I. INTRODUCTION
This information note has been prepared in accordance with the Personal Data Protection Board’s Principle Decision No. 2026/1095, dated May 20, 2026, and the Public Announcement regarding this decision, dated July 1, 2026. The primary purpose of this document is to detail the legal obligations of data controllers involved in legal proceedings and to comprehensively analyze the severe penalties they may face in the event of potential violations.
The aforementioned legal regulations and the Board’s decision are centered on preventing the exploitation of the vulnerable and defenseless situation in which victims of traffic accidents, workplace accidents, or similar adverse events find themselves. In particular, the primary focus of these newly enacted measures is to address entities operating without authorization under names such as “claims consulting firms” or similar designations, which unlawfully obtain personal data belonging to accident victims and use it for their own benefit.
In this context, the text comprehensively addresses the rules aimed at preventing unlawful access to and processing of victims’ personal data. It also clearly sets out the mandatory boundaries that data controllers—such as insurance companies, healthcare institutions, and experts—must observe to ensure compliance with the law.
II. ANALYSIS
An examination of the complaints and reports submitted to the Personal Data Protection Authority reveals that victims of workplace accidents, traffic accidents, or similar adverse events have become a target audience contacted without their explicit consent. It has been observed that these contacts are generally made by representatives of “claims adjustment firms” or unauthorized individuals posing as attorneys; victims are promised compensation in exchange for a power of attorney, and authorization is obtained unfairly by exerting psychological pressure on them. In some cases, it has even been determined that unauthorized transactions were carried out on behalf of the victims without any instructions, and that personal data—such as accident reports—was accessed through illegal means. Given the widespread nature of these systemic violations, the adoption of the aforementioned Principle Decision by the Board has become a legal necessity.
The actions addressed in the Council’s decision not only constitute a violation of personal data but also clearly contravene the mandatory provisions of the Lawyers’ Act No. 1136. Under the law, the authority to seek redress before judicial authorities and to conduct legal proceedings is exclusively granted to attorneys registered with the bar association; unauthorized individuals and companies engaging in these activities are in violation of the prohibitions on intermediation and advertising. Furthermore, pursuant to the Insurance Act No. 5684, compensation claims may only be paid to the rightful claimant or to the attorney acting as the claimant’s official representative.
Any contract entered into for the transfer of these claims to claims adjustment companies is legally void.
The unlawful acquisition and use of personal data belonging to accident victims, in circumvention of relevant legislation, may give rise to criminal liability under Articles 135, 136, and 137 of the Turkish Penal Code (TCK), depending on the manner in which the act was committed and whether the legal elements of the crime are present. Since the unauthorized acquisition and transfer of data may constitute offenses under Articles 136 and 137 of the Turkish Penal Code (TCK), it is noted that criminal complaints may be filed with the Public Prosecutor’s Office against the parties involved. Furthermore, complaints may be filed with the Board under Law No. 6698 against companies, attorneys, and experts who operate beyond the limits of their legal authority and without relying on a legitimate processing condition. With regard to attorneys, bar association disciplinary proceedings and the prohibition on soliciting business under the Attorney’s Act may come into play; for insurance experts and other professionals, disciplinary or licensing sanctions arising from specific legislation may also be applicable.
The data processing activities of insurance experts, however, must be strictly limited to the management of damage assessment and claims settlement processes, within the clear boundaries defined by the Insurance Act No. 5684, the Personal Data Protection Act No. 6698, and secondary legislation. Experts are obligated to never share this sensitive data—which they process based on legitimate grounds such as explicit legal provisions or the fulfillment of a contract—with unauthorized third parties under any circumstances, and to strictly adhere to their professional duty of confidentiality. Otherwise, any unauthorized transfer will result not only in severe administrative penalties but also in criminal liability under the Turkish Penal Code (TCK).
Although the processing of data belonging to accident victims for the purposes of judicial proceedings or medical treatment following an accident is considered lawful, data controllers must conduct these activities strictly in accordance with the legal framework and the intended purpose. Pursuant to Article 12 of Law No. 6698, data controllers are required to take all necessary technical and administrative measures—taking into account their organizational structures and risks—to prevent unlawful processing and unauthorized access to data, and to ensure the security of the data. The Law also explicitly stipulates that employees involved in data processing may not disclose the information they have learned to others, and that this duty of confidentiality continues even after they leave their positions.
In this regard, one of the primary measures that must be taken is for data controllers to organize training sessions for their employees on data security and protection. At the same time, adopting the principle of least privilege for data access, ensuring role-based access controls, and establishing monitoring mechanisms are legal requirements. Any individual, institution, or organization that fails to comply with these mandatory rules and administrative measures specified in the Board’s Decision on Principles will be subject to administrative fines pursuant to Article 18 of Law No. 6698; furthermore, depending on the nature of the violations, criminal investigations and disciplinary proceedings will be initiated.
It is possible for the same incident to violate different legally protected values under the Personal Data Protection Law (KVKK), criminal law, insurance legislation, and professional rules. Therefore, the imposition of an administrative sanction does not automatically preclude a criminal investigation, nor does the conduct of a criminal investigation automatically preclude the Board’s administrative oversight.
III. CONCLUSION AND EVALUATION
This Principle Decision issued by the Personal Data Protection Board represents a critical step taken to prevent the activities of unauthorized individuals and institutions that exploit the vulnerable situations of accident victims. The Board has addressed the issue comprehensively, not only within the framework of data protection legislation but also in light of the Attorney’s Act, the Insurance Act, and the Turkish Penal Code, thereby clarifying that violations such as the unlawful acquisition of data and the assignment of claims are subject to both severe administrative and criminal penalties.
This decision imposes a strict oversight obligation on insurance companies, healthcare institutions, experts, service providers, call centers, and other data controllers that process personal data as part of their operations to review their data inventories and authorization matrices in light of the Principle Decision; to train staff; to restrict access permissions on a role-based basis; and to ensure data security. Failure to comply with the technical and administrative measures specified in the Decision will not only result in severe administrative fines for data controllers but also pave the way for criminal investigations and professional disciplinary proceedings; therefore, it is crucial for all stakeholders to promptly review their data security policies and operate in accordance with the Decision.