top of page

Personal Data Protection and Processing Policy

I. DATA PRIVACY COMMITMENT

1.1. While this Personal Data Protection and Processing Policy (“Policy”), Asnak Lojistik Teknolojileri Anonim Şirketi (the “Company”) fulfills its obligations to protect personal data in accordance with the provisions of the relevant legislation, in particular the Law on the Protection of Personal Data No. 6698 (“KVKK”). and determines the principles to be followed within the Company and/or by the Company when processing personal data.

1.2. The Company undertakes to act in accordance with this Policy and the procedures to be applied in accordance with the Policy in terms of personal data within its own body.

II. PURPOSE OF THE POLICY

The main purpose of this Policy is to make explanations regarding the personal data processing activities carried out by the Company in accordance with the law and the systems adopted for the protection of personal data, and to protect personal data, which is a constitutional right, by informing the identified and/or identifiable natural persons whose personal data are processed by the Company. to ensure transparency.

III. SCOPE OF THE POLICY

3.1. This Policy is implemented in the activities carried out for the processing and protection of all personal data managed by the Company.

3.2. This Policy; All personal data belonging to third parties, which are processed automatically by the Company or by non-automatic means, provided that it is a part of any data recording system, especially of our employee candidates, employees, partners, officials, visitors, officials and/or employees of the institutions and organizations we cooperate with. is related.

3.3. This Policy does not apply to data that does not qualify as personal data.

3.4. This Policy may be amended from time to time with the approval of the Company's Board of Directors, if required by personal data protection legislation or when deemed necessary by the Company's Data Controller or the Committee.

IV. DEFINITIONS

The definitions in this Policy have the following meanings;

“Explicit Consent” means the consent expressed by the data owner/relevant person on the basis of being informed about the processing of their personal data and with free will.

“Constitution” The Constitution of the Republic of Turkey, dated 7 November 1982 and numbered 2709, published in the Official Gazette dated 9 November 1982 and numbered 17863

“Employee Candidate” refers to real persons who have applied for a job to the Company by any means or have opened their CV and related information to the Company's review.

“Employees and Officials of the Institutions with which we are in Cooperation” means the employees of the institutions and organizations with which the Company has all kinds of relations, and the authorities of these institutions and organizations.

“Destruction” refers to the deletion, destruction or anonymization of personal data.

“Recording Medium” refers to any recording medium containing personal data that is fully or partially automated or processed by non-automatic means, provided that it is a part of any data recording system.

“Personal Data(s)” means any information relating to an identified or identifiable natural person (within the scope of this Policy,  The term “Personal Data” is defined below as appropriate _cc781905-5cde-3194-bb3b- 136bad5cf58d_“Special Quality Personal Data”).

“Personal Data Inventory” means the personal data processing activities carried out by the Company in connection with its business processes; It refers to the inventory, which is created by associating personal data processing purposes, data category, transferred recipient group and data subject group, by detailing the maximum time required for the purposes for which personal data is processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.

"Personal Data Processing" - Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available the Personal Data by fully or partially automatic or non-automatic means provided that it is a part of any data recording system refers to any operation performed on data, such as classifying or preventing its use. 

“Anonymization of Personal Data” means that personal data cannot be associated with an identified or identifiable natural person in any way, even if it is matched with other data.

“Deletion of Personal Data” means the process of making personal data inaccessible and unusable for the relevant users in any way.

“Destruction of Personal Data” means the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way.

“Committee” means the committee responsible for the implementation of this Policy and the procedures to be applied in accordance with the Policy.

“Board” means the Personal Data Protection Board.

“Institution” means the Personal Data Protection Authority.

“KVK Regulations” The Law No. 6698 on the Protection of Personal Data and other relevant legislation on the protection of personal data, binding decisions, policy decisions, provisions, instructions and applicable international agreements on data protection and all other applicable laws and regulations issued by regulatory and supervisory authorities, courts and other official authorities. means any kind of legislation.

“KVK Procedures” refers to the procedures approved by the Company's board of directors and determining the obligations that the Company, employees, committee and data controller must comply with within the scope of this Policy.

“Special Quality Personal Data” refers to the data about the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures. refers to biometric and genetic data.

“Periodic Destruction” means the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals in case all personal data processing conditions disappear.

“Data Processor” refers to the natural or legal person who processes personal data within the organization of the data controller or in line with the authorization and instruction received from the data controller.

