Türkiye’s 2026 KVKK Decision on Acview

Türkiye’s Personal Data Protection Authority has issued a new principle decision addressing the processing of accident victims’ personal data.

The decision, dated 20 May 2026 and numbered 2026/1095, was announced on 1 July 2026. It responds to complaints that accident victims were being contacted without requesting such contact by claims consultancy businesses, “insurance tracking” operations, lawyers, and in some cases people presenting themselves as lawyers despite not appearing on bar records.

The immediate target is clear: unlawful access to accident-related personal data and its use to approach victims for business.

But the compliance implications are broader.

The decision reinforces an important operational rule for organizations across the accident-response ecosystem:

Access to personal data for one legitimate accident-related purpose does not create a general right to reuse, share or commercialize that data for another purpose.

For insurers, insurance experts, healthcare providers, repair networks, assistance providers, intermediaries and other organizations that can access accident-related information, the decision should trigger a review of who can access the data, why they can access it, what they can export or share, and whether those activities can be demonstrated through logs and controls.

What happened?

The Personal Data Protection Authority said it had received numerous reports and complaints concerning accident victims being contacted without their request by organizations operating under descriptions such as:

  • claims consultancy;
  • insurance tracking services;
  • lawyers;
  • and persons presenting themselves as lawyers despite apparently not being registered as such.

The concern was not simply that unwanted calls were being made.

The underlying question was more fundamental:

How did these parties obtain information showing that a particular person had recently been involved in an accident?

An accident can generate a substantial data trail across multiple organizations and systems. Depending on the incident, that may include:

  • name and contact information;
  • identity information;
  • vehicle and licence plate data;
  • accident reports;
  • photographs and video;
  • location information;
  • insurance and claims information;
  • repair records;
  • police or administrative records;
  • and, in some cases, health or injury information.

The Authority’s decision focuses on the risk that information legitimately available somewhere in this chain is accessed, extracted or disclosed without an appropriate legal basis and then used for unrelated commercial solicitation.

The most important compliance message: purpose matters after access is granted

The decision expressly recognizes that accident victims’ personal data may need to be processed for legitimate purposes such as:

  • judicial or administrative investigations;
  • managing medical treatment;
  • repairing damaged vehicles;
  • and carrying out insurance-related processes.

The problem is therefore not the existence of accident-related data processing itself.

The problem arises when data obtained for those purposes moves outside the purpose and legal conditions that justified the processing.

For example, an employee may legitimately need access to an accident file to administer a claim. That does not automatically mean the employee may export the victim’s contact details and provide them to a third-party claims business.

A healthcare provider may need information about an accident to provide treatment. That does not automatically allow the same information to be repurposed for unrelated referrals or commercial outreach.

An insurance expert may access personal data while carrying out legally recognized professional duties. The decision makes clear that this access must remain connected to those duties and does not permit unauthorized disclosure to third parties.

This is a practical application of a wider KVKK principle:

A lawful entry point into a dataset is not a blank cheque for every later use of that data.

What the decision says about insurance experts

The decision specifically distinguishes legitimate activities of insurance experts from unauthorized secondary use.

According to the Authority, insurance experts may process personal data within the framework of their legal duties, including activities connected with:

  • damage assessment;
  • reporting;
  • and the management of compensation processes.

However, the data entrusted to them must be used only for the purposes required by those duties.

The decision also emphasizes that they must:

  • avoid sharing the data with unauthorized third parties;
  • implement appropriate technical and administrative security measures;
  • and comply with professional confidentiality obligations.

This is an important distinction.

The decision does not treat all access to accident information as suspicious. It instead asks whether the person accessing the data:

  1. has a legitimate role in the process;
  2. has an applicable KVKK processing condition;
  3. is using the data within the scope of that role;
  4. and is preventing unauthorized onward use.

An insurance expert who needs an accident file to perform an assigned assessment is therefore in a very different position from someone using access to accident data to build or supply a commercial prospect list.

The decision goes beyond privacy notices and consent forms

One of the most important parts of the decision is operational.

The Authority says that data controllers holding or processing accident victims’ personal data should implement measures including:

  • employee training and awareness;
  • access restrictions based on the principle of minimum necessary access;
  • role-based access controls;
  • and logging and monitoring mechanisms.

This makes the decision particularly relevant to information security and access governance.

