TABLE OF CONTENTS

1.Objective

2.Scope and Application

3.Definitions

a. Principles for Processing Personal Data

b.   Purposes of Processing Personal Data

c. Legal Grounds for Processing Personal Data

d. Legal Grounds for Processing Sensitive Personal Data

5.Disclosure Obligation

6.Data Security

a. Technical Measures

b. Administrative Measures

7.Transfer of Personal Data

    a.   Domestic Transfer

    b. Transfer Abroad

8.Personal Data Inventory

9.Roles and Responsibilities

10.Deletion, Destruction and Anonymisation of Personal Data

11.Rights of the Relevant Person and Exercise of Rights a. Related Person Rights b. Exercise of Rights c. Evaluation of the Application d. Our Right to Reject the Application e. Right of Complaint

12.Publication of the Policy, Effectiveness

13.Updating the Policy

—

1. Objective

The main purpose of this Personal Data Protection and Processing Policy (“Policy”) is to explain the personal data processing activities carried out by TCT Lojistik Anonim Şirketi (“Company”) in accordance with the law and the systems adopted for the protection of personal data, to determine the procedures and principles to be followed by the persons who process data due to their relationship with the Company and to ensure transparency towards the persons whose data are processed.

The Company carries out its activities in accordance with the Law on the Protection of Personal Data (“KVKK”) and related legislation, primarily the provisions of the Constitution of the Republic of Turkey and international conventions to which we are a party, regarding the protection and confidentiality of personal data. The Company approaches the protection of personal data and fundamental rights and freedoms with sensitivity and focuses on fundamental human rights such as privacy of private life and freedom of thought in all its activities.

2. Scope and Application

This Policy has been prepared in accordance with applicable regulations and international standards. The Company will primarily apply this Policy in all data processing activities such as data processing, transfer and modification.

The Company also has different policies that address the protection of personal data and the provision of information security in relation to certain business activities and processes. This Policy does not override the data protection requirements in these different policies of the Company, unless it contains additional requirements or requires a higher standard for the protection of personal data. This Policy is implemented together with such other policies and procedures to the extent appropriate.

In the event of a conflict between the provisions of the applicable legislation on the protection and processing of personal data and the provisions of this Policy, the provisions of the current legislation shall prevail.

3. Definitions

KVKK Law No. 6698 on the Protection of Personal Data

GDPR European Union General Data Protection Regulation

Data Processor: Natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller

Data Controller: The person who determines the purposes and means of processing personal data and manages the place where the data is kept systematically (data recording system)

Data Owner/Related Person: Employees, customers, business partners, shareholders, shareholders, officials, potential customers, candidate employees, interns, visitors, suppliers, employees of the institutions with which the Company and the Company’s subsidiaries have commercial relations, third parties and real persons whose personal data are processed, including but not limited to those listed here.

Explicit Consent: Consent on a specific subject, based on information and expressed with free will

Personal Data: Any information relating to an identified or identifiable natural person

Sensitive Personal Data: data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data

Processing of Personal Data: Any operation performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system

Anonymisation of Personal Data: Making personal data not to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data

Deletion of Personal Data: Making personal data inaccessible and non-reusable in any way for the relevant users

Destruction of Personal Data: The process of making personal data inaccessible, unrecoverable and non-reusable by anyone in any way

KVK Board / Board: Personal Data Protection Board

KVK Institution/Institution: Personal Data Protection Authority

4. Processing of Personal Data

a. Principles for Processing Personal Data

The Company’s policies and procedures are implemented in parallel with the processing principles in the KVKK and the relevant legislation. We know that these principles are of vital importance in the exercise of the rights of the relevant persons and their control over the data, and we are extremely sensitive to make these principles our focal point in all our processing activities. Our principles in our personal data processing activities are as follows;

Personal data are processed in accordance with the law and good faith and in a transparent manner.

