PERSONAL DATA PROTECTION POLICY AND DISCLOSURE STATEMENT PURPOSE OF THE PERSONAL DATA PROTECTION POLICY
This Personal Data Protection Policy (“Policy”) defines the approach of Roya Yapı Sanayi Ticaret Anonim Şirketi (“Roya Yapı”) regarding the protection of personal data and includes the following definitions:

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing of Personal Data: Any operation performed on personal data, whether automated or not, including the collection, recording, storage, preservation, alteration, retrieval, disclosure, transfer, reception, organization, classification, or any other operation that renders the data accessible or prevents its use.
• Special Categories of Personal Data: Data relating to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, attire, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.
• Data Controller: Any company of Roya or a real or legal person who determines the purposes and means of processing personal data, and is responsible for establishing and managing the data recording system.
• Data Processor: Any company of Roya or a real or legal person processing personal data on behalf of and based on the authority granted by the Data Controller.
• Data Subject: The natural person to whom personal data pertains.
• Data Recording System: The data recording system used by any Roya company in which personal data is processed according to certain criteria.
• Board: The Personal Data Protection Board.
• Authority: The Personal Data Protection Authority.
• Law: The Personal Data Protection Law published in the Official Gazette dated April 7, 2016, and numbered 29677.
The Policy details Roya’s:
• Collected Personal Data:
- Content and Categories
- Usage: How the data is used
- Disclosure: Persons and institutions within Turkey and abroad to whom the data may be shared
• Processing Methods: How personal data is processed
• Storage Conditions: Conditions under which personal data is stored
• Rights of Data Subjects: Rights of individuals regarding their personal data
• Protective Measures: Measures taken to protect personal data
The Policy aims to provide clarity to data subjects regarding these matters in the context of Roya’s activities.
PERSONAL DATA COLLECTED BY ROYA AND THEİR PROCESSİNG PURPOSES
In relation to Roya’s objectives, personal data of customers, employees, and authorized individuals may be collected and processed, including but not limited to:

• Identity documents such as ID cards, driver's licenses, passports, residence permits, civil registry extracts, and marriage certificates, including their copies;
• Health information such as medical reports and blood group certificates;
• Biometric and genetic data such as photographs, videos, and fingerprints;
• Contact information including phone numbers and email addresses;
• Criminal records and various information related to criminal convictions and security measures, including police records;
• Any official document verifying signatures.
Roya's purposes and legal grounds for processing personal data are summarized below, and Roya is committed to not processing personal data outside these purposes and grounds. The purposes for processing personal data are as follows:
• For commercial partners:
- Except for the exceptions regulated under KVKK Article 5(2)(c),
- Use of previously obtained data in future processes;
- Resolution of commercial disputes;
- Time-saving;
- Ensuring data security by transferring data to servers located abroad or domestically;
- Data backup;
- External and internal audits, accounting, tax consultancy;
- Group internal data transfer;
- IT, translation, and legal consultancy services;
- Future planning;
- Statistical record-keeping;
- Monitoring of past activities;
- Ensuring order, control, management, and compliance at the workplace;
- Archiving data obtained from office activities;
- Facilitating the recruitment process.
DATA COLLECTION METHODS
Roya will collect Personal Data through the following methods:
• Email
• Fax
• Telephone
• Mail
• Courier
• In-person delivery
PROCESSING AND TRANSFER CONSENT
Domestic Processing and Transfer: The processing and transfer of Personal Data within the country by Roya to third parties and entities can only occur with the explicit consent of the data subject. In the absence of explicit consent, processing and transfer will only take place under the following conditions:
• Explicitly stipulated by laws;
• Necessary for the protection of the life or physical integrity of a person who is unable to express consent due to physical impossibility or whose consent is not legally valid;
• Necessary for the processing of Personal Data directly related to the establishment or performance of a contract with the parties to the contract;
• Necessary for Roya or other Data Controllers to fulfill their legal obligations;
Made public by the data subject themselves;
• Necessary for the establishment, exercise, or protection of a right;
• Necessary for processing data for the legitimate interests of Roya or other Data Controllers, provided that it does not harm the fundamental rights and freedoms of the data subject.
Processing and Transfer of Special Categories of Personal Data: The processing and transfer of special categories of personal data are only possible with the explicit consent of the data subjects. In the absence of explicit consent, processing and transfer will only occur under the following conditions:
• Personal data not related to health and sexual life can be processed without the explicit consent of the data subject, as stipulated by the laws.
