1. Introduction of the Data Controller
As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Company”, "Turkish Airlines" or “We”), pays the utmost attention to the lawfulness of the processing of personal data of its customers. We have prepared this The Turkish Airlines GDPR Privacy Notice (“Privacy Notice”) on the Protection and the Processing of Personal Data, in order to ensure compliance with the European Union General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679).
The security of our customers’ personal data is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leak and to ensure the secure retention of personal data relating to our customers, such data are only transferred to trusted business partners and on a minimum level, by taking necessary security measures in accordance with the legislation in force.
Transparency is one of the most important subjects of our personal data protection program. In this respect, we have prepared this Notice in order to provide our customers with all possible information while we are processing personal data for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data and the purposes for processing personal data are detailed under heading (5) of this Privacy Notice.
Another issue that we also pay close attention to is customers’ right to have control over their personal data. We implement measures to ensure that our customers manage their preferences regarding their own personal data and highly respect our customers preferences. This Privacy Notice also describes your data protection rights, including a right to object to some of the processing which THY carries out. More information about your rights, and how to exercise them, is set out in the “What are Your Rights as Data Subjects?” section.
Data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the GDPR. In this respect, detailed information regarding the processing of your personal data are presented to your attention within this Notice.
2. Contact Information
If you have any concerns about how we process your data, or if you would like to opt-out of direct marketing, based on the laws applicable to you can reach out to:
THY HQ Entity:
+90 212 444 0 849
Türk Hava Yolları A.O. Genel Yönetim Binası, Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye
If you live in Germany and have an unresolved concern you can also contact our German DPO:
+49 069 955171 22/53
Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M
If you contact us by e-mail, communication is unencrypted.
3. How Do We Collect Your Personal Data?
This Privacy Notice contains our declarations and explanations concerning the processing of personal data relating to our customers and other natural persons establishing contact with us, excluding our employees, in compliance with the provisions of the GDPR.
We reserve the right to make changes to this Privacy Notice in order to provide accurate and up-to-date information concerning practices and regulations relating to the protection of personal data. Additionally, data subjects will be informed by appropriate means in the event of a substantial change to the Privacy Notice.
This Privacy Notice is prepared in order to provide information concerning which personal data Turkish Airlines processes within the scope of its commercial activities, the purposes for processing, the parties to whom personal data are transferred and the purposes for such transfers. This Privacy Notice covers the following channels through which personal data are collected:
- Call center, booking offices, check-in counters, kiosks, inflight entertainment system, requests and complaints, boarding checkpoints, surveys, fairs and events; by verbal, written or electronic environments, wholly or partly by automated and non-automated means,
- Turkish Airlines and Miles&Smiles Special Passenger Program website and mobile applications,
- Agencies authorized to sell Turkish Airlines products and services and sales channels on the web, social media, passenger and customer conversations, SMS channels, business intelligence, contracted merchants, business/program partners and other airlines; by verbal, written or electronic environments, wholly and partly by automated and non-automated means.
- If you request to receive service from these channels; The website located at turkishairlines.com (“Website”); software and applications provided through computers or other smart devices (“Application”); social media accounts administered by persons authorized to provide services on behalf of Turkish Airlines (“Social Media”), instant messaging applications ("Messaging Platforms") that mediate the service provided by Turkish Airlines such as WhatsApp Business, Telegram, Facebook Messenger, WeChat, BiP etc and other channels shall be referred to as (“Digital Platforms”).
4. Which Personal Data Do We Collect & Process?
Personal data processed by our Company differ in accordance with the nature of the legal relationship established with our Company. In this respect, categories of personal data collected by our Company through all channels, including Digital Environments, are as follows:
- Identity and Contact Information: Personal data such as name, surname, identification number, passport information and contact information (such as e-mail address), phone and mobile phone number or social media contact information that you have provided to us while creating accounts, making plane ticket reservations or applying for exclusive services offered by THY and its partners. For more detailed information about processing of Identity/Passport Information you may read the “Turkish Airlines Protection of Personal Data Announcement for the Processing of Identity/Passport Information” published on https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/processing-of-identity-passport-information/
- Flight Information: Reservation or ticket information or other information related to your flights such as your medical condition or your meal preferences if needed.
- Advance Passenger Information (“API”): Personal data relating to your name, nationality, birth date, gender, type and number of your travel documents including its date of validity, and its issuing country.
- Location Data (location data collected by way of location-based tools such as airport directions, map view, Turkish Airlines Lounge, nearest car parking space)
- Information Relating to Family and Relatives (identification information, contact information, information regarding profession and education etc. relating to data subject’s children spouse etc.)
