info@srp-legal.com
Şakayıklı Sokak No:10 | Levent 34330 | İstanbul | Türkiye
 

Legal AlertRegulation on Amendments to the Private Health Insurance Regulation is published in the Official Gazette dated 20.10.2025 and numbered 33053.

22 October 2025

Regulation on Amendments to the Private Health Insurance Regulation (“Regulation”) is published in the Official Gazette dated 20.10.2025 and numbered 33053. The Regulation will enter into force on 01.01.2026.  Pursuant to the Regulation prepared by the Insurance and Private Pension Regulation and Supervision Agency (“SEDDK”), amendments to the Private Health Insurance Regulation published in the Official Gazette dated 23.10.2013 and numbered 28800 are envisaged.  The Regulation aims to strengthen the rights of insured persons under Private Health Insurance, increase the obligations of insurance companies as “data controllers” in line with the Personal Data Protection Law (“KVKK”) regarding the protection of personal data, and introduce changes that will have a direct impact on the processing, storage, and transfer of health data, which is considered “special category of personal data” under KVKK.

  • Pursuant to Article 1 of the Regulation, travel health insurance and sickness insurance have been excluded from the scope of the Private Health Insurance Regulation by the amendment of Article 2 of the Private Health Insurance Regulation.
  • Pursuant to Article 3 of the Regulation, the definitions in Article 4 of the Private Health Insurance Regulation have been amended to include the following: “Permanent data storage device: A device that enables the information sent by or to the insurer, the insured, or the beneficiary to be recorded in a manner that allows it to be reviewed within a reasonable period of time for its intended purpose, copied without alteration, and accessed in its original form, such as short messages, e-mail, the internet, mobile applications, disks, CDs, DVD, memory card, and any other tools or environments established through the Insurance Information and Monitoring Center or e-Government.”
  • Amendments have been made to Regulation Article 4 and Article 5 of the “Private Health Insurance Regulation.” The company’s right to obtain information and request documents was previously subject to obtaining the insured’s written consent. With Regulation Article 4, the written consent requirement has been removed, and it has become standard practice to obtain information about the insured from the “Center” (SGM) or public institutions and organizations in order to conclude the contract.
  • Pursuant to Regulation Article 4, the contract can now be based on declarations only if the insured’s information cannot be accessed for legal or technical reasons. The Regulation prevents the contract from being based on declarations if the insured does not grant access to their health history information. The use of central data systems is primarily envisaged for declaration-based policies.
  • Pursuant to Regulation Article 4, the company is obligated to inform the insured of all campaigns and discounts it offers regarding premiums and to clearly state the discount amount and/or rates in the policy.
  • Pursuant to Regulation Article 9, the provision of information required about insured persons during transition procedures is primarily regulated by the Center. The direct sharing of information essential to transition procedures between companies is prohibited. Data transfer must be carried out through the “Center” (Insurance Information and Monitoring Center). Furthermore, it is prescribed that the lifetime renewal guarantee must continue with the new company, and that information regarding whether this guarantee has been earned by meeting the minimum conditions must also be obtained from the Center.
  • Pursuant to Regulation Article 9, the “Private Health Insurance Regulation” states that the company is obliged to forward the necessary data belonging to the insured person requesting a transfer to another company to the Center within five business days from the date the request is received.
  • Pursuant to Regulation Article 9, it is envisaged that the information required by the “Private Health Insurance Regulation” shall be determined by the Institution and that the company shall not request any additional information or documents from the insured person other than this information.
  • Pursuant to Regulation Article 10, the provision stating that the information to be provided to the insured party regarding the subject matter may be provided “electronically” in accordance with Article 10/2 of the “Private Health Insurance Regulation” has been amended to “via a permanent data storage device” in order to comply with the KVKK.
  • In accordance with Articles 11, 12, and 15 of the Regulation, the terms “Undersecretariat” have been changed to ‘Institution’ and the term “electronically to SBGM” has been changed to “to the Center” to ensure compliance with the KVKK.
  • Article 13 of the Regulation states that information regarding the health status and health history of the insured can be accessed through the Center for the purposes set out in Article 15 of the “Private Health Insurance Regulation” in accordance with Articles 31/A and 31/B of the Insurance Law No. 5684.
  • Article 14 of the Regulation, “Private Health Insurance Regulation,” regulates the protection of personal data and the obligation to maintain confidentiality, and clearly defines the obligation to comply with the Personal Data Protection Law (KVKK). It is envisaged that insurance companies are bound by the Regulation and, consequently, by their obligations arising from the KVKK.
  • In accordance with Article 14 of the Regulation, it is envisaged that the individual’s insurance records and health information will be kept on an individual basis in individual and group contracts, the gathering of personal data is prevented even in group insurances, and the personal data of each insured is regulated to be stored separately and in a traceable manner.
  • Article 14 of the Regulation regulates the data retention period and the obligation to delete, destroy, or anonymize data. Insurance records and health information held by the Center shall be retained for ten years from the termination of the individual’s insurance, and upon expiration of this period, the Center shall delete, destroy, or anonymize this data in accordance with the KVKK.
  • Regulation Article 14 regulates the confidentiality obligation within the scope of protecting health data, which is considered special category data under the KVKK. It is provisioned that all real and legal persons subject to the confidentiality obligation listed in Article 31/A of the Insurance Act No. 5687, who have a confidentiality obligation and secrets about the insured, are responsible for keeping these secrets confidential and that this obligation shall continue even after the termination of the aforementioned status and duties.

You may access the full text of the Regulation from the link below.

T.C. Resmî Gazete

This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.

 

 

<<<
The Personal Data Protection Authority has published a public announcement on the exemption criterion concerning the obligation to register with VERBİS for data controllers whose main activity is the processing of special categories of personal data.