The Personal Data Protection Board Published a Principal Decision on the Recording of Photocopies of Turkish Identity Cards of Individuals Receiving Accommodation Services in the Tourism and Hospitality Sector

12/11/2025

All News
  • Home Page
  • |
  • News
  • |
  • The Personal Data Protection Board Published a Principal Decision on the Recording of Photocopies of Turkish Identity Cards of Individuals Receiving Accommodation Services in the Tourism and Hospitality Sector
The Personal Data Protection Board (“Board”) published its Principal Decision dated 6 November 2025 and numbered 2025/2120 on the Recording of Photocopies of Turkish Identity Cards of Individuals Receiving Accommodation Services in the Tourism and Hospitality Sector (“Principal Decision”) in the Official Gazette dated 9 December 2025 and numbered 33102, as well as on the website of the Personal Data Protection Authority (“Authority”)
With the Principal Decision, the Board states, in summary, that obtaining photocopies of Turkish identity cards from individuals accommodated in accommodation facilities (“Accommodation Facilities”) within the scope of activities in the tourism and hospitality sector constitutes excessive data processing and therefore violates the Personal Data Protection Law No. 6698 (“KVKK”), and that such practices must be terminated. In this context, the Board clarifies the limits of Accommodation Facilities’ obligations regarding identity verification and registration under the Identity Reporting Law No. 1774 (“Identity Reporting Law”) in terms of personal data processing.


I. Evaluations Regarding the Principal Decision and Implementation of the Principal Decision:

In its assessment within the Principal Decision, the Board states that the data processing activity implemented by Accommodation Facilities in the form of recording identity information consisting of name, surname, and Turkish ID number pursuant to the Identity Reporting Law constitutes a lawful data processing activity, as it is explicitly stipulated by law and necessary for the data controller to fulfill its legal obligation.

Regarding the scope of personal data processing implemented for the purpose of fulfilling a legal obligation, the Board emphasizes that, for the identity verification and registration obligation imposed by the Identity Reporting Law, it is sufficient for Accommodation Facilities to record only the specified information and to request the identity document for verification purposes. Additionally, the Board further notes that obtaining and recording a photocopy of the identity document results in the processing of data beyond the requirements of the legal obligation.

Accordingly, the Board concludes that the recording of photocopies of Turkish identity cards is a data processing activity that exceeds the scope of the legal obligation under the Identity Reporting Law, lack of a legal basis, and is therefore unlawful under the KVKK.

The Board also states that recording the old form of identity cards, which contains information such as religion and blood type, would constitute a violation of the KVKK provisions on the protection of special categories of personal data.

Finally, The Board states that the personal data requested from the customers for invoicing purposes due to purchasing of an accommodation service in the tourism and hospitality sector will also be lawful on the legal basis of being ‘explicitly stipulated in laws,’ providing that such processing is strictly limited to the requirements set forth in the Tax Procedure Law No. 213 (“VUK”).


II. Conslusion

In summary, within the scope of the Principle Decision, data controllers operating in the tourism and hospitality sector may process personal data by requesting the Turkish Identity Card from guests, recording the required information and verifying its accuracy, and returning the card after the verification. It is stated that any processing activity exceeding this limit would be unlawful. In this regard, as also stated by the Board in the Principal Decision, Accommodation

Providers are required to:
  • cease the practices of obtaining photocopies of Turkish ID cards; and
  • in compliance with the KVKK, destroy any photocopies or related documents that were recorded prior to the publication of the Principal Decision.
If Accommodation Facilities fail to cease the practice of obtaining photocopies of identification documents and/or fail to carry out the required destruction of the existing documents, they may face administrative and judicial sanctions under the KVKK, due to the failure to implement necessary administrative and technical measures and the failure to destroy personal data that must be eliminated.

You may access the full Turkish text of the Principal Decision published by the Authority here.


