1.PURPOSE

As MED MARINE Pilotage and Tug Services Construction. Industry and Trade Inc. (“MED MARINE”), we adopt the primary goal of ensuring that the personal data of real persons (hereinafter collectively referred to as “Persons”), including our customers, visitors to our websites or facilities, our real person suppliers and our suppliers’ real person employees, potential employees, former employees and current employees, are processed in accordance with the legislation in force in Turkey, primarily the Law on the Protection of Personal Data No. 6698 (“KVKK”), secondary legislation whose legal basis is KVKK and the decisions of the Personal Data Protection Board (hereinafter collectively referred to as the “KVKK”), and that the persons whose personal data are processed are able to exercise their rights effectively.

Within this scope, we process, store and transfer all personal data belonging to the Persons, especially the personal data we obtain during our activities, in accordance with the MED MARINE Personal Data Storage and Destruction Policy (“Policy”).

Protecting personal data and observing the fundamental rights and freedoms of the Persons whose personal data is processed is the fundamental principle of our policy regarding the processing of personal data. Therefore, all our activities in which personal data is processed are carried out by protecting the rights of privacy, confidentiality of personal information, confidentiality of communication, and freedom of thought and belief. In order to protect personal data, we take all administrative and technical protection measures required by the nature of the data in accordance with the Personal Data Protection Law and the latest technology. This Policy explains our methods of processing, storing, transferring and deleting or anonymizing personal data during our human resources, trade, promotion, marketing, security, social responsibility and similar activities in accordance with the principles stipulated in the Personal Data Protection Law No. 6698.

2. SCOPE

This Policy covers all personal data of the Persons processed by MED MARINE. Our policy applies to all personal data processing activities owned or managed by MED MARINE and is handled and prepared by taking into account the Personal Data Protection Law and relevant international standards.

3. DEFINITIONS AND ABBREVIATIONS

This section briefly explains the definitions and abbreviations used in this Policy.

Personal Data: It refers to any information related to an identified or identifiable natural person.
Personal Data Owner (Relevant Person): It refers to the natural person whose personal data is processed.
Processing of Personal Data: It refers to any operation performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data, either fully or partially by automatic means or non-automatic means provided that it is part of any registration system.

Data Processor: It refers to the natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: Refers to the natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.

Explicit Consent: Refers to the consent given on a specific matter, based on the information provided and with free will, which is clear beyond doubt and limited to a specific transaction only.

Anonymization: Making personal data in no way associable with an identified or identifiable natural person, even if matched with other data,

Employee: Refers to the MED MARINE employee.
Special Personal Data: Data related to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, health, fingerprints, attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures of individuals, as well as biometric and genetic data;

4. DUTIES AND RESPONSIBILITIES

4.1 Data Protection Committee

MED MARINE Data Protection Committee is responsible for drafting, developing, implementing and updating this Policy. It reviews this Policy for its currency and, if necessary, for development requirements. The Data Protection Committee is responsible for publishing the prepared document on the corporate portal.

4.2 Personal Data We Possess

The main personal data of the Persons processed by MED MARINE can be defined as follows.

Identity information: for example, your name, photograph, gender, date of birth, ID number;

National or other identity documents: for example, your national identity card/passport, information regarding your visa application, your driver's license, your national health system number (or equivalent);
Contact information: for example, your residential address, your personal telephone numbers or e-mail addresses, contact information of your emergency contact and/or your closest relative;
Information about your profession or work: such as your title/position, place of work or places of work, clauses in your employment contract, performance, appraisal, training and career development records, records of any grievance procedures in which you have been involved, information on holiday/annual leave you have requested and taken, any other leave you have requested and taken and sickness records;

Information about professional qualifications, achievements and/or skills: such as academic/vocational qualifications, education, CV/personal history and languages ​​you know. This also includes any qualifications required for your work, such as your driving licence class or criminal record and/or membership of professional associations;

Financial Data: such as bank account details, tax information and information about payments made to you by MED MARINE, including wages, bonuses, overtime pay and other variable payment items granted by MED MARINE, expenses and travel allowances;
Other information necessary for the management of payments made to or by you: for example, information on any loans you have taken out and any contributions made before or through wage/salary payment (for example, union membership fees) and any additions to your income and any deductions;

Information on your use of MED MARINE systems, devices and property; for example, the identity of your computer and/or mobile phone or other devices, mobile or landline serial numbers, user ID, IP addresses, log files, software and hardware inventories, data collected to monitor and ensure the security of the website through cookies, information on access to MED MARINE facilities, call centre records and CCTV recordings;

Information on business travel and accommodation;

Health and safety information: for example, records of work accidents, information on personal injury claims (affecting MED MARINE), medical documents, fitness for work certificates or other professional health reports and the results of drug and alcohol tests; and

Information on your former and/or potential and/or current employer.
Your personal data summarized above, the purposes and conditions of processing, the groups of persons whose personal data are processed, the recipients to whom the data is transferred, whether the data is transferred abroad or not, and the security measures taken have been compiled into an inventory and recorded in the Data Controllers Registry Information System (VERBİS) by the Data Controller MED MARINE. These records are open to the public and can be accessed at https://verbis.kvkk.gov.tr/.

