As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Turkish Airlines” or “We”), pays the utmost attention to the lawfulness of the processing of personal data relating to its customers.
The THY GDPR Privacy Notice for Miles & Smiles (“Privacy Notice”) has been prepared in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to ensure that personal data of our customers are processed in a transparent manner during processes within the scope of the Miles&Smiles Program (“Miles&Smiles”).
Specifically, We would like to inform you with respect to processing of your personal data collected. In this respect, We provide you with information on which personal data We process, for what purposes and how long, the third parties your data are shared with, your rights and ways to contact us.
Data processing is conducted in accordance with the principles of “lawfulness, fairness and transparency”, “purpose limitation”, “data minimization”, “accuracy”, “storage limitation”, “integrity and confidentiality”, “data subject’s control over personal data” and “accountability”.
We reserve the right to update this Privacy Notice at any time and will provide you with a new Privacy Notice if any substantial updates are made thereto. From time to time We may also notify you in other ways about processing of your personal data.
You may read the Turkish Airlines GDPR Privacy Notice published on: https://www.turkishairlines.com/en-tr/legal-notice/gdpr-privacy-notice for more detailed information about GDPR.
Your personal data processed within the scope of the processing of Identity/Passport Information by THY are as follows:
Your personal data can be collected within services We provide with Miles&Smiles program via THY`s online channels, documented forms, sales offices, check-in counters, kiosks, call center, internet service provided inside the plane and IFE, member feedback, admission points to the plane, authorized travel agencies for the sale of THY products and services, GDSs, online sales channels, evaluation activities, program partners and other airlines verbally, in a written form or digitally. In any case, your personal data may only be collected and processed in accordance with the provisions of national/international legislation, in particular the basic principles of Art. 5 GDPR, only if one or more conditions that are stipulated by GDPR are present.
Your personal data are being processed in compliance with GDPR as well as other relevant laws for the following purposes:
We may provide you with more specific notice for some of the processing described above and, if We require your consent, We will ask for it at the time We collect your personal data.
No automated decision-making, including profiling, within the meaning of Art. 22 GDPR is carried out. If these changes, THY will notify you additionally and meet the requirements prescribed by GDPR.
Under GDPR personal data can only be processed if at least one of the conditions set forth Art. 6 GDPR is present.
In this respect, as THY, We may rely on different legal bases under the GDPR, including:
If We require you to provide personal data to comply with legal or contractual obligations, then provision of such data is mandatory. If such data are not provided, then We will not be able to enter into a relationship with you.
In all other cases, the provision of requested personal data is optional. If you do not provide the relevant personal data in these circumstances, the consequences will be clearly explained to you at that time.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorized way, altered or disclosed. In addition, We limit access to your personal data to those employees, agents, contractors and other third parties on a need-to-know basis. They will only process your personal data on our specific instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach if We are legally required to do so.
THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country.
Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, We must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 30 years which may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), if this is necessary for the establishment, exercise, or defense of legal claims. After that the relevant data are routinely deleted or anonymized.
If We process personal data for marketing purposes or with your consent, We process the data until you ask us to stop and for a short period after this to allow us to implement your requests. We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that We can respect your request in future.
Under certain circumstances for the above listed purposes We may transfer your personal data that We process to third parties, residing within borders of Turkey or abroad, in accordance with the provisions of national and international law, Art. 44 seq. GDPR. Types of third parties We may transfer your personal data to are as follows:
Your personal data are generally processed in Turkey, Germany and other European countries.
We will only transfer your personal data outside the EEA in exceptional circumstances if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards:
2.1. you have explicitly consented to the proposed transfer, after being informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards;
2.2. the transfer is necessary for the performance of a contract between the data subject and THY;
2.3. the transfer is necessary for the conclusion or performance of a contract concluded in your interest;
2.4. the transfer is necessary for important reasons of public interest and/or other conditions mentioned in Art. 49 GDPR.
Further information on such transfers or copies of these measures can be obtained via the contact details in the Privacy Notice below.
Under the GDPR you are entitled to the following rights:
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Art. 6 (1) (e) or (f) GDPR, including profiling based on those provisions. We shall no longer process the personal data unless We demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
If personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Under the GDPR or national laws these rights may be limited, for example, if fulfilling your request would reveal personal data about another person, if it would infringe on the rights of a third party (including our rights) or if you ask us to delete information which We are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR or in applicable national laws. We will inform you of relevant exemptions We rely upon when responding to any request you make.
If you believe that We have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority can be identified according to the list provided under: https://edpb.europa.eu/about-edpb/board/members_en.
The competent supervisory authority in Germany is „Der Hessische Beauftragte für Datenschutz und Informationsfreiheit“, which can be found under: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.
Further information on your rights are available under: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en.
Please find more detailed information in Turkish Airlines GDPR Privacy Notice.
If you want to exercise your rights as a data subject, have any concerns about how We process your data, would like to communicate requests or opt-out of direct marketing, based on the laws applicable to you, you can reach out to:
THY Head Quarter Entity:
- +90 212 444 0 849; +90 212 463 63 63
- Türk Hava Yolları A.O. Genel Yönetim Binası, Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye
If you live in Germany and have an unresolved concern you can also contact our German DPO:
- +49 069 955171 22/53
- Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M
If you contact us by e-mail, communication may be unencrypted.
You can use the documents below to examine the translations of this page in other languages.