policies, the Company has established a Personal Data Protection Management System and formed a Personal Data Protection Committee responsible for overseeing the implementation of this Policy and related policies.
2.2 Audits
The Company conducts and commissions audits as necessary to verify the establishment, adequacy and continuity of the security measures described above. The Personal Data Protection Committee is responsible for monitoring and auditing the measures taken to secure personal data.
2.3 Confidentiality
The Company ensures that data controllers and data processors do not disclose personal data in violation of applicable law or this Policy and do not use personal data for purposes other than those permitted, by taking all reasonable administrative and technical measures proportionate to available technologies and implementation costs. The Company organises awareness and training activities on the GDPR and this Policy for its employees and requires confidentiality agreements to be signed as part of employment on-boarding where appropriate.
2.4 Unauthorized Disclosure of Personal Data
If personal data processed by the Company are obtained by others through unlawful means, the Company shall take the necessary steps to notify the affected data subjects and the competent Supervisory Authority within the timeframes and procedures required by applicable law and will take remedial measures. Where required by the Supervisory Authority, and to the extent necessary, such incidents may also be made public by means deemed appropriate by the Supervisory Authority.
2.5 Respect for Data Subjects' Legal Rights
The Company respects data subjects' legal rights arising from this Policy and applicable data-protection law and takes necessary measures to protect those rights.
2.6 Protection of Special Categories of Personal Data
The Company recognises that special categories of personal data (sensitive data) such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health data, sex life and sexual orientation, biometric and genetic data, criminal convictions and related security measures are particularly sensitive and may lead to discrimination or harm if disclosed. Accordingly, the Company processes such data only where lawful under the GDPR and takes heightened safeguards and additional protective measures. The Company maintains a separate policy and procedures for the security of special categories of personal data.
PROCESSING AND TRANSFER OF PERSONAL DATA
3.1 General Principles for Processing and Transfers
The Company processes personal data in accordance with the GDPR and the principles set forth in this Policy. In particular, the Company adheres to the following principles:
3.1.1 Lawfulness, Fairness and Transparency
The Company processes personal data lawfully, fairly and in a transparent manner in relation to the data subject. In doing so, the Company considers the interests and reasonable expectations of data subjects and takes care to avoid outcomes that data subjects would not reasonably expect. The Company ensures transparency regarding processing activities and fulfils information and warning obligations.
3.1.2 Accuracy and, Where Necessary, Up-to-dateness
The Company takes reasonable steps to ensure personal data are accurate and, where necessary, kept up to date, taking into account the nature of the processing, the purposes and the risks to data subjects. The Company provides channels for data subjects to request correction and updates of their information.
3.1.3 Purpose Limitation
The Company determines and documents the purposes for which personal data are processed and ensures that those purposes are legitimate, relevant and limited to what is necessary for the processing purposes. Personal data will not be further processed in a manner incompatible with those purposes without a lawful basis.
3.1.4 Data Minimisation and Proportionality
The Company processes only the personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The Company does not collect personal data for hypothetical future needs without establishing a lawful basis for such processing.
3.1.5 Storage Limitation
The Company retains personal data no longer than necessary for the purposes for which the personal data are processed, in accordance with applicable law. Where retention is no longer required, data are erased, destroyed or anonymised in accordance with the Company's Data Retention and Erasure Policy.
3.2 Lawful Bases for Processing
The Company shall not process personal data without a lawful basis under the GDPR. Personal data may be lawfully processed where at least one of the lawful bases under Article 6 GDPR applies, including, as appropriate:
3.2.1 Legal Requirement
Processing is necessary for compliance with a legal obligation to which the Company is subject.
3.2.2 Vital Interests
Processing is necessary to protect the vital interests of the data subject or another natural person where the data subject is incapable of giving consent.
3.2.3 Performance of a Contract
Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
3.2.4 Consent
Processing is based on the data subject's freely given, specific, informed and unambiguous consent where required.
3.2.5 Public Interest or Official Authority
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company (where applicable).
