KVKK Compliance for Hotels, Tourism Companies, and Travel Agencies in Turkey

Introduction

KVKK compliance for hotels, tourism companies, and travel agencies in Turkey is a critical legal requirement. The tourism and hospitality sector processes large volumes of personal data every day, often from both Turkish citizens and foreign guests. Hotels, resorts, boutique hotels, hostels, holiday villages, travel agencies, tour operators, transfer companies, online booking platforms, destination management companies, medical tourism facilitators, and event tourism businesses collect and use personal data at every stage of the customer journey.

A single guest experience may involve reservation details, passport or identity information, contact data, payment data, room preferences, travel dates, family information, children’s data, health or allergy information, vehicle plate numbers, CCTV footage, Wi-Fi logs, loyalty membership records, spa reservations, restaurant preferences, airport transfer details, complaint records, marketing permissions, and sometimes sensitive information such as health, disability, religion-related preferences, or biometric access data.

Turkey’s main data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law protects fundamental rights and freedoms, especially the right to privacy, and regulates the obligations of natural and legal persons processing personal data. It applies to personal data processed wholly or partly by automated means or by non-automated means forming part of a data filing system.

For tourism businesses, KVKK compliance is not merely a privacy policy on a website. It requires a full compliance program covering check-in procedures, reservation systems, guest registration, identity reporting obligations, booking engines, property management systems, payment providers, online travel agencies, CRM tools, email marketing, CCTV, Wi-Fi, staff training, vendor contracts, retention periods, cross-border data transfers, and data subject rights.

Why Data Protection Matters in the Tourism and Hospitality Sector

Hotels and tourism businesses process data in a highly personal context. A guest’s travel data may reveal where they stay, who they travel with, how much they spend, whether they travel for business, medical treatment, religious tourism, family reasons, conferences, or holidays. Room preferences, meal requests, spa appointments, disability access needs, and health-related requests may reveal sensitive aspects of private life.

Travel agencies may process passport details, visa documents, flight information, hotel bookings, insurance details, emergency contacts, children’s information, and medical declarations. Medical tourism companies may process health records, treatment plans, clinic appointments, photographs, surgical information, and international patient communications. These data categories require careful legal analysis because some may be special categories of personal data under KVKK Article 6, especially health data and biometric data.

The tourism sector is also international by nature. Hotels may use global booking systems, foreign cloud-based property management systems, international hotel group databases, online travel agencies, global CRM systems, foreign payment processors, and overseas customer support teams. Travel agencies may send customer data to airlines, hotels, visa service providers, tour operators, insurance companies, and foreign destination partners. These data flows can trigger cross-border transfer rules under KVKK Article 9.

Personal Data Commonly Processed by Hotels and Tourism Companies

Hotels and accommodation facilities commonly process identity data, including name, surname, Turkish identity number, passport number, nationality, date of birth, signature, and guest registration information. They also process contact data such as phone number, email address, residential address, emergency contact details, and communication preferences.

Reservation and transaction data may include check-in and check-out dates, room type, number of guests, booking channel, special requests, payment method, invoice details, deposit records, minibar charges, restaurant and spa usage, loyalty membership information, cancellation history, complaint records, and guest satisfaction survey responses.

Digital and security data may include IP addresses, Wi-Fi access logs, website cookies, mobile app identifiers, device data, CCTV footage, key card access logs, vehicle plate numbers, and call center recordings. Travel agencies may additionally process flight tickets, visa documents, insurance policies, tour participation lists, transfer details, passport copies where legally justified, and destination-specific documents.

The data controller must identify each data category and processing purpose. Under KVKK, personal data must be processed for specified, explicit, and legitimate purposes, and it must be relevant, limited, and proportionate to those purposes.

Legal Bases for Processing Guest and Traveler Data

Not every processing activity in tourism requires explicit consent. KVKK Article 5 allows personal data to be processed without explicit consent where one of the statutory grounds applies, such as processing expressly provided by law, necessity for contract performance, necessity for compliance with a legal obligation, necessity for establishment or protection of a right, or legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.

For example, a hotel may process reservation data to perform the accommodation contract. It may process invoice data to comply with tax and accounting obligations. It may process identity reporting data because accommodation facilities are subject to identity notification duties. It may process CCTV footage for security and protection of rights where proportionate. It may process complaint records to respond to customer requests and defend legal claims.

