Turkish Airlines GDPR privacy notice for Miles&Smiles

As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter referred to as “THY”, “Turkish Airlines” or “We”), pays the utmost attention to the lawfulness of the processing of personal data relating to its customers.

The THY GDPR Privacy Notice for Miles & Smiles (“Privacy Notice”) has been prepared in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) to ensure that personal data of our customers are processed in a transparent manner during processes within the scope of the Miles&Smiles Program (“Miles&Smiles”).

Specifically, We would like to inform you with respect to processing of your personal data collected. In this respect, We provide you with information on which personal data We process, for what purposes and how long, the third parties your data are shared with, your rights and ways to contact us.

Data processing is conducted in accordance with the principles of “lawfulness, fairness and transparency”, “purpose limitation”, “data minimization”, “accuracy”, “storage limitation”, “integrity and confidentiality”, “data subject’s control over personal data” and “accountability”.

We reserve the right to update this Privacy Notice at any time and will provide you with a new Privacy Notice if any substantial updates are made thereto. From time to time We may also notify you in other ways about processing of your personal data.

You may read the Turkish Airlines GDPR Privacy Notice published on: https://www.turkishairlines.com/en-tr/legal-notice/gdpr-privacy-notice for more detailed information about GDPR.

Your personal data processed within the scope of the processing of Identity/Passport Information by THY are as follows:

• Identity and contact information : personal data such as name, surname, government identification number, passport information and contact information such as e-mail address, address, phone and mobile phone number or social media contact information that you have provided us with while creating accounts, changing membership status, making plane ticket reservations or applying for exclusive services offered by THY and its partners;
• Flight information : reservation or ticket information or other information related to your flights;
• Advanced passenger information (“API”) : name, nationality, birth date, gender, type and number of your travel documents and their date of validity and issuing country;
• Evaluations and requests : information regarding your assessments, complaints and requests relating to our services;
• Payment information : Credit/Debit card information, bank account information, IBAN information, balance and receivable information and other financial data;
• Membership program information : information regarding Miles&Smiles and THY Corporate Club membership programs (if you are a member), information about being of member, Miles&Smiles Card Status information;
• Special service requests : if you have requested and approved, information about the disease, disability, allergy and special dietary requirements and the information contained in the documents related to them, to provide the service you need during your travel;
• Special discount offers : Information processed in order to benefit from special discounts offered for students, or disabled persons;
• Households and relatives information : households information obtained in case of having a family membership required identity, contact of your relatives in case creating a companion application that allows quick ticketing transactions;
• Fraud prevention : Device ID Information, device name- os, installation ID, IP address, location data, login date, browser type;

Your personal data can be collected within services We provide with Miles&Smiles program via THY`s online channels, documented forms, sales offices, check-in counters, kiosks, call center, internet service provided inside the plane and IFE, member feedback, admission points to the plane, authorized travel agencies for the sale of THY products and services, GDSs, online sales channels, evaluation activities, program partners and other airlines verbally, in a written form or digitally. In any case, your personal data may only be collected and processed in accordance with the provisions of national/international legislation, in particular the basic principles of Art. 5 GDPR, only if one or more conditions that are stipulated by GDPR are present.

Your personal data are being processed in compliance with GDPR as well as other relevant laws for the following purposes:

