In this Privacy Policy we, us, our and “data controller” means TGA and/or Republic of Türkiye Ministry of Culture and Tourism, Türkiye Tourism Promotion and Development Agency (TGA). This Privacy Policy applies to all online visitors and users of TGA websites* and social media pages. We undertake our statutory duties to promote Turkish culture and tourism under the brand GoTurkiye.
GDPR: EU General Data Protection Regulation
Data Processor: The natural person or legal entity that process data on behalf of the data controller with the authority given by the data controller,
Data Controller: The person who defines the purpose and the means of processing personal data and responsible of the data recording system management,
Data Subject: A natural person, includes but not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employee of business partners, third parties of the TGA and its affiliates with whom they have a commercial relationship, whose data is processed,
Explicit Consent: Consent that is related to a specific issue based on information and expressed with free will,
Personal Data: Any information related to a natural person whose identity is known or identifiable,
Sensitive Personal Data: Biometric and genetic information related with race, ethnicity, political or philosophical opinions, religion, sect or other believes, appearance, union memberships, health, sex life, convictions, and security measures etc.
Processing of Personal Data:Any kind of operation performed on data such as obtaining, recording, storing, preservation, modification, reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system,
Anonymization of Personal Data:Rendering the data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data,
Deletion of Personal Data:Deleting or rendering the personal data in such a way that it is no longer accessible or reusable for the users,
Destruction of Personal Data:Rendering the personal data to make it inaccessible, unrecoverable and not useable by anyone,
Data Protection Authority:Concerned Data Protection Authority established in the one of the European Union Member State
This Policy has been prepared in line with the regulations in force and international standards. The TGA will primarily apply this Policy in all its data processing activities such as data processing, transfer, and amendment.
The TGA also has different policies that address the protection of personal data and ensuring information security in relation to certain business activities and processes. This policy does not override the data protection terms in different policies of the TGA unless it contains additional terms or requires a higher standard for the protection of personal data. This Policy is implemented along with such other policies and procedures as appropriate.
If there is a conflict between the provisions of the relevant legislation in force on the protection and processing of personal data and the provisions of this Policy, the provisions of the legislation in force will apply primarily.
We process personal data in line with following legal grounds:
Based on that legal reasons TGA collects personal data over TGA’s websites, mobile websites, social media accounts and cookies.
TGA does not rely on the legal reason of the explicit consent in the presence of another legal reason.
TGA categorizes the data subject groups whose personal data are processed in personal data processing processes and activities related to these processes as follows:
Online visitors: TGA collect and process IP address, port info, starting, and ending time of the service given, type of the service, the amount of data transferred and if available subscriber ID information in accordance with the Law numbered 5651 (“Internet Law”).
Users: Account information (name, last name, e-mail address, location (country), direct marketing opt-in/opt-out choice, alternative login option with Facebook or Google (e-mail address).
Party of Training Agreement: TGA collect and process name, last name, tittle, e-mail address, location of organization and details of needs regarding training through an entry form in the scope of agreement between parties.
TGA process online visitor’s personal data based on the Internet Law. It is compulsory for website owners to collect and keep abovementioned information in order to combat illegal online content. If you register TGA’s website as a user and plan a trip to Türkiye, we may use your name and e-mail address to send you necessary information about your visit. If you (visitor or user) click opt-in/agree button on the webpage or mobile webpage for direct marketing, TGA could send you marketing e- mails.
The type of personal information that TGA collects may include your name, contact details, your views and opinions about TGA services. If you use this website, information is recorded about your visit for web personalization, research and statistical and reporting purposes as well as to allow us to improve the website, product and services.
Whenever you interact with us, you may be asked to provide us with necessary information. For example:
Some of our products or services may require you to create an account or register certain information (your name, address, email address, date of birth, location, contact details, applicable device ID(s) relating to the devices you are using to access and receive particular applications and services, interests and account and marketing preferences) in order to use a particular product or service.
If you contact us via written communications or via our website(s), email, or our social media channels), we may keep information about the particular communication, including your name, the service(s) you request, the reason why you contacted us, and the advice we gave you so we can track the resolution of any user request and enhance.
When you visit us at a public event, such as a trade show or exhibition or participate in one of our surveys, competitions or prize draws, we may ask for information, such as your business card, name, contact details, interests and marketing preferences.
When you use our services or other platforms, we may receive content that you choose to upload, such as product reviews, comments, photos or details of your preferences that you choose to tell us about.Information we collect from social networks
If you use any of our social network pages or applications or you use one services that allow interaction with social networks, we may receive information relating to your social network accounts:
If you log-in to one of our websites, s or services using your social network account, we may receive basic details from your social network profile, such as name, last name, e-mail etc., which may depend on your social network accounts privacy settings. We may also receive additional information from your profile if you give us permission to access it.
