Turk Ekspres Havacilik ve Turizm A.S.
Privacy Statement
Turk Ekspres Havacilik ve Turizm A.S. provides this privacy statement to describe how we may collect, use, share, and otherwise process your personal information, as an employee of one of our corporate clients or other individual to whom we offer or provide our services – travel, meetings and events, and related products and services -- via our websites, mobile applications, email communications or other online and offline means.
GBT travelers: If you are an employee or traveler of a corporate client of American Express Global Business Travel (GBT), we act as a data processor on behalf of GBT with respect to our collection and processing of your personal information. The remainder of this Privacy Statement does not apply to you; your information is governed by the GBT Privacy Statement https://www.amexglobalbusinesstravel.com/privacy-statement/ For questions about your personal information, you may contact GBT as directed in its Privacy Statement or contact us here: info@turkekspres.com.tr
Summary of key points
| What information we collect |
We collect information about you in connection with your registration, use, purchase, or inquiries about our services. |
| How we use your information |
We use your information to provide our services, process payments, operate our websites and mobile applications, market products and services, create business insights and comply with law. |
| How we share your information |
We may have a contract with your employer or travel sponsor, who is our corporate client, and we share your information with them, as well as with our affiliates, travel suppliers and vendors to book travel arrangements and provide our services. We do not sell or share information with third parties so that they can independently market their own products or services directly to you. |
| How we protect and store your information |
We maintain reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access and use. |
| Marketing and your choices |
We use your information for marketing, and respect your choices about how we communicate marketing to you. |
| International transfers |
We transfer your information outside of your home country as permitted by law. To protect your information, international transfers will be made under appropriate data transfer agreements and other protections. |
| Your rights |
You have the right to be informed of whether we are processing your information and to access, correct, delete or object, upon request and free of charge, to our use of your information, to the extent required by applicable law. |
| Changes |
We will tell you about material changes to this privacy statement by posting it on our website before it goes into effect and, where appropriate, communicating directly to you about the change. |
| Questions |
If you have questions about this Privacy Statement, please contact us at info@turkekspres.com.tr |
What information we collect
Account Information – If you contact us, register with us or receive services from us, we collect information about you. This may include your name, email address, phone numbers, employer, and physical addresses. We may also require passport number, gender and date of birth for travelers. If we book travel for your travel companions, we may collect similar information about them. Account information goes into your traveler profile, which is where we store the information necessary to book your travel and provide you with our services. You may choose to provide more information in your traveler profile, including frequent traveler credentials, government identifiers and emergency contact information.
Travel Information – If you book travel with us, we collect the details of your travel (such as arrival and departure location, airline, hotel and car rental) and any other information needed to complete your bookings. We may also collect special categories of information to provide accessibility, meal preferences or other requested services.
Payment Information – To pay for bookings and other transactions through our services, we collect payment card information and other details necessary to process payments.
Device Data – We collect information about how you access our services, including your computer's IP address and information that can be derived from it (such as internet provider and general geographic location), your device's unique identifier and other technical information. We also collect information about how you use our websites and mobile applications.
How we use your information
Provide you with travel products and services – We use your information to book your travel, organize meetings and events, prepare itineraries and invoices, communicate with you about your travel or our products and services, provide customer service, and manage your account.
Provide our products and services to corporate clients – We use your information to comply with our agreements with your employer or travel sponsor, communicate about our products and services, and help them ensure compliance with their policies.
Process payments – We use your information to process transactions and provide you with related customer service.
Operate websites and mobile applications – We use device data to monitor and improve the performance and content of our services, provide updates, analyze trends and usage in connection with our services, and measure whether our ads and offers are effective.
Operate and improve our business – We use your information for compliance with our company policies and procedures, for accounting and financial purposes, to detect or prevent fraud or criminal activity, to perform, analyze and improve our business and services, and otherwise as required by law.
Marketing and your choices
We may use personal information to tell you about our products and services or those from related businesses (such as restaurants, consumer products, tours, and entertainment), to help us determine whether you may be interested in new products or services, and to present advertising content that is tailored to your interests, location or itinerary (with your consent or as permitted by law).
We may send you marketing on our websites or mobile applications, and through email and other channels, in accordance with applicable law and your choices. You have choices about how we market to you. If you’d like us to stop sending you marketing messages, you can follow the instructions in our communications or update your traveler profile at any time.
We also send you messages that are essential for our services; for example, we communicate with you about your travel, to service your account, to fulfill your requests, or otherwise as required by law. Some of these service messages contain information presented to you as part of our service relationship with your employer or travel sponsor (for example, messages that help you comply with their travel policies). If you opt out of marketing messages, you will continue to receive these service messages.
How we share your information
Your employer or travel sponsor – Our services to you may be provided under the terms of service agreements with your employer or travel sponsor. We share your information with them to allow them to manage their business travel needs and assure compliance with their company travel policies. At the request of your employer or travel sponsor, we may also share information with their vendors.
Affiliates – We may share information within our corporate family to the extent permitted by law to allow them to provide, analyze and improve their and our products and services.
