Personal Data Protection and Processing Policy

PERSONAL DATA PROTECTION AND PROCESSING POLICY

The Purpose and Scope of the Policy

This Personal Data Protection and Processing Policy (“Policy”) has been prepared in order to provide information about the personal data processing activities carried out within the scope of Ünsped Global Lojistik Tic. A.Ş. (“UGL” or “Company”) operations and the set of rules and principles based on these activities.

This Policy covers all natural persons whose personal data is processed by UGL, except for employees of the Company. Information about legal entities and legal entities is not covered by the Policy.

Definitions Covered by the Policy

The definitions contained in this Policy are used as indicated below. It will be accepted that the definitions not mentioned here are used as defined primarily in the Law on the Protection of Personal Data No. 6698 and the secondary regulations established under this Law.

"Explicit Consent”	Consent to a particular issue, based on information and disclosed by free will.
“Employee”	Depending on the employment contract or power of attorney agreement with the company and its subsidiaries, the natural person who has an employer- employee relationship.
"Electronic Media”	Environments where personal data can be created, read, modified and written with electronic devices.
“Non-Electronic Media”	All written, printed, visual, etc. other environments other than electronic media.
"Contact Person”	The real person whose personal data is being processed.
“Destruction”	Personal data deletion, destruction or has been rendered anonymous.
“Law”	Law No. 6698 on the Protection of Personal Data.
"LPPD”	Law No. 6698 on the Protection of Personal Data.
"Recording Media”	Any environment where there is personal data that is fully or partially automated or processed in non-automated ways, provided that it is part of any data recording system.
"Personal Data”	All kinds of information about certain or identifiable natural persons.
"Inventory of Personal Data Processing”	The personal data processing activities that data officers carry out depending on their business processes, purposes and legal reason for processing personal data, data category, maximum period of storage of personal data is required for the purposes for which they were processed by associating the transferred recipient group and the data subject with the contact group, personal data that is supposed to be transferred to foreign countries and the inventory they detail by explaining the measures taken regarding data security.
"Anonymization of Personal Data”	Anonymization of personal data within the scope of this policy from time to time in a manner to cover any other data changes in regulations of personal data is in no way identity even be paired with a specific or identifiable natural person cannot be linked to the process of making.
"Processing of Personal Data”	All kinds of operations performed on data such as acquisition, recording, storage, preservation, modification, reorganization, disclosure, transfer, inheritance, making it available, classification or prevention of its use of personal data in ways that are fully or partially automated or that are not automated, provided that they are part of any data recording system.
"Deletion of Personal Data”	Deletion of personal data within the scope of this Policy is the process of making personal data inaccessible and unavailable again for the relevant users in any way, including changes that may be made to the Regulation from time to time.
"Destruction of Personal Data”	The destruction of personal data within the scope of this Policy is the process of making personal data inaccessible, irretrievable and reusable by no one in any way, including changes that may be made to the Regulation from time to time.
“Board”	Personal Data Protection Board.
“Institution”	Personal Data Protection Authority.
“Personal Data of a Special Nature”	Race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures with data on genetic and biometric data of persons.
"Periodic Destruction”	If all the conditions for processing personal data contained in the law have disappeared, the deletion, destruction or anonymization process specified in the personal data retention and destruction policy will be performed by us at intervals specified in the law.
“Policy”	This Policy and all other policies that may be adopted in the future.
"Data Officer”	A natural or legal person responsible for the establishment and management of a data registration system that determines the purposes and means of processing personal data.
“Data Officer Contact Person”	The Data Controller is a natural person notified by the Company at the time of registration in the Register of Data Controllers in order to ensure communication with the Organization regarding its obligations under the Law and secondary regulations to be issued on the basis of this Law. As of the effective date of this Policy, Serkan Ayverdi has been selected to be registered with VERBIS as the Data Officer Contact Person.
“Regulation”	The Regulation on the Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017.

Implementation and Updating

This Policy was put into effect on [12.09.2019]. The Company has the right to update the Policy by publishing the most up-to-date version on the website at any time it deems necessary, especially legislative updates. For this reason, the relevant persons should check the most current version of the Policy by entering the website at any time they want to receive information about the Policy.

