A Key Decision by the Personal Data Protection Authority for the Recording of ID by Hotels has been newly issued in the Official Gazette dated December 9, 2025 and numbered 33102. Take a look at the full text from here. That is a key decision that will shape all standards and principles applicable to hotels and accommodation providers.
Introduction
A Key Decision by the Personal Data Protection Authority (hereinafter as the Authority) for the Recording of ID by Hotels was published in the Official Gazette dated December 9, 2025 and numbered 33102. The decision contains significant benchmarks for the promotion of data privacy in Turkey.
What is the main administrative body for data protection in Turkey?
The Personal Data Protection Authority is established with a view to ensuring the protection of personal data and developing awareness in line with the fundamental rights related with privacy and freedom stated in the Constitution.
What is the right to privacy in Turkey?
The right to respect for private life is enshrined in the Turkish Constitution. Article 20 provides that everyone has the right to respect for their private and family life and establishes the principle that the confidentiality of private and family life is protected, subject to the conditions and limitations set out by law.
For more information about the protection of the right to privacy see our article on The Right to Data Privacy and Respect for Private Life
What is Turkish data protection law?
The Personal Data Protection Law No. 6698 constitutes the principal legal framework governing the protection of personal data in Türkiye. The primary purpose of the Law, as set out in Article 1, is to regulate the processing of personal data by safeguarding the fundamental rights and freedoms of individuals—particularly the right to privacy—and by establishing the principles, obligations, and procedures applicable to natural and legal persons engaged in personal data processing activities.
What is the meaning of processing of personal data?
In accordance with Article 2 of the Law No. 6698, “processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.
Overview of A Key Decision by the Personal Data Protection Authority
A Key Decision by the Personal Data Protection Authority for the Recording of ID by Hotels has been newly issued in the Official Gazette dated December 9, 2025 and numbered 33102. The Board Decision No. 2025/2120 and dated 06/11/2025 developed significant principles for the hospitality sector in which personal data are processed most intensively, due to its nature of providing services directly to individuals. Upon notification and complaint received by the Authority and in connection with informing the sector and ensuring uniform practice, the Board Decision was made by analyzing two different competing interests pursued by two different Law texts.
Pursuant to Article 5 of Law No. 6698, Personal data may not be processed without the explicit consent of the data subject. However, pursuant to the second paragraph of the same article, personal data may be processed without explicit consent in the presence of one of the following conditions:
a) Explicitly stipulated by laws,
b) Where it is mandatory for the protection of the life or physical integrity of the data subject or another person, and the data subject is unable to express consent due to actual impossibility or where consent is not legally valid,
c) Where it is necessary for the establishment or performance of a contract, provided that it is directly related to the contract,
ç) Where it is mandatory for the data controller to fulfill its legal obligation,
d) Where the personal data have been made public by the data subject,
e) Where data processing is mandatory for the establishment, exercise, or protection of a legal right,
f) Where data processing is mandatory for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.
Pursuant to Article 2 of Law No. 1774 on Identity Notification, hotels, motels, inns, pensions, guesthouses, boarding houses, camps, camping sites, holiday villages and similar facilities; private health institutions; rest and recreation facilities; public or private social facilities; as well as places where individuals stay temporarily or permanently, whether free of charge or for a fee, are obliged to record and notify the identity and entry–exit information of Turkish citizens and foreigners accommodated therein, in accordance with the procedure and principles set forth by law.
A Key Decision by the Personal Data Protection Authority
Taking all this into account, the Authority concludes that requesting information such as name, surname, Turkish ID number, and identity details from individuals receiving accommodation services is necessary for compliance with Law No. 1774. Nonetheless, it is noted by the Board that such requirement does not cover request and record of a photocopy of the Turkish Identity Card, as a part of an additional personal data processing activity.
Despite that the visual verification of the identity card without copying or recording it may be sufficient to pursue the aim described by the Law, the practice of obtaining a photocopy of the Turkish Identity Card results in the processing of more personal data than necessary and creates additional risks in terms of data security. Therefore, such practice is considered proportionate by the Board within the meaning of the Law No. 6698.
In conclusion, according to the a Key Decision by the Personal Data Protection Authority, the processing of personal data through the recording or storage of identity card photocopies does not meet the conditions set forth under Article 5 of Law No. 6698, particularly the requirement of being “explicitly stipulated by law” or “mandatory”.
Conclusion
In short, a Key Decision by the Personal Data Protection Authority for the Recording of ID by Hotels has been newly issued by the Board. The present article has already established that the new decision is made by the Board as a benchmark for the protection of data privacy associated with IDs. The Board underlines that the practice of keeping a photocopy of the Turkish Identity Card results in the processing of more personal data than necessary and creates additional risks in terms of data security; therefore it is found incompatible with the Law.
Attorney Büşra Dereli
