As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Company”, “Turkish Airlines” or “We”) pays the utmost attention to the lawfulness of the processing of personal data of its customers. We have prepared this Turkish Airlines GDPR Privacy Notice (“Privacy Notice”) on the protection and the processing of personal data, in order to ensure compliance with the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
The security of our customers’ personal data is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leak and to ensure the secure retention of personal data relating to our customers, such data are only transferred to trusted business partners and on a minimum level, by taking necessary security measures in accordance with the legislation in force.
Transparency is one of the most important subjects of our personal data protection program. In this respect, We have prepared this Privacy Notice in order to provide our customers with all necessary information while We are processing personal data, e.g. for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data and the purposes for processing personal data is set out under section 5 of this Privacy Notice.
Another subject that We also pay close attention to is customers’ right to have control over their personal data. We implement measures to ensure that our customers manage their preferences regarding their own personal data, and We highly respect our customers’ preferences. This Privacy Notice also describes your data protection rights, including a right to object to specific processing activities which THY carries out. More information about your rights, and how to exercise them, is set out in the “What are Your Rights as Data Subjects?” section.
In summary, data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the GDPR.
This Privacy Notice contains our declarations and explanations concerning the processing of personal data relating to our customers and other natural persons establishing contact with us, excluding our employees, in compliance with the provisions of the GDPR.
This Privacy Notice is prepared in order to provide information concerning which personal data Turkish Airlines processes within the scope of its commercial activities, the purposes for processing, the parties to whom personal data are transferred and the purposes for such transfers.
If you have any concerns about how We process your data, or if you would like to opt out of direct marketing, based on the laws applicable to you, you can reach out to:
THY HQ Entity:
+90 212 444 0 849
Türk Hava Yolları A.O. Genel Yönetim Binası, Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye
If you live in Germany and have an unresolved concern you can also contact our German DPO:
+49 069 955171 22/53
Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M
If you contact us by e-mail, communication is unencrypted.
This section covers the source of information and the channels through which personal data are collected:
Personal data processed by our Company differ in accordance with the nature of the legal relationship established with our Company. In this respect, categories of personal data collected by our Company through all channels, including Digital Environments, are as follows:
We may also receive information about you from third parties. In particular:
We process your personal data for the following purposes:
When you book a flight, including booking processes concluded through third parties and other websites, an account through which you may finalize your booking and manage your preferences regarding your flight is created. In this respect, information concerning your identity is processed for the verification of your identity at check-in, baggage delivery and security check points.
Additionally, personal data relating to you may also be processed in the course of benefiting from airport services provided through kiosks such as check-in, seat selection, luggage and cargo.
Within the scope of services concerning your flight, We process personal data relating to you for the purposes of conclusion of your flight ticket, check-in processes, preparation of your boarding pass and boarding the plane.
Personal data relating to you may only be processed for the purposes of providing information regarding the verification of your travel organization, changes to your flight program, opening date and time of check-in and conveying communication concerning reminders of your incomplete reservations.
In certain circumstances, We are required to deliver certain information to our customers regarding our flights. For instance, We may be required to establish communication with you via SMS, e-mail or telephone for the purposes of conveying booking information, confirmation regarding the purchase of your ticket or to provide payment and flight details. Additionally, customers benefiting from services provided through the Application may also be contacted by way of in-app notifications.
In some cases (e.g. for booking a flight) the provision of information is mandatory: if relevant data is not provided, then We will not be able to process your request. When the provision of information is not marked as mandatory (e.g. for direct marketing purposes) it is optional.
Withdrawing consent or otherwise objecting to direct marketing:
Wherever We rely on your consent, you will always be able to withdraw that consent, although We may have other legal grounds for processing your data for other purposes, such as those set out above. You have an absolute right to opt-out of direct marketing or profiling We carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
Due to the global nature of our business, We may transfer your personal data to recipients residing in Türkiye or abroad, in accordance with applicable laws.
