Board’s Principle Decision on Discontinuing the Practice of Copying Guests’ Identity Documents in the Tourism and Hospitality Sector

The Personal Data Protection Board (“Board”) adopted the “Principle Decision on the Recording of Photocopies of the Republic of Türkiye Identity Cards of Persons Receiving Accommodation Services in the Tourism and Hospitality Sector” (“Decision”) on 6 November 2025, and the Decision was announced by being published in the Official Gazette dated 9 December 2025 and numbered 33102. The full Turkish text of the Decision is available here.

With the Decision, it was stated that, pursuant to Article 2 of the Identity Reporting Law No. 1774 and Article 5 of the Regulation on the Implementation of the Identity Reporting Law, it is a legal obligation for accommodation providers to record the identity information of guests (e.g. name, surname, Turkish ID number) and to keep such information available for inspection by authorities; and that, in this context, the processing of said identity information is based on the legal grounds set out in Article 5/2/a of the Law No. 6698 on the Protection of Personal Data (“Law”), namely “explicitly envisaged by laws”, and in subparagraph (ç), namely “being mandatory for the data controller to fulfil its legal obligation”, and therefore constitutes a lawful personal data processing activity. In addition, it was assessed that the processing of information such as the customer’s name, surname and room number for the purpose of invoicing the accommodation service, pursuant to the Tax Procedure Law No. 213, is also lawful within the scope of the condition of “explicitly envisaged by laws”.

However, the Board determined that, while requesting guests to present their Turkish identity documents is reasonable and necessary to verify the accuracy of identity information by comparing it against an official document, the practice of taking and recording photocopies of such documents is contrary to the Law. In its proportionality assessment, the Board concluded that merely showing the identity document is sufficient for verification purposes, and that taking photocopies therefore constitutes “processing more data than necessary” and lacks any legal basis. Regarding the protection of special categories of personal data, the Board emphasized that old-type identity cards include information such as religion and blood type, which fall within Article 6 of the Law. The Board further noted that taking and retaining photocopies of these documents breaches the conditions for processing special categories of personal data set out in the same article.

Accordingly, the Decision set forth that data controllers operating in the tourism and hospitality sector must cease the practice of taking photocopies of guests’ identity documents and must destroy identity card photocopies belonging to guests who received services prior to the publication of the Decision, in accordance with Article 7 of the Law. Otherwise, administrative sanctions may be imposed on data controllers pursuant to Article 18 of the Law.

Given that the practice of taking photocopies of identity documents, which has been a matter of debate in the tourism and hospitality sector, entails serious risks in terms of personal data security and the principle of proportionality, the Board has clarified this issue via this Decision. This Decision, which affects a broad field of service, has been published on the website of the Personal Data Protection Authority to inform the public, sector representatives and the relevant data controllers. In doing so, the Board has once again underlined the data minimisation principle and emphasised the importance of proportionality assessments in personal data processing activities.

 

Elif Aksöz Bayraktar, Senior Associate
Zeynep Arslan, Legal Intern