Protection of Personal Data and Privacy Policy
In this Privacy Policy, the terms “we,” “us,” “our,” and “data supervisor” refer to the Republic of Türkiye and/or the Republic of Türkiye, The Ministry of Culture and Tourism, Türkiye Tourism Promotion and Development Agency (TGA).
All online visitors and users of GoTürkiye websites*, mobile applications, and social media pages are subject to this Privacy Policy.
In order to promote Turkish culture and tourism, we undertake our legal duties under the ”GoTürkiye” brand.
The Scope and Purpose of the Privacy Policy
This Privacy Policy describes the following:
– Methods of collecting personal data and legal justification,
– Categorization of data owners,
– The personal data category (data categories) and sample data types generated in regard to these groups of people
– Processes and objectives for processing personal data,
– Technical and administrative protections put in place to protect personal data,
– Personal data sharing,
– Retention periods for personal data,
– Marketing and research data,
– Data owners’ rights,
– Cookies and cookie management
Methods of Collecting Personal Data and Legal Grounds
We process personal data on the basis of legal grounds stated below:
– If there is the express consent of the data subject,
- In case of having explicit consent from you,
- If the provisions of the Republic of Türkiye’s laws and regulations necessitate processing (Law on the Türkiye Tourism Promotion and Development Agency, Turkish Code of Obligations, Mercantile Law, Tax Procedure Law, etc.)
- If it is required for the fulfilment of the contract, we have signed with you or your organization,
- • In the event that we need to process your personal data to comply with our legal responsibilities,
- • In case your personal data has been publicized by you,
- In the event that it is required for the usage or protection of our legal or contractual rights as a company,
- If the processing of your personal data is required for our legitimate purposes and does not jeopardize your basic rights and freedoms.
Türkiye Tourism Promotion and Development Agency gathers personal data for these legal purposes via Türkiye Tourism Promotion and Development Agency’s websites, mobile websites, social media accounts, and cookies.
Categorization of Data Subject
Türkiye Tourism Promotion and Development Agency categorises the data subject groupings whose personal data is processed and their actions connected to these procedures in personal data processing processes as follows:
– Online visitors who have recently visited Türkiye Tourism Promotion and Development Agency’s website and mobile website;
– Users who have opened an account on Türkiye Tourism Promotion and Development Agency’s website and mobile website.
Personal Data Collected and Processed by Türkiye Tourism Promotion and Development Agency
Online visitors: In accordance with Law No. 5651 (“Internet Law”), Türkiye Tourism Promotion and Development Agency collects and processes IP addresses, port information, the start and end time of the service provided, the kind of service, the quantity of data transferred, and, if applicable, subscriber identifying information.
Users: Account information (name, surname, email address, location (country), preferences for direct marketing, alternative login option with Facebook or Google (email address).
Processes and Purposes of Personal Data Processing
Türkiye Tourism Promotion and Development Agency processes web visitors’ personal data in compliance with The Internet Law. Website owners are obligated to gather and store the above-mentioned information in order to counteract illicit internet content. We may use your name and e-mail address to provide you with the required information on your visit to Türkiye if you register as a user on Türkiye Tourism Promotion and Development Agency’s website and plan a trip to Türkiye. Türkiye Tourism Promotion and Development Agency may send you e-mails, either directly or indirectly, for corporate satisfaction research, survey studies, promotion, celebration, for making a wish, getting approval, and other related reasons if you click the join/accept button on the web page or mobile web page for direct marketing and commercial electronic advancements (visitor or user).
Personal information gathered by GoTürkiye may include your name, contact information, and your thoughts and opinions regarding GoTürkiye services. When you use this website, information about your visit is recorded, which allows us to enhance the website, products, and services, as well as for web customization, research, statistical and reporting purposes.
Information that is provided by you
You may be requested to give us information each time you contact us. For example:
In order to utilize a certain product or service or to acquire definite information, some of our goods or services may need you to set up an account (your name, address, email address, date of birth, location, contact information, valid device IDs related to the devices you use to access and retrieve certain applications and services, interests and account and marketing preferences).
We may save some information about your communication, including your identity, the service(s) you have requested, and the purpose for contacting us if you communicate with us by written communication: our website(s), e-mail, or social media channels. We may monitor and enhance the answer to every user request based on the advice we provide you and ourselves.
