Protection of Personal Data

 

ASİLKAR FAST CARGO TRANSPORTATION TRADE JOINT STOCK COMPANY

GENERAL PERSONAL DATA PROTECTION POLICY

 

INTERLOCUTOR:

Natural persons whose personal data are processed by Asilkar Fast Cargo Transportation Trade Joint Stock Company

PREPARED AND APPROVED BY:

Asilkar Fast Cargo Transportation Trade Joint Stock Company

 

Contents

1.         INTRODUCTION

2.         AIM

3.         SCOPE

4.         DEFINITIONS

5.         GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA

6.         CONDITIONS FOR PROCESSING PERSONAL DATA

7.         CONDITIONS FOR PROCESSING SPECIAL NATURE PERSONAL DATA

8.         COMPANY'S OBLIGATION TO DISCLOSE

9.         OBTAINING EXPLICIT CONSENT

10.       ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

11.       PROTECTING THE RIGHTS OF THE RELEVANT PERSON AND EVALUATION OF THEIR REQUESTS

12.       CASES WHERE THE RELEVANT PERSON CANNOT EXERCISE HIS RIGHTS IN WHOLE OR PARTIALLY

13.       EXERCISE OF RIGHTS BY THE RELEVANT PERSON AND APPLICATION FORM TO THE DATA CONTROLLER

14.       TRANSFER OF PERSONAL DATA AND PROCESSING BY THIRD PARTIES

15.       DATA TRANSFER TO THIRD PARTIES IN Türkiye

16.       DATA TRANSFER TO THIRD PARTIES LOCATED ABROAD

17.       STORAGE PERIOD OF PERSONAL DATA

18.       STORAGE AND DESTRUCTION OF PERSONAL DATA

19.       CONTROL

20.       WHAT NEEDS TO BE DONE TO ENFORCE THE POLICY AND KEEP IT UP TO DATE

 

 

1.     INTRODUCTION

Asilkar Fast Cargo Transportation Trade Joint Stock Company ("Company") attaches utmost importance to protecting the fundamental rights and freedoms of individuals, particularly the right to privacy as stipulated in Article 20 of the Constitution, in the protection and processing of personal data. In this context, in accordance with Law No. 6698 on the Protection of Personal Data ("Law" or "PDPL"), it is committed to the legal protection and processing of personal data, and acts with this care in all its planning and operations.

Our company doesn't consider the protection and processing of personal data solely within the scope of regulatory compliance; it places great value on people at the heart of its approach. This policy sets forth the principles to be adopted and implemented by the company regarding the processing and protection of personal data.

 

2.     AIM

In order to ensure compliance with the Personal Data Protection Law No. 6698, the Personal Data Protection Board decisions and secondary legislation regarding the processing and protection of personal data, the company aims to carry out its activities in accordance with legal regulations and to inform the persons whose personal data is processed in a transparent and accurate manner.

 

3.     SCOPE

This policy covers all activities related to personal data processed by the company and applies to such activities.

 

4.     DEFINITIONS

Explicit Consent

It is consent regarding a specific subject, based on information and expressed with free will.

Publicization

The concept of publicity, which means “making known to everyone”, is listed as one of the exceptions to the “necessity of obtaining the explicit consent of the natural person whose personal data is processed” required for the processing of personal data in Articles 5 and 6 of Law No. 6698.

Anonymization

It is the process of making personal data incapable of being associated with an identified or identifiable natural person, even by matching it with other data.

Obligation to Disclose

It is the data controller's obligation to inform the persons whose personal data he processes, about who can process these data, for what purposes and on what legal grounds, and to whom and for what purposes they can be transferred.

Related User

Persons who process personal data within the data controller organization or in accordance with the authority and instructions received from the data controller, excluding the person or unit responsible for the technical storage, protection and backup of data.

Destruction

It refers to the deletion, destruction or anonymization of personal data.

Processing of Personal Data

It is any operation performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of Personal Data, either fully or partially by automatic means or non-automatic means provided that it is part of any data recording system.

