The Law on Protection of Personal Data No. 6698 (the “DPL”) has entered into force on April 7, 2016 in Turkiye to (i) protect the fundamental rights and freedoms, particularly the protection of private life, in processing of personal data and (ii) regulate the obligations and principles and procedures to be followed by real and legal persons processing personal data.
The DPL is applicable to all real persons whose personal data are processed as well as real and legal entities processing personal data.
On the other hand, it would be helpful to specifically evaluate data processing activities of insurance companies processing many personal data including sensitive data such as health data due to the nature of their services, which are under the obligation to provide information in scope of the Insurance Law No. 5684 (“Insurance Law”) and which often have affiliation with foreign entities with an emphasis on their secrecy and confidentiality obligations . Also, there are many insurance companies which are affiliates of multinational companies and reinsurance may also result in cross-border transfer of many personal data.
This article evaluates certain current issues and special occasions concerning data processing activities of companies active in the insurance sector from the DPL perspective.
One of the most controversial issues in the field of processing of personal data in the insurance sector is processing of sensitive personal data. In practice, especially the requirements for explicit consent must be evaluated diligently in respect of health and life insurances.
Pursuant to Article 6 of the DPL, race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or unions, health, sexual health, criminal convictions, security measures, biometric and genetic data are defined as sensitive personal data.
In principle, sensitive personal data cannot be processed without the relevant person’s explicit consent.
On the other hand, persons under the secrecy obligation or competent authorities or institutions can process health data without the relevant person’s explicit consent for the purposes of protection of public health, protective medicine, medical diagnosis, treatment and care services, healthcare services, financial planning and management for healthcare services. However, it is still controversial whether insurance companies can process health data without explicit consent in scope of this exception.
According to Article 31/A of the Insurance Law stipulating their secrecy obligations:
shall not disclose (except for disclosures to be made to competent public authorities) or use, to their own benefit or others’ benefit, the secrets they learnt due to their title or duty, belonging to the (i) persons and institutions operating in scope of the Insurance Law, (ii) their affiliates or establishments, and (iii) persons related to insurance agreements. This obligation shall continue even after the termination of their title and duty.
The scope and legal nature of this secrecy obligation are controversial in Turkish law. According to the referred article, all information and document exchange can be made between insurance companies, reinsurance companies and retirement companies, provided that a confidentiality agreement is executed and only for risk assessment purposes. Therefore, under the Insurance Law, personal information qualified as secret may be revealed and shared subject to certain rules.. On the other hand, the Personal Data Protection Board (“Board”) practices appear to seek a more definite obligation to keep secret in scope of DPL.
As a matter of fact, certain Turkish academics take the view that private health and life insurance companies cannot be listed among the authorized authorities and institutions and persons under the secrecy obligation from data protection perspective. Those who defend opinion argue that if the counter argument is accepted, the following may occur:
Therefore, it is stressed that private health and life insurance companies must process health data based on the relevant individual’s explicit consent.
That said, as underlined by Turkish academics and the Board, free will is the essence in giving explicit consent, and explicit consent should not be conditional. Especially the nature of health and life insurance services may necessitate making explicit consent conditional. On one side, this is evaluated as a prerequisite of providing the service in practice, and on the other side it creates a structure damaging the free will set forth when giving explicit consent.
In addition, the Board decisions indicate that obtaining explicit consent of the data subject when providing services requiring processing of sensitive personal data is not considered as the explicit consent is conditional for providing the relevant personal data.
Indeed, in the decision no. 2021/389 dated 20.04.2021 concerning an incident where an insurance company compelled the data subject who engaged in a private pension agreement to tick a checkbox for processing their personal data to access their policy information, the Board decided that the data subject’s personal data must be processed for execution and performance of the insurance agreement, and considering that the processing relied by the data controller on a legal ground other than explicit consent, it would not be possible to say that the service was made conditional to explicit consent. The Board deemed appropriate to obtain explicit consent for a processing purpose which does not rely on explicit consent given the specifics of the service. On the other hand, established precedents of the Board indicate that requesting explicit consent may be misleading for data subjects in situations which are not subject to explicit consent (in other words which can rely on a different legal ground). In this regard, the Board imposed sanctions to certain data controllers in the past.
