October 27, 2025
Full Compliance with the LPPD: A New Data Protection Framework for Private Health Insurance
The “Regulation Amending the Regulation on Private Health Insurance” (the “Amendment Regulation”), published in the Official Gazette dated 20 October 2025 and numbered 33053, aims to align the provisions governing the processing and protection of personal health data with the Law on the Protection of Personal Data No. 6698 (“LPPD”) and to strengthen data protection standards within the insurance sector.
Prior to the amendment, it was stipulated that an insured person’s insurance records and health information obtained with written consent would be maintained on an individual basis, and that such information could not be shared with any third party other than the Insurance Information and Monitoring Center and other competent authorities, without the explicit consent of the insured.
The amendment considerably expands the scope of the article and introduces a more rigorous data protection framework by directly referring to the LPPD. The Amendment Regulation explicitly stipulates that insurance records and health information must be maintained on an individual basis not only under individual policies but also within group insurance schemes.
Furthermore, the Amendment Regulation explicitly stipulates that all personal data processing activities carried out within its scope must comply with the procedures and principles set forth under the LPPD and the secondary legislation enacted pursuant thereto. Accordingly, the processing of personal health data by insurance companies can no longer solely rely on explicit consent; companies are now required to ensure full compliance with the general principles of the LPPD, particularly in relation to purpose limitation, data retention management, data security, and destruction obligations.
In contrast to the previous version, which did not prescribe a specific retention period for insurance records, the new provision explicitly requires that such records should be retained for ten years following the termination of the insured person’s coverage and deleted thereafter.
The amendment also redefines the confidentiality obligation, limiting its scope to the persons listed under Article 31/A of the Insurance Law No. 5684. Accordingly, all natural and legal persons who have access to confidential information concerning the insured will remain bound by this confidentiality obligation, even after their title or function has ceased.
In conclusion, the amendment establishes a second layer of compliance requirements in the insurance sector by directly linking the obligations of insurance companies under the LPPD with sector-specific supervisory mechanisms. Insurance companies and intermediaries are therefore recommended to promptly update their internal policies, operational procedures, and contractual arrangements with external service providers to ensure full compliance with the revised Regulation.

