Skip to main content

SunExpress Protection of Personal Data Announcement

Table of Contents

  1. Controller
    2. Scope, Purpose and Legal Basis of the Processing of Personal Data
    2.1. Sale of Tickets and Ancillary Products and Services
    2.1.1. Sale of Tickets
    2.1.2. The sale of Air Cairo tickets
    2.1.3. Ancillary Products and Services
    2.2. Use of our Website
    2.2.1. Provision of the Website and Creation of Log Files
    2.2.2. Use of the services offered on our website and non-consent-based marketing in general
    2.2.3. Marketing activity purposes based on your consent
    2.2.4. Newsletter
    2.3. Use of the App
    2.3.1 iOS Users of our App
    2.3.2 Android Users of our App
    2.3.3 Categories of Personal Data processed by the SunExpress App
    2.3.4 Your personal data processed by our analytical support tool Google Firebase
    2.3.5 Salesforce Marketing SDK
    2.4. SunExpress Your Benefit (Loyalty Programme)
  2. Consent
    4. Our Legitimate Interests in the Processing of Personal Data
    5. Other Processing Obligations
    6. The Obligation to Specify Personal Data
    7. Use of Cookies
    8. Information Regarding Commercial Electronic Messages under the Laws of the Republic of Türkiye
    9. Transfer of Personal Data
    9.1 Data Recipients
    9.2 The Rules of Transferring Personal Data outside of the Republic of Türkiye
    9.3 International Data Transfers under GDPR’
    10. Duration of the Data Processing
    11. Your Rights as the data subject under the KVKK
    12.Further Information for data subjects under the GDPR 17
    12.1. Right to Object according to Art. 21 GDPR
    12.2. Withdrawal of consent
    12.3. Existence of Automated Decision-Making and Profiling
    12.4. Your Rights as the Data Subject
    13. Disclaimer and Limits of this Privacy Notice
    14. Partner Overview

SunExpress takes the protection of your personal data very seriously. In this Privacy Notice, we inform you about the processing of your personal data, including in particular in the following circumstances:

(i) If you purchase a ticket or ancillary services from us and our partners such as travel agencies and tour operators (see Section 2.1.1 Sale of Ticket and 2.1.2. The sale of Air Cairo tickets)
(ii) When you use our website (see in particular Section 2.2. Use of our website) and
(iii) When you use the SunExpress app (the “App”) (see in particular Section 2.3. Use of the App)

  1. Controller

The controller (Art. 4 (7) General Data Protection Regulation (GDPR), Art. 3 (1) (ı) Turkish Data Protection Law No. 6698(KVKK)) for the processing of your personal data is

Güneş Ekspres Havacılık A.Ş.
Yenigöl Mah. Nergiz Sok. No: 84
07230 Muratpaşa-Antalya/Türkiye
Phone: +90 (0)242 310 26 26 (pbx)
Website: https://www.SunExpress.com (“website”)
(hereinafter also referred to as “SunExpress”, “we”, “us”, “our”).

If you need further information about the processing of your personal data in connection with the sale of our products and services as well as the use of our website and App, please contact us:

Data Protection Officer of Güneş Ekspres Havacılık A.Ş.( SunExpress)
E-mail: 
sxs.dpo@sunexpress.com

For our UK travellers, clients and other contacts, we have appointed a UK Representative to ensure that we continuously process your personal data in compliance with applicable UK laws and your statutory rights. You can contact our UK representative at UKrep@sunexpress.com

Your privacy matters to SunExpress as much as it matters to you. Thus, we aim to inform you about SunExpress’ purposes of processing and manner in which your personal data is processed and to whom SunExpress transfers your personal data. Your personal data you share with SunExpress via our website and other electronic communication and sale channels will be processed in accordance with this information.

  1. Scope, Purpose and Legal Basis of the Processing of Personal Data

The processing of your personal data is performed in accordance with the Law No. 6698 on the Protection of Personal Data (“KVKK”), the EU General Data Protection Regulation (Reg. EU 2016/679) (“GDPR”) and local data protection laws, if applicable.

We process your personal data in the following circumstances:

2.1. Sale of Tickets and Ancillary Products and Services

2.1.1. Sale of Tickets

If you buy a flight ticket from us (via the website, the App, our ticket sales offices, customer service centre or through one of our business partner’s such as travel agencies or tour operators), we process your personal data for the following purposes:

  • To enable and administer your booking, reservations, boarding, check-in and flight with us
  • To provide the offers and services requested by you
  • To provide flight safety and security, the protection of life or property of SunExpress guests, SunExpress employees, SunExpress service providers and their employees or SunExpress
  • To handle transactions relevant to baggage damage/loss and irregular flights
  • To meet passenger complaints and demands
  • To prevent fraud, to enable performance of internal audits, the establishment of security as well as the management of legal and other claims

The legal basis for this processing is our contractual obligation to you, in accordance with Art. 6 (1) (b) GDPR and Art. 5 (2) (c) KVKK; the fulfilling of our obligations regarding safety and transportation services Art. 6 (1) (c) GDPR and Art.5(2)(ç)KVKK; and our legitimate interest in accordance with Art. 6 (1) (f) of GDPR, Art. 5 (2) (f) of KVKK.