We may ask for information such as your business card, name, contact information, interests, and marketing preferences when you visit us at a public event such as a trade fair or exhibition, or when you participate in one of our surveys, contests, or prize draws.
We may receive content you choose to submit, such as product reviews, comments, images, or details of your preferences that you choose in order to notify us when you use our services or our other platforms.
Information We Gather from Social Networks
We may obtain information about your social network accounts if you use any of our social networking pages or applications or if you utilize a service that permits interaction with social networks.
We may obtain basic information from your social network profile, such as your first name, last name, email address, and so forth, depending on the privacy settings of your social network account if you use your social network account to log in to one of our websites, sites, or services. We may get data regarding interactions with content posted to your profile or feed.
Please review the privacy policy and other instructions accessible on your social network’s website for further information and specifics on how you can control access to your social network profile.
Information we collect when you use websites, products, services and applications of our own
Some of our websites and services gather information about your usage in order to provide and develop a better user experience, such as:
– Information about your usage patterns, content you view and engage with, and the services and applications you use on the device, in order to customize your services to your particular needs.
– Technical information regarding your usage of our service, product, or website, such as your IP address (to detect your location/country of origin), device ID(s).
– The interests and preferences you specify when installing or registering a product or service.
- How the personal information that you provide to us or we obtain is used?
We may use the information for the purposes mentioned below:
– To construct and administer its users’ product and service buyer databases, which contains basic account information you provide to us, applicable device IDs, relevant product or service usage information, and product and service buyer preference information.
– So as to be able to merge many databases into a single database or connect them to different databases in order to better manage your accounts.
– To conduct surveys and get to know your opinions on our products and services.
– To process and make your searches and information requests facilitated when you contact us regarding our websites and services.
– To conduct competitions and other promotional offers across all platforms, contact winners, and present prizes to winners.
If you have given your consent or we are permitted to do so under applicable law, we might use your information to provide you with product and service updates, newsletters, and other communications about current and/or new products and services via mail, email, telephone, in-device messaging, and/or short message (SMS).
– We may use the information we gather or you provide us to personalize our services, content, recommendations, and advertisements.
– We may use your information to construct user group profiles or segment data, as well as to compile anonymous, consolidated statistics about how our websites, mobile applications, goods, and services are used, which we may share with third parties or make publicly accessible.
– We may use your information to enhance our goods, services, and processes, as well as to improve recommendations, adverts, and other communications, as well as to learn more about the preferences of product and service consumers in general.
– When you provide public product reviews, reviews, or other content to our websites or services, we may link to or display these materials elsewhere, including them in our own adverts.
– We may connect or combine information we acquire from different channels whenever you contact us in order to deliver more efficient product and service support and to provide you with better, personalized services, content, marketing, and advertising.
Technical and Administrative Measures put in place to ensure the security of personal data
Technical Measures
To protect the personal information we collect, we utilize widely recognized standard technologies and operational security measures, including the standard technology known as Secure Socket Layer (SSL). However, owing to the nature of the internet, unauthorized users can access information over networks without taking the appropriate security precautions. Depending on the current level of technology, the cost of technological implementation, and the nature of the data to be protected, we take technical and administrative steps to protect your data against risks such as destruction, loss, tampering, unauthorized disclosure or access. We make data security agreements with the service providers we engage in this regard.
- Assuring Cyber Security: We utilize cyber security products to protect personal information, but our technological safeguards are not merely limited to this. Measures like firewalls and gateways provide the initial line of security against threats from settings like the Internet. Almost all software and hardware, on the other hand, goes through a series of installation and setup procedures. Because certain regularly used software, particularly older versions, may have documented security flaws, unused software and services are deleted from devices. As a result, rather than keeping them up to date, such unwanted software and services are selected solely because of their simplicity of uninstallation. Patch management and software updates guarantee that the software and hardware are up to date and that the security mechanisms are sufficient for frequent checks.
