TABLE OF CONTENTS

I. PREAMBLE

II. OBJECTIVE

III. PRINCIPLES FOR PROCESSING OF PERSONAL DATA

1. Performing personal data processing in compliance with the Law and the Rule of Integrity

2. Ensuring that personal data are correct and updated when needed

3. Processing for specific, clear and legitimate purposes

4. Ensuring that personal data are related, limited and proportionate to the purposes for which they are processed

5. Ensuring that personal data are kept for the time period provided for in the relevant legislation or for the purposes for which they are processed

6. Ensuring that personal data processing is carried out in compliance with all the Basic Principles of Article 4 of the Law based on one or more than one of the Personal Data Processing Requirements as specified in Article 5 of the Law

7. Personal data transfer requirements

IV. REQUIREMENTS FOR PROCESSING OF PERSONAL DATA

1. Identification and processing of personal data

2. Processing of special personal data

3. Transfer of personal data

4. Personal data processing activities in building entrances and network and website users

5. Deletion, disposal, anonymization of personal data

V. OBLIGATIONS OF ASYAPORT LİMAN A.Ş.

1. Obligation to disclose to personal data owner

2. Obligation to respond to applications of personal data owners

3. Obligation to ensure security of personal data

3.1. Taking technical and administrative measures to ensure that data processing is in compliance with the law

3.2. Taking technical and administrative measures to prevent unlawful access to personal data

3.3. Auditing of measures taken on the protection of personal data

3.4. Measures to be taken in case of unauthorized disclosure of personal data

4. Obligation to register with the Data Controllers Registry

VI. ORGANIZATIONAL STRUCTURE WITHIN ASYAPORT LİMAN A.Ş.

ANNEX-1 DEFINITIONS

I. PREAMBLE

With this Policy, the principles adopted and rules to be followed by ASYAPORT LİMAN A.Ş. on the collection, processing, transferring, updating and disposing of personal data within the framework of the Law No. 6698 on the Protection of Personal Data (LPPD) and the relevant international and national legislation has been determined.

II. OBJECTIVE

This Policy is intended to make disclosures about systems adopted by ASYAPORT LİMAN A.Ş. for personal data processing activity and personal data protection and in this context, to inform, in particular, our business partners, current and candidate employees, current and potential customers, company shareholders, visitors and third-parties and people whose personal data are processed by our company and thus, to achieve transparency.

III. PRINCIPLES FOR PROCESSING OF PERSONAL DATA

ASYAPORT LİMAN A.Ş. shall process personal data in accordance with the general principles and provisions provided for in the legislation in order to ensure compliance with the LPPD. In this context, ASYAPORT LİMAN A.Ş. shall act in compliance with the following principles when processing personal data in accordance with the international and national legislation related to the LPPD.

1. Performing personal data processing in compliance with the Law and the Rule of Integrity

ASYAPORT LİMAN A.Ş. shall be obliged to act in compliance with the law and the rule of integrity within the scope of personal data processing activities. In this context, proportionality requirements shall be taken into consideration and shall not be used for purposes other than processing of personal data.

2. Ensuring that personal data are correct and correct when needed

ASYAPORT LİMAN A.Ş. shall be obliged to ensure that any personal data it processes are correct and up-to-date taking into account the fundamental rights and the legitimate interests of personal data owners and to establish the necessary systems to take the necessary measures in this context.

3. Processing for specific, clear and legitimate purposes

ASYAPORT LİMAN A.Ş. is obliged to determine the purposes for which personal data will be processed and to disclose these purposes to data owners before the personal data are processed. Personal data shall not be processed except for legitimate and lawful purposes specified.

4. Being related, limited and proportionate to the purposes of processing

ASYAPORT LİMAN A.Ş. shall process personal data in a manner appropriate to achieve the purposes specified and shall refrain from the processing of personal data that is not related to or necessary for achieving the said purposes.

5. Ensuring that personal data are kept for the time period provided for in the relevant legislation or for the purposes for which they are processed

ASYAPORT LİMAN A.Ş. shall keep personal data only for such a time period provided for in the relevant legislation and laws or as required by the purpose of personal data processing in accordance with Article 138 of the Turkish Penal Code and Articles 4 and 7 of the LPPD. ASYAPORT LİMAN A.Ş. shall first determine whether any time period is provided for in the relevant legislation for retaining of personal data and shall observe the time period if it is provided for in the relevant legislation and if no such time period provided, shall keep personal data for a time period necessary for the purposes for which they are processed. If the said time period expires or reasons for processing of personal data disappear, personal data shall be deleted, disposed or anonymized by ASYAPORT LİMAN A.Ş.

