Personal Data Policy

Policy on Processing and Security of Sensitive Personal Data

TAŞIMACIM YAZILIM TEKNOLOJİLERI AS
POLICY ON PROCESSING AND SECURITY OF SPECIAL CATEGORIES OF PERSONAL DATA

INTRODUCTION

Purpose of the Policy

As Tasimacim Transportation Logistics Brokerage Services Limited Company (hereinafter referred to as “Tasimacim” or “Company”), we process special categories of personal data and ensure the security of such data in accordance with the Personal Data Protection Law No. 6698 and the relevant legislation. This Policy on Processing and Security of Special Categories of Personal Data (“Policy”) has been prepared in accordance with the decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 (“Board Decision”) regarding the “Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data” in order to determine the measures we take as a data controller for the processing of special categories of personal data. This Policy and Tasimacim’s Personal Data Security Policy (“Security Policy”) are complementary to each other, and the Security Policy should be consulted for issues not mentioned in this Policy. Tasimacim, as the data controller, shall act in accordance with this Policy while processing special categories of personal data, sharing them with third parties and storing them in data recording media.

Scope of the Policy

This Policy covers our activities to ensure the appropriate level of security of special categories of personal data that we have acquired and may acquire belonging to the following persons:

  • Our company’s employees, employee candidates, former employees, and interns,
  • Representatives, proxies and shareholders of our Company and our group companies,
  • Employees, representatives, and agents of our business partners,
  • Health professionals with whom we co-operate,
  • Employees, representatives, and agents of our suppliers,
  • Our customers and potential customers,
  • Employees of public/private institutions and organisations, members and managers of the associations we are in co-operation with,
  • Other natural persons.

Changes and Updates in the Policy

Within the framework of this Policy, Tasimacim shall take necessary administrative and technical measures to process the special categories of personal data of the persons mentioned in Article 2 in accordance with the personal data protection legislation and to ensure the security of such data. This Policy may be amended and updated by the relevant units at any time in line with the changes in the law or relevant legislation or in the activities of Tasimacim.

PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

General Principles Regarding the Processing of Sensitive Personal Data

Tasimacim is obliged to comply with the general principles specified in the KVK Law regarding the processing of personal data. In this context, Tasimacim will act in accordance with the following principles when processing special categories of personal data:

  • Processing personal data in accordance with the law and good faith,
  • Ensuring that personal data is accurate and, when necessary, up to date,
  • Processing personal data for specific, explicit, and legitimate purposes,
  • Processing personal data in a manner that is connected with, limited to and proportionate to the purpose for which they are processed,
  • Retaining personal data for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

Conditions for Processing Special Categories of Personal Data

Tasimacim is obliged to process special categories of personal data in accordance with the conditions specified in Article 6 of the KVK Law together with the general principles mentioned above. In this context, Tasimacim may carry out special categories of personal data processing activities based on one of the following conditions:

  • The explicit consent of the data subject has been obtained for the processing of special categories of personal data, or
  • The processing of special categories of personal data, other than personal data relating to health and sexual life, is stipulated in the law.

Transfer of Special Categories of Personal Data

Tasimacim may share sensitive personal data with third parties in accordance with the data processing conditions specified in Articles 8 and 9 of the KVK Law. During the transfer of sensitive personal data to third parties, Tasimacim shall take the security measures specified in the Board Decision. In this context, when transferring special categories of personal data, Tasimacim:

  • uses an encrypted corporate e-mail address or a Registered Electronic Mail (KEP) account where the data is transferred by e-mail,
  • sets up a VPN between servers or uses the sFTP method where the data is transferred between servers in different physical environments,
  • takes the necessary precautions against risks such as theft, loss or access by unauthorised persons and sends the document in the format of “confidential documents” where the data is transferred on paper.

Preservation of Special Categories of Personal Data

Tasimacim stores special categories of personal data in accordance with the general principles and processing conditions described in detail above. Regarding the environments where special categories of personal data are stored and/or accessed, Tasimacim shall take the security measures specified in the Board Decision. In this context, Tasimacim:

  • preserves sensitive personal data using cryptographic methods and keeps cryptographic keys in secure and separate environments,
  • securely logs the transaction records of all actions performed on sensitive personal data,
  • continuously monitors the security updates of the environments where sensitive personal data are located, regularly performs the necessary security tests, and records the test results,
  • defines user authorisations for any software through which sensitive personal data is accessed,
  • provides an authentication system of at least two stages if remote access to sensitive personal data is required,
  • takes measures against electrical leakage, fire, flood, theft, etc. where the environments in which sensitive personal data are processed, stored and/or accessed are physical environments, ensures the physical security of these environments and prevents unauthorised entries and exits.

PROCESSING OF PERSONAL DATA OF SPECIAL NATURE BY EMPLOYEES

Tasimacim takes the following measures specified in the Board Decision for its employees who process special categories of personal data:

  • Personnel are provided with the necessary training and awareness activities so that they ensure the security of personal data and do not disclose or share it unlawfully.
  • A confidentiality agreement is concluded with the employees.
  • Personnel are authorised to access servers where personal data are stored according to the department they work in and their job role. The scope and duration of these authorisations are clearly defined.
  • Authorisation checks are carried out periodically. In the event that employees change their duties or leave their jobs, their authorisation to access data is removed and the inventory given to them is taken back.

PERSONAL DATA SECURITY POLICY

Tasimacim has established the Personal Data Security Policy in accordance with the technical and administrative measures specified in the Personal Data Security Guide published on the website of the Authority in order to ensure the security of all personal data it processes, including personal data of special nature. This Special Categories of Personal Data Security Policy includes the technical and administrative measures taken by the Company to provide the appropriate level of security so that personal data is processed lawfully, unlawful access to it is prevented and its preservation is ensured.