Dear Potential Customer,

Pursuant to Law No. 6698 on the Protection of Personal Data ("PDPL"), we hereby inform you that the personal data obtained from you by TVF İFM Gayrimenkul İnşaat ve Yönetim Anonim Şirketi (“IFC” or the “Company”) in connection with the procurement of products/services provided by the commercial enterprise you are working with will be recorded, stored, preserved, and shared with legally authorized institutions. Furthermore, such data may be transferred to third parties and companies under the conditions prescribed by the PDPL, ensuring their accuracy, maintaining their most up-to-date status, and processing them in a manner that is relevant, limited, and proportionate to the purposes detailed below.

1. Definitions Regarding the PDPL

For the purposes of the implementation of PDPL, the following terms shall have the meanings set forth below:

• Anonymization: The process of rendering personal data impossible to associate with an identified or identifiable natural person, even by matching it with other data.
• Data Subject: The natural person whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing of Personal Data: Any operation performed on personal data, whether wholly or partially automated or non-automated as part of a data recording system, such as collection, recording, storage, retention, modification, reorganization, disclosure, transfer, acquisition, making available, classification, or prevention of its use.
• Board: The Personal Data Protection Board.
• Authority: The Personal Data Protection Authority.
• Data Processor: A natural or legal person who processes personal data on behalf of the Data Controller, based on the authority granted by the Data Controller.
• Data Recording System: A recording system in which personal data is structured and processed according to specific criteria.
• Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
• Sensitive Personal Data: Personal data related to an individual’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and attire, association, foundation or trade union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data.

2. What is Personal Data?

Personal data refers to any information that identifies you or makes you identifiable. In this context, any information associated with you, including but not limited to your primary identification details such as your name, surname, Turkish Identification Number, as well as your address, phone number, and bank account details, is considered “Personal Data.” Furthermore, pursuant to Article 6 of the PDPL, data related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data are classified as “Sensitive Personal Data.”

3. Personal Data That May Be Processed, Purpose of Processing, and Legal Grounds

In this context, IFC, in compliance with the PDPL, collects and retains the Personal Data specified below. The Personal Data processed by IFC can be detailed as follows:

4. Method of Collecting Personal Data

Your personal data is collected before the establishment of a contractual relationship with our company, based on your interest, requests, and expectations regarding the products or services we offer. This collection is conducted for the purposes of quotation, promotion, marketing activities, communication, and customer relationship management. In this process, your personal data is processed through various methods, either fully or partially automated or non-automated as part of a data recording system, based on the information and documents you provide. The collection may occur verbally, in writing, or electronically.

5. How Is the Security of Personal Data Ensured?

IFC places great importance on protecting the confidentiality and security of personal data. In this regard, necessary technical and administrative security measures are implemented to safeguard personal data against unauthorized access, damage, loss, or disclosure. Accordingly, system controls, data access controls, secure data transfer controls, business continuity controls, and other necessary corporate security measures are applied. Additionally, sensitive personal data is processed in compliance with the adequate measures determined by the Authority.

6. Do We Transfer Your Personal Data to Third Parties and/or Abroad?

(i) Your personal data may be shared in compliance with Article 8 of the PDPL and other relevant legislation under the following circumstances:

• With Authorized Public Institutions and Organizations for the purposes of ensuring compliance with legal regulations, conducting finance and accounting processes, providing information to authorized persons, institutions, and organizations, and monitoring and managing legal affairs.
• With Lawyers engaged by IFC through contractual agreements for the purpose of monitoring and managing legal affairs and executing contractual processes.
• With Business Partners, such as audit firms, to ensure the continuity of activities carried out within the scope of IFC's business partnership plans.

Your personal data will be shared only to the extent necessary for achieving the above-mentioned purposes.

(ii) We sign standard contracts with the parties who we transfer your personal data in the place of personal data transfer abroad.

7. What Are Your Rights as a Data Subject and How Can You Submit a Request?

i. Your Rights Regarding Your Personal Data

We would like to inform you that you have the following rights concerning the personal data processed within IFC:

• To learn whether your personal data is being processed,
• To request information if your personal data has been processed,
• To learn the purpose of processing your personal data and whether it is used in accordance with its purpose,
• To learn the identity of third parties to whom your personal data has been transferred within the country, if applicable, and which data has been transferred,
• To request the correction of your personal data if it is incomplete or inaccurate,
• To request that third parties to whom your personal data has been transferred be informed of any corrections, deletions, or destructions of your data,
• To request the deletion or destruction of your processed personal data in the event that the reasons requiring its processing no longer exist or if your personal data has become outdated,
• To object to any outcome that arises against you as a result of the exclusive analysis of your processed personal data through automated systems,
• To request compensation for damages in the event that you suffer harm due to the unlawful processing of your personal data.

You may submit your requests regarding these rights through the application procedures specified below.

ii. Application

You may submit your requests regarding your personal data by completing the application form available on our website and delivering it in writing via hand delivery, postal mail, or courier to the address specified in the last section, through notary services, via secure electronic signature or mobile signature to our registered electronic mail (KEP) address, or by sending an email to kvkk@ifm.gov.tr from the email address you have previously provided to us and is registered in our system.

IFC will respond to requests as soon as possible and within a maximum of thirty (30) days free of charge, depending on the nature of the request. However, if the fulfillment of your request incurs a cost, we may charge you the fees specified in the tariff determined by the Personal Data Protection Board.

Following the evaluation of your request, IFC may either accept or reject the request by providing a justification. The response will be provided in writing or electronically to the applicant. If the request is accepted, IFC is obliged to fulfill the requirements of the request immediately.

iii. Data Controller Identity Information

The term IFC used in this document refers to TVF İFM Gayrimenkul İnşaat ve Yönetim Anonim Şirketi, a company established in Türkiye, whose details are provided below. This document has been prepared for the data subjects whose personal data is processed under the responsibility of the company specified below.