PURPOSE

As BİMED Teknik Aletler Sanayi ve Ticaret Anonim Şirketi (“BIMED”), it is our priority to process the personal data of real persons, including our customers, visitors to our websites or facilities, real person suppliers and real person employees of our suppliers, employee candidates, former employees and current employees (collectively referred to as “Individuals”), in accordance with the Law on the Protection of Personal Data Numbered 6698 (hereinafter referred to as “LPPD”) in force in Turkey in particular, the secondary legislation based on it and the decisions taken by the Personal Data Protection Board (collectively referred to as “Data Protection Legislation” within this policy), and to ensure the effective use of the rights of the relevant persons, that is, Individuals. For this reason, we process, store and transfer all personal data belonging to the Individuals that we obtain during our activities in accordance with BIMED’s Personal Data Processing Storage and Destruction Policy (“Policy”). The protection of personal data and the observance of the fundamental rights and freedoms of individuals whose personal data are collected are the basic principles of our policy regarding the processing of personal data. Therefore, we carry out all our activities in which personal data are processed by observing the rights of privacy, confidentiality of personal information, confidentiality of communication, freedom of thought and belief. For the purpose of protecting personal data, we take all administrative and technical protection measures required by the nature of the data in accordance with the Data Protection Legislation and current technology. This Policy describes the methods we follow for the processing, storage, transfer and deletion or anonymization of personal data processed during our human resources, trade, promotion, marketing, security and similar activities within the framework of the principles mentioned in the LPPD.

SCOPE

All kinds of personal data processed by BIMED and belonging to Individuals are covered by this Policy. Our policy is implemented in activities for the processing of all personal data processed by BIMED and has been handled and prepared in accordance with the Data Protection Legislation and international standards in this field.

DEFINITIONS AND ABBREVIATIONS

This section briefly describes the definitions and abbreviations in the Policy.
Personal Data: It means any information about the identified or identifiable real person.
Personal Data Subject (Relevant Person): It means the real person whose personal data is processed.
Processing of Personal Data: It means any process carried out on data such as obtaining, recording, storing, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data in whole or in part by automatic means or by non-automatic means provided that it is part of any data recording system.
Data Processor: It means the natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.
Data Controller: It means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Explicit Consent: It means the consent to a particular subject, based on information and free will, in a clear, unwavering manner, limited to that process.
Anonymization: It means making personal data impossible to associate with an identified or identifiable real person under any circumstances, even if it is matched with other data.
Employee: It means BIMED personnel.
Sensitive Personal Data: It means the data related to race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, health information, fingerprint, appearance and clothing, association, foundation or trade union membership, sexual life, criminal conviction and security measures, and biometric and genetic data.

ROLES AND RESPONSIBILITIES
Data Protection Committee

The Data Protection Committee within the BIMED organization is responsible for preparing, developing, executing and updating this Policy. The Committee shall evaluate this Policy in terms of timeliness and development needs when necessary. It is the responsibility of the Data Protection Committee to publish the prepared document within the institution and on the website.

The Personal Data We Have

The main personal data of Individuals processed by BIMED may be defined as follows.

a. Identification data, for example your name, photo, gender, date of birth, identification number;

b. National or other identity documents, such as your national identity/passport, information on any visa application, driver’s license, national health system number (or equivalent);

c. Contact information, such as your home address, personal phone numbers and email addresses, emergency contact and/ or contact information of your closest relative;

d. Information about your profession and business, such as your title/ duty, workplace or places, contract clauses, performance, evaluation, training and career development records, any complaint procedure records you are involved in, disciplinary records, holiday/annual leave information you request and use, all other leave information you request and use, and disease records;

e. Information about professional qualifications, achievements and/or skills, for example academic/professional qualifications, education, CV/ resume and languages you know. This includes all competencies required for your business, such as your driving licence class or criminal record and/or professional organization memberships;

f. Information about financial data, such as bank account information, tax information and payments made to you by BIMED, including salary, bonus, overtime and other variable payment elements, costs and BIMED allowances;

g. Other information required for the administration of payments made to you or made by you, such as any credit information you receive, any contributions made before or through salary/fee payment and any additions to your income and any deductions from your income;

h. Information about your use of BIMED systems, devices and goods, such as the identity of your computer and/or mobile phone or other devices, mobile or fixed phone numbers, user ID, IP addresses, registration files, software and hardware inventories, data collected for the purpose of controlling and ensuring the security of website traffic through cookies, information about access to BIMED facilities, call center records and CCTV records;

i. Business travel and accommodation information;

j. Health and safety information, such as occupational accident records, personal injury claim information (affecting BIMED), medical documents, fitness for work assessments or other occupational health reports, and results of drug and alcohol testing; and

k. Information about your past and/or prospective and/or current employer.

