Personal Data Protection Policy

Index Grup Companies Personel Data Protection Policy

1. Scope

a. The purpose of this personal data protection policy ("Policy") is to ensure that INDEX GRUP COMPANIES (İndeks Bilgisayar Sistemleri Mühendislik Sanayi ve Ticaret Anonim Şirketi, Despec Bilgisayar Pazarlama ve Ticaret Anonim Şirketi, Neteks Teknoloji Ürünleri Anonim Şirketi, Datagate Bilgisayar Malzemeleri A.Ş., Teklos Teknoloji Lojistik Hizmetleri A.Ş.), its subsidiaries, affiliates and shareholders ("Index Grup Companies") process personal data of third parties in accordance with the regulations of the Personal Data Protection Law No. 6698 "Law"). Violation of the law will be considered seriously by Index Grup Companies and will be evaluated within the scope of disciplinary procedures. For the purposes of the law, the following definitions will be taken as basis:

  1. Personal Data: means any information relating to an identified or identifiable natural person;
  2. Processing of Personal Data: means any operation performed upon Personal Data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means;
  3. Personal Data of Special Nature: means the personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade unions, health, sexual life, convictions, and security measures, and the biometric and genetic data of individuals;
  4. Data Controller: means the natural person or legal entity that determines purposes and means of the processing of the Personal Data and that is responsible for establishment and management of a data recording system;
  5. Data Processor: means a natural person or legal entity which processes the Personal Data on behalf of and based on the authority given by the Index Grup Companies;
  6. Data Owner: means natural person whose Personal Data is processed;
  7. Data Recording System means the recording system where personal data, used by the Index Grup Companies, is structured and processed according to specific criteria
  8. Board: means the Personal Data Protection Board;
  9. Authority: means the Personal Data Protection Authority;
  10. Law: means the Law on Protection of Personal Data No. 6698 published in the Official Gazette dated 7 April 2016 and numbered 29677.

b. With this Policy, Index Grup Companies aim to inform the Data Owner and its content is as follows:

  1. Content and categories of Personal Data collected by Index Grup Companies; usage and transfer options;
  2. Processing methods of Personal Data;
  3. Retention methods of Personal Data;
  4. Rights of the Personal Data Owners;
  5. Measures taken regarding the protection of Personal Data;

2. Principles Regarding the Processing of Personal Data

a. The purpose of Index Grup Companies is the entirety of the objectives stated in the trade registry.

b. Personal Data that can be collected and processed from customers, employees, dealers and officials of Index Grup Companies in relation to their purpose are listed below and this list can be expanded in line with the purposes of Index Grup Companies:

  1. Identity documents such as identity card, driver's license, passport, residence, identity registration document, marriage certificate and their copies;
  2. Health information such as health reports, blood group reports etc.;
  3. Photo and video recordings taken at events such as meetings, seminars, etc.;
  4. Photo and video recordings taken for security reasons;
  5. Phone number, e-mail address information;
  6. Various information about criminal convictions and security measures, including criminal record;
  7. Any official document certifying the signature of the data owner;

c. Index Grup Companies undertake to process Personal Data only within the framework of the purposes and grounds specified below, with the exception of the exceptions set out in KVKK art. 5(2)(c) for commercial partners;

  1. Use of previously collected data in future processes;
  2. Resolution of commercial disputes;
  3. Saving time;
  4. Transfer of data to foreign or domestic servers in order to ensure data security;
  5. Data backup;
  6. External and internal audit, accounting, tax consultancy;
  7. Execution of internal data transfer;
  8. IT, translation, legal consultancy service;
  9. Planning for future;
  10. Keeping statistics;
  11. Follow up on past work;
  12. Order and control, management, compliance in the workplace;
  13. Archiving data obtained from office activities;
  14. Facilitating the operation of the recruitment process;
  15. Organization of training seminars;
  16. Customer satisfaction, quality control;
  17. Provision of WIFI service,
  18. Marketing, development of new products and services,
  19. Sending congratulatory messages and e-mails on national and religious holidays and special occasions,
  20. Making collections with Virtual Pos.

3. Data Collection Method

Index Grup Companies will collect Personal Data with the following methods:

  1. Electronic mail;
  2. Fax;
  3. Telephone;
  4. SMS;
  5. Postal mail;
  6. Courier;
  7. Website and social media accounts of Index Grup Companies;
  8. Virtual Environments;
  9. Delivery by hand.

