Newsletters
Türkiye’s personal data watchdog has ordered hotels and other similar accommodation providers to stop taking and storing photocopies of guests' identity documents, finding that this common practice breaches the country’s data protection law.
The decision, adopted by the Personal Data Protection Board (KVKK) on Nov. 6 and published in the Official Gazette on Dec. 9, focuses on photocopies of Turkish national ID cards but is framed around how all accommodation providers handle identity documents for both local and foreign guests.
Türkiye’s tourism and hospitality sector routinely processes large amounts of personal data because it offers services directly to individuals. For years, many hotels, from five star resorts to small guesthouses, have asked incoming guests to hand over their identity documents, then recorded their details and kept photocopies in their files.
Under existing rules, accommodation operators must still collect and register basic guest information. The Identity Reporting Law requires hotels, motels, guesthouses, daily rental properties and similar establishments to keep daily records of “everyone, local or foreign” who stays there, including their identity and their arrival and departure dates, and to keep these registers ready for inspection by the police or the gendarmerie, the rural law enforcement force.
In addition, tax rules oblige businesses to issue invoices that contain limited information such as the customer’s name, address and tax number, so hotels may lawfully process those details as well.
The board underlined that these obligations remain in place and that it is lawful for accommodation providers to ask guests to show an official identity document, such as a Turkish ID card or another valid official document like a passport for foreign visitors, and to check that the information in their system matches what appears on the document.
The new principal decision draws a clear line between checking and recording necessary information, which the law requires, and taking photocopies of the entire identity document, which the Board now defines as unlawful.
The KVKK pointed out that when a hotel takes a photocopy of a Turkish ID card and files it, it inevitably stores more personal data than it actually needs in order to fulfil its legal duties. The Board described this as “excessive data processing” and stressed that there is no specific legal provision that authorises hotels to make and keep such copies.
The decision also recalls that older-style Turkish ID cards may display special categories of personal data, such as a person’s religion or blood type. Because these are recognized as “sensitive personal data” under Turkiye’s Personal Data Protection Law, storing copies of such documents without a clear legal ground breaches the stricter rules that apply to sensitive information.
For that reason, the board concluded that keeping photocopies of Turkish ID cards for accommodation purposes is not compatible with the law.
Although hotels must now stop copying ID documents, the underlying registration system for guests will continue.
Accommodation operators are still required to ask guests for their basic identity details and to enter those details into their electronic systems. These records, which include name, surname, national ID or passport number and arrival and departure dates, continue to be transmitted to the police or the gendarmerie in line with the Identity Reporting Law and its implementing regulation, so that law enforcement can see who is staying where and keep those records.
The board stressed that asking guests to show an official identity document in order to verify those details remains both lawful and necessary. What must change is the additional step of making and storing a photocopy of the whole document for the hotel’s own files.
The principal decision not only covers future practices but also addresses the status of existing photocopies already held by hotels and similar businesses.
Accommodation providers that have previously collected photocopies of Turkish ID cards for accommodation purposes must now treat those copies as unlawful personal data. Under Article 7 of the Personal Data Protection Law, they are required to erase, destroy or anonymise such data so that it can no longer be linked to identifiable individuals.
The decision also reminds hotel operators that they must take “all necessary technical and administrative measures” to prevent unlawful processing, unauthorized access and loss of personal data. These duties are part of their ongoing obligation to secure the personal information they hold about guests.
The board warns that it may impose administrative sanctions under Article 18 of the law, including financial penalties, if inspections or complaints reveal that accommodation providers continue to keep or create ID photocopies in breach of the new principle decision.
For international visitors, the ruling affects a familiar step during hotel check-in. Guests will still be asked to present their passport or another valid identity document so that staff can type in and verify basic details, which will continue to be shared electronically with law enforcement as before.
However, accommodation businesses are now required to end the routine practice of taking and filing photocopies of the entire identity document, whether it is a Turkish ID card or another official document used to prove identity at check-in. According to the board, verifying identity and recording the data that specific laws require is sufficient, while storing a full copy of the document itself goes beyond what those laws allow.
3 min read