Personal Data Protection Board/Board

It is the Personal Data Protection Board.

Authority

It is the Personal Data Protection Authority consisting of the Board and the Presidency.

Relevant Person

These are natural persons whose personal data are processed.

Personal Data

It is any information relating to an identified or identifiable natural person.

Automatic Data Processing

It is a processing activity that is carried out automatically by devices with processors such as computers, phones, watches, etc., without human intervention, within the scope of algorithms prepared in advance through software or hardware features.

Special Personal Data

Data related to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, dress code, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data are special data.

Registry

It is the Registry of Data Controllers.

Company / Our Company

Asilkar Fast Cargo Transportation Trade Joint Stock Company

Data Processor

A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Recording System

It refers to the recording system in which Personal Data is structured and processed according to certain criteria.

Data Controller

It is the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data recording system.

Data Category

It is the personal data class that refers to the data subject group or groups in which personal data are grouped according to their common characteristics.

 

5.     GENERAL PRINCIPLES ON PROCESSING PERSONAL DATA

Compliance with Law and the Rules of Integrity

Our company processes and uses personal data in accordance with relevant legislation and the requirements of the principle of integrity. It acts to prevent the emergence of consequences that the data subject does not expect, and should not have expected. In accordance with this principle, it ensures the transparency of such data processing activities and complies with its obligations to inform and warn.

 

Being Accurate and Up-to-Date When Necessary

Our company ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights and legitimate interests of personal data owners. In this context, we carefully consider such issues as identifying the sources from which data is obtained, verifying its accuracy, and assessing whether it needs to be updated. In accordance with our duty of care, our company always maintains open channels to ensure that personal data owners' information is accurate and up-to-date.

Processing for Specified, Explicit and Legitimate Purposes

Our Company clearly and precisely determines the purpose of data processing and ensures that this purpose is legitimate. A legitimate purpose means that the personal data our Company processes is related to and necessary for the business it conducts or the service it offers. Our Company does not process data for purposes other than those specified. Therefore, we are meticulous in adhering to the principles of clarity and specificity in legal acts and texts explaining the purposes of processing personal data.

Being Relevant, Limited and Proportionate to the Purpose for Which They Are Processed

Our company ensures that the personal data processed is suitable for achieving the designated purposes and avoids processing personal data that is not relevant or necessary to achieve the purpose. Our company does not collect or process personal data for purposes that do not currently exist or that are only expected to arise later. To process data to meet potential needs that may arise later, it complies with the personal data processing requirements stipulated in the Law, as if it were starting processing for the first time. Furthermore, it limits the data processed to only what is necessary to achieve the purpose. Within the scope of the principle of proportionality, it establishes a reasonable balance between data processing and the intended purpose.

Storage for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed

If applicable legislation specifies a data retention period, our Company complies with these periods; otherwise, we retain personal data only for the period necessary for the purpose for which it is processed. If there is no valid reason for our Company to retain personal data further, the data in question will be deleted, destroyed, or anonymized. Procedures for the storage and destruction of personal data are detailed in our Company's Personal Data Storage and Destruction Policy.

 

6.     CONDITIONS FOR PROCESSING PERSONAL DATA

Personal data can only be processed by the company within the scope of the procedures and principles specified below.

In order for personal data processing to be carried out lawfully, the processing activity must in any case meet the following three elements: Compliance with general principles, reliance on one of the data processing conditions, and informing the relevant person.

Personal data may be processed with the explicit consent of the data subject after the obligation to inform the data subject has been fulfilled. Explicit consent is obtained in accordance with the provisions of the Personal Data Protection Law. In cases where the processing of personal data without explicit consent is envisaged under the Personal Data Protection Law, personal data may be processed without the explicit consent of the data subject, but only after informing the data subject. These cases are as follows (Article 5/2):

 

Expressly Provided for by Law

Our company processes personal data without obtaining the express consent of the person concerned, in cases where it is expressly provided for by law.