• Personal data related to health and sexual life can only be processed without the explicit consent of the data subject if it is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and financing, by individuals or authorized institutions and organizations bound by confidentiality obligations.
Processing and Transfer Abroad: Roya can process and transfer the personal data of data subjects abroad, in relation to its commercial partners and employees, only with the explicit consent of the data subject. Without explicit consent, this can only occur under the following conditions:
• In the presence of the conditions mentioned in points a and 4.b above, and in addition:
• In the foreign country where the personal data will be transferred:
• If there is adequate protection as determined and announced by the Board;
• If there is no adequate protection, the data controllers in Turkey and in the relevant foreign country must provide written assurance of adequate protection and obtain permission from the Board.
• Additionally, personal data can be transferred abroad, subject to international treaty provisions, in cases where serious harm would be caused to the country or the data subject’s interests. Such transfers can only be made with the consent of the Board after consulting the relevant public institution or organization.
CHANGES TO THE PERSONAL DATA PROTECTION POLICY
Roya may make changes to this Policy from time to time as required by operational needs or legal obligations. Such changes will become effective upon being posted on the Policy page of the website at http://royayapi.com.tr/. Additionally, customers, employees, and officials will be notified of changes via email.
INFORMATION TEXT ON THE PROCESSING AND PROTECTION OF PERSONAL DATA
At Roya, we prioritize the privacy and security of your personal data. With this Information Text (“Information Text”), we, as the Data Controller, would like to inform you about the processing of your personal data in accordance with the Law No. 6698 on the Protection of Personal Data (“KVKK”) and the Law No. 6563 on the Regulation of Electronic Commerce (“ETK”), as well as other applicable legislation (“Legislation”). For detailed information on the purposes of processing your personal data, you can access the Roya Personal Data Protection Policy at “http://royayapi.com.tr/”.
YOUR PROCESSED PERSONAL DATA, PROCESSING PURPOSES, AND LEGAL BASIS
Your identity data (name, surname), contact data (mobile phone number, email address), and location and transaction security information (consent records, IP address, pixel tags, clickstream, traffic data) will be processed by Roya under Article 5/2 of the KVKK based on the following legal reasons: (i) "explicitly stipulated by laws," (ii) "necessary for the establishment or performance of a contract," and (iii) "necessary for the establishment, exercise, or protection of a right." These will be processed within the scope of the purposes outlined below:
• In case you request products/services within the real estate portfolio of Roya, the necessary work will be carried out to provide you with offers, convey information according to your request, fulfill your request, and communicate with you within this scope.
• Ensuring that our company complies with all applicable legal regulations and fulfills administrative and legal obligations.
• Managing the relationships between our company, our subsidiaries, our business partners, and third parties with whom we have business relations, ensuring their legal and commercial security, following legal processes, and establishing, exercising, and protecting rights arising from legislation.
If your collected personal data is processed under Article 5/1 of the KVKK with your explicit consent, Roya may process them for the following purposes:
• Identifying potential buyers/tenants for properties in Roya's portfolio and conducting targeted marketing activities for these potential customers.
• Determining our company's commercial and business strategies, managing customer services/relationships, evaluating your satisfaction, and conducting statistical studies in this context.
• With your consent, contacting you through communication channels regarding properties in Roya's portfolio and providing information for promotional and marketing purposes via phone, SMS (short message), email, and digital channels, as well as transferring data and information.
• Keeping statistics related to customers to increase efficiency in sales, marketing, and customer services.
PARTIES TO WHOM YOUR PERSONAL DATA IS TRANSFERRED AND PURPOSES OF TRANSFER
In accordance with the fundamental principles outlined in the KVKK and under KVKK Article 8/1, if your explicit consent is obtained, your personal data processed by Roya may be transferred for the purposes mentioned above, in cases where your explicit consent is required. The data may be transferred to individuals and institutions residing domestically, from whom Roya receives services and products, or with whom Roya has a confidentiality obligation, as well as to its suppliers, service providers, and business partners, for the purpose of fulfilling services or contracts. In addition, within the scope of the activities mentioned above, your personal data may be transferred to legally authorized public institutions and authorized private persons in accordance with KVKK Article 8/2. Furthermore, in line with the realization of the aforementioned purposes, and in accordance with KVKK Article 8/1, if your explicit consent is obtained, your data may be shared with Roya's business partners and suppliers located abroad, from whom services are received through a contract, and who are bound by confidentiality obligations, in accordance with KVKK Article 9/1, if your explicit consent is obtained.