- Access Restrictions: Access to systems that hold personal data is limited and evaluated on a regular basis. Employees are given access privileges to the degree that they are required for their occupations, tasks, authority, and responsibilities, and access to the appropriate systems is granted via a user name and password. Instead of numbers or letter sequences that may be easily guessed concerning personal information, upper- and lower-case letters, numerals, and symbol combinations are preferable when constructing passwords. As a result, a matrix for access permission and control is established.
- Enciphering: In addition to using strong passwords, it protects against common attacks such as the use of brute-force algorithms (BFA), limits the number of login attempts, and ensures that passwords and are changed on a regular basis, and administrator records and privileges special to administrators are merely opened for use when asked, and access is instantly restricted, for instance, deleting an account or closing logins for employers who have been removed from the data controller.
- Antivirus Software: To defend against malicious software, antivirus and antispam programs are used to scan the information system network and detect threats, and the essential files are checked on a regular basis. Connections are made with SSL or more securely if personal data is to be gathered from several websites and/or mobile application channels.
- Monitoring Personal Data Security: It identifies which software and services are operating in information networks, assesses whether or not there is infiltration of IT networks, maintains all users’ transactions on a regular basis (such as log records), and notifies security problems as promptly as possible. Employees can also report security flaws in systems and services, as well as threats that exploit such flaws, using a formal reporting method. In unfavourable occurrences such as a system crash, malware, a denial-of-service attack, incomplete or inaccurate data entry, breaches of confidentiality and integrity, and information system misuse, evidence is securely collected and saved.
- Ensuring the Security of Personal Data Medium: If personal data is kept on the responsible persons’ devices or media, physical security measures are implemented to protect against dangers such as theft or loss of these devices and documents. Physical environments holding personal data are secured from external threats (fire, flood, etc.) using suitable means, and access/exit to these settings is restricted.
- If personal data is stored in electronic form, access between network components may be limited or cut off to prevent a compromise of personal data security. For instance, if personal data is processed by restricting it to a specific section of the network that is in use in this area and is protected for this purpose, the available resources may be allocated for the security of this restricted area rather than the entire network.
- The same measures are applied for paper media, electronic media and equipment carrying corporate personal data placed outside the company campus. While most breaches of personal data security occur as a result of the theft or loss of equipment carrying personal data (laptop, mobile phone, USB disk, etc.), personal data supplied by e-mail or post are also delivered with care and necessary measures. Proper security measures are also implemented on the occasion that workers use personal electronic devices to access the information system network.
- Access control authorisation and/or encryption methods are employed in the event of the loss or theft of equipment storing personal data. In this case, the password key is kept in a secure location that only authorized people may access, preventing unauthorized access.
- Personal data-containing paper documents are solely kept in a protected and inaccessible setting, and unauthorized access to them is therefore avoided.
- In the event that personal data is unlawfully accessed by others, the company will promptly inform the Personal Data Protection Board and contact person, as required by Article 12 of The Law on the Protection of Personal Data. Should the Personal Data Protection Committee deem necessary, they may make an announcement on their website or through other means.
- Storage of Personal Data in the Cloud: When storing personal data in the cloud, the Company must determine if the cloud storage service provider’s security procedures are effective and sufficient. Two-step authentication control is applied to know, back up, synchronize and remotely access personal data stored in the cloud. Personal data is encrypted with cryptographic methods, encrypted and delivered to cloud environments, and when feasible, separate encryption keys are used for each cloud solution purchased for personal data during storage and usage in the aforementioned systems. All copies of encryption keys that may be used to make personal data available are erased when the cloud service connection terminates. Access to data storage locations containing personal data is recorded, and any unauthorized access or attempts are immediately reported to the proper authorities. Individual encryption keys are utilized for personal data wherever feasible, notably for each cloud solution obtained.
- Procurement, development, and maintenance of information technology systems: When assessing the company’s demands for new system supply, development, or upgrade, security considerations are taken into account.
- Backing-up Personal Data: In the event that personal data is lost or corrupted for whatever reason, the Institution restores operations as quickly as possible using the backed-up data, as long as the procedures established to maintain business continuity are followed. Only the system administrator has access to backed-up personal data, and dataset backups are maintained in the network.