“Data Owner/Relevant Person” means all natural persons whose personal data are processed by or on behalf of the Company. “Data Controller” refers to the natural or legal person who processes personal data by specifying the processing purposes and ways of processing, and who is responsible for establishing and managing the data recording system.

“Data Controller Officer” refers to the employee selected from the Committee, who manages the Company's relations with the Personal Data Protection Authority and is appointed by the decision of the board of directors.

“Visitor” refers to natural persons who have entered and/or visited the physical premises of the Company for various purposes.

V. PROTECTION OF PERSONAL DATA

In accordance with Article 20 of the Constitution, everyone has the right to demand the protection of their Personal Data. With this Policy, the Company; In accordance with Article 12 of the KVKK, it takes the necessary administrative and technical measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data, and to carry out the necessary inspections and have them done. The main measures taken by the Company regarding "data security" in accordance with Article 12 of the KVKK are listed below.

By analyzing the personal data processed by the company, the risks that may arise regarding the protection of this data are determined.

All activities carried out by the company have been analyzed in detail by all business units and departments, and as a result of this analysis, a personal data inventory has been created.

Personal data processing activities carried out by the company are audited by information security systems, technical systems and legal methods.

Company employees are informed that the personal data they learn will not be disclosed to others in violation of the provisions of the KVKK and relevant legislation and will not be used for purposes other than processing, and that this obligation will continue after they leave their duties, and necessary commitments are taken from them in this direction.

The company has added provisions regarding confidentiality and data security in the employment contracts to be signed during the recruitment processes of its employees, and within this scope, employees are constantly informed about the measures to be taken within the scope of personal data protection law and relevant legislation, and their awareness is increased. In addition, the violation of the KVKK by the employees has been added to the Company's disciplinary procedures as a separate item.

Suppliers, service providers, subcontractors and other third party business partners with whom the Company has relations are informed about the personal data protection law and taking necessary measures in accordance with this law, and these issues are contractually charged.

The contracts concluded by the Company were examined in terms of KVKK and necessary revisions and additions were made.

Necessary audits are/are carried out by the Company in order to ensure continuity in the protection of personal data and taking the necessary measures in accordance with this law, and the result of this audit is reported to the Data Committee and/or the Data Controller. According to the report results, the missing points are changed and/or improved by the Data Committee and/or the Data Controller.

Necessary technical measures are taken by the Company to ensure the protection of personal data and are regularly reported to the person concerned. After reviewing the report, the relevant people work to produce the necessary technological solutions.

The company uses software with virus protection systems and firewalls and installs backup programs for the safe keeping of personal data.

The personal data stored in the Electronic Recording Environment are limited to the access of the relevant users, and the authorizations are reviewed regularly. Files stored in the Physical Recording Environment are kept in locked archive cabinets within the Company and then destroyed according to the determined procedures.

In the event that the personal data processed by the Company in accordance with the law is obtained by others illegally and the data security is violated, a data breach response plan has been prepared, which stipulates that this situation is reported to the Data Owner and the Board as soon as possible.

5.1. Protection of Private Personal Data

Special Quality Personal Data, due to the risk of causing victimization and discrimination of individuals when processed unlawfully, is given special importance in accordance with the KVKK and is carefully and carefully protected by the Company. The Company carries out the necessary activities to ensure the security of Special Quality Personal Data and takes the necessary technical and administrative measures in order to comply with the legal requirements and the adequate measures specified by the Board in order to ensure that these data are processed in accordance with the KVKK Regulations.

VI. PRINCIPLES OF PERSONAL DATA PROCESSING

The company, pursuant to Article 4 of the KVKK; Processes personal data in accordance with the law and honesty rules regarding the processing of personal data, accurately and, when necessary, for current, specific, clear and legitimate purposes, in connection with the purpose, in a limited and measured manner:

6.1. Processing of Personal Data in Compliance with Law and Integrity Rules

Personal Data is processed by the Company in accordance with the law and the rules of honesty and on the basis of proportionality. In this context, the Company does not use personal data other than for the purpose for which it is processed, taking into account the proportionality requirements in the processing of personal data.

6.2. Taking Necessary Precautions to Keep Personal Data Accurate and Up-to-Date When Necessary

In order for the Personal Data to be complete, accurate and up-to-date, the Company takes the necessary measures, taking into account the fundamental rights of the personal data owners and their own legitimate interests, and updates the relevant Personal Data in case the Data Owner requests a change in the Personal Data.

