PRIVACY POLICY

In this Privacy Policy we, us, our and “data controller” means TGA and/or Republic of Türkiye Ministry of Culture and Tourism, Türkiye Tourism Promotion and Development Agency (TGA). This Privacy Policy applies to all online visitors and users of TGA websites* and social media pages. We undertake our statutory duties to promote Turkish culture and tourism under the brand GoTurkiye.

1. DEFINITIONS

GDPR: EU General Data Protection Regulation

Data Processor: The natural person or legal entity that process data on behalf of the data controller with the authority given by the data controller,

Data Controller: The person who defines the purpose and the means of processing personal data and responsible of the data recording system management,

Data Subject: A natural person, includes but not limited to an employee, customer, business partners, stakeholders, authorities, leads, candidate for recruitment, intern, visitors, suppliers, employee of business partners, third parties of the TGA and its affiliates with whom they have a commercial relationship, whose data is processed,

Explicit Consent: Consent that is related to a specific issue based on information and expressed with free will,

Personal Data: Any information related to a natural person whose identity is known or identifiable,

Sensitive Personal Data: Biometric and genetic information related with race, ethnicity, political or philosophical opinions, religion, sect or other believes, appearance, union memberships, health, sex life, convictions, and security measures etc.

Processing of Personal Data:Any kind of operation performed on data such as obtaining, recording, storing, preservation, modification, reorganization, disclosure, transfer, takeover, making available, classification or preventing the use of personal data in fully or partially automated or non-automated ways, provided that it is part of any data recording system,

Anonymization of Personal Data:Rendering the data in such a way that it can no longer be associated with an identified or identifiable person even when the personal data is matched with other data,

Deletion of Personal Data:Deleting or rendering the personal data in such a way that it is no longer accessible or reusable for the users,

Destruction of Personal Data:Rendering the personal data to make it inaccessible, unrecoverable and not useable by anyone,

Data Protection Authority:Concerned Data Protection Authority established in the one of the European Union Member State

2. SCOPE AND PURPOSE OF THE PRIVACY POLICY

This Policy has been prepared in line with the regulations in force and international standards. The TGA will primarily apply this Policy in all its data processing activities such as data processing, transfer, and amendment.

The TGA also has different policies that address the protection of personal data and ensuring information security in relation to certain business activities and processes. This policy does not override the data protection terms in different policies of the TGA unless it contains additional terms or requires a higher standard for the protection of personal data. This Policy is implemented along with such other policies and procedures as appropriate.

If there is a conflict between the provisions of the relevant legislation in force on the protection and processing of personal data and the provisions of this Policy, the provisions of the legislation in force will apply primarily.

This Privacy Policy explains:
• Methods of collecting personal data and legal grounds,
• Data subject categorization
• The category of personal data processed in relation to these groups of persons (Data Categories) and sample data types,
• Personal data processing processes and purposes,
• Technical and administrative measures taken to ensure the security of personal data,
• Personal data sharing, - Personal data retention periods,
• Marketing and research information, - Data subjects rights, - Cookies and cookie management

3. METHODS OF COLLECTING PERSONAL DATA AND LEGAL GROUNDS

We process personal data in line with following legal grounds:

• explicit consent of data subject,
• If it is clearly stipulated in laws,
• If it has been made public by the person concerned,
• If it requires on processing personal data of the parties subject to a contract / agreement, due to the execution of a contract / agreement.
• Processing personal data for legitimate purposes without violating the fundamental rights and freedoms of the data subject.

Based on that legal reasons TGA collects personal data over TGA’s websites, mobile websites, social media accounts and cookies.

TGA does not rely on the legal reason of the explicit consent in the presence of another legal reason.

4. DATA SUBJECT CATEGORIZATION

TGA categorizes the data subject groups whose personal data are processed in personal data processing processes and activities related to these processes as follows:

• Online visitors, who just visited TGA’s website and mobile website Gizli Bilgi içermektedir. Confidential Information!
• Users, who opened an account on TGA’s webpage and mobile webpage.

5. THE PERSONAL DATA THAT TGA COLLECTS AND PROCESSES

Online visitors: TGA collect and process IP address, port info, starting, and ending time of the service given, type of the service, the amount of data transferred and if available subscriber ID information in accordance with the Law numbered 5651 (“Internet Law”).

Users: Account information (name, last name, e-mail address, location (country), direct marketing opt-in/opt-out choice, alternative login option with Facebook or Google (e-mail address).

Party of Training Agreement: TGA collect and process name, last name, tittle, e-mail address, location of organization and details of needs regarding training through an entry form in the scope of agreement between parties.

