Turkish Airlines Privacy Notice for the Processing of Identity/Passport Information

1. Introduction.

As a data controller Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Turkish Airlines” or “We”) pays the utmost attention to the lawfulness of the processing of personal data relating to its customers and business partners.

This THY Privacy Notice for the Processing of Identity/Passport Information (“Privacy Notice”) has been prepared in accordance with the primarily Turkish Personal Data Protection Law no. 6698 (the “Law”) and EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to ensure that personal data are processed in a transparent manner and under your full control.

Specifically, We would like to inform you with respect to processing of your personal data collected in order to provide travel services to our esteemed customers, conducting transactions such as ticketing, baggage/found goods, boarding and checking the validity of identity/passport/visa/resident permits etc. as We are obliged to verifying your identity, evaluating your requests, complaints and claims making transactions such as insurance or other payment/compensation/transfer/membership, ensuring customer satisfaction. In this respect, We provide you with information on which personal data We process, for what purposes and how long, the third parties your data are shared with, your rights and ways to contact us in this Privacy Notice.

Data processing is conducted in accordance with the principles of “lawfulness, fairness and transparency”, “purpose limitation”, “data minimisation”, “accuracy”, “storage limitation”, “integrity and confidentiality”, “data subject’s control over personal data” and “accountability”.

We reserve the right to update this Privacy Notice at any time and will provide you with a new Privacy Notice if any substantial updates are made thereto. From time to time We may also notify you in other ways about processing of your personal data.

You may read the Turkish Airlines Privacy Notice on the Processing and Protection of Personal Data published on: https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/index.html for more detailed information about processing of your personal data. You may read the Turkish Airlines GDPR Privacy Notice published on: https://www.turkishairlines.com/en-tr/legal-notice/gdpr-privacy-notice for more detailed information about GDPR.

2. Which Personal Data We Process and How Do We Collect Your Personal Data?

Your personal data processed within the scope of the processing of Identity/Passport Information by THY are as follows:

  • Identity Information: Name, surname, government identification number, passport information.
  • Contact Information: E-mail address, phone and mobile phone number, address information.
  • Advanced Passenger Information (“API”): Name, nationality, birth date, gender, type and number of your travel documents and their date of validity and issuing country.
  • Customer Process Information: personal data recorded by channels such as call centers (CDR), invoice, release form, customer instructions.
  • Other Information: Special permission document within the scope of circulars issued by Republic of Turkey Ministry of Interior and personal data requested pursuant to national and international rules of civil aviation.

Your personal data can be collected at our offices, desks, check-in counters via printed documents and/or through electronic or online systems dedicated to this purpose and are processed in accordance with the provisions of national/international legislation, in particular the basic principles of Art. 4 of the Law and Art. 5 GDPR, only if one or more conditions that are stipulated by Law/GDPR are present. If We obtain your identity/passport image, those records are used only limitedly for the purpose of fulfilment of the belove-mentioned obligations and to provide information/documents to the competent public institutions, organizations and regulatory authorities in the country of destination upon their request. Those records are processed in accordance with data minimization (Art. 5(1)(c) GDPR) and data security principles (Art. 32 GDPR). They are deleted upon the end of operational processes and legal obligations.

3. For Which Purposes Do We Process Your Personal Data?

Your personal data are being processed in compliance with GDPR as well as other relevant laws and especially with the Law for the following purposes:

  • Preparation of the necessary records and documents for carrying out flight operations in accordance with the provisions of national/international legislation and aviation rules;
  • Complying with the rules determined by the civil aviation authorities;
  • Fulfilling either verbal or written instructions given by the destination country supervisors/authorities, to make relevant examinations and confirmations on travel documents of our passengers (such as passport validity, period, visa dates, residence permit etc) and to keep records of these examinations;
  • Fulfilling obligations prescribed by law such as verifying, reporting, record keeping, provision of information, tax liabilities, international sanctions and other obligations;
  • Complying with security, baggage/found goods procedures such as detecting/tracking/delivery;
  • Making transactions such as insurance compensation payments/other payments/compensation/transfer/membership;
  • Ensuring customer satisfaction;
  • Making necessary arrangements and providing information regarding your trip, and to receive your requests, complaints and opinions.

No automated decision-making, including profiling, within the meaning of Art. 22 GDPR is carried out. If this changes, We will notify you additionally and meet the requirements prescribed by GDPR.

4. What Is Our Legal Basis for Processing of Your Personal Data?

Under the Law personal data can only be processed if at least one of the conditions set forth under Art. 5 and 6 of the Law and/or required by international legislation, as well as Art. 6 GDPR is present.

