The principal decision by the Turkish Personal Data Protection Authority’s (“DPA”), dated November 6, 2025, and numbered 2025/2120 (“Decision”) has been published on the Official Gazette on December 9, 2025.

The principal decisions are issued by the DPA in circumstances where, following an investigation initiated upon complaint or ex officio, the DPA identifies that the violation in question reflects a broader and recurring compliance problem. With the principal decisions, the DPA addresses the problem, explains its interpretation of the law, and provides clear guidance for controllers and processors to follow. The principal decisions carry binding effect, meaning that all relevant actors are required to align their practices with the standards and expectations set out by the DPA.

According to the Decision, there have been large number of complaints made to the DPA, with regards to accommodation facilities requesting and retaining the copies of the identity cards of the guests. Consequently, the DPA has resolved to take a principal decision on this matter with the aim of putting an end to this practice by way of informing the tourism and hospitality sector on this matter.

Within the Decision, it is stipulated that the requirement to record identity information of guests is explicitly regulated in the regulations that accommodation facilities are required to comply with. Therefore, recording activity of the identity information is in accordance with the data processing requirements set forth under the Turkish Personal Data Protection Law No. 6698 (“DPL”).

On the other hand, while requesting ID cards for identification purposes is legally permissible, copying ID cards and retaining their copies results in excessive data processing and lack any legal basis. Additionally, since old-type Turkish ID cards — which are still in circulation— contain special categories of personal data, copying and retaining the copies of IDs also constitute unlawful processing.

In the light of all these matters the DPA has decided that (i) the data controllers operating in the tourism and hospitality sector are required to refrain from collecting copies of guests’ ID cards; and (ii) any data controller who previously retained ID card copies obtained from data subjects before the publication of the Decision must destroy these documents in accordance with the DPL.

The DPA further underlined that these are the administrative and technical measures which must be taken by the data controllers pursuant to Article 12 of the DPL. Therefore, non-compliance with the Decision may result in administrative fine.

In conclusion, although the mentioned practice already evaluated as unlawful prior to the Decision due to lack of explicit obligation under the applicable legislation to obtain or retain copies of ID cards, and it continued largely out of habit, the Decision serves as a clear and definitive reminder to the tourism and hospitality sector regarding their obligations to decisively bring this outdated practice to an end.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Maral Baymak