Personal Data Protection Policy

The Board of Directors and the management of UPS Hızlı Kargo Taşımacılığı A.Ş. (hereinafter shall be referred to as “UPS”) undertake to comply with the Constitution of Republic of Türkiye with respect to personal data protection as well as the principles and rules stipulated by the Law no. 6698 on Protection of Personal Data (LPPD) and other legislation, and to protect the rights and freedoms of individuals whose data are processed by UPS. To that end, the Board of Directors has adopted a written personal data protection policy and system that will be implemented and developed.

Scope
The provisions of the policy cover all the information systems and sub-information, contracts, and peripheral and physical areas, included in the processes of personal data processing in the fields of activity and scope of business of UPS, as well as the systems developed and arrangements made for them. This policy is applicable to all UPS units, the company personnel providing support services, the visitors, third parties, trainees, and contracted employees.

Objectives of the Personal Data Protection Policy and System
The objective of the Personal Data Protection Policy and system is to ensure that UPS establishes and fulfils its own standards in management of personal data, to determine and support organizational targets and obligations, establish control mechanisms that are in compliance with the acceptable risk level of UPS, fulfil any requirements imposed on UPS pursuant to the international conventions, the Constitution, laws, agreements and occupational rules in the field of personal data protection, and to protect, to the greatest extent possible, the interests of individuals.

UPS shall comply with the legislation on personal data protection as well as the data protection principles. The data protection principles adopted by UPS include the following:

1. Processing personal data only when explicitly required for legitimate corporate objectives,
2. Processing personal data for these objectives to the minimum extent required and avoiding processing any data more than what is required,
3. Providing explicit information to individuals about by whom and how their personal data are used,
4. Processing only relevant and appropriate personal data,
5. Processing personal data in accordance with the equity and law,
6. Taking inventory of the categories of personal data processed by UPS,
7. Ensuring that the personal data are accurate and, if necessary, up-to-date,
8. Retaining personal data only for a period required by legal regulations, or the legal obligations or legitimate corporate interests of UPS,
9. Respecting the rights of data subjects with respect to their personal data, including the right of access,
10. Keeping all the personal data secure,
11. Transferring personal data to abroad only when sufficient protection is ensured,
12. Applying the exceptions allowed by the legislation,
13. Establishing and implementing the personal data protection system for application of the policy,
14. When necessary, determining the internal and external stakeholders that are party to the personal data protection system, and to what extent they are included in the personal data protection system of UPS,
15. Determining the officer(s) with special authorizations and responsibilities in relation to the personal data protection system.

Notifications
UPS informs the Personal Data Protection Board (“PDP Board”) about the fact that it is a data controller and about which categories of personal data it processes in such capacity. UPS determines all the categories of personal data processed by it in the personal data inventory.

Notification is made pursuant to the procedures and methods to be determined by the PDP Board, and UPS keeps a copy of such notification.

When necessary, notifications are repeated periodically.

In order to detect any potential changes that may arise in the notification made to the PDP Board, UPS’ data processing operations and any changes in the same are reviewed on an annual basis, and when necessary, the PDP Board is informed accordingly.

UPS’ disciplinary regulations shall be applicable to any act breaching this policy, committed by any UPS department, company officer providing support services, trainees, and contracted employees, and if such breach constitutes an offense or misdemeanour, the relevant authorities shall be notified of the situation as soon as possible.

The solution partners of UPS that have or may potentially have access to personal data and all third parties working with UPS are invited to read and comply with this policy. No third party may have access to the personal data processed by UPS without executing a written confidentiality agreement that imposes obligations as strict as at least those of UPS with respect to protection of personal data and includes UPS’ inspection right in this respect.

Explicit consent refers to the consent in relation to a specific matter, which is given upon being informed and of one’s own free will.

Anonymization means rendering it impossible for personal data to be associated in any manner, even by being matched with other data, with a natural person who is identified or identifiable.

Data subject (relevant person) means the natural person whose personal data are processed.

Personal data means any kind of information about an identified or identifiable natural person.

Special category of personal data means data relating to race, ethnic origin, political opinion, philosophic belief, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures as well as biometric and genetic data of people.