3.2.6 Legitimate Interests
Processing is necessary for the purposes of legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The Company takes additional safeguards where processing is based on legitimate interests.
3.3 Processing of Special Categories of Personal Data
As a rule, the Company does not process special categories of personal data (sensitive data) except where one of the conditions under Article 9 GDPR applies. Such conditions may include:
3.3.1 Explicit Consent
The data subject has given explicit consent to the processing for specified purposes, except where EU or Member State law provides that the prohibition may not be lifted by the data subject.
3.3.2 Legal Obligation or Rights in Employment Context
Processing is necessary for carrying out obligations and exercising specific rights of the Company or of the data subject in the field of employment, social security and social protection law, insofar as authorised by EU or Member State law.
3.3.3 Vital Interests
Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
3.3.4 Data Manifestly Made Public by the Data Subject
Processing relates to personal data made manifestly public by the data subject.
3.3.5 Establishment, Exercise or Defence of Legal Claims
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
3.3.6 Health and Public-Health Purposes
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, the provision of health or social care or treatment, or the management of health-care systems and services, based on EU or Member State law or pursuant to contract with a health professional subject to confidentiality obligations.
3.4 Transfers of Personal Data
The Company may transfer personal data to third parties only to the extent necessary for the purposes set out in this Policy and only in compliance with the GDPR.
For transfers of personal data outside the European Economic Area (EEA), the Company will rely on the appropriate mechanisms under Chapter V of the GDPR, such as:
- an adequacy decision adopted by the European Commission (Article 45 GDPR);
- appropriate safeguards (Article 46 GDPR), such as standard contractual clauses adopted or approved by the Commission, binding corporate rules, or other approved safeguards;
- specific derogations for specific situations (Article 49 GDPR), where none of the above mechanisms are applicable (e.g., the data subject's explicit consent, performance of a contract, important public interest, etc.).
Where appropriate safeguards are relied upon, the Company will ensure the safeguards are documented and implemented, and data subjects are informed about transfers and safeguards.
CATEGORIES OF PERSONAL DATA AND DATA SUBJECT GROUPS
4.1 Categories of Personal Data
The Company processes personal data classified into the following categories:
- Identity: Data relating to data subjects' identity, such as name, national identification number (where applicable), date of birth, gender, marital status, signature, tax identification number, foreign identity number, identity-document details (serial no., document no., record no., issuing authority, etc.), internet access logs, etc.
- Contact: Telephone number, address, e-mail address, residence information, postal code, social-media identifiers, address number and other contact details enabling communication.
- Professional/Work Experience: Information and documents concerning previous employers, positions held, titles, sectoral experience and professional qualifications.
- Visual and Audio Records: Photographs and other recordings of data subjects outside the scope of physical premises security.
- Employment-Related Information: Information relevant to personnel records: driving licence, military service status, tax office, tax identification number, taxpayer type, profession, workplace information, job position/title, etc.
- Financial: Records and documents related to any financial relationship between the Company and the data subject, including receivables/payables, bank-account details (IBAN, account number, bank name, branch code), SWIFT, shareholding, payment-card information (card number, expiry date), bank details, etc.
- Security & Access: Technical data for information-security purposes, such as IP address, session information, passwords (stored securely), log records and similar technical data.
- Biometric Data: Unique biometric identifiers used for identification or verification (e.g., fingerprint, retina, palm, facial-scan data), which constitute special categories of personal data where used for identification.
- Health Data: Records relating to physical or mental health, use of health services, diagnoses, treatments, reports, tests and analyses (special category).
- Legal/Case Records: Data related to litigation, enforcement, investigations, contracts, powers of attorney, signature circulars, complaints, claims and other legal obligations.
- Customer Transaction Data: Personal data relating to the use, orders, invoices, requests, complaints, deliveries and transaction history of products or services.
4.2 Data Subject Groups
Only natural persons benefit from the protections under this Policy and applicable data-protection law. The data-subject groups covered by this Policy are:
- Job Applicant: Natural persons who have applied for a job with the Company or submitted CVs or related information to the Company.
