General Data Protection Regulation Compliance Process Is Expected to Be Completed
According to the Presidential Annual Program, efforts to align the Personal Data Protection Law ("KVKK") with the General Data Protection Regulation ("GDPR") are expected to be finalized in 2026. The harmonization with the GDPR will directly affect both public institutions and the private sector. For public institutions, the harmonization will reinforce the principles of transparency and accountability in data processing activities. Government agencies will be required to adopt more structured documentation and justification mechanisms for data processing operations. For private sector companies, the upcoming alignment will introduce stricter supervision in areas such as user consent, data retention policies, and data breach notification procedures.
In addition, AI-based data processing technologies will be aligned with the EU Artificial Intelligence Act, which is planned to enter into force in the same period. It was also stated that new regulations will be introduced to strengthen national cybersecurity, in line with the EU Network and Information Security Directive. Secondary legislation will also be developed in the field of cybersecurity, taking international frameworks into account.
Furthermore, it was announced that a legal framework for the sharing of public data will be established, and a national open data portal will be launched to promote data transparency and accessibility. The alignment with the EU Artificial Intelligence Act aims to ensure that machine learning and automated decision-making technologies operate within a lawful, transparent, and accountable framework. Together, these measures aim to enable Turkey's digital data ecosystem to meet international security standards and to further strengthen institutional data protection practices.
Change in the Private Health Insurance Regulation Aligns Sector Practices with the KVKK
With the amendment published in the Official Gazette No. 33035 dated 20 October 2025, the Private Health Insurance Regulation ("Regulation") has been substantially revised to ensure closer alignment with the KVKK and to clarify how personal data of insured individuals must be processed and safeguarded by insurance institutions and healthcare providers.
Under the revised framework, all personal data processing activities within the insurance ecosystem must comply with the principles and obligations set forth under the KVKK, including lawfulness, purpose limitation, data minimization, accuracy, and storage limitation.
In both individual and group insurance contracts, the insured's records and health information are now required to be kept on a data subject basis, meaning each insured person's file must be individually identifiable and traceable. Such data may be retained for no longer than ten (10) years after the termination of the insurance coverage, following which the data controller must delete, destroy, or anonymize the data ex officio in line with the KVKK and secondary legislation on data retention and destruction.
Health data—which constitutes a special category of personal data under the KVKK—may only be accessed and processed by authorized personnel and exclusively for the limited purposes of (i) risk assessment, (ii) claims calculation, and (iii) determining renewal guarantees. This restriction reinforces the principle of purpose limitation and aims to reduce unnecessary or excessive access to health records by insurance personnel or third parties.
Pursuant to Article 4 of the Regulation, additional changes have been made concerning data collection and data sharing mechanisms. Under the amended Article 5, insurance companies are now explicitly authorized to obtain information and request documents directly from (i) healthcare providers treating the insured, (ii) the Insurance Information and Monitoring Center ("Center"), and (iii) relevant public institutions and organizations, provided that such processing is carried out within the boundaries of the applicable legislation and the KVKK's legal bases.
The revised Article further provides that insurance companies should establish private health insurance contracts based on the information lawfully obtained from these entities rather than through direct reliance on explicit consent. This approach indicates a shift toward legal-obligation and contract-performance grounds as lawful bases under the KVKK, aligning sectoral practice with the general data protection framework.
In addition, insurers may pose written questions regarding the insured's health history or other relevant matters necessary for underwriting or claims purposes. The policyholder, the insured, and any authorized representative are required to provide accurate and complete answers, ensuring data accuracy and integrity.
Finally, all natural and legal persons who have access to the insured's confidential data—such as authorized representatives, officers, and employees of insurance institutions—remain bound by strict confidentiality obligations under both the Insurance Law and the KVKK. These obligations emphasize the continuing duty to maintain the confidentiality and security of health data throughout its lifecycle, including storage, sharing, and destruction stages.
BTK Has Published a Draft Regulation on DNS Misuse
The Information and Communication Technologies Authority ("BTK") has published a draft regulation aimed at preventing the misuse of the domain name system ("DNS") and strengthening cybersecurity. Under the "Draft Regulation Amending the Internet Domain Names Regulation", the collection of users' data through fraudulent websites, the distribution of malware, DNS-based traffic redirection, and the use of unsolicited emails to spread harmful content shall be deemed misuse of the DNS.
The Data Protection Authority Draws Attention to Cybersecurity Awareness
October is observed worldwide as Cybersecurity Awareness Month. In this context, the Data Protection Authority ("DPA") emphasized the importance of cyber awareness for ensuring personal data protection and information security, reminding individuals and organisations of their responsibilities in safeguarding data. The DPA highlighted basic cybersecurity measures such as using strong passwords and multi-factor authentication (MFA), being cautious of suspicious e-mails, ensuring that devices have antivirus protection, paying attention to documents visible on screens in crowded places, and taking care in the storage of data.