As Turkish Airlines (hereinafter to be referred to as “THY”, the “Company” or “We”), we pay the utmost attention to the lawful processing of the personal data pertaining to our customers to which we provide Turkish Cargo products and services. We have prepared this Privacy Notice on the Protection and Processing of Personal Data by Turkish Cargo (the “Privacy Notice”) in order to ensure compliance with the applicable national and international legislation, in particular the Law No. 6698 on the Protection of Personal Data (the “Law”) and the European Union General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679).

Ensuring the security of the personal data pertaining to our customers is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leakage thereof and to ensure the secure retention of personal data relating to our customers to which we offer Turkish Cargo products and services, such customers’ data are only transferred to trusted business partners, suppliers, legally authorized public institutions and private persons on a minimum level, by taking necessary security measures in accordance with the legislation in force.
Transparency is one of our most important subjects in the field of personal data protection. In this respect, we have prepared this Privacy Notice in order to provide our customers with all necessary information while we are processing personal data for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data and the purposes for processing personal data are elaborated under the sections on “Which Personal Data Do We Process?” and “For Which Purposes Do We Process Your Personal Data?”.

Another subject that we also pay close attention to is the customers’ right to have control over their personal data. We implement measures to ensure that our customers manage their preferences regarding their own personal data and highly respect our customers’ preferences. In this regard, you may convey your requests to our party through the communication channels listed under the section on “The Exercise of Rights by the Data Subjects”, and detailed explanations regarding this matter are provided in the section on “The Rights of the Data Subjects”. The terms used in this Privacy Notice are defined in the section on “Definitions”.

Data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the Law. In this respect, detailed information regarding the processing of your personal data are presented to your attention within this Privacy Notice.

1. How Do We Collect Your Personal Data?

This Privacy Notice contains our statements and explanations concerning the processing of personal data relating to our customers and other natural persons, who come into contact with us, in compliance with the provisions of the national and international legislation, particularly the Law.

We reserve the right to make changes to this Privacy Notice in order to provide up-to-date information concerning practices and legal regulations relating to the protection of personal data. Notwithstanding, data subjects will be informed by appropriate means in the event of a substantial change to the Privacy Notice.

This Privacy Notice has been prepared in order to provide information concerning which personal data Turkish Airlines process within the scope of its commercial activities, the purposes for which such data are processed, the parties to whom personal data are transferred and the purposes for such transfer

Our Company collects your personal data through the agencies authorized for sale of Turkish Cargo products and services, sales offices, Turkish Cargo website, social media accounts, e-mail, mail, CCTV, cookies and other communication channels, in audio, electronic or written form, in accordance with the conditions for processing of personal data as specified in the Law, for the purposes as set forth in this Privacy Notice.

2. Which Personal Data Do We Process?

Personal data which are processed by our Company may differ in accordance with the nature of the legal relationship established with our Company. In this respect, the categories of personal data collected by our Company through all channels, including digital environments, are as follows:

• Identification Information: name-surname, signature, ID card and passport information;
• Contact Information: e-mail address, business phone number and contact address details;
• Customer process information: IATA code or account code, customer code, call center records, customer instructions and records, customer application forms and customer process information which vary according to the nature of the service;
• Process security information: information on website passwords and pins which are created by your party during your utilization of the products or services which are offered on the digital mediums;
• Financial information: credit/debit card details, bank account details, IBAN details, balance information and other financial information;
• Physical environment security information: entry/exit logs in Company’s physical environments, visit information, camera and voice records );
• Legal procedure and compliance information: personal information in the requests for information and decisions of judicial and administrative authorities;
• Audit and inspection information: information on all kinds of records and processes concerning the exercise of our legal claims and rights associated with the data subject;
• Marketing information: personal data and evaluations generated in consequence of surveys, satisfaction surveys, campaigns and direct marketing activities;
• Request/complaint management information: information and records gathered in relation to the requests and complaints made to our Company regarding our products and services which are associated with the data subject, as well as information in the reports regarding the conclusion of such requests/complaints by our relevant business units;
• Audio and visual data: photographs, camera and voice records.