- Customer Process Information (personal data recorded in channels such as call centers, credit card statements, box office receipts, customer instructions including reservation, purchase, cancellation, postponement and other changes relating to an instruction or request attributable to a person)
- Process Security Information (information relating to website password etc. provided in the course of benefiting from products and services offered in digital environments)
- Risk Management Information (such as results and records of various query provided by public institutions relating to the data subject, records of security checks concerning whether you prohibited from boarding on a plane, records of address recording system, IP tracking records)
- Request/Complaint Management Information (such as information and records collected in relation with requests and complaints concerning our products or services and information contained within reports regarding the conclusion of such requests by our business units)
- Financial Information (credit/debit card information, bank account information, IBAN information, balance information, credit balance information and other financial information)
- Physical Environment Security Information (entry/exit logs in Company’s physical environments, visit information, camera and voice records)
- Legal Procedure and Compliance Information (information provided within information requests and decisions of judicial and administrative authorities)
- Audit and Inspection Information (information relating to all kinds of records and processes concerning the exercise of our legal claims and rights associated with the data subject)
- Special Categories of Personal Data (special categories of personal data processed limited to the circumstances expressly envisaged under the laws and where required for the Company’s operations for example to provide you with assistance or facilities appropriate to your medical needs during your trip, to accommodate your requests, to ensure safety on board to comply with legal requirements. Where your religion or health status could be inferred from meal preferences, we will not use it in any other way other than to fulfil your meal request.)
- Marketing Information (such as reports and evaluations containing information indicating preferences, taste, usage and travel habits attributable to the data subject and used for the purposes of marketing, targeting information, cookie records, data generated within data enrichment operations, records of surveys, satisfaction surveys, information and evaluations obtained as a result of campaigns and direct marketing activities.)
- Audio Visual Information (photographs, camera and voice records etc.)
- Membership Program Information: If you are a member, information regarding Miles&Smiles and Turkish Airlines Corporate Club membership programs.
We may also receive information about you from third parties. In particular:
- API: When you make a booking through a travel agency or another airline company they may send us your name, nationality, date of birth, gender as well as the type, number, issuing country and date of validity of your travel documents.
- Flight information: When you make a booking through a travel agency or another airline company, they will send us your reservation or ticket information, or other information related to your flights such as your medical condition or your meal preferences.
5. Why Do We Process Your Personal Data and What Is the Legal Basis for This Use (purpose of the processing)?
We process your personal data for the following purposes:
- To fulfil a contract, or take steps linked to a contract we have with you. (According to Art. 6/(1), Subparagraph 1(b) GDPR) This includes:
- Management of flight reservations and other related services:
When you book a flight, including booking processes concluded through third parties and other websites, an account through which you may finalize your booking and manage your preferences regarding your flight is created. In this respect, information concerning your identity is processed for the verification of your identity at check-in, baggage delivery and security check points. Additionally, personal data relating to you may also be processed in the course of benefiting from airport services provided through kiosks such as check-in, seat selection, luggage and cargo.
- Managing flight operations and establishing communications concerning services provided within your flight program
Within the scope of your flight, we process personal data relating to you within the scope of services concerning your flight for the purposes of conclusion of your flight ticket, check-in processes, preparation of your boarding pass and boarding on the plane. Personal data relating to you may only be processed for the purposes of providing information regarding the verification of your travel organization, changes to your flight program, opening date and time of check-in and conveying communication concerning reminders of your incomplete reservations.
- Establishing communication with our customer and customer relationship management
In certain circumstances, we are required to deliver certain information to our customers regarding our flights. For instance, we may be required to establish communication with you via SMS, e-mail or telephone for the purposes of conveying booking information, confirmation regarding the purchase of your ticket or to provide payment and flight details. Additionally, customers benefiting from services provided through the Application, may also be communicated by way of in app notifications.
- Membership Programs: In case you are a member, in particular Miles&Smiles, Turkish Airlines Corporate Club, carrying out the necessary work to take advantage of related loyalty program services and carrying out the relevant business processes.
- As required to conduct our business and pursue our legitimate interests (According to Art. 6/(1), Subparagraph 1(f) GDPR), in particular:
- Requests and Evaluations: Personal data relating to you may be processed for the purposes of taking necessary actions in order to provide responses to questions, requests or complaints conveyed by our customers through Digital Environments or by other written and verbal channels. Opinions of our customers are of great importance for us. Therefore, we may process personal data while evaluating the responses provided by our customers to questions within customer satisfaction surveys, in order to evaluate the quality of our services.