However, explicit consent may be required for optional or non-essential processing. Examples include sending promotional emails or SMS messages, using guest photographs for advertising, processing health or allergy information beyond what is necessary for the service, using non-essential advertising cookies, sharing data with third-party commercial partners, or transferring data abroad under limited exceptional circumstances where no other transfer mechanism is available.

Guest ID Records and the 2025 KVKK Principle Decision

Identity processing is one of the most important issues for hotels in Turkey. Accommodation facilities have legal obligations to identify and report guests under Turkish identity notification legislation. However, this does not mean that hotels may collect unlimited identity documents or store copies of ID cards without legal basis.

The Turkish Personal Data Protection Board issued an important Principle Decision dated 6 November 2025 and numbered 2025/2120 concerning the recording of photocopies of Turkish identity cards of persons receiving accommodation services in the tourism and hospitality sector. The Authority stated that, due to complaints and reports that accommodation facilities were taking photocopies of guests’ Turkish identity cards, the Board decided that data controllers in tourism and hospitality must stop taking such photocopies and must destroy previously recorded ID card photocopies in accordance with Article 7 of KVKK.

This decision is highly significant for hotels and accommodation businesses. The Board’s approach reflects the principles of data minimization and proportionality. Hotels may need to verify identity and record legally required guest information, but taking and storing full ID card photocopies may exceed what is necessary. A third-party English summary of the same decision states that the Board considered the collection of Turkish ID card photocopies by accommodation facilities excessive and unlawful because it goes beyond the legal obligation under identity reporting rules.

In practice, hotels should review check-in procedures immediately. Reception staff should request ID presentation for verification and record only the legally required information in the system. They should avoid photocopying, scanning, photographing, or storing identity cards unless a clear and specific legal basis exists. Previously stored ID card copies should be identified and destroyed under KVKK Article 7 where no valid retention basis remains.

Reservation Systems, Online Booking Platforms, and OTAs

Hotels often receive reservations through their own websites, call centers, travel agencies, online travel agencies, global distribution systems, corporate clients, event organizers, and third-party booking platforms. Each channel creates a data flow.

The hotel must determine whether it acts as a data controller, joint controller, or recipient in each reservation flow. A hotel usually acts as a data controller for guest data used to provide accommodation services. An online travel agency may also act as an independent data controller for its own platform operations, marketing, payment handling, and customer account management. In some cases, a technology provider may act as a data processor if it processes reservation data only on behalf of the hotel.

Contracts with booking engines, online travel agencies, channel managers, property management systems, and reservation software providers should regulate personal data responsibilities. Key issues include data categories, processing purposes, security measures, sub-processors, retention, breach notification, and international transfers.

Travel Agencies and Tour Operators

Travel agencies and tour operators process personal data not only for hotel reservations but also for flights, transfers, tours, visas, travel insurance, event participation, destination services, and customer support. These businesses may need to share traveler data with airlines, hotels, transport providers, museums, guides, consulates, insurance providers, destination management partners, and foreign suppliers.

A travel agency must identify the legal basis for each transfer. For example, transferring passenger names and passport data to an airline may be necessary for performance of the travel contract. Sharing traveler details with a hotel may be necessary for accommodation booking. Sending passport documents to a visa service provider may require a clear legal basis and strict security measures. Using customer data later for marketing is a separate processing purpose and should not be assumed to be automatically lawful.

Travel agencies should also avoid collecting documents earlier than necessary or retaining passport and visa files indefinitely. Travel documents often contain extensive personal data and should be protected with stronger access controls.

Privacy Notices for Hotels and Travel Agencies

KVKK Article 10 requires the data controller to inform data subjects at the time personal data is obtained. The notice must include the identity of the controller, processing purposes, transfer recipients and transfer purposes, method and legal basis of collection, and data subject rights under Article 11.

For hotels, the privacy notice should explain reservation processing, check-in procedures, identity reporting, accommodation services, payment and invoicing, guest relations, complaint management, CCTV, Wi-Fi, loyalty programs, marketing, legal obligations, data transfers, retention periods, and rights of guests.

For travel agencies, the notice should explain booking services, ticketing, accommodation arrangements, transfers, visa support, travel insurance, tour organization, foreign supplier transfers, customer support, payment processing, marketing communications, and data retention.

