ID Copies in Turkish Hotels: To Keep or Not to Keep?

In this weekly digest, we examine a recent decision by the Turkish Data Protection Authority on the conflict between Turkey’s identity notification requirements and its data protection laws. Is keeping copies of identification documents necessary, or does it go too far? What steps should companies in the hospitality sector take next? Here’s what hospitality companies need to know.

The Turkish Personal Data Protection Authority published Key Decision number 33102 in the Official Gazette on the 9th of December. It addresses the contradiction between two different laws and sets up legal practice for hospitality and accommodation companies in Turkey.

This legal review was a reaction to the common practice of storing photocopies of visitors' Turkish Identity Cards.

The Authority analyzed the legal issue between the Data Protection Law No. 6698 and the Law No. 1774 on Identity Notification. Under the Data Protection Law, organizations cannot process personal data without a valid legal basis, such as consent or a statutory obligation. Such information must be stored and handled in a way that respects data subject rights, including the right to privacy.

On the other hand, Law No. 1774 stipulates that an entity providing accommodation services, be it free of charge or for a fee, must record the identity and entry-exit information of citizens and foreign visitors.

Basically, it means that any hotel, guesthouse, or motel processes and stores large volumes of personal data from visitors, as it is required by the Law on Identity Notification.

The Authority reviewed legal obligations stipulated by both laws and determined that collection of name, surname, ID numbers, and identity details is necessary for compliance with Law No. 1774. Yet, the practice of obtaining a photocopy of national IDs isn’t covered by this law, as the guest identity could be visually verified via identity card.

Therefore, storing copies of identification documents is unnecessary for the purposes of the Law on Identity Notification. Even more, it violates principles of the Data Protection Law, as the organization processes more personal data than is necessary for business processes. As a result, such practice creates additional data security risks.

It is a major decision for many Turkish businesses. Tourism revenue in Turkey reached USD 24.3 billion. The number of foreign visitors was forecasted to set an all-time high in 2025 and reach 65 million. It means that accommodation and hospitality businesses should swiftly react to changes in data protection practices to avoid financial fees.

Based on our experience, many companies struggle with data sprawl, where sensitive information is scattered across multiple locations. Copies of ID documents may be stored on local servers or cloud services. Employees may also save them on endpoints, personal laptops, or desktop folders. To meet the new requirements, the first critical step is to locate sensitive data and all its copies.

Risk Monitor, the Next-Gen DLP system developed by SearchInform, addresses this issue. It can scan all storage locations and devices to identify a wide range of sensitive information. The Next-Gen DLP system uses in-built policies to analyze file content and determine particular types of data, be it ID scans, financial records, or plain text with ID numbers.