Ban on ID Card Photocopies in Hotel Check-Ins in Turkey: Impact of the Personal Data Protection Authority’s Principle Decision

I. Introduction

With its Principle Decision on “Recording Photocopies of the Turkish Identity Cards of Persons Receiving Accommodation Services in the Tourism and Hospitality Sector”, published in the Official Gazette dated 9 December 2025 and numbered 33102, the Turkish Personal Data Protection Authority (“Authority”) examined the long-standing practice of obtaining ID Card Photocopies in Hotel Stays in Turkey, from guests during check-in, which has been applied almost uniformly by data controllers in the tourism and hospitality sector. In this Principle Decision, the Authority concluded that there is no legal basis for recording ID card photocopies and therefore decided that obtaining ID card photocopies is contrary to the law.

The fact that this practice – which many accommodation facilities consider a routine and almost “mandatory” procedure – has been reassessed by the Authority under the Law on the Protection of Personal Data No. 6698 (“Law” or “KVKK”) has significant implications for all data controllers in the sector. In line with this Principle Decision, data controllers operating hotels and other tourism facilities are now required to re-examine the compliance of their guest registration processes and databases with the Law and to initiate new compliance measures.

II. Content and Reasoning of the Principle Decision on ID Card Photocopies in Hotel Stays in Turkey

2.1. Prohibited Transactions and the Ban on ID Card Photocopies in Hotel Stays in Turkey

In the Principle Decision, it is expressly stated that data controllers operating in the tourism and hospitality sector must put an end to the practice of obtaining photocopies of Turkish ID cards from guests staying at their facilities and storing these photocopies. Accordingly, taking a physical photocopy of the guest’s ID card, scanning it into digital format or, in any way, saving its visual image into systems is considered a personal data processing activity that is contrary to the KVKK.

With this Principle Decision, the Authority not only introduces a prohibition regarding future data processing activities, but also requires that ID card photocopies obtained prior to the publication date of the Principle Decision be destroyed in accordance with the applicable legislation. In this context, hotels and other accommodation facilities must identify all ID card photocopies kept both in physical archives and in digital systems and must carry out deletion and destruction procedures in line with the company’s personal data retention and destruction policies.

2.2. Legal Grounds and Reasoning of the ban on ID Card Photocopies in Hotel Stays in Turkey

The legal reasoning of the Principle Decision is essentially based on a combined interpretation of the provisions of the KVKK and the provisions of the Law on Identity Reporting No. 1774 and its implementing Regulation. Article 5 of the KVKK sets out the conditions for processing personal data in a numerus clausus manner and provides that data processing is only lawful where it relies on certain legal grounds, such as being expressly provided for by law, being necessary for the performance of a contract, or being mandatory for the fulfilment of a legal obligation. Article 6, on the other hand, subjects the processing of special categories of personal data to stricter conditions.

Under the Law on Identity Reporting and the relevant Regulation, accommodation facilities are required to record guests’ identity information and their check-in/check-out dates in the accommodation register or electronic systems and to keep this information available for inspection by the competent authorities. However, there is no provision in the said legislation that allows for obtaining photocopies of identity documents or storing such photocopies. Based on this, the Authority concludes that obtaining ID card photocopies cannot be interpreted as “a requirement of a legal obligation explicitly provided for by law”.

Furthermore, obtaining a photocopy of an identity document leads to processing a broader scope of data than is necessary for fulfilling the identity verification and registration obligation. In particular, in older style identity documents, information such as religion and other special categories of personal data is included; therefore, obtaining an ID card photocopy creates additional risks under Article 6 of the KVKK. For these reasons, the Authority considers the practice of obtaining ID card photocopies to be a data processing activity with no legal basis, and incompatible with the principles of data minimization and processing data that is relevant, limited and proportionate to the purposes for which they are processed.

2.3. Scope of the Identity Verification Obligation After the Principle Decision

While the Principle Decision prohibits the recording of ID card photocopies, it does not abolish the identity verification obligation of accommodation facilities arising from the Law on Identity Reporting. In other words, hotels and other tourism enterprises will continue to request that guests present their identity documents and will remain obliged to record the mandatory information contained in these documents in the accommodation register or electronic systems.

In this framework, following the Principle Decision, the following practices remain lawful and obligatory:

Requesting that guests present their identity documents and checking the information on these documents,
Recording in the accommodation register the identity information required by the relevant legislation (for example, name, surname, Turkish ID number, and dates of arrival and departure),
Keeping these records available for inspection by the competent authorities.

III. Compliance Obligations for Tourism and Accommodation Facilities

3.1. Updating Guest Check-In Procedures

Following the Principle Decision, the first step is to review guest check-in procedures and to immediately discontinue all practices that involve obtaining ID card photocopies. Reception procedures, check-in forms, guest registration cards and the hotel software used (PMS, etc.) must be revised accordingly, and any fields or instructions that request ID card photocopies must be removed.

It is crucial to inform front office staff and other employees involved in the guest registration process that the identity verification obligation is limited to the presentation of the identity document and the recording of the necessary identity information, and that under no circumstances may ID card photocopies be requested. In addition, privacy notices and personal data processing disclosures must be updated, taking into account that ID card photocopies are no longer processed.

3.2. Identification and Destruction of Existing ID Card Photocopies

The Principle Decision does not only introduce a forward-looking prohibition; it also makes the destruction of previously obtained ID card photocopies mandatory in accordance with the legislation. Therefore, as a first step, accommodation facilities must inventory ID card photocopies held both in physical archives and in digital environments. File folders, archive rooms, scanned document files, images uploaded into PMS systems and e-mail attachments must all be included in this review.

ID card photocopies identified in this process must be deleted, destroyed or anonymised in accordance with the company’s personal data retention and destruction policy, and the date and scope of these operations must be documented.

3.3. Review of Internal Documentation and Contractual Relationships

For the compliance process to be complete, not only actual practices but also internal documentation and contractual relationships with data processors must be reviewed. The personal data inventory, retention and destruction policies, KVKK compliance procedures and employee instructions should be updated, taking into account that ID card photocopies are no longer processed.

In addition, contracts concluded with data processors such as hotel software providers, external archiving companies or similar service providers should be examined to identify any provisions referring to ID card photocopies, and such provisions should be amended where necessary. In this way, both the data controller (the accommodation facility) and the data processors will be aligned with the Principle Decision, thereby reducing potential legal and administrative risks.

IV. Conclusion

The Principle Decision of the Personal Data Protection Authority dated 9 December 2025 explicitly characterises a long-standing practice in the tourism and hospitality sector – obtaining and storing photocopies of guests’ Turkish identity cards – as an unlawful personal data processing activity under the KVKK.

Following this Principle Decision, hotel and accommodation facility operators must promptly review their guest check-in procedures, databases, internal documentation and relationships with data processors and complete their compliance efforts. Terminating all procedures based on obtaining ID card photocopies, destroying photocopies that have been stored in the past and properly documenting these steps are of critical importance for reducing potential administrative sanction risks.