2.          PEGASUS PRIVACY POLICY (PEGASUS GENERAL RULES SECTION 2)
       

2.1.         General

2.1.1.      Your privacy is very important for us. We are also aware of the importance of your privacy for you. With this aim, the Pegasus Privacy Policy aims to inform you of how and for which purposes your personal data may be processed and shared with third parties. This Policy covers information on our entire operations. You can submit specific inquiries through communication channels described in Paragraph 2.7.

2.1.2.      We will use the personal data you submit to Pegasus through the Pegasus Communication Channels or other communication and sales channels in accordance with the Pegasus Privacy Policy. We will make available to you the Pegasus Privacy Policy, or specific privacy notices where appropriate, before you use these channels.

2.1.3.      All changes to the Pegasus Privacy Policy are announced and updated on the Pegasus Website and the Pegasus Mobile Applications. You will be deemed to have read and accepted the latest version of the Pegasus Privacy Policy each time you use our Website or our Mobile Applications, including any amendments to date. Therefore, we recommend that you review the Pegasus Privacy Policy and update announcements each time you visit our Website or use our Mobile Applications.  

2.1.4.      You will also be deemed to have reviewed the content of the Pegasus Privacy Policy in effect as of the date of transaction, whenever you purchase or use any product or service offered by Pegasus through any sales channel.

2.2.    Data Controller
2.2.1.      Pegasus Hava Taşımacılığı A.Ş. (“Pegasus”), with headquarters located at AEROPARK, Yenişehir Mahallesi, Osmanlı Bulvarı No: 11/A Kurtköy 34912 Pendik Istanbul, Türkiye, acts as a data controller as per the provisions of the Law No. 6698 on the Protection of Personal Data (“PDP Law”) and other applicable national and international law on the protection of personal data, in relation to your personal data processed within the context of the Pegasus Privacy Policy and other Pegasus privacy notices.

2.2.2.      In this context, your personal data is recorded, updated and maintained to the extent permitted by the purpose of processing, shared with third parties in Turkey and abroad and otherwise processed as stipulated by the law, by Pegasus or on its behalf as the data controller, in each case subject to the applicable law and the rules stipulated in this Policy.

2.3.      How We Collect Your Personal Data

2.3.1.      Pegasus may obtain your personal data through:

a.     The Pegasus Website, the Pegasus Mobile Applications, the Pegasus Call Center, Airport Ticket Sales Offices, airport check-in counters and aircraft boarding control points,

b.     Travel Agents authorized to sell Pegasus products and services, other airlines selling tickets for Pegasus scheduled flights based on airline cooperation agreements and tour operators contracted for charter flights,

c.     Fly & Watch, our in-flight entertainment system,

d.     Pegasus social media accounts and instant messaging applications used for guest services,

e.     Notifications received from public authorities and bodies, real persons or private law legal entities,

in each case in written, verbal, electronic form and using automatic or non-automatic processing methods.

2.3.2.   Whenever a transaction is made with Pegasus on behalf of another passenger or service recipient, Pegasus may process the personal data relating to both the person carrying out the transaction and the person on whose behalf the transaction is made. In this case, Pegasus may communicate with the passenger or service recipient directly about their flight or services.

2.4.     Categories of Personal Data We Use
2.4.1.      Pegasus may process the following categories of personal data either based on your consent, or without your consent if any other legal purposes listed in Paragraph 2.5 below apply.

a.       Identification and Passport Information: Your name and surname, birth date, Turkish ID number, whenever passport declaration is required your passport information including bearer identification, issuing country, passport number and passport expiry date, and identification information covered in other travel documentation requiring control as per applicable travel rules.   

b.       Contact Information: Your e-mail address, telephone number, only if you have disclosed it to us for communication purposes your residence address, your social media contact information and all other contact information you disclose to Pegasus.

c.       Travel, Product & Service Information: Your passenger name record (“PNR”), your advanced passenger information (“API”) derived from PNR and travel documents information submitted to us prior to your entry to your destination. PNR and API content includes contractual transactions (such as reissue, ticket cancellation, refund), records regarding product or service purchase (such as excess baggage allowance, seat selection), travel information (such as delay/flight cancellation, check-in and boarding information), sales channel data (such as website, call center, travel agent), transaction date and times, special service requests (“SSR”) optionally sought from us regarding our services (such as wheelchair) and additional identification information required for check-in (such as Turkish ID Number for domestic flights and passport and visa information for international flights), in each case from ticketing until the completion of the last flight included in the PNR.

