New KVKK Ruling: Hotels in Turkey Are Prohibited from Photocopying Guest ID Cards
Date of Decision: November 6, 2025 Decision Number: 2025/2120
In the tourism and hospitality sector, a longstanding practice has finally come under strict scrutiny by the Turkish Personal Data Protection Board (KVKK). For years, it has been common procedure for hotels, resorts, and hostels to take photocopies or digital scans of guests’ ID cards (Kimlik) during check-in.
Following numerous complaints and a comprehensive review process involving major ministries and sector representatives, the KVKK has published a Principal Decision stating that this practice is unlawful.
This article summarizes the legal reasoning behind the decision, the obligations of data controllers (hotel management), and the immediate steps the tourism sector must take to avoid administrative fines.
The Background: Why Was a Principal Decision Needed?
The Personal Data Protection Authority (the Authority) received a significant volume of complaints regarding accommodation facilities requiring photocopies of Turkish Identity Cards from guests.
Recognizing the widespread nature of this issue, the Board drafted a decision and sought opinions from key stakeholders, including:
- Ministry of Culture and Tourism
- Ministry of Trade
- Ministry of Interior
- Union of Chambers and Commodity Exchanges of Turkey (TOBB)
- Hotel Purchasing Managers Association
- Hotel Association of Turkey (TÜROB)
After evaluating the feedback, the Board finalized its decision to standardize data processing in the sector and protect the privacy of individuals.
Legal Analysis: Verification vs. Recording
The core of the decision lies in the distinction between verifying identity and recording excessive data.
1. What is Legally Required?
According to the Identity Reporting Law No. 1774 (Art. 2) and its Regulation (Art. 5), accommodation providers are indeed legally obliged to identify their guests. They must record specific information such as:
- Name and Surname
- T.C. Identity Number
Under the Law on Protection of Personal Data (KVKK) No. 6698, processing this specific text-based data is lawful under Article 5/2-a (“Explicitly foreseen in laws”) and Article 5/2-ç (“Mandatory for the data controller to fulfill their legal obligation”).
2. Why is Photocopying Illegal?
The Board ruled that while viewing the ID card to verify accuracy is permitted, taking a photocopy or scan of the document results in “excessive data processing.”
An ID card contains more data than is required for law enforcement reporting (e.g., photo, blood type, religion in older IDs, chip data). Recording the document itself violates the principle of “Data Minimization.” Since there is no specific provision in the law that explicitly authorizes the copying of the document, this action lacks a legal basis.
The Invoice Argument
Hoteliers often argue that ID data is needed for billing purposes. The Decision addresses this by referencing the Tax Procedure Law No. 213.
While processing personal data for issuing invoices is lawful, it does not justify retaining a copy of the ID card. The information required for a valid invoice can be manually entered into the system without storing a visual copy of the sensitive document.
Essential Takeaways for the Tourism Sector
This Principal Decision imposes immediate and retroactive obligations on all data controllers in the tourism and hotel management sector.
1. Immediate Cessation of Practice
Hotels must stop requesting to photocopy or scan T.C. Identity Cards immediately. Front desk staff should be trained to only visually inspect the ID and manually enter the required data into the identity reporting system (KBS).
2. Destruction of Archives (Retroactive Compliance)
The ruling is not just for future guests. The Board has explicitly ordered that all previously stored photocopies of ID cards must be destroyed in accordance with Article 7 of the KVKK. Data controllers must securely dispose of physical archives and delete digital scans from their servers to comply with the “Regulation on Deletion, Destruction or Anonymization of Personal Data.”
3. Potential Penalties
Failure to comply with this Principal Decision is considered a violation of data security obligations. The Board has announced that administrative action will be taken under Article 18 of the Law No. 6698 against non-compliant businesses. These fines can be substantial, making compliance a financial imperative as well as a legal one.
Conclusion
The KVKK’s decision marks a shift towards stricter privacy standards in Turkey’s tourism industry. While security and law enforcement reporting remain mandatory, the convenience of scanning an ID card can no longer supersede a guest’s right to privacy.
Hotels and accommodation providers must review their check-in procedures and data retention policies immediately to align with Decision No. 2025/2120.
To reach the full decision please click here.
Legal Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice, professional counsel, or a binding legal opinion. While we strive to ensure the accuracy of the content based on the Personal Data Protection Board’s Decision No. 2025/2120, laws and regulations are subject to change and interpretation. Accessing this article does not establish an attorney-client relationship between the reader and Karacabey Legal. We recommend consulting with a qualified attorney regarding your specific legal situation or compliance obligations before taking any action based on this content.
