Privacy Notice on the Protection and the Processing of Personal Data
Turkish Airlines (hereinafter referred to as “Company” or “We”) shows the utmost sensitivity regarding the lawful processing of its customers’ personal data.
We have prepared The Türk Hava Yolları Anonim Ortaklığı Privacy Notice on the Protection and the Processing of Personal Data, in order to ensure compliance with national and international legislation in effect, in particular the Law on the Protection of Personal Data (the “Law”) and the European Union General Data Protection Regulation (“GDPR”). For more detailed information about GDPR you may read the GDPR Privacy Notice published on https://www.turkishairlines.com/en-tr/legal-notice/gdpr-privacy-notice
The security of our customers’ personal data is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leak and to ensure the secure retention of personal data relating to our customers, such data are only transferred to trusted business partners and on a minimum level, by taking necessary security measures in accordance with the legislation in force.
Transparency is one of the most important subjects of our personal data protection program. In this respect, we have prepared this Notice in order to provide our customers with all possible information while we are processing personal data for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data and the purposes for processing personal data is provided under the “For Which Purposes Do We Process Your Personal Data?” heading.
Another issue that we also pay close attention to is customers’ right to have control over their personal data. We implement measures to ensure that our customers can manage their preferences regarding their own personal data, and we highly respect our customers’ preferences. In this regard, you may convey your requests to us through the communication channels listed under the section “The Exercise of Rights by the Data Subjects”, and detailed explanations regarding the matter are provided within the section named “Rights of the Data Subjects”.
Data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the Law. In this respect, detailed information regarding the processing of your personal data is presented to your attention within this Notice.
1. How do we obtain your personal data?
This Notice contains our declarations and explanations concerning the processing of personal data relating to our customers and other natural persons establishing contact with us, excluding our employees, in compliance with the provisions of the Law and the GDPR.
We reserve the right to make changes to this Notice in order to provide accurate and up-to-date information concerning practices and regulations relating to the protection of personal data. Additionally, data subjects will be informed by appropriate means in the event of a substantial change to the Notice.
This Notice is prepared in order to provide information concerning which personal data Turkish Airlines processes within the scope of its commercial activities, the purposes for processing, the parties to whom personal data are transferred and the purposes for such transfers. This Notice covers the following channels through which personal data are collected:
Call center, booking offices, check-in counters, kiosks, inflight entertainment system, requests and complaints, boarding checkpoints, surveys, fairs and events; by verbal, written or electronic environments, by automatic and non-automatic means,
Turkish Airlines and Miles&Smiles Special Passenger Program website and mobile applications,
Agencies authorized to sell Turkish Airlines products and services and sales channels on the web, social media, passenger and customer conversations, SMS channels, business intelligence, contracted merchants, business/program partners and other airlines; by verbal, written or electronic environments, by automatic and non-automatic means.
Where you request to receive service through these channels, the website located at turkishairlines.com (“Website”); software and applications provided through computers or other smart devices (“Application”); social media accounts administered by persons authorized to provide services on behalf of Turkish Airlines (“Social Media”); instant messaging applications that mediate the service provided by Turkish Airlines, such as WhatsApp Business, Telegram, Facebook Messenger, WeChat, BiP etc. (“Messaging Platforms”); and other channels shall be referred to collectively as “Digital Platforms”.
2. Which personal data do we process?
Personal data processed by our Company differ in accordance with the nature of the legal relationship established with our Company. In this respect, categories of personal data collected by our Company through all channels, including Digital Environments, are as follows:
Identification Information (personal data provided in the course of creating an account on our Website or Application, reserving a seat on a plane or benefiting from privileged services offered by Turkish Airlines and its business partners such as name, surname, identification and passport number etc.)
Contact Information (personal data provided in the course of creating an account on our Website or Application, reserving a seat on a plane or benefiting from privileged services offered by Turkish Airlines and its business partners such as e-mail address, phone number, mobile phone number, social media contact information, address etc.)
Location Data (location data collected by way of location-based tools such as airport directions, map view, Turkish Airlines Lounge, nearest car parking space)
Advance Passenger Information (“API”) (personal data relating to name, nationality, date of birth, gender, the type and number of travel documents, date of issue and expiry as well as the issuing authority)
Information Relating to Family and Relatives (identification information, contact information, information regarding profession and education etc. relating to data subject’s children, spouse etc.)
