A photo of an insurance policy

“Regulation on Collection, Storage and Sharing of Insurance Data” (“Regulation”) which is prepared by the Insurance and Private Pension Regulation and Supervision Authority (“Authority”) within the scope of the Insurance Law No. 5684 (“Law”) was published in the Official Gazette on October 18, 2022 and entered into force in the same day. The Regulation determines the scope, form, procedures, and principles regarding the processing, sharing, and transfer of insurance data

  • Insurance Data

The Regulation basically defines insurance data and regulates the principles regarding the processing and sharing of insurance data.

According to the Regulation, insurance data is all data that is the basis for risk assessment, including data on insurance contracts, the insured party to the insurance contract and insurance companies, the insured, beneficiaries and other third parties who directly or indirectly benefit from the insurance contract, and incorrect insurance practices.

Within the framework of the above definition, we would like to point out that most of the insurance data will fall under the definition of personal data defined in the Personal Data Protection Law No. 6698, however, some data (i.e., data related to the insurance company) cannot be defined as personal data.

  • Collection of Insurance Data

It is regulated that insurance companies and related public institutions and organizations will transfer insurance data to the database (“Database”) to be created by the Insurance Information and Monitoring Center (“Center”) within the framework of the Regulation and that the said institutions and organizations are obliged to keep this information up to date.

  • Sharing of Insurance Data

The Regulation also regulates the general principles regarding the sharing of insurance data. Accordingly, insurance data may be shared based on the protocols signed between the Center and the insurance, reinsurance, and pension companies (“Member Organizations”), and the Authority’s approval, depending on the shared party, with whom the Center shares data. According to the Regulation, data sharing within the scope of these protocols will be possible through related platforms or communication channels such as short messages, mobile applications, and call centers.

According to Regulation, limited access to the data in the Database recognized the authority of the Member Organizations and the Special Organizations’ officials, insurance agents, insurance and reinsurance brokers, insurance experts and other persons and organizations (“Authorized Users”) may access, and content fields will be determined by the Center in line with the approval of the Authority. It will be at the discretion of the Center to limit or remove the access authorization of the Authorized Users who violate the access rules.

Regarding the sharing of data with third parties, the Regulation also regulates that the Center will make available to other interested persons those deemed appropriate by the Authority from the policy or damage data related to insurance contracts, provided that the necessary identity verification is provided, or the right ownership is proven.

  • Using Insurance Data

The Regulation also regulates the purposes for which insurance data will be used. Accordingly, insurance data may be used for the following purposes;

  • Contributing to public oversight, control, and economic security in the insurance sector and to the planning of health services financing,
  • To follow the insurance practices, to ensure the unity of practice in insurance branches,
  • To follow up the compulsory insurances,
  • Contributing to the prevention of wrong insurance practices,
  • Work through increasing insurance rates,
  • To ensure the production of reliable statistics on the insurance sector,
  • Calculating the insurance score

However, the principles regarding the data usage of the Center are also determined in the Regulation. In this context, it is regulated by the Center that insurance data will be used to obtain data on motor vehicle operators and drivers and to match them with the general Database and to share them with public institutions and organizations within the scope of the relevant legislation.

  • Responsibility of the Center and Member Organizations

Within the scope of the Regulation, the responsibility of the Center and Member Organizations and the obligation to provide information are regulated. According to this;

  • The Center is responsible for creating a secure infrastructure for data sharing.
  • In case of any damage caused by sharing the transferred data with third parties, the Center may recourse to the relevant parties.
  • In cases where the explicit consent or approval of the data subject is sought for the data contained and shared in the general Database, the interlocutor Member Organizations, the Association of Insurance, Reinsurance and Pension Companies of Turkey and its subsidiaries, after obtaining the explicit consent or consent of the data owner and fulfilling the obligation of disclosure, Surveillance Center, Catastrophe Insurance Union, Agricultural Insurance Union, institutions and organizations operating in the insurance and private pension fields (“Special Organization”), Authorized User and other institutions and organizations that are the addressee of the data subject are responsible.
  • The explicit consent or approval of the data owner is not sought in the recording of the data belonging to the persons and organizations party to the wrong insurance practices in the general Database and sharing these data with the institutions and organizations within the framework of the relevant legislation.
  • All institutions and organizations involved in data sharing and their employees cannot use the information and documents related to the insurance data they hold within the scope of their duties in any way, either during their duties or after their duties, and cannot make them available to third parties.
  • Information Requests and Data Subject Rights in Insurance Data

Data subjects will be able to request information from the Center regarding their own data, which are excluded from incorrect insurance practices and contained in the Database. Regarding these information requests, the Center is obliged to respond to the requests received by it within 15 (fifteen) days, with reserving the right to a one-time extension of 15 (fifteen) days. Accordingly, the Center is obliged to respond to requests for insurance data received by it within 30 (thirty) days from the date of the request at the latest, including the one-time extension period.

The Regulation also regulates that data subjects who think that the data in the Database are incomplete or incorrect can apply to the Center for the change of the data. Accordingly, the data owner’s applications about changing the data in the Database; is reviewed by the Center and decides to forward the requests to the relevant Member Organizations within a definite period of 10 (ten) days. The Member Organizations to which the application is submitted examines this request within a definite period of 10 (ten) days and conveys its decision regarding the acceptance or rejection of the request to the Center. On the other hand, the Center, informs the data subject about the application within 10 (ten) days from the date of the Member Organizations’ decision or the expiry of the 10 (ten) day definite period.

Finally, it is regulated that in the personal data processing activities carried out within the scope of the Regulation, it is obligatory to comply with the procedures and principles set forth in the Personal Data Protection Law No. 6698 and the legislation enacted based on it.

Authors: Burak Özdağıstanli, Ebru Gümüş