Administrative Measures
- All of our company’s operations were thoroughly examined in all business divisions, and a process-based personal data processing inventory was produced as a consequence of these investigations. The inventory’s hazardous areas are identified, and the required legal and technological precautions are implemented on a constant basis. (For example, the documentation required by the Personal Data Protection Authority were created by taking into account the hazards identified in this inventory.)
- Information security systems, technological systems, and legal techniques are used to audit personal data processing operations carried out by our company. Personal data security policies and procedures are established, and frequent checks are conducted within this framework.
- To suit our information technology demands, our company may use external service providers periodically. We guarantee that these non-data processing service providers will at the very least comply with our Company’s security procedures. In this situation, a formal contract is signed with the data processor that includes at least the points given below:
- The Data Processor only operates in line with the data controller’s instructions, the contract’s purpose and scope of data processing, The Protection of Personal Data, and other legislation.
- The Data Processor adopts the Personal Data Protection and Disposal Policy.
- The Data Processor is required to maintain all types of data concerning the processed personal data secret for an indefinite period of time.
- In the case of a data breach, the Data Processor is required to notify the Data Controller promptly.
- Our company can do or have performed the necessary audits on the Data Processor’s systems holding personal data, as well as on-site examinations of the reports and the service provider.
- Our company will use the appropriate technological and administrative precautions to protect personal data, and
- The categories and types of personal data provided to the Data Processor are also described in a separate article as long as the structure of the connection between the Data Processor and us is adequate.
- Personal data is reduced as much as possible within the framework of the data minimization principle, as emphasized in the company’s directives and publications. Personal data that is not necessary, outdated, or serves no purpose is not collected and, if it was collected during the previous period of the Personal Data Protection Law, it is erased in full compliance with the Personal Data Storage and Disposal Policy.
- In technological concerns, specialized specialists are employed.
- Our company has included confidentiality and data security measures in the Employment Contracts that our workers must sign throughout the recruitment process, and we have urged that they be followed. Employees are informed and instructed on the legislation governing the protection of personal data on a regular basis, and they take the required steps to comply with it. Employees’ roles and duties were examined, and job descriptions were changed.
- The technical measures implemented are reported to the authorized person on a regular basis, and risk factors are assessed and appropriate technology solutions are attempted to be generated.
- For storage spaces, security systems are utilized, and the technical measures taken are reported to the appropriate person regularly as a consequence of internal controls. Risk concerns are re-evaluated, and necessary technology solutions are developed. Supplier firms keep files/printouts stored in the physical environment and, thereafter, delete them according to established processes.
- Senior management has also agreed to protect personal data, and a special committee (Personal Data Protection Committee) has been constituted and work has commenced. Within the organization, a management policy governing the working norms of the Protection of Personal Data Committee has been established, and the Protection of Personal Data Committee’s responsibilities have been thoroughly defined.
- Employees are given personal data security training and awareness activities.
- Data security roles, responsibilities, and job descriptions have been established to ensure that workers and contractors are aware of and perform their information security duties.
- Employees who do not follow the security policy, key concepts, and processes face disciplinary action.
- Personal Data Sharing
Generally, unless necessary or allowed by law, we do not share or disclose information about you to third parties without your consent.
We may use other third-party service providers, such as service providers, consultants, marketing agencies, professional consultants, ministries, or business partners with whom we have an official relationship with GoTürkiye, to process the information on our behalf, store and archive data at home and/or abroad, and provide information technology support (server, hosting, software, cloud computing, etc.).
Only the processing of data in compliance with this policy is required of our service providers.
We may share your information with one of our business partners if you request or agree to receive information or newsletters from them; therefore, they can contact you and/or respond to your request.
We may use and/or disclose your information for the following reasons:
(i) Can be shared with government entities and law enforcement agencies to prevent fraud, to comply with relevant laws, rules, and court orders, and to respond to legitimate legal information demands from these institutions. Based on the Internet Law, the Türkiye Tourism Promotion and Development Agency may disclose traffic statistics with the police department and Information and Communication Technologies Authority.
(ii) In order to implement or protect the terms and conditions of any of our websites, products, or services, or to enforce our legal rights against third parties (including professional advisers).
(iii) In conjunction with a corporate event such as a restructure, merger, commercial acquisition, or bankruptcy, it may be shared with a third-party buyer or seller, as well as their and our professional advisers.
