THY Privacy Notice for Customer Verification

  1. Introduction.

As a data controller Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Turkish Airlines” or “We”) pays the utmost attention to the lawfulness of the processing of personal data relating to its customer who are members (“User”) of its customer loyalty program Miles&Smiles.

The Turkish Airlines Customer Verification Process  Privacy Notice  (“Privacy Notice”) has been prepared in accordance with the primarily Article 10 of the Turkish Personal Data Protection Law No. 6698 (the “Law”) and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) for the transparent processing of personal data to be processed for the purpose of verifying the identities of Users in their transactions to be carried out on their Miles&Smiles account.

Click to get more detailed information about the processing of your personal data. Click to get more detailed information within the scope of GDPR.

  1. Which Personal Data We Process and How Do We Collect Your Personal Data?

General information on your personal data processed by THY is as follows:

  • Identity Information: Name, surname, title, Turkish citizenship ID and/or passport information (passport number and image, date of birth, place of birth, signature, nationality, mother's name, father's name, citizenship information, gender, maiden name, ID serial number, ID sequence number, marital status, ID expiry date), Miles&Smiles number,
  • Visual Records: Photograph, video records,
  • Evaluations and requests: Information regarding your assessments, complaints and requests relating to identity verification processes,
  • Biometric Data: Facial recognition information.

Your personal data can be collected within services we provide with Miles&Smiles program via THY Mobile application specifically dedicated to account security purposes in accordance with the provisions of national/international legislation, in particular the basic principles of Art. 4 of the Law and Art. 5 GDPR, only if one or more conditions that are stipulated by Law/GDPR are present.

  1. For Which Purposes Do We Process Your Personal Data? [1]

Your personal data are being processed for the following purposes:

  • To ensure the security of transactions in your Miles&Smiles account and to prevent fraudulent transactions,
  • To evaluate your complaints and requests related to identity verification, to optimize the processes requiring confirmation,
  • To ensure the legal and technical security of User transactions and monitoring them for security purposes,
  • To detect the fraudulent transactions and irregularities that may occur in User accounts, and to ensure account security,
  • To carry out the internal audit / investigation activities regarding account transaction security.
  1. What Is Our Legal Basis for Processing Your Personal Data?

Under the Law personal data can only be processed if at least one of the conditions set forth under Art. 5 and Art.6 of the Law and/or required by international legislation, as well as Art. 6 GDPR.

  • Within the scope of Article 5(1) of the Law and Article 6(1)(a) of the GDPR, your biometric data are processed based on your consent for taking an ID image with OCR, scanning an ID chip with NFC, and taking an ID card image in order to ensure the security of your Miles&Smiles account transactions and to verify your ID.
  • Your other personal data are processed to fulfill of the legal obligation to evaluate your requests and complaints regarding the verification processes of your Miles&Smiles account provided by Article 5(2) (ç) Law and Art. 6(1)(c) GDPR,
  • As required to conduct our business and pursue our legitimate interests arising from the security of User accounts if such interests do not have a negative impact on your fundamental rights and freedoms as provided by 5 (2) (f) Law and Art. 6(1)(f) GDPR.
  1. How Do We Keep Personal Data Secure and How Long Do We Store Them?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorized way, altered or disclosed. In addition, We limit access to your personal data to those employees, agents, contractors and other third parties on a need-to-know basis. They will only process your personal data on our specific instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach if We are legally required to do so.

 THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country. THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.).

Your personal data will be deleted when the data is no longer needed for the specified purposes and legal retention periods expire. Click for detailed information about storage period.

  1. To Whom We Transfer Your Personal Data and Why?

Under certain circumstances for the above listed purposes We may transfer your personal data that We process to third parties, residing within borders of Turkey in accordance with the provisions of national and international law, particularly Art. 8 and 9 of the Law as well as Art. 44 seq. GDPR.

Types of third parties We may transfer your personal data to are as follows:

  • Group companies: certain services offered by THY are carried out by our affiliates, within this context, your personal data may be shared with our relevant affiliates (i.e THY Teknoloji ve Bilişim Inc.). You may find more detailed information regarding our group companies by opening the following link: https://www.turkishairlines.com/en-tr/press-room/about-us/index.html;
  • Government authorities and/or law enforcement officials: your personal data can be shared with government authorities law enforcement officials and/or executive or judicial bodies (e.g. authorized public and private bodies) if required by law in compliance with applicable laws and/or in relation to ongoing investigations.
  1. What are Your Rights as Data Subject?

As data subject, you are entitled to a number of rights under Art. 11 of the Law and Art. 15 seq. GDPR in relation to your personal data. We would like to inform you about the rights you are entitled to and the ways you may exercise them.

Under Art. 11 of the Law you are entitled to the following rights:

  • Learn whether data relating to you are being processed by us;
  • Request further information if personal data relating to you have been processed by us;
  • Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose;
  • Learn the third-party recipients to whom the data are disclosed within the country or abroad;
  • Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data are transferred;
  • Request deletion or destruction of personal data in the event that the data are no longer necessary in relation to the purpose for which personal data were collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data are transferred;
  • Object to negative consequences that you experienced as a result of analysis of the processed personal data by solely automatic means;
  • Demand compensation for the damages that you have suffered as a result of an unlawful processing operation;

If you are subject to GDPR, please find more detailed information on https://www.turkishairlines.com/en-pl/legal-notice/gdpr-privacy-notice/

  1. Data Controller and Contact Information:

In order to easily exercise your rights listed above and send us your relevant requests you may contact us through our contact information below.

We will respond you in the shortest time possible, based on the nature of your request and within 30 days at the latest. As a general rule, responses to data subject requests are given free of charge; however, we reserve the right to charge you according to the tariff to be determined by the Personal Data Protection Board in case the request requires additional costs.

THY Head Quarter Entity:

[1] No automated decision-making, including profiling, within the meaning of Art. 22 GDPR is carried out. If this changes, THY will notify you additionally and meet the requirements prescribed by GDPR.