6. PERSONAL DATA PROCESSING PROCESSES AND PURPOSES

TGA process online visitor’s personal data based on the Internet Law. It is compulsory for website owners to collect and keep abovementioned information in order to combat illegal online content. If you register TGA’s website as a user and plan a trip to Türkiye, we may use your name and e-mail address to send you necessary information about your visit. If you (visitor or user) click opt-in/agree button on the webpage or mobile webpage for direct marketing, TGA could send you marketing e- mails.

The type of personal information that TGA collects may include your name, contact details, your views and opinions about TGA services. If you use this website, information is recorded about your visit for web personalization, research and statistical and reporting purposes as well as to allow us to improve the website, product and services.

Information provided by you

Whenever you interact with us, you may be asked to provide us with necessary information. For example:

Some of our products or services may require you to create an account or register certain information (your name, address, email address, date of birth, location, contact details, applicable device ID(s) relating to the devices you are using to access and receive particular applications and services, interests and account and marketing preferences) in order to use a particular product or service.

If you contact us via written communications or via our website(s), email, or our social media channels), we may keep information about the particular communication, including your name, the service(s) you request, the reason why you contacted us, and the advice we gave you so we can track the resolution of any user request and enhance.

When you visit us at a public event, such as a trade show or exhibition or participate in one of our surveys, competitions or prize draws, we may ask for information, such as your business card, name, contact details, interests and marketing preferences.

When you use our services or other platforms, we may receive content that you choose to upload, such as product reviews, comments, photos or details of your preferences that you choose to tell us about.Information we collect from social networks

If you use any of our social network pages or applications or you use one services that allow interaction with social networks, we may receive information relating to your social network accounts:

If you log-in to one of our websites, s or services using your social network account, we may receive basic details from your social network profile, such as name, last name, e-mail etc., which may depend on your social network accounts privacy settings. We may also receive additional information from your profile if you give us permission to access it.

We may receive information about interactions with the content posted to your profile or feed. To get more information and details about how you can control access to your social network profile, please view the privacy policy and other guidance available on your social networks website.Information we collect when you use websites, products, services from usIn order to improve and provide a better user experience, some of our websites and services provide us with information about your use of them, including:

Details of your usage patterns, the content that you view and interact with including information on the services and applications you are using in-device to personalize services to your specific needs. Service, product or server logs, which hold technical information about your use of our service, product or websites, such as your IP address (to determine your location/country of origin), device ID(s) etc.

Interests and preferences that you specify during set up or registration of any product or service.

• How the personal information that you provide to us or we collect is used:

We may use information for the following purposes:Create and manage customer database(s) of its users including basic account information, applicable device ID(s), related product or service usage information and customer preference information you provide us. We may consolidate several databases into one or otherwise link separate databases to manage your accounts more effectively.

Ask for your opinions about our products and services and conduct surveys. Facilitate and process your searches and requests for information when you contact us about our websites and services.

Hold competitions and other promotional offers across all platforms, contact winners and to fulfil prizes to winners.

We may use your information to provide you with product and service updates, newsletters and other communications about existing and/or new products and services by post, email, telephone, in-device messaging and/or text message (SMS), if you have provided your consent or we are permitted to do so under applicable law.

We may use the information we collect, or you share with us to personalize our services, content, recommendations and adverts.

We may use your information to create user group profiles or segment data and to otherwise create anonymous, aggregated statistics about the use of our websites, products and services which we may share with third parties and/or make available to the public.

We may use your information to improve our products, services and applications and develop recommendations, advertisements and other communications and learn more about customers' shopping preferences in general.

Where you have uploaded product reviews, comments or content to our websites or services and made them publicly visible, we may link to or publish these materials elsewhere including in our own advertisements.

We may link or combine the information that we collect from the different sources to allow us to provide more seamless customer support whenever you contact us and to provide you with better, personalized services, content, marketing and adverts.

7. TECHNICAL AND ADMINISTRATIVE MEASURES TAKEN TO ENSURE THE SECURITY OF PERSONAL DATA

As the data controller, the TGA is obliged to prevent and protect personal data from being illegally processed or accessed when processing personal data. For this reason, the TGA has taken all technical and administrative measures regarding data security, including the additional measures required to protect sensitive personal data. In this context, the measures taken by TGA are listed below.

Technical Measures

We use generally accepted standard technologies and operational security methods, including the standard technology called Secure Socket Layer (SSL), to protect the personal information collected. However, due to the nature of the Internet, information can be accessed by unauthorized persons over networks without the necessary security measures. We take technical and administrative measures to protect your data from risks such as destruction, loss, tampering, unauthorized disclosure or unauthorized access, depending on the current state of technology, the cost of technological implementation, and the nature of the data to be protected. Within this scope, we conclude data security agreements with the service providers we work with.