For these purposes, we may collect the following data and data categories from you:

(1) Your contact details (i.e. name, surname, address, telephone and e-mail address and other contact information)
(2) Identification and passport information
(3) Ticket and flight booking details
(4) Information about billing and payment instruments
(5) Your product order information
(6) Information that you have communicated to us in the context of your requests and complaints about our products and services
(7) Information about your use of our website and other communication channels
(8) Your preferences for our products or services or your past choices
(9) Fit for flight status, in case of official restrictions within the scope of fight against any possible pandemics such as Covid-19

We collect this personal data directly from you or via travel agencies , tour operators and other airline business partners.

2.1.2. The Sale of Air Cairo Tickets

You have the opportunity to buy tickets for Air Cairo flights within the scope of destinations determined through our sales channels. If you buy a ticket within this context, as the flight and flight related operations will be carried out by Air Cairo, your below stated personal data you provide during ticketing will be transferred to Air Cairo which is outside the European Union and the Republic of Turkey.

Your personal data is processed within the scope of Art. 6 (1) (b) GDPR and Art. 5 (2) (c) KVKK and depending on legal reason that processing is necessary for the establishment or performance of a contract and within the scope of Art. 46 GDPR and KVKK Article 9(1) will be transferred to Air Cairo which is outside the European Union and the Republic of Turkey. There are agreements between our company and Air Cairo regarding the protection, security and transfer of personal data.

For these purposes, we may process the following data types from you:

(1) Flight date and number
(2) airline code
(3) name and surname
(4) passport number
(5) e-mail address
(6) postal address
(7) phone number
(8) payment details (e. g. bank account details, hashed credit card numbers)
(9) country of residence
(10) customer type (seat only / charter)
(11) seat reservation (if it is applicable)
(12) booked extra luggage (if it is applicable)
(13) booked meals (if it is applicable)

We collect this personal data directly from you.

2.1.3. Ancillary Products and Services

Your personal data may also be processed for making you offers related to your flight, by providing information about additional seats, additional baggage, priority for check-in, boarding and baggage delivery services, food choices and our other ancillary products and services in order to make your flight and journey more comfortable.

We hereby rely on the legal basis of fulfilling our contract with you, or prior to entering into a contract with you, per Art. 6 (1) (b) GDPR, Art. 5(2)(c) KVKK, as well as our legitimate interest Art. 6 (1) (f) GDPR, Art. 5(2)(f) KVKK.

For these purposes, we may process the following data types which have been provided by you in connection with a sale of goods and services:

(1) Your contact data (i.e. telephone number, e-mail address, name and surname)
(2) Your flight data (i.e. ticket and seat number, departure and arrival destinations, flight date and time)

We collect this personal data directly from you or via travel agencies and tour operators.

2.2. Use of our Website

2.2.1. Provision of the Website and Creation of Log Files

We collect and use technical information and information from the requesting computer for purposes related to (network) security (e.g. to be able to combat cyber-attacks) and to ensure the operability of the website.

The legal basis for the temporary storage of the data and the log files is our legitimate interest, Art. 6 (1) (f) GDPR and Art. 5(2) (f) KVKK.

For these purposes, we may process the following data types from you (“technical information”):

(1) Information on the browser type and version
(2) The user’s operating system
(3) The user’s internet service provider
(4) The user’s IP address
(5) Date and time of the access

We collect this data directly from you.

2.2.2. Use of the Services Offered on Our Website and Non-consent-Based Marketing in General

On our website, we offer various services and applications. To render these, we process personal data of the user or of our customer.