The personal data we have and summarized above, the purposes of processing, the periods, the groups of persons whose data are processed, the recipients to whom the data are transferred and whether they are transferred abroad are all compiled in an inventory together with the security measures taken, and are recorded in the Data Controllers Registered Information System VERBIS by the Data Controller BIMED. These records are open to the public and can be accessed at https://verbis.kvkk.gov.tr

LEGAL LIABILITIES

As Data Controller in accordance with the LPPD, our legal obligations within the scope of the protection and processing of personal data are listed below:

Our Disclosure Obligation

As Data Controller, we are obliged to provide information on the following when collecting personal data:

➢ The purpose for which your personal data will be processed;

➢ Information about our identity and the identity of our representative, if any;

➢ To whom and for what purpose your processed personal data can be transferred;

➢ The way we collect data and the legal reason;

➢ The rights arising from the law of the relevant persons whose data is processed.

In accordance with our disclosure obligation, BIMED takes care that this Policy, which is open to the public, is clear, understandable and easily accessible.

Our Obligation to Ensure Data Security

As Data Controller, we take the administrative and technical measures stipulated in the Data Protection Legislation to ensure the security of the personal data in our possession. In this context, it is our obligation to prevent the processing of personal data contrary to the law and company policy/rules, to prevent access to personal data contrary to the law and company rules, to ensure that the data are stored and maintained under appropriate conditions, and to carry out the data destruction process in accordance with the law and company policy/rules. In case of non-compliance with the rules, we apply the necessary sanctions and internal disciplinary rules.

PROCESSING OF PERSONAL DATA
Our Principles for Processing Personal Data

➢ We process personal data in accordance with the rules of honesty and in a transparent manner by fulfilling our obligation to disclose.

➢ We take the necessary measures in our data processing procedures to ensure that the data processed is accurate and up-to-date. We also allow the Personal Data Subject to update his/her existing data and, if any, to contact us to correct the errors in his/her processed data.

➢ As BIMED, we process personal data within the scope and content of our legitimate purposes determined to continue our activities within the framework of the legislation and the ordinary flow of commercial life.

➢ We process personal data in a limited and moderate manner in connection with the purpose that we clearly and precisely determine. We avoid the processing of personal data that are not relevant or need not be processed. Therefore, unless there is a legal requirement, we do not process personal data of a special nature, or we obtain explicit consent from the relevant persons when we need to process it.

➢ Many regulations in the legislation require the storage of various personal data for a certain period of time. For this reason, we store the personal data we process for as long as required by the relevant legislation or for the purposes of processing personal data. In the event that the retention period stipulated in the legislation expires or the purpose of processing disappears, we delete, destroy or anonymize personal data.

Purposes of Processing Personal Data

We process personal data for the purposes listed below:

➢ Providing Information to Authorized Persons, Institutions and Organizations

➢ Execution of Human Resources Activities

➢ Execution of Occupational Health / Safety Activities

➢ Conduct of Internal Audit/Investigation / Intelligence Activities

➢ Execution of Contract Processes

➢ Execution of Finance and Accounting Works

➢ Execution of Customer Relationship Management Processes

➢ Execution of Supplier Relationship Management Processes

➢ Conducting Sales / Marketing/Business Development Activities

➢ Execution of Logistics Activities

➢ Ensuring Physical and Digital Environment Security

Processing of Sensitive Personal Data

Personal data of special nature are processed by us in cases stipulated by law and by taking administrative and technical measures stipulated by the Personal Data Protection Board or by obtaining the explicit consent of the relevant persons.

Exceptional Circumstances in which Explicit Consent is Not Sought in Processing Personal Data

In the following exceptional cases, we may process personal data without obtaining explicit consent from the relevant persons:

➢ It is expressly stipulated in the law;

➢ Processing is obligatory for the protection of the life or integrity of the person, or of another person, where the person is unable to express his/her consent due to actual impossibility or his/her consent is not legally valid;

➢ The processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the establishment or performance of a contract;

➢ Processing is mandatory in order for the data controller to fulfill its legal obligation;

➢ The data has been made public by the person concerned;

➢ Data processing is mandatory for the establishment, exercise or protection of a right;

➢ Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.

TRANSFER OF PERSONAL DATA

We take care to allow access to personal data only to persons who need to access it in order to perform their duties and to third parties with a legitimate purpose to access it. Whenever we allow third parties access to your personal data, we will apply appropriate measures to ensure that the data is used in a manner consistent with this policy and that the confidentiality and integrity of the data are protected. Within the limits stipulated in the Data Protection Legislation, the personal data we process may be recorded, processed and transferred abroad, with the knowledge and explicit consent of the relevant persons, by BIMED and the local and global companies of BIMED with different legal personalities, their affiliates, and service providers in the position of data processor from which they purchase services through a service agreement. Your personal data will not be disclosed in any way to third parties other than those listed above.

Except in mandatory cases, no data transfer is performed by memory stick. When necessary, such a transfer is made under the guidance of the responsible persons. Closed envelopes and locked cabinets are used for the security of the data to be transferred in paper format. As Data Controller, it is the responsibility of BIMED to take the necessary technical and administrative measures in this regard.

