New regulation on collection, storage and sharing of insurance data – Commentary

Insurance data
Collection of insurance data
Sharing of insurance data
Using insurance data
Responsibility of centers and member organizations
Information requests and data subject rights

The Regulation on Collection, Storage and Sharing of Insurance Data (the regulation), issued by the Insurance and Private Pension Regulation and Supervision Authority (the authority) within the scope of the Insurance Law No. 5684, was published in the Official Gazette on 18 October 2022 and entered into force on the same day. The regulation determines the scope, form, procedures and principles regarding the processing, sharing and transfer of insurance data.

Insurance data

The regulation defines insurance data and regulates the principles regarding the processing and sharing of insurance data.

According to the regulation, insurance data is all the data that is the basis for risk assessment, including data on:

  • insurance contracts;
  • the insured party to the insurance contract;
  • insurance companies;
  • the insured;
  • the beneficiaries;
  • other third parties who directly or indirectly benefit from the insurance contract; and
  • incorrect insurance practices.

Within the framework of the above definition, it should be said that most of the insurance data will fall under the definition of “personal data” as defined in the Personal Data Protection Law No. 6698. However, some data (ie, data related to the insurance company) cannot be defined as personal data.

Collection of insurance data

Collection of insurance data is regulated in a way that insurance companies and related public institutions and organizations will transfer insurance data to the database to be created by the Insurance Information and Monitoring Center (the centre) within the framework of the Regulation. These institutions and organizations are obliged to keep this information up to date.

Sharing of insurance data

The regulation also regulates the general principles regarding the sharing of insurance data. Accordingly, insurance data may be shared based on the protocols signed between the center and the insurance, reinsurance and pension companies (member organizations), and based on the authority’s approval (depending on the shared party), with whomever the center shares data. According to the regulation, data sharing within the scope of these protocols will be possible through related platforms or communication channels, such as short messages, mobile applications and call centers.

According to the regulation, the data in the database can be accessed in a limited way by authorized users who are:

  • the authority that supervises the member organizations;
  • the special organizations’ officials;
  • insurance agents;
  • insurance and reinsurance brokers;
  • insurance experts; and
  • other persons and organizations.

In addition, the content fields will be determined by the center in line with the approval of the authority. It will be at the discretion of the center to limit or remove access for the authorized users who violate the access rules.

Regarding the sharing of data with third parties, the regulation also provides that the center will make available to other interested persons those deemed appropriate by the authority from the policy or damage data related to insurance contracts, provided that the necessary identity verification is provided, or the right ownership is proven.

Using insurance data

The regulation also regulates the purposes for which insurance data will be used. Accordingly, insurance data may be used for the following purposes:

  • contributing to public oversight, control and economic security in the insurance sector and to the planning of health services financing;
  • following insurance practices to ensure the unity of practice in insurance branches;
  • following up compulsory insurances;
  • contributing to the prevention of wrong insurance practices;
  • working through increasing insurance rates;
  • ensuring the production of reliable statistics on the insurance sector; and
  • calculating the insurance score.

However, the principles regarding the data usage of the center are also determined in the regulation. In this context, the center regulates that insurance data will be used to obtain data on motor vehicle operators and drivers, match them with the general database and share them with public institutions and organizations within the scope of the relevant legislation.

Responsibility of centers and member organizations

Within the scope of the regulation, the responsibility of the center and member organizations and the obligation to provide information are regulated in the following ways:

  • The center is responsible for creating a secure infrastructure for data sharing.
  • In case of any damage caused by sharing the transferred data with third parties, the center may have recourse to the relevant parties.
  • In cases where the explicit consent or approval of the data subject is sought for the data contained and shared in the general database (after obtaining the explicit consent or consent of the data owner and fulfilling the obligation of disclosure), the responsible entities are:
    • interlocutor member organizations;
    • the association of insurance, reinsurance and pension companies of Turkey and its subsidiaries;
    • the surveillance center;
    • the catastrophe insurance union;
    • the agricultural insurance union;
    • institutions and organizations operating in the insurance and private pension fields (special organization);
    • authorized users; and
    • other institutions and organizations that are the addressee of the data subject.
  • The explicit consent or approval of the data owner is not sought in the recording of data belonging to the persons and organizations that are party to the wrong insurance practices in the general database and are sharing these data with the institutions and organizations within the framework of the relevant legislation.
  • All institutions and organizations involved in data sharing and their employees cannot use the information and documents related to the insurance data that they hold within the scope of their duties in any way, either during or after their duties. They also cannot make them available to third parties.

Information requests and data subject rights

Data subjects will be able to request information from the center regarding their own data, which are excluded from incorrect insurance practices and contained in the database. Regarding these information requests, the center is obliged to respond to requests within 15 days, while reserving the right to a one-time extension of 15 days. Accordingly, the center is obliged to respond to requests for insurance data within 30 days from the date of the request at the latest, including the one-time extension period.

The regulation also regulates that data subjects who think that the data in the database are incomplete or incorrect can apply to the center for the change of the data. Accordingly, the data owner’s applications about changing the data in the database are reviewed; the center then decides whether to forward the requests to the relevant member organizations within a definite period of 10 days. The member organizations to which the application is submitted examines this request within a definite period of 10 days and conveys its decision regarding the acceptance or rejection of the request to the centre. On the other hand, the centre, informs the data subject about the application within 10 days from the date of the member organizations’ decision or the expiry of the 10-day definite period.

Finally, the regulation provides that, during the personal data processing activities carried out within the scope of the regulation, it is mandatory to comply with the procedures and principles set forth in the Personal Data Protection Law No. 6698 and the enacted legislation that is based on it.

For further information on this topic please contact Burak Özdağistanli or Ebru Gümüş at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email ([email protected] or [email protected]). The Özdagistanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com.

.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
DRAGONINKHOUSE