Turkish Airlines Gift Card Privacy Notice 

Introduction 

As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter to be referred to as “THY”, the “Company” or “We”) pays the utmost attention to the lawfulness of the processing of personal data of its customers. We have prepared this Privacy Notice (the “Privacy Notice”) within a project that the transparent processing of personal data of our customers who purchase, send or use Turkish Airlines Gift Cards (“Gift Card”) in order to ensure compliance with with the Article 10 of Law on Protection of Personal Data numbered 6698 (“Law”) primarily and EU General Data Protection Regulation (“GDPR”) to ensure that your personal data is processed in a transparent manner. 

For more detailed information about the processing of your personal data, you may read the THY Privacy Notice on the Processing and Protection of Personal Data published on https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/index.html. 

For more detailed information about GDPR you may read the GDPR Privacy Notice published on https://www.turkishairlines.com/en-tr/legal-notice/gdpr-privacy-notice. 

1. How Do We Collect Your Personal Data? What Is the Legal Basis for Processing Your Personal Data? 

Your personal data can be collected within services we provide with THY Gift Card processes via printed forms and online channels digitally. As per the Law, personal data can only be processed in the presence if at least one of the conditions set forth under the Law and/or required by international legislation. In this respect, as Turkish Airlines, we may rely on different legal bases, in particular the basic principles of Art. 4 of the Law and Art. 5 and Art 6 of the GDPR, only if one or more conditions that are stipulated under Law are present. 

• For purposes which are required by law (According to Art.5/(1a) Law, Art. 6/(1), Subparagraph 1(c) GDPR) 
• The necessity to establish a contractual relationship with you and to perform our obligations under a contract (According to Art. 5/(1c) Law , Art. 6/(1), Subparagraph 1(b) GDPR) 
• Complying with obligations under national and international regulations (Art. 5/(1ç) of Law, Art. 6 (1c) GDPR); 
• Our legitimate interests provided that such interests do not have a negative impact on our customers’ fundamental rights and freedoms (Art. 5/(1f) Law, Art. 6 (1f) GDPR). 

2. Which Personal Data Do We Collect and Process? 

General information on your personal data processed by THY are as follows: 

• Identification Information: Name-surname and government identification number. 
• Contact Information: E-mail address, mobile phone and adress information within the limitation of sending printed card. 
• Payment Information: Credit/Bank card information, financial e-ticket and payment information. 
• Gift Card Information: Gift Card Number, PIN and operation information. 
• Request/complaint Management Information: Evaluation information we have provided from you about our services. 

3. Why Do We Process Your Personal Data? 

We process personal data for the following purposes: 

• Performing of Gift Card operations and enabling you to benefit from our services, 
• Management of customer relations, 
• Provision of information regarding products and services, 
• Conducting of financial and accounting operations, 
• Establishment of information technologies infrastructures and execution and auditing of information security processes and operations, 
• Management and conclusion of your requests and complaints, 
• Prevention of forgery and fraud, 
• Execution of activities in accordance with the legislation, 
• Ensuring compliance with the national and international legislation to which THY is subjected and fulfilling the obligations arising from the relevant legislation. 

4. To Whom We Transfer Your Personal Data and Why 

We take care to process your personal data in accordance with the principles of “need to know” and “need to use” by ensuring the necessary data minimization. The establishment and operation of digital infrastructures makes it necessary to stream data with different stakeholders, and the personal data we process must be transferred to third parties for certain purposes. 

Your personal data can be transferred to the third parties that provide and serve within the scope of the Project limited to the fulfillment of the purposes specified in this Privacy Notice within the framework of the terms and purposes of personal data processing specified in accordance with Article 8 and 9 of the Law and Art. 44 seq. GDPR 

Recipients that we may transfer your data are: 

Our business partners or suppliers residing within borders of EU or abroad: To the companies that we receive services within the scope of the Gift Card in line with the realization of the stated objectives and limited to the fulfillment of these objectives. 

We will only transfer your personal data outside the EEA if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards: 

• Adequacy Decision of the EU Commission, currently: Recipients in Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom (updated list and further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) 
• Standard Contractual Clauses: Other recipients (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) 
• Exceptions under Art. 49 GDPR: Other recipients. 

Further information on such transfers or copies of these measures can be obtained via the contact details below. 

5. Notification About Commercial Electronic Messages 

Your personal data may be processed in order to provide information about our services, to promote our goods and services and to inform you about our campaigns in accordance with the Regulation of Regulation on Commercial Communication and Commercial Electronic Messages Numbered 6563. In accordance with the relevant legislation, your commercial electronic mail permissions must be recorded in the Message Management System (IYS), and within this scope, the contact address (phone number or e-mail address), permission date, communication channel, recipient type and permission source data will be shared with the IYS. You can visit https://iys.org.tr for detailed information about IYS. 

6. How Long to We Store your Data? 

THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country. 

Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, We must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 30 years which may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), if this is necessary for the establishment, exercise, or defense of legal claims. After that, the relevant data are routinely deleted or anonymized. 

Where We process personal data for marketing purposes or with your consent, We process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that We can respect your request in future. 

7. What are Your Rights as Data Subjects? 

As data subjects, you are entitled to a number of rights under Article 11 of the Law in relation to your personal data. We would like to inform you about the rights that you are entitled to and the ways you may use them. 

Under Art. 11 of the Law you are entitled to the following rights: 

• Learn whether data relating you is being processed. 
• Request further information if personal data relating to you has been processed. 
• Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose. 
• Learn the third-party recipients to whom the data are disclosed within the country or abroad. 
• Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred. 
• Request deletion or destruction of personal data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred. 
• Object to negative consequences that you experienced as a result of analysis of the processed personal data by solely automatic means. 
• Demand compensation for the damages that you have suffered as a result of an unlawful processing operation. 

If you are a passenger subject to GDPR, please find more detailed information on: https://www.turkishairlines.com/en-pl/legal-notice/gdpr-privacy-notice/. 

You can easily use your rights mentioned above and easily communicate the related requests to us via contact information below. Data subjects’ requests concerning the above-listed rights shall be concluded by us within thirty days at the latest, in accordance with the limitations provided by the Law. In principle, data subject requests shall be concluded free of charge. However, THY reserves its right to demand a fee from the tariff specified by the Turkish Personal Data Protection Board, in case the request requires additional costs. 

Our Company may request certain information from the data subject in order to determine that the applicant is in fact the data subject, and additional questions can be directed to the applicant to clarify matters regarding the applications. 

If you reside in the European Union and are subject to GDPR, please visit GDPR Privacy Policy page for more information about your rights under the GDPR. If you believe that We have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR. 

The competent supervisory authority can be identified according to the list provided under: https://edpb.europa.eu/about-edpb/board/members_en. 

Further information on your rights are available under: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en. 

Data Controller and Contact Information: 

If you have any concerns about how We process your data, or if you would like to opt-out of direct marketing, based on the laws applicable to you can reach out to: 

Turkish Airlines Head Quarter Entity: 

• https://www.turkishairlines.com/tr-tr/bilgi-edin/musteri-iliskileri/geribildirim/ 
• +90 212 444 0 849 
• Türk Hava Yolları A.O. Genel Yönetim Binası, Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye 

If you live in Germany and have an unresolved concern you can also contact our German DPO: 

• https://www.turkishairlines.com/tr-tr/bilgi-edin/musteri-iliskileri/geribildirim/ 
• +49 069 955171 22/53 
• Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M 

If you contact us by e-mail, communication is unencrypted.