Necessary to Protect the Life or Bodily Integrity of a Person Who Is Unable to Express Consent Due to a Physical Impossibility or Whose Consent Is Not Recognized as Legally Valid, or of Another Person

Our company processes personal data without explicit consent to protect the life or physical integrity of individuals in cases where consent cannot be expressed or is not valid.

Processing of Personal Data of the Parties to a Contract is Necessary, Provided That It Is Directly Related to the Establishment or Performance of a Contract

 

If it is necessary to process personal data of the parties to a contract in direct relation to the establishment or execution of a contract, our company processes the personal data of the relevant person, limited to this purpose, in accordance with the normal course of life, without obtaining the express consent of the relevant person.

Processing Is Mandatory for Our Company to Fulfill Its Legal Obligations

Our company processes the personal data of the relevant person without obtaining explicit consent when it is necessary to fulfill its legal obligations as a data controller.

Made Public by the Relevant Person Himself

Our company may process the personal data of the data subjects that have been made public by them, in other words, disclosed to the public in any way, for limited purposes.

Data Processing is Necessary for the Establishment, Exercise or Protection of a Right

Our company processes the personal data of the relevant persons without obtaining their explicit consent in cases where data processing is necessary for the exercise or protection of a legitimate right.

Data Processing is Necessary for the Legitimate Interests of Our Company, Provided That It Does Not Harm the Fundamental Rights and Freedoms of Personal Data Owners

Our Company may process the personal data of data subjects where processing personal data is necessary to ensure its legitimate interests, provided that it does not harm the fundamental rights and freedoms of the data subjects. Our Company demonstrates due diligence in complying with the fundamental principles of personal data protection and ensuring a balance between the interests of our Company and the data subjects. A legitimate interest is a legitimate, effective, specific, and already existing interest that competes with the fundamental rights and freedoms of the data subject. Our Company implements additional safeguards to prevent harm to the rights of data subjects. A reasonable balance is maintained between our Company's interests and the fundamental rights and freedoms of the data subject.

 

7.     CONDITIONS FOR PROCESSING SPECIAL NATURE PERSONAL DATA

Special personal data can only be processed by the company within the scope of the procedures and principles specified below.

In order for the processing of special categories of personal data to be carried out lawfully, the processing activity must in any case meet the following three elements: Compliance with general principles, reliance on one of the data processing conditions, and informing the relevant person.

Sensitive personal data may be processed with the explicit consent of the data subject after the obligation to inform the data subject has been fulfilled. Consent is obtained in accordance with the provisions of the Personal Data Protection Law. In cases where the processing of special personal data without explicit consent is envisaged under the Personal Data Protection Law, personal data may be processed without the explicit consent of the data subject, but only after informing the data subject. These cases are as follows (Article 6/2):

 

Expressly Provided for by Law

Our company processes special personal data without obtaining the express consent of the person concerned, in cases where it is expressly provided for by law.

Necessary to Protect the Life or Bodily Integrity of a Person Who Is Unable to Express Consent Due to a Physical Impossibility or Whose Consent Is Not Recognized as Legally Valid, or of Another Person

Our company processes special personal data without obtaining explicit consent to protect the life or physical integrity of individuals in cases where consent cannot be expressed or is not valid.

Made Public by the Relevant Person Himself

Our company may process, for limited purposes, the special personal data of the data subjects that have been made public by them, in other words, disclosed to the public in any way.

Data Processing is Necessary for the Establishment, Exercise or Protection of a Right

Our company processes the special personal data of the data subjects without obtaining their explicit consent in cases where data processing is necessary for the exercise or protection of a legitimate right.

Processing Is Necessary for the Protection of Public Health, Preventive Medicine, Medical Diagnosis, Treatment and Care Services, and the Planning, Management and Financing of Health Services by Persons Under the Obligation of Confidentiality or Authorized Institutions and Organizations

Our Company processes the special personal data of the relevant persons without obtaining their explicit consent if it is necessary for the purposes of protecting public health, carrying out preventive medicine, medical diagnosis, treatment and care services, and planning, management and financing of health services by persons under the obligation of confidentiality or by authorized institutions and organizations.

