DATA RETENTION AND DESTRUCTION POLICY

1. INTRODUCTION

The protection of personal data is among the most important priorities of our Company. The most important pillar of this issue is the protection and processing of the personal data of our employees, customers, potential customers, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of institutions with which we cooperate, and third parties, which are managed by this Policy.

According to the Constitution of the Republic of Turkey, everyone has the right to demand the protection of their personal data. Regarding the protection of personal data, which is a Constitutional right, BİMEKS ÇELİK TİCARET A.Ş. (“BİMEKS ÇELİK”) shows the necessary care for the protection of the personal data of its employees, customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions it cooperates with, and third parties, managed by this Policy, and makes this a Company policy.

Your personal data is operated by BİMEKS ÇELİK, operating at "Cevizli Mah. Tugay Yolu Cad. Ofisim İstanbul Plaza A-Blok Kat: 14/61 34846 Maltepe/Istanbul" as the data controller in accordance with the Personal Data Protection Law No. 6698 (“Law No. 6698” or “PDPL”). In this context, necessary administrative and technical measures are taken by BİMEKS ÇELİK for the protection of personal data processed in accordance with the relevant legislation.

In this Policy, detailed explanations will be given regarding the basic principles adopted by BİMEKS ÇELİK in the processing of personal data, listed below:

• Processing personal data in accordance with the law and good faith,

• Keeping personal data accurate and, when necessary, up to date,

• Processing personal data for specific, explicit, and legitimate purposes,

• Processing personal data relevantly, limitedly, and proportionately to the purpose for which they are processed,

• Retaining personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,

• Enlightening and informing personal data subjects,

• Establishing the necessary system for personal data subjects to exercise their rights,

• Taking necessary measures in the preservation of personal data,

• Acting in accordance with the relevant legislation and the PDP Board regulations when transferring personal data to third parties in line with the requirements of the processing purpose,

• Showing necessary sensitivity to the processing and protection of special categories of personal data.

1.1. PURPOSE OF THE PERSONAL DATA RETENTION AND DESTRUCTION POLICY

The main purpose of this Policy is to make explanations about the personal data processing activity carried out in accordance with the law by BİMEKS ÇELİK and the systems adopted for the protection of personal data, and in this context, to ensure transparency by informing the persons whose personal data is processed by our Company, primarily our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of the institutions we cooperate with, and third parties.

1.2. SCOPE AND AMENDMENT OF THE POLICY

This Policy relates to all personal data of our customers, potential customers, employees, employee candidates, company shareholders, company officials, visitors, employees, shareholders, and officials of institutions with which we cooperate, and third parties, which are processed automatically or non-automatically as part of any data recording system.

The scope of application of this Policy to the groups of personal data subjects categorized above may be the entirety of the Policy (e.g., Active customers who are also our Visitors); or it may be only certain provisions (e.g., Only our Visitors).

1.3. APPLICATION OF THE POLICY AND RELEVANT LEGISLATION

The relevant legal regulations in force regarding the processing and protection of personal data will primarily find an area of application. In the event of an inconsistency between the legislation in force and the Policy, the legislation in force will apply.

The Policy is created by concretizing and organizing the rules set forth by the relevant legislation within the scope of BİMEKS ÇELİK practices. Our company carries out its necessary systems and preparations to act in accordance with the effective periods stipulated in the PDPL.

2. MATTERS REGARDING THE PROCESSING OF PERSONAL DATA

Our company, in accordance with Article 20 of the Constitution and Article 4 of the PDPL, engages in personal data processing activities concerning the processing of personal data; in compliance with the law and good faith; accurate and up-to-date when necessary; pursuing specific, explicit, and legitimate purposes; and in a relevant, limited, and proportionate manner connected to the purpose. Our company retains personal data for the period stipulated in the laws or required by the purpose of processing personal data.