6. Ensuring that personal data processing is carried out in compliance with all the Basic Principles of Article 4 of the Law based on one or more than one of the Personal Data Processing Requirements as specified in Article 5 of the Law

As a rule, personal data shall be processed in accordance with one or more than one of the requirements specified in Article 5 of the LPPD, ASYAPORT LİMAN A.Ş. shall determine whether personal data processing activities carried out by the Company's business units are carried out based on one or more than one of these requirements, and personal data processing activities that do not meet one or more than one of these requirements shall not be included in the processes. In addition to ensuring that personal data processing activities are carried out based on one or more than one of the personal data processing requirements, all personal data processing activities shall be carried out in compliance with the principles specified in Article 4 of the LPPD and in Section III of the Policy and shall incorporate the said principles. Personal data processing activities shall be performed by observing the special provisions provided for in the LPPD on the processing and transfer to third-parties and abroad of special personal data, and personal data processing activities shall be carried out by fulfilling the special requirements required by the law in such cases in addition to those mentioned above.

IV. REQUIREMENTS FOR PROCESSING OF PERSONAL DATA

1. Identification and processing of personal data

Pursuant to the LPPD, personal data is defined as “any and all information concerning an identified or identifiable real person. The concept of personal data is not only information that defines and identifies persons such as name, surname, place of birth, date of birth, but also all physical, social, cultural, economic and psychological information of the persons.

In addition to identity information of person, any and all information that makes a person defined or identifiable, such as citizenship number, tax number, passport number, social security number, driver's license number, license plate, home address, business address, e-mail address, telephone number, fax number, resume, photograph, video, genetic details, blood group, criminal background and criminal record, are personal data and fall into the scope of the Law on the Protection of Personal Data.

According to this definition, ASYAPORT LİMAN A.Ş. business partners, employees and customers, including third-parties, shall determine whether any information they have collected are covered by the concept of personal data and shall process these data in accordance with the rules specified in the LPPD.

Processing of personal data covers all types of actions carried out on data such as obtaining personal data through means that are fully or partially automated or that are non-automated, subject to being part of any data recording system, recording, storing, maintaining, altering, rearranging, disclosing, transferring, making obtainable, classifying or preventing the use of personal data.

Pursuant to the LPPD, ASYAPORT LİMAN A.Ş. shall process personal data only with the express consents of the persons concerned. However, personal data can be processed without seeking for such express consent in the event of the existence of any of the following.

- If the processing is clearly provided for in the applicable law,

- Any circumstance that is mandatory to protect life or body integrity of any person(s) who is unable to disclose his/her consent due to actual impossibility or whose consent is not considered legally valid or any other person,

- If the processing of personal data of contracting parties is necessary, provided that the processing is directly related to the execution or performance of a contract,

- In circumstances where it is mandatory for the data controller to fulfil his/her legal obligation,

- Making of personal data public by the relevant person,

- If the processing is compulsory in order to establish, exercise or protect a right,

- If the processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the person concerned are not damaged.

2. Processing of special personal data

Certain personal data are considered as special data within the scope of the Law, and ASYAPORT LİMAN A.Ş. shall not process such data without the express consent of the person concerned or without the presence of the exceptions set out in paragraph three of Article 6 of the Law. Express consent refers to obtaining a detailed consent from the person whose personal data will be collected after making a disclosure to the said person about the purposes for which the data are collected.

The LPPD considers data on a person's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, costume and attire, membership to any association, foundation or trade union, health, sexual life, criminal conviction and security measures as special data.

When processing personal data, ASYAPORT LİMAN A.Ş. shall also take adequate measures as specified by the Personal Data Protection Board.

3. Transfer of personal data

ASYAPORT LİMAN A.Ş. shall be able to transfer personal data to third-parties with the express consent of the relevant data owner for legitimate personal data processing purposes, provided that ASYAPORT LİMAN A.Ş. takes the necessary security measures. However, ASYAPORT LİMAN A.Ş. shall be able to transfer data which can be processed without express consent and data on health and sexual life to third-parties without express consent, subject to compliance with the limitations provided for in the LPPD.

ASYAPORT LİMAN A.Ş. shall take the necessary administrative and technical measures in order to transfer any data it will transfer without express consent in accordance with the limitations in the LPPD.