In general, SunExpress may use your personal data for the following purposes:

Based on your given consent according to Art. 5(1) KVKK:

  • Transferring your personal data abroad in compliance with KVKK in order to be able to offer you our products and services on the basis of our contractual obligations or under consideration of our legitimate interests and to fulfil our obligations arising from public and flight safety rules or airline regulations in the countries in which the travel occurs

Based on a contractual obligation according to Art. 6(1) (b) GDPR, Art. 5(2) (c) KVKK:

  • Providing you with the offers and services requested by you
  • Supporting you throughout the transactions you perform on our website via Live Chat
  • Administering the Loyalty Programme which may be carried out from time to time
  • Ensuring that members of the Loyalty Programme which may be carried out from time to time can set up and manage their accounts effectively,
  • Rewarding members of the Loyalty Programme which may be carried out from time to time with free flights, SunExpress your benefits points, and flights and extra SunExpress services which can be paid with issued SunExpress your benefits points
  • Execution of agency applications, transactions with agencies, tour operators and business partners
  • Communicating with you in order to assist and resolve your complains or claims about SunExpress services that you shared via our Customer Service Center or social media
  • As part of the SunPriority Package you will purchase, to provide priority for you for check-in, boarding and baggage delivery services on certain flights

Based on legitimate interests according to Art. 6(1) (f) GDPR, Art. 5(2) (f) KVKK:

  • Providing special flight and service offers
  • Creating, listing, reporting, verifying, analysing and evaluating databases, producing statistical information
  • Analysing how you use our website and other communication and sales channels, making your communication channels unique to you for better service, contacting you through the communication channels that you have shared directly with us or through the service providers
  • Investigating and improving our products and services and your personal choice possibilities related to these, promoting our services or related products, maintaining promotional commercial communication about new products, providing special flight offers, advantageous flight change offers and other information that you may find interesting
  • Contacting you directly or through the company from which we obtain the service after you fly with us, regarding customer satisfaction surveys to collect your valuable feedback to help us improve and optimize your future experiences. You can always choose not to receive these surveys by clicking the opt-out link in any survey email
  • The provision of flight safety and security, the protection of life or property of SunExpress, SunExpress employees, SunExpress service providers and their employees or SunExpress guests
  • The prevention of fraud, the performance of internal audits, the establishment of security as well as the management of legal and other claims
  • Supporting you throughout the transactions you perform on our website via Live Chat
  • Tracking your boarding pass sequence number via systems provided by selected Airport Operators to ensure proper flight operations in terms of flight punctuality and regularity

Based on the legal obligations according to Art. 6(1) (c) GDPR, Art. 5(2) (a), Art. 5(2) (ç) KVKK:

  • The fulfilment of legal obligations including compliance with the rules to which SunExpress is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in SunExpress

For these purposes, we may collect the following data types from you:

  1. Your name, surname, address, telephone and e-mail address and other contact information
  2. Identification and passport information
  3. Ticket and flight booking details, boarding pass sequence number
  4. Information about billing and payment instruments
  5. Your product order information
  6. Your personal interests
  7. Information that you have communicated to us in the context of your requests and complaints about our products and services
  8. Information about your use of our website and other communication channels
  9. Your preferences for our products or services or your past choices
  10. Fit for flight status, in case of official restrictions within the scope of any fight against any possible pandemic like Covid-19

The described services may also be offered through our other sales channels to you.

We may also use your e-mail address, in general, for our interest in advertising purposes if

  • we have obtained your e-mail address in connection with the sale of goods or services;
  • we use your e-mail address for direct advertising of our own similar goods or services; and
  • you have not objected to this use.

You can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates. For this, we rely on your legitimate interest in direct marketing, Art. 6 (1) (f) GDPR and Art. 5(2) (f) KVKK.

2.2.3. Marketing Activity Purposes Based on Your Consent

With your consent, we aim to improve your customer experience with us. This may happen in the following ways:

  • Sending direct-mailings, newsletters (see in more detail section 2.2.4. Newsletter), commercial messages and personalized offers of SunExpress and its business partners such as hotels or car rentals which may be carried out from time to time through the communication channels you have chosen
  • Sharing your anonymized data with our business partners and offering you exclusive and personalized offers of our business partners
  • Contacting you directly or through the company from which we obtain the service, to conduct satisfaction surveys related to your newsletter and/or loyalty program membership and market research through your chosen communication channels. The results of these surveys or research may be analyzed for statistical purposes.
  • Investigating and improving our products and services and your personal choice possibilities related to these, promoting our services or related products, maintaining promotional commercial communication about new products, providing special flight offers, advantageous flight change offers and other information that you may find interesting
  • Assigning you to specific customer segments which are fictional characters representing customer groups to provide you a better service with tailored products and individual services. To facilitate this, we may use your preferences and your past booking data (bookings such as for tickets and ancillaries as well as accompanying travelers, your location, preferred language, age, demographic data, etc.) for matching this data with our predefined customer segments in our database
  • Analysing our advertising; Analysing your website usage and responses to our messages in various communication channels such as newsletters, marketing notifications, SMS, or push notifications to design the optimum tailor-made channel mix for you in accordance with the prior informed consent you have either directly shared with us, or over our service providers including cookies, UTM-parameter-set links, and URL analysis where we analyze the medium, source, campaign, ad content, and your keyword choice, as well as relevant technical data like how you access our website. Cookies you might accept in this regard help our systems and above mentioned service providers put you into customer segments with the purpose of providing you only with campaigns and offers, which could be interesting for you