Data Officer within the Scope of Personal Data Processing Activities

Within the scope of the Law, Ünsped Global Lojistik Tic. A.Ş., determines the purposes and means of data processing in relation to the personal data it processes while carrying out its company operations and activities. In this context, the Company provides information about the purposes and how it processes personal data by enlightening the relevant people on the channels through which it collects personal data.

Similarly, the Company is responsible for the establishment and management of the data registration system in which the personal data in question are processed. Therefore, the Company acts as the data controller in terms of most of the personal data it processes within the scope of the Law.

In some cases, the Company does not determine the purposes and means of personal data processing; it may process personal data on the instructions of another company. In this case, the Company acts as a data processor in accordance with the Law, and this Policy is intended only to inform the relevant persons about the Company's personal data processing activities in which it acts as a data controller.

Personal Data Processing Activities and Purposes

1 Processing of Personal Data of Visitors

During visit to company building and location as a visitor, to ensure the safety of the building, for visitors records to be kept properly, for the prevention and detection of crime, if necessary, personal data processing activities are performed in order to give information to the relevant authorities.

These personal data processing activities:

By keeping camera records within the scope of camera (CCTV) monitoring activities inside and outside the building,
Within the scope of ensuring internet access for visitors, by keeping internet access records,
Keeping records of entry and exit of visitors,

a) Keeping camera records

Monitoring activities are carried out with cameras inside and outside the company. These cameras are located in some locations inside and outside the building, in places that see the turnstiles at the entrance to the security office. In these areas, people are informed about the warning signs related to monitoring.

The company carries out monitoring activities with a camera for the following purposes and keeps the necessary records:

To help prevent and detect crime;
Facilitate the identification, arrest and trial of those who commit crimes and disrupt public order;
To help ensure the safety of public safety and buildings;
To help identify actions that may result in the initiation of a disciplinary investigation against employees.

The images recorded through the camera system in question will be stored as evidence or for a maximum of 3 months from the date of receipt, unless they need to be kept for a longer period of time to investigate the crime or are not required under legal legislation.

The camera images may be shared with authorized institutions and organizations in order to help prevent and identify the crime, facilitate the identification, arrest and trial of those who commit crimes and disrupt public order, and fulfill our legal obligation, if necessary or if there is a legal request. Responsibility for the operation of cameras within the company, its management and all other issues related to the camera operating system are monitored by the Purchasing and Administrative Affairs Directorate.

By keeping the camera records the processing of personal data, the company's personal data processing activities required to fulfil legal obligations in order for the company to protect the legal rights of use and processing personal data in the provision of security and crime prevention activities and the implementation of the company's legitimate interests is carried out on the basis of a finding of legal reasons.

b)Keeping records of Internet access

Some personal data of visitors is processed when it comes to connecting to the Company's Internet network as a guest user.

This personal data is the name and surname of the person, log records related to internet usage, MAC ID, IP information, mobile phone number, user name, password information. This information is not disclosed to any third party outside the Company, except that it is shared with authorized institutions and organizations in order to fulfill our legal obligation in the event of a legal request.

The specified personal data are processed in order to carry out the activities in accordance with the legislation, to provide information to authorized persons / institutions and organizations, to provide access to the Internet network to visitors as guest users and to ensure information security if necessary or if there is a legal request.

Keeping records of Internet access and personal data processed electronically based on legal reasons specified in the Law No. 5651 on the Regulation of Publications Made on the Internet And On Combating Crimes Committed Through These Publications, clearly foreseeing the personal data processing activity and for fulfillment of our legal obligations under the Regulation on Internet Mass Use Providers.(Official Gazette Date and Number: 11.04.2017, 30035) and for the provision of an access right to you by providing internet access to you as a visitor is.

The personal data processed within this scope are kept for two years, which is the legal period.

c) Keeping records of visitor entry and exit

If people come to the Company as visitors, some of their personal data is processed.

These personal data are the name, surname, name of the company where he works, the reason for the visit and the visit information in the form of the person visited. This information is not disclosed to any third party outside the Company, except that it is shared with authorized institutions and organizations in order to fulfill our legal obligation in the event of a legal request.

The specified personal data are processed for the purposes of conducting activities in accordance with the legislation, creating and tracking visitor records, ensuring physical space security, ensuring Company fixtures, employees, building security, and providing information to authorized persons/ institutions and organizations.

Personal data are processed in a physical environment based on the legal reasons that the Company has a legitimate interest in keeping visitor entry and exit records, fulfilling our legal obligations and ensuring the safety of the Company's buildings and employees.