• to provide miles (“Miles”) from flights with THY and with program partner airlines;
• to introduce a personal security code (“PIN Code”) and a card for each member;
• to design and provide special services to program members via our more than a hundred program partners (https://www.turkishairlines.com/en-int/miles-and-smiles/program-partners/index.html ), operating in a wide range of sectors such as airlines companies, car-rental companies, banks which provide credit cards used to accumulate Miles, hotels, insurance companies, health service providers, tourism companies, organizations which provide shopping and entertainment services, telecommunication companies, educational institutions and energy companies;
• National and international airport authorities and/or Star Alliance may process your biometric data based on your explicit consent for the purpose of providing to the members easy and fast track services at the airports via digital applications. (THY does not process your biometric data);
• to spend Miles at https://www.shopandmiles.com;
• to benefit our Miles&Smiles credit card holder members with Miles in different rates according to the sector;
• to allow our members and their preferred relatives and friends benefit from various advantages (such as award tickets, cabin upgrades, Cash&Miles) with earned Miles&Smiles Miles according to the membership status;
• to perform transactions such as accrual of Miles, transferring Miles, activating Miles that are outdated, paying ticket taxes with Miles and redeeming Miles;
• to enable booking a ticket from the website and mobile applications, to design special campaigns for Miles&Smiles members through various surveys, to offer special opportunities for our members' birthdays, to make celebration cakes, to organize special surprises and services for our members such as valet parking and private driver service;
• to carry out THY My-Pass operations;
• in case you request a Family Membership, to take necessary actions as regards Miles collected by family members. If you create a family membership account, all members within the family can view the account movements of other family members;
• in case you have a RFID baggage card, to inform you by SMS about the status of your baggage at the airport;
• to reward loyal members as a general feature of loyalty programs and to follow on members` behaviors to customize the program according to members` expectations;
• to carry out sales operations and after-sales support services via https://www.shopandmiles.com;
• to carry out customer relationship management operations;
• to prevent, investigate and/or report things such as fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable laws;
• to carry out activities in accordance with the legislation.

We may provide you with more specific notice for some of the processing described above and, if We require your consent, We will ask for it at the time We collect your personal data.

No automated decision-making, including profiling, within the meaning of Art. 22 GDPR is carried out. If these changes, THY will notify you additionally and meet the requirements prescribed by GDPR.

Under GDPR personal data can only be processed if at least one of the conditions set forth Art. 6 GDPR is present.

In this respect, as THY, We may rely on different legal bases under the GDPR, including:

• if you give us consent as provided by Art. 6(1)(a) GDPR. If this is the case, personal data will be processed limited to the scope of your freely given explicit consent. You may at any time withdraw your explicit consent e.g. If you decide to withdraw your consent, please be aware of the following implications: Turkish Airlines will cease using your personal data for respective purposes for which you have withdrawn your consent. As a result, we may be unable to provide you with services or features that are dependent on processing your personal data based on consent. E.g. the Miles & Smiles services currently relies on your consent as the legal basis for processing your personal data. However, even after you have withdrawn your consent, we may still retain certain personal data as required or permitted by law, or for other legitimate purposes. Especially, we will maintain documentation, that you have provided consent in the past as the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
• if it is necessary to establish a contractual relationship and/or to perform our obligations under a contract (airline transport services and other related services etc.) as provided by Art. 6(1)(b) GDPR;
• as provided by law or for purposes which are required by law, such as compliance with legal obligations provided by Art. 6(1)(c) GDPR;
• as required to conduct our business and pursue our legitimate interests if such interests do not have a negative impact on our customers’ fundamental rights and freedoms as provided by Art. 6(1)(f) GDPR.

If We require you to provide personal data to comply with legal or contractual obligations, then provision of such data is mandatory. If such data are not provided, then We will not be able to enter into a relationship with you.

In all other cases, the provision of requested personal data is optional. If you do not provide the relevant personal data in these circumstances, the consequences will be clearly explained to you at that time.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorized way, altered or disclosed. In addition, We limit access to your personal data to those employees, agents, contractors and other third parties on a need-to-know basis. They will only process your personal data on our specific instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach if We are legally required to do so.

THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country.

Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, We must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 30 years which may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), if this is necessary for the establishment, exercise, or defense of legal claims. After that the relevant data are routinely deleted or anonymized.

If We process personal data for marketing purposes or with your consent, We process the data until you ask us to stop and for a short period after this to allow us to implement your requests. We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that We can respect your request in future.

Under certain circumstances for the above listed purposes We may transfer your personal data that We process to third parties, residing within borders of Turkey or abroad, in accordance with the provisions of national and international law, Art. 44 seq. GDPR. Types of third parties We may transfer your personal data to are as follows:

• Our business partners residing within borders Turkey or abroad : e.g. Car rental companies, hotels, ground operation service providers at airports, agencies, transportation service providers, global distribution systems, partner airlines that will provide you services during connecting flights within the scope of mileage accrual , product differentiations, personalized offers and dynamic pricing; mileage redemption (award tickets, cabin upgrades)
• Group companies : Certain services offered by THY are carried out by our affiliates, within this context, your personal data may be shared with our relevant affiliates. You may find more detailed information regarding our group companies by opening the following link: https://www.turkishairlines.com/en-int/press-room/about-us/index.html ;
• Suppliers : e.g. software companies that We procure technical services from, research companies, agencies that perform special campaign service for members, security firms, transportation service providers;
• Countries that the transportation is carried out to and private and public institutions authorized by national or international legislations ; In accordance with national and/or international legislation or civil aviation regulations, the relevant authorities and authorized bodies of the country where your travel takes place from or over its airspace, national and international public institutions that may take decisions that affect THY and/or THY's operations, national and international civil aviation authorities such as Directorate General of Civil Aviation, International Air Transport Association, The Office of Foreign Assets Control, Bureau of Industry and Security, Transportation Security Administration etc. and to United States National Security Council etc. when travelling to or using the airspace of United States of America;
• Government authorities and/or law enforcement officials : Your personal data can be shared with government authorities law enforcement officials and/or executive or judicial bodies (e.g. authorized public and private bodies) if required by law or if required for the protection of our legitimate interests in compliance with applicable laws and/or in relation to ongoing investigations.

Your personal data are generally processed in Turkey, Germany and other European countries.

We will only transfer your personal data outside the EEA in exceptional circumstances if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards:

1. Adequacy Decision of the EU Commission, currently: recipients in Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom (updated list and further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en);
2. Standard Contractual Clauses: Other recipients (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en) except for situations to which Art. 49 GDPR applies:

   2.1. you have explicitly consented to the proposed transfer, after being informed of the possible risks of such transfer due to the absence of an adequacy decision and appropriate safeguards;

   2.2. the transfer is necessary for the performance of a contract between the data subject and THY;

   2.3. the transfer is necessary for the conclusion or performance of a contract concluded in your interest;

   2.4. the transfer is necessary for important reasons of public interest and/or other conditions mentioned in Art. 49 GDPR.

3. Exceptions under Art. 49 GDPR: Other recipients.

   Further information on such transfers or copies of these measures can be obtained via the contact details in the Privacy Notice below.

Under the GDPR you are entitled to the following rights:

• Right of access (Art. 15 GDPR);
• Right to rectification (Art. 16 GDPR);
• Right to erasure (Art. 17 GDPR);
• Right to restriction of processing (Art. 18 GDPR);
• Right to data portability (Art. 20 GDPR);
• Right to object (Art. 21 GDPR).

You have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data based on Art. 6 (1) (e) or (f) GDPR, including profiling based on those provisions. We shall no longer process the personal data unless We demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

If personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

• Right to withdraw consent (Art. 7 GDPR);

Under the GDPR or national laws these rights may be limited, for example, if fulfilling your request would reveal personal data about another person, if it would infringe on the rights of a third party (including our rights) or if you ask us to delete information which We are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR or in applicable national laws. We will inform you of relevant exemptions We rely upon when responding to any request you make.

If you believe that We have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority can be identified according to the list provided under: https://edpb.europa.eu/about-edpb/board/members_en.

The competent supervisory authority in Germany is „Der Hessische Beauftragte für Datenschutz und Informationsfreiheit“, which can be found under: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Further information on your rights are available under: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en.

Please find more detailed information in Turkish Airlines GDPR Privacy Notice.

If you want to exercise your rights as a data subject, have any concerns about how We process your data, would like to communicate requests or opt-out of direct marketing, based on the laws applicable to you, you can reach out to:

THY Head Quarter Entity:

-   https://www.turkishairlines.com/en-int/any-questions/customer-relations/feedback/index.html

-   +90 212 444 0 849; +90 212 463 63 63

-   Türk Hava Yolları A.O. Genel Yönetim Binası, Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye

If you live in Germany and have an unresolved concern you can also contact our German DPO:

-   https://www.turkishairlines.com/de-de/any-questions/customer-relations/feedback/index.html

-   +49 069 955171 22/53

-   Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M

If you contact us by e-mail, communication may be unencrypted.

OTHER LANGUAGES

You can use the documents below to examine the translations of this page in other languages.

Bulgarian | Croatian | Czech | Danish | Dutch | Estonian | Finnish | Greek | Hungarian | Latvian | Lithuanian | Polish | Romanian | Slovak | Slovenian | Swedish