Partner
Analysis & trends
Amendment to the Regulation on Private Health Insurance
The Regulation Amending the Regulation on Private Health Insurance (the “Amendment Regulation”) was published in Official Gazette No 33053 on 20 October 2025, introducing amendments to the Regulation on Private Health Insurance (the “Regulation”). Under the Amendment Regulation, the requirement to obtain written consent for the processing of health data has been removed, with all personal data processing activities conducted within the scope of the Regulation being made subject to the provisions of the Law on the Protection of Personal Data No 6698 (“LPPD”) and the relevant secondary legislation. In addition, the Amendment Regulation introduces significant provisions concerning the processing of personal data and the confidentiality obligations applicable to relevant parties.
REMOVAL OF THE WRITTEN CONSENT REQUIREMENT
With the Amendment Regulation, the requirement to have written consent for processing health data under private health insurance has been removed. All data processing activities in this area are now directly governed by the LPPD framework. The health data of the relevant individuals may now be processed without the previously required written consent under the Regulation, provided that one of the legal bases for processing special categories of personal data set out in Article 6(3) of the LPPD is met.
DATA-SHARING FRAMEWORK
Previously, under the Regulation, the health data of individuals could not be shared with any individuals or legal entities, other than the Insurance Information and Monitoring Centre (the “Centre”) and certain other authorities, without the explicit consent of the insured.
Under the Amendment Regulation, such data transfers are now subject to the general data processing and transfer principles of the LPPD. Accordingly, data sharing may be carried out in accordance with the general data processing and transfer principles set out in that law.
RETENTION PERIOD AND DATA DESTRUCTION OBLIGATION
Under the Amendment Regulation, insurance records and health information retained by the Centre must be preserved for 10 years following the termination of the insured person’s coverage. At the end of this period, the data must be deleted, destroyed or anonymized ex officio in accordance with the LPPD.
CONFIDENTIALITY OBLIGATION
Under a new provision introduced by the Amendment Regulation, all individuals and legal entities listed in Article 31/A of Insurance Law No 5684 are subject to a confidentiality obligation that continues even after the termination of the relevant duty or position.
CONCLUSION
The Amendment Regulation ensures that the provisions of the Regulation are aligned with the expanded conditions for processing and transferring special categories of personal data introduced by the 2024 amendments[1] to the LPPD. Accordingly, the requirement to obtain explicit consent for the provision of private health insurance services has been abolished, and personal data processing activities are now subject to the data processing conditions set out in the LPPD. These changes reflect a more comprehensive approach that balances sectoral needs with the regulatory objectives of safeguarding personal data. The Amendment Regulation enters into force on 1 January 2026. Companies processing health data within the scope of private health insurance are therefore expected to review and update their LPPD documentation, including information notices, explicit consent forms and other relevant materials, in accordance with the amended provisions of the Regulation and to ensure their readiness for implementation by the effective date.