Processing of personal data means any operation performed on the data, such as obtaining, recording, storage, preservation, alteration, reorganization, disclosure, transfer, takeover, making available or classifying, or precluding the use of the personal data, by fully or partly automated means, or by non-automated means provided that they are part of a data recording system.

LPPD is the Law No. 6698 on Protection of Personal Data.

PDP Board refers to the Personal Data Protection Board.

PDP Authority refers to the Personal Data Protection Authority.

Data Processor means a natural or legal person who processes personal data on behalf of and based on the authority granted by the data controller.

Data recording system refers to a recording system where personal data are processed by being structured according to certain criteria.

Data controller means a natural or legal person who determines the aims and tools for/with which personal data will be processed and who is responsible for the establishment and management of the data recording system.

Pursuant to LPPD, UPS is the data controller. All the personnel, mainly those in the Senior Management and those acting as managers and auditors, are responsible for development and promotion of accurate practices in processing of personal data within UPS as well as all the other obligations in this respect as specified in their individual job definitions. The PDP Committee has been established as the unit in charge of management of personal data protection system, and ensuring and documentation of compliance with the LPPD and other applicable legislation, and reports to the Board of Directors within this scope.

PDP Committee
The members of PDP Committee are appointed by the board of directors, based on their specialization and experiences in the legislation on personal data protection and the relevant practices, and they directly report to the Board of Directors.

Duties and Responsibilities of PDP Committee
The Committee shall inform the Board of Directors about the legislation on Personal Data Protection and the relevant developments. The Committee is responsible for ensuring that UPS’ policies and procedures are up-to-date and the data processing inspections are carried out in line with the relevant schedule, and that these are in compliance with the applicable legislation. The Committee acts in cooperation with all the relevant personnel in personal data protection matters.

The main duties and responsibilities of the Committee are listed below:

• To provide information and advice about the legislation on personal data protection and the compliance matters to UPS, its relevant partners, and its suppliers providing support services.
• To provide information and advice to UPS personnel about their obligations stipulated by the legislation on personal data protection.
• To observe compliance of data processing operations of UPS with the legislation on personal data protection.
• To provide support to development and maintenance by UPS of the personal data protection policy as well as the relevant procedures and processes.
• To determine the responsibilities within UPS in the context of compliance with the legislation on personal data protection.
• To ensure that any necessary training is provided for and necessary awareness is raised among all the personnel taking role in personal data processing operations.
• To observe the compliance with the legislation on personal data protection through regular inspections and report the results thereof to the Board of Directors.
• To act in cooperation and in liaison with the PDP Board.
• To appoint the responsible persons who will serve as the contact person and representative of UPS toward the PDP Board.
• To develop an official procedure for reporting to the Board of personal data breaches and the relevant investigations.
• To provide assistance in the process of business continuity plan.
• To provide information and advice about retention of corporate records.
• To provide information about to what extent the personal data are collected, stored and used within UPS and to ensure the conditions required to retain them in accordance with the applicable legislation.
• To perform any surveillance and assessments about compliance, reasonableness, security practices, and other controls that may be necessary in relation to protection of personal data.
• To determine and implement any controls for ensuring confidentiality, integrity and accessibility of personal data, and suggest any additional controls that may be necessary.
• To suggest, as an agenda item to the Board of Directors, the matters that potentially pose a risk on personal data within UPS and its proposals in this respect.

The PDP Committee has authority to inspect all the systems of UPS related to collection, processing and retention of personal data. During performance of its duties, the PDP Committee may request cooperation, including access to the systems and records, from all the personnel. If such cooperation is not ensured, the Committee reports the situation to the Board of Directors.

All the UPS personnel that process personal data are obliged to act in accordance with the legislation on Protection of Personal Data.

The Human Resources department is responsible for making the necessary notifications and provision of the necessary training required to ensure that all the personnel have the knowledge and necessary awareness about their responsibilities with respect to protection of personal data.

UPS’ personnel are obliged to ensure that all the personal data that are provided by them to UPS or relate to them are accurate and up-to-date.

All personal data protection operations shall be carried out in accordance with the following data protection principles. UPS’ policies and procedures aim at ensuring compliance with these principles:

• being compliant with the law and the principle of honesty;
• being accurate and, when necessary, up-to-date;
• being processed for specific, clear and legitimate purposes;
• being related, limited and proportionate to the purpose for which they are processed;
• being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.

