KVKK’s new principle decision redefines personal data protection in the hospitality sector
A long-standing procedure in Türkiye’s accommodation industry officially came to an end as of December 9, 2025. With the Personal Data Protection Board’s (KVKK) decision published in the Official Gazette, hotels are no longer allowed to request photocopies of guests’ ID cards or passports. The regulation establishes a new standard for both data security and guest privacy.
A New Chapter in Personal Data Protection
The new principle decision deems the collection of ID photocopies unlawful, fully eliminating a practice that has been widespread throughout the sector. Guests are still required to present their identification during check-in; however, hotels may now record only basic identity information. Photographs, detailed personal data, and unnecessary elements such as the former “religion” field on old Turkish IDs fall outside the permissible scope of data processing.
The ruling also applies retroactively. Accommodation facilities must securely destroy any ID photocopies stored in their archives. This requirement compels tourism businesses to reassess and update their data retention policies.
The regulation strengthens Türkiye’s alignment with international security and privacy standards in the global tourism industry. With a data protection approach parallel to European practices, the guest experience becomes faster, simpler, and more secure.
In Türkiye’s increasingly digitalized tourism ecosystem, this step marks the beginning of a significant transformation toward trust-based communication models. Hotel processes are now shifting toward a modern, guest-centric structure, free from the obligation to store physical identification documents.