- within International Law topic(s)
The Regulation Amending the Regulation on Private Health Insurance ("Amending Regulation"), concerning the Regulation on Private Health Insurance ("Regulation"), was published in the Official Gazette dated 20 October 2025 and numbered 33053.
With the Amending Regulation, the obligations under the Personal Data Protection Law No. 6698 ("DP Law") in the insurance sector have been comprehensively restructured at the legislative level.
The key highlights of the amendments are set out below:
- Article 2 of the Regulation has been amended to expand the scope of exclusions: whereas previously only travel health insurance was excluded, the amendment now also excludes sickness insurance from the scope of the Regulation.
- Prior to the amendment, insurance companies were entitled under Article 5 of the Regulation to obtain information and documents from healthcare providers, the Insurance Information and Monitoring Center ("Center"), and public institutions and organizations, provided that the insured's written consent was obtained. Following the amendment, the requirement to obtain such written consent from the insured has been removed. In addition, the process of obtaining information has been established as a fundamental principle for insurance companies, and the procedure for data collection during the assessment phase of concluding private health insurance contracts has been redefined.
- Another amendment under Article 5 concerns the conditions governing access to the insured's medical history. In the previous version, access restrictions were based on cases where the insured did not grant the insurance company authorization to access their medical information. The revised provision removes this reference entirely and instead provides that access may only be restricted due to legal or technical reasons. Accordingly, the access restriction previously dependent on the insured's discretion has been repealed.
- With the amendments made to the provisions on the protection of
personal data under Article 16 of the Regulation;
- The previous rule requiring the insured person's written consent for storing insurance records and health information individually was revised, removing the "written consent" requirement. It now expressly provides that such information is to be kept on an individual basis, regardless of whether the policy is individual or group.
- Prior to the Amending Regulation, insurance companies were allowed to share health information, insurance records, and other data with third parties other than the Center and other competent authorities only with the insured's explicit consent. This provision was repealed and replaced with a requirement that all personal data processing activities be carried out in compliance with the DP Law and its secondary legislation. Accordingly, the previous explicit consent-based transfer model has been replaced with a broader data processing and compliance framework based on the DP Law.
- It is stipulated that personal data within the scope of insurance records and health information held by the Center shall be retained for a period of 10 years from the termination of insurance coverage, and that upon the expiration of this period, such data shall be deleted, destroyed, or anonymized in accordance with the provisions of the DP Law.
- While the scope of the duty of confidentiality is maintained, it is explicitly stipulated that this duty shall remain valid even after the termination of the insurer's status and duties.
The Amending Regulation will enter into force on 1 January 2026.
You can access the full text of the Amendment Regulation via this link. (Only in Turkish)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
