PRIVACY POLICY
WHO ARE WE AND HOW YOU CAN CONTACT US
Contact details of the Data Controller: BBN Hava Yolları ve Taşımacılık Anonim Şirketi (BBN Airlines), registration number: 348620-5, address: Sultan Selim Mah. Hümeyra Sok. Pasha Plaza Blok No:2 İç Kapı No:5 Kağıthane/Istanbul, Türkiye (hereinafter “We”, “Ours”, “Company”) process the personal data of its’ customers, potential customer, employees, candidates to employees, suppliers, partners etc. (hereinafter – you, your) personal data in accordance with the provisions of the legal acts regulating the legal protection of personal data and applying the highest technical and legal standards of protection and taking all necessary measures to prevent possible breaches of personal data protection. This Privacy Policy (hereinafter referred to as the “Privacy Policy“) sets out the basic rules for the collection, processing and storage of your personal data and other information related to you, the scope, purposes, sources, recipients of your personal data and your rights as a personal data subject and other important aspects of your use of the Company’s services. This information is important, so we hope you will read it carefully.
As used in this Privacy Policy, the term “personal data” (the “Personal Data”) means any information about you relating to you as a natural person, a data subject whose identity is known or can be directly or indirectly identified through the use of certain data (e.g. name, surname, personal identification number, address, telephone number, etc.).
In processing the personal data, we responsibly comply with the Law on Protection of Personal Data No. 6698 (the “Law”), applicable regulations and communiques, the decisions of the Personal Data Protection (the “KVKK”) Board of Türkiye and other directly applicable legal acts regulating the protection of personal data, as well as instructions from competent authorities.
In the event that you provide us with personal information other than your own (for example, identifying another person as a beneficiary), please inform them of this Privacy Policy and its contents.
If the user of the services is a legal entity, this Privacy Policy applies to natural persons whose personal data is transferred to us by a legal entity. The user must duly comply with Article 10 of the Law to inform data subjects (managers, beneficiaries, representatives, etc.) about the transfer of their personal data to the Company.
If you have any questions regarding this Privacy Policy or requests regarding the processing of your personal data, please contact us by email [email protected].
By visiting the Company’s websites and / or using the information contained therein and / or our services, you acknowledge and confirm that you have read and understood this Privacy Policy.
TO WHOM THE PRIVACY POLICY APPLIES
This Privacy Policy applies to our website https://bbnairlines.aero/ (regardless of which device you are using) and any service provided by the Company or other activities of the Company where personal data is being process.
This Privacy Policy does not apply to links to other entities websites provided on our websites; therefore, we recommend that you read the personal data processing rules applied on such websites.
WHAT PRINCIPLES DO WE COMPLY TO?
When processing your personal data, we:
- comply with current and applicable legislation, including the Law;
- we will process your personal data in a lawful, fair and transparent manner;
- we will collect your personal data for specified, clearly defined and legitimate purposes and will not continue to process it in a way incompatible with those purposes, except to the extent permitted by law;
- take all reasonable steps to ensure that personal data which are inaccurate or incomplete, having regard to the purposes for which they are processed, are rectified, supplemented, suspended or destroyed without delay;
- we will keep them in such a form that your identity can be established for no longer than is necessary for the purposes for which the personal data are processed;
- we will not disclose personal data to third parties except as provided in the Privacy Policy or applicable law;
- ensure that your personal data is processed in such a way as to ensure the appropriate security of personal data through appropriate technical or organizational measures, including protection against unauthorized or unlawful processing of personal data and against unintentional loss, destruction or damage. Contact details is [email protected].
