Introduction
KVKK compliance for insurance companies and insurance brokers in Turkey is a highly sensitive legal issue because insurance activity is built on personal data. Insurers, insurance brokers, agents, loss adjusters, assistance companies, reinsurance companies, banks selling insurance products, private pension intermediaries, healthcare providers, repair services, actuarial teams, call centers, and digital insurance platforms process large volumes of data every day.
In Turkey, insurance transactions may involve identity information, contact details, policy details, premium information, payment records, bank account data, vehicle information, property details, accident reports, medical records, disability reports, death certificates, beneficiary information, employment data, travel information, criminal or legal records, risk scores, claims documents, expert reports, photographs, call recordings, location data, and digital logs. In health, life, accident, travel, motor, liability, workplace, and private pension-related products, insurance companies may process data that is extremely sensitive.
The main personal data protection law in Turkey is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law applies to personal data processed wholly or partly by automated means, or by non-automated means forming part of a data filing system, and it imposes obligations on data controllers and processors regarding lawful processing, privacy notices, security, retention, data subject rights, and transfers.
Insurance activity is also regulated by sector-specific legislation. Insurance Law No. 5684 regulates principles and procedures relating to the commencement, management, organization, operation, termination, and supervision of activities of parties subject to the insurance sector framework. In addition, the Insurance and Private Pension Regulation and Supervision Authority, commonly known as SEDDK, supervises and regulates the insurance and private pension sector. Its 2024 Annual Report states that insurance agents must obtain a Certificate of Compliance and be registered before commencing activities, while insurance and reinsurance brokers receive operating licenses from the Authority under Insurance Law No. 5684.
Therefore, insurance data protection in Turkey cannot be handled with a generic privacy policy. It requires a sector-specific KVKK compliance model that understands insurance distribution, underwriting, claims handling, health data, broker relations, reinsurance, loss adjustment, customer communications, outsourcing, cross-border transfers, and data retention.
Why Insurance Data Protection Is High-Risk
Insurance companies process personal data to evaluate risk, issue policies, calculate premiums, manage claims, detect fraud, comply with legal duties, communicate with insured persons, and defend legal claims. These purposes may be legitimate and necessary, but the data involved can be deeply personal.
A health insurance file may reveal diagnosis, treatment history, medication use, surgery records, chronic conditions, pregnancy information, psychiatric treatment, disability status, laboratory results, and hospital invoices. A life insurance file may include medical questionnaires, family history, beneficiary information, death records, and financial data. A motor insurance claim may include accident reports, location information, repair records, driver details, injury records, and police reports. A liability insurance file may include litigation documents, expert reports, witness statements, and third-party personal data.
This makes insurance data protection particularly complex. The insured person is not always the only data subject. A single claims file may include the policyholder, insured person, beneficiary, injured third party, driver, passenger, doctor, witness, repair shop employee, expert, lawyer, counterparty, and family members. Insurance companies and brokers must therefore design KVKK compliance around multi-party data flows.
Data Controller and Data Processor Roles in Insurance
The first legal question is whether the relevant party acts as a data controller, data processor, or independent controller. Under KVKK, the data controller determines the purposes and means of processing personal data, while the processor processes data on behalf of the controller based on authorization.
Insurance companies usually act as data controllers for policy issuance, underwriting, claims management, premium collection, legal reporting, fraud prevention, reinsurance arrangements, and customer communications. They determine why personal data is collected, which records are needed, how risks are assessed, how claims are evaluated, and how long files are retained.
Insurance brokers and agents may have more complex roles. An insurance agent acting within the distribution structure of an insurer may process certain data under the insurer’s instructions, but may also act as a controller for its own customer relationship management, accounting records, employee data, marketing activities, and compliance files. Insurance brokers often represent the policyholder or assist in obtaining insurance from multiple insurers; depending on the actual structure, they may act as independent controllers for client advisory and placement activities.
Loss adjusters, assistance service providers, healthcare networks, repair shops, call centers, IT vendors, cloud providers, and document archiving companies may act as processors when they process data on behalf of the insurer. However, some may also be independent controllers for their own legal or professional obligations. Each relationship must be assessed according to the actual data flow, not merely by the title of the contract.
