- within Privacy topic(s)
- with readers working within the Oil & Gas industries
- within Privacy, Government, Public Sector and Finance and Banking topic(s)
An important development has occurred regarding the protection of personal data in the tourism and hospitality sector. The Personal Data Protection Board (KVKK) announced in its Principle Decision dated 06.11.2025 that taking photocopies of Turkish ID cards during accommodation is unlawful. This decision is critical for both businesses and guests in terms of data security, and the key points are summarized below.
KVKK published its Principle Decision numbered 2025/2120 on 06.11.2025. This decision includes significant legal assessments regarding the practice of taking ID card photocopies in accommodation facilities and directly affects data processing activities.
Under the Identity Notification Law No. 1774 and its implementing regulation, accommodation facilities are obliged to keep records of guests' identity information (name, surname, Turkish ID number) and arrival/departure details on a daily basis and make them available for inspection by law enforcement authorities.
With this decision, KVKK confirmed that requesting an ID card to verify identity is lawful. However, even for verification purposes, taking and recording a photocopy of the ID card constitutes excessive data processing and lacks any legal basis. Therefore, recording photocopies of guests' ID cards is considered an unlawful data processing activity under KVKK.
The decision also highlights that old ID cards contain sensitive personal data such as religion and blood type. If data controllers record photocopies of these IDs, they would also violate Article 6 of KVKK, which regulates the processing of special categories of personal data.
Additionally, the decision states that processing personal data for invoicing purposes in the tourism and hospitality sector is permissible.
CONCLUSION:
As a result of this decision, data controllers must pay attention to the following points:
- Photocopies of ID cards obtained before the publication of the decision must be destroyed in accordance with Article 7 of KVKK. Updating and effectively implementing data destruction policies is crucial during this process.
- The practice of taking photocopies of Turkish ID cards from guests in accommodation facilities must be discontinued.
- Identity verification should be carried out by collecting only the necessary identity details (name, surname, Turkish ID number). No physical or digital copy of the document should be taken.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
