PERSONAL DATA PROTECTION AND PROCESSING POLICY
The Law on the Protection of Personal Data No. 6698 ("the Law") entered into force on April 7, 2016; the purpose of this Garenta Transportation Solutions Inc. Personal Data Processing and Protection Policy ("the Policy") is to ensure the compliance of Garenta Transportation Solutions Inc. ("Garenta" or "the Company") with the Law and to determine the principles to be followed in fulfilling the obligations of the Company regarding the protection and processing of personal data.
The Policy determines the conditions for processing personal data and sets out the main principles adopted by the Company in processing personal data. In this context, the Policy covers all personal data processing activities carried out by the Company within the scope of the Law, all data subjects whose data are processed by the Company, and all personal data processed. Matters regarding the processing of personal data of Company employees are not included in this Policy, but are regulated separately in the Garenta Transportation Solutions Inc. Employee Personal Data Processing and Protection Policy. The definitions of the terms used in the Policy are given in ANNEX-1.
The Policy has been published on the Company's website and is open to the public. In case of a conflict between the provisions of this Policy and the current legislation, especially the Law, the provisions of the legislation shall apply.
The Company reserves the right to amend the Policy in parallel with legal regulations. The current version of the Policy is available on the Company's website.
The data subjects within the scope of the Policy are all natural persons, excluding Company employees, whose personal data are processed by the Company. In this context, the general categories of data subjects are as follows:
| DATA SUBJECT CATEGORIES | DESCRIPTION |
| Customer | Refers to natural persons who benefit from the products and services offered by the Company. |
| Potential Customer | Refers to natural persons who show interest in using the products and services offered by the Company and have the potential to become a customer. |
| Visitor | Refers to natural persons who visit the Company's stores, campus, and website. |
| Job Applicant | Refers to natural persons who apply for a job at the Company by submitting a CV or through other means. |
| Third Parties | Refers to natural persons other than the data subject categories listed above and Company employees. |
The data subject categories are listed for general information purposes. The fact that a data subject does not fall within the scope of any of these categories does not eliminate their status as a data subject as defined in the Law.
Your personal data and special categories of personal data may be processed by the Company for the following purposes, in accordance with the personal data processing conditions set forth in the Law and relevant legislation:
| MAIN PURPOSES | SUB-PURPOSES |
| Execution of Company's Internal Operations | Planning, Auditing, and Execution of Information Security Processes; Establishment and Management of Information Technology Infrastructure; Planning and Execution of Employee Access Authorizations to Information Systems; Event Management; Tracking of Financial and Accounting Affairs; Planning and Execution of Business Activities' Efficiency/Productivity and Appropriateness Analysis Activities; Planning and Execution of Business Activities; Planning and Execution of Access Authorizations for Business Partners and Suppliers to Information Systems; Planning and Execution of Business Continuity Activities; Planning and Execution of Corporate Communication Activities; Planning and Execution of Corporate Sustainability Activities; Planning and Execution of Corporate Governance Activities; Planning and Execution of Logistics Activities; Planning and Execution of Production and Operation Processes; Planning and Tracking of Construction Works. |
| Activities with Legal, Technical and Administrative Outcomes | Planning and Execution of Emergency Management Processes; Planning and Execution of Occupational Health and Safety Processes; Execution of Credit Processes Risk Management; Calculation of Personal Insurance Policy Premiums and Creation of the Policy; Management and Supervision of Relations with Subsidiaries; Initiation of the Damage Process and Completion of the Damage File; Tracking of Legal Affairs; IT and Operational Audit Studies of Group Companies; Providing Information to Authorized Institutions Arising from Legislation; Creation and Tracking of Visitor Records; Planning and Execution of the Company's Production and Operational Risk Processes; Execution of Corporate and Partnership Law Transactions; Ensuring the Security of Company Operations; Ensuring the Security of Company Campuses and Facilities; Planning and Execution of the Company's Financial Risk Processes; Ensuring the Security of Company Assets and Resources; Planning and Execution of Company Audit Activities; Issuance of Insurance Policies; Various Application Requests from Partners, their 1st Degree Relatives and Board Members; Planning and Execution of Necessary Operational Activities to Ensure the Execution of Company Activities in Compliance with Company Procedures and Relevant Legislation; Ensuring the Accuracy and Currency of Data. |
