- within Government, Public Sector and Strategy topic(s)
- in Turkey
July 2026 – In its Principle Decision published in the Official Gazette on 1 July 2026, the Turkish Personal Data Protection Authority (“Turkish DPA”) addresses the unlawful access to and the use of personal data relating to accident victims, particularly those involved in road traffic accidents.
Although the Decision was prompted by complaints regarding compensation consultancy firms, its implications extend beyond those entities. In its Decision, the Turkish DPA reiterates the data security obligations of insurance companies, insurance adjusters, and other stakeholders involved in claims handling.
Background
The Turkish DPA notes that it has received numerous complaints from individuals who were contacted by telephone immediately after being involved in road traffic accidents. In many cases, callers claimed to represent lawyers or compensation consultancy firms, offered assistance in pursuing compensation claims, and appeared to possess detailed information about accidents that had not yet become publicly available. According to the Turkish DPA, these circumstances give rise to serious concerns regarding unlawful access to personal data processed during post-accident claims handling.
Key Takeaways from the Decision
- The Turkish DPA emphasises that personal data processed following road traffic accidents may be processed for purposes required by insurance activities, such as the assessment of compensation claim files, liability investigations, expert assessments, medical treatment processes, vehicle repairs, and the administration of compensation claims.
- The Turkish DPA also states that any unauthorised access to, or disclosure of such personal data may trigger legal consequences, including administrative sanctions under Turkish DP Law, criminal liability under the Turkish Penal Code for the unlawful obtaining or dissemination of personal data, and where necessary, criminal complaints filed with the Public Prosecutor’s Office.
- The Turkish DPA also reiterates that data controllers must implement and maintain adequate technical and organisational measures to ensure the security of personal data, including:
- preventing unauthorised access and unlawful processing;
- implementing adequate technical and organisational measures;
- restricting access authorisations;
- continuously monitoring data security.
- The Turkish DPA also specifically addresses insurance adjusters, emphasising that they may process personal data only to the extent necessary for the performance of duties expressly arising under the applicable legislation.
Practical Implications for Insurance Companies
The Decision demonstrates that the Turkish DPA is focusing not only on the initial collection of personal data processing but also on how such data is accessed, shared, and protected throughout the insurance claims ecosystem. Accordingly, insurance companies should consider reviewing their existing governance and security framework, particularly in relation to:
- access rights to claims files and claims management systems;
- employee authorisation mechanisms,
- regularly monitoring access logs,
- data-sharing processes with insurance adjusters, assistance providers, repair networks, and other third parties; and
- the adequacy of confidentiality and data security provisions incorporated into third-party agreements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]