WHAT PERSONAL DATA, FOR WHAT PURPOSE AND BASIS DO WE PROCESS
| The purpose of the processing of personal data. Why we process personal data? | The categories of processed personal data. What kind of categories of personal data we process? | On what legal basis do we process personal data? | The period of processing |
| Administration of our website | When you visit our website, data about your browsing is collected using cookies. We use necessary/technical cookies to ensure the proper functioning of the Website and/or other third-party cookies to improve your browsing experience (i.e., to consider your needs, to improve the website continuously and to make offers that suit your interests). | Data using cookies and similar technologies related to Internet browsing, etc., are collected (processed) in accordance with the Guidance on Cookie Practices published by KVKK Authority and, where applicable, KVKK Board Decision 2022/229 (March 10, 2022) and in accordance with Article 6 Part 1. a) of the GDPR. i.e., with your consent (except for strictly necessary cookies). |
You can find more information about cookies and their storage terms on our website |
| Responding to your general enquiries or requests for information | Our website or other public business channels provide communication channels, where you can contact us to consult us on issues that concern you. We will accept, review, and respond to all your messages. If you contact us by e-mail, regular mail, or phone, we may process the following personal data of yours: name, surname, e-mail, postal address, and the text of the correspondence and/or attached documents. This data will be processed for the administration of your enquiry. Please note that we may need to contact you to respond to your enquiry, so be sure to provide accurate contact information. | All personal data you provide when communicating with us is used only for the purposes of reviewing and responding to messages, administering (managing) communication flows and providing you with a response. We will process the said personal data in accordance with Article 5(2)(f) of the Law, based on our legitimate interest in responding to your inquiries and providing necessary support when you contact us by e-mail, mail, or phone. | Communication with you will be handled until the enquiry is fully processed and stored for one year from the date of the last communication with you, unless there is another legitimate purpose for storing it longer (e.g., a business contract with you has been concluded and communication material can be considered as proof of negotiation). |
| Drawing up and executing contracts for the purchase and sale of services | We may process your name, surname, contact information, position in the company you represent, signature, and other information required for negotiations, contract conclusion, and contract performance. | We will process in accordance with Article 5/2(c) of the Law, to conclude and perform a contract to which you are a party, as well as Article 5/2(ç) of the Law, to comply with our legal obligations (e.g., retention of contracts and accounting records in accordance with tax and commercial laws), and Article 5/2(f) of the Law, based on our legitimate interests, such as establishing, exercising, or defending legal claims, provided that your fundamental rights and freedoms are not harmed. | Contracts and accounting documents (in physical and electronic form) are kept for 10 years from the date of full performance of the contract. |
| Onboarding and due diligence procedure for counterparties | Depending on whether a counterparty is a natural person or a legal entity, and if the latter, depending on your status in the company, we may process the following personal data:
Name, surname, date of birth, nationality, occupation, valid ID/passport number, data on whether the client is a politically exposed person, residential and registered address details, phone number, e-mail address, bank information (account number), relationship with the third party (if the third party will make payment), source of funds/wealth (if payment will be made in cash), signature, role/position in the company, occupation, information about reputation from public sources. We also process personal data collected within provided copies of documents: Identity Card or Passport; Official documents of authorities verifying the identity and the place of residence; Documentation proving the source of funds/wealth; Articles of Association authorizing the representative of a legal entity; Certificate of Incorporation or its equivalent; Certificate of Directors or copy of CEO (or other principal management body) appointment document. |
Personal data for onboarding and due diligence is processed in accordance with:
– Article 5(2)(ç) of the Law – to fulfill our legal obligations, including compliance with national and/or international sanctions regulations. – Article 5(2)(f) of the Law – based on our legitimate interests, in order to meet the requirements related to the prevention of money laundering and terrorist financing, anti-corruption, anti-bribery, and anti-fraud, and to maintain our legitimacy, reliability, and reputation before our counterparties and competent authorities. – Article 5(2)(f) of the Law – based on our legitimate interest to protect our business interests and defend or enforce legal claims (If you get involved in a dispute with us or we need to otherwise defend, enforce, exercise, and uphold our rights or legitimate interests, we collect, use and store the data that is necessary for the specific case). |
We will process your personal data collected during the onboarding and due diligence process for 5 years after the completion of onboarding and due diligence, unless longer storage of personal data and related documents will be required by applicable laws, legal regulations, or institutional/state authorities, or will be necessary for the defense in the judicial process.
For more details of personal data processing for onboarding and due diligence please check the Onboarding and Due Diligence Privacy Notice |
| Selection of candidates for employees (recruiting) | Considering the requirements of the position applied we may collect, assess, and store the following personal data about you: name, surname, age or date of birth, your e-mail address, phone number, address of the place of residence, information on language proficiency, computer skills, information about expected salary, educational background, profession, working experience and projects you have been involved with, attended courses, training sessions, seminars, development of qualification, licenses held, accumulated hours on A/C and other information regarding flights (for pilots and cabin crew), social media accounts, pictures and other information that you may wish to provide in your CV, motivation letter, interviews, also our remarks and assessment of your suitability to perform the duties of a particular position. | We will process the said personal data in accordance with:
– Article 5(1) of the Law, i.e., with your consent to have a common and coordinated policy on the selection of personnel and human resources management. Article 5(1) of the Law, i.e., with your consent to the further sharing of your data within all Avia Solutions Group companies, or you provide your candidacy information for future opportunities. |
We use a global web-based application provided by Avia Solutions Group with servers located abroad to collect job applications. To ensure the protection of the personal data in the context of cross-border transfers, we implement the Standard Contractual Clauses issued by the Turkish Personal Data Protection Board and submit the required filings to the Turkish Personal Data Protection Authority.