- iv) Regarding the commercial electronic message approval, it is shared with the commercial electronic message service provider in order to promote and advertise the commercial electronic message, as well as to offer benefits and opportunities based on travel preferences.
Anonymous Statistics
For a variety of reasons, we prepare anonymized data. Because this information cannot be used to identify you, it may be shared with our partners, marketers, the media, and the general public.
- Direct Marketing Communications
When you give us your contact information, you may be given the option of receiving numerous newsletters and other messages from us.
You can change your marketing communication preferences at any time.
In case of contacting us using more than one e-mail address, you will need to unsubscribe from each one separately.
Please be aware that we may send you essential information about the products and services we use or used by you, such as significant software updates, adjustments to applicable terms and conditions, and/or other communications or notices that may be required to fulfil our legal obligations under the regulations.
- Cookies and Cookie Management
Türkiye Tourism Promotion and Development Agency has a thorough Cookie Policy and offers you highly efficient cookie management for the cookies we use. For further information, please check our Cookie Policy.
- Links to Third Party Websites
Some of our websites may have links to other non-affiliated third-party websites. These third-party websites’ content, security, and privacy practices are not within our control. Please read the privacy and cookie policies for these third-party websites before proceeding.
Retention Periods for Personal Data
Türkiye Tourism Promotion and Development Agency has got a Personal Data Retention Policy in compliance with Data Loss Prevention standards (DLP). We keep personal data for the following periods:
– In accordance with Internet Law, we preserve online visitor traffic data for two years.
– We retain users’ login information until they close their accounts.
– In line with the Commercial Communications and Commercial Electronic Communications Regulation, we maintain acceptance, opt-out, and other records of commercial electronic messages for one year.
– Please check our Cookie Policy for information on the retention periods of personal data processed by cookies.
Profiling
We may use your information to develop user group profiles or segment data, as well as anonymous, aggregated statistics on how our websites, products, and services are used, which we may share with third parties and/or make public. Instead of exchanging personal information with our suppliers directly, we establish a user group profile using nicknames. We do not do microtargeting.
Data Owners’ Rights
(Subject to limits, and subject to relevant law’s terms and restrictions) You have the following rights:
– Inquiring about the personal information that the Türkiye Tourism Promotion and Development Agency processes about you. This right entitles you to learn if Türkiye Tourism Promotion and Development Agency contains personal data about you and, if so, to request a copy of such data.
To request the correction of your personal data. This allows you that if your personal data is incorrect or incomplete, you have the right to have it corrected.
– To object to the processing of your personal data.
– The right to request that your personal data be erased, including if such data is no longer required to fulfil the purposes.
– Request the restriction of the processing of your personal data.
– The right to request personal data portability: you have the option of requesting a copy of the personal data you provide to Türkiye Tourism Promotion and Development Agency in a structured, commonly used, and machine-readable format, or the right to request that Türkiye Tourism Promotion and Development Agency forward such personal data to another data controller.
– To know the third parties to whom personal data is transferred in the country or abroad.
– Objecting to the appearance of a conclusion that is against the individual by examining solely the data processed by automated methods, including profiling.
– To claim compensation for losses incurred as a result of the wrongful processing of personal data.
You have the right to withdraw your permission to the processing of your personal data if it is based on your consent.
If you believe your data privacy rights have been violated despite Türkiye Tourism Promotion and Development Agency’s efforts to protect your personal data, Türkiye Tourism Promotion and Development Agency encourages data subjects to first contact Türkiye Tourism Promotion and Development Agency to resolve any complaints. Data owners have the right to file a complaint with the relevant Türkiye Tourism Promotion and Development Agency at any time.
If you would like to get in touch with us about your requests,
In case of a written request:
You can hand deliver a wet-signed copy of the “Personal Data Protection Law Application Form” from our website (https://tga.gov.tr/) together with a document proving your identity. Alternatively, you can demonstrate that you are allowed to apply for the rights indicated in Article 11 and submit the application by proxy with a notarized power of attorney. You can also use a notary public to send it to the given address: “Esentepe Mahallesi Büyükdere Cad. No:127 Astoria AVM B Blok Kat:4 34394 Şişli – İstanbul”
In case of an electronic request:
You can sign the Personal Data Protection Form Application Form with an electronic or mobile signature and send it to our Company’s Registered Electronic Mail (KEP) address using a “secure electronic signature” certificate provided in the Electronic Signature Law No. 5070. Alternatively, you may e-mail it to dataprivacy@tga.gov.tr using the e-mail address you previously provided to our company and recorded in our databases.