d.       Loyalty Program Membership Information: If you are a member of our Pegasus BolBol loyalty membership program, your membership and Pegasus BolBol Program transaction data associated with your membership account.

e.       Customer Transaction Information: Information communicated in writing, verbally or electronically within the context of your requests, feedback and complaints regarding our products and services.

f.        Marketing Information: Your choices and past experience regarding our products and services, survey results, cookies records, promotional campaign data and social media user information.

g.       Financial Information: All information regarding invoicing and payment methods (in accordance with PCI DSS, we only record the first six and last four digits of credit card number and credit card bearer name and surname).

h.       Flight Security Information: Article 40, Paragraph 4 of the Turkish Civil Aviation Law No. 2920 stipulates that information regarding persons traveling by air may be collected, recorded, processed, shared in accordance with the PDP Law for the purposes of facilitating travel or conducting security and risk assessment, and such information can be evaluated to introduce measures to ensure flight safety and security. In line with these provisions, and to ensure flight security and to protect the lives and the property of our employees, our service providers and their staff and our guests, we maintain records for unruly passenger events or other events constituting security risk or threat, from the moment our guests start interacting with Pegasus. Such records cover information on passengers concerned, the details and description of the event, security controls applied, witness information and unruly act classification information.

i.        Audiovisual Information: Call center records, and records obtained through voice recorders installed at check-in desks and video recorders installed at specific Pegasus service points with the aim of ensuring the security and wellbeing of those present. Pegasus does not obtain any audiovisual records inside the general areas of the passenger terminals located in airports or inside the aircraft cabin.

j.        Legal Transaction and Compliance Information: Documents and information requested by administrative and judicial bodies, judicial processes initiated by or against Pegasus (such as lawsuits and investigations) and records relating to administrative or judicial processes.

k.       Special Categories of (Sensitive) Personal Data: To carry out its operations, Pegasus does not use special categories of (sensitive) personal data in a regular and comprehensive manner. However; the use of special categories of personal data may be required within the context of health information you disclose to us regarding your use of our products and services, special service requests for passengers with reduced mobility, food allergy and special selection information and HES Code, test and vaccination information necessitated by public health and travel suitability and documentation rules.

2.5.    Lawfulness for Processing and Our Processing Purposes

2.5.1.  Pegasus may process your personal data without your consent if at least one of the following lawful grounds for processing exist.

·       Processing is clearly permitted by law.

·       Processing is necessary to protect the vital interests of the data subject or of another natural person.

·       Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.

·       Processing is necessary for compliance with a legal obligation to which the controller is subject.

·       Personal data is publicized by the data subject.

·       Processing is necessary to establish, exercise or protect a legal right.

·       Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

2.5.2.   In this context, Pegasus may process your personal data for the following purposes, without your consent to the extent such processing is based on at least one lawful ground.

a.       Addressing Travel Requirements and Managing Flight Account:

Starting from the ticketing process, your personal data described in Paragraph 2.4 Alinea (a), (b), (c), (f), (g), (h), (i) and (j) will be used for the purposes of executing the terms of the contract of carriage, carrying out ticket sales and all other ticket, product and service transactions, assessing suitability for travel, creating trave records, carrying out boarding, providing support services before, during and after the flight, carrying out communication and notifications regarding the flight, recording contractual transactions (such as reissue, ticket cancellation and refund), carrying out ancillary product/service and special service requests and for emergency response management purposes. To the extent necessary, such data will be used for the said purposes together with other categories of personal data indicated in other Alinea of Paragraph 2.4.

If you are a Pegasus BolBol member, in addition to the above, your membership information and point transactions will be used for managing your membership account and to execute transactions with our loyalty program business partners, in conjunction with your flights associated with your membership account.

Your personal data will be used to address your travel requirements and flight transactions, primarily based on the requirements of the Turkish Civil Aviation Law No. 2920, the applicable civil aviation regulations and international treaties on civil aviation, and also based on the necessity for Pegasus to comply with its legal obligations. Furthermore, the use of such data is also necessary for the establishment and performance of the contract of carriage with our passengers. In specific circumstances, the use of such data may be necessitated by other lawful grounds listed above.

b.       Complaint and Request Management:

Your personal data described in Paragraph 2.4 Alinea (a), (b) and (e) will be used for the purposes of increasing customer satisfaction and managing, resolving, analyzing and reporting all complaints and requests submitted to us through the Pegasus Website, the Pegasus Mobile Applications, the Pegasus  Call Center, Pegasus social media accounts and instant messaging applications, or through the General Directorate of Civil Aviation, Consumer Dispute Councils, competent courts in and outside of Turkey authorized to resolve disputes, alternative dispute resolution channels and official authorities. To the extent necessary, such data will be used for the said purposes together with other categories of personal data indicated in other Alinea of Paragraph 2.4.