• Ensuring Cyber Security:

   We use the cyber security products to ensure personal data security, but our technical measures are not limited to this. The first line of defense against attacks from environments such as the Internet is established through measures such as firewall and gateway. However, almost every software and hardware are subjected to a Gizli Bilgi içermektedir. Confidential Information! number of installation and configuration operations. Considering that some of the commonly used software, especially older versions, may have documented security vulnerabilities, unused software and services are removed from the devices. Therefore, such unused software and services are primarily preferred because of their ease of deletion rather than keeping them up to date. The patch management and software upgrades ensure that the software and hardware work properly and that the security measures taken for the systems are sufficient to check regularly.

• Access Restrictions:

   Access rights to systems containing personal data are restricted and reviewed regularly. Within this scope, employees are granted access rights to the extent necessary for their work and duties and their powers and responsibilities, and access to related systems is provided by using username and password. When creating these passwords and passwords, combinations of uppercase and lowercase letters, numbers and symbols are preferred instead of numbers or letter sequences related to personal information that can be easily guessed. Accordingly, the access authorization and control matrix are established.

• Encryption:

  In addition to using strong passwords and passwords, limiting the number of password entry attempts to protect against common attacks such as the use of brute force algorithm (BFA), ensuring that passwords and passwords are changed periodically, and administrator account and admin privileges are opened only for use when needed. and for employees who have been dismissed from the Data controller, access is restricted without delay, such as deleting an account or closing entries.

• Antivirus Software:  

  In order to protect against malware, products such as antivirus, antispam, which regularly scans the information system network and detect hazards are used, and the required files are regularly scanned. If personal data will be obtained from different internet sites and/or mobile application channels, it is ensured that the connections are made via SSL or more secure way.

• Monitoring of Personal Data Security:

  Checking which software and services are operating in information networks, determining whether there is any infiltration or non-infiltration in IT networks, Keeping the transaction transactions of all users regularly (such as log records), Security problems as fast as possible reporting. A formal reporting procedure is also set up for employees to report security weaknesses in systems and services or threats using them. Evidence is collected and stored securely in the event of undesired events such as information system crash, malicious software, decommissioning attack, missing or incorrect data entry, violations of privacy and integrity, abuse of information system.

• Ensuring the Security of Personal Data Environments:

  If personal data is stored on the devices of the responsible persons or in the media, physical security measures are taken against threats such as theft or loss of these devices and papers. The physical environments Gizli Bilgi içermektedir. Confidential Information! containing personal data are protected against external risks (fire, flood, etc.) by appropriate methods and the entrances / exits to these environments are controlled.

If personal data is in electronic form, access between network components can be restricted or separated to prevent personal data security breach. For example, if personal data is being processed in this area by limiting it to a specific portion of the network in use, which is reserved for this purpose, the available resources can be reserved for the security of this limited area, not the entire network.

Measures at the same level are also taken for paper media, electronic media and devices containing personal data of the TGA located outside the TGA campus. As a matter of fact, although personal data security violations frequently occur due to theft and loss of devices containing personal data (laptop, mobile phone, flash disk, etc.), personal data to be transmitted by e-mail or mail is also sent carefully and with adequate precautions. Sufficient security measures are also taken in case employees provide access to the information system network with their personal electronic devices.

The use of access control authorization and / or encryption methods is applied in case of loss or theft of devices containing personal data. In this context, the password key is stored only in the environment accessible to authorized persons and unauthorized access is prevented.

Paper documents containing personal data are also stored in a locked and accessible environment only, and unauthorized access to these documents is prevented.

If any personal data is obtained by others by unlawful means, the TGA shall inform the Personal Data Protection Committee and the data subjects of this fact as soon as possible pursuant to article 12 of the Personal Data Protection Law. if they see necessary, the Personal Data Protection Committee may announce this situation at the website or in by any other means.

• Storage of Personal Data in the Cloud:

  In the event that personal data is stored in the cloud, it is necessary for the TGA to assess whether the security measures taken by the cloud storage service provider are adequate and appropriate. In this context, two-step authentication control is applied for knowing, backing up, synchronizing the personal data stored in the cloud and providing remote access if necessary. During the storage and usage of the personal data in the said systems, it is provided to be encrypted with cryptographic methods, to be encrypted and sent to the cloud environments, and to the use of individual encryption keys where possible for the personal data, in particular for each cloud solution received. When the cloud service relationship ends, all copies of the encryption keys, which may be used to make personal data available, are destroyed. Access to data storage areas with personal data is logged and improper access or access attempts are instantly communicated to those concerned.