Işılay Işık, Associate
Aleyna Katırağ, Trainee Lawyer



Other News
10/21/2025
Obligations of Companies under the Cybersecurity Law
Türkiye’s first binding regulation on cybersecurity — Law No. 7545 on Cybersecurity — came into effect on March 19, 2025. The law introduces both technical and administrative obligations for companies operating in the private sector.
News| Legal Updates
10/1/2025
An Exemption Criterion Has Been Published by the Personal Data Protection Board for Data Controllers Whose Main Activity Is the Processing of Special Categories of Personal Data Regarding the Obligation to VERBİS Registration
The Personal Data Protection Board (“Board”) has updated the exemption criterion specified in its decision dated 06.07.2023 and numbered 2023/1154, which regulates exemptions from the obligation of data controllers to register with the Data Controllers’ Registry Information System (VERBİS), through its decision dated 04.09.2025 and numbered 2025/1572, published today in the Official Gazette (“Update Decision”).
News| Legal Updates
8/1/2025
How Will the Transition to the Electronic Commercial Ledger System (“ETDS”) Take Place?
With the “Communiqué on the Keeping of Commercial Ledgers Not Related to the Accounting of the Enterprise in Electronic Format” (“Communiqué”), published in the Official Gazette dated 14 February 2025 and numbered 32813, the obligation to keep certain commercial ledgers in electronic format has been introduced for specific companies. The aim is to ensure the secure storage of ledgers in a digital environment, facilitate access and auditing, and reduce the need for notary procedures.
News| Legal Updates
6/30/2025
Principle decision on sending verification code via sms has been published by Personal Data Protection Board
In its principle decision dated 10 June 2025 and numbered 2025/1072 (“Principle Decision”), the Personal Data Protection Board (“Board”) set out the principles regarding the processing of personal data in the context of sending verification codes via SMS to data subjects during the provision of products and services. The Principle Decision is published in the Official Gazette dated 26 June 2025 and numbered 32938 and on the official website of the Personal Data Protection Authority.
News| Legal Updates
5/29/2025
Regulation Amending the Regulation on Distance Contracts Published
The “Regulation Amending the Regulation on Distance Contracts” (“Amendment Regulation”), issued by the Ministry of Trade and published in the Official Gazette dated May 24, 2025, and numbered 32909, introduces new provisions regarding consumers’ right of withdrawal in distance sales contracts. These amendments to the Regulation on Distance Contracts (“”), which was originally enacted based on Articles 48 and 84 of the Law No. 6502 on the Protection of Consumers (“Law”), will come into effect on January 1, 2026.
News| Legal Updates
3/19/2025
COMMUNIQUÉS ON CRYPTO ASSET SERVICE PROVIDERS HAVE BEEN PUBLISHED
The Communiqué on the Establishment and Operational Principles of Crypto Asset Service Providers (III-35/B.1) and the Communiqué on the Working Procedures, Principles, and Capital Adequacy of Crypto Asset Service Providers (III-35/B.2), which have been prepared by the Capital Markets Board (“Board”), have been published in the Official Gazette dated March 13, 2025. These communiqués have set out the procedures and principles regarding the establishment, commencement of operations, activities, and suspension of activities of crypto asset service providers.
News| Legal Updates
1/20/2025
New Regulations Introduced in the Classification of Goods and Services for Trademark Applications Under Communiqué No. 2024/2
The Turkish Patent and Trademark Office (“TÜRKPATENT”) has revised the List of Goods and Services for trademark applications. The changes were published in the Communiqué on the Classification of Goods and Services for Trademark Applications No. 2024/2 (“Communiqué”) in the Official Gazette dated 20 December 2024 and numbered 32758, entering into force as of its publication date. This regulation repealed the previous Communiqué No. 2016/2, published in the Official Gazette dated 30 December 2016 and numbered 29934.
News| Legal Updates
11/8/2024
E-Government Lease Agreement Period Begins
The Ministry of Treasury and Finance (“Ministry”) announced that a new service (“Service”) will be introduced for the execution of lease agreements via e-Government and the Service is planned in two phases.

The first phase was introduced via e-Government as of 04.11.2024 and the second phase is expected to be introduced at the end of the year.
News| Legal Updates
10/23/2024
New Regulations Have Been Introduced Regarding Lease Payments in Residential and Workplaces
With the Income Tax General Communiqué published in the Official Gazette No. 32695 on October 17, 2024, and came into effect on the same date, an obligation for certification (providing with documentation) has been introduced in lease payments related to residential and workplaces, along with penalties for violations of this obligation.
News| Legal Updates
10/16/2024
Significant Amendments Made Regarding Work Permit Evaluation Criteria
In accordance with the annex to the Regulation on the Implementation of the International Workforce Law (“Regulation”) published in the Official Gazette dated 02.02.2022 and numbered 31738, the “Work Permit Evaluation Criteria” used by the Ministry of Labor and Social Security (“Ministry”) during the evaluation process of work permit applications have been updated pursuant to Article 22 of the Regulation.
News| Legal Updates
10/15/2024
Amendments Have Been Made to the Regulation on Business Opening and Operating Licenses
The Regulation Amending the Regulation on Business Opening and Operating Licenses (“Amendment Regulation”), which was published in the Official Gazette No. 32688 dated October 10, 2024, and came into effect on the same date, has introduced several changes to the relevant provisions of the Regulation on Business Opening and Operating Licenses (“Regulation”).
News| Legal Updates
10/9/2024
Amendment to the Communiqué on the Protection of the Value of the Turkish Currency No. 32
Communiqué (Communiqué No: 2024-32/70) Amending the Communiqué on the Decree No: 32686 on the Protection of the Value of Turkish Currency (Communiqué No: 32686) published in the Official Gazette dated 08.10.2024 and numbered 2024-32/70), which entered into force on the date of its publication.
News| Legal Updates
Expertise
Sectors
Insights & News
Insights
Covid-19 Legal Guide
Corporate
Contact Us
Subscribe to our Newsletters
All Rights Reserved. © 2020