Processing Is Mandatory to Fulfill Legal Obligations in the Fields of Employment, Occupational Health and Safety, Social Security, Social Services and Social Assistance

Our company processes the special personal data of the relevant persons without obtaining their explicit consent if it is necessary to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance.

 

8.     COMPANY'S OBLIGATION TO DISCLOSE

In accordance with Article 10 of the Personal Data Protection Law and the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Disclose, our Company informs data subjects when collecting personal data. In this context, we disclose the identity of the Company representative, if any, the purposes for which personal data will be processed, to whom and for what purposes the processed personal data may be transferred, the method and legal basis for collecting personal data, and the rights of personal data subjects.

 

9.     OBTAINING EXPLICIT CONSENT

Our company processes personal data only with the explicit consent of the data subject, unless it relies on one of the processing conditions listed in Article 5/2 or Article 6/2. We never obtain explicit consent from the data subject when one of the conditions listed in Article 5/2 or Article 6/2 is present, thus avoiding misleading the data subject.

Even if personal data is processed based on the condition of explicit consent, the company shall in any case fulfil its obligation to inform; it shall carry out the processes of obtaining explicit consent and providing information as separate processes.

Explicit consent is obtained through explicit consent texts in written/printed or electronic form.

 

10.  ISSUES RELATED TO THE PROTECTION OF PERSONAL DATA

Our Company takes all necessary administrative and technical measures to ensure an appropriate level of security to securely store personal data in accordance with the Law and to prevent unlawful processing of personal data and unlawful access to personal data. These administrative and technical measures are detailed in our Company's Personal Data Storage and Destruction Policy.

Our Company regularly carries out “compliance activities with the Personal Data Protection Law” to ensure compliance with the regulations in the Law and other legislation.

Our company takes all necessary administrative and technical measures, taking into account technological possibilities and implementation costs, to ensure that relevant data controllers and data processors do not disclose personal data to others in violation of the Law and Policy, or use it for purposes other than those intended. In this context, information and training regarding the Law and Policy are conducted. Confidentiality agreements are signed by relevant employees as part of the recruitment process, and other data controllers and data processors are required to sign confidentiality and commitment agreements.

If personal data processed by our Company is obtained by others through unlawful means, our Company will take the necessary steps to notify the relevant person and the Personal Data Protection Board within the timeframes determined by the Personal Data Protection Board. If deemed necessary by the Personal Data Protection Board, this will be announced on the Personal Data Protection Board's website or by another method deemed appropriate by the Personal Data Protection Board.

Our Company observes all legal rights of the relevant persons regarding the implementation of the Policy and the Law and takes all necessary measures to protect these rights.

Data related to a person's race, ethnic origin, political views, philosophical beliefs, religion, sect or other beliefs, appearance and dress code, membership in associations, foundations or unions, health, sexual life, criminal convictions, security measures, as well as biometric and genetic data, constitute special personal data. Our company is aware that special personal data, if learned by others, could cause the person concerned to be victimized or discriminated against. Therefore, it diligently takes adequate measures, as determined by the Board, to protect such legally processed personal data.

 

11.  PROTECTING THE RIGHTS OF THE RELEVANT PERSON AND EVALUATION OF THEIR REQUESTS

Our company responds to the following requests from the relevant person whose personal data it holds, in accordance with the PDPL:

·       To learn whether personal data is processed by the company,

·       To request information about it if it has been processed,

·       To learn the purpose of processing and whether the data is used in accordance with that purpose,

·       To know the third parties to whom personal data is transferred, either domestically or abroad,

·       To request correction of personal data if it is processed incompletely or incorrectly,

·       To request notification of third parties to whom personal data has been transferred if correction or destruction procedures have been carried out by the Company,

·       To request the deletion, destruction or anonymization of personal data by the company when the reasons for processing personal data are eliminated,

·       To object to the emergence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,

·       To request compensation for damages in case the relevant person suffers damage due to unlawful processing of personal data.

