Introduction

As a data controller, Türk Hava Yolları Anonim Ortaklığı (hereinafter to be referred to as “THY”, the “Company” or “We”) pays the utmost attention to the lawfulness of the processing of personal data of its customers. We have prepared this Privacy Notice (the “Privacy Notice”) within a project that neutralization process to be made by donating the carbon footprints resulting from your Turkish Airlines flights to various projects (“Carbon Offset Project”) in order to ensure compliance with the Article 10 of Law on Protection of Personal Data numbered 6698 (“Law”) and EU General Data Protection Regulation (“GDPR”) to ensure that your personal data is processed in a transparent manner.

For more detailed information about the processing of your personal data, you may read the THY Privacy Notice on the Processing and Protection of Personal Data published on https://www.turkishairlines.com/en-tr/legal-notice/privacy-policy/index.html.

For more detailed information about GDPR you may read the GDPR Privacy Notice published on https://www.turkishairlines.com/en-tr/legal-notice/gdpr-privacy-notice.

Your personal data can be collected within services we provide with Carbon Offset Project via website, mobile app and/or Turkish Airlines’ online channels digitally.

As per the Law, personal data can only be processed in the presence if at least one of the conditions set forth under the Law and/or required by international legislation. In this respect, as Turkish Airlines, we may rely on different legal bases, in particular the basic principles of Art. 4 of the Law and Art. 5 and Art 6 of the GDPR, only if one or more conditions that are stipulated under Law are present.

• The necessity to establish a contractual relationship with you and to perform our obligations under a contract (According to Art. 5/(1c) Law , Art. 6/(1), Subparagraph 1(b) GDPR)
• Complying with obligations under national and international regulations (Art. 5/(1ç) of Law, Art. 6 (1c) GDPR)
• Our legitimate interests provided that such interests do not have a negative impact on our customers’ fundamental rights and freedoms (Art. 5/(1f) Law, Art. 6 (1f) GDPR).
• For purposes which are required by law (According to Art.5/(1a) Law, Art. 6/(1), Subparagraph 1(c) GDPR)

General information on your personal data processed by THY are as follows:

• Identity and Contact Information: Name, surname, adress, e-mail adress.
• Flight Information: Flight number, destination information, passenger class, flight dates information.
• Payment Information: Credit/debit card information, bank account information.
• Request/complaint Management Information: Evaluation information we have provided from you about our services.
• Other: Company information, username, password information.

We process personal data for the following purposes.

• Performing operations within Carbon Offset Project,
• Management of customer relations,
• Provision of information regarding products and services,
• Establishment of information technologies infrastructures and execution and auditing of information security processes and operations,
• Management and conclusion of your requests and complaints,
• Fulfillment of our obligations arising from national and international legislations applicable to our Company.

We take care to process your personal data in accordance with the principles of “need to know” and “need to use” by ensuring the necessary data minimization. The establishment and operation of digital infrastructures makes it necessary to stream data with different stakeholders, and the personal data we process must be transferred to third parties for certain purposes.

Your personal data can be transferred to the Co2nsensus Ltd. that provide and serve within the scope of the Project limited to the fulfillment of the purposes specified in this Privacy Notice within the framework of the terms and purposes of personal data processing specified in accordance with Article 8 and 9 of the Law and Art. 44 seq. GDPR

Recipients that we may transfer your data are:

Our business partners or suppliers residing within borders of EU or abroad: To the companies that we receive services within the scope of the Project in line with the realization of the stated objectives and limited to the fulfillment of these objectives.

We will only transfer your personal data outside the EEA if suitable safeguards ensure that an appropriate level of protection is in place. Typically, We rely on the following safeguards:

• Adequacy Decision of the EU Commission, currently: Recipients in Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United Kingdom (updated list and further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)
• Standard Contractual Clauses: Other recipients (further information is available under https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en)
• Exceptions under Art. 49 GDPR: Other recipients.

Further information on such transfers or copies of these measures can be obtained via the contact details below.

Your personal data may be processed in order to provide information about our services, to promote our goods and services and to inform you about our campaigns in accordance with the Regulation of Regulation on Commercial Communication and Commercial Electronic Messages Numbered 6563. In accordance with the relevant legislation, your commercial electronic mail permissions must be recorded in the Message Management System (IYS), and within this scope, the contact address (phone number or e-mail address), permission date, communication channel, recipient type and permission source data will be shared with the IYS. You can visit https://iys.org.tr for detailed information about IYS.

THY is subject to legal obligations on data retention periods under Turkish Law, European Law and depending on the country in which you live or which law applies, national laws of a country (for example, USA, Germany, Italy, Spain, Switzerland, etc.). As THY, as a global company, has locations in different countries and the applicable laws change thereafter, the retention periods may therefore vary from country to country.

Your personal data are deleted as soon as they are no longer needed for the specified purposes. However, we must sometimes continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities, up to 30 years which may arise from the Turkish Commercial Code, Tax Code, Turkish Code of Obligations and depending on other applicable European Laws and national laws of a EU-Country. We may also retain your data until the statutory limitation periods have expired (but up to 30 years in some cases), if this is necessary for the establishment, exercise, or defense of legal claims. After that, the relevant data are routinely deleted or anonymized.

Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that We can respect your request in future.

As data subjects, you are entitled to a number of rights under Article 11 of the Law in relation to your personal data. We would like to inform you about the rights that you are entitled to and the ways you may use them.

Under Art. 11 of the Law you are entitled to the following rights:

• Learn whether data relating you is being processed.
• Request further information if personal data relating to you has been processed.
• Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose.
• Learn the third-party recipients to whom the data are disclosed within the country or abroad.
• Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred.
• Request deletion or destruction of personal data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred.
• Object to negative consequences that you experienced as a result of analysis of the processed personal data by solely automatic means.
• Demand compensation for the damages that you have suffered as a result of an unlawful processing operation.

If you are a passenger subject to GDPR, please find more detailed information on: https://www.turkishairlines.com/en-pl/legal-notice/gdpr-privacy-notice/.

You can easily use your rights mentioned above and easily communicate the related requests to us via contact information below. Data subjects’ requests concerning the above-listed rights shall be concluded by us within thirty days at the latest, in accordance with the limitations provided by the Law. In principle, data subject requests shall be concluded free of charge. However, THY reserves its right to demand a fee from the tariff specified by the Turkish Personal Data Protection Board, in case the request requires additional costs.

Our Company may request certain information from the data subject in order to determine that the applicant is in fact the data subject, and additional questions can be directed to the applicant to clarify matters regarding the applications.

If you reside in the European Union and are subject to GDPR, please visit GDPR Privacy Policy page for more information about your rights under the GDPR. If you believe that we have failed to comply with data protection regulations when processing your personal data, you can lodge a complaint with the competent supervisory authority in accordance with Art. 77 GDPR.

The competent supervisory authority can be identified according to the list provided under: https://edpb.europa.eu/about-edpb/board/members_en.

Further information on your rights are available under: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en.