Information Security Policy

Index Grup Companies Personel Data Projection Policy

1. Scope

a. The purpose of this personal data protection policy ("Policy") is to ensure that INDEX GRUP COMPANIES (İndeks Bilgisayar Sistemleri Mühendislik Sanayi ve Ticaret Anonim Şirketi, Despec Bilgisayar Pazarlama ve Ticaret Anonim Şirketi, Neteks Teknoloji Ürünleri Anonim Şirketi, Datagate Bilgisayar Malzemeleri A.Ş., Teklos Teknoloji Lojistik Hizmetleri A.Ş.), its subsidiaries, affiliates and shareholders ("Index Grup Companies") process the personal data of third parties in accordance with the regulations of the Law on the Protection of Personal Data No. 6698 (the "Law"). Violation of the law will be considered serious by Index Grup Companies and will be evaluated under the scope of the disciplinary procedures. For the purposes of the Law, the following definitions shall prevail:

  1. Personal Data: Any information about an identified or identifiable natural person;
  2. Processing of Personal Data: Any action performed on data such as obtaining, recording, storing, keeping, modifying, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data entirely or partially through automated means, or by non-automated means provided it is part of a data storage system.
  3. Sensitive Personal Data: Biometric and genetic data and data of persons relating to race, ethnicity, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of association, foundation or trade union, health, sexual life, criminal conviction and security measures.
  4. Data Controller: A natural or legal person who identifies the purposes and means of processing personal data and is responsible for the establishment and management of the data record system.
  5. Data Processor: A natural or legal third person who processes Personal Data, based on the powers granted by Index Grup Companies, on behalf of said companies;
  6. Data Owner: The natural person whose personal data is processed.
  7. Data Storage System: The storage system where Personal Data used by Index Grup Companies are structured and processed according to certain criteria;
  8. Board: Personal Data Protection Board;
  9. Institution: Personal Data Protection Authority;
  10. Law: It refers to the Law on the Protection of Personal Data No. 6698 issued on the Official Gazette dated April 7, 2016 and numbered 29677.

b. With this Policy, Index Grup Companies intend to inform the Data Owner and its content is as follows:

  1. Contents and categories of Personal Data collected by Index Grup Companies; usage and transfer options;
  2. Methods of processing of Personal Data;
  3. The ways in which Personal Data are stored;
  4. Rights of the Personal Data Owners;
  5. Measures taken for the protection of Personal Data;

2. Principles on the Processing of Personal Data

a. The purpose of Index Grup Companies is the whole of the purposes stated in their trade registries.

b. Personal Data that may be collected from customers, employees, dealers and delegated persons of Index Grup Companies in relation to the purposes thereof and that can be processed are listed below and this list may be expanded in line with the purposes of Index Grup Companies:

  1. Identity documents such as identity card, driver's license, passport, residence, identity register copy and marriage certificate, and any copies thereof;
  2. Health information such as health reports or blood type reports;
  3. Photos and video recordings taken at events such as meetings and seminars;
  4. Photos and video recordings taken for security reasons;
  5. Phone number, e-mail address information;
  6. Various information about criminal conviction and security measures, including criminal record;
  7. Any official document confirming the signature of the data owner;

c. Index Grup Companies undertake, for commercial partners, to process Personal Data only within the framework of the following purposes and grounds, excluding the exceptions set out in Article 5(2)(c) of the LPPD;

  1. Use of previously obtained data in future transactions;
  2. Resolution of commercial disputes;
  3. Saving time;
  4. Transferring data to international or domestic servers for the purpose of ensuring data security;
  5. Backing up data;
  6. External and internal audit, accounting, tax consultancy;
  7. Conducting internal data transfer;
  8. IT, translation, legal consultancy services;
  9. Future planning;
  10. Keeping statistics;
  11. Follow-up of past works;
  12. Ensuring order and control, management and compliance in the workplace;
  13. Archiving the data obtained from office activities;
  14. Facilitating the operation of the recruitment process;
  15. Organizing training seminars;
  16. Customer satisfaction, quality control;
  17. Providing WiFi services,
  18. Marketing and developing new products and services,
  19. Sending congratulatory messages and e-mails on national and religious holidays and special days,
  20. Collecting via Virtual Pos.

3. Data Collection Method

Index Grup Companies shall collect Personal Data using the following methods:

  1. E-mail;
  2. Fax;
  3. Phone;
  4. SMS;
  5. Mail;
  6. Courier;
  7. Index Grup Companies' website and social media accounts;
  8. Virtual Environments;
  9. Personal Delivery.