Likewise, in the decision no. 2020/667 dated 30.09.2020 concerning an incident where a data subject applied to the insurance company to request the renewal of the health policy issued in their family’s name and the insurance company requested for explicit consent, the Board reached the conclusion that the acts subject to the complaint are not in breach with the DPL as the health insurance policy bears sensitive personal data and requires explicit consent in this regard. The Board’s assessment may also mean that requesting explicit consent can be allowed as a prerequisite for processing health data in particular to the relevant policies. However, this interpretation is not compliant to the general principles regarding explicit consent.
In light of these explanations, it may be recommendable for insurance companies to proceed with obtaining explicit consent of data subjects in order to mitigate the risks in respect of private health and life insurances. On the other hand, there is always a risk that the data subject may withdraw their explicit consent, and the Board currently has no precedents which may be considered in all situations yet. The Board has no clear guidance yet, and the current practice among the insurance companies is still to proceed by obtaining explicit consent.
However, a legislative amendment may be introduced soon, and the relevant articles of the DPL may change. In brief, based on the amendment studies known to the sector, it is understood that the distinction between health and sexual life data and other sensitive personal data may be removed and other legal grounds in addition to explicit consent may be added to the DPL for processing of such data. It is known that the current DPL provisions handling the explicit consent exemptions quite narrowly is suggested to be removed. As a replacement, with the amendment study, it is aimed that all sensitive personal data including health data can be processed in the circumstances below without seeking explicit consent:
In light of the above-explained studies and regulation proposals, the practice concerning the data processing activities subject to explicit consent may change soon. In scope of the prospective regulations, an exemption regarding explicit consent broader than EU General Data Protection Regulation (“GDPR”) may come into force. Although GDPR has similar health data processing rules to the DPL, the regulation concerning insurance companies under GDPR may differ among member countries based on the authority granted by the GDPR. For instance, in the Netherlands, insurance companies or financial service providers acting as insurance agencies shall be exempt from the restrictions concerning the processing of health data in case of processing these data for the purposes of assessing the insured risk or implementing or managing the policy or supporting its implementation, as long as the insured does not have any objections. In Belgium, on the other hand, an amendment proposal has been made earlier to allow insurance companies to process health data, but this proposal has been withdrawn.
According to Article 9 of the DPL, in principle, sensitive and non-sensitive data can be transferred abroad subject to the data subject’s explicit consent. Exceptions to this rule are as follows: (i) transfer to jurisdictions providing sufficient protection, a list of which would be determined by the Board, and (ii) the Board’s permission for the transfer abroad. That said, the Board has not issued any adequacy decisions (i.e., any list of jurisdictions providing sufficient protection). Furthermore, the permission procedure for cross-border data transfer is quite tiring and long for companies. Also, the cross-border data transfer must be subject to explicit consent until the permission procedure is completed and the cross-border transfer is allowed.
Cross-border transfer of personal data may stand out as a standard procedure settled in all processes of all companies acting as part of a group companies. This is also applicable to similar insurance companies. Also, sharing of data especially between the insurance companies and their reinsurers in abroad must be treated sensitively. In light of the current legislation, explicit consent is required for such transfers when the relevant specific transfers are permitted by the Board.
On the other hand, as per Article 7.3(g) of the Action Plan dated 23 March 2021 projecting the study calendar about the Economy Reforms, announced on 12 March 2021 and conducted in coordination of the Ministry of Treasury and Finance, relevant amendments are expected to be made to the DPL based on the international transfer provisions of the GDPR. These recommendations indicate that the principles concerning the determination of the states providing sufficient protection, the assurances to which the transfer to states lacking sufficient protection will be subject, and the rules regulating the data transfer in case there are no proper assurances. In this regard, it may also be said that the data transfer to abroad may also change soon. In scope of the projected rules, the contractual conditions set out by the Board may be agreed mutually by the recipient and the transferor and notified to the Board as an adequate assurance for such transfers.
According to Article 12 of the DPL, all data controllers must take all necessary technical and administrative measures to ensure data security. Data controllers are under the obligation to ensure the data processors take these measures as well.
The Board’s decision no. 2018/10 dated 31.01.2018 must be considered in respect of personal data particularly in scope of health insurances and life insurances. The decision regulates the additional security measures concerning the processing of sensitive personal data such as health date. In light of the decision, a separate systematic, clear, manageable, and sustainable policy and procedure must be formed concerning the security of sensitive personal data. Also, the additional administrative measures to be taken for persons who have access to these data, the measures for the electronic and physical environments in which these data are processed, retained and accessed from as well as the measures that must be considered when transferring such data are explained in detail.
