Data Privacy (KVKK)

No More ID Photocopies at Hotels: Turkey Aligns with EU Data Protection Standards

December 9, 2025 7 min read Turkish Trade Lawyers

KVKK's New Ruling Ends a Common Practice in the Hospitality Sector

Summary

Turkey's Personal Data Protection Authority (KVKK) has officially prohibited hotels and accommodation providers from photocopying or scanning guests' ID cards and passports. The ruling, published in the Official Gazette on December 9, 2025, marks a significant step toward aligning Turkish data protection practices with EU standards under the GDPR.

What Happened?

On November 6, 2025, the Personal Data Protection Board issued Decision No. 2025/2120, an official "Principle Decision" (İlke Kararı) addressing a long-standing practice in Turkey's tourism and hospitality sector.

Key points of the decision:

  • Hotels, motels, pensions, hostels, and short-term rental properties can no longer photocopy or scan guests' Turkish ID cards (T.C. Kimlik Kartı) or passports
  • Accommodation providers must destroy all previously collected ID photocopies in accordance with Article 7 of Law No. 6698
  • Visual verification of ID documents remains permitted—staff may view the document to confirm identity
  • Recording guest information (name, ID number, check-in/check-out dates) in registration systems remains mandatory under the Identity Notification Law (Law No. 1774)
  • Non-compliance will result in administrative fines under Article 18 of the KVKK

Why Did KVKK Take This Step?

The Board cited several reasons for the decision:

1. Excessive Data Processing

Photocopying an ID card captures far more information than necessary for guest registration—including photographs, parents' names, blood type, and religious information (on older cards). This violates the data minimization principle.

2. No Legal Basis

While Turkish law requires hotels to record guest information and report it to authorities (GİKS system), no law mandates photocopying the ID document itself. The practice had become customary but lacked legal foundation.

3. Security Risks

Stored ID photocopies create significant data breach risks. If stolen or leaked, this information can be used for identity theft, fraud, or other criminal activities.

4. High Volume of Complaints

KVKK received numerous complaints from citizens concerned about their personal data being unnecessarily collected and stored by accommodation providers.

GDPR Comparison: How Does the EU Handle This?

Turkey's new ruling closely mirrors the approach taken in EU member states under the General Data Protection Regulation (GDPR).

The Data Minimization Principle

GDPR Article 5(1)(c) establishes that personal data must be: "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

This principle directly prohibits collecting more data than needed—and ID photocopies typically contain far more information than required for hotel registration.

EU Enforcement Examples

Country Authority Action
Spain AEPD Fined a hotel €30,000 for scanning a guest's passport without proper legal basis (Case PS/00078/2021)
Spain AEPD Fined a hotel in Cantabria €1,500 for insisting on photocopying a guest's ID card.
Spain AEPD Issued official guidance in June 2025 stating that ID photocopies violate the data minimization principle

What This Means for Hotels in Turkey

Immediate Actions Required:
  • Stop photocopying – Cease all ID/passport photocopying immediately
  • Update procedures – Modify check-in processes to visual verification only
  • Destroy archives – Properly dispose of all previously collected ID photocopies per KVKK guidelines
  • Train staff – Ensure front desk personnel understand the new requirements
  • Update privacy notices – Revise your KVKK disclosure texts (aydınlatma metni)

What Remains Unchanged

  • Hotels must still verify guest identity by viewing the original document
  • Guest information must still be recorded in the hotel system
  • GİKS (Genel Bilgi Sistemi) notifications to authorities continue as before
  • Billing-related data processing remains lawful under Tax Procedure Law (Law No. 213)

Penalties for Non-Compliance

Hotels that continue photocopying ID documents face:

  • Administrative fines under KVKK Article 18 (ranging from TRY 47,303 to TRY 9,460,793 for 2025)
  • Individual complaints from guests to KVKK
  • Reputational damage in an increasingly privacy-conscious market

A Step Toward EU Alignment

This decision demonstrates Turkey's continued effort to harmonize its data protection framework with EU standards. For international hotel chains and European companies operating in Turkey, this creates a more consistent compliance environment across jurisdictions.

The core message is clear: collect only what you need, and protect what you collect.

KVKK Data Privacy Hotel Compliance GDPR Turkey Hospitality

Turkish Trade Lawyers

Expert legal counsel for international trade, corporate law, and dispute resolution in Turkey. We provide comprehensive solutions tailored to your business needs.

Need KVKK Compliance Assistance?

Our data protection experts can help your hospitality business achieve full compliance.

Get Expert Advice

Related Articles

KVKK Checklist

Hotel ID Photocopy Ban: Compliance Checklist

Interactive checklist for hotels to ensure compliance with the new KVKK decision No. 2025/2120.

 Contract Law

What Are the Most Important Contracts for a Business to Have?

A legal analysis of essential contracts including NDAs that protect your business data.