We will process your personal information for the recruiting process from the time you submit your application until the selection process is complete. When you are unsuccessful in your application for a concrete position and you consent to further sharing your data within all Avia Solutions Group companies, or you provide your candidacy information for future opportunities, your personal data will be stored for 2 years from the end of the selection process for the position you applied for or from receiving the data. For more details of personal data processing for the selection of candidates, please check the Privacy notice (https://careers.aviasg.com/en/candidate-privacy-policy ). |
| Video surveillance (for the safety of individuals and property) | Image and other objects relating to personal data | Video recording and storing is processed in accordance with Article 5(2)(f) of the Law, i.e., our legitimate interest to protect the safety of property and individuals and to have evidential material for incident or fraud investigation. | Video records are stored for up to 30 days. |
| Providing news, promotions, newsletters, information about products and invitations to events (direct marketing) | When we obtain your explicit consent, we will use your e-mail address and/or telephone number for direct marketing.
When you are our customer and have not objected to direct marketing of similar services or products, we will process your e-mail address. |
Personal Data for direct marketing is processed in accordance with Article 5(1) of the Law, i.e., with your consent or Article 5(2)(f) of the Law, i.e., our legitimate interest to offer you similar goods/services to ones you have purchased from us and to get your feedback about purchased goods/services. | Your data will be used for direct marketing purposes for 3 years after your consent is obtained or until you withdraw your consent. We consider you to be our customer: 3 years after your order or purchase of our product or service. |
Please be additionally advised that if you do not provide personal data, the provision of which to the Company is necessary to ensure compliance with the requirements of legal acts and / or the conclusion and / or performance of the contract, we will not be able to provide you with services or conclude another transaction.
We also particularly note that when your contact details are processed for direct marketing, you may at any time refuse our newsletters or other promotional messages by clicking on a link in our outgoing newsletters and/or messages or by writing to [email protected].
Please know that “Legitimate interest” means our interest to enhance our services, products, to manage the processes of businesses and activities. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.
Be informed as well that we will retain your personal data for as long as necessary to achieve and fulfil the purposes following the terms set out in this Privacy Policy, unless longer storage of personal data and related documents is required by applicable laws and regulations or is required for the defense of the Company’s legitimate interests in judicial, other public institutions, etc. We ensure and take all necessary measures to avoid storing outdated or unnecessary personal data about you.
HOW DO WE PROTECT YOUR DATA?
We responsibly implement appropriate organizational and technical personal data security measures intended for the protection of personal data against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The security measures we implement include the protection of personnel, information, IT infrastructure, internal and public networks as well as office buildings and technical equipment.
In the event of a personal data breach of security that could seriously jeopardize your rights or freedoms and determine the circumstances under which unauthorized access to personal data has been obtained, we will immediately inform you about it.
TO WHOM IS YOUR DATA ARE DISCLOSED
We may share some of your personal data with the following categories of third parties:
- any Avia Solutions Group company (listed at https://aviasg.com/en/the-group/general-contacts) for the purposes set out in this Privacy Policy (for example, for the purposes of performance of contracts and the management of relationships with customers, onboarding and due diligence of the counterparty, whistleblowing policy, recruitment);
- representatives acting on our behalf with respect to the promotion of our services in particular territories;
- companies providing data centers, hosting, cloud, site administration and related services, software developers, providing, maintaining and developing companies, companies providing information technology infrastructure services, companies providing communication services;
- credit and debit card companies used to facilitate payment transactions related to the provision of our services, banks and other credit and/or payment companies;
- our professional advisors, auditors, lawyers and/or financial advisers;
- our other service providers (data processors) or our subcontractors (for example, recruiters, lectors, etc.).
- notaries, if the contract concluded with you requires a notarial form;
- judicial officers, entities providing legal s and/or debt recoveries services, subrogator of claim right;
- companies providing advertising and marketing services;
- companies providing archiving, physical and / or electronic security, asset management and/or other business services;
- in accordance with the laws to state institutions, establishments, etc.;
- law enforcement authorities at their request or on our own initiative if there is a suspicion that a criminal offense has been committed, as well as courts and other dispute resolution bodies; tax administrators
- in the event of a company restructuring, transfer / acquisition and / or business transfer / acquisition, to a third party acquiring the business and processing personal data for the same purposes as specified in this Privacy Policy and/or doing the due diligence by our and/or their legal and/or financial advisors, etc.