Personal Data Categories Processed in Insurance
Insurance companies and brokers commonly process identity data such as name, surname, Turkish identity number, passport number, date of birth, nationality, gender, signature, and customer number. Contact data may include address, phone number, email address, emergency contact, workplace address, and communication preferences.
Financial data may include bank account information, IBAN, credit card-related payment records, premium amounts, installment plans, refund records, compensation payments, income information, tax information, and debt records. Policy data may include insurance type, coverage, exclusions, insured risk, policy start and end dates, beneficiary details, insured property, vehicle plate number, building information, travel route, workplace risk, and insured amount.
Claims data may include accident reports, photographs, expert reports, medical documents, repair invoices, police reports, witness statements, court files, settlement records, correspondence, and compensation calculations. Health and life insurance may involve health data, disability records, medical reports, death certificates, and information concerning family members. These may fall within special categories of personal data under KVKK Article 6.
Digital insurance platforms may also process IP addresses, device IDs, cookies, mobile app data, location data, online quotation forms, chatbot records, call center recordings, e-signature logs, and authentication data.
Health Data and Special Categories of Personal Data
Health data is one of the most important KVKK issues in insurance. KVKK classifies data concerning health, biometric data, genetic data, criminal conviction and security measure data, and other sensitive categories as special categories of personal data. Special categories may be processed only under the conditions listed in Article 6 and with adequate safeguards.
Insurance companies frequently need health data for life, health, accident, travel, disability, critical illness, workers’ compensation, liability, and medical expense products. However, the need for health data does not remove KVKK obligations. The insurer must identify the legal basis, inform the data subject, limit processing to the necessary purpose, restrict access internally, protect records securely, and define retention periods.
For example, a private health insurer may need medical invoices and treatment records to assess a reimbursement claim. A life insurer may need medical questionnaire answers for underwriting. A travel insurer may need medical documents to evaluate an emergency health claim abroad. These may be legitimate insurance purposes, but they do not justify unlimited collection of all medical history. The data collected must be relevant, limited, and proportionate.
Legal Bases for Processing Insurance Data
Not every insurance data processing activity requires explicit consent. Under KVKK Article 5, personal data may be processed without explicit consent where one of the legal bases applies, such as processing expressly provided by law, necessity for contract performance, necessity for legal obligation, necessity for establishment or protection of a right, or legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.
In insurance, processing identity, contact, risk, premium, and policy data may often be necessary for concluding or performing an insurance contract. Retaining accounting and tax records may be based on legal obligations. Processing claims documents may be necessary for contract performance, assessment of rights, and legal defense. Fraud prevention may be based on legitimate interest or protection of rights, depending on the structure.
However, explicit consent may still be required for certain processing activities. These may include processing health data where no other Article 6 condition applies, optional marketing, transfer to unrelated commercial partners, use of sensitive data for profiling beyond necessary insurance assessment, publication of claim stories for promotional purposes, or certain international transfers where other mechanisms are not available.
The safest approach is to prepare a processing inventory that maps each insurance activity to its legal basis. A single broad consent form should not be used to justify all policy, claims, marketing, health, and transfer activities.
Privacy Notices for Insurance Companies and Brokers
KVKK Article 10 requires the data controller to inform data subjects at the time personal data is obtained. The privacy notice must include the identity of the controller, the purpose of processing, transfer recipients and purposes, method and legal basis of collection, and Article 11 rights. The Communiqué on the Obligation to Inform further provides that the notice must be clear, plain, and intelligible; that explicit consent and informing must be performed separately where consent is used; and that the legal basis under Articles 5 and 6 must be explicitly stated.
Insurance privacy notices should be tailored to the sector. A proper notice should explain quotation, policy issuance, underwriting, premium collection, risk assessment, claims handling, fraud prevention, customer support, legal reporting, reinsurance, assistance services, expert review, healthcare provider communications, repair service communications, litigation management, data transfers, retention, and data subject rights.
Insurance brokers and agents should have their own privacy notices where they act as controllers. They should not rely entirely on the insurer’s notice if they process customer data for their own advisory, comparison, marketing, accounting, or client management purposes.
