With its Principal Decision dated 6 November 2025 and numbered 2025/2120 (“Principal Decision”), the Personal Data Protection Board (“Board”) assessed the practice of accommodation providers operating in the tourism and hospitality sector obtaining photocopies of guests’ Turkish ID cards, within the framework of the Personal Data Protection Law numbered 6698 (“Law”). The Principal Decision was published in the Official Gazette on 9 December 2025.
In its assessment, the Board took into account the widespread adoption of this practice across the sector, the fact that it has been subject to complaints and notifications, and the determination that such practice is inconsistent with the principles of proportionality and data minimization governing the processing of personal data. The Principal Decision aims to ensure that personal data processing practices within accommodation facilities are brought into compliance with the Law.
As a first step, the Board examined the applicable legislative framework and acknowledged that, pursuant to the Identity Notification Law numbered 1774, accommodation facilities are under an obligation to verify guests’ identity information and record certain data. However, the Board explicitly stated that this obligation does not include or justify the collection or retention of identity documents by way of photocopying or duplication. In this context, it was underlined that the identity notification obligation cannot be interpreted as requiring the reproduction of identity documents in their entirety.
According to the Board, during the provision of accommodation services, the recording of information such as the guest’s name, surname, Turkish ID number, and dates of arrival and departure in the systems prescribed under the relevant legislation constitutes a lawful personal data processing activity. Moreover, the presentation and visual inspection of an identity document for the purpose of verifying the accuracy of such information is considered a necessary and proportionate measure. At this point, the Board drew a clear legal distinction between examining an identity document and copying and storing it.
Another critical aspect emphasized in the Board’s assessment concerns the variation in the scope of data processed depending on the type of identity document. Old-type Turkish identity cards include information such as religion, blood type, marital status, and family details, which bear no relevance to the provision of accommodation services. The processing of such data through photocopying identity cards therefore results in unnecessary and disproportionate data processing. Similarly, although such information does not physically appear on the new chip-enabled Turkish ID cards, the photocopying or scanning of these cards was considered to entail increased risks related to biometric data and electronic data security.
In this context, the Board highlighted that the practice of obtaining ID card photocopies may lead to the processing of data that is entirely irrelevant to accommodation services, thereby indirectly infringing the protection regime applicable to special categories of personal data under Article 6 of the Law. Given that data such as religious belief and blood type are explicitly classified as special categories of personal data, any processing of such data without a valid legal basis gives rise to serious legal risks for data controllers.
By contrast, where an identity document is merely presented and visually examined solely for identity verification purposes, without any recording, copying, or duplication, such practice does not result in the processing of special categories of personal data and is therefore considered lawful.
The Board’s assessment was not limited to identity notification obligations but also addressed justifications based on invoicing and financial legislation. In this respect, the Board expressly stated that, although identity information may be required for the issuance of invoices or similar financial documents pursuant to the Tax Procedural Law numbered 213 and related secondary legislation, this requirement does not necessitate the photocopying of identity documents. The Board emphasized that recording only the data required under the relevant legislation is sufficient and that copying identity documents cannot be regarded as a natural or mandatory component of invoicing obligations.
Accordingly, the Board stated that accommodation facilities must cease the practice of obtaining identity document photocopies, and that any such photocopies previously collected must be destroyed in compliance with the Law. It was further underlined that identity data processing activities must be strictly limited to the scope and purpose permitted by the applicable legislation, and that non-compliant practices may result in administrative sanctions for data controllers.
In conclusion, the Principal Decision clearly demonstrates that certain long-standing practices within the tourism and hospitality sector are no longer considered valid under personal data protection law. The Principal Decision provides accommodation facilities with a clear roadmap for restructuring their data processing activities and achieving full compliance with the Law.
Should you have any questions regarding this matter or require further information, please feel free to contact us.
Best regards,
DT Law