The Company relies on the legal processing reasons in the KVKK in its data processing activities. It also observes the reasonable expectations of the relevant persons in accordance with the rule of honesty. The Company uses a clear and understandable language in its communication with the relevant person and is always in an easily accessible position.

Personal data are processed only for specific, explicit and legitimate purposes.

The Company determines the purpose of the processing activity prior to data processing activities. Data shall only be processed for additional purposes that are compatible with the initial purpose of processing. For each additional purpose, compliance with the initial purpose is determined according to internationally recognised criteria. Our company informs the relevant persons about the purposes of data processing by observing the principle of transparency.

Personal data are relevant, limited and proportionate to the purpose for which they are processed.

Our company processes the amount of data required for the purpose of data processing. The data is processed in the most appropriate method for data privacy and security.

Personal data is accurate and up-to-date when necessary.

The Company ensures that the data is up to date in all processing activities. Incomplete, inaccurate or incorrect data are destroyed or corrected as soon as possible. The Company checks the currency of the data at regular intervals.

Personal data are retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Data are deleted, destroyed or anonymised as soon as the purpose of data processing is no longer required.

Personal data are processed in a way to ensure appropriate security.

Our company applies data security as the main principle. It takes necessary administrative and technical measures by following the best practices in this direction.

The Company demonstrates that it ensures compliance with other principles of KVKK and/or GDPR.

Our company observes the principle of accountability in all processing activities.

b. The Company’s Purposes of Processing Personal Data

The purposes of processing personal data processed by the Company are as follows:

• Execution of Emergency Management Processes
• Execution of Information Security Processes
• Execution of Employee Candidate / Intern / Student Selection and Placement Processes
• Execution of Application Processes of Employee Candidates
• Execution of Employee Satisfaction and Loyalty Processes
• Fulfilment of Labour Contract and Legislative Obligations for Employees
• Execution of Fringe Benefits and Benefits Processes for Employees
• Conducting Audit / Ethics Activities
• Execution of Training Activities
• Execution of Access Authorisations
• Execution of Activities in Accordance with the Legislation
• Execution of Finance and Accounting Affairs
• Execution of Company / Product / Service Loyalty Processes
• Ensuring Physical Space Security
• Execution of Assignment Processes
• Follow-up and Execution of Legal Affairs
• Execution of Internal Audit / Investigation / Intelligence Activities
• Execution of Communication Activities
• Planning Human Resources Processes
• Execution / Supervision of Business Activities
• Execution of Occupational Health / Safety Activities
• Receiving and Evaluating Suggestions for Improvement of Business Processes
• Execution of Business Continuity Ensuring Activities
• Execution of Logistics Activities
• Execution of Goods / Service Procurement Processes
• Execution of Goods / Services After Sales Support Services
• Execution of Goods / Service Sales Processes

c. The Company’s Legal Reasons for Processing Personal Data:

When processing personal data, the Company relies on one of the legal processing conditions in Article 5 of the KVKK. The conditions for the processing of personal data, i.e. the cases of compliance with the law, are listed in a limited number in the Law and these conditions cannot be expanded. The Company relies on the following legal grounds when processing personal data:

• Existence of the explicit consent of the data subject,
• Explicitly stipulated in the laws,
• It is necessary to process personal data belonging to the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
• It is mandatory for the data controller to fulfil its legal obligation,
• Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
• Our company does not rely on the legal reason of explicit consent in the presence of another legal reason.

d. Legal Grounds for Processing Sensitive Personal Data

Sensitive personal data are data that may expose the person to discrimination in case of disclosure such as religion, race, belief, health and sexual life. Sensitive personal data cannot be processed without the existence of limited legal reasons listed in Article 6 of the KVKK.

• In this context, the Company processes personal data of special nature other than health or sexual life;
• The explicit consent of the person concerned is processed based on legal grounds. Data related to health and sexual life;
• Explicit consent of the data subject,

It is processed by persons under the obligation to keep secrets based on the legal grounds that it is for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.