Travel suppliers and other travel service providers – We share information with travel suppliers (for example, airlines and hotels) and travel service providers (for example, ticket distribution systems and travel application providers), and the vendors for both, as necessary to book your travel and provide travel-related services to you and your employer. We do not sell information to third parties so that they can independently market their own products or services directly to you.
Vendors – We share information with vendors that perform functions on our behalf, such as other travel agencies, meeting and event planners, visa and passport service providers, mobile application and software developers, and vendors who provide IT support, data hosting, marketing and communications services, and collections. These vendors access information only as necessary to perform their functions, as instructed in our contracts with them.
Business insights – We may combine data from many people to create aggregated statistics that do not identify you personally. We use this data to understand business trends and insights, and we may share them with third parties.
Business transfers – If we negotiate or complete a transaction involving all or part of the business (for example, a reorganization, merger, sale or acquisition), we may disclose information to third parties involved in the transaction to the extent permitted by law.
As required or permitted by law – We may disclose information to regulatory authorities, courts, and government agencies where we believe doing so would be permitted or required by law, regulation or legal process, or to defend the interests, rights or property of Turk Ekspres Havacilik & Turizm A.S. or others.
We may also share personal information with other parties as directed by you or subject to your consent.
How we protect and store your information
We maintain reasonable administrative, technical, and physical security measures to protect your information from unauthorized access and use. We retain your information only as long as needed to provide our Services and for legitimate business purposes, unless we are required by law or regulation or for litigation and regulatory investigations to keep it for longer periods of time.
International transfers
We may transfer your information to jurisdictions outside of your home country for the purposes described here, including to countries that may not provide the same level of data protection as your home country. To protect the information, transfers will be made in accordance with appropriate data transfer agreements and other protections. Regardless of where we process your information, we protect it in the manner described in this Privacy Statement and in accordance with applicable law.
Your rights
If you have created an online account with us and would like to update the information you have provided to us, you can access your account to view and make changes or corrections to your information. You may also have the right to be informed of whether we are processing your information and to access, correct, delete or object, upon request and free of charge, to our use of your information. To exercise these rights, please contact us at: info@turkekspres.com.tr. We will try to comply with your request as soon as reasonably practicable. Please note that we may need to retain certain information for recordkeeping, to complete any transactions you began before your request, or for other purposes as permitted by law.
Changes
We may change this Privacy Statement from time to time as our business changes or legal requirements change. If we make material changes to this Privacy Statement, we will post a notice on our website before the changes go into effect, and notify you as otherwise required by applicable law.
Privacy Risk Assesment
The Turk Ekspres Board is responsible for the risk management process. We document the risk assessment clearly. Each control gap is reviewed to confirm that there is a control gap and to evaluate potential steps to address that risk. Where possible, a plan is formulated to address the gap and assign a target resolution date. Risk assessments with control gaps is reviewed more frequently so that our management can ensure corrective action is being taken where necessary.
Privacy Risk Documentation
The Turk Ekspres management is aware of organization`s security policy and security requirements enough to discuss and positively reinforce the message to staff, encourage staff awareness, and recognize and address security related issues. The security awareness level of management also includes an overall understanding of how the different areas fit together. Accordingly, managers of staff with privileged access have a solid understanding of the security requirements of their staff, especially those with access to sensitive data. Below is an example of content that is commonly included in general security awareness training;
* Importance of strong passwords and password controls,
* Secure e-mail practices,
* Secure practices for working remotely,
* Avoiding malicious software – viruses, spyware, adware, etc.,
* Secure browsing practices,
* How to report a potential security incident and who to report it to...
Retention Policy
Turk Ekspres` first consideration for data retention is regulatory compliance. What is required to retain and how long. Some of the grouping criteria are as follows as per our company requirement;
* Is the data a temporary record. (Log files, drafts and work copies etc. are temporary categorized records.)
* Is the data a permanent record? Contracts, tax documents or trade secrets etc. are the types of documents that typically need to be retained for a specific number of years.
* Is the data legitimate business data? We have store employees data.
* We store invoice data, payment receipts and many other tax subjected data for a specific number of years as we may have asked to provide a backdated file from tax office.
Data Classification
Individuals data is classified as sensitive data. All of the individuals data are stored in Sabre profiles. We have signed aggrement with the provider.
For more information regarding how Sabre explains their privacy policy please refer to this web site by clicking https://www.sabretravelnetwork.com/forms/coredata.html
Privacy Control and Mechanism
Turk Ekspres` control and monitor mechanism to third parties;
* Turk Ekspres establishes and maintains a visitor access permissions,
* Turk Ekspres maintain and review facility access lists of personnel who have been granted authorized entry/access that contain restricted data or restricted information,
* Turk Ekspres establishes and maintains identification procedures,
* Turk Ekspres monitors for unauthorized physical access at physical entry points,
* Turk Ekspres shall verify the visitor`s authorization at computer center buildings. For the computer center, execute physical access building control by setting a visitor meeting place,
* Either video cameras or access control mechanisms in place will monitor individual physical access to sensitive areas,
* Access to buildings, computer rooms, and sensitive equipment is controlled adequately,
* Turk Ekspres restricts unescorted access to the facility where the information system resides to personnel.