5. LEGAL OBLIGATIONS

Our legal obligations as the Data Controller regarding the protection and processing of personal data in accordance with the KVKK are listed below:

5.1 Our Obligation to Inform

As the Data Controller, we are obliged to inform the persons whose data is processed during the collection of personal data about the following:

The purpose for which your personal data will be processed
Information about our identity and our representative, if any
To whom and for what purpose your processed personal data may be transferred
Our data collection method and the legal reason behind it
Your rights under the Law.
Due to our obligation to inform, as MED MARINE, we attach importance to ensuring that this Policy, which is open to the public, is clear, understandable and easily accessible.

5.2 Our Obligation to Ensure Data Security

As the Data Controller, we take the administrative and technical measures stipulated in the Personal Data Protection Law in order to ensure the security of the personal data in our possession. In this context, our obligations include preventing personal data from being processed in violation of the law and company policies/rules, preventing access to personal data in violation of the law and company rules, storing and keeping personal data under appropriate conditions, and carrying out the data destruction process in accordance with the law and company policies/rules. In case of any violation of the rules, we apply the necessary sanctions and internal disciplinary rules.

. PROCESSING OF PERSONAL DATA

6.1 Our Principles Regarding the Processing of Personal Data

By fulfilling our obligation to inform, we process personal data transparently and in accordance with the rules of honesty.

We take the necessary measures in our data processing procedures to ensure that the processed data is accurate and up-to-date. We provide Personal Data Owners with the opportunity to update their existing data and to contact us to correct any errors in their processed data.
As MED MARINE, we process personal data in line with our legitimate purposes in order to carry out our activities in accordance with the legislation and the requirements of ordinary commercial life, with a clearly defined scope and content.

We process personal data in a limited and cautious manner in connection with the purpose we have clearly and precisely determined. We avoid processing irrelevant or non-necessary personal data. Therefore, we do not process personal data of a special nature unless required by law, or if we need to process such personal data, we obtain the explicit consent of the relevant persons in this regard.
The legislation includes a number of regulations requiring various personal data to be stored for certain periods. Therefore, we store the processed personal data for the period stipulated in the relevant legislation or as long as it is necessary for the purposes of processing personal data. When the storage period stipulated in the law expires or when the purpose of processing no longer exists, we delete, destroy or anonymize personal data. 6.2 Purposes of Processing Your Personal Data

We process your personal data for the following purposes:

To carry out our corporate activities
To ensure that our legal obligations are fulfilled as required or foreseen by legal regulations
To evaluate job applications
To communicate with persons who have a contractual relationship with MED MARINE
To support the training, development and career processes of our employees
To ensure compliance management
To ensure dealer/supplier management
To manage call center processes
To ensure corporate communication
To protect the rights of our employees
To send newsletters, engage in marketing activities or make notifications via e-mail
To ensure physical and digital media security
6.3 Processing of Special Personal Data

We process special personal data in cases prescribed by law and by taking administrative and technical measures prescribed by the Personal Data Protection Board or by obtaining the explicit consent of the relevant persons.

6.4 Exceptional Cases Where Explicit Consent is Not Required for Processing Personal Data

We may process personal data without obtaining the explicit consent of the relevant persons in the exceptional cases specified below:

If it is expressly provided for by law.

If it is mandatory for the protection of the life or physical integrity of the person who is unable to give his/her consent due to a de facto impossibility or whose consent is not legally valid, or of another person.
If it is necessary to process personal data belonging to the parties to a contract, provided that it is directly related to the establishment or performance of a contract.
If it is mandatory for the data controller to fulfill its legal obligation,
If the relevant person has shared the data with the public,
If data processing is necessary for the establishment, exercise or protection of a right,
If data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.

7. TRANSFER OF PERSONAL DATA

We are careful to allow access to personal data only to those who need this access to perform their duties and jobs and to third parties who have a legitimate purpose for this access. In all cases where we allow third parties to access personal data, we will implement appropriate measures to ensure that the data is used in accordance with this policy and that the confidentiality and integrity of the data is protected. The personal data we process may be recorded in the automatic data processing systems that MED MARINE uses to effectively carry out its activities, and may be processed by MED MARINE's legal entity local and global companies and affiliates and service providers who are data processors with confidentiality obligations from whom MED MARINE purchases services under a service contract, with the knowledge and explicit consent of the relevant persons, and may be transferred abroad within the limits stipulated in the Personal Data Protection Law. Your personal data will not be disclosed to third parties under any circumstances other than those specified above.

Data transfer is not made via portable memory sticks except in mandatory cases. In mandatory cases, this transfer is made under the supervision of the responsible persons. Sealed envelopes and cabinets are used for the security of data to be transferred on paper. MED MARINE, as the Data Controller, is obliged to take the necessary technical and administrative measures in this regard.