The personal data processed in this context are stored for six months from the end of the visit.

2 Processing of Personal Data of Candidates during Recruitment Processes

As a candidate, personal data can be processed in order to apply for a job that we have published or to conduct recruitment processes within the scope of the information provided for applying for a job in fields such as IŞKUR candidate database, career sites.

Personal data can be transmitted directly by you to our Company, as well as candidate applications can be transmitted to the Company electronically or physically through career sites, IŞKUR candidate database, our business partners, where we receive support in recruitment processes.

According to the position referenced in this context, the application instantly in interviews and recruitment, name, surname, contact information, military status, gender, date of birth, educational information, past work experiences, owned certificates, driver's license information, foreign language and references that are available, computer programs, scholarships and participation in seminars and courses that you have taken all the information given by the candidate in the form of projects in the resume, work preferences, information about the company intended to work, the earliest date to start work, salary expectations, whether or not previously apply for any position in a company, the information whether you may work on night, hobbies, previous knowledge of why you left from work, the availability of any relative at our firm, information, travel information, whether the company you choose to work with the departments given by the candidate in the job interview in and all such personal data specified above are processed.

Some positions are physically fit to work on the only candidate in the recruitment process in order to assess whether health information and legal obstacles to work in the position in question in order to determine whether a case of criminal convictions/criminal record information can be recorded. These data are processed only for the specified purposes and are not used for other purposes.

The processing of personal data of candidates in the recruitment processes is carried out on the basis of legal reasons that the candidate has a legitimate interest in creating the necessary human resources to ensure that the candidate can exercise his right to apply and that the Company can continue its activities. In the absence of these legal reasons, personal data is processed based on the legal reason of “explicit consent” if the candidate gives explicit consent to the personal data processing activity.

3 Processing of Personal Data of Employees of Suppliers and Business Partners, as well as Officials

Due to the fact that the data belonging to legal entities are not considered personal data, these data are not included in the scope of this Policy. However, the personal data of the supplier companies that receive services within the scope of the supply of goods and services, as well as the business partners with whom we cooperate in order to carry out the Company's activities / operations, as well as employees and officials of the group companies are processed within the scope of our usual operational processes.

Personal data of supplier and partner employees and their officials are processed for the purpose of carrying out the usual operational processes, ensuring the supply of goods and services, To be able to make accommodation and transportation plans for company visits if necessary, organization and event management, planning and execution of occupational health and safety processes, to be able to evaluate the suitability for the job, establishing communication in order to be able to carry out business processes, planning and execution of business activities, conducting communication with dealers, conducting financial and accounting affairs, execution of sales processes of products and services, execution of the processes of shipment of products, execution of import and export processes of products, execution of contract processes, planning and execution of audit, investigative and intelligence activities, conducting supplier research and quotation receiving processes, conducting risk inquiries in order to register a supplier, reporting on suppliers and business partners, providing information to authorized institutions and organizations, conducting activities in accordance with the legislation, and for fulfilling of our obligations arising from legislation.

As part of the contract signing processes with suppliers and business partners, personal data belonging to the signature authorities are also processed in the company's signature circulars.

Principles of Personal Data Processing

The company informs its employees and takes all necessary administrative/technical measures starting from the moment when personal data is collected in accordance with the Law, until the moment of its destruction in order to comply with the five main principles mentioned below in all the operations it performs on personal data:

Compliance with the law and the rules of honesty,
Being accurate and up-to-date when necessary,
Processing for specific, explicit and legitimate purposes,
Being limited and restrained in connection with the purpose for which they are processed,
Preservation for as long as required by the relevant legislation or for the purpose for which they were processed.

In this context, when processing personal data as a Company, we act in accordance with the legislation and within the framework of good faith rules. In this context, the relevant persons are informed about the personal data processing activities through the disclosure texts on the relevant channels and compliance with the principles of processing personal data for certain clear and legitimate purposes and being limited and restrained in connection with these purposes is ensured. Personal data is deleted, destroyed or anonymized when the purpose of processing is eliminated.

Terms of Personal Data Processing

The terms of personal data processing are set out in Articles 5 and 6 of the Law. The Company takes into account the data processing requirements contained in Article 5 of the Law when processing personal data that is not of a special nature, and in Article 6 of the Law when processing personal data that is of a special nature.