The personal data are processed transparently and in accordance with the law and the principle of honesty. Accordingly, UPS includes information disclosure texts/privacy notices in the data collection channels and the relevant media, in relation to the personal data processing operations it performs. UPS determines the media where these texts/notices, which include explicit and comprehensible information about which data of whom are processed for which purposes, will be published and announced. These texts/notices include the following:

• As the data controller, UPS’ identity and contact details,
• Types of personal data that are processed,
• Purposes of processing of personal data,
• Prescribed period for retention of personal data,
• Rights of the data subject,
• Third parties with whom the data can be shared.

Personal data can only be processed for specific, clear and legitimate purposes. The reasons/purposes for processing of personal data are determined in the inventory of personal data, and such data may not be used for any purposes other than those specified, without any other legal justification or explicit consent of the data subject.

In the event that any condition arises requiring use of any particular personal data for the purposes other than those specified in the inventory of personal data, the relevant personnel/department shall notify the PDP Committee of this situation. The PDP Committee inspects whether or not the new purpose is appropriate, and if necessary, ensures that the data subject is informed about the new purpose and the new data processing operation./p>

Personal data should be appropriate and relevant, and be processed in a way limited to the specified purpose.

UPS is obliged to ensure that personal data that are not evidently necessary for the purpose of the processing are not collected and processed.

Periodically, UPS inspects whether or not the data processed are appropriate and relevant based on the inventory of personal data.

UPS inspects whether or not all the data processing methods are appropriate and relevant, through an internal/external audit to be performed/procured to be performed annually.

UPS is responsible for ceasing the data processing operations related to the personal data that are detected to be not appropriate or relevant, or to be in excess of what is required with regard to the purpose of the processing, and for safe destruction of the data already processed, in accordance with the retention and destruction procedure.

Personal data should be accurate and up-to-date.

Accuracy and up-to-datedness of the data retained for a long period should be reviewed. The head of the Human Resources department is responsible for provision of training to all the personnel about collection and retention of personal data accurately and in an up-to-date manner. The sole responsibility for the accuracy and up-to-datedness of the data kept in relation to personnel rests with the relevant personnel.

The relevant department of UPS shall be responsible for correcting and updating the personal data processed in relation to personnel/customers and other data subjects.

The PDP Committee may instruct the relevant department to review the accuracy or up-to-datedness of specific data upon an assessment to be performed by it in relation to the type, retention period and quantity of data processed, based on the data inventory.

Personal data shall be processed only when necessary for the purpose of the data processing. In the event that the personal data are retained for a period exceeding the required time due to Back-up and similar requirements, such personal data should be encrypted or anonymized/masked for protection of the rights and freedoms of the individuals in the case of data security vulnerabilities. Processing of personal data after expiry of the terms specified in accordance with the Retention and Destruction Policy shall be subject to the written approval of the PDP Committee.

Data subjects shall have the following rights in relation to the data processing operations performed at and the records kept by UPS:

To be informed of whether or not their personal data are processed, and if their personal data are processed, to request information thereon,

To learn the purpose of processing of their personal data and whether or not the same is used for the intended purpose,

To be informed about third parties, both in Türkiye and overseas, to whom their personal data are transferred,

To request correction of their personal data processed in an incomplete or erroneous manner,

To request deletion or destruction of their personal data in absence of a legal reason or basis requiring the processing thereof in compliance with LPPD or this policy,

To demand that the correction or deletion procedures performed upon their request be communicated to third parties to whom their personal data are transferred,

To object to any result to their detriment arising from analysis of the processed data solely through automatic systems,

To request recovery of damages in the case they incur any loss due to unlawful processing of their personal data.

Data subjects may request to have access to their personal data and exercise the aforementioned rights. Such requests shall be responded to within 30 days. The procedures for receipt, forwarding and finalization of the requests shall be carried out in accordance with the Request Management Procedure.

