1. Introduction of the Data Controller

As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter to be referred to as “THY”, the “Company” or “We”) pays the utmost attention to the lawfulness of the processing of personal data of its customers. We have prepared this Turkish Cargo GDPR Privacy Notice (the “Privacy Notice”) in order to ensure compliance with the European Union General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679).

The security of our customers’ personal data is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leak and to ensure the secure retention of personal data relating to our customers, such data are only transferred to trusted business partners and on a minimum level, by taking necessary security measures in accordance with the legislation in force.

Transparency is one of the most important subjects of our personal data protection program. In this respect, we have prepared this Notice in order to provide our customers with all necessary information while we are processing personal data for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data are detailed under heading (4) and the purposes for processing personal data are detailed under heading (5) of this Privacy Notice.

Another subject that we also pay close attention to is customers’ right to have control over their personal data. We implement measures to ensure that our customers manage their preferences regarding their own personal data and highly respect our customers’ preferences. This Privacy Notice also describes your data protection rights, including a right to object to specific processing activities which THY Cargo carries out. More information about your rights, and how to exercise them, is set out in the “What Are Your Rights as Data Subjects?” section.

Data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the GDPR. In this respect, detailed information regarding the processing of your personal data are presented to your attention within this Notice.

2. Contact Information

If you have any concerns about how we process your data, or if you would like to opt-out of direct marketing, based on the laws applicable to you can reach out to:

THY HQ Entity:

https://www.turkishairlines.com/tr-tr/bilgi-edin/musteri-iliskileri/geribildirim/
+90 212 444 0 849
Türk Hava Yolları A.O. Genel Yönetim Binası, Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Istanbul, Türkiye

If you live in Germany and have an unresolved concern you can also contact our German DPO:

https://www.turkishairlines.com/tr-tr/bilgi-edin/musteri-iliskileri/geribildirim/
+49 069 955171 22/53
Turkish Airlines Inc. Hamburger Allee 4 (Westendgate) 60486 FRANKFURT/M
If you contact us by e-mail, communication is unencrypted.

3. How Do We Collect Your Personal Data

This Privacy Notice contains our declarations and explanations concerning the processing of personal data relating to our customers and other natural persons establishing contact with us, excluding our employees, in compliance with the provisions of the GDPR.

We reserve the right to make changes to this Privacy Notice in order to provide accurate and up-to-date information concerning practices and regulations relating to the protection of personal data. Additionally, data subjects will be informed by appropriate means in the event of a substantial change to the Privacy Notice.

Our Company collects your personal data through the agencies authorized for sale of Turkish Cargo products and services, sales offices, Turkish Cargo website, social media accounts, e-mail, mail, CCTV, cookies and other communication channels, in audio, electronic or written form, in accordance with the conditions for processing of personal data as specified in the Law, for the purposes as set forth in this Privacy Notice.

4. Which Personal Data Do We Collect and Process?

Personal data which are processed by our Company may differ in accordance with the nature of the legal relationship established with our Company. In this respect the categories of personal data collected by our Company through all channels are as follows:

• Identification Information: name-surname, signature, ID card and passport information;
• Contact Information: e-mail address, business phone number and contact address details;
• Customer process information: IATA code or account code, customer code, call center records, customer instructions and records, customer application forms and customer process information which vary according to the nature of the service;
• Process security information: information on website passwords and pins which are created by your party during your utilization of the products or services which are offered on the digital mediums;
• Financial information: credit/debit card details, bank account details, IBAN details, balance information and other financial information;
• Physical environment security information: entry/exit logs in Company’s physical environments, visit information.
• Legal procedure and compliance information: personal information in the requests for information and decisions of judicial and administrative authorities;
• Audit and inspection information: information on all kinds of records and processes concerning the exercise of our legal claims and rights associated with the data subject;
• Marketing information: personal data and evaluations generated in consequence of surveys, satisfaction surveys, campaigns and direct marketing activities;
• Request/complaint management information: information and records gathered in relation to the requests and complaints made to our Company regarding our products and services which are associated with the data subject, as well as information in the reports regarding the conclusion of such requests/complaints by our relevant business units;
• Audio and visual data: photographs, camera and call center voice records.