Privacy Compliance and External Suppliers
All contracts with external suppliers for the supply of services to the Turk Ekspres is monitored and reviewed to ensure that information security requirements are being satisfied. Contracts include appropriate provisions to ensure the continued security of information and systems in the event that a contract is terminated or transferred to another supplier or continen. Where the contract is for the supply or management of information services to contract include appropriate provisions covering;
* Change control processes,
* System administration processes,
* Authentication and authorisation mechanisms,
* Time synchronisation,
* Session timeout,
* Logging of privileged Operations
Turk Ekspres Information Security Program to Manage the Risk
* Determine overall strategy and plan for the information security management program,
* Ensure program meets organization`s most critical business needs,
* Develop and document the overall directives and rules that prescibe how the organization protects information,
* Elaborate the complete set of administrative, technical, and physical information security controls used by organization,
* Develop new controls or new ways of implementing controls based on changes to business, IT, and threat landscape,
* Assess all controls to ensure they conform to policy and standards,
* Verify all controls are present and performing as intended,
* Consistently track and measure the efficiency of security processes and implement improvement,
* Ensure a risk evaluation is performed prior to the organization establishing a relationship with a third party.
For instance, 2018 e-mail fraud attack done but our antivirus SOPHOS captured and prevented.
Turk Ekspres Protection of Personal Information
Turk Ekspres process personal information fairly and lawfully when collecting and using personal information. Our policy regarding protection of personal information is as below;
* Collect and use personal information only with a legal justification,
* Notify persons about how their personal information will be used prior to collecting the information,
* Collect only the personal information needed for a specific business purpose,
* Use personal information in ways that do not have adverse effect on the person concerned unless such use is justified by law,
* Keep personal information accurate and up to date throughout the information lifecycle,
* Comply with Turk Ekspres information security policies and procedures when processing personal information,
* Prevent the misuse of personal informatio for a purpose that is not compatible with the original purpose for which it was collected,
* Keep personal information only as long as necessary for the specific purpose or as required by law.
We develop and maintain processes to ensure we`re handling personal information in accordance with our privacy obligations:
* Address the handling of information throughout the information lifecycle,
* Clearly outline how staff are expected to handle personal information in their everyday duties,
* Promote privacy awareness within our entity by integrating privacy into our induction and regular staff trainin programs,
* Develop and implement a clearly expressed and up to date privacy policy. Ensure our privacy notices are also up to date and consistent with ourprivacy policy,
* Implement risk management processes that allow us to identify, assess and manage privacy risks across our business, including personal information security risks,
*Develop a data breach response plan,
*Monitor and address new security risks and threats.
Türk Ekspres Privacy Notice
As per our work flow we require limited information from individuals.
In order to create a PNR (booking locator) we have to provide some mandatory fields:
* Name - Surname (Mandatory)
* Date of Birth (Optional)
* Title (Optional)
* Passport Information (Mandatory for International flights)
* Turkish ID (Mandatory for Turkish Citizens when travelling within Turkey)
* Credit Card details (Mandatory If payment will be done by traveller)
We keep all those information in the Sabre traveller profile database. Corporate provides all those information in the template list only one time, and we store them in the Sabre profiles. All individual information are secured by Sabre.
Monitoring
* We advise all employees, with whom we are working, confidentiality of the information,
* We train and use reasonable measures to ensure compliance with the privacy and security requirements of this agreement by all employees,
* We ensure new employees complete a privacy and security awareness training,
* We monitor employees` computer terminals and workstation, Email monitoring, Telephone monitoring, Audio and Video monitoring.
Process
* We have systematic process for the reporting and investigation of compliance breaches or potential breaches to enable proactive prevention in the future,
* We encourage all staff members to be proactive and raise compliance issues that are of concern as soon as possible to prevent escalation,
* We enable the gathering of information to facilitate monitoring and reporting of compliance performance within the company,
* We ensure that no staff member is penalised or disadvantaged as a result of reporting a compliance breach.
* We advise all employees, with whom we are working, confidentiality of the information,
* We train and use reasonable measures to ensure compliance with the privacy and security requirements of this agreement by all employees,
* We ensure new employees complete a privacy and security awareness training,
* We monitor employees` computer terminals and workstation, Email monitoring, Telephone monitoring, Audio and Video monitoring.
Turk Ekspres Havacilik & Turizm A.S. companies
The subsidiaries and affiliates of Turk Ekspres Havacilik & Turizm A.S. to which this Privacy Statement applies include:
Ida Havacilik ve Turizm Ltd. Sti
Questions
If you have questions or complaints about Turk Ekspres Havacilik & Turizm A.S. and privacy, please contact us at:
Altunizade Mah. Mahir Iz Cad. No.19 Detay Plaza B Blok Kat 3,
34662 Uskudar / Istanbul, Turkey Telepone: +90 216 3307094
Email: info@turkekspres.com.tr
In most cases, we will ask that you put a complaint in writing. We will investigate your complaint and will generally respond to you in writing within 30 days of receipt. If we fail to respond or if you are otherwise dissatisfied with the response that you receive from us, you may have the right to make a complaint to your regulator.