5. Disclosure Obligation

The Company is obliged to inform the relevant persons in accordance with the KVKK and the Communiqué on the Procedures and Principles to be followed in the Fulfilment of the Obligation to Inform. If personal data is obtained from the data subject, the Company informs the data subjects personally or by persons authorised by the Company at the time of obtaining the data. If personal data is not obtained from the data subject, the obligation to inform is fulfilled within a reasonable period of time, if the data will be used for communication with the data subject, at the time of the first communication, if the data will be transferred, at the latest at the time of the first transfer.

The Company informs the relevant persons at least about the legal entity and address information of the Company, the purpose for which personal data will be processed, to whom and for what purposes the processed data can be transferred, the method and legal reason for collecting personal data, and the rights listed in Article 11 of the KVKK.

When the purpose of personal data processing changes, the obligation to inform is fulfilled separately for this purpose before the data processing activity.

6. Data Security

As the data controller in the processing of personal data, the Company is obliged to prevent unlawful processing and access to personal data and to ensure their protection. For this reason, the Company has taken all technical and administrative measures regarding data security, including additional measures required for the protection of special categories of personal data. In this context, the measures taken by our company are listed below.

• Technical Measures
• Administrative Measures

7. Transfer of Personal Data

a. Domestic Transfer

Our company transfers personal data to third parties based on the data processing conditions in Articles 5 and 6 of the KVKK. The Company takes all necessary security measures in data transfer activities.

b. Transfer Abroad

Pursuant to Article 9 of the LPPD, the Company transfers data abroad by fulfilling one of the following conditions.

Explicit consent of the data subject,

The country to which the personal data will be transferred has the status of “safe country” and provides adequate protection, the rights and obligations of the Company and the recipient party regarding the data transfer are regulated and adequate protection is undertaken in writing and the Board’s permission is obtained.

8. Personal Data Inventory

The Company has created a data inventory with the details stipulated by the Law regarding the personal data processed within the scope of KVKK. The Company’s data inventory includes the following details:

• Business processes where personal data is used,
• Category of personal data,
• Personal data processed,
• Special categories of personal data processed,
• Purpose and legal grounds for the processing,
• Domestic recipients of personal data,
• Whether personal data is transferred abroad,
• Retention periods for personal data

In case of a change in the processing activities of the Company, the Personal Data Inventory is updated. The Company shall notify the Registry of Data Controllers of the information contained in the Personal Data Inventory and updates, if any. The information to be provided by the Company to the relevant person within the framework of the disclosure obligation mentioned in Article 5 of this Policy is compatible with the information disclosed to the Registry.

9. Roles and Responsibilities

The relevant unit is responsible for the notification of this Policy to the relevant persons such as customers, subcontractors, suppliers whose data are processed.

The relevant unit is responsible for informing the parties who process data on behalf of the Company, such as employees and suppliers, about the Policy, and for the implementation of the Policy by the data processors in question through regular checks.

The relevant unit is responsible for updating this Policy. The unit makes the necessary improvements by considering the needs of the Company’s information processing systems and carries out the process of updating the Policy when necessary.

The relevant unit is authorised to approve updates to this Policy.

The relevant unit is responsible for determining and implementing sanctions for violations of the Policy.

10. Deletion, Destruction and Anonymisation of Personal Data

• Pursuant to Article 7 of the KVKK and other relevant legislation provisions, personal data shall be deleted, destroyed or anonymised upon the Company’s decision, periodic control and / or upon the request of the person concerned, if the reasons for processing personal data disappear.
• The Company shall not store personal data for longer than necessary in connection with the reason for obtaining personal data. The Company deletes, destroys or anonymises personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymise personal data arises with the disappearance of the reasons for processing.
• The Company has prepared a Storage and Destruction Policy to determine the procedures and principles in this direction. The retention period for each category of personal data, the criteria used in the retention and destruction periods, including the legal obligations that the Company has to store the data, are specified in this Retention and Destruction Policy. This Retention and Destruction Policy is organised in accordance with the Personal Data Inventory specified in Article 8 of this Policy.
• The Company acts in accordance with the principles set out in section 4/a of this Policy, the technical and administrative measures set out in Article 6, the Retention and Destruction Policy, the provisions of the relevant legislation and the decisions of the Board in the deletion, destruction or anonymisation of personal data.

