Data Protection Policy

SHIP GLOBAL LOJİSTİK A.Ş

PERSONAL DATA PROTECTION AND PROCESSING POLICY

1. INTRODUCTION

As the data controller, the protection of personal data belonging to its employees and other real persons with whom it interacts is of great importance for SHIP GLOBAL LOGISTICS INC. ("Company"), residing at Alsancak Mahallesi 1476 Sok. No.2/62 Kordon/IZMIR.

The process managed by this Policy and other written policies within our Company for the processing and protection of personal data and the targeted goal is; the processing and protection of the personal data of our employees, employee candidates, interns, visitors, employees of the institutions we cooperate with, and third parties in accordance with the law.

Basic principles adopted by our Company:

• Processing personal data in accordance with the law and good faith
• Keeping personal data accurate and, when necessary, up-to-date
• Processing personal data for specific, explicit, and legitimate purposes
• Processing personal data relevantly, limitedly, and proportionately to the purpose for which they are processed
• Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed
• Informing and enlightening data subjects
• Establishing the necessary infrastructure for data subjects to exercise their rights
• Taking necessary measures for the protection of personal data
• Special regulation of the processing and protection of special categories of personal data

2. PURPOSE OF THE POLICY

The main purpose of this Policy is to make explanations regarding the personal data processing activity carried out legally by our Company and the systems adopted for the protection of personal data, and to provide transparency by informing our employees, employee candidates, shareholders/partners, potential product or service buyers, interns, supplier employees, supplier authorities, persons receiving products or services, visitors, and other persons with whom we cooperate.

3. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

Personal data is processed within our Company in line with legitimate and lawful personal data processing purposes, based on and limited to one or more of the personal data processing conditions specified in Article 5 of the KVKK (Personal Data Protection Law).

Legal basis for processing personal data:

• Being stipulated in the legislation to which the Company is subject
• Being directly related to the establishment or performance of a contract
• Being necessary for the Company to fulfill its legal obligations
• Having been made public by the data subject
• Being mandatory for the establishment, exercise, or protection of a right
• Legitimate interest, provided it does not harm the fundamental rights and freedoms of the data subject
• Explicit consent of the data subject

4. TRANSFER OF PERSONAL DATA

Our Company may transfer personal data to third parties in line with lawful personal data processing purposes by taking necessary security measures.

• If there is a clear regulation in the laws regarding the transfer of personal data
• Being related to the establishment or performance of a contract
• If it is mandatory to fulfill a legal obligation
• If it is mandatory for the establishment, exercise, or protection of a right
• If it is mandatory for legitimate interests
• If explicit consent of the data subject has been obtained

Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

5. MEASURES FOR THE PROTECTION OF PERSONAL DATA

Our Company; takes necessary technical and administrative measures to ensure the appropriate level of security to prevent unlawful processing of personal data it processes, to prevent unlawful access to data, and to ensure the retention of data, in accordance with Article 12 of the KVKK.

Technical Measures:

• Risks and vulnerabilities targeting IT systems are identified through penetration tests
• Risks are continuously monitored with information security incident management
• Access and authorization are carried out through security policies
• Firewalls and intrusion prevention systems are used
• Encryption is done using secure protocol (HTTPS)
• Secure record-keeping (logging) systems are used
• Data backup programs are used

Administrative Measures:

• Employees are trained on personal data protection
• A personal data inventory has been created
• Disciplinary regulations containing data security provisions are in place
• Confidentiality agreements are signed
• Periodic audits are conducted

6. RIGHTS OF THE DATA SUBJECTS

Data subjects have the following rights:

• To learn whether personal data is processed or not
• To request information if personal data has been processed
• To learn the purpose of processing personal data and whether they are used appropriately for their purpose
• To know the third parties to whom personal data is transferred domestically or abroad
• To request correction of personal data if it is incomplete or incorrectly processed
• To request the deletion or destruction of personal data when the reasons requiring its processing disappear
• To object to the occurrence of a result against the person by analyzing the processed data exclusively through automated systems
• To request compensation for the damage arising from the unlawful processing of personal data