| Customer-Related Processes and Operations | Tracking of Credit Payment Transactions; Planning and Execution of Post-Sale Support Services Activities; Planning and Execution of Product and Service Sales Processes; Tracking of Contract Processes and Legal Demands; Planning and Execution of Customer Relationship Management Processes. |
| Financial Operations | Banking Transactions; Making Damage Payments; Making Damage Payments to Individuals; Collection of Personal Insurance Policy Premiums; Collection of Policy Premiums; Pricing of Insurance Policies. |
| Strategy Planning & Business Partner/Supplier Management | Management of Relations with Business Partners and/or Suppliers; Planning and Execution of External Training Activities; Execution of Strategic Planning Activities. |
| Marketing Operations | Planning and Execution of Processes to Create and Increase Loyalty to the Products and Services Offered by the Company; Planning and Execution of Market Research Activities for the Sale and Marketing of Products and Services; Planning and Execution of Marketing Processes of Products and Services; Planning and Execution of Customer Satisfaction Activities. |
Your personal data, categorized below, are processed by the Company in accordance with the personal data processing conditions set forth in the Law and relevant legislation.
| PERSONAL DATA CATEGORIZATION | DESCRIPTION |
| Identity Information | All information about the person's identity found in documents such as driver's license, identity card, residence permit, passport, lawyer's ID, marriage certificate. |
| Contact Information | Information for contacting the data subject, such as phone number, address, and e-mail. |
| Customer Information | Information obtained and generated about the data subject as a result of our commercial activities and the operations carried out by our business units within this framework. |
| Family Members and Relative Information | Information about the data subject's family members and close relatives processed in connection with the products and services we offer or to protect the legal interests of the Company and the data subject. |
| Customer Transaction Information | Information such as records related to the use of our products and services, as well as the instructions and requests necessary for the customer to use the products and services. |
| Physical Space Security Information | Personal data related to records and documents such as camera recordings and fingerprint records taken at the entrance to and during the stay in a physical space. |
| Transaction Security Information | Your personal data processed to ensure our technical, administrative, legal, and commercial security while conducting our commercial activities. |
| Financial Information | Personal data processed related to all kinds of financial results, information, documents, and records created according to the type of legal relationship our Company has established with the data subject. |
| Job Applicant Information | Personal data processed about individuals who have applied to work at our Company or who have been considered as job applicants in line with the human resources needs of our Company and in accordance with commercial customs and fairness rules, or who are in a working relationship with our Company. |
| Legal Action and Compliance Information | Personal data processed within the scope of determining and tracking our legal receivables and rights, fulfilling our debts, and ensuring compliance with our legal obligations and the Company's policies. |
| Audit and Inspection Information | Personal data processed within the scope of our Company's legal obligations and compliance with company policies. |
| Sensitive Data | Personal data related to individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are special categories of personal data. |
| Marketing Information | Personal data processed for the purpose of marketing our products and services by customizing them according to the data subject's usage habits, preferences, and needs, as well as the reports and evaluations created as a result of this processing. |
| Request/Complaint Management Information | Personal data related to the receipt and evaluation of any request or complaint directed to our Company. |
| Reputation Management Information | Information collected to protect our Company's commercial reputation and information related to the evaluation reports and actions taken in this regard. |
| Event Management Information | Personal data processed to take necessary legal, technical, and administrative measures against events that occur to protect our Company's commercial rights and interests, as well as the rights and interests of our customers. |
Your personal data are processed by the Company in accordance with the principles of personal data processing set forth in Article 4 of the Law.
Compliance with these principles is mandatory for every personal data processing activity:
Processing personal data in compliance with the law and good faith: The Company acts in compliance with laws, secondary regulations, and general principles of law when processing your personal data. It pays attention to processing personal data in a limited manner for the purpose of processing and takes into account the reasonable expectations of the data subject.
