Data Protection Notice

Excelya>Data Protection Notice

Website Data Protection Notice


Excelya Group SAS and its affiliates & subsidiaries (“Excelya”, “we” or “us”) are committed to protecting the rights and freedoms of natural persons regarding the processing of their personal data and to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, (“General Data Protection Regulation” or “GDPR”) and other laws applicable to our corporate group regarding the protection of personal data.

This data protection notice (referred to as the “Notice”) aims to provide you with information concerning how Excelya processes your personal data through Excelya’s website (referred to as the “Website”), including its contact forms.

As required by Turkish Law 6698, a data protection notice is also available in Turkish here.


1. Definitions

The terms and definitions contained in this Notice shall be read and interpreted in the light of the provisions of the GDPR. In order to ensure a transparent and intelligible understanding of this Notice:

  • ‘Data subject’: means an identified or identifiable natural person;
  • ‘Identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to that natural person;
  • ‘Personal data’ means any information relating to an identified or identifiable natural person (data subject);
  • ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • ‘Controller’ means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
  • ‘Processor’ means a natural or legal person which processes personal data on behalf of the controller;
  • ‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
  • ‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.


2. Who is processing your personal data?

Regarding the personal data processing activities covered under this notice, Excelya Group SAS or its affiliates & subsidiaries, determine the purposes and means and act as a controller / controllers. Their contact details and those of the Corporate Data Protection Officer (“DPO”) are:

  • Address: 35 rue de Paris, 92100 Boulogne-Billancourt, France
  • Telephone: +33 (0)1 46 20 74 50
  • Email:


3. Why do we process your personal data and according to which legal bases?

Within the scope of the processing activities covered by this notice, we process your personal data for the following purposes:

• Customer support and inquiries management: To respond to inquiries submitted by you through the Website contact form or Excelya’s contact information. This is done under the legitimate interests pursued by Excelya, in relation to the performance of its business activities and the offering of its services and products (article 6.1.f GDPR).

• Marketing: To manage your subscription to our newsletter and to send you information about Excelya’s services, products, solutions, and/or events. This is done only in those cases where you have given us your consent through the clear affirmative action of writing your email in the relevant field, checking the corresponding data protection acknowledgement checkbox, and clicking on the “subscribe now” button on our Website (article 6.1.a GDPR). We kindly inform you that you may withdraw your consent by unsubscribing from the Newsletter, at any time and at no cost.

• Recruitment: To assess a possible match between your application, including your skills and competences, in relation to those required for vacancies at Excelya or, in some cases, for those of our clients to whom we may provide outsourcing recruitment services. In some cases (e.g. for certain roles such as biostatisticians, SAS programmers, data managers or clinical research associates), this may include carrying out tests during the selection process to assess your skills and competences.

Furthermore, we may also contact you in the future regarding new vacancies at Excelya that may match your skills and competences.

This processing activity is based on: (i) your consent, provided through the clear affirmative action of applying for a vacancy at Excelya or by sending us your CV and checking the data protection acknowledgement checkbox (article 6.1.a GDPR) and (ii) the legitimate interests of Excelya in finding suitable candidates and assessing their fit for its open vacancies and, in some cases, those of its clients (article 6.1.f GDPR).

We kindly inform you that you may withdraw your consent to being contacted for recruitment purposes, at any time.


4. What personal data do we process?

  • Customer support and inquiries management: first name, last name, email, company (optional), job title (optional) and your inquiry.
  • Marketing: email.
  • Recruitment: first name, last name, email, phone number (optional), your message (optional), your CV, information included in your CV (e.g. contact and personal details, work experience and previous roles, skills, education, qualifications, certifications, spoken languages, etc.), test results (where applicable), cover letters / letters of recommendation (optional), other information or documentation you may provide throughout the selection process, internal or external (e.g. references) assessments on your application and your selection process. We kindly ask you to abstain from providing us any sensitive data/special categories of personal data (i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) throughout the selection process/-es you may be involved in, unless such disclosure is strictly OPTIONAL in the context of any applicable equal opportunities legislation, promoting workforce diversity and non-discrimination.