A company may have privacy notices, policies and contractual clauses, but still face significant risk if:

  • hundreds of employees can search accident records without a business need;
  • customer records can be exported without approval;
  • shared administrator accounts make individual actions impossible to trace;
  • third-party call centres receive excessive datasets;
  • access rights remain active after employees change roles;
  • or the company cannot determine who viewed or downloaded a victim’s records.

The decision therefore points toward a basic control model:

Need to know → minimum access → controlled use → monitored activity → accountable sharing.

What organizations should review now

The decision directly addresses practices within the insurance and accident-claims environment, but its control expectations may be relevant to other organizations that hold or receive accident-related information.

The degree of relevance will depend on the organization’s actual role, data flows and legal basis.

Organization Main issue to review
Insurers and claims administrators Internal access, claim-file exports, downstream sharing and third-party access.
Insurance experts and expert companies Use of data strictly within professional duties and prevention of unauthorized onward disclosure.
Hospitals and healthcare providers Separation of treatment-related use from unrelated referrals, marketing or commercial use.
Vehicle repair networks Limiting customer and accident data to repair and related operational purposes.
Towing and roadside assistance providers Collection minimization, staff access and sharing of victim contact or location information.
Call centres and outsourced service providers Whether access is limited to documented instructions and whether activity is monitored.
Claims consultancies and intermediaries Provenance of accident leads and the legal condition relied on for processing.
Law firms and legal service providers Source of accident-victim data, authority to act and use of information within the relevant mandate.

This does not mean that every organization in these sectors is automatically subject to the same processing conditions.

It means that organizations should be able to answer a basic question:

Why does this person or system have access to this accident victim’s data, and can we demonstrate that the subsequent use remains within that purpose?

A practical accident-data flow review

A useful response to the decision is not to begin by rewriting every privacy notice.

Start with the data flow.

1. Identify where accident-related data enters the organization

Document the main sources.

These may include:

  • the individual;
  • an insurer;
  • an insurance expert;
  • law enforcement or another public authority;
  • a hospital;
  • a repair business;
  • an assistance provider;
  • an intermediary;
  • a business partner;
  • an API or shared industry platform.

For each source, record the data categories received and the reason for receiving them.

2. Identify who can access the data internally

Do not rely only on job titles.

Check the actual systems.

A claims file may technically be accessible to employees in:

  • operations;
  • customer service;
  • sales;
  • finance;
  • IT administration;
  • management;
  • outsourced support;
  • or external service providers.

The correct question is not simply, “Who normally uses the system?”

It is:

Who can technically view, search, download, export or copy the data today?

3. Review the legal condition for each processing activity

Different stages of the same accident process may rely on different processing conditions under KVKK.

Organizations should avoid the assumption that because one stage is lawful, every later use is also lawful.

Review separately:

  • collection;
  • internal access;
  • analysis;
  • sharing;
  • referral;
  • contacting the individual;
  • retention;
  • and deletion.

Where health or other special-category personal data is involved, the requirements under Article 6 of the KVKK must also be assessed.

The correct legal basis should be identified for the actual activity. Organizations should not automatically default to consent where another lawful condition applies, nor assume that consent cures an otherwise excessive or incompatible processing operation.

4. Test whether the purpose has changed

This is where many accident-data risks are likely to appear.

Ask:

  • Was the data collected to process a claim but later used for sales?
  • Was it obtained for medical treatment but later shared for a commercial referral?
  • Was it accessed for damage assessment but then passed to an unrelated intermediary?
  • Was a victim’s telephone number extracted from an operational system to make an unsolicited business approach?
  • Was data supplied to a vendor for one service and then used by that vendor for its own purposes?

A change in purpose may require a separate legal analysis.

The original reason for having the data does not automatically justify the new use.

5. Review access controls against actual job needs

The Authority specifically refers to the principle of minimum authorization and role-based access.

Organizations should therefore test whether:

  • users receive only the permissions required for their role;
  • sensitive fields are restricted where full access is unnecessary;
  • bulk exports are limited;
  • privileged access is separately controlled;
  • access is removed when responsibilities change;
  • inactive accounts are disabled;
  • and third-party access is time-limited and monitored.

For higher-risk datasets, organizations should also consider whether particularly sensitive actions require additional approval or authentication.

6. Make sure logs are useful, not merely present

The decision expressly identifies logging and tracking mechanisms as relevant security measures.