Ensuring personal data is accurate and up-to-date: The Company takes care to ensure that the personal data it processes is up-to-date and conducts the necessary checks in this regard. Data subjects have the right to request the correction or deletion of inaccurate and outdated data.
Processing personal data for specific, explicit, and legitimate purposes: The Company determines the purposes of data processing before each personal data processing activity and ensures that these purposes are not unlawful.
Ensuring personal data is relevant, limited, and proportionate to the purpose for which it is processed: The data processing activity of the Company is limited to the personal data necessary to achieve the collection purpose, and necessary steps are taken to avoid processing personal data that is not related to this purpose.
Retaining personal data only for the period required by legislation or for the purpose of processing: When the purpose of personal data processing ceases to exist or the period specified in the legislation expires, the personal data is deleted, destroyed, or anonymized by the Company.
Your personal data is processed by the Company if at least one of the personal data processing conditions specified in Article 5 of the Law exists.
The explanations of the above-mentioned conditions are as follows:
Existence of explicit consent of the data subject: In cases where other data processing conditions do not exist, the personal data of the data subject may be processed by the Company in accordance with the general principles specified in Heading 3.1, provided that the data subject gives their consent with sufficient information about the personal data processing activity, with their free will, without hesitation, and limited to that specific transaction.
The personal data processing activity is explicitly provided for in the laws: In this case, personal data may be processed by the Company without the explicit consent of the data subject within the framework of the relevant legal regulation.
Personal data processing is mandatory because it is not possible to obtain explicit consent due to factual impossibility: The personal data of a data subject who is unable to express their consent or whose consent is not considered legally valid will be processed by the Company if the processing of personal data is mandatory for the protection of the life or physical integrity of the data subject or a third person.
The personal data processing activity is directly related to the establishment or execution of a contract: If it is necessary to process the personal data of the parties to a contract established or already signed between the data subject and the Company, the personal data processing activity will be carried out.
The personal data processing activity is mandatory for the data controller to fulfill its legal obligation: The Company processes personal data for the purpose of fulfilling its legal obligations set forth in the current legislation.
Personal data has been made public by the data subject: Personal data that has been made public by the data subject in any way and is thus open to everyone can be processed by the Company without the explicit consent of the data subjects, limited to the purpose of the public disclosure.
The processing of personal data is mandatory for the establishment, exercise or protection of a right: The Company may process the personal data of data subjects without their explicit consent in a situation of compulsion.
The processing of data is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject: Personal data may be processed by the Company provided that the balance of interests between the Company and the data subject is maintained. In this context, the Company first determines the legitimate interest it will gain from the processing activity. It evaluates the possible impact of the personal data processing on the rights and freedoms of the data subject and, if it believes that the balance has not been disturbed, carries out the processing activity.
Article 6 of the Law lists special categories of personal data in a limited manner. These are: individuals' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. The Company may process special categories of personal data by taking additional measures determined by the Personal Data Protection Board in the following cases:
Existence of explicit consent of the data subject: In cases where other data processing conditions do not exist, the special categories of personal data of the data subject may be processed by the Company in accordance with the general principles specified in Heading 3.1 and by taking additional security measures, provided that the data subject gives their consent with sufficient information about the personal data processing activity, with their free will, without hesitation, and limited to that specific transaction.
The personal data processing activity is explicitly provided for in the laws: In this case, special categories of personal data may be processed by the Company within the framework of the relevant legal regulation.
Personal data has been made public by the data subject: Personal data that has been made public by the data subject in any way and is thus open to everyone can be processed by the Company without the explicit consent of the data subjects, limited to the purpose of the public disclosure and in accordance with the will of public disclosure.
Personal data processing is mandatory because it is not possible to obtain explicit consent due to factual impossibility: The special categories of personal data of a data subject who is unable to express their consent or whose consent is not considered legally valid will be processed by the Company if the processing of special categories of personal data is mandatory for the protection of the life or physical integrity of the data subject or a third person.
