KVKK Principle Decision on the Use of ID Photocopies in the Tourism Sector
1. Introduction
The Personal Data Protection Board ("Board") examined the issue following an increase in complaints about data controllers in the tourism and hotel sector requesting and recording photocopies of guests' Turkish Identity Cards. As a result, the Board set out the legal boundaries of data processing activities in the sector in Principle Decision No. 2025/2120, published in the Official Gazette dated December 9, 2025 ("Decision").
You may access the relevant Decision here.
2. Evaluation within the Scope of Legislation
2.1. Data Processing under the Identity Notification Law
Under Law No. 1774 on Identity Notification and the relevant regulation, accommodation facilities such as hotels, motels, and hostels are legally obliged to record guests' identity information (name, surname, T.C. identity number, etc.) and keep it ready for inspection by general law enforcement agencies. In this context, the recording of identity information is lawful under the conditions "It is expressly provided for by the laws" and "It is mandatory for the data controller to perform its legal obligation" in Article 5 of the Law on Protection of Personal Data No. 6698 ("Law").
2.2. Data Processing under the Tax Procedure Law
For the purpose of invoicing the accommodation service, the processing of information such as the customer's name, surname, and room number pursuant to Tax Procedure Law No. 213 is also evaluated as lawful within the scope of the condition "It is expressly provided for by the laws."
3. Determination of Violation and Unlawfulness
The Board found the practice of "taking ID photocopies", which goes beyond legal obligations, to be unlawful based on the following grounds:
• Breach of the Principle of Proportionality: It is natural to view the identity document in order to verify the accuracy of identity information; however, taking a photocopy of the document instead of entering the information into the system results in "excessive data processing." There is no legal basis for this operation.
• Violation of Special Categories of Personal Data: Old identity cards, which are still in use, contain special categories of personal data (sensitive data) such as religion and blood type. Taking photocopies of these documents constitutes a violation of the processing conditions for special categories of personal data regulated under Article 6 of the Law.
4. Decision Taken by the Board and Obligations
As a result of its evaluation, the Board has taken the following decisions which are binding for data controllers:
• Cessation of Practice: Data controllers operating in the tourism and hotel sector must immediately cease the practice of taking photocopies of guests' T.C. identity documents.
• Destruction of Existing Documents: Photocopies of T.C. identity documents taken and recorded prior to the publication of the Decision must be destroyed in accordance with Article 7 of the Law.
• Administrative Sanction Warning: Administrative action will be taken pursuant to Article 18 of the Law against data controllers who do not act in accordance with the specified points and fail to take necessary administrative/technical measures.
5. Conclusion
Data controllers and data processors operating in the tourism and hotel sector must immediately stop the practice of taking ID photocopies/scans during customer registration processes, inform their personnel regarding this matter, and securely destroy ID photocopies found in their retrospective archives.
For more information and assistance, please feel free to contact us.