TKPAY Privacy Notice

This Privacy Notice explains how Turkish Airlines Electronic Money and Payment Services Inc.  (“TKPAY”, “Company”, “we”, “our”) processes your personal data as a customer, in accordance with the General Data Protection Regulation (“GDPR”) and the Turkish Personal Data Protection Law No. 6698 (“KVKK”).

We process your data lawfully, fairly, and transparently, ensuring compliance with both GDPR and KVKK.

Purposes and Legal Basis for Processing Personal Data

 

Your collected personal data may be processed within the scope of the personal data processing conditions and purposes specified in Article 5 of the KVKK and Article 6 of the GDPR, for the purposes listed below ("Purposes").

 

Categories of Personal Data

Purposes of Personal Data Processing

Legal Basis

Identity, Communication, Customer Transaction, Financial

 

  • Execution of necessary processes for establishing a customer relationship with TKPAY and provision of payment services and Our Company’s products and services to you
  • Receiving, evaluating, and concluding your applications for account opening and Our Company's products and services
  • Verification of your identity and ensuring transaction security within the scope of e-wallet account opening and execution of one-time password (OTP) sending processes
  • Structuring and execution of contract processes
  • Execution of our customer services operations and evaluation of your requests and complaints
  • Execution of your application registration processes, management of your account, and making the application available for your use by ensuring your access to the application

The processing is strictly necessary for the conclusion or performance of a contract (KVKK Art. 5/2 (c)) (GDPR Art. 6(1)(b)).

Identity, Communication, Customer Transaction, Financial, Risk Management

  • Ensuring the security of customer accounts and taking effective security measures, preventing fraud and fraudulent incidents
  • Ensuring the legal, technical, and security of the Company, ensuring the detection of fraudulent transactions, irregularities, and fraud that may occur in your account
  • Prevention of money laundering and financing of terrorism against the Central Bank of the Republic of Türkiye (TCMB), the Revenue Administration (GİB), The Payment and Electronic Money Institutions Association of Türkiye (TÖDEB), and other authorized public institutions and judicial authorities
  • Fulfilling our compliance obligation with the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions and related secondary legislation
  • Execution of identity determination and identity verification processes and checking the information and documents stipulated in the legislation

 

 

 

 

 

 

 

 

The processing is clearly stipulated in the laws (KVKK Art. 5/2 (a)) (GDPR Art. 6(1)(c)) and is mandatory for the data controller to fulfil its legal obligation (KVKK Art. 5/2 (ç)) (GDPR Art. 6(1)(c)).

  • Improvement, development, and diversification of the services provided by Our Company, execution of business processes and tracking of your transactions
  • Execution of infrastructure, maintenance, repair, analysis, and development processes of the Company systems
  • Ensuring operational security within the scope of execution of Our Company's information systems and transaction security processes
  • Conducting studies to determine customer service standards and related products to be offered
  • Determining or developing strategies for the presentation of products and services
  • Execution of customer satisfaction activities
  • Execution of risk management and auditing activities

The processing is mandatory for our legitimate interests, provided that it does not harm your fundamental rights and freedoms (KVKK Art. 5/2 (f)) (GDPR Art. 6(1)(f))

Identity, Communication, Customer Transaction, Financial, Risk Management, Request and Complaint

  • Storing personal data for the general statute of limitations period for the purpose of serving as evidence in potential disputes that may arise in the future
  • Receiving, evaluating, and concluding your requests and complaints
  • Tracking of litigation and dispute processes

The data processing is mandatory for the establishment, exercise or protection of a right (KVKK Art. 5/2 (e)) (GDPR Art. 6(1)(e) - for legal claims)

Identity, Communication, Customer Transaction, Financial

  • Execution of TKPAY product and service marketing processes, offering customer-specific product and service offers, including profiling and analysis activities, and execution of advertising, campaign, promotion, etc. processes within this scope

Explicit Consent (KVKK Art. 5/1) (GDPR Art. 6(1)(a))