• Information Technology Systems Procurement, Development and Maintenance:

  Security requirements are taken into consideration when determining the requirements related to the procurement, development or improvement of new systems by the TGA.

• Backing up of Personal Data:

  In case of personal data being damaged, destroyed, stolen or lost due to any reason, the TGA makes use of the backed-up data as soon as possible. The backed up personal data is accessible only by the system administrator, and data set backups are excluded from the network.

Administrative Measures

• All activities carried out by TGA have been analyzed in detail in all business units and as a result of this analysis, a process-based personal data processing inventory has been prepared. Risky areas in this inventory are identified and necessary legal and technical measures are taken continuously. (For example, the documents to be prepared within the scope of KVKK have been prepared considering the risks in this inventory)

Personal data processing activities carried out by TGA are audited by information security systems, technical systems and legal methods. Policies and procedures regarding personal data security are determined and regular controls are conducted within this scope.

1. From time to time, TGA may provide services from external service providers to meet information technology needs. In this case, we ensure that these Data Processing external service providers meet at least the security measures provided by TGA. In this case, a written agreement is signed with the Data Processor and the contract includes at least the following points:

The Data Processor acts only in accordance with the instructions of the Data controller, the purpose and scope of the data processing specified in the agreement, the Personal Data Protection and other legislation,

The Data Processor acts in accordance with the Personal Data Retention and Destruction Policy,

The Data Processor is obliged to keep any data confidential indefinitely in relation to the personal data processed,

1. In the event of any data violation, the Data Processor is obliged to inform the Data controller of it immediately,
2. TGA will perform or have the necessary audits performed on the Data Processors systems containing personal data, and may review the reports and service provider on the spot; o TGA will take the necessary technical and administrative measures for the security of personal data; and
3. Furthermore, as long as the nature of the relationship between the Data Processor and us, is suitable, the categories and types of the personal data transferred to the Data Processor are also specified in a separate article. Gizli Bilgi içermektedir. Confidential Information!
4. As emphasized in the guidelines and publications of the Authority, personal data is reduced as much as possible within the framework of the data minimization principle, and personal data that is not required, outdated and does not serve a purpose are not collected and if collected in the previous period of the Personal Data Protection Law, a data in accordance with the Personal Data Retention and Disposal Policy is destroyed.
5. The employees specialized in technical issues are employed.
6. TGA has set provisions on confidentiality and data security in the Employment Agreements to be signed during the recruitment process of its employees and requests that the employees comply with these provisions. The employees are regularly informed and trained about the personal data protection law and taking necessary measures in accordance with this law. The roles and responsibilities of the employees have been revised and their job descriptions have been revised.
7. Technical measures are taken in accordance with technological developments, and the measures taken are periodically checked, updated and renewed.
8. The access authorizations are limited and reviewed regularly.
9. The technical measures taken are regularly reported to the authorized person, and the issues that constitute risk are reviewed and efforts are made to produce the necessary technological solutions.
10. Software and hardware including virus protection systems and firewalls are installed.
11. The backup programs are used to ensure the safe storage of personal data.
12. Security systems are used for storage areas, technical measures taken are periodically reported to the person concerned as a result of internal controls, risk issues are re-evaluated, and necessary technological solutions are produced. The files/printouts stored in the physical environment are stored by the supplier companies and then disposed of in accordance with the established procedures.

The protection of personal data is also accepted by the top management, a special Committee (the Personal Data Protection Committee) has been established and started to work. A management policy regulating the working rules of the TGA’s KVK Committee has been put into effect within the TGA and the duties of the KVK Committee have been explained in detail.

Personal data transferring

In general, we do not share or disclose information about you to third parties without your consent unless TGA is required to or authorized by laws.

We may use other third-party service providers including data analytics providers who process information on our behalf, consultants, marketing agencies, Professional advisers, Ministries or business partners with whom TGA has a formal relationship with.

Our service providers are required to only process data in line with this Policy.

If you request or agree to receive information or newsletters from one of our business partners, we may provide that third party with your details so that they can contact you and/or respond to your request.