Mandatory for the establishment, exercise or protection of a right: The Company may process the special categories of personal data of data subjects without their explicit consent in a situation of compulsion.
Mandatory for public health protection, preventive medicine, medical diagnosis, treatment and care services, as well as for the planning, management, and financing of health services, by persons or authorized institutions and organizations under the obligation of confidentiality: The Company may process the special categories of personal data of data subjects without their explicit consent in a situation of compulsion.
Mandatory for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance: The Company may process the special categories of personal data of data subjects without their explicit consent in a situation of compulsion.
For foundations, associations, and other non-profit organizations or unions established for political, philosophical, religious, or trade union purposes, limited to their field of activity and provided that they are not disclosed to third parties, in compliance with the legislation and their purposes: The Company may process the special categories of personal data of data subjects without their explicit consent in a situation of compulsion, when the data concerns current or former members and affiliates, or persons who have a regular relationship with these organizations and unions.
The Company may transfer personal data domestically or abroad in accordance with Articles 8 and 9 of the Law and additional regulations determined by the Personal Data Protection Board.
Transfer of personal data to third parties within the country: Your personal data may be transferred by the Company if at least one of the data processing conditions in Articles 5 and 6 of the Law, explained in Heading 3 of this Policy, exists and the main principles regarding data processing are complied with.
Transfer of personal data to third parties abroad: Personal data may be transferred abroad by our Company in accordance with Article 9 of the Law and the principles set out in this Policy, by taking technical and administrative measures as explained below.
(i) Transfer based on an adequacy decision adopted for the relevant country, international organization, or sectors within the country: Personal data may be transferred abroad by the Company if one of the conditions set forth in Articles 5 and 6 of the Law exists and there is an adequacy decision adopted by the Board for the country, international organization, or sectors within the country to which the data will be transferred. The adequacy decision is adopted by the Board and published in the Official Gazette. The Board may also seek the opinion of relevant institutions and organizations when necessary. The adequacy decision is evaluated at least every four years. As a result of the evaluation or in other cases deemed necessary, the Board may amend, suspend, or revoke the adequacy decision with prospective effect.
(ii) In the absence of an adequacy decision: Provided that one of the personal data processing conditions set forth in Articles 5 and 6 of the Law exists, and the data subject has the possibility to exercise their rights and can apply for an effective legal remedy in the country to which the data will be transferred, the data may be transferred abroad by the Company if one of the following appropriate safeguards is provided by the parties:
If there is a non-international contract concluded between public institutions and organizations or international organizations in a foreign country and public institutions and organizations or professional organizations with the status of a public institution in Turkey, and the Board authorizes this transfer, the data may be transferred abroad by the Company.
If there are binding corporate rules that include provisions on the protection of personal data within a group of companies engaged in joint economic activity and approved by the Board, the data may be transferred abroad by the Company.
If there is a standard contract published by the Board that includes issues such as data categories, purposes of data transfer, data recipients and recipient groups, technical and administrative measures to be taken by the data recipient, and additional measures taken for special categories of personal data, and the Board is informed about this standard contract within the legal period, the data may be transferred abroad by the Company.
If there is a written undertaking that includes provisions to provide appropriate protection and the Board authorizes this transfer, the data may be transferred abroad by the Company.
(iii) Transfer based on exceptional circumstances: In the absence of an adequacy decision and if one of the appropriate safeguards cannot be provided, personal data may be transferred abroad by the Company on an exceptional basis if one of the following circumstances exists:
The data subject gives explicit consent to the transfer, provided that they have been informed about the possible risks.
The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken at the request of the data subject.
The transfer is mandatory for the establishment or performance of a contract to be concluded between the data controller and another natural or legal person in favor of the data subject.
The transfer is mandatory for a superior public interest.
The transfer of personal data is mandatory for the establishment, exercise, or protection of a right.
The transfer of personal data is mandatory for the protection of the life or physical integrity of
The transfer is made from a public or open register to persons with a legitimate interest, provided that the conditions required for access to the register in the relevant legislation are met and the transfer is requested by the person with a legitimate interest.
