Data Processsing Disclosure Statement For Camera Recordings

Stoneline Building Products Industry Joint Stock Company (hereinafter referred to as “the Company” or “Stoneline”) processes personal data at building and facility entrances and within premises in accordance with the Constitution of the Republic of Turkey, the Personal Data Protection Law (“KVKK”), and other relevant regulations. As the data controller under KVKK, Stoneline conducts security surveillance activities in its buildings and facilities, including monitoring via security cameras and tracking the entry and exit of visitors, subcontractors, and their vehicles.

CAMERA MONITORING AND RECORDING ACTIVITIES IN BUILDING AND FACILITY ENTRANCES

Stoneline processes personal data using visual recording systems to ensure legal, technical, and commercial business security at its facilities.

1.1 Legal Basis and Method of Collecting Data through Camera Monitoring

Camera monitoring and recording activities conducted by Stoneline comply with the Private Security Services Law No. 5188 and its associated regulations. These activities are carried out for legitimate purposes in compliance with KVKK Articles 5 and 6.

1.2 Compliance with Data Protection Laws

To ensure security, Stoneline processes personal data through camera monitoring within the scope of applicable laws and KVKK’s personal data processing conditions.

1.3 Notification of Monitoring Activities

Stoneline provides notice regarding camera monitoring activities, as required under KVKK Article 10. Notifications are made through various means, such as signs or QR codes at monitored areas, ensuring transparency and safeguarding the rights of data subjects.

1.4 Purpose and Scope of Monitoring Activities

In compliance with KVKK Article 4, personal data is processed only for specific, clear, and legitimate purposes. The purposes of camera monitoring are limited to the following:

• Managing recruitment processes for job applicants

• Fulfilling contractual and legal obligations for employees

• Ensuring compliance with regulations

• Maintaining physical security

• Conducting operational management and audits

• Ensuring occupational health and safety

• Business continuity management

• Enhancing customer satisfaction

• Organizing and managing events

• Risk management

• Protecting the security of operations

• Informing authorized persons, institutions, or organizations

• Conducting administrative operations

Monitoring is limited to areas and times necessary for security purposes. No surveillance is conducted in areas where privacy could be violated, such as dressing rooms, restrooms, etc.

1.5 Data Security Measures

Stoneline implements technical and administrative measures to ensure the security of personal data obtained through camera monitoring, in line with KVKK Article 12.

1.6 Retention Period for Camera Data

Data collected through camera recordings is retained for 10 years.

1.7 Data Sharing Practices

Access to data is restricted to authorized employees, and disclosures are made only to public authorities in accordance with legal requirements under KVKK Articles 8 and 9. Access is granted under confidentiality agreements.

TRACKING VISITORS AND SUBCONTRACTORS

To ensure security, Stoneline processes personal data regarding visitor entries and exits. Data, including names and surnames, is collected during visits to the premises, with notifications provided through text or other visible methods. Data is stored for legitimate purposes in physical or electronic systems and may be shared with authorized public authorities if required by law.

PURPOSES, CATEGORIES, AND RETENTION PERIODS FOR DATA PROCESSING

In compliance with KVKK Article 10, Stoneline informs data subjects about the categories of processed data, processing purposes, and retention periods.

DELETION, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

Stoneline deletes, destroys, or anonymizes personal data in compliance with Turkish Penal Code Article 138 and KVKK Article 7 when the reasons for processing no longer exist. This may occur voluntarily or upon request from the data subject.

4.1 Methods for Deletion and Destruction

• Physical Destruction: Non-automated data is irreversibly destroyed.

• Secure Deletion from Software: Digital data is deleted permanently using secure methods.

• Deletion by Specialists: Data may be securely deleted by experts.

4.2 Anonymization Methods

Anonymization ensures data cannot be associated with an identifiable person, even when combined with other datasets. Common methods include:

• Masking: Removing identifying details.

• Aggregation: Summarizing data into non-identifiable formats.

• Data Derivation: Generalizing specific data points.

• Shuffling: Disassociating data points from individuals.

RIGHTS OF DATA SUBJECTS UNDER KVKK ARTICLE 11

Data subjects have the following rights under KVKK:

• Inquire whether their data is processed

• Request information about processed data

• Understand the purpose of processing and its compliance

• Know the third parties to whom data is transferred

• Request correction of incorrect or incomplete data

• Demand deletion or destruction of data when processing reasons cease to exist

• Object to outcomes based solely on automated processing

• Seek compensation for damages resulting from unlawful processing

Requests can be submitted using the Data Subject Request Form. Stoneline will respond within 30 days, free of charge unless processing requires additional costs, in which case fees may apply as per the tariff set by the Personal Data Protection Board.