Depending on your request, our institution will respond to you in a written version or an electronic version as soon as feasible, but no later than thirty days.
Accessibility for everyone
Türkiye Tourism Promotion and Development Agency is working to remove visible barriers for impaired people. The World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG) 2.1 are used on the Türkiye Tourism Promotion and Development Agency’s website to assist this goal.
*TGA Websites: goturkiye.com, goistanbulturkiye.com, gomesopotamiaturkiye.com, gomarmaraturkiye.com, goblackseaturkiye.com, goaegeanturkiye.com, gomediterraneanturkiye.com, goeasternturkiye.com, gocentralturkiye.com, gosoutheasternturkiye.com, gokonyaturkiye.com, trabzonturkiye.com, goantalyaturkiye.com, gocappadociaturkiye.com, gobodrumturkiye.com, gomarmaristurkiye.com, gogocekturkiye.com, goerzurumturkiye.com, gobalikesirturkiye.com, goedirneturkiye.com, gobursaturkiye.com, gokarsturkiye.com, gosiirtturkiye.com, goalacatiturkiye.com, gobitlisturkiye.com, gobilecikturkiye.com, gonevsehirturkiye.com, gotekirdagturkiye.com, gohatayturkiye.com, goorduturkiye.com, gogiresunturkiye.com, goadanaturkiye.com, gosamsunturkiye.com, gousakturkiye.com, gotokatturkiye.com, gosakaryaturkiye.com, gokocaeliturkiye.com, gosinopturkiye.com, godenizliturkiye.com, gokirklareliturkiye.com, gocankiriturkiye.com, gokastamonuturkiye.com, gomanisaturkiye.com, gokarabukturkiye.com, goyalovaturkiye.com, gogaziantepturkiye.com, gokirikkaleturkiye.com, gosanliurfaturkiye.com, gomardinturkiye.com, goafyonturkiye.com, gorizeturkiye.com, gocanakkaleturkiye.com, goartvinturkiye.com, goeskisehirturkiye.com, gomuglaturkiye.com, goosmaniyeturkiye.com, gokutahyaturkiye.com, gosivasturkiye.com, gokayseriturkiye.com, gopataraturkiye.com, gobartinturkiye.com, godatcaturkiye.com, gomersinturkiye.com, goaydinturkiye.com, gokirsehirturkiye.com, safetourismturkiye.com, sportsturkiye.com, adventureturkiye.com, footballturkiye.com, cultureturkiye.com, artturkiye.com, healthwellnessturkiye.com, gocampingturkiye.com, goweddingsturkiye.com, gogolfturkiye.com, gogastroturkiye.com, religiousturkiye.com, gobluevoyageturkiye.com, gocruisingturkiye.com, gocyclingturkiye.com, goskiingturkiye.com, godivingturkiye.com, slowcity.goturkiye.com, learning.goturkiye.com, shopping.goturkiye.com, fashion.goturkiye.com, ecolife.goturkiye.com, fourseasons.goturkiye.com, meetings.goturkiye.com, gobeachandfun.goturkiye.com, gomountains.goturkiye.com, goplateaus.goturkiye.com, gowaterfalls.goturkiye.com, golakes.goturkiye.com, gorivers.goturkiye.com, gocanyons.goturkiye.com, gocaves.goturkiye.com, goislands.goturkiye.com, nationalparks.goturkiye.com, branding.goturkiye.com, gokayseriturey.com, gohandcraftsturkiye.com, goelazigturkiye.com, gogumushaneturkiye.com, gofestivalsturkiye.com, gounescoturkiye.com, gohealthturkiye.com gowellnessturkiye.com
We reserve the right to modify this privacy policy at any time and for any reason. Any modifications will be reflected in the “Last Updated” date of this Privacy Policy. We will also utilize the pop-up no notify you of relevant changes.