Your personal data will be used to manage complaints and requests, primarily based on the performance of the contract of carriage, the necessity for Pegasus to comply with its legal obligations and the necessity to establish, exercise and protect the rights for both you and Pegasus. In specific circumstances, the use of such data may be necessitated by other lawful grounds listed above.

c.       Responding to and Managing Passenger Information Requests by Official Authorities:  

Your personal data described in Paragraph 2.4 all Alinea may have to be used by Pegasus, for the purposes of complying with legal obligations under national and international law and international treaties, to respond to lawful requests from the General Directorate of Civil Aviation, Turkish Ministry of Interior General Directorate of Migration Management, Turkish Ministry of Health, competent border authorities in travel destinations, courts, consumer dispute resolution bodies and other administrative and judicial bodies.

Your personal data will be used to responding to and managing requests by official authorities, primarily based on the performance of the contract of carriage, the necessity for Pegasus to comply with its legal obligations and the necessity to establish, exercise and protect the rights for both you and Pegasus. In specific circumstances, the use of such data may be necessitated by other lawful grounds listed above.

d.       Marketing Activities and Customer Satisfaction:

Your personal data described in Paragraph 2.4 all Alinea will be used by Pegasus, for the purposes of defining our marketing strategy, creating databases, carrying-out listing, reporting, verification, analysis and evaluations, producing statistical data, undertaking segmentation, profiling, unification and data enrichment activities aimed at guest experience, conducting analysis on how you use the Pegasus Communication and Sales Channels and to personalize our communication channels for a better service, proposing personalized flight offers and services, conducting research and development on our products and services and your personal choice alternatives regarding these products and services, contacting you directly or through service providers for market research purposes, using the contact information provided to us and conducting commercial marketing communication for promoting our products and services, promoting new services, special flight offers and other information we consider that may be of interest to you.

Your personal data will be used to carry-out marketing activities and to increase guest satisfaction, primarily based on the necessary for the purposes of the legitimate interests pursued by Pegasus. In these cases, we are implementing controls to ensure that the interests and fundamental rights and freedoms of the data subjects are not prejudiced in violation of the applicable law. In specific circumstances, the use of such data may be necessitated by other lawful grounds listed above.

We would like to underline that the commercial marketing communication by e-mail or SMS are sent to you only based on your consent and only through your selected communication media.

e.       Carrying-out Financial Operations:

Your personal data described in Paragraph 2.4 Alinea (a), (b), (c), (d) and (g) will be used for the purposes of financial reporting, control, verification, analysis and assessments, executing payments and/or refunds, meeting tax and similar payment and reporting obligations and implementing protective measures against financial fraud and violation cases.

Your personal data will be used to carrying-out financial operations, primarily based on the performance of the contract of carriage, the necessity for Pegasus to comply with its legal obligations and the necessity to establish, exercise and protect the rights for both you and Pegasus. In specific circumstances, the use of such data may be necessitated by other lawful grounds listed above.

f.        Legal Compliance Review:

Your personal data described in Paragraph 2.4 all Alinea may have to be used by Pegasus, for the purposes of complying with legal obligations regarding travel documentation and controls, illegal immigration, anti-money laundering, fraud and other crime prevention and financial sanctions, ensuring flight safety and security and to protect the lives and the property of our employees, our service providers and their employees and our passengers, preventing financial fraud and violation and ensuring overall legal compliance.

Your personal data will be used for legal compliance review, primarily based on the performance of the contract of carriage, the necessity for Pegasus to comply with its legal obligations and the necessity to establish, exercise and protect the rights for both you and Pegasus. In specific circumstances, the use of such data may be necessitated by other lawful grounds listed above.

2.6.      Third Party Recipients of Personal Data

2.6.1.      Pegasus may transfer your personal data to the following recipients located in Turkey or abroad, either based on your consent, or without your consent if any other lawful basis listed in Paragraph 2.5 below apply.