We may receive information about interactions with the content posted to your profile or feed. To get more information and details about how you can control access to your social network profile, please view the privacy policy and other guidance available on your social networks website.Information we collect when you use websites, products, services from usIn order to improve and provide a better user experience, some of our websites and services provide us with information about your use of them, including:
Details of your usage patterns, the content that you view and interact with including information on the services and applications you are using in-device to personalize services to your specific needs. Service, product or server logs, which hold technical information about your use of our service, product or websites, such as your IP address (to determine your location/country of origin), device ID(s) etc.
Interests and preferences that you specify during set up or registration of any product or service.
As the data controller, the TGA is obliged to prevent and protect personal data from being illegally processed or accessed when processing personal data. For this reason, the TGA has taken all technical and administrative measures regarding data security, including the additional measures required to protect sensitive personal data. In this context, the measures taken by TGA are listed below.
Technical MeasuresWe use generally accepted standard technologies and operational security methods, including the standard technology called Secure Socket Layer (SSL), to protect the personal information collected. However, due to the nature of the Internet, information can be accessed by unauthorized persons over networks without the necessary security measures. We take technical and administrative measures to protect your data from risks such as destruction, loss, tampering, unauthorized disclosure or unauthorized access, depending on the current state of technology, the cost of technological implementation, and the nature of the data to be protected. Within this scope, we conclude data security agreements with the service providers we work with.
Ensuring Cyber Security:
We use the cyber security products to ensure personal data security, but our technical measures are not limited to this. The first line of defense against attacks from environments such as the Internet is established through measures such as firewall and gateway. However, almost every software and hardware are subjected to a Gizli Bilgi içermektedir. Confidential Information! number of installation and configuration operations. Considering that some of the commonly used software, especially older versions, may have documented security vulnerabilities, unused software and services are removed from the devices. Therefore, such unused software and services are primarily preferred because of their ease of deletion rather than keeping them up to date. The patch management and software upgrades ensure that the software and hardware work properly and that the security measures taken for the systems are sufficient to check regularly.Access Restrictions:
Access rights to systems containing personal data are restricted and reviewed regularly. Within this scope, employees are granted access rights to the extent necessary for their work and duties and their powers and responsibilities, and access to related systems is provided by using username and password. When creating these passwords and passwords, combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of numbers or letter sequences related to personal information that can be easily guessed. Accordingly, the access authorization and control matrix are established.Encryption:
In addition to using strong passwords and passwords, limiting the number of password entry attempts to protect against common attacks such as the use of brute force algorithm (BFA), ensuring that passwords and passwords are changed periodically, and administrator account and admin privileges are opened only for use when needed. and for employees who have been dismissed from the Data controller, access is restricted without delay, such as deleting an account or closing entries.Antivirus Software:
In order to protect against malware, products such as antivirus, antispam, which regularly scans the information system network and detect hazards are used, and the required files are regularly scanned. If personal data will be obtained from different internet sites and/or mobile application channels, it is ensured that the connections are made via SSL or more secure way.Monitoring of Personal Data Security:
Checking which software and services are operating in information networks, determining whether there is any infiltration or non-infiltration in IT networks, Keeping the transaction transactions of all users regularly (such as log records), Security problems as fast as possible reporting. A formal reporting procedure is also set up for employees to report security weaknesses in systems and services or threats using them. Evidence is collected and stored securely in the event of undesired events such as information system crash, malicious software, decommissioning attack, missing or incorrect data entry, violations of privacy and integrity, abuse of information system.Ensuring the Security of Personal Data Environments:
If personal data is stored on the devices of the responsible persons or in the media, physical security measures are taken against threats such as theft or loss of these devices and papers. The physical environments Gizli Bilgi içermektedir. Confidential Information! containing personal data are protected against external risks (fire, flood, etc.) by appropriate methods and the entrances / exits to these environments are controlled.If personal data is in electronic form, access between network components can be restricted or separated to prevent personal data security breach. For example, if personal data is being processed in this area by limiting it to a specific portion of the network in use, which is reserved for this purpose, the available resources can be reserved for the security of this limited area, not the entire network.
Measures at the same level are also taken for paper media, electronic media and devices containing personal data of the TGA located outside the TGA campus. As a matter of fact, although personal data security violations frequently occur due to theft and loss of devices containing personal data (laptop, mobile phone, flash disk, etc.), personal data to be transmitted by e-mail or mail is also sent carefully and with adequate precautions. Sufficient security measures are also taken in case employees provide access to the information system network with their personal electronic devices.
The use of access control authorization and / or encryption methods is applied in case of loss or theft of devices containing personal data. In this context, the password key is stored only in the environment accessible to authorized persons and unauthorized access is prevented.