RETENTION OF PERSONAL DATA
Retention of personal data for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed

Without prejudice to the retention periods stipulated in the legislation, BIMED is responsible for the period required by the purpose of processing personal data. Personal data are kept for the period stipulated in the legislation or required by its purpose. Data is stored in physical (unit cabinets, archives) or electronic (server, cloud, etc.) environments. While our physical records are kept within our campus, our electronic records are both stored on the servers of our service suppliers located in Turkey and backed up on the local servers in the BIMED campus. The necessary security measures are taken for the storage of the data, and the security of the environment is provided by BIMED. Care is taken not to lose the integrity of the data in all digital and physical storage environments. In cases where we process personal data for more than one purpose, the data are deleted, destroyed or anonymized if there is no obstacle to the deletion of the data upon the request of the person concerned. The requirements of Data Protection Legislation are complied with in terms of destruction, deletion or anonymization.

DELETION, DESTRUCTION AND ANONYMIZATION OF PERSONAL DATA
Erasure and Destruction of Personal Data

Deletion, destruction and/or anonymization process is applied for personal data in the following cases:

➢ There is a change in the provisions of Data Protection Legislation;

➢ Elimination of the conditions requiring the processing and storage of personal data;

➢ If the person concerned does not give explicit consent or withdraws his/her consent and this decision is deemed appropriate by the data controller;

➢ Expiration of the maximum period that requires the storage of personal data;

➢ The request for the destruction of data as a result of an application to the Personal Data Protection Board is deemed appropriate by the board;

Methods Used in the Deletion and Destruction of Personal Data:

The methods used for the deletion and destruction of personal data are given below. One of the following methods is used according to the way personal data is stored.

Destruction of Personal Data Stored as Documents:

It is the responsibility of the unit managers who process the data to safely destroy data stored as documents in the physical environment (in cabinets and/or archives). Such documents are destroyed by cutting, burning, chopping with scrap machines or similar methods so that they cannot be recycled or read. Support can also be obtained from an expert organization in the position of data processor for the destruction of this data as defined.

Deletion of Personal Data Stored in Electronic Media:

It is the responsibility of the Information Technologies department to reliably delete and destroy data stored in the electronic environment. Data stored in digital media are deleted in a way that is not accessible to those concerned or destroyed in such a way that they cannot be reused. Physical or electronic processes applied to the data stored and destroyed in both media are recorded in the minutes by the Information Technologies unit.

RIGHTS OF THE PERSONAL DATA OWNER

The Personal Data Subject shall have the rights given below regarding his/her personal data:

➢ To learn whether personal data is processed or not;

➢ To request information if personal data has been processed;

➢ To learn the purpose of processing personal data and whether they are used in accordance with their purpose;

➢ To know the third parties to whom personal data are transferred in Turkey or abroad;

➢ To request the correction of incomplete or incorrect processing of personal data;

➢ To request the deletion or destruction of personal data if the reasons requiring the processing of personal data are eliminated;

➢ To request notification of the correction, deletion or destruction processes mentioned above to third parties to whom personal data are transferred;

➢ To object to an adverse result arising from the analysis of the processed data exclusively through automated systems;

➢ To claim compensation in case of loss due to unlawful processing of personal data.

Exercise of Rights Regarding Personal Data

Each person whose data is processed in accordance with the instructions of the data controller BIMED has the right to apply to the data controller in accordance with Article 13 of the LPPD in order to exercise his/her rights under Article 11 of the LPPD. The data controller BIMED must accept this application, or reject it by explaining its justification, within 30 (thirty) days at the latest. However, in order for this application to be accepted as a proper application, it must meet all the elements regulated in the Communiqué on the Procedures and Principles of Application to the Data Controller. In order for the application of any person concerned to be accepted as a valid application, it must be submitted in one of the following ways:

• In the Turkish language, in writing, by the person concerned in person upon presenting identification; or

• Registered electronic mail (KEP) address, secure electronic signature, mobile signature; or

• By using the e-mail address previously notified to BIMED by the relevant person and registered in BIMED’s system; or

• Communication to BIMED through a software or application developed for the purpose of application.

Again, in order for an application to be accepted and evaluated as a proper application, all of the following matters must be included:

• Name and surname of the person concerned, and wet signature when the application is written;

• Turkish identity number for citizens of the Republic of Turkey; nationality and passport number, or identity number if any, for foreigners;

• Residential address or workplace address for notification;

• E-mail address, telephone and fax number for notification, if any;

• Subject of the request of the person concerned.

For this reason, in order to exercise the rights granted to the relevant persons pursuant to Article 11 of the LPPD, an application must be sent to BIMED by registered mail using the contact and address information contained in this Policy, by coming in person, via an e-mail address registered in BIMED systems or by using secure electronic signature. Individuals and other relevant persons can contact the Data Protection Committee at kvkk@bimedteknik.com if they have any questions or concerns about this Policy or other personal data protection practices of BIMED or if they have a request regarding their rights.