5. Why Do We Process Your Personal Data and What Is the Legal Basis for This Use (Purpose of the Processing)?

We process your personal data according to the legal basis indicated below;

• To fulfill a contract, or take steps linked to a contract we have with you. (According to Art. 6/(1), Subparagraph 1(b) GDPR).
• As required to conduct our business and pursue our legitimate interests (According to Art. 6/(1), Subparagraph 1(f) GDPR).
• For purposes which are required by law (According to Art. 6/(1), Subparagraph 1(c) GDPR) (legal obligations).
• Where you give us consent (According to Art. 6/(1), Subparagraph 1(a) GDPR): If this is the case, personal data will be processed limited to the scope of your freely given explicit consent. You may revoke your explicit consent at any time.

We process your personal data for the following purposes:

• Planning and execution of the sales processes of cargo services
• Performance of communications regarding the services provided within the scope of cargo activities
• Conducting of the after-sale support services regarding the Goods/Services
• Contacting our customers and management of customer relations
• Personalization and improvement of your customer experience
• Provision of information regarding products and services
• Management and conclusion of your requests and complaints
• Administration of operations concerning emergencies and case management
• Fulfillment of our obligations arising from legislations applicable to our Company and provision of information to the competent authorities and organizations as per the legislation
• Conducting of financial and accounting operations
• Establishment of information technologies infrastructures and execution and auditing of information security processes and operations
• Prevention of fraud and counterfeiting
• Specification of access authorizations for business partners and suppliers
In some cases (e.g. booking a cargo service) the provision of information is mandatory: if relevant data is not provided, then we will not be able to process your request. When the provision of information is not marked as mandatory (e.g. for direct marketing purposes) it is optional.

6. To Whom, Why and Where We Transfer Your Personal Data?

Under certain circumstances, we may transfer your personal data to recipients residing within borders of Turkey or abroad, in accordance with applicable laws.

Recipients that we may transfer your data to can be listed categorically as follows:

• Our business partners or suppliers residing within borders of Turkey or abroad: Security firms, ground operation service providers at airports, transportation service providers for ground handling services and other additional related services, global distribution systems, partner airlines including but not limited to member airlines of the Star Alliance that will provide you services during connecting flights.
• Group companies: Certain services offered by THY are carried out by our affiliates, within this context, your personal data may be shared with our relevant affiliates.
• Suppliers: Your personal data will also be shared with service providers, in particular, providers of website hosting, software, maintenance, call centers, security firms, and transportation service providers.
• Government authorities such as civil aviation or custom authorities and/or law enforcement officials authorized by national or international legislations: e.g. to enforcement agencies, executive or judicial bodies in relation to ongoing investigations etc.
• In the event that the business is sold or integrated with another business, certain pieces of your details may be disclosed to our advisers and any prospective purchaser’s adviser and may be passed to the new owners of the business.

We will only transfer your personal data outside the EEA if suitable safeguards ensure that an appropriate level of protection is in place. Typically, we rely on the following safeguards:

• Adequacy Decision of the EU Commission, currently: Recipients in Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay (updated list and further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
• Standard Contractual Clauses: Other recipients (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en)
• Exceptions under Art. 49 GDPR: Other recipients.

Further information on such transfers or copies of these measures can be obtained via the contact details above.

• Third Party Web Sites: Our website may include links to third-party websites, microsites, plug-ins and applications (i.e. booking.com). Please note that clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Therefore, whenever you make use of these links or microsites or when you leave our website, please read the privacy notice of the third party.

7. How Long Will You Retain My Data?

THY is subject to legal obligations on data retention periods under Turkish law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country.

Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, we must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 30 years which may arise from the Turkish Commercial Code, Tax Code, and Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), provided that this is necessary for the establishment, exercise or defence of legal claims. After that, the relevant data are routinely deleted or anonymized.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.

