The Regulation on Private Health Insurance ("Regulation") has been amended by the Regulation on the Amendment of the Regulation on Private Health Insurance, published in the Official Gazette dated 20 October 2025 and numbered 33053.
The Regulation has been aligned with the Personal Data Protection Law No. 6098 ("Law") through these amendments. The amendments will enter into force on 1 January 2026.
The key changes regarding the protection of personal data under the Regulation are as follows:
- It is explicitly stated that personal data processing activities within the scope of the Regulation must comply with the Law.
- In both individual and group contracts, the insured's records and health data are kept on an individual basis.
- The insurance records and health information retained by the Insurance Information and Monitoring Center ("Center") may be stored for 10 years following the termination of the insurance coverage. Once this period expires, the Center will automatically delete, destroy, or anonymize the personal data. Although the period was clearly introduced for the Center, it seems likely that insurance companies will also adopt this period as their retention period.
- Before the amendment, the Regulation stipulated that the insured person's health information could be communicated to the Center with their consent; the amendment repeals this explicit provision regarding consent.
- Data concerning the insured's health status and medical history may be processed only by authorized persons, through the Center, and solely for purposes such as (i) risk assessment, (ii) compensation calculation, and (iii) determining renewal guarantee conditions.
- All natural and legal persons who have access to confidential information regarding the insured and who are subject to confidentiality obligations under the Insurance Law (for example, managers, officers, and employees of insurance institutions) are required to maintain the confidentiality of such information. It is also explicitly stated that the confidentiality obligation continues even after the termination of their duties.
Insurance companies and their employees bear significant responsibility for ensuring that the personal data of insured persons are processed in accordance with the law. Therefore, it is of great importance that data processing activities are carried out in compliance with the Law and the Regulation, that the necessary technical and administrative measures are implemented, and that employees are regularly informed and trained on these obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.