Where we process personal data for marketing purposes, including to gain a better understanding of our user’s needs, or to continually improve the website, we do so with your explicit consent, Art. 6 (1) (a) GDPR and Art. 5(1) KVKK . You can revoke your consent any time by, e.g. disabling Cookies, and in general by contacting our data protection officer as indicated above. For more information on how you may withdraw your consent, please see Section 3. Consent and Section 7. Use of Cookies and our Cookie and Tracking Tool Policy.

For these purposes, we may collect the data categories referred to in Section 2.1.1. and Section 2.1.2. and information about your online activities and technical data in relation to online marketing.

2.2.4. Newsletter

You can subscribe via our website to our newsletter, which contains regular offers and information from SunExpress, special offers for accommodation, special sales and promotions, including exclusive offers of our business partners and personalized offers (e. g. in video format).

We analyse usage behaviour using Cookies and similar technologies to optimize communication and to understand how the newsletter is received as well as to personalize our newsletter, e.g. by observing openings, clicks and retention time.

The legal basis for the processing of your personal data is your consent according to Art. 6 (1) (a) GDPR and Art. 5(1) KVKK. You can withdraw your consent at any time by clicking the“Unsubscribe“ link within each newsletter and no more newsletters will be sent to you. For more information on consent and how you may withdraw your consent in more details, please see Section 3. Consent, Section 7. Use of Cookies and our Cookie and Tracking Tool Policy.

For these purposes of our newsletter, we may collect the following categories of data from you:

  1. Your contact details (such as email address, title, name, surname, country of residence, citizenship)
  2. Your preferences (such as preferred language of newsletter, preferred departure airport)
  3. Technical data in relation to the newsletter (such as IP-address of the computer at the time of registration, date and time of registration, delivery of the email, opening of the email, time of opening and clicks, click behaviour within the email)

We collect this personal data directly from you on a voluntary basis.

We employ the Salesforce Marketing Cloud server for our newsletter management. The Salesforce servers are located in the EU. We have chosen Salesforce for their high standard and contractual obligation that all personal data will be handled in accordance with data protection regulations

2.3. Use of the App

The SunExpress App is currently available for iOS and Android systems. In connection with our App, the processing of your data may take place. Additionally, you should take the following specifics into account:

2.3.1 iOS Users of our App

You may find detailed information on how your personal data is processed at https://apps.apple.com/tr/app/sunexpress/id1524475114 and in the Apple Privacy Policy that you may reach from

https://www.apple.com/legal/privacy/en-ww/.

2.3.2 Android Users of our App

Android users of our App can find more information at:

https://policies.google.com/privacy?hl=en-US.

2.3.3 Purposes and Categories of Personal Data Processed by the SunExpress App

We process personal data from you for the following purposes:

  • App Functionality / Provision and App Security
  • Account Information / Register and log in to user account
  • Enable and administer your bookings (incl. further (ancillary) products and services), reservations and check-ins
  • Developer Communications
  • Identifying the user / User Authentication
  • For Tracking Services
  • Analytic Purposes
  • Communication and Notifications you want to receive (e. g. location based services, campaign notifications, flight notification, general notices, subscription to get flight information)
  • performance of loyalty program (e. g. SunExpress your benefits)

SunExpress is the Data Controller for any processing of personal data within the SunExpress your benefits programme. The processing of personal data is performed in accordance with the General Data Protection Regulation (Reg. EU 2016/679) (“GDPR”) and the Turkish Law on the Protection of Personal Data No. 6698 (“KVKK”).

On the SunExpress your benefits webpage, SunExpress collects your personal data for the following purposes:

  • Administering the loyalty programme,
  • Ensuring that members can set up and manage their accounts effectively,
  • Rewarding members with flights, Points, free flights and extra SunExpress services,

based on a contractual obligation according to Art. 6 (1)(b) GDPR, Art. 5 (2)(c) KVKK;

  • Usage for personalized content on sunexpress.com
  • Sending direct mailings, newsletters with personalized offers,

based on your given consent according to Art. 6 (1)(a) GDPR, Art. 5 (1) KVKK.

For these purposes, we may collect and process the following data from you:

  • Your name, surname, and contact information such as your e-mail address, phone number, and postal address,
  • Date of birth,
  • Ticket and flight booking details,
  • Loyalty number
  • Purchases of ancillaries, purchases from affiliated trademarks, and data regarding the usage of points,
  • Number of travellers,
  • Personal interests such as preferred seat, preferred meal, departure airport, travel partner, booking channel, and connection between families.