 

12.  CASES WHERE THE RELEVANT PERSON CANNOT EXERCISE HIS RIGHTS IN WHOLE OR PARTIALLY

The provisions of this Policy and the Law will not apply in the following cases:

Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that the data is not disclosed to third parties and that data security obligations are complied with,

Processing of personal data for purposes such as research, planning and statistics by anonymizing them through official statistics,

Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defense, national security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime,

Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security,

Processing of personal data by judicial authorities or enforcement authorities in connection with investigation, prosecution, trial or execution proceedings.

Provided that it is in accordance with and proportionate to the purpose and fundamental principles of this Policy and the Law, Article 10, which regulates the data controller's obligation to inform, Article 11, which regulates the rights of the data subject, excluding the right to claim compensation for damages, and Article 16, which regulates the obligation to register with the Data Controllers Registry, will not apply in the following cases:

Personal data processing is necessary for the prevention of crime or for the investigation of crime,

Processing of personal data made public by the relevant person,

When personal data processing is necessary for the execution of supervisory or regulatory duties or disciplinary investigation or prosecution by authorized public institutions and organizations and professional organizations with the status of public institutions, based on the authority granted by law,

The processing of personal data is necessary to protect the economic and financial interests of the State regarding budgetary, tax and financial matters.

 

13.  EXERCISE OF RIGHTS BY THE RELEVANT PERSON AND APPLICATION FORM TO THE DATA CONTROLLER

Requests and applications regarding the implementation of the Law can be submitted in writing to the address "İkitelli OSB Mahallesi Giyim Sanatkarları 1A Blok Sokak No: 1 A Blok/420 Başakşehir İstanbul" by filling out the relevant person application form on our website (cargox.com), sent through a notary, or forwarded electronically using registered electronic mail (KEP), secure electronic signature or mobile signature to cargoxkargo.00merkezkamu@hs02.kep.tr or info@cargox.com.

Requests and applications must include:

·       Name, surname and, if the application is in writing, signature,

·       For citizens of the Republic of Turkey, their Turkish ID number; for foreigners, their nationality, passport number or ID number, if any,

·       Residence or workplace address for notification,

·       E-mail address, telephone and fax number, if any, for notification,

·       The subject of the request.

Information and documents related to the subject must be attached to the application.

Our company will process requests included in the application free of charge as quickly as possible and within thirty days at the latest, depending on the nature of the request. However, if the process requires additional costs, a fee determined by the Board may be charged.

Our Company may accept or reject the request, explaining the reason, and will notify the relevant person in writing or electronically. If the request is accepted, our Company will act promptly and notify the relevant person. If the application arose from a mistake on our part, the fee will be refunded to the relevant person.

In cases where the application is rejected, the response is found insufficient or the application is not responded to in a timely manner, the relevant person has the right to lodge a complaint with the Board within thirty days from the date on which he/she learns of the response and, in any case, within sixty days from the date of application.

 

14.  TRANSFER OF PERSONAL DATA AND PROCESSING BY THIRD PARTIES

The Company may transfer personal data to a third party, natural or legal person, in accordance with the Personal Data Protection Law regulations. In this case, the Company ensures that third parties to whom it transfers personal data also comply with the Law and this policy. Necessary protective regulations are added to the contracts concluded with third parties.

 

15.  DATA TRANSFER TO THIRD PARTIES IN Türkiye

Personal data may be transferred to third parties located in Turkey without obtaining explicit consent in the exceptional cases specified in Article 5 of the PDPL and, for special personal data, in Article 6, and with the condition of obtaining explicit consent in other cases. Company employees and the data controller representative are jointly responsible for ensuring that this transfer complies with the PDPL.

 

16.  DATA TRANSFER TO THIRD PARTIES LOCATED ABROAD

Our company may transfer personal data abroad if one of the conditions specified in Articles 5 and 6 is met and if there is an adequacy decision regarding the country to which the transfer will be made, the sectors within the country, or international organizations.