Recipients that We may transfer your data to can be listed categorically as follows:
We will only transfer your personal data outside the EEA if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards:
Further information on such transfers or copies of these measures can be obtained via the contact details above.
Third Party Web Sites: Our website may include links to third-party websites, microsites, plug-ins and applications (i.e. booking.com). Please note that clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Therefore, whenever you make use of these links or microsites or when you leave our website, please read the privacy notice of the third party.
THY is subject to legal obligations on data retention periods under Turkish law, European law and, depending on the country in which you live or which law applies, the national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). Because THY, as a global company, has locations in different countries and the applicable laws vary accordingly, the retention periods may vary from country to country.
Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, We must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities have expired. These periods may be up to 30 years and may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and, depending on the case, other applicable European laws and national laws of an EU country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), provided that this is necessary for the establishment, exercise or defence of legal claims. After that, the relevant data are routinely deleted or anonymized.
Where We process personal data for marketing purposes or with your consent, We process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that We can respect your request in future.
Our company acts in accordance with the principles stated below in all data processing activities: “lawfulness, fairness and transparency”, “purpose limitation”, “data minimisation”, “accuracy”, “storage limitation”, “integrity and confidentiality” and “accountability”.
As Turkish Airlines, We utilize technologies such as cookies, pixels, GIFs (“Cookies”) to improve your user experience during your use of our websites and applications. The use of these technologies is in accordance with the Law and other related regulations that We are subject to.
For further information regarding cookies, please refer to the Türk Hava Yolları Anonim Ortaklığı Cookie Privacy Notice located at https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/cookies
Your personal data may be processed during your use of Digital Platforms to manage and operate the Website, to perform activities for optimizing and improving the user experience related to the Website and Application, to detect in what ways the Website is being used, to support and enhance the use of location-based tools, to manage your online accounts and to inform you about the services offered near you.
If you wish to benefit from the offered products and services, your personal data will be processed only to provide you with such products and services.
When you visit our company premises, your visual data may be obtained via CCTV and may be preserved only for a period necessary to fulfill the following purposes. The use of CCTV pursues the prevention and detection of any criminal act incompatible with the law and company policies, the maintenance of the security of company premises and equipment located within the premises, and the protection of visitors’ and workers’ well-being. All necessary technical and administrative measures will be taken by us regarding the security of your personal data obtained via CCTV.
Under the GDPR you are entitled to the following rights (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en):
Under the GDPR or national laws, these rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which We are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR or in applicable national laws. We will inform you of relevant exemptions We rely upon when responding to any request you make.
In order to exercise these rights, please use the contact details given above. Please specify which individual rights according to Art. 15 et seq. you want to exercise. For this purpose, We may have to confirm your identity before responding to your request. Please provide the following details so that We can identify you:
If you send us a copy of your ID, please black out all other information apart from your first and last name and address. When sending copies of the ID card, it must be clear that this is a copy. Therefore, please make a note on the copy of the ID as follows: “This is a copy”.
In order to be able to process your request, as well as for identification purposes, please note that We will use your personal data in accordance with Art. 6 para. 1 (f) of the GDPR as legal obligation.
If you believe that We have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority can be identified according to the list provided under: https://edpb.europa.eu/about-edpb/board/members_en.
In Germany, the competent supervisory authority is „Der Hessische Beauftragte für Datenschutz und Informationsfreiheit“, which can be found under: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
As indicated above, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6 (1) (e) or (f) of the GDPR, including profiling based on those provisions.
We shall no longer process the personal data unless We demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
We take all appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data.
In this respect our Company;
We reserve the right to make changes to this Privacy Notice in order to provide accurate and up-to-date information concerning practices and regulations relating to the protection of personal data. Data subjects will be informed by appropriate means in the event of a substantial change to the Privacy Notice.
You can use the documents below to examine the translations of this page in other languages.