Paper documents containing personal data are also stored in a locked and accessible environment only, and unauthorized access to these documents is prevented.
If any personal data is obtained by others by unlawful means, the TGA shall inform the Personal Data Protection Committee and the data subjects of this fact as soon as possible pursuant to article 12 of the Personal Data Protection Law. if they see necessary, the Personal Data Protection Committee may announce this situation at the website or in by any other means.
Storage of Personal Data in the Cloud:
In the event that personal data is stored in the cloud, it is necessary for the TGA to assess whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, two-step authentication control is applied for knowing, backing up, synchronizing the personal data stored in the cloud and providing remote access if necessary. During the storage and usage of the personal data in the said systems, it is provided to be encrypted with cryptographic methods, to be encrypted and sent to the cloud environments, and to the use of individual encryption keys where possible for the personal data, in particular for each cloud solution received. When the cloud service relationship ends, all copies of the encryption keys, which may be used to make personal data available, are destroyed. Access to data storage areas with personal data is logged and improper access or access attempts are instantly communicated to those concerned.Information Technology Systems Procurement, Development and Maintenance:
Security requirements are taken into consideration when determining the requirements related to the procurement, development or improvement of new systems by the TGA.Backing up of Personal Data:
In case of personal data being damaged, destroyed, stolen or lost due to any reason, the TGA makes use of the backed-up data as soon as possible. The backed up personal data is accessible only by the system administrator, and data set backups are excluded from the network.Personal data processing activities carried out by TGA are audited by information security systems, technical systems and legal methods. Policies and procedures regarding personal data security are determined and regular controls are conducted within this scope.
The Data Processor acts only in accordance with the instructions of the Data controller, the purpose and scope of the data processing specified in the agreement, the Personal Data Protection and other legislation,
The Data Processor acts in accordance with the Personal Data Retention and Destruction Policy,
The Data Processor is obliged to keep any data confidential indefinitely in relation to the personal data processed,
The protection of personal data is also accepted by the top management, a special Committee (the Personal Data Protection Committee) has been established and started to work. A management policy regulating the working rules of the TGA’s KVK Committee has been put into effect within the TGA and the duties of the KVK Committee have been explained in detail.
In general, we do not share or disclose information about you to third parties without your consent unless TGA is required to or authorized by laws.
We may use other third-party service providers including data analytics providers who process information on our behalf, consultants, marketing agencies, Professional advisers, Ministries or business partners with whom TGA has a formal relationship with.
Our service providers are required to only process data in line with this Policy.
If you request or agree to receive information or newsletters from one of our business partners, we may provide that third party with your details so that they can contact you and/or respond to your request.
We prepare anonymous data for a number of purposes. The information may be shared with our partners, advertisers, media and public as you cannot be identified from this information.
3. Direct Marketing communicationsWhen you provide us with contact details, you may be given the opportunity to opt-in to receiving various newsletters and other communications from us.
You can change your marketing communication preferences at any time.
If you use more than one e-mail address to contact us on, you will need to unsubscribe separately for each email address.
Please note that we may send you important information about our products and services that you are using or have used including essential software updates, changes to applicable terms and conditions and/or other communications or notifications as may be required to fulfil our legal obligations arising from the Law on the regulation.
TGA has a detailed Cookie Policy and provide you very effective cookie management regarding cookies we use. For more details see please our Cookie Policy
5.Links to third party sitesSome of our websites may contain links to other third-party websites that are not operated by us. We are not responsible for the content, security or privacy practices of those third-party websites. Please view the privacy and cookie policies displayed on those third-party websites.
TGA has a Personal Data Retention Policy, which has been prepared in accordance with the DPL. We keep personal data following periods:
We may use your information to create user group profiles or segment data and to otherwise create anonymous, aggregated statistics about the use of our websites, products and services which we may share with third parties and/or make available to the public. In order to create user group profile, instead of sharing personal data directly with our providers, we use pseudonymization. We do not make microtargeting.
You are entitled (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:
Applications and requests regarding personal data can be sent via the Data Subject Application Form,,
to the Republic of Türkiye Ministry of Culture and Tourism, Türkiye Tourism Promotion and Development Agency.
In order to operate this process in the most effective way, it should be clearly and understandably indicated in their request which right is wished to be used and the details of the requested transaction.
The subject of the request should be about the data subject itself. If the application is made on behalf of someone else, the person making the request should rely on a specially documented authorization for the requested transaction (power of attorney). Unauthorized applications will be ignored.
Applications are evaluated as soon as possible, and at the latest within 30 days from the date of receipt of the application.
During the evaluation process, additional information and documents can be requested if required, and a fee may be charged for fulfilling the request in cases that comply with the relevant legislation.
TGA takes all necessary administrative and technical measures in order to conclude the applications made by the data subject effectively and in accordance with the law and the principle of honesty.