Our company, pursuant to Articles 20 of the Constitution and 5 of the PDPL, processes personal data based on one or more of the conditions set out in Article 5 of the PDPL regarding the processing of personal data.

Our company acts in accordance with the regulations stipulated regarding the processing of special categories of personal data, in compliance with Article 6 of the PDPL.

Our company acts in accordance with the regulations stipulated in the law and put forward by the PDP Board regarding the transfer of personal data, in compliance with Articles 8 and 9 of the PDPL.

2.1. PROCESSING PERSONAL DATA IN ACCORDANCE WITH THE PRINCIPLES STIPULATED IN THE LEGISLATION

2.1.1. Processing in Accordance with the Law and Good Faith

Our company acts in accordance with the principles brought by legal regulations and the general rule of trust and good faith in the processing of personal data. In this context, our Company takes proportionality requirements into account in the processing of personal data and does not use personal data outside its required purpose.

2.1.2. Ensuring Personal Data is Accurate and, When Necessary, Up to Date

Our company ensures that the personal data it processes is accurate and up to date, taking into account the fundamental rights and its own legitimate interests of the personal data subjects. It takes the necessary measures in this direction.

2.1.3. Processing for Specific, Explicit, and Legitimate Purposes

Our company determines the legitimate and lawful purpose of processing personal data clearly and definitively. Our company processes personal data limited to and as necessary for the service it provides. The purpose for which personal data will be processed by our Company is put forward before the personal data processing activity even begins.

2.1.4. Being Relevant, Limited, and Proportionate to the Purpose for which they are Processed

Our company processes personal data in a manner suitable for achieving the determined purposes and refrains from processing personal data that is not related to the realization of the purpose or is not needed. For instance, a personal data processing activity is not conducted to meet possible subsequent needs.

2.1.5. Retaining for the Period Stipulated in the Relevant Legislation or Necessary for the Purpose for which they are Processed

Our company retains personal data only for the time specified in the relevant legislation or the time required for the purpose for which they are processed. In this context, our Company first determines whether a period is stipulated for the storage of personal data in the relevant legislation; if a period is determined, it acts in accordance with this period, and if no period is determined, it stores personal data for the time required for the purpose for which they are processed. Upon the expiration of the period or the disappearance of the reasons requiring its processing, personal data is deleted, destroyed, or anonymized by our Company.

2.2. PROCESSING PERSONAL DATA BASED ON AND LIMITED TO ONE OR MORE OF THE PERSONAL DATA PROCESSING CONDITIONS SPECIFIED IN ARTICLE 5 OF THE PDPL

The protection of personal data is a Constitutional right. Fundamental rights and freedoms may only be restricted by law, depending solely on the reasons stated in the relevant articles of the Constitution, without touching their essence. Pursuant to the third paragraph of Article 20 of the Constitution, personal data may only be processed in cases stipulated by law or with the explicit consent of the person. In this direction and in accordance with the Constitution, our company processes personal data only in cases stipulated by law or with the explicit consent of the person.

The explicit consent of the personal data subject is only one of the legal bases that enable personal data to be processed lawfully. Apart from explicit consent, personal data may also be processed in the presence of one of the other conditions listed below. The basis of the personal data processing activity may be only one of the conditions specified below, and more than one of these conditions may be the basis of the same personal data processing activity. If the processed data is special category personal data; the conditions below apply.

Although the legal bases for the processing of personal data by our Company vary, the general principles stated in Article 4 of the PDPL are complied with in all types of personal data processing activities.

(i) Presence of the Explicit Consent of the Personal Data Subject

One of the conditions for processing personal data is the explicit consent of the owner. The explicit consent of the personal data subject should be disclosed based on information regarding a specific subject and with free will.

In order for personal data to be processed based on the explicit consent of the personal data subject, explicit consent is obtained from customers, potential customers, and visitors through relevant methods.

(ii) Being Explicitly Stipulated in the Laws

The personal data of the data subject may be processed lawfully if explicitly stipulated in the law.