6.3. Processing of Personal Data for Specific, Legitimate and Clear Purposes

Before the Personal Data is processed, the purpose for which the Personal Data will be processed is determined by the Company. The Company processes Personal Data as much as is necessary for and in connection with the service it provides. In this context, the Data Owner is informed within the scope of KVK Regulations and Explicit Consent is obtained when necessary.

6.4. Personal Data Being Related to the Purpose for which they are Processed, Limited and Measured

The Company processes Personal Data only in exceptional cases within the scope of KVK Regulations (Articles 5.2 and 6.3 of the KVKK) or for the purpose within the scope of the Explicit Consent from the Data Owner (Article 5.1 and Article 6.2 of the KVKK) and in accordance with the principle of proportionality. The Company avoids the processing of Personal Data that is not related to the realization of the purpose and is not needed.

6.5. Retention of Personal Data as Necessary and Deletion Afterward

6.5.1. The Company retains Personal Data for as long as required by the relevant legislation or for the purpose for which they are processed. If the Company wishes to retain Personal Data for a longer period than required by the relevant legislation or the purpose of Personal Data Processing, the Company acts in accordance with the obligations set forth in the KVK Regulations.

6.5.2. Personal Data is deleted, destroyed or anonymized after the period required for the purpose of Personal Data Processing has expired. In this case, the third parties to whom the Company transfers Personal Data are also provided to delete, destroy or anonymize the Personal Data.

6.5.3. The Data Controller and the Committee are responsible for the operation of the processes of Deletion, Destruction and Anonymization of Personal Data. In this context, the necessary procedure is established by the Data Controller and the Committee.

VII. PROCESSING PERSONAL DATA

Personal Data can only be processed by the Company in accordance with Articles 5 and 6 of the KVKK, within the scope of the procedures and principles set forth below.

7.1. Open Consent

7.1.1. Personal Data is processed after the notification to be made within the framework of fulfillment of the Information Obligation to the Data Owner and if the Data Owner gives Explicit Consent.

7.1.2. Before the Explicit Consent is obtained within the framework of the Disclosure Obligation, the Data Owner is informed of their rights.

7.1.3. The Explicit Consent of the Data Owner is obtained in accordance with the KVK Regulations. Explicit Consent is provably retained by the Company for the required period of time within the scope of KVK Regulations.

7.1.4. The Data Controller and the Committee are obliged to ensure that the Disclosure Obligation is fulfilled in terms of all Personal Data Processing processes and that Explicit Consent is obtained and retained when necessary. All department employees that Process Personal Data are obliged to comply with the instructions of the Data Controller Representative and the Committee, this Policy and the KVK Procedures annexed to this Policy.

7.2. Processing of Personal Data without Explicit Consent

7.2.1. In cases where the Processing of Personal Data is foreseen without the Explicit Consent within the scope of the KVK Regulations (Article 5.2 and Article 7.3 of the KVKK), the Company may process the Personal Data without applying the Explicit Consent of the Data Owner. In case the Personal Data is processed in this way, the Company processes the Personal Data within the limits set by the KVK Regulations.

In this context:

7.2.1.1. Personal Data may be processed by the Company without Explicit Consent in order to protect the life or physical integrity of the Data Owner and/or a person other than the Data Owner, who is unable to express his or her consent due to actual impossibility or whose consent is not legally valid.

7.2.1.2. If the conditions are directly related to the establishment, implementation, performance or termination of a contract, the Personal Data of the parties to the contract may be processed by the Company without the Explicit Consent of the Data Owner.

7.2.1.3. If the Processing of Personal Data is mandatory for the Company to fulfill its legal obligation, Personal Data may be processed by the Company without the Explicit Consent of the Data Owner.

7.2.1.4. Personal Data made public by the Data Owner may be processed by the Company for the purpose of making it public, without obtaining the Explicit Consent as a limit.

7.2.1.5. If the processing of Personal Data without express consent is the only possible way for the establishment, exercise or protection of a right, Personal Data may be processed by the Company within the knowledge of the Data Controller without obtaining Explicit Consent.

7.2.1.6. Provided that it does not harm the fundamental rights and freedoms of the Data Owner, Personal Data may be processed by the Company without Explicit Consent, if data processing is necessary for the Company's legitimate interests.

VIII. PROCESSING OF SPECIAL QUALITY PERSONAL DATA

8.1. Special Quality Personal Data can only be processed if the Explicit Consent of the Data Owner is available or if it is expressly required by law in terms of Sensitive Personal Data other than sexual life and personal health data.

