
Türkiye’s Personal Data Protection Authority has issued a new principle decision addressing the processing of accident victims’ personal data.
The decision, dated 20 May 2026 and numbered 2026/1095, was announced on 1 July 2026. It responds to complaints that accident victims were being contacted without requesting such contact by claims consultancy businesses, “insurance tracking” operations, lawyers, and in some cases people presenting themselves as lawyers despite not appearing on bar records.
The immediate target is clear: unlawful access to accident-related personal data and its use to approach victims for business.
But the compliance implications are broader.
The decision reinforces an important operational rule for organizations across the accident-response ecosystem:
Access to personal data for one legitimate accident-related purpose does not create a general right to reuse, share or commercialize that data for another purpose.
For insurers, insurance experts, healthcare providers, repair networks, assistance providers, intermediaries and other organizations that can access accident-related information, the decision should trigger a review of who can access the data, why they can access it, what they can export or share, and whether those activities can be demonstrated through logs and controls.
The Personal Data Protection Authority said it had received numerous reports and complaints concerning accident victims being contacted without their request by organizations operating under descriptions such as:
The concern was not simply that unwanted calls were being made.
The underlying question was more fundamental:
How did these parties obtain information showing that a particular person had recently been involved in an accident?
An accident can generate a substantial data trail across multiple organizations and systems. Depending on the incident, that may include:
The Authority’s decision focuses on the risk that information legitimately available somewhere in this chain is accessed, extracted or disclosed without an appropriate legal basis and then used for unrelated commercial solicitation.
The decision expressly recognizes that accident victims’ personal data may need to be processed for legitimate purposes such as:
The problem is therefore not the existence of accident-related data processing itself.
The problem arises when data obtained for those purposes moves outside the purpose and legal conditions that justified the processing.
For example, an employee may legitimately need access to an accident file to administer a claim. That does not automatically mean the employee may export the victim’s contact details and provide them to a third-party claims business.
A healthcare provider may need information about an accident to provide treatment. That does not automatically allow the same information to be repurposed for unrelated referrals or commercial outreach.
An insurance expert may access personal data while carrying out legally recognized professional duties. The decision makes clear that this access must remain connected to those duties and does not permit unauthorized disclosure to third parties.
This is a practical application of a wider KVKK principle:
A lawful entry point into a dataset is not a blank cheque for every later use of that data.
The decision specifically distinguishes legitimate activities of insurance experts from unauthorized secondary use.
According to the Authority, insurance experts may process personal data within the framework of their legal duties, including activities connected with:
However, the data entrusted to them must be used only for the purposes required by those duties.
The decision also emphasizes that they must:
This is an important distinction.
The decision does not treat all access to accident information as suspicious. It instead asks whether the person accessing the data:
An insurance expert who needs an accident file to perform an assigned assessment is therefore in a very different position from someone using access to accident data to build or supply a commercial prospect list.
One of the most important parts of the decision is operational.
The Authority says that data controllers holding or processing accident victims’ personal data should implement measures including:
This makes the decision particularly relevant to information security and access governance.
A company may have privacy notices, policies and contractual clauses, but still face significant risk if:
The decision therefore points toward a basic control model:
Need to know → minimum access → controlled use → monitored activity → accountable sharing.
The decision directly addresses practices within the insurance and accident-claims environment, but its control expectations may be relevant to other organizations that hold or receive accident-related information.
The degree of relevance will depend on the organization’s actual role, data flows and legal basis.
This does not mean that every organization in these sectors is automatically subject to the same processing conditions.
It means that organizations should be able to answer a basic question:
Why does this person or system have access to this accident victim’s data, and can we demonstrate that the subsequent use remains within that purpose?
A useful response to the decision is not to begin by rewriting every privacy notice.
Start with the data flow.
Document the main sources.
These may include:
For each source, record the data categories received and the reason for receiving them.
Do not rely only on job titles.
Check the actual systems.
A claims file may technically be accessible to employees in:
The correct question is not simply, “Who normally uses the system?”
It is:
Who can technically view, search, download, export or copy the data today?
Different stages of the same accident process may rely on different processing conditions under KVKK.
Organizations should avoid the assumption that because one stage is lawful, every later use is also lawful.
Review separately:
Where health or other special-category personal data is involved, the requirements under Article 6 of the KVKK must also be assessed.
The correct legal basis should be identified for the actual activity. Organizations should not automatically default to consent where another lawful condition applies, nor assume that consent cures an otherwise excessive or incompatible processing operation.
This is where many accident-data risks are likely to appear.
Ask:
A change in purpose may require a separate legal analysis.
The original reason for having the data does not automatically justify the new use.
The Authority specifically refers to the principle of minimum authorization and role-based access.
Organizations should therefore test whether:
For higher-risk datasets, organizations should also consider whether particularly sensitive actions require additional approval or authentication.
The decision expressly identifies logging and tracking mechanisms as relevant security measures.
A log that exists but cannot answer basic investigation questions may provide limited protection.
