Technological developments have led to significant changes in risk assessment and premium determination processes in the insurance sector. In particular, data collected through telematics devices used in vehicle insurances enable personalised premium offers by analysing driver behaviour. However, this practice brings along various legal problems in terms of personal data protection legislation.
Telematics data are data collected through devices placed in vehicles or mobile applications that provide information about the behaviour of the driver. This data includes:
- Speed
- Braking pattern
- Acceleration pattern
- Manoeuvring patterns
- Travel distances and times
- Location information
Pursuant to Law No. 6698 on the Protection of Personal Data (KVKK), personal data is defined as ‘any information relating to an identified or identifiable natural person’. Whether a data is personal data or not is evaluated within the scope of the concrete case. In this context, telematic data meets the definition of personal data and is accepted as personal data.
Although telematic data containing location information does not fall into the category of special categories of personal data within the scope of Article 6 of the LPPD, it can be considered as highly sensitive data.
Telematic data; insurance companies use these data for specific purposes such as risk assessment, pricing, damage management and it is seen that these data are processed and taken as basis for insurance policies.
The data processing activities carried out by insurance companies are evaluated as follows within the scope of the LPPD:
In order to process telematic data within the scope of Article 5 of the LPPD:
– Explicit Consent: Insurance companies must obtain explicit consent from the insured for the collection and processing of telematics data. This consent must be informed, related to a specific subject and based on free will.
– Performance of the Contract: Pursuant to Article 5/2(c) of the LPPD, telematic data may be processed provided that it is directly related to the conclusion or performance of the contract. However, when the precedent decisions of the Personal Data Protection Board are examined, it is emphasised that data processing must be an essential element of the contract.
– Legitimate Interest: Within the scope of Article 5/2(f) of the LPPD, it is possible to process data for the legitimate interest of the data controller. Insurance companies may claim legitimate interest for accurate risk assessment and fair determination of premiums. However, a balance of interest test is required.
Within the scope of data processing activities by insurance companies, data must be processed in accordance with the principle of ‘being relevant, limited and proportionate to the purpose for which they are processed’ as per Article 4/2(c) of the LPPD. Insurance companies should not collect telematic data that is not necessary for risk assessment.
In the precedent decisions of the Court of Cassation, it is stated that the data used by insurance companies in risk assessment should be limited and appropriate for the purpose, and the decisions of the Personal Data Protection Board refer to the principle of data minimisation.
Again, in the European Data Protection Board’s guidance dated 2020, the importance of the principles of transparency and accountability in the processing of telematic data is emphasised. In the case law of the Court of Justice of the European Union, the necessity to protect the right to privacy in the processing of location data is emphasised.
In this context, in order for insurance companies to carry out their data processing activities in accordance with the LPPD, clear and layered clarification texts should be prepared for telematic data processing activities, which is a technical issue, an opt-in system should be established for the collection of telematic data, which is not mandatory, data retention periods should be clearly determined and data should be deleted at the end of these periods, and telematic data to be used for statistical analyses should be anonymised.
The use of telematic data in determining insurance premiums enables a fairer and more personalised risk assessment in the insurance sector. However, in order for this practice to be compliant with the LPPD and GDPR, a meticulous approach must be taken in terms of data minimisation, transparency, data subject rights and data security. For a lawful telematic data processing system, it is of great importance to take technical and administrative measures, to comply with the basic principles of data protection legislation and to ensure that the rights of the data subject can be effectively exercised.