8.2. Personal Data related to health and sexual life can only be processed without express consent for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. Therefore, until otherwise stipulated in the KVK Regulations, personal health data and sexual life data can only be processed by the Company physician, who is under the scope of Explicit Consent or under the obligation to keep secrets.

8.3. Adequate precautions determined by the Board are taken while Processing Special Quality Personal Data.

8.4. In any case that requires the Processing of Special Quality Personal Data, the Data Controller is informed by the relevant employee.

8.5. If it is not clear whether a data is Special Quality Personal Data or not, the opinion of the Data Controller is taken by the relevant department.

IX. DELETING, DESTROYING AND ANNOUNCEMENT OF PERSONAL DATA

9.1. Although the personal data has been processed in accordance with the provisions of the relevant law in line with the regulation of Article 138 of the Turkish Penal Code No. 5237 and Article 7 of the KVKK, in case the reasons requiring processing are eliminated, by the Company ex officio and/or the Data Owner in this direction. In case of a request, the relevant Personal Data is deleted, destroyed or anonymized. Situations where Personal Data needs to be deleted, destroyed or anonymized are followed up by the Data Controller and the Committee.

9.2. In cases where the Company has the right and/or obligation to preserve personal data in accordance with the provisions of the relevant legislation, the right not to fulfill the Data Owner's request is reserved.

9.3. The Data Controller and the Committee are responsible for the operation of the Deletion, Destruction and Anonymization processes. In this context, the necessary procedure is established by the Data Controller and the Committee.

9.4. The Company does not store Personal Data considering the possibility of its use in the future.

X. TRANSFERRING PERSONAL DATA AND PROCESSING PERSONAL DATA BY THIRD PARTIES

The Company may transfer Personal Data to a third natural or legal person (“Service Provider”) in accordance with the KVK Regulations. In this case, the Company ensures that the third parties to which it transfers Personal Data also comply with this Policy. In this context, necessary protective regulations are added to the contracts concluded with the third party. The item to be added to the contracts concluded with third parties to whom all kinds of Personal Data are transferred is obtained from the Data Controller. Each employee is obliged to go through the process in this Policy in case of Personal Data transfer. In the event that the third party to whom Personal Data is transferred requests a change in the item conveyed by the Data Controller, the employee immediately notifies the Data Controller of the situation.

10.1. Transfer of Personal Data to Third Parties in Turkey

10.1.1. Personal Data may be transferred by the Company to third parties in Turkey, without the express consent of the Data Owner in exceptional cases specified in Article 5.2 and Article 6.3 of the KVKK, or on the condition of obtaining the Explicit Consent of the Data Owner in other cases (Article 5.1 and Article 6.2 of the KVKK).

10.1.2. Company employees and Data Controller are jointly responsible for ensuring that the transfer of Personal Data to third parties in Turkey complies with the KVK Regulations.

10.2. Transfer to Third Parties Located Abroad

10.2.1. Personal Data may be transferred by the Company to third parties abroad, without Explicit Consent in exceptional cases specified in Article 5.2 and Article 6.3 of the KVKK, or on the condition of obtaining the Explicit Consent of the Data Subject in other cases (Article 5.1 and Article 6.2 of the KVKK).

10.2.2. In case the Personal Data is transferred without express consent in accordance with the KVK Regulations, one of the following conditions must also exist in terms of the foreign country to which it will be transferred:

➢ The foreign country to which the Personal Data is transferred has the status of countries with adequate protection by the Board (for the list, please follow the current list of the Board),

➢ If the foreign country where the transfer will take place is not included in the safe countries list of the Board, the Company and the Data Controllers in the relevant country make a written commitment to ensure adequate protection and obtain permission from the Board. 9.2.3. Company employees and Data Controller are jointly responsible for ensuring that the transfer of Personal Data to third parties abroad complies with the KVK Regulations.

XI. LIGHTING OBLIGATION OF THE COMPANY

11.1. The Company informs the Data Owner prior to the Processing of Personal Data in accordance with Article 10 of the KVKK. In this context, the Company fulfills its Disclosure Obligation during the acquisition of Personal Data. The notification to be made to the Data Owner within the scope of the Disclosure Obligation includes the following elements, respectively:

11.1.1. Identity of the Data Controller and his representative, if any,

11.1.2. For what purpose the Personal Data will be processed,

11.1.3. To whom and for what purpose the Processed Personal Data can be transferred,

11.1.4. Method and legal reason for collecting Personal Data,

11.1.5. Rights of Data Subjects.

11.2. In accordance with Article 20 of the Constitution of the Republic of Turkey and Article 11 of the KVKK, the Company provides the necessary information in case the Data Owner requests information.