- Fraud prevention: We monitor customers' actions to prevent, investigate and/or report things such as fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable laws.
- Establishing information technologies infrastructure and executing and auditing information security processes and operations: Personal data relating to you may be processed for the purposes of ensuring compliance with internal policies and procedures related to information security, management of information technologies systems as well as improving and optimizing such systems, ensuring the accessibility and reliability of such infrastructure and systems by way of back-ups and tests, improving products and services provided including statistical analysis and research on systems and programs regarding ticketing and travel operations.
- Conducting financial and accounting operations: Personal data relating to you may be processed for the purposes of complying with obligations to inform including identification and verification of identity and the prevention of fraudulent transactions, receiving payments and where deemed necessary, reimbursement.
- Service Customization: Offering, proposing and introducing the programs, services and products to the related persons and performing the activities for the customization of them according to the usage habits and needs of the related persons.
- Usage Information: In order to provide better service to our customers and to customize our services for you, your usage habits on our web site and applications may be followed. In addition, in order to provide service only, the information such as IP address, device model etc., regarding to the devices which you display on our website or use our applications may be processed. Where required by law, the marketing and advertising activities carried out through targeting and profiling are carried out only if you have given your consent.
- For purposes which are required by law (According to Art. 6/(1), Subparagraph 1(c) GDPR) (legal obligations):
- Ensuring compliance with the national and international legislation to which THY is subjected and fulfilling the obligations arising from the relevant legislation. In response to requests by government or law enforcement authorities conducting an investigation.
- In such cases, it may be required to comply with commercial or tax-related retention requirements or to fulfill safety-related requirements. For more information about retention periods, see "How long will you retain my data?"
- Transfers to immigration authorities or Federal Police Offices (Advanced Passenger Information or Passenger Data regulations)
- Where you give us consent(According to Art. 6/(1), Subparagraph 1(a) GDPR):
- Marketing activities: Where required by law, we will send you with your consent direct marketing in relation to our relevant products and services, or other products and services provided by us, our affiliates and carefully selected partners
- Other occasions: On other occasions where we ask you for consent, we will use the data for the purpose which we explain at that time such as when collecting information in relation to your medical condition or religious beliefs.
In some cases (e.g. for booking a flight) the provision of information is mandatory: if relevant data is not provided, then we will not be able to process your request. When the provision of information is not marked as mandatory (e.g. for direct marketing purposes) it is optional.
Withdrawing consent or otherwise objecting to direct marketing:
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
Relying on our legitimate interests:
We have carried out balancing tests for all the data processing we carry out on the basis of our legitimate interests, which we have described above. You can obtain information on any of our balancing tests by contacting us using the details set out later in this Privacy Notice.
6. To Whom, Why and Where We Transfer Your Personal Data?
Under certain circumstances, we may transfer your personal data to third parties residing within borders or abroad, in accordance with applicable laws.
Third parties that we may transfer your data can be listed categorically as follows:
- Our business partners or suppliers residing within borders or abroad: Security firms, ground operation service providers at airports, transportation service providers for ground handling services and other additional related services, global distribution systems, partner airlines including but not limited to member airlines of the Star Alliance that will provide you services during connecting flights.
- Loyalty Programme related services: Please see full list below: https://www.turkishairlines.com/en-tr/miles-and-smiles/program-partners/index.html
- Group companies: Certain services offered by THY are carried out by our affiliates, within this context, your personal data may be shared with our relevant affiliates.
- Suppliers: Your personal data will also be shared with third party service providers, in particular, third party providers of website hosting, software, maintenance, call centers, security firms, and transportation service providers.
- Government authorities such as civil aviation or custom authorities and/or law enforcement officials authorized by national or international legislations; e.g. to enforcement agencies, executive or judicial bodies in relation to ongoing investigations or when travelling to United States of America, to United States National Security Council etc.
- In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.
Where information is transferred from inside the EEA to outside the EEA (e.g. Turkey), and where this is to a stakeholder or vendor in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses or a vendor's Processor Binding Corporate Rules.
Information on EU standard contractual clauses is available on the European Union website:
Third Party Web Sites: Our website may include links to third-party websites, microsites, plug-ins and applications (i.e. booking.com) Please note that clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Therefore, whenever you make use of these links or microsites or when you leave our website, please read the privacy notice of the third party.
7. How long will you retain my data?
THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country.
Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, we must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 30 years which may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), provided that this is necessary for the establishment, exercise or defence of legal claims. After that, the relevant data are routinely deleted..
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
8. Principles relating to personal data privacy
Our company acts in accordance with the principles stated below in all data processing activities. “Acting in accordance with the law and in good faith”, “Authenticity and Being Up-to-date”, “Processing for specific, clear and legitimate purposes”, “Being relevant, limited and proportionate with the purposes”, “Retention as stated in the related law or as long as necessary for the relevant purpose”
As Turkish Airlines, we utilize technologies such as cookies, pixels, GIFs (“Cookies”) to improve your user experience during your use of our websites and applications. The use of these technologies is in accordance with the Law and other related regulations that we are subjected to.
For further information regarding cookies, please refer to the Türk Hava Yolları Anonim Ortaklığı Cookie Privacy Notice located at https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/cookies
10. Use of digital platforms
Your personal data may be processed while your use of Digital Platforms to manage and operate the Website, to perform activities for optimizing and improving the user experience related to the Website and Application, to detect in what ways the Website is being used, to support and enhance the use of location based tools, to manage your online accounts and to inform you about the services offered near you.
In case you desire to benefit from the offered product and services, your personal data will be processed only to make you get such product and services.
11. Use of CCTV (Closed Circuit Television)
When you visit our company premises, your visual and audial data may be obtained via CCTV and may be preserved only for a period necessary to fulfill the following purposes. With the use of CCTV, prevention and detection of any criminal act incompatible with the law and company policies, maintaining the security of company premises and equipment located within the premises, protection of visitors’ and workers’ well-being is pursued. All necessary technical and administrative measures will be taken by us regarding the security of your personal data obtained via CCTV.
12. What are Your Rights as Data Subjects?
Under the GDPR you are entitled to the following rights:
- Learn whether data relating you is being processed.
- Request further information if personal data relating to you has been processed.
- Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose.
- Request a copy of your personal data we hold.
- Learn to which third-party recipients your data is disclosed.
- Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred.
- Request deletion or destruction of personal data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred.
- Obtain the personal data you provided to us for a contract or with your consent in a structured, machine readable format, and to ask us to share (port) this data to another controller.
- Object to negative consequences that you experienced as a result of analysis of the processed personal data by solely automatic means.
- Object to the processing of your personal data in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing purposes).
- If you have unresolved concerns, you have the right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.
Under the GDPR, these rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR. We will inform you of relevant exemptions we rely upon when responding to any request you make.
THY provides a free copy of the personal data undergoing processes (for the first data request). However, where the request is manifestly unfounded or excessive, we may charge a reasonable fee based on the administrative costs generated by your request.
If you want to exercise your rights, please specify which individual rights according to Art. 15 et seq. you want to exercise. For this purpose we have to identify you in terms if personal identity. Please provide the following details so that we can identify you:
- Postal address
- E-mail address and optionally: customer number or booking code or ticket number
If you send us a copy of your ID, please black out all other information apart from your first and last name and address.
When sending copies of the ID card, it must be clear that this is a copy. Therefore, please make a note on the copy of the ID as following: “This is a copy”.
In order to be able to process your request, as well as for identification purposes, please note that we will use your personal data in accordance with Art. 6 para. 1 (c) of the GDPR as legal obligation.
You also have the right to complain to a EU- Data Protection Regulator. The relevant supervisory authority for THY in the EU is Germany as EU-Country. In Germany, following supervisory authority is responsible:
the Officer for Data Protection and Freedom of Information of the State of Hesse Postfach 3163 65021 Wiesbaden
13. The right to object to processing of personal data (Article 21 of the GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Article 6 (1) (e) or (f) of the GDPR, including profiling based on those provisions.
We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
14. Data security
We take all appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data. In this respect our Company;
- Ensures data security by utilizing protection systems, firewalls and other software and hardware containing intrusion prevention systems against virus and other malicious software,
- Access to personal data within our company is carried out in a controlled process in accordance with the nature of the data and within the framework of the authority on the basis of unit / role / practice,
- Ensures the conduct of necessary audits to implement the provisions of the GDPR, in accordance with Article 32 of the GDPR,
- Ensures the lawfulness of the data processing activities by way of internal policies and procedures,
- Applies stricter measures for access to special categories of personal data,
- In case of external access to personal data due to procurement of outsource services, our Company obliges the relevant third party to undertake to comply with the provisions of the GDPR,
- It takes necessary actions to inform all employees, especially those who have access to personal data, about their duties and responsibilities within the scope of the GDPR.