Customer Process Information (personal data recorded in channels such as call centers, credit card statements, box office receipts, customer instructions including reservation, purchase, cancellation, postponement and other changes relating to an instruction or request attributable to a person)
Process Security Information (information relating to website password etc. provided in the course of benefiting from products and services offered in digital environments)
Risk Management Information (results and records of various queries provided by public institutions relating to the data subject, records of security checks concerning whether you are prohibited from boarding a plane, records of address recording system, IP tracking records etc.)
Financial Information (credit/debit card information, bank account information, IBAN information, balance information, credit balance information and other financial information)
Physical Environment Security Information (entry/exit logs in Company’s physical environments, visit information, camera and voice records etc.)
Legal Procedure and Compliance Information (information provided within information requests and decisions of judicial and administrative authorities etc.)
Audit and Inspection Information (information relating to all kinds of records and processes concerning the exercise of our legal claims and rights associated with the data subject)
Special Categories of Personal Data (special categories of personal data processed limited to the circumstances expressly envisaged under the laws and where required for the Company’s operations and upon your explicit consent such as data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect and other beliefs, dress and appearance, memberships to associations, organizations and unions, health and sexual life, criminal convictions and security measures, as well as biometric and genetic data.)
Marketing Information (reports and evaluations containing information indicating preferences, taste, usage and travel habits attributable to the data subject and used for the purposes of marketing, targeting information, cookie records, data generated within data enrichment operations, records of surveys, satisfaction surveys, information and evaluations obtained as a result of campaigns and direct marketing activities etc.)
Request/Complaint Management Information (information and records collected in relation with requests and complaints concerning our products or services and information contained within reports regarding the conclusion of such requests by our business units etc.)
Audio Visual Information (photographs, camera and voice records etc.)
3. For which purposes do we process your personal data?
As per the Law, personal data can only be processed in the presence of at least one of the conditions set forth under Articles 5 and 6 of the Law and/or required by international legislation. In this respect, as Turkish Airlines, we process personal data relating to our customers for the purposes of providing services (provision of airline transport and other related services) in particular, complying with obligations under national and international regulations and our legitimate interests provided that such interests do not have a negative impact on our customers’ fundamental rights and freedoms.
In addition to the above-listed conditions for processing personal data, we may request you to explicitly consent to the processing of your personal data. If this is the case, personal data will be processed limited to the scope of your freely given explicit consent. You may at any time revoke your explicit consent.
In this regard, personal data will be processed by Turkish Airlines, within the framework of national and international legislation, in accordance with the conditions for processing personal data set forth under Articles 5 and 6 of the Law and within the scope of the below-listed purposes:
Management of travel reservations and the provision of our services
When you book a flight, including booking processes concluded through third parties and other websites, an account through which you may finalize your booking and manage your preferences regarding your flight is created. In this respect, information concerning your identity is processed for the verification of your identity at check-in, baggage delivery and security check points.
Additionally, personal data relating to you may also be processed in the course of benefiting from airport services provided through kiosks such as check-in, seat selection, luggage and cargo.
Managing flight operations and establishing communications concerning services provided within your flight program
We process personal data relating to you within the scope of services concerning your flight, for the purposes of concluding your flight ticket, carrying out check-in processes, preparing your boarding pass and boarding the plane.
Personal data relating to you may only be processed for the purposes of providing information regarding the verification of your travel organization, changes to your flight program, opening date and time of check-in and conveying communication concerning reminders of your incomplete reservations.
Establishing communication with our customers and customer relationship management
Establishing Communication Concerning Our Operations
In certain circumstances, we are required to deliver certain information to our customers regarding our flights. For instance, we may be required to establish communication with you via SMS, e-mail or telephone for the purposes of conveying booking information, confirmation regarding the purchase of your ticket or to provide payment and flight details. Additionally, customers benefiting from services provided through the Application may also be contacted by way of in-app notifications.
Please note that electronic messages transmitted for the purposes stated above, or for other similar service information, excluding messages transmitted for marketing purposes, do not require the consent of the recipient as per Article 6 of the Regulation on Commercial Communication and Commercial Electronic Messages and may be transmitted to you by Turkish Airlines without obtaining your consent.
Requests and Evaluations
Personal data relating to you may be processed for the purposes of taking necessary actions in order to provide responses to questions, requests or complaints conveyed by our customers through Digital Environments or by other written and verbal channels.
Opinions of our customers are of great importance for us. Therefore, we may process personal data while evaluating the responses provided by our customers to questions within customer satisfaction surveys, in order to evaluate the quality of our services.