5. Who is your personal data disclosed to?

  • Customer support and inquiries management: Excelya group companies for internal administrative or commercial purposes and to adequately respond to your inquiries.
  • Marketing: Excelya group companies for internal administrative or commercial purposes.
  • Recruitment:
    • Excelya group companies: (i) for internal administrative purposes, including managing our internal candidate database and (ii) to adequately manage the selection process and assess your application and/or work preferences for open vacancies at Excelya.
    • Entities and professionals specialised in recruitment: including recruitment and headhunting agencies and external head-hunters.
    • Referees and references: individuals you may have included within your references or past colleagues or employers to seek references concerning your application.
    • Clients: in some cases, we may provide outsourcing recruitment services to our clients concerning their vacancies.

Outside out the aforementioned cases, your personal data will not be disclosed to any third parties, except where such disclosure is necessary (i) for compliance with a legal obligation or (ii) for the establishment, exercise or defence of legal claims.


6. Are there any transfers to third countries?

As a general rule, your personal data is processed and stored within the European Economic Area (EU member states, Iceland, Liechtenstein and Norway). However, in some cases, some companies of the Excelya group are established outside of the European Economic Area. Where personal data is transferred to third countries, Excelya will ensure that an adequate mechanism and appropriate safeguards, including appropriate technical and organizational measures, are in place. These mechanisms and safeguards may include:

  • Adequacy decisions under article 45 GDPR;
  • binding corporate rules (“BCRs”) under article 47 GDPR;
  • standard data protection clauses (“SCCs”) under article 46.2 GDPR;
  • approved codes of conduct under article 46.2 GDPR;
  • approved certification mechanisms under article 46.2 GDPR;
  • exceptionally, derogations and safeguards under article 49 GDPR.


7. For how long will we process and store your personal information?

  • Customer support and inquiries management: for as long as necessary to adequately respond to your request or inquiry and for internal statistical purposes.
  • Marketing: until you unsubscribe to the newsletter or request the erasure of your personal data.
  • Recruitment: throughout the duration of the selection process. However, in case you submit an open application for no concrete vacancy or if you have not been selected for a position you have applied to, your personal data will be stored for two (2) years, from the moment your application was received or the selection process that you applied for finished. This retention period may be further extended, where you provide us with a renewed consent.

Outside out the aforementioned cases, your personal data will be stored, for as long as necessary: (i) for compliance with a legal obligation or (ii) for the establishment, exercise or defence of legal claims.


8. What are your rights concerning your personal data?

As foreseen in the GDPR, you have and can exercise the following rights concerning your personal data:

  • Right of access: to obtain confirmation as to whether or not your personal data is being processed, and, where it is the case, to be provided with (i) information on the processing of your personal data and (ii) a copy of the personal data being processed.
  • Right to rectification: to request the rectification of inaccurate data concerning you. Taking into account the purposes of the processing, you may also request to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to erasure: to obtain the erasure of personal data concerning you without undue delay, where: (i) it is no longer necessary in relation to the purposes for which it was collected or processed or (ii) there are no other legitimate grounds for the processing. However, the right to erasure may not be applicable in certain cases, according to article 17.3 GDPR.
  • Right to restriction: to obtain the restriction of your personal data, under certain circumstances. This shall entail that, except for storage, your personal data can only be processed: (i) with your consent, (ii) for the establishment, exercise or defence of legal claims, (iii) for the protection of the rights of another natural or legal person or (iv) for reasons of important public interest.
  • Right to data portability: to receive personal data concerning you, which you have provided us, in a structured, commonly used and machine-readable format. This also encompasses the right to transmit such data to another controller. This right may be exercised when relying on consent or the performance of a contract as a legal basis.
  • Right to object: on grounds relating to your particular situation, you may object, at any time, to the processing which is based on the performance of a task carried out in public interest or on legitimate interests pursued by us. When you object to the processing, we shall no longer process your personal data unless: (i) it is possible to demonstrate compelling legitimate grounds for the processing, (ii) for the establishment, exercise or defence of legal claims or (iii) when the processing is necessary for the performance of a task carried out for reasons of public interest.
  • Right to withdraw your consent: at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

In order to exercise your rights regarding your personal data, you may do so by contacting our Data Protection Officer (“DPO”) by e-mail at

Lastly, you also have the right to lodge a complaint with a supervisory authority, in particular, in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.


9. Updates to this notice

We may update this Notice to accurately reflect any changes. We recommend that you check this page regularly to stay informed of any changes to this Notice or any of our other notices and policies.