 We may need to forward such data of yours collected for the purposes mentioned above to third parties to be able to carry out the operations of the loyalty programme. These recipients can be categorized as follows:

  • Service providers,

         o Transport

         o Marketing

         o IT

         o Payment Services

         o Credit Agencies

        o Affiliate Marketing Platforms (If you purchase from the affiliated trademarks that are announced and hyperlinked on our website.)

  • Governmental authorities.

If you resign from the programme, or freeze your account and do not reactivate it within 12 months, your personal data on interests such as preferred seat, preferred meal, departure airport, travel partner, booking channel will be deleted. Other personal data will be retained for the period during which legal claims may be brought by and against SunExpress, or SunExpress is legally required to retain such data.

  • For Advertising and Marketing Purposes / Advertising and Marketing development
  • For Product Personalization / Personalization

as described in this Section 2.3.

The legal basis for the processing where the processing is essential to our services or any technically necessary operation is to fulfil our contract with you or steps prior to the contract Art. 6 (1) (b) GDPR, and Art. 5(2)(c) KVKK, as well as our legitimate interest as per Art. 6 (1) (f) GDPR and Art.5(2)(f) KVKK. Where the processing is not essential to our services to you or the technical execution, it will be based on your consent in line with Art. 6 (1) (a) GDPR and Art. 5(1) KVKK.

For these purposes, we may collect the following data categories from you:

(1) Contact (i.e. details such as name, email address, address and phone number or other contact information)
(2) IP address
(3) Search history
(4) User ID
(5) Device ID and
(6) E-mail device ID
(7) Device platform
(8) App settings
(9) Crash data and other diagnostic data
(10) Approximate location
(11) Location
(12) Nationality
(13) Birth date
(14) Gender
(15) Payment information
(16) In-App messages
(17) Usage data
(18) Product interaction
(19) Purchase history
(20) Passenger security check documents / records for boarding plane

2.3.4 Your Personal Data Processed by Our Analytical Support Tool Google Firebase

In order to optimize our service to you, our App uses Firebase SDK, a Google Product.

In general, Firebase is a development environment for developers. It contains various tools and services that the developer can use for rapid programming.

The relevant entity for access from the European Union is Google Ireland Limited, located at Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). Google utilizes the data collected to track and examine the use of the SunExpress App, to prepare reports on its activities and share them with us.

Google may also use the data collected to contextualize and personalize the ads of its own advertising network. Please note, that Google is a controller under the GDPR with its own obligations towards you. For further information on how your data is protected, you can visit the Privacy Policy available at https://policies.google.com/privacy and https://firebase.google.com/support/privacy?hl=en.

The following services of Firebase are integrated into the App:

a)Firebase Google Analytics: Google Analytics uses the data to provide analytics and attribution information to allow us to improve your user experience if you have consented to do so. The following data is collected for analytical purposes:

  1. User activity
  2. Top Countries
  3. Users by App version
  4. App releases overview
  5. App stability overview
  6. Average engagement time
  7. User retention
  8. User activity by cohort
  9. Views by page title and screen class
  10. Event count
  11. Conversions by event name
  12. Users by device model

Firebase Google Analytics collects certain events for Android and iOS (unless otherwise stated) which are triggered by your interactions with our App.

The following parameters are collected by default with every event, including our custom events:

  • language
  • page_location
  • page_referrer
  • page_title
  • screen_resolution

Our complete event list include the following:

  • user_engagement
  • screen_view
  • session_start
  • app_update
  • os_update
  • first_open
  • purchase
  • dynamic_link_app_open
  • dynamic_link_first_open
  • app_remove

A detailed explanation of the mentioned events is provided by Google: https://support.google.com/firebase/answer/9234069?hl=en

This data is retained for no longer than 14 months. Google Analytics retains certain advertising identifier associated data.

Your usage data will not be connected to your full IP address during this process. We have activated the IP anonymizing function offered by Google, which will automatically delete the last 8 digits (type IPv4) or the last 80 bits (type IPv6) of your IP address.

  1. b) Firebase Crashlytics:Firebase Crashlytics is a real time crash reporting tool by Google, which helps us to prioritize and fix most pervasive crashes based on the impact on our users. The following data is collected for App functionality purposes:
  2. Crashlytics Installation UUIDs
  3. Crash traces
  4. Breakpad minidump formatted data (NDK crashes only)

Firebase Crashlytics retains crash stack traces, extracted minidump data, and associated identifiers (including Crashlytics Installation UUIDs) for up to 90 days.