Insurance Brokers, Agents, and Distribution Networks
Insurance distribution creates complex data flows. Agents, brokers, banks, call centers, online comparison platforms, and digital intermediaries may collect personal data before the insurer even issues a policy. In these cases, the data subject should be informed at the point of collection.
Agents and brokers must also control internal access. Sales personnel should not access all client files without need. Health-related proposals should be restricted. Policy documents should not be sent through unsecured channels. Customer lists should not be used for unrelated marketing without legal basis.
SEDDK’s 2024 Annual Report shows the practical importance of distribution channels: by the end of 2024, written premiums were channeled through agents, brokers, and banks in significant proportions, with agents accounting for the largest share reported in the annual data. This means that KVKK compliance in insurance must cover not only insurers’ headquarters but also distribution networks.
Claims Handling and Third-Party Data
Claims handling is one of the most data-intensive insurance processes. A motor accident file may include not only the insured driver but also passengers, pedestrians, other vehicle owners, witnesses, police officers, doctors, mechanics, and lawyers. A workplace accident claim may include employee health data, employer records, witness statements, occupational safety documents, and expert reports. A health claim may include hospital invoices, diagnosis, treatment, and doctor reports.
Insurers must ensure that claims data is collected only to the extent necessary. Claims teams should avoid requesting excessive medical history, unrelated financial records, or irrelevant personal documents. Where data concerning third parties is collected, the insurer should assess how the obligation to inform can be fulfilled, whether exceptions apply, and whether the transfer is necessary for the claim.
Claims files should be subject to strict access control. Not every employee, broker, or service provider should access sensitive claim documents. Health claims, bodily injury claims, death claims, and litigation files should have stronger confidentiality controls.
Reinsurance and Cross-Border Transfers
Reinsurance is common in the insurance sector and may require the transfer of policy, portfolio, risk, and claims data to reinsurance companies or intermediaries. In some cases, reinsurers may be located abroad. International insurance groups may also transfer data to parent companies, regional hubs, global actuarial teams, fraud units, claims platforms, or cloud infrastructure.
KVKK Article 9 was amended in 2024 and now establishes a structured framework for transfers abroad. Personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision; in the absence of adequacy, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board, and standard contracts must be notified to the Authority within five business days after signature.
For insurance companies, this means international transfers must be mapped carefully. Reinsurance transfers, global claims platforms, foreign assistance companies, overseas medical assistance providers, international call centers, foreign cloud systems, actuarial software, and group compliance tools should all be reviewed under Article 9. Where health data is transferred abroad, the risk is higher because special category data is involved.
Data Processing Agreements With Service Providers
Insurance companies rely on many service providers: brokers, agents, loss adjusters, repair shops, assistance companies, hospitals, laboratories, call centers, archive companies, IT vendors, cloud providers, payment providers, legal advisors, actuarial consultants, fraud detection tools, and document management systems.
Where a provider processes personal data on behalf of the insurer, a data processing agreement should be signed. KVKK Article 12 states that if personal data is processed by another natural or legal person on behalf of the data controller, the controller is jointly responsible with that person for taking necessary security measures.
A strong insurance DPA should cover processing instructions, confidentiality, security measures, special category data safeguards, sub-processors, breach notification, deletion or return, audit rights, international transfers, and liability. For healthcare providers and claims experts, additional confidentiality provisions should be included.
Data Security Obligations
KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. Controllers and processors must not disclose personal data unlawfully or use it outside the processing purpose, and this obligation continues after their term ends.
For insurance companies and brokers, technical measures should include encryption, role-based access control, multi-factor authentication, secure document management, logging, secure backups, data loss prevention, endpoint protection, secure email, vulnerability testing, and restricted access to health data. Organizational measures should include confidentiality undertakings, staff training, access authorization procedures, vendor due diligence, clean desk rules, incident response procedures, data retention policies, and periodic audits.
Claims documents should not be stored in unsecured shared folders. Medical reports should not be circulated through ordinary email without safeguards. Agents should not download full customer portfolios onto personal devices. Brokers should not keep outdated client documents indefinitely.