Within the framework of the general data processing principles and conditions in Articles 8 and 9 of the Law, the Company may transfer data to the parties categorized in the table below:
| RECIPIENT CATEGORIES | SCOPE | PURPOSE OF TRANSFER |
| Business Partner | Parties with whom the Company has established a business partnership within the framework of contractual relationships during its commercial activities. | Sharing personal data limited to the purpose of fulfilling the business partnership objectives. |
| Supplier | Parties that provide services based on the instructions received from the Company and the contract between them, to ensure the continuity of the Company's commercial activities. | Transfer limited to the receipt of services provided by the supplier. |
| Subsidiary | Companies that are subsidiaries of the Company. | Transfer of personal data limited to the execution of commercial activities that require the participation of the subsidiaries. |
| Legally Authorized Public Institution | Public institutions and organizations that are legally authorized to request information and documents from the Company. | Sharing personal data limited to the purpose of the information request of the relevant public institutions and organizations. |
| Legally Authorized Private Institution | Private legal entities that are legally authorized to request information and documents from the Company. | Data sharing limited to the purpose requested by the relevant private legal entities within the scope of their legal authority. |
According to Article 10 of the Law, data subjects must be informed about the processing of personal data before or at the latest at the time of processing.
Based on the above-mentioned article, the Company, as the data controller, has established the necessary internal structure to ensure that data subjects are informed in every case of personal data processing activity.
In this context;
For the purpose of processing your personal data, refer to Section 2.2. of the Policy.
For the parties to which your personal data are transferred and the purpose of the transfer, refer to Section 4 of the Policy.
To review the conditions for the processing of your personal data that can be collected through various channels in physical or electronic environments, refer to Sections 3.2 and 3.3. of the Policy.
We would like to inform you that as a data subject, you have the following rights under Article 11 of the Law:
To learn whether your personal data is being processed,
To request information if your personal data has been processed,
To learn the purpose of processing your personal data and whether it is used in accordance with its purpose,
To know the third parties to whom your personal data is transferred domestically or abroad,
To request the correction of your personal data if it is incomplete or incorrectly processed, and to request that this procedure be notified to third parties to whom your personal data has been transferred,
To request the deletion or destruction of your personal data if the reasons for its processing have disappeared, despite being processed in accordance with the Law and other relevant legislation, and to request that this procedure be notified to third parties to whom your personal data has been transferred,
To object to an outcome against you that arises from the analysis of the processed data exclusively through automatic systems,
To demand compensation for damages if you have suffered damage due to the unlawful processing of your personal data.
You can send your requests regarding your above-mentioned rights to our Company by filling out the Garenta Transportation Solutions Inc. Data Subject Application Form, which you can obtain from the Company's website.
Your requests will be processed free of charge as soon as possible and at the latest within thirty days; however, if the operation requires an additional cost, you may be charged a fee in accordance with the tariff determined by the Personal Data Protection Board. The Company, during the evaluation of the applications, first determines whether the applicant is indeed the rights holder.
In addition, the Company may request detailed and additional information if it deems it necessary to better understand the request. Responses to the requests of data subjects are given in writing or electronically.
In case of rejection of the request, the reasons for the rejection will be explained to the data subject.
If the reasons for processing personal data processed in accordance with the Law and other relevant legislation have disappeared, the personal data will be deleted, destroyed, or anonymized by the Company, ex officio or upon the request of the data subject, in accordance with the instructions published by the Board.
According to Article 28 of the Law, since the following cases are not included in the scope of the Law, data subjects cannot exercise their rights regarding the following matters:
(1) Processing of personal data by natural persons exclusively within the scope of activities related to themselves or their family members living in the same house, provided that they are not given to third parties and compliance with data security obligations is ensured.
(2) Processing of personal data for purposes such as official statistics, research, planning, and statistics, by anonymizing them.
(3) Processing of personal data for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided that it does not harm national defense, national security, public safety, public order, economic security, the confidentiality of private life, or personal rights and does not constitute a crime.