- Third Party (Reference): Individuals nominated as references by job applicants who are not otherwise related to the Company.
- Company Official: Natural persons authorised to act on behalf of the Company.
- Supplier: Natural persons supplying goods or services to the Company.
- Supplier Representative: Natural persons authorised by suppliers or legal persons to act on their behalf.
- Customer: Natural persons who enter into purchase agreements with the Company for goods or services.
- Customer Representative: Natural persons authorised by customers (natural or legal persons) to act on their behalf.
- Company Shareholder/Partner: Individuals who are shareholders of Covalent Labs İlaç ve Kozmetik Anonim Şirketi.
- Service Provider: Natural persons (or representatives of legal entities) who provide services to the Company and are independent from the Company.
- Member: Natural persons who register as members in the Company's mobile application to obtain services on an ongoing basis and engage in loyalty-type activities.
- Shareholder/Partner: Natural persons who are shareholders of the Company or their representatives.
- Electronic Visitor: Natural persons who visit the Company's website but are not registered members or customers.
Physical-Premises Processing Activities
To ensure safety at its buildings and facilities, the Company records entry/exit logs and monitors common areas via CCTV. Notice is provided in areas subject to CCTV monitoring.
Records of internet access provided at Company premises are retained in accordance with applicable law on electronic communications and lawful disclosure obligations and may be shared with competent public authorities where required.
METHODS OF PERSONAL DATA COLLECTION
5.1 Methods of Collection
The Company collects personal data for the purposes set out in Article 6.1 below, by automated or non-automated means and by any verbal, written or electronic channels, including but not limited to:
- Paper documents and physical records;
- E-mail;
- System logs and other automated systems.
PURPOSES OF PROCESSING PERSONAL DATA
6.1 Mapping of Data-Subject Groups to Data Categories and Processing Purposes
The purposes for which the Company processes the categories of personal data listed above for each data-subject group are set out below. (A natural person may belong to only one data-subject group for the purposes of this mapping.)
Job Applicant
Data Categories: Identity, Contact, Professional Experience, Visual and Audio Records, Employment-Related Information
Processing Purposes: Processing for recruitment, selection and placement of candidates/trainees/interns; management of application processes; human-resources planning; execution and oversight of business activities; communication.
Third Party (Reference)
Data Categories: Identity, Contact
Processing Purposes: Processing for recruitment and selection processes, management of application procedures, human-resources planning, execution and oversight of business activities, and reference-check processes.
Company Official
Data Categories: Identity, Contact, Legal/Case Records
Processing Purposes: Execution of employment contracts and compliance with legal obligations; human-resources planning; lawful conduct of activities; assignment processes; contract management; financial and accounting operations; legal case management; procurement and supply-chain management; supplier reconciliations; sales processes and after-sales support; operational oversight and audits; invoicing; management of access rights; reporting to authorised persons, institutions and bodies; corporate governance.
Supplier
Data Categories: Identity, Contact, Financial, Employment-Related Information, Legal/Case Records
Processing Purposes: Financial and accounting operations; procurement processes; supply-chain management; contract management; legal case management; supplier reconciliations; production and operational processes; regulatory compliance; business continuity; communications; operational oversight and audits; after-sales support; sales processes and invoicing; tax compliance; reporting to authorised persons, institutions and bodies.
Supplier Representative
Data Categories: Identity, Contact
Processing Purposes: Financial and accounting operations; legal case management; procurement processes; contract management; supply-chain management; supplier reconciliations; regulatory compliance; business continuity; production and operational processes; communications; operational oversight and audits; after-sales support; sales processes and invoicing.
Customer
Data Categories: Identity, Financial, Contact, Legal/Case Records
Processing Purposes: Operational activities and audits; financial and accounting operations; legal case management; regulatory compliance; after-sales support; sales processes; invoicing; communications; tax compliance; reporting to authorised persons and institutions.
Customer Representative
Data Categories: Identity
Processing Purposes: Operational activities and audits; financial and accounting operations; legal case management; regulatory compliance; after-sales support; sales processes; invoicing.