4. Consent to Processing and Transfer

a.Domestic Processing and Transfer:

The domestic processing of the Personal Data of the Index Grup Companies and their transfer to third natural and legal persons is possible with the explicit consent of the relevant person, and if there is no explicit consent, it will only take place in the presence of the following conditions:

  1. If expressly stipulated in the law;
  2. If it is necessary for the protection of the life or physical integrity of the person himself/herself or someone else, who is unable to express his/her consent due to actual impossibility or whose consent is not legally valid;
  3. In case it is necessary to process Personal Data of the parties to the contract, provided that it is directly related to the conclusion or performance of a contract;
  4. In case it is necessary for Index Grup Companies to fulfill their legal obligations;
  5. In case the person concerned is made public by himself/herself;
  6. If data processing is necessary for the establishment, exercise or protection of a right;
  7. In case data processing is necessary for the legitimate interests of Index Grup Companies and/or other Data Controller, provided that it does not harm the fundamental rights and freedoms of the data owner.

b. Processing and Transfer of the Personal Data of Special Nature:

  1. Index Grup Companies can only process and transfer personal data of special nature with the explicit consent of the Data Owner.
  2. Personal Data that are not related to health and sexual life can be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws.
  3. Personal Data related to health and sexual life can only be processed for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality without seeking the explicit consent of the person concerned.

c. Processing and Transfer of Personal Data Abroad:

  1. Index Grup Companies can only process and transfer Personal Data abroad with the explicit consent of the Data Owners.
  2. Index Grup Companies may transfer Personal Data abroad without the explicit consent of the Data Owner in the presence of the conditions specified in 4.a and 4.b above, and in addition to these;
    • Availability of adequate protection in the foreign country to which the Personal Data will be transferred;
    • In the absence of sufficient protection, Index Grup Companies may transfer Personal Data abroad, provided that Index Grup Companies and data controllers in the relevant foreign country undertake an adequate protection in writing and the Board gives permission.
  3. Without prejudice to the provisions of international agreements, in cases where the interests of Turkey or the relevant Data Owner will be seriously harmed, Index Grup Companies can only transfer abroad with the permission of the Board by taking the opinion of the relevant public institution or organization.

5. Security of Personal Data

a. Index Grup Companies will ensure the security of Personal Data in order to achieve the following purposes and will take all necessary technical and administrative measures to ensure the appropriate level of security to achieve these purposes:

  1. To prevent the unlawful processing of Personal Data;
  2. To prevent unlawful access to Personal Data;
  3. To ensure the preservation of Personal Data.

b. Index Grup Companies are jointly responsible with these other Data Processors for taking the measures specified in section 5.a of this Policy, in case the Personal Data is processed by another natural or legal person on their behalf.

c.Index Grup Companies are obliged to carry out or have the necessary inspections made in their own institution or organization in order to ensure the implementation of the provisions of the Law.

d. Index Group Companies and Data Processors cannot disclose the Personal Data they have obtained to others in violation of the provisions of the Law and cannot use them for purposes other than processing. This obligation will continue after the end of their duties.

e. In case the processed Personal Data is obtained by others illegally, Index Grup Companies shall notify the Data Owner and the Board within 72 hours. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

6. Data Owner's Rights

a. Everyone has the following rights regarding himself/herself by applying to Index Grup Companies.

  1. Finding out whether the Personal Data is processed;
  2. Requesting information on personal data if it has been processed;
  3. Learning the purpose of processing Personal Data and whether they are used in accordance with the purpose;
  4. Knowing the third parties to whom the Personal Data is transferred, in the country or abroad;
  5. Requesting correction of Personal Data in case of incomplete or incorrect processing;
  6. Requesting the deletion or destruction of Personal Data within the framework of Article 7 of the Law;
  7. Requesting notification of the processing made pursuant to sections 6.a.v and to third parties to whom Personal Data is transferred;
  8. Objecting to the emergence of a result against the Data Owner by analyzing the processed Personal Data exclusively through automated systems, and
  9. Requesting the compensation of the damage in case of loss due to unlawful processing of Personal Data.

b.In order to exercise the rights specified in 6.a, the requests must be submitted in written form, by filling in and signing the Application Form, which can be accessed on our website, through the following communication channels, together with the information that will enable the identification of the persons concerned with regard to the Personal Data:

  1. After the application form is filled, a wet signed copy should be sent to the address of Ayazağa Mah. Mimar Sinan Sok. No:21 Seba Office Boulevard, D Blok Kat:1 No:11 Sarıyer İstanbul by hand, by registered mail with return receipt or via a notary public,
  2. The application form should be filled and sent by electronic signature or by e-mail to the e-mail address using the e-mail address previously notified to Index Grup Companies by the relevant person and registered in the system of Index Grup Companies.

7. Precautions Regarding the Accurate and Up-to-Date Retention of Personal Data

Index Grup Companies keep Personal Data accurate and up-to-date with the following methods:

  1. Daily backups;
  2. Firewall;
  3. Antivirus programs;
  4. Encryption systems and restrictions on access to virtual media;
  5. Card, key and password entry systems to rooms and cabinets
  6. Non-disclosure agreements and confidentiality undertakings.
  7. Backups in different physical locations for disaster recovery scenarios

8. Changes To Be Made In The Personal Data Protection Policy

Index Grup Companies can make changes in this Policy to the extent required by the activities or legally required. The aforementioned amended Policy will become valid once its text is shared on the website.