Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Company”, "Turkish Airlines" or “We”) pays the utmost attention to the lawfulness of the processing of personal data of its customers. The Turkish Airlines GDPR Privacy Notice (“Privacy Notice”) herein has been prepared in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to ensure that the personal data of our customers who are buying tickets, making reservations or performing similar operations at our ticket sale offices, check-in counters at airports, agencies, web sites, mobile applications and call centers, or joining survey and similar evaluation processes, is processed in a transparent manner.
In this respect, as a data controller we provide you information on which personal data we process and for what purposes, the third parties we share your data with, your rights and methods that you may use to contact us.
This Privacy Notice also describes your data protection rights, including a right to object to some of the processing which THY carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
2. How Do We Collect Your Personal Data?
Your personal data can be collected via our ticket sale offices, check-in counters at airports, agencies, web sites, mobile applications, call centers, surveys and similar evaluation processes, and GDSs. Your personal data may only be collected and processed in accordance with applicable laws.
3. Which Personal Data Do We Collect & Process?
We collect and process personal data that we receive from you, including:
- Identity and Contact Information: Personal data such as name, surname, identification number, passport information and contact information (such as e-mail address), phone and mobile phone number or social media contact information that you have provided to us while creating accounts, making plane ticket reservations or applying for exclusive services offered by THY and its partners.
- Flight Information: Reservation or ticket information or other information related to your flights such as your medical condition or your meal preferences if needed.
- Advance Passenger Information (“API”): Personal data relating to your name, nationality, birth date, gender, type and number of your travel documents including its date of validity, and its issuing country.
- Evaluations and requests: Information regarding your assessments, complaints and requests relating to our services.
- Payment Information: Credit/Debit card information, bank account information, IBAN information, balance and receivable information and other financial data.
- Membership Program Information: If you are a member, information regarding Miles&Smiles and Turkish Airlines Corporate Club membership programs.
We may also receive information about you from third parties. In particular:
- API: When you make a booking through a travel agency or another airline company they may send us your name, nationality, date of birth, gender as well as the type, number, issuing country and date of validity of your travel documents.
- Flight information: When you make a booking through a travel agency or another airline company, they will send us your reservation or ticket information, or other information related to your flights such as your medical condition or your meal preferences.
4. Why Do We Process Your Personal Data and What Is the Legal Basis for This Use?
We process your personal data for the following purposes:
- To fulfil a contract, or take steps linked to a contract we have with you. This includes:
  - Management of flight reservations and other related services: Performing operational transactions such as flight booking, taking payments, issuing flight tickets, check-in transaction regarding baggage and cargo transportation, flight card preparation, customer claims, boarding and other services related to your flight.
  - Communication: Informing our customers regarding our regular operations such as establishing communication with you via SMS, e-mail or telephone for the purposes of conveying booking information, confirmation regarding the purchase of your ticket or to provide payment and flight details.
  - Membership Programs: If you are a member, in particular of Miles&Smiles or Turkish Airlines Corporate Club, carrying out the necessary work for you to take advantage of related loyalty program services and carrying out the relevant business processes.
- As required to conduct our business and pursue our legitimate interests, in particular:
  - Evaluations of Request and Opinions: Receiving the opinions, complaints and evaluations of our customers on our services through written/online forms and surveys and evaluating them.
  - Fraud prevention: We monitor customers' actions to prevent, investigate and/or report things such as fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable laws.
  - Service Customization: Offering, proposing and introducing the programs, services and products to the related persons and performing the activities for the customization of them according to the usage habits and needs of the related persons.
  - Usage Information: In order to provide better service to our customers and to customize our services for you, your usage habits on our web site and applications may be followed. In addition, solely in order to provide service, information such as IP address and device model regarding the devices on which you view our website or use our applications may be processed. Where required by law, the marketing and advertising activities carried out through targeting and profiling are carried out only if you have given your consent.