Company Shareholder/Partner
Data Categories: Contact, Financial, Identity
Processing Purposes: Financial and accounting operations; legal case management; regulatory compliance; tax compliance; reporting to authorised persons and institutions.
Service Provider
Data Categories: Contact, Identity, Legal/Case Records
Processing Purposes: Financial and accounting operations; legal case management; regulatory compliance; supply-chain management; tax compliance; communications; reporting to authorised persons and institutions.
Member
Data Categories: Contact, Security & Access, Identity, Biometric Data, Health Data, Customer Transaction Data
Processing Purposes: Information-security management; customer-relationship management; loyalty and retention activities; communications; after-sales support; sales processes; customer-satisfaction activities; marketing, promotion and campaign management; tracking requests and complaints; website membership registration; audits and ethics processes; management of access rights; contract management; marketing and personalisation of products and services; production and operations; delivering skin-analysis services; providing diagnostic/assessment services arising from analysis results; generation of personalised skin-care recommendations; tracking skin-health development; informing data subjects of analysis results; delivery of skin-analysis and follow-up services; personalisation of products and services.
Shareholder/Partner
Data Categories: Identity, Contact
Processing Purposes: Legal case management; management of access rights; regulatory compliance; reporting to authorised persons and institutions; corporate governance.
Electronic Visitor
Data Categories: Customer Transaction Data, Identity, Contact
Processing Purposes: Customer-relationship management; communications; production and operations; tracking requests and complaints; customer-satisfaction activities.
6.2 Online Processing Activities
Traffic data of online visitors to the Company's website are processed automatically for information-security purposes. The retention of such data may also be subject to national rules on the retention of internet traffic and related obligations. Detailed information on website processing is published on the Company's website.
6.3 Communications Channels
Communications via call centres, post, e-mail and similar channels may be recorded and monitored by the Company for the purposes of operational management, oversight and complaint/request tracking. Data subjects are expected to use these channels primarily for business-related communication.
PURPOSES AND RECIPIENTS OF PERSONAL DATA TRANSFERS
7.1 Purposes of Transfers
The Company transfers personal data only for the purposes set out in Articles 3 and 6 above and only to the extent necessary to fulfil those purposes. Typical transfer purposes include: ensuring lawful conduct of operations; financial and accounting operations; sales and after-sales support; operational continuity and business continuity activities; records retention and archiving; supply-chain management; tax compliance; ensuring the security of data-controller operations; information-security processes; provision of skin-analysis and follow-up services; assignment and deployment processes; communications; customer-relationship management; customer-satisfaction activities; complaint handling; reporting to authorised persons and institutions; and corporate governance.
7.2 Recipients
The Company may disclose personal data, limited to the data categories and data-subject groups required for the relevant purpose, to the following categories of recipients:
- Authorised persons and public authorities;
- Business partners (e-invoice or e-billing service providers, tax authorities where required, AI service providers, legal counsel, certified public accountants, commercial register, notaries, courts and judicial bodies, administrative authorities, cloud and hosting providers).
Where recipients act as data processors, the Company ensures that appropriate contractual guarantees are in place in line with Article 28 GDPR.
ERASURE AND RETENTION PERIODS
8.1 Erasure and Destruction
Subject to applicable legal retention obligations, the Company erases, destroys or anonymises personal data it processes when the purposes for which the data were processed cease to apply, in accordance with the Company's Data Retention and Erasure Policy. Erasure means the rendering of personal data inaccessible and unusable for data users. Destruction means the permanent and irreversible rendering of personal data irrecoverable. Anonymisation means transforming personal data so that they can no longer be associated with an identifiable natural person, even if combined with other data.
8.2 Retention Periods
The Company retains personal data in accordance with statutory retention periods provided by law and, where no statutory period exists, for as long as necessary to fulfil the processing purpose in accordance with the Company's Data Retention and Erasure Policy. After expiry of the retention period, personal data are periodically erased, destroyed or anonymised.