8. STORAGE OF PERSONAL DATA

8.1 Storing personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed

MED MARINE is obliged to store personal data for the period required for the purpose of processing personal data, without prejudice to the storage periods stipulated in the legislation. Personal data is stored for the period stipulated in the legislation or necessary for the purpose for which they are processed. Data is stored in physical (department cabinets, archives) or electronic (server, cloud, etc.) environments. MED MARINE takes the necessary measures to store and protect the data and ensures the security of the environment. Importance is given to protecting data integrity in all digital and physical storage environments. In cases where we process personal data for more than one purpose, the data is deleted, destroyed or stored by anonymizing it when the purposes for which the data is processed are eliminated or upon the request of the relevant person, unless there is a situation preventing the deletion of the data in accordance with the legislation. During the destruction, deletion and anonymization processes, the requirements under the Personal Data Protection Law are observed.

9. DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA

9.1 Deletion and Destruction of Personal Data

Personal data is deleted, destroyed and/or anonymized in the following cases:

Any change in the provisions of the Personal Data Legislation,
The situations requiring the processing and storage of personal data no longer exist,
The relevant person does not have explicit consent or withdraws his/her consent and this decision is approved by the data controller,
The maximum period for which personal data must be stored has expired,
The request for destruction of data made by applying to the Personal Data Protection Board is approved by the board.

9.2 Methods to be Applied for Deletion and Destruction of Personal Data

The methods used for deletion and destruction of personal data are specified below. One of the following methods is used depending on the storage format of personal data.

9.2.1 Destruction of Personal Data Stored as Documents;

The responsibility for the secure destruction of data stored as documents and stored in physical environments (cabinet and/or archives) belongs to the managers of the department that processes this data. Such documents are destroyed by cutting, burning, shredding with shredding devices or similar methods in a way that will not allow them to be restored or read. Support can be received from an expert institution in the position of data processor for the destruction of data in this way.

9.2.2 Deletion of Personal Data Stored in Electronic Media;

The responsibility for the secure deletion and destruction of data stored in electronic media belongs to the Information Technologies department. Digitally stored data is deleted in a way that will not allow access by the relevant parties or is destroyed in a way that will not allow reuse. The operations applied to data stored in any physical or electronic environment and destroyed are recorded by the Information Technologies department.

10. RIGHTS OF PERSONAL DATA OWNERS

Personal Data Owners have the following rights over their personal data;

To obtain information on whether their personal data has been processed,
To request information on this process if their personal data has been processed,
To learn the purpose of processing personal data and whether the processed data is used for this purpose,
To be informed about third parties to whom their personal data is transferred domestically and abroad,
To request correction of personal data if it is processed incompletely or incorrectly,
To request deletion or destruction of personal data if the reasons requiring processing of personal data are eliminated,
To request notification of the above-mentioned correction, deletion or destruction processes to third parties to whom personal data is transferred,
To object to the emergence of an adverse result by analyzing the processed data exclusively through automated systems,
To request compensation for damages in case of damages due to unlawful processing of personal data.
10.1 Exercise of Rights Regarding Personal Data

Every person whose data is processed in accordance with the instructions of the data controller MED MARINE has the right to apply to the data controller in accordance with Article 13 of the Personal Data Protection Law in order to exercise their rights under Article 11 of the Personal Data Protection Law. The data controller MED MARINE must accept the application in question within 30 (thirty) days at the latest or reject it by explaining the reason. However, in order for the application in question to be accepted as a duly made application, it must meet all the requirements set out in the Communiqué on the Procedures and Principles of Application to the Data Controller.

In order for the application of the relevant person to be accepted as a valid application:

The relevant person must personally submit the application in writing and in Turkish by presenting their identity document, or
Send it to the registered electronic mail (KEP) address by signing it with a secure electronic signature or mobile signature, or
Send the relevant person's application via the electronic mail address previously notified to MED MARINE and registered in the MED MARINE system, or
The application must be sent via a software or application developed by MED MARINE for the purpose of making applications.

In addition, in order for an application to be accepted and evaluated as a duly made application, it must include all of the following:

The name and surname of the applicant, the wet signature of the relevant person if the application is in writing,
For Turkish citizens, the Turkish Republic identity number; for foreigners, their nationality, passport number and, if applicable, their identity number,
The place of residence or business address for notification,
If applicable, the electronic mail address for notification, telephone and fax number,
The subject of the relevant person's request.
In this context, in order to exercise the rights granted to the relevant persons within the scope of Article 11 of the Law on the Protection of Personal Data, an application containing all the matters stipulated in the Communiqué on the Procedures and Principles of Application to the Data Controller must be sent to MED MARINE by registered mail or in person using the contact and address information specified in this Policy, or by e-mail using a secure electronic signature.

If individuals and other relevant persons have any questions or concerns regarding this Policy or MED MARINE’s other personal data protection practices, or to make any requests regarding their rights, they can contact the Data Protection Committee via kvkk@medmarine.com.tr.