Decision on the Recording of ID Card Photocopies of Individuals Receiving Services in the Tourism and Hospitality Sector Has Been Published

THE POLICY DECISION ON THE RECORDING OF COPIES OF TURKISH IDENTITY CARDS OF INDIVIDUALS RECEIVING SERVICES IN THE TOURISM AND HOSPITALITY SECTOR HAS BEEN PUBLISHED IN THE OFFICIAL GAZETTE

The “Policy Decision on the Recording of Turkish Identity Card Photocopies of Individuals Receiving Services in the Tourism and Hospitality Sector” (“Decision”), adopted by the Personal Data Protection Board (“Board”), was published in the Official Gazette dated 09/12/2025 and numbered 33102. The Decision clearly sets out which data processing activities carried out for identity verification purposes are deemed lawful and which are considered unlawful, and it establishes the obligations which organizations within the sector must comply with.

Activities Considered Lawful Under the Decision

The Board has assessed the following activities as lawful data processing operations when carried out in respect of local or foreign individuals receiving accommodation services at hotels, motels, inns, single-room lodgings, daily rental properties, campsites, holiday resorts, private or public accommodation facilities, private healthcare institutions, rest homes, nursing homes, and religious or charitable organisations:

recording the guest’s name, surname, and identification information; and
requesting the presentation of a Turkish identity card for the purpose of verifying, through an official document, the accuracy of the data processed regarding the guest.

The Board stated that these activities constitute lawful data processing under Article 5(2)(a) of the Personal Data Protection Law (“Law“), on the basis of the condition of “explicitly stipulated by law”.

Activities Considered Unlawful Under the Decision

Although the Board considers it lawful to request the prensetation of a Turkish ID card for identity verification purposes, it has held that:

taking photocopies of the Turkish ID cards,
storing such photocopies, and
storing photocopies of old format ID cards (which contain information such as religion and blood type),

constitute data processing activities exceeding what is necessary and lack any legal basis, and therefore cause to unlawful processing.

The Board further stated that, since old identity cards contain personal data such as an individual’s religion and blood type, recording photocopies of such documents also results in the unlawful processing of special categories of personal data.

Measures Required to be Taken by Data Controllers Under the Decision

In line with the Decision, all data controllers operating in the tourism and hospitality sector must:

immediately cease the practice of obtaining photocopies of Turkish ID cards,
destroy, fully and irreversibly, any photocopies of ID documents belonging to individuals who received accommodation services prior to the publication of the Decision, in accordance with the provisions of the Law,
restructure their identity verification processes to a “presentation-and-check only, without photocopying” model,
provide employees with the necessary information and training;
and update their data processing inventories and privacy notices accordingly.

In this context, if it is determined that the obligations set out above have not been fulfilled, the necessary actions will be taken against the relevant data controllers in accordance with the provisions of the Law.

In conclusion, the Decision brings an end to the widespread practice within the sector and requires accommodation facilities to verify identity solely by means of presentation while irreversibly destroying any ID photocopies currently held. Furthermore, data controllers must redesign and update their existing data processing inventories, procedures, and data retention practices in line with the Decision.

Please feel free to reach out to us, should you have any queries.