Data Protection
Ⅰ. Introduction
e-Nabız is a platform that stores individuals' health data in a centralized system and gives healthcare providers, and, with the individual's consent, insurance companies, quick access to this information. This convenience brings with it risks for the protection of personal data. The use of e-Nabız records by insurance companies when issuing policies and evaluating claims carries significant responsibilities for data security and privacy. Therefore, when an insurance company processes data from e-Nabız records to determine the scope of a policy or to identify pre-existing conditions to be excluded from coverage, it must conduct this process strictly within the framework of the Personal Data Protection Law No. 6698 ("KVKK") and the relevant secondary legislation.
This article will thoroughly discuss how e-Nabız records can be used by insurance companies in policy evaluations, how to manage data deletion requests, and the obligations of insurance companies in this process.
Ⅱ. Processing of e-Nabız Records and Insurance Activities
As is well known, the e-Nabız system stores individuals' health histories and current health status digitally and allows healthcare providers to access this information. The data held in the system is of great interest to insurance companies, because it gives them the means to learn the health status of the data subject. In particular, an insurance company can use e-Nabız records during policy issuance to identify conditions the data subject already had before the policy's effective date.
Pursuant to Article 6 of the KVKK, titled "Conditions for processing of special categories of personal data", data relating to an individual's health is a special category of personal data and, as a rule, may not be processed. Under the third paragraph of Article 6, special categories of personal data may be processed only if one of the following conditions is met:
- The explicit consent of the data subject,
- It is explicitly stipulated by laws,
- It is necessary to protect the life or physical integrity of the individual who is unable to provide consent due to physical impossibility or whose consent is not legally valid, either for their own protection or that of another person,
- It concerns personal data made public by the data subject, and the processing aligns with the purpose of the disclosure,
- It is necessary for the establishment, exercise, or protection of a legal right,
- It is required by persons or authorized institutions under an obligation of confidentiality for the protection of public health, preventive medicine, medical diagnosis, treatment, nursing services, and the planning, management, and financing of healthcare services,
- It is necessary to fulfill legal obligations in the fields of employment, occupational health and safety, social security, social services, and social assistance,
- It is conducted by foundations, associations, or other non-profit organizations established for political, philosophical, religious, or trade union purposes, in accordance with their governing laws and objectives, limited to their area of activity, and without disclosing the data to third parties, provided it is for the benefit of their current or former members or of individuals who regularly interact with these organizations.
In light of this regulation, it is crucial to determine the basis on which insurance companies process health data obtained from e-Nabız.
At this point, we refer to the decision of the Personal Data Protection Board ("Board") dated 03.09.2020 and numbered 2020/667, which concerns the explicit consent insurance companies obtain from data subjects in order to process personal data. In the case addressed by the decision, the data subject complained that the data controller had requested explicit consent as a condition of renewing the insurance policy, and alleged that this request was contrary to the KVKK. The Board stated:
"In this context; as the health insurance policy contains health data that qualifies as special categories of personal data, and since the processing of the health data in the policy cannot be carried out under paragraph 3 of Article 6 of the Law, processing can only be conducted with the explicit consent of the data subject, and therefore, the request to obtain explicit consent from the data subject does not constitute a violation of the Law"
In conclusion, the Board found that insurance companies can process the special categories of personal data in a health insurance policy only with explicit consent, and that requesting explicit consent for this purpose does not violate the KVKK. It should be noted that the decision predates the amendment of Article 6 by Law No. 7499 (2024), which introduced the conditions listed above; the Board's reasoning therefore rests on the narrower wording in force at the time.
Accordingly, insurance companies must obtain the explicit consent of the data subject before processing e-Nabız records.
Ⅲ. The Concept of Data Erasure and Insurance Practices
As stated above, insurance companies can process special categories of personal data only where the data subject has given explicit consent. The question that then arises is how insurance practice should proceed when the data subject withdraws that consent and/or requests the erasure of their personal data.
During policy issuance and/or claims (provision) processes, insurance companies exclude certain conditions from coverage on the basis of e-Nabız records lawfully processed with explicit consent. Where no condition has been excluded on the basis of these records, erasing them at the data subject's request raises no difficulty.
Where, however, certain conditions have been excluded from coverage on the basis of e-Nabız records, it must be carefully evaluated whether the exclusion can be maintained and how the insurance company's records must be modified once the data subject requests erasure.
Under the first paragraph of Article 7 of the KVKK, personal data must be erased, destroyed, or anonymized by the data controller, ex officio or upon the request of the data subject, once the reasons for processing no longer exist. The data subject's right to request erasure is separately granted under Article 11/1-7 of the KVKK. It follows that an insurance company must erase the data in question when a data subject who gave explicit consent for the processing of their e-Nabız records withdraws that consent and/or requests erasure.
Indeed, the procedures and principles regarding the erasure, destruction, or anonymization of personal data are regulated by the Regulation on the Erasure, Destruction, or Anonymization of Personal Data ("Regulation"). Article 7/1 of the Regulation, in compliance with the KVKK, states "If all conditions for processing personal data, as specified in Articles 5 and 6 of the Law, no longer apply, personal data must be erased, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject."
Article 8 of the Regulation, titled "Erasure of Personal Data" explains "(1) Erasure of personal data refers to making personal data inaccessible and unusable in any way by the relevant users. (2) The data controller is obliged to take all necessary technical and administrative measures to ensure that the erased personal data is inaccessible and unusable for relevant users."
In this context, when special categories of personal data obtained from e-Nabız are erased at the data subject's request, the data must become inaccessible and unusable, as Article 8 of the Regulation expressly requires. Given that the explicit consent on which the data was obtained is no longer valid and that the data subject has requested erasure, the e-Nabız data must be brought to a state in which it can no longer be accessed or used.
The insurance company's own records must therefore be adjusted accordingly. In our opinion, records stating, for example, that "these exclusions were determined based on e-Nabız records" or that "only the health data was deleted" will violate the KVKK if they are not erased, even though they may contain no special category of personal data themselves, because they reveal that an exclusion was made on the basis of special categories of personal data obtained from e-Nabız.
For example, suppose the data subject granted explicit consent for access to e-Nabız records, the records showed that the data subject had a heart condition, that condition was excluded from coverage, and the data subject then requested the erasure of the e-Nabız records. In that case, all data used to establish the heart condition must be erased from the insurance company's records, and those records must be reverted to their state before e-Nabız data was accessed. The specific data from which the heart condition was inferred (for instance, that the person had a heart attack or was taking heart medication) is itself a special category of personal data, and the conclusion that the person has a heart condition is personal data in its own right.
Consequently, since the underlying e-Nabız data indicating the heart condition can no longer be processed or stored, it must also be impossible to infer from the remaining records that the condition was excluded on the basis of e-Nabız data; a record indicating that the exclusion was based on e-Nabız data would violate the KVKK.
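The cascading erasure described above, as an added illustration that is not part of the article: a toy model of an insurer's record store in which every coverage exclusion carries a provenance link to the health facts it was derived from. Erasing the e-Nabız-sourced facts then removes exclusions that rested solely on them, drops the provenance link from exclusions that also have another basis, and scrubs free-text notes that reveal an e-Nabız basis; a residue check confirms nothing referencing e-Nabız remains. The schema, field names, source tags and sample records are hypothetical. The example goes slightly beyond the article's heart-condition scenario by also handling an exclusion that independently rests on a condition the subject declared on the application form, which is kept on that basis alone.

```python
# Added example (not from the article): cascading erasure of e-Nabız-derived
# data in a hypothetical insurer record store. Schema and sample data are
# constructed for illustration only.
import re
from dataclasses import dataclass, field

ENABIZ = "e-Nabiz"                                     # hypothetical source tag for imported facts
ENABIZ_REF = re.compile(r"e-?nab[iı]z", re.IGNORECASE)  # catches "e-Nabız"/"eNabiz" in free text


@dataclass
class HealthFact:
    fact_id: str
    subject_id: str
    source: str      # ENABIZ or "declaration" (what the subject stated on the form)
    detail: str      # special-category content, e.g. "myocardial infarction, 2019"


@dataclass
class Exclusion:
    exclusion_id: str
    subject_id: str
    condition: str
    derived_from: set   # fact_ids that justified this exclusion (provenance)


@dataclass
class Note:
    subject_id: str
    text: str


@dataclass
class RecordStore:
    facts: dict = field(default_factory=dict)        # fact_id -> HealthFact
    exclusions: dict = field(default_factory=dict)   # exclusion_id -> Exclusion
    notes: list = field(default_factory=list)
    erasure_log: list = field(default_factory=list)  # audit entries, no health content


def erase_enabiz_data(store: RecordStore, subject_id: str) -> dict:
    """Erase every e-Nabız-sourced fact for subject_id, remove exclusions that
    rested only on those facts, strip the provenance link from exclusions that
    also have another basis, and scrub notes revealing an e-Nabız basis.
    Returns a content-free summary usable when informing the data subject."""
    erased = {fid for fid, f in store.facts.items()
              if f.subject_id == subject_id and f.source == ENABIZ}
    for fid in erased:
        del store.facts[fid]

    removed, retained = [], []
    for ex in list(store.exclusions.values()):
        if ex.subject_id != subject_id:
            continue
        remaining = ex.derived_from - erased
        if remaining:
            ex.derived_from = remaining              # still justified by non-e-Nabız facts
            retained.append(ex.exclusion_id)
        else:
            del store.exclusions[ex.exclusion_id]    # rested solely on erased data
            removed.append(ex.exclusion_id)

    before = len(store.notes)
    store.notes = [n for n in store.notes
                   if not (n.subject_id == subject_id and ENABIZ_REF.search(n.text))]

    summary = {"subject_id": subject_id, "facts_erased": len(erased),
               "exclusions_removed": sorted(removed),
               "exclusions_retained": sorted(retained),
               "notes_scrubbed": before - len(store.notes)}
    store.erasure_log.append(summary)
    return summary


def has_enabiz_residue(store: RecordStore, subject_id: str) -> bool:
    """Post-erasure check: True if anything for subject_id still comes from or
    refers to e-Nabız (a fact, a provenance link to an erased fact, or a note)."""
    if any(f.subject_id == subject_id and f.source == ENABIZ for f in store.facts.values()):
        return True
    known = set(store.facts)
    for ex in store.exclusions.values():
        if ex.subject_id == subject_id and (ex.derived_from - known):
            return True                              # dangling provenance to erased facts
    return any(n.subject_id == subject_id and ENABIZ_REF.search(n.text) for n in store.notes)


def sample_store() -> RecordStore:
    """Constructed sample data: one subject, one e-Nabız fact, one declared fact,
    an exclusion based on each, and a note that reveals the e-Nabız basis."""
    s = RecordStore()
    s.facts["f1"] = HealthFact("f1", "S1", ENABIZ, "heart attack, 2019; on beta blockers")
    s.facts["f2"] = HealthFact("f2", "S1", "declaration", "asthma, declared on application")
    s.exclusions["x1"] = Exclusion("x1", "S1", "cardiac conditions", {"f1"})
    s.exclusions["x2"] = Exclusion("x2", "S1", "respiratory conditions", {"f2"})
    s.notes.append(Note("S1", "x1 determined from e-Nabız records"))
    s.notes.append(Note("S1", "application received 2024-03-01"))
    return s


if __name__ == "__main__":
    st = sample_store()
    print(erase_enabiz_data(st, "S1"))
    print("residue after erasure:", has_enabiz_residue(st, "S1"))
```

The design point is the provenance set on each exclusion: without it, an insurer cannot tell which exclusions must fall away when the e-Nabız facts are erased, and the residue check has nothing to verify. The erasure log deliberately records only counts and identifiers, so that informing the data subject of the outcome does not itself re-create a reference to the erased health content.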
Finally, Article 10(1)(d) of the KVKK, which regulates the data controller's obligation to inform, requires the data controller to inform the data subject of the rights listed in Article 11. Insurance companies must therefore also inform the data subject of these rights, and of the outcome of the request, during the erasure process.
Ⅳ. Conclusion
In conclusion, the use of e-Nabız data by insurance companies in policy issuance and evaluation is contingent on the explicit consent of the data subject. If the data subject withdraws that consent or requests the erasure of their personal data, the insurance company is obliged to comply in accordance with the KVKK and the relevant secondary legislation. In particular, once explicit consent has been withdrawn and/or erasure has been requested, no exclusion decision may continue to rest on the special categories of personal data obtained from e-Nabız. Insurance companies must therefore revise their policy scopes and records in a KVKK-compliant manner when processing, withdrawing, or erasing e-Nabız data, and adopt an approach fully aligned with data protection regulations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.