2.3.5 Salesforce Marketing SDK

With our Salesforce SDK provided by our Salesforce Marketing Cloud located in the EU and your consent we process your

  • Device number
  • Device platform
  • Device Language
  • App Settings in order to understand which kind of notifications a user wants to receive: Location based services; Campaign notification; flight notification; general notices; subscription to get flight information
  • email device id (if a user is logged in)

interacting with Firebase for analytics purposes.

  1. Consent

If you have given us your consent to process your personal data, we hereby inform you that you can withdraw this consent at any time.

  • If you have given your consent on this website or App, please visit the (web) page, on which you originally gave your consent or log in to your registered account in order to withdraw your consent in the settings.
  • If you have given your consent for the newsletter, you can withdraw it by clicking the “Unsubscribe” link directly in the newsletter.
  • If you have given consent for being contacted by phone for marketing-relevant communications, you can withdraw your consent at any time by clicking 

In all other cases or if you have any difficulties with withdrawing your consent on this website, please feel free to contact sxs.dpo@sunexpress.com.

Please note that your withdrawal of consent is only effective for the future and does not affect the legality of data processing that has taken place in the past.

  1. Our Legitimate Interests in the Processing of Personal Data

If Art. 6(1) (f) GDPR and Art. 5(2)(f) KVKK is the legal basis for the processing of data, our legitimate interests include the following points apart from the purposes listed above:

  • Protection of the company against property and non-property damages,
  • Professionalization and improvement (of our products and services),
  • Cost optimisation (control and minimisation).
  1. Other Processing Obligations

If we are required by law to do so, we may process your personal data e.g. in order to comply with retention obligations under commercial or tax law, accountability obligations or to meet requirements under security law. For further information on retention periods, please see Section “Duration of the Data Processing”, Section 10.

  1. The Obligation to Specify Personal Data

According to mandatory legal or contractual requirements, we have indicated the mandatory fields that need to be filled in on our website so that we can perform the contract or service you request.

  1. Use of Cookies

Cookies are text files that are stored in the web browser and / or by the web browser on the user’s computer system. The cookies contain a specific character sequence that enable unique identification of the browser when the website is accessed again. Cookies are stored on the user’s device such as your computer, your mobile phone or your tablet.

We use cookies and similar technologies with which we and third parties can store information on your device or access information already stored in your device (hereinafter “Cookies”), in principle only if you have consented to this. Consent is generally not required if the sole purpose of a Cookie is to carry out the transmission of communication via a public telecommunications network or is strictly necessary so that we can provide the telemedia service explicitly requested by you as a user.

You as the user have full control over the use of non-essential Cookies by specifying your preferences in the Cookie banner.

You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of the storage of Cookies or access to information in your device based on your consent before its withdrawal.

This means, if you have selected Cookies that are not strictly necessary, you can withdraw your consent at any time by revising your Cookie settings via the Cookie banner in the footer of our website (“Cookie Settings”) or in the App (“Privacy Settings”).

For further information on the Cookies we use, their purpose and legal basis, please refer to our Cookie and Tracking Tool Policy.

  1. Information Regarding Commercial Electronic Messages under the Laws of the Republic of Türkiye

Establishing Communication Concerning Our Operations

In certain circumstances, we are required to deliver certain information to our customers regarding our flights.

For instance, we may be required to establish communication with you via SMS, e-mail or telephone for the purposes of conveying booking information, confirmation regarding the purchase of your ticket or to provide payment and flight details. Additionally, customers benefiting from services provided through the Application, may also be communicated by way of in app notifications.

Please be noted that the electronic messages transmitted for the purposes stated above, or for other similar service information and excluding messages transmitted for marketing purposes shall not require the consent of the recipient as per the Article 6 of the Regulation on Commercial Communication and Commercial Electronic Messages and may be transmitted to you by SunExpress without obtaining your consent.

Establishing Communication Concerning promotion and marketing

According to the Law No. 6563 on the Regulation of Electronic Commerce, if you have given your communication consent for commercial electronic messages during booking and through any SunExpress channels, you will be deemed to have accepted to receive commercial electronic messages about the promotion of products and services offered by SunExpress and business partners, new products and services, special flight offers, information about your travel or any other information you may find interesting via your contact information you have chosen.

Following the Regulation on Commercial Communication and Commercial Electronic Messages enforced by the Republic of Turkey, it has become a legal obligation for SunExpress to register the consents/ consent withdrawals of the message recipients who are Turkish citizens or who are residents of Turkey to the Message Management System ( IYS) which is the legal basis of sending the commercial electronic messages to the recipients’ electronic communications addresses in order to market, promote own business or to increase its recognition. The personal data to be transferred to the IYS system will be limited only to your e-mail address, the date you gave your consent to receive commercial electronic messages and the source of consent (via the web).