The notice should be accessible at the time of data collection. Hotels should provide notices at online booking, check-in, reception, Wi-Fi login, CCTV areas, loyalty enrollment, and marketing subscription points. Travel agencies should provide notices when receiving reservation forms, passport details, payment data, visa documents, or tour registration information.

Marketing Communications and İYS

Tourism businesses often send campaign emails, SMS messages, loyalty offers, birthday discounts, early booking campaigns, honeymoon packages, spa promotions, and destination offers. Marketing is not automatically lawful merely because a person stayed at a hotel or booked a tour.

Promotional communications require analysis under both KVKK and Turkish commercial electronic communication rules. The Turkish Message Management System, known as İYS, is a centralized system through which commercial electronic message approvals are collected and individuals can view, control, and exercise rejection rights through one platform. The Ministry of Trade states that İYS allows citizens to see all approvals from one point and provides legal security for service providers in managing permission processes.

Hotels and travel agencies should separate service communications from marketing. A reservation confirmation, check-in reminder, flight update, transfer notification, or invoice email is different from a promotional campaign. Marketing permissions should be collected separately, recorded properly, synchronized with opt-out systems, and respected across CRM platforms.

CCTV and Security Camera Recording

Hotels, resorts, travel offices, and tourism facilities frequently use CCTV for security, guest safety, incident investigation, theft prevention, access control, and protection of property. Camera footage is personal data when identifiable persons are recorded.

CCTV must comply with KVKK principles. Cameras should be placed only where necessary, such as entrances, reception areas, corridors, parking areas, cash desks, luggage rooms, and common security-sensitive areas. Cameras should not be placed in guest rooms, bathrooms, changing rooms, spa treatment rooms, massage rooms, private rest areas, or other areas where guests and employees have a high expectation of privacy.

Hotels should use visible camera warning signs and provide a detailed CCTV privacy notice. The notice should explain the purpose of recording, controller identity, legal basis, retention period, access rights, transfer recipients, and data subject rights. CCTV footage should be retained only for a limited period unless an incident or legal claim requires longer retention.

Wi-Fi, Internet Access, and Digital Logs

Hotels and tourism businesses often provide guest Wi-Fi. Guest internet access may involve IP addresses, MAC addresses, login times, room numbers, device identifiers, session logs, and user credentials. These records may be personal data under KVKK.

Hotels should inform guests about Wi-Fi data processing at the login stage. The Wi-Fi portal should not be used to collect unnecessary marketing consent through confusing or bundled checkboxes. If Wi-Fi access is conditional on accepting marketing communications, the validity of consent may be challenged because consent must be freely given.

Wi-Fi logs should be retained only for legally required or necessary periods. Access should be limited to authorized IT or security personnel. If Wi-Fi services are provided by a third-party vendor, the hotel should sign a data processing agreement and assess whether logs are stored in Turkey or abroad.

Loyalty Programs and Guest Profiling

Hotel chains and travel agencies often use loyalty programs to track stays, spending, preferences, destinations, family travel habits, restaurant choices, spa use, feedback, and campaign responses. Loyalty programs may improve service quality, but they can also create profiling risks.

Guests should be clearly informed about how loyalty data is processed. If the program involves personalized marketing, behavioral profiling, third-party partners, or international group databases, additional consent or transfer mechanisms may be required. The guest should be able to join the accommodation service without being forced into unnecessary profiling unless the loyalty program is clearly optional.

Hotel groups operating internationally should be especially careful. Sharing guest profiles with foreign group companies or global CRM systems may constitute a cross-border transfer under KVKK Article 9.

Health, Allergy, Disability, and Special Request Data

Hotels and tourism companies may process health-related or sensitive data in several contexts. Guests may provide allergy information, disability access needs, dietary restrictions, medical assistance requests, spa health forms, pregnancy-related requests, emergency medical information, or medical tourism records.

Health data is a special category of personal data under KVKK Article 6. Processing special categories of data requires one of the legal grounds listed in Article 6 and adequate safeguards.

Hotels should not collect health information unless necessary. If a guest voluntarily provides allergy information to ensure safe food service, the hotel should use it only for that purpose, restrict access to relevant staff, and delete it when no longer needed. Spa and wellness facilities should not retain health questionnaires indefinitely. Medical tourism agencies processing patient data should apply a much higher compliance standard, including specific privacy notices, strong confidentiality, secure transfer channels, and careful vendor controls.