DATA TRANSFER OUTSIDE THE REPUBLIC OF TÜRKIYE
As a general rule, your personal data will be processed within the borders of the Republic of Türkiye. However, in certain cases, your personal data may be transferred to countries outside Türkiye.
Please note that in countries outside Türkiye, the level of personal data protection may differ from that provided under Turkish law. We carefully evaluate the conditions under which such data will be processed and stored after being transferred abroad.
If the Personal Data Protection Board of Türkiye has issued an adequacy decision regarding a country or an international organization, your personal data may be transferred to that country or organization in accordance with the same level of protection provided within Türkiye.
In cases where there is no adequacy decision, we take all necessary measures to ensure the secure transfer of your personal data, including signing a Standard Contractual Clause (SCC) approved by the Personal Data Protection Board of Türkiye. In certain cases, we may ask for your explicit consent before transferring your data outside Türkiye.
DO WE APPLY AUTOMATED DECISION-MAKING OR PROFILING?
As a rule, we do not use fully automated decision-making processes, including profiling, that produce legal effects or significantly affect the individual, within the meaning of the Law on Protection of Personal Data No. 6698, when initiating or executing contractual relationships. Should we apply such procedures in specific cases, we will inform you separately, in accordance with our legal obligations.
RIGHTS GUARANTEED TO YOU
We guarantee the implementation of these rights and the provision of any related information at your request or in case of your query:
- know (be informed) about the processing of your personal data;
- to get access to your personal data which are processed by the Data Controller;
- request correction or addition, adjustment of your inaccurate, incomplete personal data;
- require the destruction of personal data when they are no longer necessary for the purposes for which they were collected;
- request the destruction of personal data if they are processed illegally or when you withdraw your consent to the processing of personal data or do not give such consent, when is necessary;
- disagree with the processing of personal data or withdraw the previously agreed consent;
- request to provide, if technically possible, the provision of your personal data in an easily readable format according to your consent or for the purpose of performing the contract, or request the transfer of data to another data controller.
In order to exercise your rights, please send us the request by email [email protected].
Upon receipt of your request, we may ask you to provide proof of your identity or other identifying information to ensure that we are exercising your rights as a data subject and to prevent unauthorised disclosure of personal data or information to others who are not entitled to it. If we are unable to identify you, we will not be able to exercise your rights as a data subject.
We provide information about the processing of your personal data free of charge. If your request is unfounded, repetitive or disproportionate, we may charge a fee commensurate with our administrative costs.
Upon receipt of your request, we will respond to you within 30 calendar days of receipt of your claim and the due date for submission of all documents necessary to prepare the answer.
If we think we need to, we will stop processing your personal data, except for storage, until your application is resolved. If you have legally waived your consent, we will immediately terminate the processing of your personal data and within no more than 30 calendar days, except in the cases provided for in this Privacy Policy and in the cases provided for by law when further processing of your personal data is binding on us by the legislation in force, the legal obligations we are facing, court judgements or binding instructions from the authorities. The response will be provided in the same way as your request was received.
By refusing to comply with your requirement, we will clearly indicate the grounds for such refusal.
If you disagree with our actions or the response to your request regarding your personal data, you may file a complaint with the Personal Data Protection Authority (KVKK). You can find more information on the KVKK website: www.kvkk.gov.tr. In all cases, we recommend that you contact us before making a formal complaint so that we can find the right solution.
WHAT HAPPENS IF OUR BUSINESS CHANGES HANDS?
We may, from time to time, expand or reduce the scope of our business operations, which may involve the sale and/or transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part, and the new owner or newly controlling party will, under the terms of this notice, be permitted to use that data only for the same purposes for which it was originally collected by us.
LINKS TO OTHER WEBSITES
Our website may contain links to other websites, which we do not operate. We have no control over how your data is collected, stored, or used by other websites, and we advise you to check their privacy policies before providing any data to them.
SOCIAL NETWORKS
When you visit social networks, your personal data is processed by a specific social network, and we start processing your personal data when you visit BBN Airlines on social networks. Through various social media channels, we want to introduce you to our wide range of services/products and exchange ideas and opinions with you on important topics.
Your personal data provided on the social network is processed for the following purposes:
- communicate with our social network visitors;
- respond to visitor inquiries;
- obtaining statistical information;
- conducting customer surveys, marketing campaigns, market analysis, lotteries, competitions or similar actions or events;
- if necessary, defending the legitimate interests of the Company in institutions and in other cases.