Our company may transfer personal data abroad in the absence of an adequacy decision, provided that one of the conditions specified in Articles 5 and 6 is met, the data subject has the opportunity to exercise their rights and seek effective legal remedies in the country where the transfer will be made, and one of the appropriate safeguards specified below is provided:

·       The existence of binding company rules approved by the Board, which contain provisions regarding the protection of personal data, which the companies within the group of undertakings engaged in joint economic activities are obliged to comply with.

·       The existence of a standard contract announced by the Board, which includes matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data. (The standard contract is notified to the Authority by the data controller or data processor within five business days of its signing.)

·       The existence of a written undertaking containing provisions to ensure adequate protection and the Board's approval of the transfer.

In the absence of an adequacy decision and failure to provide any of the appropriate safeguards stipulated in the Law, our Company may transfer personal data abroad only in the event of the existence of one of the following circumstances, provided that it is incidental:

·       The data subject gives explicit consent to the transfer, provided that he/she is informed about the possible risks.

·       The transfer is necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject.

·       The transfer is necessary for the establishment or performance of a contract between the data controller and another natural or legal person for the benefit of the data subject.

·       The transfer is necessary for an overriding public interest.

·       The transfer of personal data is necessary for the establishment, exercise or protection of a right.

·       The transfer of personal data is necessary for the protection of the life or physical integrity of a person who is unable to give his consent due to a de facto impossibility or whose consent is not legally valid, or of another person.

·       Transferring information from a registry that is open to the public or to persons with a legitimate interest, provided that the conditions required for accessing the registry in the relevant legislation are met and the person with a legitimate interest requests it.

The safeguards set out in the Law are also provided for subsequent transfers of personal data transferred abroad by our Company and transfers to international organisations.

Without prejudice to the provisions of international agreements, personal data may be transferred abroad by our company only with the permission of the Board, after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Türkiye or the relevant person would be seriously harmed.

 

17.  STORAGE PERIOD OF PERSONAL DATA

According to Law No. 6698, if the reasons requiring processing are eliminated despite having been processed in accordance with the provisions of this law and other relevant laws, personal data shall be deleted, destroyed or anonymized by the company on its own or upon the request of the relevant person.

Deletion is the process of making personal data in no way accessible or reusable for the relevant users.

Destruction is the process of making personal data in no way accessible, retrievable or reusable by anyone.

Anonymization is the process of making personal data in no way identifiable with an identified or identifiable natural person, even when matched with other data.

Without prejudice to the provisions of other laws regarding the destruction of personal data, our Company deletes, destroys or anonymizes personal data it has processed in accordance with this Law and other laws, in accordance with the Personal Data Storage and Destruction Policy, ex officio or upon the request of the relevant person, if the reasons requiring processing are eliminated.

 

18.  STORAGE AND DESTRUCTION OF PERSONAL DATA

Personal data is stored by the Company for the retention period, if any, stipulated in the Law or other legislation.

If there is no retention period stipulated in laws and other legislation, personal data is stored in accordance with our Company's Personal Data Storage and Destruction Policy for the period required to achieve the purpose of processing that personal data, and is then deleted, destroyed or anonymized within the framework of periodic destruction periods. 

 

19.  CONTROL

 

Our company conducts the necessary audits, or has them carried out, to ensure compliance with legislation, the establishment of data security and the regularity and continuity of the measures taken.

 

20.  WHAT NEEDS TO BE DONE TO ENFORCE THE POLICY AND KEEP IT UP TO DATE

The Policy, which was prepared by Asilkar Fast Cargo Transportation Trade Joint Stock Company and entered into force on 01/06/2024, will be made available to the relevant persons by publishing it in any media accessible to the relevant persons, with the provisions for international transfers to come into force on 01/09/2024. This policy may be amended by the Company, if deemed necessary, with the approval of the Board of Directors. Even if the policy is amended, the previous version will be retained within the Company.