3. For Which Purposes Do We Process Your Personal Data? What Is Our Legal Basis For Processing of Your Personal Data?

As per the Law, personal data can only be processed in the presence of at least one of the conditions set forth under Articles 5 and 6 of the Law and/or as required by international legislation. In this respect, as Turkish Airlines, we may rely on different legal bases for processing of our customers’ personal data, including: i) being directly related to the conclusion or fulfillment of a contract (fulfillment of cargo services and the provision of associated services); ii) the fulfillment of our obligations under national and international regulations in force; and iii) our legitimate interests, provided that such interests do not have an adverse impact on our customers’ fundamental rights and freedoms.

In addition to the above-listed conditions for processing personal data, we may request your explicit consent to the processing of your personal data. If this is the case, personal data will be processed limited to the scope of your freely given explicit consent. You may revoke your explicit consent at any time.
In this regard, your personal data will be processed by Turkish Airlines, within the framework of national and international regulation, in accordance with the conditions for processing personal data set forth under Articles 5 and 6 of the Law and within the scope of the below-listed purposes:

• Planning and execution of the sales processes of cargo services
• Performance of communications regarding the services provided within the scope of cargo activities
• Conducting of the after-sale support services regarding the Goods/Services
• Contacting our customers and management of customer relations
• Personalization and improvement of your customer experience
• Provision of information regarding products and services
• Management and conclusion of your requests and complaints
• Administration of operations concerning emergencies and case management
• Fulfillment of our obligations arising from legislations applicable to our Company and provision of information to the competent authorities and organizations as per the legislation
• Conducting of financial and accounting operations
• Establishment of information technologies infrastructures and execution and auditing of information security processes and operations
• Prevention of fraud and counterfeiting
• Specification of access authorizations for business partners and suppliers

4. Transfer of Personal Data

In accordance with the aforelisted purposes, your personal data may be transferred to our suppliers and business partners from which we receive support for the establishment, execution and termination of our relationship with your party. Your personal data may also be transferred to public institutions and private persons authorized by law within the scope of their authorizations. In such cases, our Company takes all precautionary measures to ensure that the parties carry processing and transfer activities in accordance with the rules stated in this Privacy Notice and other related regulations that we are subject to.

Personal data may be transferred to business partners, suppliers, public institutions and private persons authorized by law pursuant to conditions and purposes of processing personal data as stated under Article 8 and 9 of the Law, and may be transferred abroad, limited with the specified purposes and in accordance with the principles and procedures stated under Article 9 of the Law and the decisions of the Personal Data Protection Board.

Your personal data may only be transferred abroad where:

• your explicit consent is obtained; or
• where your explicit consent is not obtained but one or more data processing condition(s) stated in the Law is/are met;
• the transferred country is declared by the Personal Data Protection Board to be offering an adequate level of protection ; or
• in case of the protection in the transferred country found to be inadequate, a written undertaking to provide adequate protection between our Company and the Data Controller that the data are being transferred to have been reached and the approval of the Personal Data Protection Board have been obtained.
• within the scope of the provisions in the applicable laws.

5. Retention of Personal Data

Our company determines the retention periods by taking into account of the applicable law and the purposes for data processing. In this respect, where applicable, we particularly consider the issues of period of limitation in terms of legal obligations regarding the processing of personal data. Once the purpose for processing personal data disappears, unless another legal reason or basis allowing the retention of the personal data exists, data will be deleted, destroyed or anonymized.

6. Principles Relating To Personal Data Processing

Our Company acts in accordance with the following fundamental principles regarding the processing of personal data: “Acting in accordance with the law and in good faith”, “Accuracy and Being Up-to-date”, “Processing for specific, explicit and legitimate purposes”, “Being adequate, relevant and limited to the purposes”, “Retention as stated in the applicable law or as long as necessary for the relevant purpose”.

7. Notification about Commercial Electronic Messages

Your personal data may be processed in order to provide information about our services, to promote our goods and services and to inform you about our campaigns in accordance with the Law No. 6563 on the Regulation of Electronic Commerce and the Regulation on Commercial Communication and Commercial Electronic Messages. In accordance with the applicable legislation, your commercial electronic message permissions shall be registered on the Message Management System (MMS). Within this scope, contact address (phone number or e-mail address), permission date, communication channel, recipient type and permission source data will be shared with the MMS. You can visit https://iys.org.tr for detailed information on MMS.