11. Rights and Exercise of Rights of the Person concerned

a. Related Person Rights

Relevant persons have the following rights regarding their personal data processed in accordance with Article 11 of the KVKK:

• To learn whether personal data is processed or not,
• If personal data has been processed, to request information on the nature of this information and to learn to whom it has been disclosed,
• To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
• To know the third parties to whom personal data are transferred domestically or abroad and to request notification of the transaction made in this direction to third parties,
• In case of incomplete or incorrect processing of personal data, to request their correction and notification of this to third parties,
• To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of the relevant law,
• Objecting to a result that is unfavourable to oneself,
• In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

b. Exercise of Rights

• Applications and requests regarding personal data can be made via the Data Subject Application Form,
• Burç İstanbul Business Centre Gökevler Mah. 2312 Sok. No.18J D:12-13-14 Esenyurt/Istanbul or by sending to,
• By signing with secure electronic signature or mobile signature and sending it to …….. e-mail address or,
• By signing with secure electronic signature or mobile signature, sending it to the Company’s KEP Address address via registered electronic mail (KEP) or,
• By applying to TCT Logistics Incorporated Company in person with a valid identity document

can be forwarded.

Within the scope of legal obligations regarding the procedures and principles of application to the data controller, the relevant persons should include their name, surname, signature if the application is in writing, T.R. Identity number if they are a citizen of the Republic of Turkey, nationality if they are foreigners, passport (or ID) number, residential or business address for notification, e-mail address and fax number, if any, and finally the subject of the request. In addition, identity-verifying documents and information and documents related to the subject of the request should be attached to the application.

In order to operate the process in the most effective way, the right to use the subject of the request and the details of the requested transaction should be clearly and understandably stated.
The subject of the request must be related to the person concerned. If the application is made on behalf of someone else, the person making the request must be based on a specially documented authorisation (power of attorney) for the requested transaction. Unauthorised applications will not be evaluated.

c. Evaluation of the Application

The applications are evaluated and returned as soon as possible and within 30 days at the latest from the date of receipt of the application.

During the evaluation process, additional information and documents may be requested if necessary, and a fee may be charged for the fulfilment of the request in accordance with the relevant legislation.

The Company takes all necessary administrative and technical measures to finalise the applications to be made by the relevant person effectively, in accordance with the law and the rule of honesty.

d. Rejection of the Application

Application;

If the application is not made in accordance with the above procedure,

When the application contains a request contrary to the legislation in force,

Where the application is not justified or is an abuse of right,

Processing of personal data subject to the application for purposes such as research, planning and statistics by anonymising them with official statistics,

Processing of personal data publicised by the data subject himself/herself.

It is rejected in the presence of one of the other cases falling within the scope of Article 28 of the KVKK. If the application is rejected, the Company notifies the relevant person of the rejection by explaining the reason.

The relevant person has the right to file a complaint to the Board when his/her application to the Company is rejected or when he/she finds the answer given by the Company inadequate or when the Company fails to respond within 30 days.

The relevant person may exercise his/her right of complaint within 30 days from the date he/she learns the Company’s response and in any case within 60 days from the date of application.

6. Publication of the Policy and Enforcement

This Policy enters into force on …..

The current version of this Policy is published at ….

7. Updating the Policy

This Policy is updated for … months or … years in accordance with the … (e.g. quality document) procedure.

The cancelled old copies of this Policy are cancelled with the approval of … (unit, person status, e.g. quality unit manager) and kept by … (unit, person status, e.g. archive officer) for […] years. Policies whose retention period expires shall be destroyed by … (unit, person status) by issuing a report.