(iii) Inability to Obtain Explicit Consent of the Data Subject Due to Actual Impossibility

The personal data of the data subject may be processed if it is mandatory to process personal data to protect the life or bodily integrity of the person or another person who is unable to disclose their consent due to actual impossibility or whose consent is not granted legal validity.

(iv) Being Directly Related to the Establishment or Performance of a Contract

Personal data processing is possible if the processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract.

(v) The Company Fulfilling its Legal Obligation

The personal data of the data subject may be processed if the processing is mandatory for our Company to fulfill its legal obligations as a data controller.

(vi) The Personal Data Subject Making their Personal Data Public

If the data subject has made their personal data public themselves, the relevant personal data may be processed.

(vii) Bir Hakkın Tesisi, Kullanılması veya Korunması için Veri İşlemenin Zorunlu Olması

The personal data of the data subject may be processed if data processing is mandatory for the establishment, exercise, or protection of a right.

(viii) Data Processing is Mandatory for the Legitimate Interest of Our Company

The personal data of the data subject may be processed if it is mandatory for the legitimate interests of our Company, provided that it does not harm the fundamental rights and freedoms of the personal data subject.

2.3. PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

Special categories of personal data consist of data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. Our Company acts with maximum sensitivity in compliance with the regulations stipulated under the PDPL regarding the processing of personal data determined as "special categories" by the PDPL.

In accordance with the PDPL, special categories of personal data are processed by our Company in the following cases, provided that adequate measures determined by the PDP Board are taken:

• If there is explicit consent of the personal data subject, or
• If there is no explicit consent of the personal data subject:

- Special categories of personal data other than the health and sexual life of the personal data subject, in cases stipulated by laws,

- Special categories of personal data relating to the health and sexual life of the personal data subject, only by persons under the obligation of confidentiality or authorized institutions and organizations for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning and management of health services and their financing.

2.4. TRANSFER OF PERSONAL DATA

In line with lawful personal data processing purposes, our Company may transfer the personal data and special categories of personal data of the personal data subject to third parties (third-party companies, group companies, third-party natural persons) by taking the necessary security measures. In this regard, our Company acts in accordance with the regulations stipulated in Article 8 of the PDPL.

2.5. BUILDING AND FACILITY ENTRANCES, PERSONAL DATA PROCESSING ACTIVITIES CARRIED OUT WITHIN THE BUILDING AND FACILITY, AND WEBSITE VISITORS

For the purpose of ensuring security, our Company conducts personal data processing activities intended for monitoring via security cameras and tracking guest entries and exits in the buildings and facilities of our Company.

Personal data processing activities are carried out by our Company through the use of security cameras and the recording of guest entries and exits. In this context, our Company acts in accordance with the Constitution, the PDPL, and other relevant legislation.

Video records of our visitors are captured via the camera monitoring system at the entrances of and within the buildings and facilities of our Company. Within the scope of surveillance activities via security cameras, our Company aims to increase the quality of the service provided, ensure its reliability, ensure the security of the company, customers, and other persons, and protect the interests of customers regarding the services they receive.

Our Company acts in accordance with the regulations set forth in the PDPL when conducting camera surveillance activities for security purposes. The camera surveillance activity carried out by our Company is maintained in accordance with the Law on Private Security Services and the relevant legislation.

Only a limited number of Company employees have access to the records captured and stored in the digital environment.

In accordance with Article 12 of the PDPL, necessary technical and administrative measures are taken by our Company to ensure the security of personal data obtained as a result of camera surveillance activities.

In addition to the camera recordings specified above, our Company conducts personal data processing activities intended for tracking guest entries and exits in our Company buildings and facilities for the purpose of ensuring security and for the purposes specified in this Policy.