ASYAPORT LİMAN A.Ş. shall be able to transfer personal data to countries which have been declared to have adequate protection by the Personal Data Protection Board or if no such protection exists, to countries which the data controllers in Türkiye and in the relevant countries have committed an adequate protection in writing and to which the Personal Data Protection Board has permitted such transfer.

4. Personal data processing activities in building entrances and network and website users

ASYAPORT LİMAN A.Ş. process personal data for the purposes of monitoring through surveillance cameras and follow-up of visitor entrance/exit in the building and facilities of ASYAPORT LİMAN A.Ş. in order to provide security.

The personal data processing activity is carried out by ASYAPORT LİMAN A.Ş. through the use of surveillance cameras and recoding of visitor entrance/exit.

In this context, ASYAPORT LİMAN A.Ş. acts in accordance with the Constitution, the LPPD and other relevant legislation.

Camera records of our visitors are taken through the cameras and surveillance system in the entrances of the buildings, facilities and within the facilities of ASYAPORT LİMAN A.Ş.

Monitoring activities via surveillance cameras carried out by ASYAPORT LİMAN A.Ş. are intended to improve the quality of, and to ensure the reliability of, the service provided, to ensure the safety of ASYAPORT LİMAN A.Ş., its customers and third-parties and to protect the interests of customers relating to the service they receive.

Monitoring activities via surveillance cameras carried out by ASYAPORT LİMAN A.Ş. for security purposes are performed in accordance with the provisions of the LPPD and the Law on Private Security Services and the relevant legislation.

Records recorded and stored in digital media are accessible only by limited number of employees of ASYAPORT LİMAN A.Ş.

ASYAPORT LİMAN A.Ş. takes the necessary administrative and technical measures to ensure the security of personal data obtained as a result of the monitoring activities via surveillance cameras in accordance with Article 12 of the LPPD.

Other than the recording by surveillance cameras specified above, ASYAPORT LİMAN A.Ş. processes personal data for the follow-up of visitor entrance/exit in the buildings and facilities of ASYAPORT LİMAN A.Ş. for security purposes and for the purposes specified in this Policy.

Visitors are provided with access to the Internet for the duration they spend within the buildings and facilities of ASYAPORT LİMAN A.Ş. for security purposes and for the purposes specified in this Policy. In this case, log records related to their access to the Internet are recorded according to the mandatory provisions of the Law No. 5651 and the legislation enacted in accordance with this Law, and these records are processed only if requested by authorized public institutions or organizations or in order to fulfil the relevant legal obligations during auditing processes to be carried out within ASYAPORT LİMAN A.Ş.

Only a limited number of employees have access to the log records obtained.

ASYAPORT LİMAN A.Ş. records any internet activities on web-sites it owns through technical means in order to ensure that persons visiting these web-sites achieve their purposes of visiting the web-sites, to display those customized contents and to engage in online advertising activities.

5. Deletion, disposal, anonymization of personal data

Any personal data shall be deleted, disposed or anonymized upon its own decision of ASYAPORT LİMAN A.Ş. or upon the request of the owner of the personal data if the reasons requiring the processing of the personal data disappear, despite the fact that the same have been processed as provided for in Article 138 of the Turkish Penal Code and Article 7 of the LPPD.

In this context, ASYAPORT LİMAN A.Ş. takes the necessary technical and administrative measures in order to fulfil its obligations related thereto, develops the necessary mechanisms in this regard, trains and appoints the relevant business units to ensure them to comply with these obligations and raises their awareness.

V. OBLIGATIONS OF ASYAPORT LİMAN A.Ş.

1. Obligation to disclose to personal data holder

ASYAPORT LİMAN A.Ş. shall enlighten personal data owners on the following matters during the acquisition of personal data:

- Identity of data controller and data representative, if any;

- Purpose for which personal data will be processed;

- To whom and for what purposes personal data may be transferred;

- Method and legal grounds for collection of personal data;

- Rights of personal data owner under Article 11 of the LPPD;

In accordance with this obligation, ASYAPORT LİMAN A.Ş. publishes the disclosure text it has prepared on its web-sites and designs appropriate processes to enlighten data owners during data collection activities.

2. Obligation to respond to applications of personal data owners

Personal data owners may apply to and request information from ASYAPORT LİMAN A.Ş. in writing using the application form attached herewith or sending their requests to “medloglojistik.gemicilik@hs03.kep.tr” KEP address in accordance with the LPPD or using other methods to be determined by the Personal Data Protection Board.

