The Personal Data Protection Board’s Principle Decision Regarding the Accommodation Sector
THE PERSONAL DATA PROTECTION BOARD’S PRINCIPLE DECISION REGARDING THE ACCOMMODATION SECTOR
Introduction
The Personal Data Protection Board (“Board”), as a result of its assessments regarding the customary practice in the hotel industry of obtaining photocopies of guests’ Turkish ID cards, has adopted a Principle Decision on the matter. With the decision published in the Official Gazette dated 06.11.2025 and numbered 2025/2120, it has been ruled that the said practice is unlawful under the Personal Data Protection Law No. 6698 (“Law”), and it has been decided that this practice must be discontinued.
This decision of the Board introduces significant changes both in terms of the protection of personal data and the legal obligations of accommodation facilities.
Practices Prior to the Decision
As is known, as a customary practice, many accommodation facilities obtain photocopies of identity documents such as Turkish ID cards or passports during guest check-in. Although businesses maintain this practice as a security measure regarding guests staying at their facilities and aim to protect their interests, particularly in matters such as payment tracking during reservations, lost property, theft, or legal disputes, there is no obligation or right granted to operators under the legislation in this regard. Moreover, as also emphasized by the Board in its principle decision, records kept in this manner constitute personal data processing. Therefore, such processing is subject to the criteria and conditions set forth in the Law.
Assessments Made Within the Scope of the Principle Decision
The Board began its examination by first reviewing the legal bases of the procedures currently applied in the accommodation sector. In this context, the provisions of the Identity Notification Law No. 1774 and the Regulation on the Implementation of the Identity Notification Law were examined.
Within this framework, it has been observed that the relevant law and regulation impose an obligation on businesses operating in the accommodation sector to record the identity information of their visitors. Articles 5 and 23 of the Regulation on the Implementation of the Identity Notification Law, which regulate the details of this obligation, require businesses both to record the identity information of guests staying at their facilities and to verify the recorded identity information with an official document.
In light of these regulations, the Board concluded that the personal data processing activities carried out by recording the name, surname, and Turkish ID number of guests receiving accommodation services are lawful pursuant to Article 5, paragraphs (a) and (c) of the Law, on the grounds that such processing is “explicitly prescribed by law” and “necessary for the data controller to fulfill its legal obligation.”
However, in practice, the obtaining of photocopies of guests’ identity documents by accommodation service providers goes beyond merely verifying and recording the data with official documents. Indeed, identity documents contain information beyond what is legally required. As stated in the Board’s decision, especially older identity documents may include special categories of personal data such as religious affiliation or blood type. Therefore, the Board has stated that obtaining photocopies of identity documents, going beyond the recording of the required information, cannot be based on the legal grounds set forth in the Law. In our opinion as well, while recording only the necessary information is sufficient, obtaining photocopies of identity documents is incompatible with the principle of proportionality under the Law.
For all these reasons, within the scope of the principle decision, the Board has decided that (i) the practice of accommodation facilities obtaining photocopies of guests’ identity documents is unlawful, (ii) such practice must be discontinued, and (iii) personal data that have already been unlawfully processed in this manner must be destroyed.
Impact of the Principle Decision on Accommodation Facilities
Although it may be argued by accommodation facilities that obtaining such documents is important for legal evidence and security, and that it serves to protect the interests of businesses in the event of potential disputes; as clearly set out by the Board in its principle decision, when the protected interests of businesses are weighed against the violated rights of individuals, it is beyond doubt that discontinuing such practices is more appropriate in terms of public interest.
In this context, with the principle decision, all accommodation service providers must immediately cease the practice of obtaining photocopies of official documents such as identity cards. In addition, if photocopies previously obtained in this manner are still being stored, they must be destroyed retrospectively.
Conclusion and Evaluation
With the Board’s Principle Decision in question, it has been clearly established that the long-standing customary practice in the accommodation sector of obtaining photocopies of identity documents is contrary to Law No. 6698; and it has been clarified that businesses should limit themselves to recording only the identity information required by legislation (name, surname, Turkish ID number, etc.). In this framework, it is of importance for accommodation facilities to align both their existing practices and their internal policies and procedures with the Law, secondary legislation, and Board decisions.
Practices to the contrary may give rise to various sanction risks, including administrative fines, before the Board. Therefore, it is of great importance for businesses to review their personal data processing activities by taking this Principle Decision into account and to promptly take the necessary compliance steps in order to mitigate legal risks.
Sincerely,
Atabay Law Office