11.3. If requested by the Data Owner, the Company notifies the Data Owner of the Personal Data processed by the Data Owner.

11.4. The employee who follows the relevant process and the Data Controller are jointly responsible for ensuring that the required Disclosure Obligation is fulfilled before the Processing of Personal Data. In this context, the necessary KVK Procedure is created by the Data Controller and the Committee in order to report each new processing process to the Data Controller.

11.5. In case the Data Processor is a third party other than the Company, the third party must be committed before starting Personal Data Processing with a written contract that the third party will act in accordance with the obligations stated above. In cases where third parties transfer Personal Data to the Company, the item to be added to the contracts is obtained from the Data Controller. Each employee is obliged to go through the process in this Policy in case Personal Data is transferred to the Company by a third party. In case the third party transferring the Personal Data requests a change in the item conveyed by the Data Controller, the employee immediately notifies the Data Controller to the Data Controller.

XII. RIGHTS OF THE DATA SUBJECT

12.1. The Company responds to the below-mentioned requests of the Data Owner, whose Personal Data it holds, in accordance with the KVK Regulations:

12.1.1. Learning whether Personal Data is processed by the company,

12.1.2. Requesting information regarding the processing of Personal Data,

12.1.3. Learning the purpose of processing Personal Data and whether they are used in accordance with its purpose,

12.1.4. Knowing the third parties to whom Personal Data is transferred in the country or abroad,

12.1.5. Requesting correction of Personal Data in case of incomplete or incorrect processing by the Company,

12.1.6. Requesting the Deletion, Destruction or Anonymization of Personal Data by the Company in case the reasons requiring the processing of Personal Data are eliminated, in order to be evaluated within the principles of purpose, duration and legitimacy,

12.1.7. 12.1.5 and 12.1.6. Requesting notification of the transactions made within the scope of the articles to the third parties to whom the personal data has been transferred,

12.1.8. Objecting to this result in case a result against the Data Subject arises in case the processed Personal Data is analyzed exclusively through automated systems,

12.1.9. Requesting the compensation of the damage in case the Personal Data is processed unlawfully and the Owner suffers damage due to this reason.

In cases where the Data Owner wishes to exercise his rights and/or thinks that the Company does not act within the scope of this Policy while processing Personal Data, he/she may submit his/her requests with secure electronic signature to the e-mail address given below and which may change from time to time, or to the following and It can be delivered by hand with documents identifying their identity and a petition with a wet signature to the postal address, which may change from time to time, or send it through a notary public.

Data Supervisor: Asnak Logistics Technologies Joint Stock Company

Email : info@asnak.com

Postal Address: Nidakule Ataşehir Kuzey Barbaros Mahallesi Begonya Sokak No: 3 Kat: 20 34746 Ataşehir / İSTANBUL

12.2. In case the Data Owner submits their requests regarding the rights listed above to the Company in writing, the Company concludes the request free of charge within thirty days at the latest, depending on the nature of the request. In the event that a separate cost arises for the conclusion of the requests by the Data Controller, the fees in the tariff determined by the Personal Data Protection Board may be requested by the Data Controller. The Data Controller accepts the request or rejects it by explaining its reason and notifies the relevant person in writing or electronically. If the request in the application is accepted, the data controller fulfills its requirements. If the application is due to the fault of the Data Controller, the fee will be returned to the relevant person.

XIII. DATA MANAGEMENT AND SECURITY

13.1. The Company appoints a Data Supervisor and forms a Committee to fulfill its obligations under the KVK Regulations, to ensure and supervise the implementation of the KVK Procedures required for the implementation of this Policy, and to make recommendations regarding their operation.

13.2. All employees involved in the relevant process are jointly and severally responsible for the protection of Personal Data in accordance with this Policy and KVK Procedures.

13.3. Personal Data Processing activities are audited by the Company with technical systems according to technological possibilities and application cost.

13.4. Personnel knowledgeable in technical matters related to Personal Data Processing activities are employed.

13.5. Company employees are informed and trained about the protection and legal processing of Personal Data.

13.6. The necessary KVK Procedure is established in order to ensure that the employees who need access to Personal Data in the company have access to the said Personal Data, and the Data Controller and the Committee are jointly responsible for its creation and implementation.

13.7. Company employees can access Personal Data only within the authorization defined for them and in accordance with the relevant KVK Procedure. Any access and processing done by the employee in excess of his/her authority is against the law and is a reason for termination of the employment contract with just cause.

