Publications

Personal Data Protection Board Publishes Principle Decision on the Processing of Personal Data of Accident Victims

Principle Decision on the Processing of Personal Data of Accident Victims (Decision No. 2026/1095) (“Principle Decision“), issued by Personal Data Protection Board (“Board“) on 20 May 2026, provides significant guidance on processing of personal data relating to victims of traffic accidents, workplace accidents and similar incidents. Principle Decision was published in Official Gazette dated 1 July 2026 and numbered 33297.

Principle Decision was adopted following numerous complaints submitted to Personal Data Protection Authority (“Authority“), the competent authority established under Turkish Data Protection Law No. 6698 (“DP Law“), concerning unlawful access to accident victims’ personal data by claims consultancy companies, insurance loss adjusters, lawyers and similar persons or entities. According to the complaints, such personal data had been used to contact accident victims without their request, obtain powers of attorney by promising compensation and, in certain cases, carry out legal or administrative actions on behalf of victims without their knowledge.

A. Legal Framework and Board’s Assessment

In its assessment, the Board first refers to Additional Article 6 of Insurance Law No. 5684 (“Insurance Law“). The Board also expressly refers to the provisions of Circular No. 2026/15, dated 25 June 2026, amending Circular No. 2021/1 on the Implementation of Additional Article 6 of Insurance Law No. 5684. Under this amendment, disputes pending before the Insurance Arbitration Commission have also been brought within the scope of the Circular. The amendment further reiterates that compensation claims may only be pursued and collected by the rightful beneficiary or the persons expressly authorized under the Insurance Law, reinforces the prohibition on the assignment of compensation claims, and explicitly provides that the Insurance and Private Pension Regulation and Supervision Agency (SEDDK) shall file written criminal complaints with the Public Prosecutor’s Office against persons who unlawfully obtain, process or transfer personal data in connection with claims consultancy activities.

These amendments further strengthen the regulatory basis under insurance legislation for the principles and assessments set out by the Board in the Principle Decision. In light of this legislative framework, the Board concludes that insurance compensation claims may only be pursued by persons authorized under the Insurance Law and that pursuing compensation claims through unlawful access to personal data may constitute a violation of the applicable legal framework.

In particular, Principle Decision identifies the following practices as unlawful:

  • accessing accident victims’ personal data without a valid legal basis;
  • using personal data obtained through insurance systems or other sources for the purpose of contacting accident victims;
  • contacting accident victims by telephone or other communication channels without their express request;
  • encouraging accident victims to grant powers of attorney; and
  • using personal data beyond the purposes for which it was processed or disclosing such data to third parties.

Board further states that such activities may give rise not only to administrative sanctions under DP Law but also to criminal liability under Turkish Criminal Code No. 5237 (“TCC“), particularly the provisions governing the unlawful recording, disclosure, dissemination and acquisition of personal data[1].

Principle Decision also reiterates that, pursuant to Article 12 of DP Law, data controllers are required to implement appropriate technical and organizational measures, considering their organizational structure, the nature of the personal data processed and the risks arising from such processing activities. In this respect, Board emphasizes that access to personal data should be restricted in line with assigned duties and authorities and that appropriate organizational and technical safeguards should be implemented to prevent personal data from being used beyond its intended purpose or unlawfully disclosed to third parties.

B. Sectoral Impact of Principle Decision

Principle Decision is not limited to the activities of claims consultancy companies. Rather, it has broader implications for all processing activities involving personal data of accident victims. Accordingly, Principle Decision should be considered by all stakeholders involved in claims management processes.

i. Claims Consultancy Companies, Lawyers and Insurance Loss Adjusters

Board emphasizes that claims consultancy companies, lawyers and insurance loss adjusters may access personal data only within the limits of their statutory duties and based on a legal ground provided under the applicable legislation. Board further notes that, in addition to their obligations under DP Law, these professionals must also comply with the confidentiality and professional secrecy obligations applicable to their respective professions.

In this regard:

  • Claims consultancy companies: Board states that personal data may not be accessed or processed without a valid legal basis. Such activities may result in administrative sanctions under DP Law and criminal liability under TCC. Board also notes that, where appropriate, criminal complaints may be filed with Public Prosecutor’s Office and relevant ministries and bar associations may be informed.
  • Lawyers: Principle Decision does not impose a general restriction on the practice of law. However, Board makes clear that lawyers may access personal data only based on a legal ground recognized under DP Law. Legal services conducted on the basis of personal data obtained unlawfully cannot be regarded as lawful.
  • Insurance loss adjusters: Personal data may be processed only to the extent necessary for the performance of duties arising under insurance legislation. Board further notes that using personal data beyond the scope of such duties or disclosing such data to third parties may give rise to liability under both DP Law and TCC. Principle Decision also reminds insurance loss adjusters that they remain subject to the confidentiality and professional secrecy obligations applicable to information and documents obtained during the course of their duties.

ii. Assessment for Insurance Companies and Automotive Ecosystem

Although Principle Decision is not directed specifically at insurance companies or businesses operating within automotive sector, it establishes important principles for processing activities carried out in connection with claims management processes. Against this background, the following observations set out our assessment of the implications of Principle Decision for insurance and automotive sectors.

  • Personal data processed during claims management processes should be used solely for claims handling, claims assessment, repair management and compliance with applicable legal obligations. Personal data obtained during such processes should not be used for purposes incompatible with the original purpose of processing.
  • Sharing claims-related or customer information held by insurance companies or other participants in claims management processes with third parties seeking to contact accident victims may create significant legal risks under Principle Decision. Accordingly, where personal data is shared with claims consultancy companies, call centers, referral companies or other third-party service providers, including those involved in fleet leasing, operational leasing or vehicle subscription models, the scope of such data sharing and the parties’ respective capacities and obligations under DP Law should be clearly defined in the relevant contractual arrangements.
  • Organizations should also ensure that employees with access to such personal data receive regular training on their duties and responsibilities, data security obligations and applicable confidentiality requirements. Similarly, communications with data subjects should be carried out only where supported by appropriate legal grounds under the applicable legislation.
  • Where personal data collected in connection with replacement vehicles, towing, roadside assistance, minor repairs, windscreen replacement or similar services is intended to be used for purposes other than providing the relevant service, such processing activities should be structured in compliance with the transparency requirements and legal bases under DP Law, as well as the requirements arising under legislation governing commercial electronic communications.

In this respect, Principle Decision once again highlights the need to comply with data security obligations under DP Law, ensure that personal data is processed only for specified and legitimate purposes, and observe confidentiality and professional secrecy obligations arising under the applicable legislation.

Click here to access the full text of the Principle Decision. (Only available in Turkish)

[1] Articles 136 (Unlawful Disclosure or Acquisition of Personal Data) and 137 (Aggravated Circumstances) of TCC.

Subscribe

Within the scope of the Privacy Notice, which sets out the details regarding the processing of my personal data, I give my explicit consent to receive invitations and informational communications regarding events, conferences, seminars, and meetings organized by or attended by Moroğlu Arseven.

Get In Touch

You can contact us via our contact information or fill out the form below.

Privacy Notice
Approve