ASYAPORT LİMAN A.Ş. has established and implements the procedures relating to responding to the applications of personal data owners in accordance with Article 13 of the LPPD for the purposes of evaluating the rights of, and making the required disclosures to, personal data owners and relating to other administrative and technical arrangements.

Personal data owners have the following rights;

- To find out whether your personal data has been processed;

- If your personal data has been processed, to request information related thereto;

- To find out the purpose of processing of your personal data and whether or not your personal data is used properly;

- To know about third-parties to whom your personal data is transferred home or abroad;

- If your personal data has been processed in an incomplete and incorrect manner, to request for correction of them;

- To request for deletion or disposition off of your personal data in accordance with the provisions provided for in the relevant legislation;

- To request that any transactions made on your personal data in accordance with the relevant legislation be notified to third-parties to whom your personal data has been transferred;

- To object to the emergence of any consequences against you through the analysis of your personal data processed exclusively by means of automatic systems;

- If you suffer any loss and/or damage due to the unlawful processing of your personal data, to claim indemnification of losses and/or damages you have suffered.

ASYAPORT LİMAN A.Ş. only processes requests transmitted to it via its registered e-mail addresses in writing or signed with secure electronic signature. If the Personal Data Protection Board determines further application methods, ASYAPORT LİMAN A.Ş. will also accept applications made through such methods.

ASYAPORT LİMAN A.Ş. shall respond to any request as soon as possible and within 30 (thirty) days at the latest, depending on the nature of the request. ASYAPORT LİMAN A.Ş. shall accept the applications and take the necessary actions or reject the applications by providing the grounds of its rejection.

If the application of a personal data owner is rejected, he/she finds the response given unsatisfactory or his/her application is not responded, he/she may file a complaint to the Personal Data Protection Board within 30 (thirty) days from the date of receipt of the answer and in any case, within 60 (sixty) days from the date of the application.

ASYAPORT LİMAN A.Ş. shall respond to personal data owners in a timely and justified manner as stipulated by the Personal Data Protection Board in order to prevent complaints.

3. Obligation to ensure security of personal data

ASYAPORT LİMAN A.Ş. ensures that the necessary technical and administrative measures are taken to achieve the appropriate security level for the purposes of preventing illegal processing of, and illegal access to, and protecting, any personal data it processes.

The Personal Data Protection Board shall be able to implement detailed regulations on data security obligations in the future. Therefore, ASYAPORT LİMAN A.Ş. shall exercise due diligence in order to ensure compliance with the obligations in this scope and achieve the security of personal data.

ASYAPORT LİMAN A.Ş. carries out the necessary audits for the functioning of technical and administrative measures to be taken and establishes the systems for the conduct of the said necessary audits. Results of such audits shall be examined by the authorized units within ASYAPORT LİMAN A.Ş. and the necessary measures shall be taken accordingly.

ASYAPORT LİMAN A.Ş. shall be obliged to notify the personal data owner and the Personal Data Protection Board, if required by the legislation, if the personal data of the personal data owner processed are obtained by others by unlawful means. The necessary mechanisms have been established within ASYAPORT LİMAN A.Ş. in this context.

If any situations posing a security risk is identified by ASYAPORT LİMAN A.Ş., measures to eliminate such risk shall be taken with no delay.

3.1.  Taking technical and administrative measures to ensure that data processing is in compliance with the law

All processes related to personal data processing activities carried out by the business units within ASYAPORT LİMAN A.Ş. are analysed and all activities carried out by the business units from the collection to the deletion of personal data are made subject to legal compliance audit.

Personal data processing activities carried out within ASYAPORT LİMAN A.Ş. are audited by technical systems established.

The technical measures taken are reported on a regular basis and any deficiency or illegality is notified to the person concerned upon the discovery thereof and is eliminated.

ASYAPORT LİMAN A.Ş. informs and trains its employees about the personal data protection law and the processing of personal data in compliance with the law.

ASYAPORT LİMAN A.Ş. İncludes in contracts and documents governing the legal relationship between ASYAPORT LİMAN A.Ş. and its business partners, employees and customers, provisions imposing obligations not to process, disclose and use personal data in violation of the provisions in the LPPD.

ASYAPORT LİMAN A.Ş. limits the access to personal data only with the relevant company employee(s) for the purpose of processing.

