PRINCIPLE DECISION OF THE PERSONAL DATA PROTECTION BOARD ON NOT COLLECTING PHOTOCOPIES OF GUESTS’ IDENTITY CARDS IN TOURISM FACILITIES

March 16, 2026

The practice of collecting photocopies of identity cards belonging to customers within the scope of tourism activities will be evaluated within the framework of the Law on the Protection of Personal Data No. 6698 (“Law”) and the Principle Decision of the Personal Data Protection Authority (“Authority”).

In common practice within the tourism and hospitality sector, it has been customary to obtain photocopies of the Turkish identity cards of individuals staying at accommodation facilities. The Authority has assessed this widespread practice within the scope of the applicable legislation and has issued a Principle Decision on the matter.

Accommodation facilities process certain personal data because, pursuant to the legislation to which they are subject, they are obliged to:

  • record guests’ name, surname, Turkish ID number, and arrival–departure information, and
  • verify identity information by comparing it with an official identity document.

In addition, within the scope of the Tax Procedure Law, certain information such as the name, surname, tax office, and tax identification number of the person making the payment is processed in order to issue invoices.

According to the Principle Decision dated 06.11.2025 and numbered 2025/2120 regarding the Recording of Photocopies of Turkish Identity Cards of Persons Receiving Accommodation Services in the Tourism and Hospitality Sector, in summary:

Pursuant to the Law on Identity Notification No. 1774 and the Regulation on the Implementation of the Law on Identity Notification, the processing of personal data carried out by recording the identity information of guests (name, surname, and Turkish ID number) in accommodation facilities is performed within the scope of the conditions of “being explicitly stipulated by law” and “being necessary for the data controller to fulfill its legal obligations.” Therefore, such processing activity is lawful.

Furthermore, requesting the Turkish identity card from guests in order to verify the information they provide is also lawful and consistent with the nature of the service.

However, it is important to emphasize that the processing of personal data carried out by taking and recording photocopies of Turkish identity cards requested from guests for verification purposes does not have a legal basis and also results in the processing of excessive personal data.

For this reason, taking photocopies of guests’ Turkish identity cards and recording them constitutes unlawful data processing.

Moreover, since older versions of Turkish identity cards include fields such as blood type and religion, recording such documents may also result in the unlawful processing of special categories of personal data.

Under the Tax Procedure Law No. 213, invoices must contain certain mandatory information. Therefore, requesting such information from guests constitutes lawful personal data processing, as it arises from statutory obligations.

Following its assessment, the Board concluded that:

  • Data controllers operating in the tourism and hospitality sector must terminate the practice of collecting photocopies of Turkish identity cards from guests staying at accommodation facilities.
  • Data controllers who recorded photocopies of Turkish identity cards belonging to individuals receiving accommodation services prior to the publication of the Principle Decision must destroy such documents in accordance with Article 7 of the Law.

The Board further decided, by unanimous vote, to inform the public and sector representatives that the aforementioned measures constitute administrative and technical safeguards that data controllers must adopt to ensure the lawful processing of personal data under the Law.

It was also stated that, if non-compliance with these requirements is detected, administrative action will be taken against the relevant data controllers pursuant to Article 18 of the Law, and the Principle Decision would be published in the Official Gazette and on the Authority’s website.

Under the Law, recording the relevant personal data is lawful since it is explicitly stipulated by law and necessary for the data controller to fulfill its legal obligations. However, although verifying guest information through an official identity document constitutes a legal obligation, there is no provision in the applicable legislation allowing the collection and storage of photocopies of identity cards.

Therefore, the collection of identity card photocopies does not have a legal basis.

Furthermore, in cases where guests use older versions of Turkish identity cards that contain information such as religion and blood type, the processing of special categories of personal data may also occur.

In such cases, storing photocopies of identity cards would constitute a violation of Article 5 of the Law, and for guests using older identity cards, it may also lead to a violation of Article 6 of the Law.

Accordingly, pursuant to the summarized Principle Decision:

  • Accommodation facilities may request guests’ identity cards solely for verification purposes.
  • Photocopies of identity documents must not be taken.
  • Photocopies of Turkish identity cards that were previously collected and recorded under earlier practices must be destroyed in accordance with Article 7 of the Law.

Since engaging in activities contrary to the Principle Decision may lead to administrative fines under Article 18 of the Law, we recommend that accommodation facilities:

  • terminate the practice of recording photocopies of guests’ identity cards, and
  • destroy existing records accordingly.

Kind regards,

DKND Law Firm