(i)              Business partners with whom we offer products and services or with whom we cooperate under the Pegasus BolBol Loyalty Program,

(ii)             Employees, group companies, service providers, authorized travel agents, other airlines we collaborate with as part of flight networks and partnerships, in each case participating in the delivery and performance of our products and services,

(iii)            Competent official authorities in Turkey and abroad, authorized to seek out information from Pegasus and other persons and entities to the extent imposed on Pegasus by legal obligations,

(iv)           Competent official authorities acting on the grounds of public order, flight security and fulfillment of legal obligations arising from the applicable law where Pegasus operates flights.

2.6.2.      For example, such information may be provided to a competent official authority as per the provisions of the Turkish Civil Aviation Law No. 2920 and the applicable law or may be shared with competent official authorities outside of Turkey in accordance with the international treaties and Turkish national law applicable to our international flights. On the other hand, handling service providers and travel agents are provided access to the Pegasus Reservation and Sales System in accordance with business requirements, to perform our flight operations and related services. These service providers are instructed as data processors to act as per our guidance and privacy protocols. Pegasus BolBol membership information is not transferred to third parties. In addition to the foregoing, authorized personnel of our technical infrastructure and call center service providers have access to our IT systems, subject to our information security access protocols, regarding complaint and request management for all our products and services.

2.6.3.      Pegasus publishes the categories of personal data it uses for its operations, the purpose of use for each category, the relevant data subjects, data retention periods, third-party recipients and information security measures implemented across the organization on the Public Data Controllers Registry (VERBIS) operated by the Presidency of the Turkish Personal Data Protection Board (https://verbis.kvkk.gov.tr/).

2.7.     Data Subject Rights and Application Channels:

2.7.1.      You can always apply to Pegasus to: (a) understand if your personal data is processed; (b) request information on the processing of your personal data, (c) understand the purpose of processing for your personal data and whether these are used in line with this purpose; (d) know third parties to whom your personal data is transferred in Turkey and abroad and to inquire about the appropriate safeguards implemented for cross-border personal data transfers; (e) correct your incomplete or incorrect personal data processed and maintained; (f) request the destruction or anonymization of your personal data subject to the purposes for the processing of your personal data being fully exhausted; (g) have third parties notified of the transactions covered in items (e) and (f), (h) object to the results of any analysis of your personal data exclusively through automatic systems.

2.7.2.      Your applications can be submitted to us in writing and signed, addressed to the Data Protection Officer, at our business headquarters located at AEROPARK, Yenişehir Mahallesi, Osmanlı Bulvarı No: 11/A Kurtköy 34912 Pendik Istanbul, Türkiye or through the Contact Us section of the Pegasus Website. You can submit your applications using the Application Form Template.

2.8.   Electronic Marketing Communication
2.8.1.      Electronic marketing communication and consents required for such communication is regulated by the “Regulation on Commercial Communication and Electronic Marketing Communication”. Commercial electronic marketing communication will be performed based on your contact permissions provided during ticketing, Pegasus BolBol membership registration or any other applicable medium. In this respect, and subject to your consent, you accept to receive commercial electronic marketing communication regarding the promotion of products and services offered by Pegasus and Pegasus’ business partners, new products and services, special flight offers, other information regarding your trip or information Pegasus may consider to be in your interest. You can always choose not to receive such communication for the future on all or part of your contact details through following the options provided in the relevant marketing communication. 

2.8.2.      As per Article 13 of the said regulation, Pegasus is required to maintain consent records for three years following the withdrawal of consent and other records regarding electronic marketing communication for three years as of the record date.

2.8.3.      Furthermore, you may manage electronic marketing communication consents on a single platform through the Communication Management System (İleti Yönetim Sistemi or IYS, accessible through https://iys.org.tr/). Through İYS you may consent to communication by traders, including Pegasus, or withdraw existing consents.

2.9.      Corrections
2.9.1.      If you believe that Pegasus has incorrect or incomplete information on your personal data, please Contact Us as soon as possible. Pegasus will correct the information that is incorrect or incomplete.

2.9.2.     You can access or modify your personal information regarding your Pegasus BolBol membership though the “Edit Profile” tab under the Pegasus BolBol page through the Pegasus Website or the Pegasus Mobile Applications.

2.10.  Security
2.10.1.      The protection of your privacy is important for us. All information you submit to us through the Pegasus Website and the Pegasus Mobile Applications are protected by 128 Bit SSL (Secure Sockets Layer), an encrypted communication tool. Once the relevant information reached us, it is protected according to our security and privacy standards. To benefit from SSL, your web browser must support SSL and your browser options should enable the use of SSL.