8. Use of cookies

As Turkish Airlines, we utilize technologies such as cookies, pixels, GIFs (“Cookies”) to improve your user experience during your use of our websites and applications. The use of these technologies is in accordance with the Law and other related regulations that we are subject to.
For further information regarding cookies, please refer to the “Turkish Cargo Cookie Privacy Notice” at https://www.turkishcargo.com.tr/en/privacy-policy

9. Use of CCTV (Closed Circuit Television)

When you visit our Company premises, your visual and audial data may be obtained via CCTV and may be stored only for a period necessary to fulfill the following purposes; prevention and pursuit of any criminal and anti-social actions incompatible with the law and company policies, maintaining the security of company premises and equipment located within the premises, protection of visitors’ and workers’ well-being. All necessary technical and administrative measures will be taken by our Company regarding the security of your personal data obtained via CCTV.

10. Rights of data subjects
In accordance with Article 11 of the Law, data subjects have the following rights against the data controller:

• Learn whether data relating to him/her are being processed;
• Request further information if personal data relating to him/her have been processed;
• Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose;
• Learn the third-party recipients to whom the data are disclosed within the country or abroad,
• Request rectification of the processed personal data which is incomplete or inaccurate
• Request deletion or destruction of personal data pursuant to the conditions which are prescribed under the applicable legislation;
• Request the processes undertaken in consequence of requests for rectification, deletion or destruction are notified to third persons to which personal data are transferred;
• Object to unfavorable consequences about him/her that are concluded as a result of analysis of the processed personal data solely by automatic means;
• Demand compensation for the damages (s)he has suffered as a result of an unlawful processing operation.

11. Exercise of rights by data subjects

Data subjects’ requests, in accordance with the limitations provided by the Law, concerning the above-listed rights shall be concluded by our Company within thirty days at the latest, In order for third parties to make an application on your behalf, the person to make an application on your behalf should hold a special power of attorney which is issued by a notary public on his/her behalf.

In principle, your applications shall be concluded free of charge. However, our Company may charge the fee designated by the Personal Data Protection Board if such is designated thereby.

Our Company may request certain information from the data subject in order to determine that the applicant is in fact the Data Subject, and additional questions can be directed to the applicant to clarify matters regarding the applications.

In order to exercise your aforelisted rights, you may contact us through the following contact details:

Türk Hava Yolları A.O. Genel Yönetim Binası Yeşilköy Mah. Havaalanı Cad. No:3/1 34149 Bakırköy/İstanbul
📞 00 90 212 463 63 63

https://www.turkishairlines.com/tr-tr/bilgi-edin/musteri-iliskileri/

12. Data security

We take appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data.
In this respect:

• Our Company ensures data security by utilizing protection systems, firewalls and other software and hardware containing intrusion prevention systems against virus and other malicious software;
• Access to personal data within our Company is carried out in a controlled process in accordance with the nature of the data and within the framework of the authority on the basis of unit / role / practice;
• Our Company ensures the conduct of necessary audits to implement the provisions of the Law, in accordance with Article 12 of the Law;
• Our Company ensures the lawfulness of the data processing activities by way of internal policies and procedures;
• Our Company applies more stricter measures for access to special categories of personal data,
• In case of external access to personal data due to procurement of outsourced services, our Company requires the relevant third party to undertake to comply with the provisions of the Law,
• Our Company takes necessary actions to inform all employees, especially those who have access to personal data, about their duties and responsibilities within the scope of the Law.

13. Definitions

• Explicit consent refers to freely given specific and informed consent.
• Anonymization refers to the rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
• Data subject refers to the natural person whose personal data are processed.
• Personal data refers to any information relating to an identified or identifiable natural person.
• Special Categories of Personal data refers to data that has been subjected to a more stringent protection regime under the Law which may cause the Data Subject to be victimized or discriminated against in cases of disclosure or loss.
• Processing of personal data refers to any operation that is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
• Filing system refers to the recording system in which personal data are configured and processed according to certain criteria.
• Data controller refers to the natural or legal person determining the purposes and means of the processing of personal data and who is responsible for the establishment and management of a filing system.