Personalization and improvement of your customer experience
In order to provide a personalized customer experience, we may process personal data for the purposes of customization of our products or services in accordance with your taste, preference and needs. In this regard, information concerning your previous flights, information provided within the scope of processes and communications and where deemed necessary, information obtained as a result of segmentation activities conducted upon your explicit consent may be processed for the purposes of estimating your preferences regarding your flights and presenting customized offers.
Additionally, personal data may be processed for the purposes of establishing marketing communications concerning campaigns, publicity, promotion and invitations to events determined upon such segmentation activities.
Notifications regarding products and services
Personal data may be processed upon consent obtained from you, in order to establish marketing communications for providing information concerning our flight or travel products and services. In accordance with your consent, we may also provide information concerning our corporate business partners’ travel and flight campaigns.
Management and conclusion of your requests and complaints
Personal data relating to you may be processed for the purposes of concluding adjustment requests regarding your flight and travel program, requests relating to special assistance required within the airport or requests concerning personal preferences regarding compliments within your flight and the complaints and suggestions for improvement with regards to products and services provided.
Management of operations concerning the management of emergencies and incidents
Personal data relating to persons to inform in case of an emergency or an incident regarding your flight and travel program provided by you, may be processed for the purposes of informing and ensuring support within the scope of processes related to the management of emergencies and incidents.
Complying with obligations to which we are subject in accordance with the related regulations and to provide information to competent authorities and organizations
Personal data relating to you may be processed for the purposes of preparing records and documents required to be prepared in accordance with the relevant legislation, in order to carry out flight operations, complying with the obligations concerning the retention of information, reporting, record keeping, informing, taxation, international sanctions and other obligations.
In this regard, personal data may be processed for the purposes of prevention, detection and investigation of crime including fraud and money laundering, in accordance with our obligations concerning identification and verification of identity.
Within the scope of complying with obligations under international and national civil aviation, personal data relating to you may be processed for the purposes of providing requested information and documentation to competent public institutions and organizations as well as regulatory authorities or allowing such persons and organizations to gain access to requested information or documentation. In such cases, the processing of personal data shall be limited to the legally valid subject and scope of the request.
Conducting financial and accounting operations
Personal data relating to you may be processed for the purposes of complying with obligations to inform including identification and verification of identity and the prevention of fraudulent transactions, receiving payments and where deemed necessary, reimbursement.
Establishing information technologies infrastructure and executing and auditing information security processes and operations
Personal data relating to you may be processed for the purposes of ensuring compliance with internal policies and procedures related to information security, management of information technologies systems as well as improving and optimizing such systems, ensuring the accessibility and reliability of such infrastructure and systems by way of back-ups and tests, improving products and services provided including statistical analysis and research on systems and programs regarding ticketing and travel operations.
Prevention of fraud and counterfeiting
Personal data may be processed for the purposes of preventing fraud and counterfeiting, investigating and reporting due to legal requirements, taking legal actions and carrying out necessary studies.
Specifying access authorizations for business partners and service providers
Within the scope of processes executed with business partners, personal data may be processed for the purposes of enabling access of business partners to required information and documentation within the framework of corporate relations, and enabling access of executives and employees of third party service vendors providing outsourced services regarding flight planning, travel organization, customer relationship management, research and development to necessary information and documentation.
4. Transfer of personal data
Your personal data may be shared with parties who provide products or services to us or on behalf of our company, and with our suppliers and business partners from whom we get support for the establishment, execution and termination of our relationship, including the parties collaborating with us for the purposes of providing products and services to you. Your personal data may also be shared with public institutions and private persons authorized by law within the scope of their authorization. In such cases, our company takes all precautionary measures to ensure that the parties carry out processing and transfer activities in accordance with the rules stated in this Notice and other related law.
Personal data may be shared with group companies, business partners, public institutions and private persons authorized by law pursuant to the conditions and purposes of processing personal data as stated under Articles 8 and 9 of the Law, and may be transferred abroad, limited to the stated purposes and in accordance with the principles and procedures stated under Article 9 of the Law and decisions of the Personal Data Protection Board.
Your personal data may only be transferred abroad where;
your explicit consent is obtained, or
where your explicit consent is not obtained but one or more data processing condition(s) which are stated in the Law are met,
the transferred country found to be offering adequate protection by the Personal Data Protection Board decision or;
in case the protection in the transferred country is found to be inadequate, a written undertaking to provide adequate protection has been reached between our Company and the Data Controller to whom the data are being transferred, and the approval of the Personal Data Protection Board has been obtained.
5. Retention of personal data
Our company determines the retention periods by taking into consideration the applicable law and the purposes of data processing. In this respect, where applicable, we particularly consider the issues of period of limitation and legal obligations regarding the processing of personal data. Once the purpose for processing personal data ceases, unless another legal reason or basis allowing the retention of the personal data exists, data will be deleted, destroyed or anonymized.