A log that exists but cannot answer basic investigation questions may provide limited protection.

Organizations should consider whether they can determine:

  • which user accessed a record;
  • what information was viewed;
  • whether information was edited;
  • whether a file was downloaded or exported;
  • when the activity occurred;
  • whether unusually large numbers of records were accessed;
  • and whether the activity was consistent with the user’s role.

Monitoring should be proportionate to the risk and should itself be implemented in compliance with applicable data protection requirements.

The objective is not indiscriminate employee surveillance.

The objective is to make access to sensitive operational data accountable.

7. Review third-party and vendor access

Accident-related data frequently moves across organizational boundaries.

A controller may have appropriate internal controls but still create risk by providing excessive or poorly controlled access to:

  • outsourced claims handlers;
  • call centres;
  • technology providers;
  • repair networks;
  • consultants;
  • assistance providers;
  • or other intermediaries.

Review:

  • what data the third party receives;
  • why it receives it;
  • whether the dataset is limited to what is necessary;
  • whether the third party may use the data for its own purposes;
  • whether subcontractors are involved;
  • what access controls apply;
  • what logging is available;
  • and what happens to the data when the service ends.

Contractual language matters, but contracts should reflect the real operational data flow.

A contractual prohibition on secondary use is of limited value if the technical environment still allows unrestricted copying and export.

Accident data can become more sensitive when datasets are combined

Not every accident record contains special-category personal data.

However, accident processes can easily involve health information, including:

  • injuries;
  • diagnoses;
  • treatment details;
  • disability information;
  • medical reports;
  • and other health-related records.

Health data is special-category personal data under the KVKK and requires additional attention under the applicable Article 6 framework and relevant security requirements.

Organizations should therefore avoid treating “accident data” as one uniform data category.

A vehicle repair file containing a name, telephone number and licence plate presents a different risk profile from a claim file containing medical records, permanent disability information and detailed financial calculations.

Access controls should reflect that difference.

Does the decision ban all contact with accident victims?

No.

The decision should not be read as a general prohibition on every communication following an accident.

The key issues are:

  • how the person’s data was obtained;
  • whether there is a valid processing condition;
  • whether the data is being used for a legitimate and compatible purpose;
  • whether any disclosure was authorized and lawful;
  • and whether the organization has complied with its wider KVKK obligations.

A company should therefore not conclude that obtaining a telephone number somehow makes outreach lawful.

Equally, the decision does not say that every organization involved in an accident process is prohibited from contacting the individual.

The legal and operational context matters.

Does the decision mean consent is always required?

No.

The Authority itself recognizes that accident-related personal data may be processed under applicable legal conditions for activities such as investigations, treatment, repair and insurance processes.

The correct question is therefore not simply:

“Do we have consent?”

It is:

“What is the applicable processing condition for this specific activity, and are we remaining within its scope?”

Where no applicable processing condition exists, the activity should not proceed merely because the organization happens to possess the data.

What about hospitals?

The decision is not a hospital-sector principle decision.

However, it expressly recognizes treatment as one of the legitimate contexts in which accident victims’ data may be processed.

For healthcare organizations, the practical implication is therefore mainly one of purpose separation.

Data available for treatment should not automatically flow into unrelated:

  • marketing;
  • lead-generation;
  • referral;
  • or other commercial processes.

Because health data may also be involved, hospitals and healthcare providers should conduct a separate assessment under the KVKK rules governing special-category personal data.

What about towing, roadside assistance and repair providers?

These sectors are not the principal target of the decision.

However, they can sit close to the point where accident information is first generated and may receive:

  • names;
  • telephone numbers;
  • vehicle information;
  • locations;
  • accident details;
  • and information about insurers or claims.

Where such organizations act as data controllers or processors, their actual role should be assessed.

Particular attention should be given to onward sharing.

A towing company receiving a victim’s telephone number to coordinate vehicle recovery should not assume that the same data can be passed to unrelated businesses for sales or lead-generation purposes.

What about media organizations?

The decision should not be treated as a general ruling on media reporting about accidents.

Media processing can raise separate questions involving freedom of expression, journalistic activity, public interest and the specific circumstances of publication.

The 2026 accident-victim decision is primarily concerned with unlawful access to and use of personal data within accident and insurance-related processes.

Its general lessons on purpose limitation and unauthorized disclosure may still be relevant, but the decision should not be mechanically applied as though it created a new universal rule for accident reporting.