Unless explicitly stated otherwise, the legal basis for data processing is our legitimate interest in accordance with Article 5(2)(f) of the Law on Protection of Personal Data No. 6698. Our legitimate interests are to be able to answer your messages or questions and analyze our availability on social networks, to present our products and services. To the extent that you wish to enter into a contractual relationship with us with your request, the legal basis for such processing is Article 5(2)(c) of the Law.
If we intend to process your personal data for any other purpose not mentioned above, we will notify you prior to such processing.
Our pages on social networks are managed by specific social networks, so when you visit them, the processing of personal data is based on the social network’s privacy policies. With some social networks, depending on the social network policy, the purposes and scope of the processing, we are considered as joint data controllers.
Currently, we use these social networks:
FB: https://www.facebook.com/bbnairlinesturkiye/
Linkedin: https://tr.linkedin.com/company/bbn-airlines-turkiye
Instagram: https://www.instagram.com/bbnairlinesturkiye/
Youtube https://www.youtube.com/@BBNAirlinesTurkiye/featured
Twitter https://x.com/BbnTurkiye
| Name of the social network and its Privacy Policy | Personal Data we process | Personal Data we process as joint data controllers |
| Facebook
You can read their privacy policy by clicking here: https://www.facebook.com/policy.php |
Your Facebook username, when you comment, react to the publication, share posts, write us messages, your activities on our site, e.g. your page views, duration statistics, query, comment information, and more. | We use statistical information (visits to our website, range of contributions, visits and average video transmission times, information about the countries and cities from which our visitors come, age range, gender). We receive anonymous statistics from Facebook through their service. The data controllers’ agreement can be found here: https://www.facebook.com/legal/terms/page_controller_addendum |
| Instagram
You can read their privacy policy by clicking here: https://help.instagram.com/519522125107875/?helpref=uf_share |
Your Instagram username, when you comment, react to the publication, share posts, share content in the stories section, write us messages, your activities on our site, e.g. your page views, duration statistics, query, comment information, and more. | We use statistical information (visits to our website, range of contributions, visits and average video transmission times, information about the countries and cities from which our visitors come, age range, gender). We receive anonymous statistics from Instagram through their service. The data controllers’ agreement can be found here: https://help.instagram.com/494561080557017/?helpref=hc_fnav |
| LinkedIn
You can read their privacy policy by clicking here: https://www.linkedin.com/legal/privacy-policy |
Your LinkedIn username, when you comment, react to the publication, share posts, write us messages, your location indicated on the personal account, your activities on our site, e.g. your page views, duration statistics, query, comment information, and more. | We use statistical information (visits to our website, range of contributions, visits and average video transmission times, information about the countries and cities from which our visitors come, age range, gender). We receive anonymous statistics from LinkedIn through their service. The data controllers’ agreement can be found here: https://www.linkedin.com/legal/l/dpa |
| Twitter
You can read their privacy policy by clicking here: https://twitter.com/en/privacy |
Your Twitter username, when you tweet, retweet (share) the tweet, quote, mention, write us messages, your activities on our site, e.g. your page views, duration statistics, query, comment information, and more. | We use statistical information (visits to our website, range of contributions, visits and average video transmission times, information about the countries and cities from which our visitors come, age range, gender). We receive anonymous statistics from Twitter through their service. The data controllers’ agreement can be found here: https://gdpr.twitter.com/en/controller-to-controller-transfers.html |
| YouTube
You can read their privacy policy by clicking here: https://www.youtube.com/howyoutubeworks/our-commitments/protecting-user-data/
|
Your YouTube username, when you comment and interact with content. | If you are logged in with YouTube, you agree to YouTube’s terms of use, privacy and cookie policies and to YouTube’s processing of your personal data, over which we have no control. If you are not registered with YouTube, YouTube may still perform statistical analysis of your personal data when you access our YouTube channel and provide us with anonymized statistics on this.
We use statistical information. Processed data types: – Inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers); – Content data (videos, etc.); – Usage data (e.g. websites visited, interest in content, access times, video views, video likes, comments, purchases, etc.), meta/communication data (e.g. device information, IP addresses). Video Statistics: – Number of subscribers and changes – Watch time data (duration, stoppage time, retention rate) – Demographics (gender distribution, age, places of origin, use of devices, etc.) We receive anonymous statistics from YouTube through their service. The data controllers’ agreement can be found here: https://business.safety.google/controllerterms/ |
CHANGES TO OUR PRIVACY POLICY
We reserve the right to change this Privacy Policy unilaterally from time to time (for example, if the law changes). Any changes will be immediately posted on our websites. We recommend that you check this page regularly to keep up to date.
This Privacy Policy applies from the date it is posted on the Websites. Last review of the Privacy Policy: 16.10.2025.