Data subjects may personally deliver their requests to our head office by filling in the PDPL Application Form, or send them, via notary public or registered letter with return receipt, to the address “MERKEZ MAHALLESİ, AYAZMA CAD. PAPIRUS PLAZA, B Blok, NO: 37/44, 34406, KAĞITHANE-ISTANBUL” with confirmation of identity, or send them by e-mail to the following registered e-mail address: upskargo@hs03.kep.tr.

You can access the data subject application form here.

All the UPS’ personnel, no matter what their job definition involves, is obliged to provide guidance to the data subjects on the accurate means of application in relation to the data subject’s requests for access that were submitted to them. UPS’ personnel should be informed and trained about the required course of action upon receipt of requests filed by data subjects.

When a data subject grants their consent on specific data processing operations, after being duly informed thereon and by acting of their own free will, revealing their desire for processing of the data that belong to them, as shown by written/verbal statements or explicit affirmative conduct, UPS deems this as an explicit consent. Explicit consent shall always be taken in writing for special categories of personal data. Data subject is entitled to withdraw their explicit consent at any time.

Explicit consent may be taken through the signing of the explicit consent form template by the data subject or inclusion of the content of this template in the contract to be executed with, or in the electronic form to be filed by the data subject. Explicit consent related to the personal data routinely processed, which pertain to the personnel, prospective personnel and customers, is taken through the relevant contract or forms.

In the case that the data processing operation based on the explicit consent will be performed continuously or repeatedly, the relevant department shall keep a single list of the persons whose explicit consents have been taken. The relevant department shall be responsible for keeping this list accurate and up-to-date. The relevant department shall keep the explicit consent forms or other evidential items related to the data processing operation based on explicit consent.

Each personnel is responsible for ensuring that the personal data that are processed by UPS and are under their responsibility are kept in a secure manner.

Security of personal data shall be ensured in accordance with the PDP Policy of UPS and the auxiliary documents thereof.

UPS shall report any data security incidents related to personal data to the PDP Board and the data subject as soon as possible.

8.1 Sharing of personal data with third parties is allowed only when it is done in compliance with the law and the equity. Accordingly, in order for personal data to be shared, fulfilment of at least one of the following requirements is sought:

• Where the explicit consent of the data subject has been taken.
• Where it is expressly prescribed by the laws.
• Where it is mandatory for the protection of life or bodily integrity of a person who is incapable of giving their consent due to physical impossibility or whose consent is legally invalid, or of another person.
• Where the processing of personal data belonging to parties to a contract to which UPS is or will become party is necessary, provided that it is directly related to entering into or performing such contract.
• Where it is mandatory for UPS to fulfil its legal obligation.
• Where such data are made public by the data subject themselves.
• Where the data processing is mandatory for the establishment, exercise or protection of the rights of UPS.
• Where it is obligatory to process data for the legitimate interests of UPS, provided that the fundamental rights and freedoms of the data subject are not infringed.

Personal data can only be transferred to abroad provided only that the aforementioned requirements are met, the target country has adequate protection, and the data subject grants explicit consent on such transfer. For transferring personal data to abroad, the list of countries that have adequate protection as determined by the PDP Board shall be taken into consideration. Regarding transfer of personal data to abroad, the PDP Board provides any necessary permissions and notifications pursuant to the LPPD and the applicable legislation.

In the case that there is a regular data-sharing relation without any legal reason or obligation, a Letter of Undertaking on LPPD is signed with the relevant party to determine the conditions of such data sharing. The Letter of Undertaking on LPPD shall include, at minimum, the following:

• Purpose(s) of the sharing;
• Potential third party receivers or the receiver type and the access right terms;
• Categories of data to be shared (to be limited to the minimum categories necessary for the specified purposes);
• General principles of processing of the data;
• Data security measures;
• Period of retention for the shared data;
• Rights of the data subject and the procedures on response to the requests for access, applications and complaints;
• Review of expiry of the validity term of the data sharing contract, and
• Responsibilities and sanctions arising from failure to comply with the contract or from individual breaches of the personnel.