(4) Processing of personal data within the scope of preventive, protective, and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order, or economic security.
(5) Processing of personal data by judicial or enforcement authorities in connection with investigation, prosecution, judgment, or enforcement proceedings.
In accordance with and in proportion to the purpose and fundamental principles of this Law, the data controller's obligation to inform and the data subject's rights regulated in Articles 10 and 11 of the Law, with the exception of the right to demand compensation for damages, are not applied in the following cases:
(1) The processing of personal data is mandatory for the prevention of a crime or for a criminal investigation.
(2) The personal data has been made public by the data subject themselves.
(3) The processing of personal data is mandatory for the execution of audit or regulation obligations or a disciplinary investigation or prosecution by public institutions and organizations authorized by law or professional organizations with the status of a public institution.
(4) The processing of personal data is mandatory for the protection of the economic and financial interests of the State regarding budget, tax, and financial matters.
Our Company takes all necessary technical and administrative measures to ensure the level of security in accordance with Article 12 of the Law.
In this context, our Company takes all necessary (i) administrative and (ii) technical measures, (iii) establishes an internal audit system within the company, and (iv) acts in accordance with the measures stipulated in the Law in case of unlawful disclosure of personal data.
It educates and ensures that Company employees are aware of the right to personal data protection.
Necessary provisions regarding the prevention of unlawful processing of personal data, the prevention of unlawful access to data, and the lawful storage of data are added to the contracts concluded with the persons to whom personal data are legally transferred and with the third parties from whom technical services are received for the storage of personal data, and their compliance with these measures in their own organizations is ensured.
The personal data processing activities carried out by our Company are examined in detail, and in this context, the steps to be taken to ensure compliance with the personal data processing conditions stipulated in the Law are determined.
The practices to be fulfilled to ensure compliance with the Law are determined and regulated by internal policies.
Our Company takes technical measures in line with technological developments regarding the protection of personal data, and the measures taken are updated and renewed in parallel with the developments.
Expert personnel are employed for technical matters.
Regular audits are carried out for the implementation of the measures taken.
Software and systems to ensure security are installed.
Access authority to personal data processed in our Company is limited to the relevant employees in accordance with the determined processing purpose.
In accordance with Article 12 of the Law, the Company audits the functionality of the technical and administrative measures taken within the framework of personal data protection and security and implements practices that will ensure the continuity of the function. The results of this audit are reported to the relevant department within the company's internal operations, and necessary activities are carried out to improve all measures taken.
If personal data processed in accordance with the Law and relevant legislation are obtained unlawfully by others, the Company will inform the Personal Data Protection Board and the relevant data subjects without delay, in accordance with Article 12, paragraph 5 of the Law.
| DEFINITION | |
| Explicit Consent | Consent given with free will with sufficient information about a specific matter. |
| Anonymization | Making personal data impossible to associate with an identified or identifiable natural person, even by matching it with other data. |
| Employee | Natural persons working at the Company. |
| Job Applicant | Natural persons who do not work at the Company but have the status of a job applicant at the Company through various means. |
| Personal Health Data | Any health data related to an identified or identifiable natural person. |
| Personal Data | Any information related to an identified or identifiable natural person. |
| Data Subject | The natural person whose personal data is processed. |
| Processing of Personal Data | Any operation performed upon personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, acquisition, making available, classification or blocking its use, wholly or partly by automatic means or as part of a data recording system by non-automatic means. |
| Law | The Law on the Protection of Personal Data No. 6698, published in the Official Gazette No. 29677 on April 7, 2016. |
| Special Categories of Personal Data | Personal data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, membership in associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. |
| Policy | Garenta Transportation Solutions Inc. Personal Data Processing and Protection Policy. |
| Company | Garenta Transportation Solutions Inc. |
| Business Partners | Persons with whom the Company has established a partnership within the framework of contractual relationships during its commercial activities. |
| Data Subject | The natural person whose personal data is processed. |
| Data Processor | The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. |
| Data Controller | The person who determines the purposes and means of personal data processing and manages the location where the data is systematically stored. |