Privacy Notice on the Protection and the Processing of Personal Data

Defy (hereinafter referred to as “Company” or “We”), has the utmost sensitivity on the lawful processing of its customers personal data.

We have prepared Defy Privacy Notice on the Protection and the Processing of Personal Data, in order to ensure compliance with national and international legislation in effect, in particular the Law on the Protection of Personal Data (the “Law”) and the European Union General Data Protection Regulation (“GDPR”). For more detailed information about GDPR you may read the GDPR Privacy Notice published on.

The security of our customers’ personal data is at the forefront of our work. Therefore, in order to prevent any unlawful access to personal data or leak and to ensure the secure retention of personal data relating to our customers, such data are only transferred to trusted business partners and on a minimum level, by taking necessary security measures in accordance with the legislation in force.

Transparency is one of the most important subjects of our personal data protection program. In this respect, we have prepared this Notice in order to provide our customers with all possible information while we are processing personal data for the purposes of compliance with our legal obligations and to ensure a better customer experience. Detailed information regarding the types of personal data and the purposes for processing personal data are detailed under the “For Which Purposes Do We Process Your Personal Data?” heading.

Another issue that we also pay close attention to is customers’ right to have control over their personal data. We implement measures to ensure that our customers manage their preferences regarding their own personal data and highly respect our customers preferences. In this regard, you may convey your requests to us by communication channels listed under section “The Exercise of Rights by the Data Subjects”, and detailed explanations regarding the matter are provided within the section named “Rights of the Data Subjects”.

Data security, transparency and individuals’ right to have control over their personal data are fundamentals for us in ensuring compliance with the Law. In this respect, detailed information regarding the processing of your personal data are presented to your attention within this Notice.

How do we obtain your personal data?

This Notice contains our declarations and explanations concerning the processing of personal data relating to our customers and other natural persons establishing contact with us, excluding our employees, in compliance with the provisions of the Law and the GDPR.

We reserve the right to make changes to this Notice in order to provide accurate and up-to-date information concerning practices and regulations relating to the protection of personal data. Additionally, data subjects will be informed by appropriate means in the event of a substantial change to the Notice.

This Notice is prepared in order to provide information concerning which personal data Defy processes within the scope of its commercial activities, the purposes for processing, the parties to whom personal data are transferred and the purposes for such transfers.

Necessity to establish a contractual relationship with you and to perform our obligations under a contract (provision of airline transport services and other related services) iii) complying with

obligations under national and international regulations and iv) our legitimate interests provided that such interests do not have a negative impact on our customers’ fundamental rights and freedoms.

In addition to the above-listed conditions for processing personal data, we may request you to explicitly consent to the processing of your personal data. If this is the case, personal data will be processed limited to the scope of your freely given explicit consent. You may at any time revoke your explicit consent.

Transfer of personal data

Your personal data may be shared with parties who provide product or service to us or on behalf of our company and with our suppliers and business partners that we get support for the establishment, execution and termination of our relationship, including the parties collaborating with us for the purposes of providing products and services to you. Your personal data may also be shared with public institutions and private persons authorized by law within the scope of their authorization. In such cases, our company takes all precautionary measures to ensure that the parties carry processing and transfer activities in accordance with the rules stated in this Notice and other related law.

Personal data may be shared with group companies, business partners, public institutions and private persons authorized by law pursuant to conditions and purposes of processing personal data as stated under Article 8 and 9 of the Law, and may be transferred abroad, limited with the stated purposes and in accordance with the principles and procedures stated under Article 9 of the Law and decisions of the Personal Data Protection Board.

Your personal data may only be transferred abroad where;
● your explicit consent is obtained, or
● where your explicit consent is not obtained but one or more data processing condition(s) which stated in the Law are met,
● the transferred country found to be offering adequate protection by the Personal Data Protection Board decision or;
● Within the scope of the provisions in the relevant laws.
● in case of the protection in the transferred country found to be inadequate, a written undertaking to provide adequate protection between our Company and the Data Controller that the data are being transferred to have been reached and the approval of the Personal Data Protection Board have been obtained.