We may use and/or disclose information about you to:

• Government bodies and law enforcement agencies to prevent fraud, to comply with applicable laws, regulations and court orders and to comply with valid legal information requests from such bodies. To that extent TGA could share traffic data with law enforcement and the Turkish Information Technologies and Communication Authority based on the Internet Law.
• Third parties (including professional advisors) to enforce or defend our legal rights or the terms and conditions of any of our websites, products or services
• A third-party purchaser or seller, and its and our professional advisors, in connection with a corporate event such as a reorganization, merger, business acquisition or insolvency situation
1. Based on the commercial electronic message approval, the commercial electronic message is shared with the service provider in order to promote, advertise and offer benefits and opportunities in line with travel preferences,

Anonymous statistics

We prepare anonymous data for a number of purposes. The information may be shared with our partners, advertisers, media and public as you cannot be identified from this information.

3. Direct Marketing communications

When you provide us with contact details, you may be given the opportunity to opt-in to receiving various newsletters and other communications from us.

You can change your marketing communication preferences at any time.

If you use more than one e-mail address to contact us on, you will need to unsubscribe separately for each email address.

Please note that we may send you important information about our products and services that you are using or have used including essential software updates, changes to applicable terms and conditions and/or other communications or notifications as may be required to fulfil our legal obligations arising from the Law on the regulation.

4. Cookies and Cookie Management

TGA has a detailed Cookie Policy and provide you very effective cookie management regarding cookies we use. For more details see please our Cookie Policy

5.Links to third party sites

Some of our websites may contain links to other third-party websites that are not operated by us. We are not responsible for the content, security or privacy practices of those third-party websites. Please view the privacy and cookie policies displayed on those third-party websites.

8. PERSONAL DATA RETENTION PERIODS

TGA has a Personal Data Retention Policy, which has been prepared in accordance with the DPL. We keep personal data following periods:

• We keep online visitors traffic data 2 years based on the Internet Law.
• We keep login info of users until he/she close his/her account..
• We keep opt-in, opt-out records for 1 year from the date of withdraw and other records regarding commercial electronic messages for 1 year based on the Bylaw on Commercial Communications and Commercial Electronic Messages.
• For retention periods of personal data processed by cookies, see please our Cookie Policy.
• Within a reasonable time following providing the service.

9. PROFILING

We may use your information to create user group profiles or segment data and to otherwise create anonymous, aggregated statistics about the use of our websites, products and services which we may share with third parties and/or make available to the public. In order to create user group profile, instead of sharing personal data directly with our providers, we use pseudonymization. We do not make microtargeting.

10. DATA SUBJECTS’ RIGHTS

You are entitled (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:

• Request access to the personal data that TGA process about you. This right entitles you to know whether TGA hold personal data about you and, if TGA do, to obtain information on and a copy of that personal data.
• Request a rectification of your personal data: this right entitles you to have your personal data be corrected if it is inaccurate or incomplete.
• Object to the processing of your personal data.
• Request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
• Request the restriction of the processing of your personal data.
• Request portability of your personal data: You can request a copy in a structured, commonly used and machine-readable format of personal data that you have provided to TGA, or request TGA to transmit such personal data to another data controller.
• To know the third parties to whom his/her personal data are transferred in country or abroad.
• To object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems, including profiling
• To claim compensation for the damage arising from the unlawful processing of his/her personal data.

a. Exercises of Rights of the Data Subject

Applications and requests regarding personal data can be sent via the Data Subject Application Form,,

• By sending your signature and photocopy of identity to the Esentepe Mahallesi Büyükdere Cad. No:127 Astoria AVM B Blok Kat:4 34394 Şişli – İstanbul or
• By signing with a secure electronic signature or mobile signature and sending it to the [email protected].
• By signing with a secure electronic signature or mobile signature, sending it to the [email protected] via registered electronic mail (KEP) or,
• By applying in person to the Esentepe Mahallesi Büyükdere Cad. No:127 Astoria AVM B Blok Kat:4 34394 Şişli – İstanbul with a valid identity document,.

to the Republic of Türkiye Ministry of Culture and Tourism, Türkiye Tourism Promotion and Development Agency.

In order to operate this process in the most effective way, it should be clearly and understandably indicated in their request which right is wished to be used and the details of the requested transaction.

The subject of the request should be about the data subject itself. If the application is made on behalf of someone else, the person making the request should rely on a specially documented authorization for the requested transaction (power of attorney). Unauthorized applications will be ignored.

b. Evaluation of the Application

Applications are evaluated as soon as possible, and at the latest within 30 days from the date of receipt of the application.

During the evaluation process, additional information and documents can be requested if required, and a fee may be charged for fulfilling the request in cases that comply with the relevant legislation.

TGA takes all necessary administrative and technical measures in order to conclude the applications made by the data subject effectively and in accordance with the law and the principle of honesty.