1 Conditions for Processing Personal Data that are not of a Special Nature

The requirements for the processing of personal data that are not of a special nature are specified in Article 5 of the Law as stated below:

Clearly stipulated in the laws,
A person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid must be required to protect the life or body integrity of himself or someone else,
It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
Data processing activity is mandatory in order for the Company to fulfill its legal obligations,
Personal data is made public by the relevant person himself,
Data processing is mandatory for the establishment, use or protection of a right,
Data processing is mandatory for the legitimate interests of the Company,
In the absence of at least one of the above-mentioned data processing conditions, the explicit consent of the relevant person must be obtained.

Examples of the specified data processing conditions are given in the following table:
Data Processing Requirement	Example
Clearly stipulated in the laws	Keeping personal information belonging to the employee within the scope of the Labor Code.
Actual impossibility	Processing of the identity information of an unconscious patient into the hospital system.
Establishment or performance of the contract	Saving the address information of the person so that the purchased product can be sent.
Legal liability of the data controller	Sharing the information requested from the court.
Publicization	In order to be contacted, the person must publish their contact information on the website.
Establishment, protection, use of the right	Entering user name and password information into the system in order to provide internet access to guest users.
Legitimate interests	For security purposes, visitors' first and last name information should be checked and recorded in a notebook.

In the absence of at least one of them, explicit consent is obtained from the relevant persons for the processing of personal data.

2 Terms of Processing of Personal Data That are of a Special Nature

Special personal data qualified in the law as race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, costume and clothing, Association or trade union membership, health, sexual life, criminal convictions and security measures, such as biometric and genetic data. The conditions required for the processing of such special qualified personal data are set forth in Article 6 of the Law as stated below:

Explicit provision in the law for special qualified data other than health and sexual life,
For information about health and sexual life, the processing of these data by persons or authorized institutions and organizations under the obligation to keep secrets based on one of the reasons: protection of public health, preventive medicine, medical diagnostics, treatment and maintenance services, planning and management of health services and their financing.
In the absence of at least one of the above-mentioned data processing conditions, the explicit consent of the relevant person must be obtained.

Examples of the specified data processing conditions are given in the following table:
Data Processing Requirement	Example
Clearly stipulated in the laws	Keeping the employee's union information in the personal file in accordance with the relevant legislation.
Processing of data by persons or authorized institutions and organizations based on one of the reasons: protection of public health, preventive medicine, medical diagnostics, treatment and maintenance services, planning and management of health services and their financing	Keeping periodic health reports by the workplace physician.

In the absence of at least one of them, explicit consent is obtained from the relevant persons for the processing of personal data.

Personal Data Sharing

The personal data processed by the Company may be transferred to third parties within the framework of the principles set out in the Law. In this context, personal data is shared in Turkey with the following parties and for the following purposes:

With UGL for the purposes of execution of reporting processes, follow-up and management of proposal and contract processes, execution of order, production, inventory and operation processes of products and services ,monitoring and execution of logistics activities, conducting the selection and evaluation processes of potential business partners and suppliers and conducting preliminary research in this context, monitoring and enforcement of audit, legal and regulatory compliance processes.
Purchase of goods and services to the Company, with consultants, suppliers and business partners from whom we buy goods and services for the purpose of conducting procurement processes,
With legally authorized public institutions and organizations and persons for the purposes of conducting activities in accordance with the legislation, tracking and conducting legal affairs, providing information to authorized persons / institutions and organizations.

Within the framework of these personal data shares personal data is shared with the specified parties based on one or more of the reasons like establishment, protection, exercise of a right, legal obligation of the data controller, legal reasons of legitimate interest

Measures Taken for the Storage of Personal Data and Data Security

Your personal data may be stored by the Company in accordance with the following periods:

The periods stipulated in all legislation in force and Company subject to;
Until the purposes of processing your personal data are eliminated;
For the period necessary for us to offer our products and services.

In the event that none of these periods are available to continue the personal data processing activity, the personal data is deleted, destroyed or anonymized by the Company.

However, the company prevents unlawful processing of personal data, and prevents unlawful access to data and takes measures to ensure the safe storage of the necessary technical and administrative data.