In this respect, as THY, We may rely on different legal bases under the GDPR and Law, including:

  • If you give us consent as provided by Art. 5(1) Law and Art. 6(1)(a) GDPR. If this is the case, personal data will be processed limited to the scope of your freely given explicit consent. You may withhold or at any time revoke your explicit consent;
  • If it is necessary to establish a contractual relationship and/or to perform our obligations under a contract (provision of airline transport services and other related services etc.) as provided by Art. 5(2)(c) Law and Art. 6(1)(b) GDPR;
  • Where it is explicitly permitted by any Law provided by Article 5 (2) (a) of the Law ;
  • Compliance with legal obligations provided by 5 (2) (ç) Law and Art. 6(1)(c) GDPR;
  • As required to conduct our business and pursue our legitimate interests if such interests do not have a negative impact on our customers’ fundamental rights and freedoms as provided by 5 (2) (f) Law and Art. 6(1)(f) GDPR;
  • Where it is necessary for the institution, usage, or protection of a right provided by Article 5 (2) (e) of the Law.

5. How Do We Keep Personal Data Secure and How Long Do We Store Them?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorized way, altered or disclosed. In addition, We limit access to your personal data to those employees, agents, contractors and other third parties on a need-to-know basis. They will only process your personal data on our specific instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach if We are legally required to do so.

THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country. THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.).

Your personal data are deleted as soon as they are no longer needed for the specified purposes and legal retention periods expire. Click for detailed information about storage period.

6. To Whom We Transfer Your Personal Data And Why?

Under certain circumstances for the above listed purposes, We may transfer your personal data that We process to third parties, residing within borders of Turkey or abroad, in accordance with the provisions of national and international law, particularly Art. 8 and 9 of the Law as well as Art. 44 seq. GDPR. Types of third parties We may transfer your personal data to are as follows:

  • Our business partners or suppliers within borders of Turkey or abroad: Security firms, ground operation service providers at airports, transportation service providers for ground handling services and other additional related services, call centers firms, partner airlines including but not limited to member airlines of the Star Alliance that will provide you services during connecting flights, insurance companies etc.
  • Group companies: Certain services offered by THY are carried out by our affiliates, within this context, your personal data may be shared with our relevant affiliates. You may find more detailed information regarding our group companies by opening the following link: https://www.turkishairlines.com/en-tr/press-room/about-us/index.html;
  • Government authorities and/or law enforcement officials: Your personal data can be shared with government authorities and/or law enforcement officials if required by law and in compliance with applicable laws.
  • Public and private bodies and institutions authorized by national and international law or national: National and international aviation authorities such as Directorate General of Civil Aviation, International Air Transport Association, The Office of Foreign Assets Control, Bureau of Industry and Security, Transportation Security Administration, payment facilities, banks and financial institutions etc. We will only transfer your personal data outside the EEA in exceptional circumstances, if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards:

We will only transfer your personal data outside the EEA in exceptional circumstances, if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards:

2. Standard Contractual Clauses: Other recipients (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) except for situations to which Art. 49 GDPR applies:
2.1. you have explicitly consented to the proposed transfer, after being informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards;
2.2. the transfer is necessary for the performance of a contract between the data subject and THY;
2.3. the transfer is necessary for the conclusion or performance of a contract concluded in your interest;
2.4. the transfer is necessary for important reasons of public interest and/or other conditions mentioned in Art. 49 GDPR.
3. Exceptions under Art. 49 GDPR: Other recipients.

Further information on such transfers or copies of these measures can be obtained via the contact details in the Privacy Notice below.

7. What are Your Rights as Data Subject?

Under Art. 11 of the Law you are entitled to the following rights:

  • Learn whether data relating to you are being processed;
  • Request further information if personal data relating to you have been processed;
  • Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose;
  • Learn the third-party recipients to whom the data are disclosed within the country or abroad;
  • Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data are transferred;
  • Request deletion or destruction of personal data in the event that the data are no longer necessary in relation to the purpose for which personal data were collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data are transferred;
  • Object to negative consequences that you experienced as a result of analysis of the processed personal data by solely automatic means;
  • Demand compensation for the damages that you have suffered as a result of an unlawful processing operation;

If you are subject to GDPR, please find more detailed information on https://www.turkishairlines.com/en-pl/legal-notice/gdpr-privacy-notice/

In order to easily exercise your rights listed above and send us your relevant requests you may contact us through our contact information below. We will respond you in the shortest time possible, based on the nature of your request and within 30 days at the latest. As a general rule, responses to data subject requests are given free of charge; however, we reserve the right to charge you according to the tariff to be determined by the Personal Data Protection Board in case the request requires additional costs.

8. Data Controller and Contact Information:

If you want to exercise your rights as a data subject, have any concerns about how We process your data, would like to communicate requests or opt-out of direct marketing, based on the laws applicable to you, you can reach out to:

THY Head Quarter Entity:

- Türk Hava Yolları A.O. Genel Yönetim Binası Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye

- +90 212 444 0 849; +90 212 463 63 63

- https://www.turkishairlines.com/tr-tr/bilgi-edin/musteri-iliskileri/geribildirim/

OTHER LANGUAGES

You can use the documents below to examine the translations of this page in other languages.

Bulgarian | Croatian | Czech | Danish | Dutch | Estonian | Finnish | Greek | Hungarian | Latvian | Lithuanian | Polish | Romanian | Slovak | Slovenian | Swedish