ARTICLE
9 July 2026

Turkish DPA’s Principle Decision On Personal Data Of Accident Victims: Key Implications For The Insurance Sector

KST LAW

Contributor

KST LAW is an independent Istanbul based full service corporate law firm in cooperation with Kinstellar.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is proud to have an exceptional client base consisting some of the largest Turkish conglomerates, sector leaders in Turkey, multi-nationals, investment or private equity funds and financial institutions.

The Turkish Personal Data Protection Authority has issued a principle decision addressing unlawful access to personal data of accident victims, particularly in road traffic cases. This decision establishes critical data security obligations for insurance companies, adjusters, and claims handlers, emphasizing the need for robust technical and organizational measures to prevent unauthorized access and disclosure of sensitive information processed during post-accident claims handling.
Turkey Privacy
KST LAW are most popular:
  • within Government, Public Sector and Strategy topic(s)
  • in Turkey

July 2026 – In its Principle Decision published in the Official Gazette on 1 July 2026, the Turkish Personal Data Protection Authority (“Turkish DPA”) addresses the unlawful access to and the use of personal data relating to accident victims, particularly those involved in road traffic accidents.

Although the Decision was prompted by complaints regarding compensation consultancy firms, its implications extend beyond those entities. In its Decision, the Turkish DPA reiterates the data security obligations of insurance companies, insurance adjusters, and other stakeholders involved in claims handling.

Background

The Turkish DPA notes that it has received numerous complaints from individuals who were contacted by telephone immediately after being involved in road traffic accidents. In many cases, callers claimed to represent lawyers or compensation consultancy firms, offered assistance in pursuing compensation claims, and appeared to possess detailed information about accidents that had not yet become publicly available. According to the Turkish DPA, these circumstances give rise to serious concerns regarding unlawful access to personal data processed during post-accident claims handling.

Key Takeaways from the Decision

  • The Turkish DPA emphasises that personal data processed following road traffic accidents may be processed for purposes required by insurance activities, such as the assessment of compensation claim files, liability investigations, expert assessments, medical treatment processes, vehicle repairs, and the administration of compensation claims.
  • The Turkish DPA also states that any unauthorised access to, or disclosure of such personal data may trigger legal consequences, including administrative sanctions under Turkish DP Law, criminal liability under the Turkish Penal Code for the unlawful obtaining or dissemination of personal data, and where necessary, criminal complaints filed with the Public Prosecutor’s Office.
  • The Turkish DPA also reiterates that data controllers must implement and maintain adequate technical and organisational measures to ensure the security of personal data, including:
    • preventing unauthorised access and unlawful processing;
    • implementing adequate technical and organisational measures;
    • restricting access authorisations;
    • continuously monitoring data security.
  • The Turkish DPA also specifically addresses insurance adjusters, emphasising that they may process personal data only to the extent necessary for the performance of duties expressly arising under the applicable legislation.

Practical Implications for Insurance Companies

The Decision demonstrates that the Turkish DPA is focusing not only on the initial collection of personal data processing but also on how such data is accessed, shared, and protected throughout the insurance claims ecosystem. Accordingly, insurance companies should consider reviewing their existing governance and security framework, particularly in relation to:

  • access rights to claims files and claims management systems;
  • employee authorisation mechanisms,
  • regularly monitoring access logs,
  • data-sharing processes with insurance adjusters, assistance providers, repair networks, and other third parties; and
  • the adequacy of confidentiality and data security provisions incorporated into third-party agreements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More