Actions to ensure that the activities of each business unit are in compliance with the personal data processing requirements set forth in the LPPD are determined specific to each business unit and the activity carried out by that business unit. Implementing rules are determined specific to business units, and the administrative measures are taken, the procedures are established and the training are provided necessary to ensure the audit of these rules and the continuity of the implementation.

3.2 Taking technical and administrative measures to prevent unlawful access to personal data

ASYAPORT LİMAN A.Ş. takes the necessary administrative and technical measures in order to prevent unlawful acquisition of personal data, disclosure of personal data to third-parties and access to and transfer of personal data.

Technical measures according to technological developments are taken and the measures taken are updated and renewed periodically.

ASYAPORT LİMAN A.Ş. designs and implements access- and authorization-related technical processes in accordance with the legal compliance requirements.

The technical measures taken are periodically reported to the person(s) concerned and technological solutions are produced for matters posing security risks.

Related software and systems are installed, including software and hardware incorporating virus protection systems and firewalls.

Employees of ASYAPORT LİMAN A.Ş. are given training on technical measures and knowledgeable personnel are employed for technical issues.

ASYAPORT LİMAN A.Ş. takes a commitment from its employees that they will not disclose any personal data they have obtained to third-parties in breach of the provisions of the LPPD and will not use the same for any purposes other than the purpose of processing. ASYAPORT LİMAN A.Ş. ensures that this commitment remains in force even after the cease of the employment of the employees.

ASYAPORT LİMAN A.Ş. adds articles that will protect personal data to contracts entered into between ASYAPORT LİMAN A.Ş. and persons to whom personal are transferred.

3.3. Auditing of measures taken on the protection of personal data

ASYAPORT LİMAN A.Ş. designs the necessary audits for the functioning of technical and administrative measures to be taken and establishes the systems for the conduct of the said necessary audits. Results of these audits are reported to the relevant department within the scope of the internal functioning of ASYAPORT LİMAN A.Ş. and the necessary activities are carried out to improve the measures taken.

3.4.  Measures to be taken in case of unauthorized disclosure of personal data

ASYAPORT LİMAN A.Ş. shall be obliged to notify the personal data owner and the Personal Data Protection Board if the personal data of the personal data owner processed are obtained by others by unlawful means. In this context, the necessary internal structure is established.

4. Obligation to register with the Data Controllers Registry

ASYAPORT LİMAN A.Ş. Will, by submitting the application information and documents, register with the Data Controllers Registry within the time period determined and announced by the Personal Data Protection Board before engaging in any data processing activity. The documents to be submitted are as follows:

- Identity and address details of ASYAPORT LİMAN A.Ş., as the data controller, and its representative, if any;

- Purposes for which personal data will be processed;

- Explanations on group(s) of data subjects and data categories of such data subjects;

- Recipients or recipient groups to which personal data can be transferred;

- Personal data allowed to be transferred to other countries;

- Measures taken for personal data security;

- Maximum time period required for the purpose for which personal data are processed.

VI. ORGANIZATIONAL STRUCTURE WITHIN ASYAPORT LİMAN A.Ş.

The ''Personal Data Protection Committee'' or a person responsible for carrying out the actions determined for compliance by the senior management has been appointed within ASYAPORT LİMAN A.Ş. to manage this policy and other policies associated with or related to this policy.

In this context, the following actions are taken by the Committee or the person to be appointed:

- To determine the basic policies related to the processing and protection of personal data and the actions to be taken in order to ensure compliance with the legislation;

- To submit the basic policies and action steps determined to the senior management for approval, to supervise the implementation and ensure the coordination thereof;

- To decide on how the policies related to the processing and protection of personal data will be implemented and how the audit will be carried out and to make the necessary appointments after obtaining the approval of the senior management;

- To identify risks that may occur in personal data processing activities by ASYAPORT LİMAN A.Ş., to ensure that necessary measures are taken and to submit improvement proposals to the senior management for approval;

- To ensure that employees are given training on the protection of personal data and company policies;

- To resolve on the applications of personal data owners at the highest level;

- To make the necessary arrangements within the company in order to ensure that ASYAPORT LİMAN A.Ş. fulfils its obligations under the LPPD;

- To follow developments on the protection of personal data and to provide recommendations to the senior management about what needs to be done related to such developments;

- To manage relations with the Agency and the Board.

ANNEX-1 DEFINITIONS