2.6. CONDITIONS FOR ERASURE, DESTRUCTION, AND ANONYMIZATION OF PERSONAL DATA

As regulated in Article 138 of the Turkish Penal Code and Article 7 of the PDPL, even if personal data has been processed in accordance with the provisions of the relevant law, such data shall be deleted, destroyed, or anonymized upon our Company's own decision or upon the request of the personal data subject in the event that the reasons requiring its processing cease to exist.

In this context, to fulfill its relevant obligation, our Company takes the necessary technical and administrative measures within the Company, develops the required operational mechanisms, trains the relevant business units to act in accordance with these obligations, and ensures their assignment and awareness.

For the purpose of ensuring security and for the purposes specified in this Policy, internet access can be provided by our Company to Visitors who request it during their stay within our Buildings and Facilities. In this case, the log records regarding your internet access are recorded in accordance with the mandatory provisions of Law No. 5651 and the legislation regulated based on this Law; these records are only processed if requested by authorized public institutions and organizations or to fulfill our relevant legal obligation during internal audit processes within the Company.

Only a limited number of Company employees have access to the log records obtained within this framework. Company employees who have access to the aforementioned records only access them to use these records during requests from authorized public institutions and organizations or audit processes, and share them only with legally authorized persons. The limited number of persons who have access to the records declare via a confidentiality undertaking that they will protect the confidentiality of the data they access.

3. MATTERS REGARDING THE PROTECTION OF PERSONAL DATA

In accordance with Article 12 of the PDPL, our Company takes the necessary technical and administrative measures to provide the appropriate level of security in order to prevent the unlawful processing of the personal data it processes, prevent unlawful access to the data, and ensure the preservation of the data, and conducts or commissions the necessary audits within this scope.

3.1. ENSURING THE SECURITY OF PERSONAL DATA

Our Company takes the necessary legal, technical, and administrative measures regarding data security on the matters specified below, and shows the highest level of attention and care in this regard. The actions and measures taken by our Company to ensure "data security" pursuant to Article 12 of the PDPL are specified below:

• Our Company takes technical and administrative measures according to technological possibilities and application costs to ensure the lawful processing of personal data. Employees are informed that they cannot disclose the personal data they have learned to others in violation of the provisions of the PDPL and cannot use it outside the purpose of processing, and that this obligation will continue after they leave office, and the necessary undertakings are obtained from them accordingly.

• Our Company takes technical and administrative measures according to the nature of the data to be protected, technological possibilities, and application costs to prevent imprudent or unauthorized disclosure, access, transfer, or any other form of unlawful access to personal data.

• Our Company raises awareness among data processing entities, such as business partners and suppliers to whom it has transferred personal data, regarding preventing the unlawful processing of personal data, preventing unlawful access to data, and ensuring the lawful preservation of data.

• The obligations that our Company must comply with as a data controller when processing personal data, and the obligation to comply with the legal, administrative, and technical measures developed in this regard, are contractually imposed on data processing entities with which our Company is in a relationship under various capacities such as suppliers or business partners, in a manner compatible with the nature of the data processing activity they perform.

• Our Company takes the necessary technical and administrative measures according to technological possibilities and application costs to store personal data in secure environments and prevent its destruction, loss, or alteration for unlawful purposes. 

• Our Company conducts or commissions the necessary audits within its own structure in accordance with Article 12 of the PDPL.

• Our Company operates a system that ensures that if the processed personal data is obtained by others through unlawful means, this situation is notified to the relevant personal data subject as soon as possible, in accordance with Article 12 of the PDPL.

3.2. OBSERVING THE RIGHTS OF THE DATA SUBJECT; CREATING CHANNELS TO SUBMIT THESE RIGHTS TO OUR COMPANY AND EVALUATING THE REQUESTS OF DATA SUBJECTS

 

Our Company operates the necessary channels, internal procedures, administrative, and technical regulations in accordance with Article 13 of the PDPL for the evaluation of the rights of personal data subjects and for providing the necessary information to personal data subjects.