- For purposes which are required by law:
  - Legal Obligations: Ensuring compliance with the national and international legislation to which THY is subjected and fulfilling the obligations arising from the relevant legislation, and responding to requests by government or law enforcement authorities conducting an investigation.
- Where you give us consent:
  - Marketing activities: Where required by law, we will, with your consent, send you direct marketing in relation to our relevant products and services, or other products and services provided by us, our affiliates and carefully selected partners.
  - Cookies: We place cookies and use similar technologies in accordance with our Cookies Notice and the information provided to you when those technologies are used.
  - Other occasions: On other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time such as when collecting information in relation to your medical condition or religious beliefs.
In some cases (e.g. for booking a flight) the provision of information is mandatory: if relevant data is not provided, then we will not be able to process your request. When the provision of information is not marked as mandatory (e.g. for direct marketing purposes) it is optional.
Withdrawing consent or otherwise objecting to direct marketing:
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
Relying on our legitimate interests:
We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us using the details set out later in this Privacy Notice.
5. To Whom, Why and Where We Transfer Your Personal Data?
Under certain circumstances, we may transfer your personal data to third parties residing within borders or abroad, in accordance with applicable laws.
Third parties to which we may transfer your data can be listed categorically as follows:
- Our business partners or suppliers residing within borders or abroad: Security firms, ground operation service providers at airports, transportation service providers, global distribution systems, partner airlines including but not limited to member airlines of the Star Alliance that will provide you services during connecting flights.
- Loyalty Programme related services: Please see full list below: https://www.turkishairlines.com/en-tr/miles-and-smiles/program-partners/index.html
- Group companies: certain services offered by THY are carried out by our affiliates, within this context, your personal data may be shared with our relevant affiliates. Please see full list below: http://investor.turkishairlines.com/en/turkishairlines/group-companies
- Suppliers: Your personal data will also be shared with third party service providers, in particular, third party providers of website hosting, software, maintenance, call centers, security firms, transportation service providers.
- Government authorities such as civil aviation or customs authorities and/or law enforcement officials authorized by national or international legislations; e.g. to enforcement agencies, executive or judicial bodies in relation to ongoing investigations or when travelling to United States of America, to United States National Security Council etc.
- In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.
Where information is transferred from inside the EEA to outside the EEA (e.g. Turkey), and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or a vendor's Processor Binding Corporate Rules.
6. How long will you retain my data?
THY is subject to legal obligations on data retention periods under Turkish law.
Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, we must sometimes continue to store your data until the end of the retention periods and deadlines set by the legislator or supervisory authorities, which may be up to 30 years and may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations, etc. We may also retain your data until the statutory limitation periods have expired provided that this is necessary for the establishment, exercise or defence of legal claims. After that, the relevant data are routinely erased.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
7. What are Your Rights as Data Subjects?
Under the GDPR you are entitled to the following rights:
- Learn whether data relating to you is being processed.
- Request further information if personal data relating to you has been processed.
- Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose.
- Request a copy of your personal data we hold.
- Learn to which third-party recipients your data is disclosed.
- Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred.
- Request deletion or destruction of personal data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred.
- Obtain the personal data you provided to us for a contract or with your consent in a structured, machine readable format, and to ask us to share (port) this data to another controller.
- Object to negative consequences that you experienced as a result of analysis of the processed personal data by solely automatic means.
- Object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing purposes).
- If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.
Under the GDPR, these rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR. We will inform you of relevant exemptions we rely upon when responding to any request you make.
In most cases we will not charge a fee for your requests. However, where the request is manifestly unfounded or excessive, we may charge a reasonable fee based on the administrative costs generated by your request.
8. Contact Information
If you have any concerns about how we process your data, or if you would like to opt-out of direct marketing, based on the laws applicable to you, you can reach out to:
THY HQ ENTITY
+90 212 444 0 849
EU REPRESENTATIVE DETAILS:
+49 069 955171 22/53
Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M
If you live in Germany and have an unresolved concern you can also contact our German DPO:
+49 069 955171 22/53
Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M