Cookie Settings

1. Data Privacy Commitment

Cellavia commits to acting in accordance with the highest standards of transparency and security in the processing and protection of personal data, in compliance with the Personal Data Protection Law No. 6698 (“KVKK”) and all other relevant legislation.

This policy sets out the basic principles governing how personal data is processed, stored, transferred and protected within Cellavia.

2. Purpose of the Policy

The main purpose of this Policy is to ensure that the processes related to the collection, processing, storage and deletion of personal data processed by Cellavia are managed in a systematic and reliable manner in accordance with the law.

3. Scope of the Policy

The Policy covers all personal data processed by Cellavia, the processes related to the processing of such data, and the rights of data subjects. Information that does not constitute personal data is excluded from the scope of this Policy.

4. Definitions

(All definitions have been revised while preserving the original content: Explicit Consent, Anonymisation, Data Controller, Special Category Personal Data, Committee, etc.)

5. Basic Principles for the Processing of Personal Data

When processing personal data, Cellavia:

  • Acts in accordance with the law and principles of good faith,
  • Takes necessary measures to keep data accurate and up-to-date,
  • Processes data for specific, clear, and legitimate purposes,
  • Keeps processed data limited to the purpose and proportionate to the purpose,
  • Retains data for the period required by applicable legislation.

6. Explicit Consent and Exceptions

(The circumstances requiring explicit consent, legal exceptions, and special conditions for data processing are detailed in accordance with applicable regulations.)

7. Processing of Special Category Personal Data

Cellavia strictly adheres to the principles established by the KVKK and the Board regarding the processing of special category personal data. Data related to health and sexual life may only be processed within the scope of the exceptions specified in the law and by professionals who are bound by confidentiality obligations.

This data is only processed with the explicit consent of the data subject or in the special circumstances specified in the law.

  • Access rights are restricted, user roles are clearly defined, and permissions are periodically reviewed.
  • Data storage areas in electronic and physical environments are protected by advanced security protocols.
  • Transfers are made via encrypted email systems or Registered Electronic Mail (KEP). The ‘confidential document’ procedure is applied for physical transfers.

8. Retention Period for Personal Data

Personal data is retained only for as long as necessary for the purpose of processing and within the time frames specified in the relevant legal regulations. Data whose retention period has expired or whose processing purpose has ceased is deleted, destroyed or anonymised by Cellavia.

9. Deletion, Destruction, and Anonymisation of Data

Cellavia permanently removes or anonymises data when its necessity ceases. The relevant Committee within the Institution is responsible for implementing and monitoring these processes.

All destruction processes are carried out in accordance with the provisions of the KVKK and the ‘Data Storage and Destruction Policy.’

10. Transfer of Personal Data to Third Parties

Personal data

  • is transferred to third parties in Turkey without explicit consent or with explicit consent in the exceptional cases specified in Articles 5 and 6 of the KVKK,
  • and to third parties abroad only to countries with adequate protection or with the approval of the Board and with the explicit consent of the data subject.

Cellavia ensures that every third party to whom it transfers personal data complies with this policy and legal requirements.

11. Information Obligation

Cellavia informs the data subject of the following before collecting personal data:

  • The identity of the data controller,
  • The purposes of processing,
  • The persons or organisations to whom the data will be transferred,
  • The method of collection and the legal basis,
  • The rights of the data subject under Article 11 of the KVKK.

12. Rights of Data Subjects

Data subjects have the following rights under the KVKK:

  • The right to learn whether their personal data has been processed,
  • The right to request information about the processing,
  • The right to learn the purpose of the processing and whether the data is being used in accordance with that purpose,
  • The right to know the third parties to whom the data has been transferred within or outside the country,
  • The right to request the correction of incomplete or incorrect data,
  • The right to request the deletion or destruction of the data within the legal framework,
  • To request that the third parties to whom the data has been transferred be informed,
  • To object to the emergence of a result that is detrimental to them as a result of analysis by automated systems,
  • To request compensation in the event of damage.

Applications can be made via the form on the company's website or from the registered e-mail address.

13. Data Security and Management

  • Cellavia considers all personal data to be ‘confidential information.’
  • Only authorised persons may access this data.
  • Systems are protected by firewalls, antivirus software, and backup solutions.
  • Unauthorised transfer of data to external storage devices such as USB drives is prohibited.
  • Each employee is responsible for the security of the data within their area of responsibility.
  • The Committee is responsible for audits, the implementation of security policies, and training processes.

14. Data Breach Response Plan

When a personal data breach is detected:

  • The Committee is notified immediately,
  • The Board is notified within 72 hours,
  • Relevant individuals are informed directly or via the website,
  • The breach is recorded and managed transparently.

15. Training

All employees are regularly trained on the Personal Data Protection Law and Cellavia policies. Personnel working with special categories of data are provided with more comprehensive and technical training.

16. Audit

Cellavia reserves the right to audit all departments and employees for compliance with this policy. These audits may be conducted with or without notice. The Committee prepares audit reports and submits them to management.

17. Violations

Every employee is obliged to report any possible violations in personal data processing procedures to the Committee. Where necessary, legal notification is made to the Board and the data subject. All violations are recorded.

18. Responsibilities

The Committee, employees, and management are responsible for the implementation of this policy in that order. Any new procedures or changes are implemented by management decision and communicated to all employees.

19. Policy Changes

Cellavia reserves the right to make changes to this policy as deemed necessary. Updated versions are published on the company website and/or communicated to employees.

20. Effective Date

This policy is effective as of 30/07/2025.