IYS system is managed by an organization authorized by the Ministry of Trade of the Republic of Turkey. Under the provisions of the Regulation, you will always have the right to withdraw your consent that you have given to receive commercial electronic messages, by following the link in the messages that have been sent to you, as well as via the following means (web, call center, etc.) provided by the IYS system. In this way, the use of your rights as a data subject is made more effective, the possibility of querying your consent through a central platform is provided, and the consent/consent withdrawal options are diversified.

Within the scope of the information described above, we notify you that the organization that operates the  IYS system is authorized to send messages to your e-mail address regarding your consent or withdrawal of your consent. For further information about the IYS system, you can visit the website: “iys.org.tr”.

You can change your communication preferences at any time by following the links in your messages and stop the transmission of such messages through some or all communication channels.

  1. Transfer of Personal Data

9.1 Data Recipients

In order to be able to offer you our products and services (including our Website and App), to provide marketing and fulfil our legal obligations, we may need to transfer your personal data to third parties in or outside SunExpress and, under certain circumstances, also outside of Turkey and the European Union (EU) / European Economic Area (EEA).

If we are required to transfer personal data outside of SunExpress to third parties, we put in place appropriate safeguards.

Recipients can be categorised as follows:

  • Service providers
    • Transport
    • Security Service
    • Catering
    • Marketing
    • Information Technologies
    • Payment services
    • Customer Feedback Services
    • Advisory and consulting services
    • File and data carrier disposal companies
  • Governmental authorities
  • Potential and actual acquirers of SunExpress Sales partners
  • Other airlines performing part of the carriage

Under certain circumstances, we or our service providers are under the statutory obligation to provide personal data to European and international authorities.

9.2 The Rules of Transferring Personal Data outside of the Republic of Türkiye

Your personal data may only be transferred outside of the Republic of Türkiye, where

  • the transferred country found to be offering adequate protection by the Personal Data Protection Board decision
  • In the absence of an adequacy decision, in the presence of one of the appropriate safeguards specified in Law No. 6698 (standard contracts, binding company rules, or letter of undertaking)
  • In the event that one of the appropriate safeguards cannot be provided and in incidental cases, in the presence of explicit consent or in the event that it is mandatory for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject, or in the event that it is mandatory for the establishment/performance of a contract between the data controller and another natural or legal person for the benefit of the data subject, or in the event that it is mandatory to transfer personal data for the establishment, exercise or protection of a right
  • provisions in other national and international regulations regarding the transfer of personal data outside of the Republic of Türkiye exist.

9.3 International Data Transfers under the GDPR

Personal data may be transferred to third countries or international organizations. In this regard for your protection and the protection of your personal data, such data transfers are subject to appropriate safeguards pursuant to and in accordance with the statutory requirements (especially the application of EU standard contractual clauses), or an adequacy decision issued by the EU Commission (Art. 45 GDPR).

For information on EU Standard contractual clauses, refer to https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

The EU Commission provides information about its adequacy decisions under the link:

https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

You can request a copy of the applied security measures from sxs.dpo@sunexpress.com.

  1. Duration of the Data Processing

In general, your personal data will be erased as soon as they are no longer needed for the mentioned purposes. Personal data may be retained for the period during which legal claims may be brought against SunExpress (the limitation period). The review of the time periods required for this is carried out through careful consideration, in the course of which we closely examine the necessity of the data processing. Additionally, the personal data will be stored insofar as and for as long as SunExpress is required to do so. The obligations of documentation and retention arise mainly from laws, such as the local commercial, tax and anti-money laundering laws.

If we process your personal data on the basis of your consent, we will usually retain it until you withdraw your consent. Otherwise, we only retain your personal data to the extent necessary to fulfil our contractual and legal obligations or to preserve evidence within the scope of the statutory limitation provisions.

  • g. the Turkish Tax Procedure Law requires applicable taxpayers to retain tax books and related records for five years after the ensuing calendar year (Article 253).
  • In accordance with Article 146 of the Turkish Code of Obligations, we may retain your personal data for 10 years, which is the statutory limitation period
  • g. in Germany, the most important statutory retention obligations result from Sec. 257 of the German Commercial Code (HGB) and Sec. 147 of the German Fiscal Code (AO) and are six and ten years respectively

After expiration of the applicable retention periods, we will securely delete, anonymize or destroy your personal data.