Organizations should consider whether they can determine:
Monitoring should be proportionate to the risk and should itself be implemented in compliance with applicable data protection requirements.
The objective is not indiscriminate employee surveillance.
The objective is to make access to sensitive operational data accountable.
Accident-related data frequently moves across organizational boundaries.
A controller may have appropriate internal controls but still create risk by providing excessive or poorly controlled access to:
Review:
Contractual language matters, but contracts should reflect the real operational data flow.
A contractual prohibition on secondary use is of limited value if the technical environment still allows unrestricted copying and export.
Not every accident record contains special-category personal data.
However, accident processes can easily involve health information, including:
Health data is special-category personal data under the KVKK and requires additional attention under the applicable Article 6 framework and relevant security requirements.
Organizations should therefore avoid treating “accident data” as one uniform data category.
A vehicle repair file containing a name, telephone number and licence plate presents a different risk profile from a claim file containing medical records, permanent disability information and detailed financial calculations.
Access controls should reflect that difference.
No.
The decision should not be read as a general prohibition on every communication following an accident.
The key issues are:
A company should therefore not conclude that obtaining a telephone number somehow makes outreach lawful.
Equally, the decision does not say that every organization involved in an accident process is prohibited from contacting the individual.
The legal and operational context matters.
No.
The Authority itself recognizes that accident-related personal data may be processed under applicable legal conditions for activities such as investigations, treatment, repair and insurance processes.
The correct question is therefore not simply:
“Do we have consent?”
It is:
“What is the applicable processing condition for this specific activity, and are we remaining within its scope?”
Where no applicable processing condition exists, the activity should not proceed merely because the organization happens to possess the data.
The decision is not a hospital-sector principle decision.
However, it expressly recognizes treatment as one of the legitimate contexts in which accident victims’ data may be processed.
For healthcare organizations, the practical implication is therefore mainly one of purpose separation.
Data available for treatment should not automatically flow into unrelated:
Because health data may also be involved, hospitals and healthcare providers should conduct a separate assessment under the KVKK rules governing special-category personal data.
These sectors are not the principal target of the decision.
However, they can sit close to the point where accident information is first generated and may receive:
Where such organizations act as data controllers or processors, their actual role should be assessed.
Particular attention should be given to onward sharing.
A towing company receiving a victim’s telephone number to coordinate vehicle recovery should not assume that the same data can be passed to unrelated businesses for sales or lead-generation purposes.
The decision should not be treated as a general ruling on media reporting about accidents.
Media processing can raise separate questions involving freedom of expression, journalistic activity, public interest and the specific circumstances of publication.
The 2026 accident-victim decision is primarily concerned with unlawful access to and use of personal data within accident and insurance-related processes.
Its general lessons on purpose limitation and unauthorized disclosure may still be relevant, but the decision should not be mechanically applied as though it created a new universal rule for accident reporting.
Organizations often think of unlawful lead generation as purchasing a spreadsheet from an obviously questionable source.
The real risk can be more subtle.
A lead may originate from:
This means organizations should review not only where they buy leads.
They should review where commercially useful data can leak out of legitimate operational processes.
For any workflow involving accident victims’ personal data, ask:
An organization that cannot answer these questions may have a governance problem even before a complaint or incident occurs.
The decision does not necessarily require every organization to launch a new standalone compliance programme.
A targeted review may be more useful.
Identify systems containing accident, claim, treatment, repair or related victim information.
Review:
Map which external parties receive accident-related information.
Confirm:
Where an organization receives accident-related prospects, require a clear answer to:
How was this person identified as an accident victim?
A generic statement such as “partner data,” “public information” or “industry source” should not be accepted without further validation.
Use logging and proportionate monitoring to identify unusual behaviour such as:
Document:
The objective is to be able to demonstrate that access to accident-related data is controlled rather than assumed.
The significance of this decision extends beyond accidents.
Many personal-data incidents begin with information that was originally collected lawfully.
The failure happens later.
An employee accesses more data than necessary.
A vendor reuses information for another purpose.
An operational database becomes a marketing source.
A legitimate recipient shares information with an unauthorized party.
This is why practical KVKK compliance cannot stop at privacy notices and consent forms.
Organizations also need to control:
The 2026 accident-victim decision is a useful reminder that privacy compliance and security governance meet at the point of access.
Türkiye’s new principle decision is primarily a response to the unlawful acquisition and use of accident victims’ personal data, particularly where victims are approached by claims-related businesses or other parties without a valid basis.
But the decision’s practical importance is wider.
Organizations holding accident-related data should be able to demonstrate that:
The most useful response is therefore not simply to add another sentence to a privacy notice.
It is to examine the actual route that accident data takes through people, systems, vendors and commercial processes.
Kooch Cybersecurity & Compliance helps organizations assess KVKK data flows, access controls, processing purposes and operational compliance gaps. A targeted KVKK gap analysis can help identify where documented privacy practices and real system behaviour do not match.