The Personal Data Protection Board (“Board”) published its Principle Decision number 2025/2120 titled “Principle Decision on the Recording of Copies of Turkish ID Cards of Individuals Receiving Accommodation Services in the Tourism and Hospitality Sector” (“Principle Decision”) in the Official Gazette dated 9 December 2025. Within the scope of the Personal Data Protection Law number 6698 (“DP Law”), the Board reviewed the practice of collecting copies of Turkish ID cards from guests staying at accommodation facilities in the tourism and hospitality sector.
With respect to the Principle Decision, the Board concluded that tourism and hospitality establishments may lawfully process guests’ identity information limited to name, surname and Turkish ID number, without obtaining explicit consent, if it remains strictly confined to the statutory scope. In this context, the Board held that such processing may be based on the following legal grounds:
- provided that it is expressly stipulated by the law pursuant to Article 5/2(a) of the DP Law, in accordance with the obligations arising from the Identity Notification Law and the relevant secondary legislation, and
- provided that it is mandatory for the data controller to fulfil its legal obligations pursuant to Article 5/2(ç) of the DP Law.
However, the Board explicitly found that tourism and hospitality businesses’ practice of collecting and storing copies of Turkish ID cards or national identity cards is unlawful. In this assessment, the Board relied on the following grounds:
- even when carried out for verification purposes, the practice constitutes “excessive data processing” and violates the principle of proportionality;
- old national identity cards contain special categories of personal data, such as religion and blood type, and processing these data through photocopies does not comply with the protection regime set out under Article 6 of the DP Law; and
- collecting copies does not establish a mandatory method for identity verification, as verification of personal data accuracy can be achieved by requesting and checking the Turkish ID card without retaining a copy.
Accordingly, the Principle Decision requires tourism and hospitality businesses to refrain from collecting copies of Turkish ID cards or national identity cards and obliges data controllers that have previously obtained such documents to erase or destroy the relevant records in accordance with Article 7 of the DP Law.
In addition, the Principle Decision clarifies the scope of personal data that may be processed for invoicing purposes. In accordance with Articles 230 and 240 of the Tax Procedure Law, personal data such as name, surname, title, address, tax office, account number, room number, room fee and issuance date may be processed as mandatory invoice elements.
Finally, the Board held that the collection of ID card copies constitutes a breach of the technical and administrative measures obligation under Article 12 of the DP Law and underlined that the continuation of this practice may give rise to administrative fines pursuant to Article 18 of the DP Law (with the expected upper limit for 2026 being approximately TRY 17,092,242).
Please see this link for full text of the Pricipled Decision (only available in Turkish)
