1. Data Privacy Commitment

1.1

This Personal Data Protection Policy (‘Policy’) defines the principles and internal procedures that Cellavia must comply with in the processing, protection and storage of personal data within the scope of the Personal Data Protection Law No. 6698 (KVKK) and other relevant legislation.

1.2

Cellavia undertakes to act in accordance with this policy and related procedures to protect all personal data stored within its organisation.

2. Purpose of the Policy

The purpose of this policy is to determine the principles governing the processing, storage, deletion and transfer of personal data processed by Cellavia and to ensure the protection of data subjects' rights.

3. Scope of the Policy

3.1

This policy applies to all personal data processed by Cellavia.

3.2

Information that does not constitute personal data is excluded from the scope of this policy.

3.3

The policy may be updated with the approval of the Board of Directors in accordance with amendments to the KVKK or Cellavia's needs. In case of any conflict, the provisions of the KVKK shall prevail.

4. Definitions

(Definitions such as ‘explicit consent,’ ‘anonymisation,’ ‘information obligation,’ ‘special category personal data,’ ‘data controller,’ ‘committee,’ etc. are retained and interpreted in accordance with Cellavia's specific context.)

5. Basic Principles for the Processing of Personal Data

  • 5.1 Processing in accordance with the law and principles of good faith.
  • 5.2 Taking necessary measures to ensure that data is accurate and up-to-date.
  • 5.3 Processing for specific, explicit, and legitimate purposes.
  • 5.4 Processing data in a manner that is relevant, limited, and proportionate to the purpose.
  • 5.5 Retaining data for the necessary period and deleting, destroying, or anonymising it upon expiry of that period.

6. Conditions for the Processing of Personal Data

6.1 Processing with Explicit Consent:

Data may be processed if the data subject is informed and gives their free consent.

6.2 Situations in Which Processing is Permitted Without Explicit Consent:

  • Legally required situations
  • Practical impossibilities
  • Situations necessary for the establishment or performance of a contract
  • Fulfilling legal obligations
  • Disclosure by the data subject
  • Establishing, exercising or protecting a right
  • When required by legitimate interests

7. Processing of Special Category Personal Data

  • Special category data cannot be processed without explicit consent or legal obligation.
  • Data relating to health and sexual life may only be processed by persons bound by a duty of confidentiality, for purposes such as public health or medical diagnosis.
  • Authorisation, access restrictions, and two-factor security measures are implemented.
  • Special protection methods are applied in email and physical transfers.
  • The committee ensures the management of processes and employee training.

8. Retention Period for Personal Data

Personal data is retained only for as long as the purpose of processing and the legal retention period require. Upon expiry of the period, the data is destroyed or anonymised.

9. Deletion, Destruction and Anonymisation of Data

  • Personal data is deleted, destroyed or anonymised upon the expiry of the purpose for which it was processed.
  • These operations are carried out under the supervision of the Committee.
  • Data is not retained based on the possibility of future use.
  • Destruction operations are carried out in accordance with the ‘Data Retention and Destruction Policy.’

10. Transfer of Personal Data

Personal data may be transferred to third parties within and outside the country in accordance with the KVKK.

10.1 Transfer within Turkey:

Transfers are made with explicit consent or in exceptional cases.

10.2 Transfer abroad:

  • Compliance with the list of countries deemed to provide adequate protection by the Board is ensured.
  • In other cases, a written commitment and Board approval are required.
  • It is ensured that the recipient individuals/entities act in accordance with the KVKK.

11. Information Obligation

Cellavia informs the data subject in a clear manner prior to collecting personal data regarding the following matters:

  • The identity of the data controller,
  • The purpose of processing personal data,
  • To whom and for what purpose data may be transferred,
  • The method of data collection and the legal basis,
  • The rights of the data subject under Article 11 of the KVKK.

The fulfilment of the information obligation is the joint responsibility of the employee managing the relevant process and the Committee.

Third parties acting as data processors undertake in writing to comply with these obligations before commencing data processing.

12. Rights of the Data Subject

Data subjects may make the following requests from Cellavia:

  • To learn whether their personal data has been processed,
  • To request information about the processing,
  • To learn the purpose of the processing and whether it is being used for that purpose,
  • To learn the persons to whom the data has been transferred within or outside the country,
  • To request the correction of incomplete or incorrect data,
  • To request the deletion, destruction or anonymisation of the data,
  • To request that these actions be communicated to third parties to whom the data has been transferred,
  • To object to any adverse outcome resulting from automated processing,
  • To request compensation for any damage suffered as a result of processing in violation of the KVKK.

Applications may be made to Cellavia via the registered email address or in person. Applications will be resolved free of charge within 30 days. If processing costs arise, the fee determined in accordance with the KVKK may be charged.

13. Data Management and Security

  • All employees may access data only within the scope of their authorisation.
  • Exceeding access limits constitutes grounds for termination of the employment contract for just cause.
  • Data may not be transferred to external devices such as USB drives, and desktop storage is prohibited.
  • The Committee establishes and implements security policies.
  • Only a limited number of personnel may access special category data.
  • All data is considered confidential information.
  • Employees remain bound by confidentiality obligations even after the termination of their employment relationship.

14. Data Breach Response Plan

  • In the event of a personal data breach, employees shall immediately notify the Committee.
  • The Institution shall be notified within 72 hours.
  • The relevant persons shall be notified directly, if possible; otherwise, notification shall be made via the website.
  • The official notification form is filled out at .
  • Records of the breach are kept, and the process is managed transparently.
  • The Committee reviews this plan at regular intervals.

15. Training

  • Cellavia regularly informs its employees about the KVKK, this policy, and internal procedures.
  • Training may be provided online or in person.
  • Comprehensive technical training is provided to employees with access to special category data.

16. Audit

  • Cellavia reserves the right to audit compliance with this policy and relevant legislation.
  • These audits may be conducted with or without notice.
  • The Committee establishes procedures for audits and submits them to management for approval.

17. Violations

  • Employees are required to report any suspicious situations to the Committee.
  • The Committee develops the necessary action plan in response to such reports.
  • When necessary, the Company and relevant parties are informed.

18. Responsibilities

Employees, departments, the Committee, and ultimately management are responsible for the implementation of this policy. The Committee is officially appointed by Company management and oversees all implementations.

19. Policy Changes

This policy may be updated as necessary with management approval. Any changes are communicated to employees via email and published on the website.

20. Effective Date

This policy was approved by Cellavia management on 30/07/2025 and is effective as of that date.