Again, as per the Information and Communication Security Measures Circular No. 2019/12 published by the Presidency applicable to the businesses serving as a critical infrastructure, certain measures have been deemed proper for mitigating the security risks and ensuring the security of critical data, which may harm the public or der or threaten national security if their privacy, integrity or accessibility is disrupted. These measures especially foresee a requirement to store critical information and data such as health data safely and domestically. Likewise, the Information and Communication Security Guideline dated 10.07.2020 published under the coordination of the Presidency’s Digital Transformation Office Presidency created a comprehensive data security structure with data security monitoring guidelines. Although there is not a specific sanction applicable in scope of the relevant Circular, it would be beneficial for insurance companies to consider the measures for critical data and Digital Transformation Office’s guidelines.
The Board’s decisions about specific cases also indicate that insurance companies are expected to act more prudently and carefully compared to the other companies, and especially to take additional measures in terms of sensitive personal data.
Indeed, in the decision no. 2020/532 dated 09.07.2020 concerning an incident where a data controller accidentally sent status files of 367 persons of its 61 affiliated companies in scope of Automatic Enrolment System (AES) due to an error in the inquiry mechanism picking the status file arising from a system error at the service provider supplying support for the data controller’s information system, the Board stressed that, despite the data breach notification states that the error causing the breach is exceptional and has no direct relationship with the application’s main functions, the system error causing the data breach must have been corrected before the transaction was taken into progress as ‘a business enterprise conducting insurance services must be more careful in terms of information system security’.
In the decision no. 2020/905 dated 24.11.2020 concerning an incident where the test provider containing the website of an insurance company qualified as a data controller was targeted by a cyber-attack, the Board evaluated many measures and reached the conclusion that the data controller failed to show sufficient care in retaining the personal data based on their confidentiality degree. This decision clearly shows that the measures expected to be taken by the companies can be stricter, given the quality and sensitive nature of the processed data.
In this regard, it is extremely important for insurance companies to determine the measures to be taken by themselves, their agencies and all business partners including other support providers by considering the nature of the processed personal data. They also need to regulary monitor whether such measures are taken in practice effectively.
Another novelty bringing data protection law on the agenda of the insurance industry is cyber security policies, which become more common day by day. In practice, cyber security policies cover a wide range of cyber security risks from identity theft to information security losses, misuse of payment instruments to data protection damages. Along being controversial in literature and in practice, wide-range cyber security policies also include a cyber extortion cover. Some insurance companies name these cyber insurances as “commercial cyber security insurances”, and despite many insurance companies set out limitations in the covers of these insurances, the policies may cover the extortions.
Although these policies are not very common in Turkey yet, many global companies benefit from these policies through their affiliates in Turkiye.
In scope of cyber security policies, insurance companies may provide consultancy assistance to evaluate the breach status and risks together with the insureds and require preventive notifications to cover the damages which may be caused by the breaches.
Cyber security policies necessitate certain data to be collected from the insured companies, and it bears a great importance to collect these data lawfully and transfer them to insurance companies in line with the laws. It may also be considerable to request an undertaking from the insured company to cover any potential damages to the insurance companies due to not any breach to regulations about lawful data sharing.
Final Remarks
In light of the explanations above, insurance companies should treat data processing procedures sensitively, and each case would necessitate a unique legal assessment based on the specifics. Given the financial power of insurance companies, potential sanctions which may be imposed as result of data breaches may approach to the upper limits. In this regard, insurance companies are recommended to show utmost care regarding their data processing procedures, data transfer activities and measures taken for data security.
In addition to the above, any sectoral regulations should be considered as the basis underlying data processing activities. In scope of the evaluations under the DPL, data relating to insurance agreements, insured persons, insurance companies, any direct or indirect beneficiaries of the insurance agreement, and third parties and any data relating to risk assessment procedures including false insurance practices are evaluated as insurance data and they are subject to special rules of Insurance and Private Pension Regulation and Supervision Agency and Insurance Information and Monitoring Centre. Insurance companies have liability in terms of collecting the relevant data lawfully and reporting/sharing such data in line with the laws.
Special thanks to Zeynep Berfin Ekinci for her contributions.