DATA SUBJECT INFORMATION AND RIGHTS UNDER THE GDPR
9.1 Information to Data Subjects
In accordance with Article 13 GDPR, the Company provides data subjects with information at the time personal data are collected, including: the identity and contact details of the Company's representative (if any), the purposes of the processing, the legal basis for processing, recipients or categories of recipients of the personal data, the data retention period or criteria used to determine that period, the data subject's rights under the GDPR, and the means by which data subjects can exercise those rights.
9.2 Situations Where This Policy or Certain Provisions May Not Apply
This Policy and certain GDPR provisions may not apply in the following situations to the extent permitted by law:
- Personal data processed by natural persons solely for personal or household activities and not disclosed to third parties;
- Personal data processed in anonymised form for research, planning and statistical purposes;
- Personal data processed for artistic, historical, literary or scientific purposes or in the context of freedom of expression, provided that rights and freedoms are respected and no criminal offence is committed;
- Personal data processed by public authorities acting within their legally mandated preventive, protective or intelligence functions to safeguard national defence, public security or to perform other tasks under law;
- Personal data processed by judicial authorities in the context of investigations, prosecutions, trials or enforcement.
In specific limited circumstances and where proportionate and consistent with the objectives of the GDPR, the obligations to provide information (Article 13), the data subject rights (other than the right to seek compensation for damages), and any national registry obligations may be restricted where necessary for the prevention or detection of criminal offences, certain statutory regulatory duties, disciplinary investigations, protection of public finances, or other matters as provided by law.
9.3 Data Subject Rights under the GDPR
The Company informs data subjects of their rights under Articles 15–22 and related provisions of the GDPR and provides practical means to exercise those rights. The primary rights include:
- The right to be informed whether and which personal data concerning them are being processed (access).
- The right to access the personal data and to receive information about the purposes of processing, categories of personal data, recipients, retention period, and other information.
- The right to obtain rectification of inaccurate or incomplete personal data.
- The right to erasure ('right to be forgotten') where the conditions of Article 17 GDPR are met.
- The right to restriction of processing under Article 18 GDPR.
- The right to data portability under Article 20 GDPR where processing is based on consent or contract and carried out by automated means.
- The right to object to processing based on legitimate interests or for direct marketing purposes (Article 21 GDPR).
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, except as permitted by Article 22 GDPR.
- The right to seek compensation for damage caused by unlawful processing.
Requests concerning the exercise of these rights may be submitted via the request form available on the Company's website at https://www.covalentlabs.com.tr/tr-TR/ana-sayfa/ and may be delivered in person, by registered mail, by notary, or by secure electronic means where recognized under applicable law (for example, methods providing appropriate authentication such as qualified electronic signatures or national e-ID systems, where available).
Requests may also be sent to the Company at the contact details previously provided by the data subject and stored in the Company's systems, including info@covalentlabs.com.tr, where the Company has previously verified the identity of the requester through its systems.
Required information to be included with requests and applications:
- Full name and signature (where the request is written and signed);
- National identification number for citizens or, for non-citizens, nationality and passport number or other identity number where applicable;
- Contact address for notification (residence or business address);
- If available, e-mail address, telephone and fax number for notification;
- Description of the request and the subject matter of the request.
Supporting documents and evidence relevant to the request should be attached.
The Company shall respond to data-subject requests without undue delay and, in any event, within one month of receipt of the request, in accordance with Articles 12–14 GDPR. This period may be extended by two further months where necessary given the complexity and number of the requests, and the Company will inform the requester of any extension within one month of receipt of the request, together with the reasons for the delay.
If responding to a request would impose a manifestly unfounded or excessive burden (e.g., repetitive requests), the Company may charge a reasonable fee or refuse to act, in accordance with GDPR principles, and will inform the requester accordingly.
Where the Company refuses a request, in whole or in part, or the requester considers the response inadequate, the data subject has the right to lodge a complaint with the competent national Supervisory Authority and/or to seek a judicial remedy in accordance with applicable law. The time limits for lodging a complaint or seeking judicial review are those provided by national law and the GDPR. Where applicable, data subjects will be informed of the competent Supervisory Authority to which complaints may be addressed.