Burak Özdağıstanli Ebru Gümüş November 25 2022 New regulation on collection, storage and sharing of insurance data Özdağıstanli Ekici Attorney Partnership | Tech, Data, Telecoms & Media - Turkey Burak Özdağıstanli, Ebru Gümüş Tech, Data, Telecoms & Media Insurance dataCollection of insurance dataSharing of insurance dataUsing insurance dataResponsibility of centres and member organisationsInformation requests and data subject rightsThe Regulation on Collection, Storage and Sharing of Insurance Data (the regulation), issued by the Insurance and Private Pension Regulation and Supervision Authority (the authority) within the scope of the Insurance Law No. 5684, was published in the Official Gazette on 18 October 2022 and entered into force on the same day. The regulation determines the scope, form, procedures and principles regarding the processing, sharing and transfer of insurance data.Insurance dataThe regulation defines insurance data and regulates the principles regarding the processing and sharing of insurance data.According to the regulation, insurance data is all the data that is the basis for risk assessment, including data on:insurance contracts;the insured party to the insurance contract;insurance companies;the insured;the beneficiaries;other third parties who directly or indirectly benefit from the insurance contract; andincorrect insurance practices.Within the framework of the above definition, it should be said that most of the insurance data will fall under the definition of "personal data" as defined in the Personal Data Protection Law No. 6698. However, some data (ie, data related to the insurance company) cannot be defined as personal data.Collection of insurance dataCollection of insurance data is regulated in a way that insurance companies and related public institutions and organisations will transfer insurance data to the database to be created by the Insurance Information and Monitoring Center (the centre) within the framework of the Regulation. These institutions and organisations are obliged to keep this information up to date.Sharing of insurance dataThe regulation also regulates the general principles regarding the sharing of insurance data. Accordingly, insurance data may be shared based on the protocols signed between the centre and the insurance, reinsurance and pension companies (member organisations), and based on the authority's approval (depending on the shared party), with whomever the centre shares data. According to the regulation, data sharing within the scope of these protocols will be possible through related platforms or communication channels, such as short messages, mobile applications and call centres.According to the regulation, the data in the database can be accessed in a limited way by authorised users who are:the authority that supervises the member organisations;the special organisations' officials;insurance agents;insurance and reinsurance brokers;insurance experts; andother persons and organisations.In addition, the content fields will be determined by the centre in line with the approval of the authority. It will be at the discretion of the centre to limit or remove access for the authorised users who violate the access rules.Regarding the sharing of data with third parties, the regulation also provides that the centre will make available to other interested persons those deemed appropriate by the authority from the policy or damage data related to insurance contracts, provided that the necessary identity verification is provided, or the right ownership is proven.Using insurance dataThe regulation also regulates the purposes for which insurance data will be used. Accordingly, insurance data may be used for the following purposes:contributing to public oversight, control and economic security in the insurance sector and to the planning of health services financing;following insurance practices to ensure the unity of practice in insurance branches;following up compulsory insurances;contributing to the prevention of wrong insurance practices;working through increasing insurance rates;ensuring the production of reliable statistics on the insurance sector; andcalculating the insurance score.However, the principles regarding the data usage of the centre are also determined in the regulation. In this context, the centre regulates that insurance data will be used to obtain data on motor vehicle operators and drivers, match them with the general database and share them with public institutions and organisations within the scope of the relevant legislation.Responsibility of centres and member organisationsWithin the scope of the regulation, the responsibility of the centre and member organisations and the obligation to provide information are regulated in the following ways:The centre is responsible for creating a secure infrastructure for data sharing.In case of any damage caused by sharing the transferred data with third parties, the centre may recourse to the relevant parties.In cases where the explicit consent or approval of the data subject is sought for the data contained and shared in the general database (after obtaining the explicit consent or consent of the data owner and fulfilling the obligation of disclosure), the responsible entities are:interlocutor member organisations;the association of insurance, reinsurance and pension companies of Turkey and its subsidiaries;the surveillance centre;the catastrophe insurance union;the agricultural insurance union;institutions and organisations operating in the insurance and private pension fields (special organisation);authorised users; andother institutions and organisations that are the addressee of the data subject.The explicit consent or approval of the data owner is not sought in the recording of data belonging to the persons and organisations that are party to the wrong insurance practices in the general database and are sharing these data with the institutions and organisations within the framework of the relevant legislation.All institutions and organisations involved in data sharing and their employees cannot use the information and documents related to the insurance data that they hold within the scope of their duties in any way, either during or after their duties. They also cannot make them available to third parties.Information requests and data subject rights Data subjects will be able to request information from the centre regarding their own data, which are excluded from incorrect insurance practices and contained in the database. Regarding these information requests, the centre is obliged to respond to requests within 15 days, while reserving the right to a one-time extension of 15 days. Accordingly, the centre is obliged to respond to requests for insurance data within 30 days from the date of the request at the latest, including the one-time extension period.The regulation also regulates that data subjects who think that the data in the database are incomplete or incorrect can apply to the centre for the change of the data. Accordingly, the data owner's applications about changing the data in the database is reviewed; the centre then decides whether to forward the requests to the relevant member organisations within a definite period of 10 days. The member organisations to which the application is submitted examines this request within a definite period of 10 days and conveys its decision regarding the acceptance or rejection of the request to the centre. On the other hand, the centre, informs the data subject about the application within 10 days from the date of the member organisations' decision or the expiry of the 10-day definite period.Finally, the regulation provides that, during the personal data processing activities carried out within the scope of the regulation, it is obligatory to comply with the procedures and principles set forth in the Personal Data Protection Law No. 6698 and the enacted legislation that is based on it.For further information on this topic please contact Burak Özdağıstanli or Ebru Gümüş at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected] or [email protected]). The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com.