Identity, Communication

  • Processing for the purpose of sending commercial electronic messages about TKPAY products and services, such as campaigns, marketing, promotions, and similar commercial purposes, to the communication addresses you share with TKPAY, and sharing with 3rd parties from whom service is received during the sending of messages

 

 

To Whom and for Which Purposes Personal Data May Be Transferred

 

Your collected personal data may be transferred to the recipients specified below, in line with the fulfilment of the Purposes, within the scope of the data processing conditions regulated in Article 5 of the Law and in compliance with the rules regarding the transfer of personal data specified in Article 8 of the Law  (also considering GDPR requirements for transfer to third parties).

 

Categories of Transferred Data

Transferred Organizations

Legal Basis and Purpose of Transfer

 

Identity, Communication, Customer Transaction, Financial, Risk Management

 

 

 

 

 

 

 

 

 

 

Legally authorized public institutions and legally authorized private organizations and judicial authorities [Central Bank of the Republic of Türkiye (TCMB), Revenue Administration (GİB), The Payment and Electronic Money Institutions Association of Türkiye, etc.]

Based on the legal reason that it is clearly stipulated in the laws and mandatory for the data controller to fulfil its legal obligation (KVKK Art. 5/2 (a, ç) and Art. 8/1; GDPR Art. 6(1)(c))

  • Fulfilment of legal reporting and information requests
  • Execution of legal auditing activities
  • Fulfilment of our obligations arising from the legislation
  • Execution of risk analysis/management activities

 

Payment transaction service providers and other financial institutions

Based on the legal reason that the processing is strictly necessary for the conclusion or performance of a contract  (KVKK Art. 5/2 (c) and Art. 8/1; GDPR Art. 6(1)(b)) and also Standard Contractual Clauses under the GPDR

  • Provision of technical systems related to payment services to you

 

Service Providers ("(Support organizations receiving services, external service providers, information technology infrastructure service providers, consultancy companies, independent audit companies, call centre companies, companies providing customer care services, storage/archiving companies, etc. 3rd party service providers)")

Based on the legal reason that the processing is mandatory for our legitimate interests, provided that it does not harm your fundamental rights and freedoms (KVKK Art. 5/2 (f) and Art. 8/1; GDPR Art. 6(1)(f)) and also Standard Contractual Clauses under the GPDR

  • Provision of Company products and services to you
  • Execution of our business activities

Based on the legal reason that the processing is strictly necessary for the conclusion or performance of a contract 

  • Execution of our customer services operations and evaluation of your requests and complaints

Group Companies and shareholders 

Based on the legal reason that the processing is mandatory for our legitimate interests, provided that it does not harm your fundamental rights and freedoms (KVKK Art. 5/2 (f) and Art. 8/1; GDPR Art. 6(1)(f)) and also Standard Contractual Clauses under the GPDR

  • Execution of our business activities.
  • "Tracking and execution of legal processes."
  • Execution of risk analysis/management activities

 

Methods of Personal Data Collection

 

Your personal data is collected electronically within the scope of fulfilling the Purposes stated above, via Turkish Airlines mobile application and/or website, internal systems, our call centre, our feedback form, or the TKPAY website.

 

Rights of the Data Subject

 

The rights you have pursuant to Article 11 of the Law (KVKK), which are also consistent with the rights of the data subject under the GDPR (Articles 12-22), are as follows:

 

You can submit your applications regarding the rights listed above to TKPAY by providing feedback via the Personal Data Feedback Form available on www.tkpay.com or by sending an e-mail to destek@tkpay.com with the information specified below.

 

Your applications will be concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of your request; however, if the process requires an additional cost, a fee may be requested from you according to the tariff determined by the Personal Data Protection Board.

 

Name (Mandatory)

 

Surname (Mandatory)

 

E-mail Address (Mandatory)

 

Phone Number

 

TR Identity / Passport Number

 

Miles&Smiles Membership Number

 

Subject