Special Legal Protection for Insurance Data

Recent developments 

The Regulation on the Collection, Maintenance and Disclosure of Insurance Data (the “Regulation”) was published in Official Gazette No. 31987 dated 18 October 2022 and entered into force upon publication. The Regulation sets out the procedures and principles regarding collecting insurance data from related institutions and organizations, as well as maintaining, processing and disclosing insurance data. You may access the Regulation here (in Turkish).

What does the Regulation say?

The Regulation mainly covers the following areas:

  • The concept of insurance data and a general database: The Regulation defines insurance data as all data relating to the insurers and insurance companies party to the insurance contract, the insured, beneficiaries and other third parties who directly or indirectly benefit from the insurance contract, and all data that is essential for risk assessment, including insurance malpractices. The Regulation stipulates that such data must be collected by the Insurance Information and Surveillance Center (the “Center”) from private legal entities, public institutions and organizations, professional organizations with public institution status and their supervisory institutions, and other information centers established by the relevant legislation. The collected data will be kept in the general database. Relevant institutions and organizations are obliged to transfer the data to the general database upon the request of the Center.
  • Obligations of member organizations: Insurance, reinsurance and pension companies are defined as the member institutions. Member institutions, with which the Center shares data in line with the limited access authorization granted to them, are obliged to (i) become a member of the Center and keep the general database up to date, (ii) put in place the policies with the reference number received from the Center, (iii) transfer production data to the Center simultaneously, (iv) create a file with the reference number received from the Center for all notifications received, (v) report damage data to the Center within the specified period, and (vi) provide the Center with complete information and documents related to the damage from the notification to the finalization of the payment.
  • Arbitration system data: The Insurance and Private Pension Regulatory and Supervisory Authority (the “Authority”) determines the procedures and principles regarding the disclosure of insurance data with the arbitration system and the recording of arbitration data in the general database.
  • Disclosure of insurance data:
    • The Center shares insurance data with member institutions within the framework of Article 31/B of the Insurance Law No. 5684.
    • Disclosure of data with institutions, organizations and data centers other than member institutions is carried out through relevant platforms or communication tools such as text messages and call centers as per the protocols executed by the Center with the approval of the Authority.
    • The Center may disclose the data in a way not to be associated with an identified or identifiable natural person.
    • Unless otherwise regulated in other legislation, the insurance malpractices data kept in the general database cannot be disclosed to persons other than member organizations, eligible organizations defined in the Regulation and other organizations determined by the Authority.
    • Insurance experts can access the relevant data during their assignment to a damage file until the final expertise report is saved in the Center’s systems, with exceptions specified in the Regulation.
    • The limitations on authorized users accessing the general database are determined by the Center based on the approval of the Authority. The Center may limit, remove (for persisting violations) or immediately suspend (in urgent and important situations) the access authorizations of authorized users who violate the access rules.
    • It is possible to disclose policy and damage data related to insurance contracts with other relevant persons, provided that the purpose of use is notified and necessary authentication is carried out or the ownership right is ensured.
  • Use of insurance data: Insurance data is used for purposes such as contributing to public surveillance, supervision and economic security in the insurance sector and planning the financing of health services, monitoring insurance practices, ensuring unity of practice in insurance branches, monitoring compulsory insurance, contributing to the prevention of insurance malpractices, conducting studies to increase insurance coverage rates, ensuring the production of reliable statistics on the insurance sector and calculating the insurance score. The Regulation also specifies the data usage purposes of the Center.
  • Activities of the Center:
    • The Center calculates the insurance score. The procedures and principles for the calculation are determined by the Authority.
    • The Center is responsible for developing scoring methods for measurement of data maturity of the data provided by member institutions; preparing the reports specified in the Regulation to be submitted to the Authority or upon the request of member institutions, eligible institutions and authorized users; reporting of unlawful practices specified in reports to the Authority; conducting studies to inform the relevant subjects and testing the implementation of the technical infrastructure. The Center is also responsible for remedying systemic errors or malfunctions in the data systems and ensuring the security of the recorded data.
  • Liability and obligation to provide information:
    • Member organizations, eligible organizations and authorized users are obliged to provide all information requested by the Center in an accurate, complete, consistent and timely manner and create the infrastructure required for data transfer. If any damage occurs due to the failure to fulfill the obligations or the disclosure of data to third parties, the Center may the compensation paid to the relevant parties.
    • In cases where the explicit consent or approval of the data subject is sought, the member organization, eligible organization and authorized user or other institutions and organizations that are the addressee of the data subject are responsible for obtaining explicit consent or approval and fulfilling the notice requirement. Explicit consent or approval is not sought in transactions regarding data belonging to persons and organizations that are parties to insurance malpractices.
    • If a member institution fails to fulfill the obligation to provide information, the financial structure of the company is deemed to be weakened in a way that jeopardizes the rights and interests of the insured in accordance with Article 11/1(i) of the Regulation on the Financial Structure of Insurance, Reinsurance and Pension Companies.
    • All employees of institutions and organizations involved in data disclosure are under a confidentiality obligation.
  • Requests for insurance data:
    • Data subjects’ requests for information on their own data recorded in the general database, excluding data on insurance malpractices, must be responded to by the Center within 15 days.
    • Upon the application of a data subject who claims that their data in the general database is incomplete or inaccurate, the Center will forward the request to the relevant member organization within 10 days, and the relevant member organization will notify the Center of whether it accepts the request and will correct the data, or rejects the request with justifications.
  • Protection of personal data: Personal data processing activities within the scope of the Regulation must comply with Law No. 6698 on Protection of Personal Data and its procedures and principles.
  • Transition schedule: The Center will publish a transition calendar for both branches and member organizations, in a way that addresses obligations regarding production data and damage data. The transition calendar may be extended for a maximum of one year if deemed necessary.

Conclusion

The Regulation addresses insurance data processing in detail; determines the obligations of member institutions, eligible institutions and other authorized users; and regulates the activities of the Center and its relationship with the Authority. Accordingly, the procedures and principles determined by the Center and the Authority should be taken into account in the collection, maintenance and disclosure of insurance data.