4. Permission to Process and Transfer

a.Domestic Processing and Transfer:

Explicit consent of the data subject is required for Index Grup Companies to be able to process the Personal Data of data subjects domestically or to transfer them to natural and legal third persons, and if there is no explicit consent, it may only take place in the presence of the following conditions:

  1. If such is clearly required by law;
  2. It is required for the protection of the life or physical integrity of the person who is unable to express their consent due to physical impossibility or whose consent is not considered legally valid or of another person;
  3. If the processing of Personal Data belonging to the parties to a contract is necessary, provided it is directly related to the establishment or performance of the contract;
  4. It is required for Index Grup Companies to be able to fulfill their legal obligations;
  5. Is made public by the data subject;
  6. If data processing is mandatory for the establishment, exercise or protection of a right;
  7. Data processing is mandatory for the legitimate interests of Index Grup Companies and/or other Data Controller, without prejudice to the fundamental rights and freedoms of the data subject.

b. Processing and Transfer of Sensitive Personal Data:

  1. Index Grup Companies may only process and transfer sensitive Personal Data domestically with the express consent of the Data Owner.
  2. Personal Data that are not related to health and sexual life may be processed without the explicit consent of the data subject in cases set out in the law.
  3. Personal data related to health and sexual life can only be processed by persons or authorized institutions and organizations who are bound by the obligation of confidentiality for the purpose of protecting public health, preventive medicine, conducting medical diagnosis, treatment and care services, as well as planning and managing health services and financing, without seeking express consent of the data subject.

c. Overseas Personal Data Processing and Transfer:

  1. Index Grup Companies may process and transfer Personal Data abroad only with the express consent of the Data Owners.
  2. Index Grup Companies may transfer Personal Data abroad without the express consent of the Data Owner if the conditions specified in 4.a and 4.b above are present, and also;
    • If there is adequate protection in the foreign country where the Personal Data will be transferred;
    • If there is not sufficient protection and if Index Grup Companies and data controllers in the relevant foreign country undertake to provide adequate protection in writing and if the Board gives permission, Index Grup Companies may transfer Personal Data abroad.
  3. Without prejudice to international agreement provisions, in cases where the interests of Turkey or of the relevant Data Subject would be seriously damaged, Index Grup Companies may only transfer said data abroad with the permission of the Board after obtaining the opinion of the relevant public institution or organization.

5. Security of Personal Data

a. Index Grup Companies shall ensure the security of Personal Data for realizing the following purposes and shall take all necessary technical and administrative measures to ensure the appropriate level of security to provide for these purposes:

  1. To prevent unlawful processing of personal data,
  2. To prevent unlawful access to personal data,
  3. To ensure the protection of Personal Data.

b. If the Personal Data is processed by another natural or legal person on behalf of Index Grup Companies, they are jointly responsible with said Data Processors for taking the measures specified in 5.a of this Policy.

c. Index Grup Companies are required to carry out or procure the necessary inspections to ensure the implementation of the provisions of the Law in their own institution or organization.

d. Index Grup Companies and Data Processors may not disclose the Personal Data they acquired to others in contravention of the provisions of the Law and may not use it outside the purpose of processing. This obligation survives the expiration of their duties.

e. Index Grup Companies shall notify the Data Owner and the Board within 72 hours if the Personal Data processed are obtained by others by unlawful means. The Board may, if necessary, announce this situation on its website or by any other method it deems appropriate.

6. Data Owner's Rights

a. Everyone has the following rights by virtue of consulting Index Grup Companies.

  1. Learn whether their Personal Data has been processed;
  2. If their Personal Data have been processed, request information in that regard;
  3. Learn the purpose of processing the Personal Data and whether these are used in line with the purpose;
  4. Know the third persons to whom the Personal Data have been transferred in Turkey and abroad;
  5. If Personal Data entered are incomplete or inaccurate, request correction thereof;
  6. Request deletion or destruction of Personal Data within the framework of article 7 of the Law;
  7. Request notification of actions taken under 6.a.v and to the third persons to whom the Personal Data are transferred;
  8. Object to a consequence arising against the Data Owner as a result of the analysis of the processed Personal Data exclusively through automated systems, and
  9. Request indemnification in case of incurring damage due to unlawful processing of personal data.

b. To be able to exercise the rights specified in 6.a., such requests must be submitted in writing upon completing and signing the Application Form that can be found on our website using the following means of communication together with information that will enable the identification of the data subjects in relation to Personal Data:

  1. Completing the application form and delivering a copy thereof with wet signature to Ayazağa Mah. Mimar Sinan Sok. No:21 Seba Office Boulevard, D Blok Kat:1 No:11 Sarıyer İstanbul either in person or via registered mail or notary,
  2. Filling out the application form, signing it with "secure electronic signature" within the scope of the Electronic Signature Law No. 5070 and sending the form using the registered e-mail to
  3. Filling out the application form and sending it to the e-mail address using either mobile signature or the e-mail address previously notified to Index Grup Companies by the data subject and registered in the system of Index Grup Companies.

7. Measures for Keeping Personal Data Accurate and Current

Index Grup Companies shall keep Personal Data accurate and up-to-date using the following methods:

  1. Daily backups;
  2. Firewall;
  3. Antivirus programs;
  4. Restrictions on encryption systems and authorizations in virtual media access;
  5. Card, key or password access systems for rooms and cabinets
  6. Privacy agreements and confidentiality commitments.
  7. Backups in different physical locations for disaster recovery

8. Changes to the Policy on the Protection of Personal Data

Index Grup Companies may make changes to this Policy to the extent required for the activities or if legally required. The amended text of the Policy will become effective once it is shared on Index Grup Companies shall also notify customers, employees, authorized persons and relevant persons by e-mail about the changes to be made.