Retention of personal data

Our company determines the retention periods by taking into consideration of the applicable law and purposes of data processing. In this respect, where applicable, we particularly consider the issues of period of limitation and legal obligations regarding the processing of personal data. Once the purpose for processing personal data ceases, unless another legal reason or basis allowing the retention of the personal data exists, data will be deleted, destroyed or anonymized.

Principles relating to personal data privacy

Our company acts in accordance with the principles stated below in all data processing activities. “Acting in accordance with the law and in good faith”, “Authenticity and Being Up-to-date”, “Processing for specific, clear and legitimate purposes”, “Being relevant, limited and proportionate with the purposes”, “Retention as stated in the related law or as long as necessary for the relevant purpose”

Use of digital platforms

Your personal data may be processed while your use of Digital Platforms to manage and operate the Website, to perform activities for optimizing and improving the user experience related to the Website and Application, to detect in what ways the Website is being used, to support and enhance the use of location based tools, to manage your online accounts and to inform you about the services offered near you. In case you desire to benefit from the offered product and services, your personal data will be processed only to make you get such product and services.

Rights of the data subjects

In accordance with Article 11 of the Law, data subjects are entitled to the following rights:
● Learn whether data relating to him/her are being processed;
● Request further information if personal data relating to him/her have been processed;
● Learn the purpose for the processing of personal data and whether data are being processed in compliance with such purpose;
● Learn the third-party recipients to whom the data are disclosed within the country or abroad,
● Request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred;
● Request deletion or destruction of personal data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in line with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred;
● Object to negative consequences about him/her that are concluded as a result of analysis of the processed personal data by solely automatic means;
● Demand compensation for the damages he/she has suffered as a result of an unlawful processing operation.

The exercise of rights by the data subjects

You can easily use your rights mentioned above and easily communicate the related requests to us via contact information below. Data subjects’ requests concerning the above-listed rights shall be concluded by us within thirty days at the latest, in accordance with the limitations provided by the Law. In principle, data subject requests shall be concluded free of charge. However, Defy reserves its right to demand a fee from the tariff specified by the Board, in case the request requires additional costs. Our Company may request certain information from the data subject in order to determine that the applicant is in fact the Data Subject, and additional questions can be directed to the applicant to clarify matters regarding the applications.

Data security

We take all appropriate technical and organizational measures to safeguard your personal data and to mitigate risks arising in connection with unauthorized access, accidental data loss, deliberate erasure of or damage to personal data. In this respect our Company;
● Ensures data security by utilizing protection systems, firewalls and other software and hardware containing intrusion prevention systems against virus and other malicious software,
● Access to personal data within our company is carried out in a controlled process in accordance with the nature of the data and within the framework of the authority on the basis of unit / role / practice,
● Ensures the conduct of necessary audits to implement the provisions of the Law, in accordance with Article 12 of the Law,
● Ensures the lawfulness of the data processing activities by way of internal policies and procedures,
● Applies stricter measures for access to special categories of personal data,
● In case of external access to personal data due to procurement of outsource services, our Company obliges the relevant third party to undertake to comply with the provisions of the Law,
● It takes necessary actions to inform all employees, especially those who have access to personal data, about their duties and responsibilities within the scope of the Law.

Definitions

● Explicit consent: Consent that is provided for a specific subject, upon being informed and freely given.
● Anonymization: Rendering personal data by no means identified or identifiable with a natural person even by linking with other data.
● Related person/Data subject: Refers to the natural person whose personal data are processed.
● Personal data: Refers to any information relating to an identified or identifiable natural person.
● Special Categories of Personal data: Refers to data that has been subjected to a more stringent protection regime under the Law which may cause the Data Subject to be victimized or discriminated against in cases of disclosure or loss.
● Processing of personal data: Refers to any operation that is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
● Data recording system: Refers to the registration system in which personal data is configured and processed according to certain criteria.
● Data controller: The natural or legal person determining the purposes and means of the processing of personal data and who is responsible for the establishment and management od a data recording system.