Call Centers, Voice Records, and Customer Support
Insurance call centers process voice recordings, complaint records, policy information, claim status, identity verification answers, payment information, and sometimes health data. Call recording may be lawful for proof, quality control, dispute resolution, and customer service, but the data subject must be informed properly.
The Communiqué on the Obligation to Inform expressly recognizes that the obligation may be fulfilled through media such as oral or written statements, voice recordings, and call centers, and it requires clear information on purposes, legal basis, recipient groups, and collection method.
Call center personnel should have limited access. They should not view health claim details unless necessary. Authentication should be proportionate. Call recordings should have defined retention periods. If outsourced call centers are used, DPA and confidentiality clauses are essential.
Marketing, Renewal Offers, and Cross-Selling
Insurance companies and brokers often contact customers for policy renewals, new products, complementary coverage, private pension offers, travel insurance, vehicle insurance, health insurance upgrades, and campaign notifications. These communications must be distinguished from service-related communications.
A policy renewal reminder or claim status update may be part of the service relationship, while a promotional message for a new product is marketing. Marketing communications may require separate commercial communication consent and proper preference management. KVKK consent, commercial electronic communication consent, and insurance contract processing should not be merged into a single unclear approval.
Marketing based on health, life, or claim history should be treated with extreme caution. Using sensitive claim data for targeted marketing may be disproportionate or unlawful unless a valid legal basis and clear transparency exist.
Automated Underwriting, Risk Scoring, and Fraud Detection
Insurance companies increasingly use automated underwriting, actuarial scoring, fraud detection systems, telematics, digital claim assessment, and AI-supported risk models. These systems may analyze age, location, vehicle data, health declarations, claim history, payment behavior, digital logs, or external datasets.
KVKK Article 11 gives data subjects the right to object to a result against themselves arising from analysis of personal data exclusively through automated systems. This may be relevant where an automated system rejects coverage, increases premium, flags fraud, denies a claim, or classifies a customer as high-risk.
Insurers using automated decision tools should provide transparency, human review, accuracy checks, bias monitoring, and appeal mechanisms. Sensitive data should not be used in automated scoring unless legally justified and proportionate.
Retention and Deletion of Insurance Data
Insurance data must often be retained for legal, contractual, regulatory, accounting, tax, claims, reinsurance, fraud, and litigation purposes. However, retention cannot be indefinite without lawful grounds. KVKK Article 7 and the By-Law on Erasure, Destruction or Anonymization require personal data to be erased, destroyed, or anonymized when all processing conditions under Articles 5 and 6 no longer exist; every erasure, destruction, or anonymization operation must be recorded, and those records must be stored for at least three years, without prejudice to other legal obligations that may require longer retention.
Insurance companies should define retention periods for proposals, policies, claim files, medical reports, expert reports, call recordings, payment records, litigation files, fraud investigation records, broker communications, marketing permissions, and rejected applications.
Health data should not be kept longer than necessary. Rejected insurance applications containing medical declarations should be reviewed carefully. Claims files subject to litigation may require longer retention, but closed files with no continuing legal reason should be disposed of according to policy.
Data Subject Rights in Insurance
Data subjects have rights under KVKK Article 11, including the right to learn whether their data is processed, request information, learn processing purposes, know domestic and foreign recipients, request correction, request erasure or destruction under legal conditions, object to adverse automated results, and claim compensation for unlawful processing.
Insurance companies and brokers should establish request procedures. A policyholder may request correction of contact details. An insured person may ask which hospitals received their health data. A beneficiary may ask about claim data. A third-party claimant may request information about their records. A customer may object to automated underwriting or marketing use.
Responses must be managed carefully because insurance files often include third-party data, confidential legal analysis, fraud investigation details, and medical records. Identity verification is essential before disclosing information.
VERBIS and Data Inventory
Data controllers subject to registration must maintain records in the Data Controllers’ Registry. The By-Law on the Data Controllers Registry provides that the registry is kept publicly available under the Board’s supervision and sets procedures for registration.