The lead-generation risk is bigger than buying a list

Organizations often think of unlawful lead generation as purchasing a spreadsheet from an obviously questionable source.

The real risk can be more subtle.

A lead may originate from:

  • an employee with excessive system access;
  • a contractor exporting operational records;
  • an intermediary using data obtained for another service;
  • a shared industry system;
  • an improperly configured API;
  • screenshots sent through messaging applications;
  • a business partner quietly reusing customer information;
  • or a former employee retaining access or downloaded files.

This means organizations should review not only where they buy leads.

They should review where commercially useful data can leak out of legitimate operational processes.

A practical six-question test

For any workflow involving accident victims’ personal data, ask:

  1. Source: Where did the data come from?
  2. Purpose: Why was it originally obtained?
  3. Legal condition: What KVKK processing condition applies to this specific activity?
  4. Access: Who actually needs access?
  5. Sharing: Who receives the data, and why?
  6. Evidence: Can we demonstrate the above through documentation, permissions and logs?

An organization that cannot answer these questions may have a governance problem even before a complaint or incident occurs.

What should organizations do now?

The decision does not necessarily require every organization to launch a new standalone compliance programme.

A targeted review may be more useful.

Priority 1: Find uncontrolled access

Identify systems containing accident, claim, treatment, repair or related victim information.

Review:

  • broad user permissions;
  • shared accounts;
  • unrestricted search;
  • bulk export capabilities;
  • unmanaged downloads;
  • and dormant access.

Priority 2: Trace onward sharing

Map which external parties receive accident-related information.

Confirm:

  • the purpose;
  • the legal basis;
  • the minimum data required;
  • and the contractual and technical controls.

Priority 3: Investigate lead-generation channels

Where an organization receives accident-related prospects, require a clear answer to:

How was this person identified as an accident victim?

A generic statement such as “partner data,” “public information” or “industry source” should not be accepted without further validation.

Priority 4: Strengthen detection

Use logging and proportionate monitoring to identify unusual behaviour such as:

  • repeated searches unrelated to assigned cases;
  • mass record access;
  • unusual downloads;
  • access outside expected responsibilities;
  • or repeated exports of contact information.

Priority 5: Preserve accountability

Document:

  • processing purposes;
  • applicable legal conditions;
  • access decisions;
  • vendor roles;
  • retention periods;
  • and incident escalation procedures.

The objective is to be able to demonstrate that access to accident-related data is controlled rather than assumed.

A broader lesson for KVKK compliance

The significance of this decision extends beyond accidents.

Many personal-data incidents begin with information that was originally collected lawfully.

The failure happens later.

An employee accesses more data than necessary.

A vendor reuses information for another purpose.

An operational database becomes a marketing source.

A legitimate recipient shares information with an unauthorized party.

This is why practical KVKK compliance cannot stop at privacy notices and consent forms.

Organizations also need to control:

  • identity and access management;
  • role design;
  • system permissions;
  • exports;
  • third-party access;
  • logs;
  • employee behaviour;
  • and secondary uses of data.

The 2026 accident-victim decision is a useful reminder that privacy compliance and security governance meet at the point of access.

Conclusion

Türkiye’s new principle decision is primarily a response to the unlawful acquisition and use of accident victims’ personal data, particularly where victims are approached by claims-related businesses or other parties without a valid basis.

But the decision’s practical importance is wider.

Organizations holding accident-related data should be able to demonstrate that:

  • access is tied to a legitimate role;
  • processing remains within an applicable legal condition and defined purpose;
  • unauthorized onward sharing is prevented;
  • permissions follow the principle of minimum necessary access;
  • important activity is logged and reviewable;
  • and employees and service providers understand the limits on secondary use.

The most useful response is therefore not simply to add another sentence to a privacy notice.

It is to examine the actual route that accident data takes through people, systems, vendors and commercial processes.

Kooch Cybersecurity & Compliance helps organizations assess KVKK data flows, access controls, processing purposes and operational compliance gaps. A targeted KVKK gap analysis can help identify where documented privacy practices and real system behaviour do not match.

Sources / References

  • Kişisel Verileri Koruma Kurumu — Public announcement concerning the Personal Data Protection Board’s Principle Decision dated 20 May 2026 and numbered 2026/1095 on the processing of accident victims’ personal data.
Masoud Salmani