If personal data subjects submit their requests regarding the rights listed below to our Company in writing, our Company concludes the request as soon as possible and within thirty days at the latest, depending on the nature of the request. Personal data subjects have the right to:

• Learn whether their personal data is processed or not,

• Request information regarding this if their personal data has been processed,

• Learn the purpose of processing their personal data and whether they are used in accordance with their purpose,

• Know the third parties to whom personal data is transferred domestically or abroad,

• Request the rectification of personal data if it is processed incompletely or inaccurately, and request the notification of the transaction made within this scope to third parties to whom personal data has been transferred,

• Request the erasure or destruction of personal data in the event that the reasons requiring its processing cease to exist, despite being processed in accordance with the PDPL and other relevant law provisions, and request the notification of the transaction made within this scope to third parties to whom personal data has been transferred,

• Object to the occurrence of a result against the person himself/herself by analyzing the processed data exclusively through automated systems,

• Claim compensation for the damage in case of loss due to the unlawful processing of personal data.

Pursuant to paragraph 1 of Article 13 of the PDPL, you must submit your request regarding the exercise of your above-mentioned rights to our Company "in writing" or by other methods determined by the Personal Data Protection Board.

In order to exercise your above-mentioned rights, submitting your request together with the necessary information identifying your identity and your explanations regarding the right you wish to exercise, by also specifying which right mentioned in Article 11 of the PDPL your application relates to, will ensure that your application regarding your request is answered more quickly and effectively.

Within this framework, based on Article 13 of the PDPL, the channels and procedures through which you will submit your application in writing within the scope of exercising your rights in the aforementioned Article 11 are explained below:

You may fill out the form on the Company's website containing your request for the right you wish to exercise from among the rights specified in Article 11 of the PDPL, and personally deliver a signed copy of the form to the address "Cevizli Mah. Tugay Yolu Cad. Ofisim İstanbul Plaza A-Blok Kat: 14/61 34846 Maltepe/Istanbul" together with documents identifying your identity, send it through a notary public or other methods specified in the PDPL, or send the relevant form to the address info@bimekscelik.com with a secure electronic signature.

3.3. PROTECTION OF SPECIAL CATEGORIES OF PERSONAL DATA

Particular importance has been attributed to certain personal data by the PDPL due to the risk of causing victimization or discrimination when processed unlawfully. These data relate to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.

Our Company acts with sensitivity in the protection of special categories of personal data that are determined as "special categories" by the PDPL and processed in accordance with the law. In this context, the technical and administrative measures taken by our Company for the protection of personal data are carefully applied for special categories of personal data, and the necessary audits are provided.

3.4. ENLIGHTENMENT AND INFORMATION OF THE PERSONAL DATA SUBJECT

Our Company enlightens personal data subjects during the acquisition of personal data in accordance with Article 10 of the PDPL. Within this scope, during the collection of personal data, our Company provides clarification to personal data subjects regarding the identity of our Company, the purpose for which personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and the rights that the personal data subject has under Article 11 of the PDPL.

Article 20 of the Constitution states that everyone has the right to be informed about personal data concerning themselves. In line with this, "requesting information" is also counted among the rights of the personal data subject in Article 11 of the PDPL. In this context, our Company provides the necessary information in case the personal data subject requests information, in accordance with Article 20 of the Constitution and Article 11 of the PDPL.

In addition, our Company ensures accountability and transparency by announcing to personal data subjects and related parties that it carries out personal data processing activities in accordance with all matters in the PDPL, primarily the rule of "Lawfulness and Good Faith", through various publicly available documents, notably this Policy document. Furthermore, our Company informs the relevant persons through many different methods about its own activities and the matters in the law, especially when it applies for the "explicit consent" of individuals.

Published: 03 July 2026 | Last Updated: 03 July 2026
Contact Us
With over 37 years of experience and a wide product range, Bimeks Çelik meets your steel needs. Please share your material and technical support inquiries with us. Our expert team will get in touch with you shortly to provide support.

E-mail

info@bimekscelik.com