2.10.2.     Pegasus security and privacy standards are in line with the ISO 27001:2017 Information Security Management System. The Pegasus Website is certified with the TRGO Security Seal (Registry No: 2020-0004).

2.10.3.      Each Pegasus BolBol member will have a username and a password. “Username” is unique for each member and cannot be assigned to another user. The “password” is created by and is known only to the member. Members can change their passwords as permitted by membership program rules. Creating and maintaining password security is the obligation of the user. Pegasus does not assume any responsibility in respect of the misuse of passwords. Likewise, it is the passenger’s or his/her agent’s responsibility to maintain the privacy of the PNR produced uniquely for your transactions through different communication and sales channels. Others may access your reservation details if your PNR information is disclosed to third parties.

2.10.4.     Your data is maintained only to the extent necessitated by our business processes or legal obligations. In line with PCI DSS, details of your credit cards are not maintained on our servers.

2.11.     Links
2.10.5.   The Pegasus Website contains links to third-party websites, allowing you to access content prepared by third parties by hyperlinks. Pegasus has no authority on the linked third-party websites and does not assume any responsibility for third-party content. The terms and conditions applicable to the Pegasus Website will not apply to your access and use of third-party websites.

2.10.6.    You are fully responsible for your access, content, use and communication to or through the linked third-party websites. All personal data transfer to be carried out through the linked third-party websites will be subject to the information, other notifications and rules determined and published by the third-party operating the website and acting as the data controller under applicable law.

2.12.    Cookies and Digital Marketing Applications
2.10.7.     Cookies are small information files that are stored on your computer through your web browser when you visit a website. When there is a connection between the web browser and the server, the website uses cookies to remember you. The cookies aim to make life easier for website users.

2.10.8.     There are four different categories of cookies based on their purpose: Session Cookies, Performance Cookies, Functional Cookies, and Publicity and Third-Party Cookies. Session Cookies are temporary cookies that are stored on the user’s browser until the user exits the Pegasus Website. Other cookies are cookies that remain on the user’s browser for as long as the user does not delete them. The cookies’ lifespan varies, depending on the user’s browser settings.

2.10.9.      Besides cookies, pixel and similar file applications and internet-based advertisement, promotion and marketing functions may be used in websites for similar purposes.

2.10.10.     Pegasus uses Session Cookies, Performance Cookies, Functional Cookies and Publicity and Third-Party Cookies on the Pegasus Website.

a)       Session Cookies: This type of cookies is necessary for the smooth functioning of the Pegasus Website. These cookies make it possible to visit the Pegasus Website and to benefit from its features. Session Cookies are used to store the information in the web pages and to avoid the need to re-enter your details.

b)      Performance Cookies: These cookies store information about how often the website is visited, any relevant error messages received, the duration of the visit and the user’s use of the website. This information is used to improve the website performance.

c)       Functional Cookies: These cookies remember the choices the user has made on the website (e.g., city and flight date selections) and facilitates the use of the website by the user. These cookies make it possible for the user to benefit from sophisticated internet features.

d)      Publicity and Third-Party Cookies: For using certain functions, third-party suppliers’ cookies are used on the Pegasus Website (e.g., cookies comprising sharing devices on social media on flight destinations and promotional pages). The Pegasus Website also contains the cookies of the firms carrying-out advertisement tracking.

2.10.11.     Pegasus Internet Site uses both first-party cookies which are placed by the site visited and third-party cookies which are placed by servers, other than the site visited. The different types of first-party cookies used by Pegasus are listed below.

2.10.12.    In general, internet browsers are pre-defined to automatically accept cookies. Browsers can be adjusted to disable cookies or to alert users when a cookie has been sent to their device. Because cookie management varies from browser to browser, further information can be obtained from the relevant browser’s information website. For details on how to delete or disable cookies or for general information on cookies, please see www.allaboutcookies.org.

2.10.13.    You can accept or reject cookies. You can enable or disable cookies by changing the settings of your internet browser. For information on how to change your browser settings and how to delete cookies please see your browser’s instructions. Please bear in mind that when cookies are disables, some of the website’s features will change. Please refer to the websites below for information about disabling third-party cookies:

a.      Mozilla Firefox

b.       Internet Explorer

c.      Google Chrome

d.       Opera

e.      Safari

f.        iOS

2.10.14.    When you visit the Pegasus Website, you can make your choices on cookies upon being prompted by our cookies privacy notification. You can also adjust privacy settings for your Pegasus Mobile Application through your mobile device’s security settings.