Insurance companies, brokers, and agents should assess VERBIS obligations according to their activities, size, and data categories. Even where an exemption applies, a data inventory remains essential. The inventory should identify data subject groups, data categories, processing purposes, legal bases, recipient groups, foreign transfers, retention periods, and security measures.
For insurance businesses, the inventory should separately map policy data, claims data, health data, broker data, call center records, marketing records, reinsurance transfers, expert reports, and vendor processing.
Data Breach Notification
Insurance data breaches can be serious. Examples include unauthorized access to health claim files, leaked policy databases, ransomware attacks, stolen broker laptops, misdirected emails containing claim documents, exposed call recordings, cloud misconfiguration, or insider access to celebrity or high-profile insured data.
KVKK Article 12 requires the data controller to notify the data subject and the Board within the shortest time if processed data are obtained by others unlawfully. Insurance companies should therefore have a breach response plan covering detection, containment, forensic review, legal assessment, customer notification, Board notification, vendor coordination, fraud monitoring, and remediation.
If brokers, agents, call centers, loss adjusters, or IT vendors detect the breach first, contracts should require immediate notification to the insurer or relevant controller.
Practical KVKK Compliance Checklist for Insurance Companies and Brokers
Insurance companies, brokers, and agents in Turkey should:
- Prepare a sector-specific personal data inventory.
- Identify controller and processor roles for insurers, brokers, agents, experts, assistance companies, and vendors.
- Map policy, proposal, underwriting, claims, reinsurance, marketing, and call center data flows.
- Identify legal bases under KVKK Articles 5 and 6.
- Prepare clear privacy notices for policyholders, insured persons, beneficiaries, claimants, brokers, agents, and website users.
- Separate explicit consent from privacy notices.
- Apply strict safeguards to health data and other special categories.
- Review reinsurance and group-company transfers.
- Map cross-border transfers under Article 9.
- Use standard contracts or other safeguards where required.
- Sign data processing agreements with vendors.
- Limit access to claims and health records.
- Define retention periods for each insurance file type.
- Establish data subject request procedures.
- Implement call center privacy and recording rules.
- Manage marketing consent and opt-outs separately.
- Review automated underwriting and fraud scoring systems.
- Prepare data breach response procedures.
- Assess VERBIS obligations.
- Train employees, agents, brokers, claims teams, and service providers.
Common Mistakes in Insurance KVKK Compliance
One common mistake is relying on broad consent forms for all insurance processing. Another is collecting excessive medical data during underwriting or claims assessment. A third mistake is failing to distinguish the roles of insurers, agents, brokers, and loss adjusters.
Insurance businesses also commonly transfer claim files to service providers without proper contracts. Some brokers store customer documents indefinitely. Some call centers record sensitive calls without adequate notice. Some insurers use foreign group platforms, cloud systems, or reinsurance tools without proper Article 9 transfer analysis.
Another frequent mistake is treating third-party claimants as outside the KVKK framework. In reality, injured persons, beneficiaries, witnesses, and other third parties are also data subjects.
Conclusion
KVKK compliance for insurance companies and insurance brokers in Turkey requires a sector-specific and risk-based legal approach. Insurance operations depend on personal data, and many insurance processes involve sensitive information, especially health data, accident data, financial records, claims documents, and beneficiary information.
The most important compliance areas include privacy notices, lawful processing, special category data safeguards, broker and agent roles, claims file governance, reinsurance transfers, data processing agreements, call center records, marketing consent, automated underwriting, retention, data subject rights, VERBIS, security measures, and breach notification.
Insurance Law No. 5684 regulates the Turkish insurance sector and SEDDK supervises insurance and private pension activities, while KVKK imposes general personal data protection obligations on data controllers and processors. For insurers and brokers, the strongest compliance model is one that combines insurance-sector operational realities with KVKK principles of lawfulness, transparency, proportionality, security, purpose limitation, and storage limitation.
A well-designed KVKK compliance program protects insured persons, policyholders, beneficiaries, claimants, and third parties. It also protects insurance companies and brokers from regulatory sanctions, disputes, reputational harm, and operational risk. In the insurance sector, personal data protection is not only a legal obligation; it is an essential part of trust, risk management, and professional credibility.