Purposes of Processing of Personal Data
The purposes of processing of data within scope of the personal data processing operations performed by UPS under the Data Controllers’ Registry Information System are as follows:

• Execution of Emergency Management Processes
• Performance of Selection and Recruitment of Potential Employees/Trainees/Students
• Performance of Potential Employee Application Processes
• Fulfilment of the Obligations Regarding the Employees arising from the Employment Contracts and Legislation
• Performance of the Benefits and Interests Processes for the Employees
• Performance of Audit / Ethics-Related Activities
• Performance of Training Activities
• Management of Access Authorizations
• Performance of Activities in Accordance with Legislation
• Performance of Financial and Accounting Works
• Performance of Company / Product / Service Loyalty Processes
• Ensuring Security of Physical Spaces
• Performance of Appointment Processes
• Handling and Carrying Out of Legal Affairs
• Performance of Communication Activities
• Planning of Human Resources Processes
• Performance / Audit of Business Activities
• Performance of Occupational Health / Safety Activities
• Performance of Business Continuity Activities
• Performance of Logistics Activities
• Performance of Goods / Services Purchase Processes
• Performance of After-Sales Support Services for Post-Sale of Goods/Services
• Performance of Sales Processes for Goods/Services
• Performance of Production and Operational Processes for Goods/Services
• Performance of Customer Relations Management Processes
• Execution of Activities for Customer Satisfaction
• Organization and Event Management
• Carrying out of Performance Evaluation Processes
• Performance of Storage and Archiving Activities
• Performance of Contractual Processes
• Performance of Strategic Planning Activities
• Handling of Requests / Complaints
• Ensuring Security of Movable Goods and Resources
• Performance of the Supply Chain Management Processes
• Implementation of Wage Policy
• Execution of Marketing Processes of Products / Services
• Ensuring Security of Data Controller’s Operations
• Work and Residence Permit Transactions for Foreign Personnel
• Provision of Information to Authorized Persons / Institutions and Organizations
• Performance of Management Activities
• Creation and Tracking of Visitor Records

Data Subject Categories and Description:

• Potential Employee: Natural persons who have filed a job application with UPS in any manner or allowed UPS to review their resumes and related information.
• Employee: Employees whose personal data are processed within the framework of activities such as events organized by UPS, employee satisfaction activities, human resources activities, inspection activities, activities to ensure security and infrastructure of information technologies, legal compliance activities etc.
• Shareholder Partner: Natural persons who are the shareholders of UPS
  Potential Purchaser of Products or Services: Natural persons who do not have a contractual relation with UPS and whose personal data are obtained through the business relations under the operations performed by UPS’ business units.
• Trainee: Trainees whose personal data are processed within the framework of activities such as events organized by UPS, employee satisfaction activities, human resources activities, inspection activities, activities to ensure security and infrastructure of information technologies, legal compliance activities etc.
• Supplier’s Employee: The employees of the parties providing services to UPS based on a contract during performance of business operations of UPS, in accordance with the orders and instructions of UPS.
• Supplier’s Authorized Representative: The authorized representative of the parties providing services to UPS based on a contract during performance of business operations of UPS, in accordance with the orders and instructions of UPS.
• Customer (Purchaser of Products or Services): Natural persons, regardless of whether or not they have a contractual relation with UPS, whose personal data are obtained through the business relations under the operations performed by UPS’ business units.
• Custody Holder/Guardian/Representative: Persons in the capacity of custody holder, guardian or representative, whose personal data are obtained by UPS.
• Visitor: Natural persons who have entered the physical premises owned by UPS for various reasons or visited our websites.
• Other (3rd Parties): Natural persons who have a relation with UPS in one way or another, but cannot be categorized under the above definitions.

Personal Data Categories and Description:

• Identity Data: Data that contain information about a person's identity; information such as name and surname, Turkish ID number, nationality, place of birth, date of birth, gender, workplace details, registry no., tax ID no., title, biography etc. and documents such as driver’s license, occupational identity certificate, ID card, and passport
• Contact Details: Information such as phone number, address, e-mail address, and fax number etc.
• Transaction Security Information: Your personal data processed to ensure our technical, administrative, legal and commercial security while conducting our activities (e.g. Log records, IP information, identity verification data)
• Information on Customer Transaction: Information such as call centre records, invoices, details of bonds and cheques, information appearing on counter statements, order details, and request details
• Location Information: Location information of the place where the data subject resides
• Personnel Information: Data such as the payroll information of the personnel, details of disciplinary proceedings, records of certificates of commencement-termination of employment, details of declaration of property, curriculum vitae details, and performance assessment reports
• Risk Information: Information processed for the management of commercial, technical and administrative risks
• Potential Employee Information: Information that may be included in the curriculum vitae of the potential employee
• Financial Information: Personal data processed in relation to any information, document and records showing any type of financial result achieved according to the type of the legal relation established between UPS and the data subject, and data such as bank account number, IBAN number, income information, and payable/receivable information
• Information on Legal Transactions: Personal data processed within the scope of the determination and monitoring of our legal receivables and rights, the performance of our obligations, as well as our legal obligations, and compliance with the policies of our Company
• Physical Space Security Information: Personal data regarding records and documents taken when entering the physical space and during the stay in the physical space; video recordings, vehicle information records, and records taken at the security point etc.
• Professional Experience: Information such as diploma information, courses attended, occupational training information, certificates, and academic record information etc.
• Marketing Information: Information obtained through shopping history details, surveys, cookies preferences or campaign efforts
• Audio-Visual Records: Photographs and camera recordings (except the recordings that fall under Physical Space Security Information) and audio recordings
• Information on Philosophical Beliefs, Religion, Sect and Other Beliefs: Information on religion, philosophical belief, sect, and other beliefs
• Membership to Associations, Foundations or Unions: Information on membership to associations, foundations or unions
• Health Information: Disability information, blood type information, personal health information, and information on the devices and prosthesis used etc.
• Criminal Convictions and Security Measures: Information on criminal convictions and security measures
• Biometric Data: Palm print and fingerprint information, retinal scan information, facial recognition information etc.

Categories of Parties With Which Data are Shared:

• Natural persons or private-law legal entities: Private-law legal entities which are authorized to receive information and documents from the Company pursuant to the provisions of relevant legislation
  • Purpose of Sharing: Limited to the purposes requested by the relevant private-law legal entities to the extent permitted by their legal authorities
• Shareholders: Natural persons who are the shareholders of UPS
  • Purpose of Sharing: Limited to the powers of the shareholders
• Business Partners: Parties with whom UPS establishes business partnerships with the objectives such as conducting business operations
  • Purpose of Sharing: Limited to the purpose of achievement of the objectives of establishment of the business partnership
• Affiliates and Subsidiaries: The companies that the Company is a shareholder of
  • Purpose of Sharing: Limited to ensuring performance of the commercial activities of the Company, which also require participation of its affiliates
• Suppliers: The parties providing services to UPS based on a contract within the framework of performance of its business operations, in accordance with the orders and instructions of UPS
  • Purpose of Sharing: Limited to the purpose of ensuring that the services which have been outsourced by the Company from the supplier and which are necessary for the Company to perform its business operations, are provided to the Company
• Legally Competent Public Institutions and Organizations: Public institutions and organizations which are authorized to receive information and documents from the Company pursuant to the provisions of relevant legislation
  • Purpose of Sharing: Limited to the purpose for which data have been requested by the relevant public institutions and organizations within their legal authority

Upon expiry of the period of retention required for the purposes of processing, or upon justified demand of the data subject, the personal data shall be anonymized or deleted or destroyed, in accordance with the Retention and Destruction Policy, in a way that the natural person who is the data subject cannot be identified.

Personal data may not be retained for a period exceeding the time required for the purposes of processing thereof. Classification of the records containing personal data and the relevant retention periods shall be determined pursuant to the Retention and Destruction Policy.

In the event that you have any question about or comments on this Privacy Notice or you want us to update the information belonging to you, or your preferences, please contact us via e-mail by using the email application.

Contact Us By Email

UPS Company Head Office
Contact Person: Global Privacy Officer
55 Glenlake Parkway, NE
Atlanta, GA 30328
United States of America

UPS Türkiye Head Office
Contact Person: Global Privacy Officer
MERKEZ MAHALLESİ, AYAZMA CAD. PAPIRUS PLAZA, B Blok, NO: 37/48, 34406, KAĞITHANE-ISTANBUL Türkiye

Respectfully; UPS HIZLI KARGO TAŞIMACILIĞI A.Ş.
Telephone: 0850 255 00 66