Below please find the main technical and administrative measures taken by the Company regarding data security:

Network security and application security are provided.
Closed system network is used for personal data transfers via the network.
Key management is implemented.
Security measures are taken within the scope of procurement, development and maintenance of information technology systems.
Disciplinary regulations containing data security provisions are available for employees.
Training and awareness-raising activities carried out for employees on data security.
An authorization matrix has been created for employees.
Access logs are kept regularly.
Corporate policies on access, information security, use, storage and destruction have been prepared and started to be implemented.
Confidentiality commitments are made.
The powers of employees who have changed their duties or left their jobs in this field are being removed.
Current anti-virus systems are used.
Firewalls are used.
Signed contracts contain data security provisions.
Personal data security policies and procedures have been established.
Personal data security issues are reported quickly.
Personal data security is monitored.
Necessary security measures are taken regarding the entry and exit of physical environments containing personal data.
Physical environments containing personal data may have external risks (fire, flood, etc.) against which security is provided.
The security of the environments containing personal data is ensured.
Personal data is reduced as much as possible.
Personal data is backed up and the security of the backed up personal data is also ensured.
User account management and authorization control system are being implemented and their monitoring is also being carried out.
Periodic and/or random inspections are carried out and carried out in-house.
Log records are kept in such a way that there is no user intervention.
If personal data of a special nature is to be sent via electronic mail, it is necessarily sent in encrypted form and using a KEP or corporate mail account.
Secure encryption/cryptographic keys are used for private personal data and are managed by different units.
Intrusion detection and prevention systems are used.
Cyber security measures have been taken and their implementation is constantly monitored.
Encryption is performed.
Specially qualified personal data transferred on portable memory, CD, DVD media are encrypted and transferred.
Extra security measures are taken for personal data transferred via paper and the relevant documents are sent in a confidentiality-grade document format.

Apart from the ones mentioned here, special technical and administrative measures are also taken by the Company, taking into account the nature of personal data and the degree of confidentiality it requires.

Rights Related to Personal Data

The Company has the title of data controller for the processing of your personal data. For this reason, the relevant persons may apply to the Company regarding the processing of their personal data regarding the following rights:

Find out if your personal data has been processed – You can get information from us about whether we have processed your personal data.
If we are processing your personal data, you have the right to request information about it – You have the right to receive information about how we process your personal data.
You have the right to find out the purpose of processing your personal data and whether it is used for its intended purpose – You have the right to receive information about whether we use your personal data for the purpose of obtaining it.
Knowing the third parties to whom we transfer your personal data -if any - at home or abroad – If there are third parties to whom we transfer your personal data, you can get information about them from us.
If your personal data has been processed incompletely or incorrectly, you can contact us to request correction of them and to request us to inform the third parties to whom we have transferred the personal data of the transaction made in this context - if any - You can contact us to correct the personal data that you think we have processed incompletely or incorrectly. In this case, we will update your data at your request. In cases where we transfer personal data to third parties, we also inform third parties to correct the data.
Processed in accordance with the law and related regulations, although in the event of the disappearance of the reasons requiring processing your personal data erased or destroyed, and in this context, requesting that it be a transaction -if you have - ask them to inform you that your personal data are transferred to third parties – you have the right to request that your personal data be erased or destroyed. Please inform us if the reason requiring us to process your personal data has disappeared. If we cannot fulfill this request, we will inform you about the reason (for example, we have a legal obligation that requires us to store your personal data).
If there are situations where a result arises against you by analyzing your personal data that we process exclusively through automated systems, to object to these – If you believe that the result obtained in cases where your personal data is analyzed exclusively through automated systems is against you, you have the right to contact us about it. Upon a positive assessment of his objection, we will ensure that the relevant result is corrected.
In case you suffer damage due to illegal processing of your personal data, do not request to be compensated for your loss – If you incur a loss due to unlawful processing of your personal data, you have the right to demand compensation for your loss.

You can always contact us to get more information about the scope of your rights and to exercise your rights. If you submit your request for your rights to us, we will finalize your application as soon as possible and no later than thirty days, taking into account the nature of your request. You can start this process with the link below.

/LPPD/LPPD APPLICATION FORM

11. Questions Related to the Policy

This Policy has been prepared in order to inform the relevant persons about all issues related to the processing of your personal data. However, it is one of the general principles of the Company to answer all questions related to personal data in a transparent and understandable way within the scope of this Policy.

Therefore, if you have any questions about the Policy you can send an e-mail kvkk@ugl.com.tr address.