13.8. If the company suspects that the security of the Personal Data of the employee is not adequately ensured or detects such a security gap, it immediately notifies the Data Controller of the situation.

13.9. Detailed KVK Procedure for the security of Personal Data is created by the Data Controller and the Committee.

13.10. Each person assigned a Company device is responsible for the security of the devices allocated to his/her own use.

13.11. Each Company employee or person working within the Company is responsible for the security of the physical files within their area of responsibility.

13.12. In the event that there are security measures requested or to be requested additionally for the security of Personal Data within the scope of KVK Regulations, all employees are obliged to comply with additional security measures and to ensure the continuity of these security measures.

13.13. Software and hardware including virus protection systems and firewalls are installed in accordance with technological developments in order to keep Personal Data in secure environments at the Company.

13.14. The Company uses backup programs and takes adequate security measures to prevent the loss or damage of Personal Data.

13.15. Documents containing Personal Data at the Company are protected by encrypted (encrypted) systems. In this context, Personal Data is not stored in common areas and on the desktop. Files and folders containing Personal Data, etc. documents are not moved to the desktop or public folder, without the prior written consent of the Data Controller Representative, the information on the Company computers can be transferred to USB, etc. It cannot be transferred to another device, cannot be taken out of the Company.

13.16. The Committee, together with the Board of Directors, takes technical and administrative measures for the protection of all Personal Data in the Company, constantly monitors the developments and administrative activities, prepares the necessary KVK Procedures and submits them to the approval of the Board of Directors, then announces them within the Company and ensures that they are complied with. and is responsible for oversight. In this context, the Committee and the Data Controller organize the necessary trainings to increase the awareness of the employees.

13.17. If a department within the company processes Sensitive Personal Data, this department is informed by the Committee about the importance, security and confidentiality of the Personal Data they process and the relevant department acts in accordance with the Committee's instructions. Only limited employees are authorized to access Sensitive Personal Data and their list and follow-up are done by the Committee.

13.18. All of the Personal Data processed within the Company are considered as “Confidential Information” by the Company.

13.19. Company employees have been informed that their obligations regarding the security and confidentiality of Personal Data will continue after the termination of the business relationship, and a commitment has been received from the Company employees to comply with these rules.

XVI. EDUCATION

14.1. The Company provides its employees with the necessary training on the protection of Personal Data within the scope of the Policy and the KVK Procedures in its annex and the KVKK Regulations.

14.2. In the trainings, the definitions and protection of Special Quality Personal Data are especially mentioned.

14.3. If the Company employee accesses Personal Data physically or on a computer, the Company provides training to the relevant employee regarding these accesses (for example, the accessed computer program).

XV. AUDIT

The Company has the right to regularly and ex officio audit that all employees, departments and contractors of the Company act in compliance with this Policy and KVK Regulations, without any prior notice, and performs the necessary routine audits in this context. The Committee and the Data Controller creates the KVK Procedure regarding these audits, submits it to the approval of the Board of Directors and ensures the implementation of the aforementioned procedure.

XVI. VIOLATIONS

16.1. Each employee of the Company reports to the Committee any business, transaction or action that he or she considers to be contrary to the procedures and principles set forth in the KVK Regulations and this Policy. In this context, the Committee creates an “Incident Response Plan” for the relevant violation in accordance with this Policy and KVK Procedures.

16.2. As a result of the notifications made, the Committee prepares the notification to be made to the Owner or the Institution regarding the violation, taking into account the provisions of the applicable legislation on the subject, especially the KVK Regulations. The Data Controller carries out the correspondence and communication with the Authority.

XVII. RESPONSIBILITIES

Responsibilities within the company are respectively employee, department and Data Supervisor. In this context; The Committee responsible for the implementation of the Policy and the Data Controller are appointed by the company's board of directors with the decision of the board of directors, and changes are made in this context, again in the aforementioned way.

XVIII. CHANGES TO THE POLICY

18.1. This Policy may be changed by the Company from time to time with the approval of the Board of Directors.

18.2. The Company shares the updated Policy text with its employees via e-mail so that the changes it has made on the Policy can be reviewed, or makes it available to the employees and the Data Owner via the web address below.

Related web address: www.asnak.com

XIX. EFFECTIVE DATE OF THE POLICY

This version of this Policy has been approved by the Company's Board of Directors on [.].[.].2020 and entered into force.

Asnak Logistics Technologies Joint Stock Company

Last Update 25.10.2021

bottom of page