6. Principles relating to personal data privacy
Our company acts in accordance with the principles stated below in all data processing activities. “Acting in accordance with the law and in good faith”, “Authenticity and Being Up-to-date”, “Processing for specific, clear and legitimate purposes”, “Being relevant, limited and proportionate with the purposes”, “Retention as stated in the related law or as long as necessary for the relevant purpose”
7. Use of cookies
As Turkish Airlines, we utilize technologies such as cookies, pixels, GIFs (“Cookies”) to improve your user experience during your use of our websites and applications. The use of these technologies is in accordance with the Law and other related regulations that we are subjected to.
For further information regarding cookies, please refer to the Türk Hava Yolları Anonim Ortaklığı Cookie Privacy Notice located at https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/cookies
8. Use of digital platforms
Your personal data may be processed during your use of Digital Platforms to manage and operate the Website, to perform activities for optimizing and improving the user experience related to the Website and Application, to detect in what ways the Website is being used, to support and enhance the use of location based tools, to manage your online accounts and to inform you about the services offered near you.
In case you desire to benefit from the offered products and services, your personal data will be processed only to provide you with such products and services.
9. Use of CCTV (Closed Circuit Television)
When you visit our company premises, your visual and audial data may be obtained via CCTV and may be preserved only for a period necessary to fulfill the following purposes. With the use of CCTV, prevention and detection of any criminal act incompatible with the law and company policies, maintaining the security of company premises and equipment located within the premises, protection of visitors’ and workers’ well-being is pursued. All necessary technical and administrative measures will be taken by us regarding the security of your personal data obtained via CCTV.
10. Rights of the data subjects
In accordance with Article 11 of the Law, data subjects are entitled to the following rights:
Learn whether data relating to him/her are being processed;
Request further information if personal data relating to him/her have been processed;
Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose;
Learn the third-party recipients to whom the data are disclosed within the country or abroad,
Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred;
Request deletion or destruction of personal data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred;
Object to negative consequences about him/her that are concluded as a result of analysis of the processed personal data by solely automatic means;
Demand compensation for the damages he/she has suffered as a result of an unlawful processing operation.
11. The exercise of rights by the data subjects
You can easily use your rights mentioned above and easily communicate the related requests to us via contact information below.
Data subjects’ requests concerning the above-listed rights shall be concluded by us within thirty days at the latest, in accordance with the limitations provided by the Law.
In principle, data subject requests shall be concluded free of charge. However, Turkish Airlines reserves its right to demand a fee from the tariff specified by the Board, in case the request requires additional costs.
Our Company may request certain information from the data subject in order to determine that the applicant is in fact the Data Subject, and additional questions can be directed to the applicant to clarify matters regarding the applications.
Türk Hava Yolları Genel Yönetim Binası
Atatürk Havalimanı,
Yeşilköy, 34149 İstanbul
00 90 212 463 63 63
00 90 212 465 21 21
kvkiletisim@thy.com
12. Data security
We take all appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data.
In this respect our Company;
Ensures data security by utilizing protection systems, firewalls and other software and hardware containing intrusion prevention systems against viruses and other malicious software,
Carries out access to personal data within our company in a controlled process in accordance with the nature of the data and within the framework of the authority on the basis of unit / role / practice,
Ensures the conduct of necessary audits to implement the provisions of the Law, in accordance with Article 12 of the Law,
Ensures the lawfulness of the data processing activities by way of internal policies and procedures,
Applies stricter measures for access to special categories of personal data,
Obliges the relevant third party to undertake to comply with the provisions of the Law in case of external access to personal data due to procurement of outsourced services,
Takes necessary actions to inform all employees, especially those who have access to personal data, about their duties and responsibilities within the scope of the Law.
13. Definitions
Explicit consent: Consent that is provided for a specific subject, upon being informed and freely given.
Anonymization: Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
Related person/Data subject: Refers to the natural person whose personal data are processed.
Personal data: Refers to any information relating to an identified or identifiable natural person.
Special Categories of Personal data: Refers to data that has been subjected to a more stringent protection regime under the Law which may cause the Data Subject to be victimized or discriminated against in cases of disclosure or loss.
Processing of personal data: Refers to any operation that is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
Data recording system: Refers to the registration system in which personal data is configured and processed according to certain criteria.
Data controller: The natural or legal person determining the purposes and means of the processing of personal data and who is responsible for the establishment and management of a data recording system.