8. Principles Relating to Personal Data Privacy

Our company acts in accordance with the principles stated hereby in all data processing activities; “lawfulness, fairness and transparency”, “purpose limitation”, “data minimisation”, “accuracy”, “storage limitation”, “ integrity and confidentiality” and “accountability”.

9. Use of Cookies

As Turkish Airlines, we utilize technologies such as cookies, pixels, GIFs (“Cookies”) to improve your user experience during your use of our websites and applications. The use of these technologies is in accordance with the Law and other related regulations that we are subjected to.

For further information regarding cookies, please refer to the Turk Hava Yollari Anonim Ortakligi (Turkish Airlines Incorporated Company) Cookies Information Text located at https://www.turkishcargo.com.tr/en/privacy-policy

10. Use of CCTV (Closed Circuit Television)

When you visit our company premises, your visual and audial data may be obtained via CCTV and may be preserved only for a period necessary to fulfill the following purposes. With the use of CCTV, prevention and detection of any criminal act incompatible with the law and company policies, maintaining the security of company premises and equipment located within the premises, protection of visitors’ and workers’ well-being is pursued. All necessary technical and administrative measures will be taken by us regarding the security of your personal data obtained via CCTV.

11. What Are Your Rights as Data Subjects?

Under the GDPR you are entitled to the following rights (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/what-are-my-rights_en):

• Right to withdraw consent (Art. 7 GDPR)
• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)

Under the GDPR or national laws, these rights may be limited, for example if fulfilling your request would reveal personal data about another person, where they would infringe the rights of a third party (including our rights) or if you ask us to delete information which we are required by law to keep or have compelling legitimate interests in keeping. Relevant exemptions are included in the GDPR or in applicable national laws. We will inform you of relevant exemptions we rely upon when responding to any request you make.

In order to exercise these rights please contact the above mentioned contact addresses. Please specify which individual rights according to Art. 15 et seq. you want to exercise. For this purpose we may have to confirm your identity before responding to your request. Please provide the following details so that we can identify you:

• Name
• Postal address
• E-mail address and optionally: customer number or booking code or ticket number

If you send us a copy of your ID, please black out all other information apart from your first and last name and address. When sending copies of the ID card, it must be clear that this is a copy. Therefore, please make a note on the copy of the ID as following: “This is a copy”.

In order to be able to process your request, as well as for identification purposes, please note that we will use your personal data in accordance with Art. 6 para. 1 (f) of the GDPR as legal obligation.

If you believe that we have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority can be identified according to the list provided under: https://edpb.europa.eu/about-edpb/board/members_en. In Germany, the competent supervisory authority is „Der Hessische Beauftragte für Datenschutz und Informationsfreiheit“, which can be found under: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html).

12. Automated Individual Decision Making and Profiling

According to GDPR provisions, you have the right not to be subjected to any decision making based on automated processing only, including profiling, which would have legal effect on you, or which would significantly affect you. However, as THY, we do not perform automated individual decision making and profiling.

13. Data Security

We take all appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data.

In this respect our Company;

• Ensures data security by utilizing protection systems, firewalls and other software and hardware containing intrusion prevention systems against virus and other malicious software,
• Access to personal data within our Company is carried out in a controlled process in accordance with the nature of the data and within the framework of the authority on the basis of unit / role / practice on a strict need-to-know basis,
• Ensures the conduct of necessary audits to implement the provisions of the GDPR, in accordance with Article 32 of the GDPR,
• Ensures the lawfulness of the data processing activities by way of internal policies and procedures,
• Applies stricter measures for access to special categories of personal data,
• In case of external access to personal data due to procurement of outsourced services, our Company obliges the relevant third party to undertake to comply with the provisions of the GDPR,
• It takes necessary actions to inform all employees, especially those who have access to personal data, about their duties and responsibilities within the scope of the GDPR.

Bosnian | Bulgarian | Czech | Danish | Dutch | Estonian | Finnish | French | German | Greek | Hungarian | Irish | Italian | Latvian | Lithuanian | Maltese

Polish | Portuguese | Romanian | Slovak | Slovenian | Spanish | Swedish