  1. Your Rights as the data subject under the KVKK

Under the KVKK  on the Protection of Personal Data, you have the rights listed below:

(a) Learn whether or not your personal data has been processed
(b) Request information as to the processing if your personal data has been processed
(c) Learn the purpose of processing your personal data and whether such data is used in accordance with this purpose
(d) Know the third parties in the country or abroad to whom your personal data has been transferred
(e) Request rectification in case your personal data is processed incompletely or inaccurately
(f) Request deletion or anonymization of your personal data provided that the purposes for processing your personal data have disappeared
(g) Request notification of the transactions mentioned in points (d) and (e) to the third parties to whom your personal data has been transferred
(h) Object to any result against you that has emerged from the analysis of your personal data exclusively through automated systems
(i) Claim damages if you have suffered any damages due to the unlawful processing of your personal data.

You may send your requests regarding your rights above by applying in writing to our postal address: Yenigöl Mah. Nergiz Sok. No: 84 07230 Muratpaşa/Antalya/Turkey or sending an e-mail to sxs.dpo@sunexpress.com from the e-mail address which is previously notified by you and registered in the SunExpress system.

According to KVKK, the information which is mandatory to be included in the application are;

(a) Name, surname and if the application is made in writing, the signature
(b) Turkish I.D number or nationality along with passport number or foreign identity number, if any
(c) Residential or work address for notification
(d) E-mail address, telephone and fax number for notification, if any
(e) The subject of the request

Your application will be finalized as soon as possible (according to the nature of the request) and at the latest in 30 days.

If your application is not answered at all or in time or the response is found insufficient, you may file a complaint with the Personal Data Protection Board (Art. 14 and 15 KVKK).

Kişisel Verileri Koruma Kurulu
Address : Nasuh Akar Mah. Ziyabey Cad. 1407 Sok. No: 4 06520 Çankaya/Ankara, Türkiye
Telephone : +90 312 216 5000
Website : http://www.kvkk.gov.tr

12.Further Information for data subjects under the GDPR

This section applies for data subjects who use our products and services, website or App under the scope of this Privacy Policy and where the GDPR is applicable.

12.1. Right to Object according to Art. 21 GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Art. 6 (1) GDPR, including profiling based on those provisions.

We will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of you as the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

12.2. Withdrawal of Consent

Where the processing is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

12.3. Existence of Automated Decision-Making and Profiling

We do not use automated decision-making in the sense of Art. 22 GDPR.

Profiling’ in the sense of Art. 4 (4) GDPR means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to you, in particular to analyse or predict aspects – also across different websites and devices –  concerning personal preferences, interests or behaviour and, if necessary, to create profiles about a person. Profiling may occur via marketing activities. Such marketing activities are carried out exclusively on the basis of your explicit consent pursuant to Art. 6 (1) (a) GDPR. Such activities can lead to marketing user profile lists which may result in a determination of characteristics and interests– also in order to assign the user to target groups – for a more user specific advertising. Profiling may result in difficulties to determine who is processing data, to what extent and economic impacts as conclusions can be drawn about user specific personal preferences, interests and behaviour.

12.4. Your Rights as the Data Subject

Under GDPR you have the rights below, subject to certain limitations under the GDPR:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to the restriction of processing
  • Right to data portability
  • Right to object as above (see Section 12.1.)

To exercise your rights, you can write an e-mail to sxs.dpo@sunexpress.com. Please note that we may be required to verify your identity in order to be able to process your request relating to any personal data we may hold.

Furthermore, you may file a complaint with any data protection authority of your choice.

The competent EU data protection supervisory authority responsible for us is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden
Phone: +49 611 1408 – 0
E-mail: poststelle@datenschutz.hessen.de

  1. Disclaimer and Limits of this Privacy Notice

This Privacy Notice merely applies to the website of https://www.sunexpress.com and the SunExpress App. Other websites are not covered by this Privacy Notice and may have their own privacy notices.

  1. Partners’ Overview
Partner Legal Name Product URLs Privacy Policy Contact
Flixbus FlixMobility GmbH Bus tickets for transfers between major German cities link link link
Loungepass Priority Pass Limited Access to a number of airport lounges link link link
ParkAero Flughafen Parken GmbH Parking spaces at airport terminals link link link
Rentalcarsconnect (booking.com) Booking.com Transport Ltd Rental Cars link link link
REWE REWE-Markt GmbH Home delivery of groceries link link link
CAT City Air Terminal Betriebsges.m.b.H Tickets for the City airport train in Vienna link link link
Atmosfair atmosfair GmbH Possibility to compensate C02 link link link
ParkVia ParkVia Ltd. Parking Lots at varios destinations (mostly offsite with a shuttle to the airport) link link link

Previous customers of the SunExpress Deutschland GmbH i.L. have the possibility to address their questions related to data protection to: SXD.DPO@Sunexpress.com

This text was revised on 25/03/2024.