Children’s Personal Data in Tourism

Hotels and travel agencies frequently process children’s data. Family reservations may include children’s names, ages, passport details, birth dates, room arrangements, meal plans, club participation, emergency contacts, medical needs, and activity permissions.

Children’s data should be handled with special care. Only necessary data should be collected. Kids club registrations, child activity forms, and babysitting services should not collect excessive information. Photos or videos of children should not be used in advertising or social media without proper consent from parents or legal representatives and, where appropriate, consideration of the child’s own interests.

Travel agencies organizing school trips, youth camps, sports tours, or student programs should implement heightened safeguards. Lists containing children’s passports, health declarations, emergency contacts, and travel itineraries should be shared only with authorized persons and protected against unauthorized access.

Cross-Border Transfers in Tourism and Hospitality

Tourism is inherently international, so cross-border data transfers are common. Hotels may transfer guest data to foreign parent companies, global reservation systems, loyalty program operators, cloud property management systems, international call centers, online travel agencies, payment processors, and foreign marketing tools. Travel agencies may transfer traveler data to foreign hotels, airlines, consulates, tour operators, insurance companies, and destination partners.

KVKK Article 9 was amended in 2024. Under the amended system, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If no adequacy decision exists, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Turkish Personal Data Protection Authority within five business days after signature.

Hotels and tourism companies should map all foreign transfers. They should identify which systems store data abroad, which vendors have access from abroad, whether foreign group companies receive guest data, whether booking engines transfer data internationally, and whether standard contracts or other safeguards are required.

Data Processing Agreements With Vendors

Hospitality businesses rely on many vendors: property management software providers, channel managers, online booking systems, payment processors, spa management tools, restaurant POS systems, housekeeping platforms, Wi-Fi vendors, CCTV providers, security companies, CRM tools, email marketing platforms, cloud storage providers, call centers, accounting firms, and travel suppliers.

Where a vendor processes personal data on behalf of the hotel or travel agency, a data processing agreement should be signed. The agreement should regulate processing instructions, confidentiality, security measures, sub-processors, breach notification, deletion or return of data, audit rights, cross-border transfers, and liability.

Vendor contracts are especially important where guest data is processed in cloud systems or by foreign providers. A hotel cannot outsource compliance entirely to its software vendor. Under KVKK Article 12, data controllers must take necessary technical and organizational measures, and where data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for security measures.

Data Security Obligations

KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and protect personal data.

For hotels and tourism companies, practical security measures include role-based access in reservation systems, strong passwords, multi-factor authentication for administrative panels, encrypted storage of sensitive documents, secure payment processing, restricted access to passport and ID data, secure Wi-Fi systems, logging of staff access, staff confidentiality undertakings, secure disposal of printed forms, vendor due diligence, and periodic audits.

Reception desks are a major risk point. Printed guest lists, passport copies, rooming lists, and payment documents should not be left openly accessible. Staff should be trained not to share guest room numbers, guest identity, travel companions, or booking details with unauthorized persons. VIP guest information, celebrity stays, medical tourism guests, and family travel data require heightened confidentiality.

Data Breach Notification

Data breaches in the hospitality sector may involve hacked reservation systems, exposed guest databases, leaked passport information, unauthorized staff access, stolen laptops, misdirected booking emails, ransomware attacks, insecure Wi-Fi logs, or vendor incidents.

Under KVKK Article 12, if processed personal data is obtained by others unlawfully, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time.

Hotels and travel agencies should prepare a breach response plan. The plan should define who investigates the incident, who contacts vendors, who preserves logs, who assesses notification duties, who communicates with affected guests, and who implements remedial measures. Tourism businesses serving foreign guests may also need multilingual communication strategies and may need to consider foreign regulatory or contractual notification duties.

Retention and Deletion

Hotels and travel agencies must retain certain records for legal, tax, accounting, contract, identity reporting, dispute, and operational reasons. However, KVKK requires personal data to be stored only for the period required by law or by the processing purpose and to be erased, destroyed, or anonymized when processing reasons no longer exist.

Retention rules should be defined for reservation records, identity records, invoices, payment records, guest complaints, CCTV footage, Wi-Fi logs, passport files, marketing permissions, loyalty records, travel documents, visa files, tour lists, and children’s activity records.

The 2025 Board principle decision is especially important for retention because it requires hotels that previously recorded Turkish identity card photocopies for accommodation purposes to destroy those documents under Article 7 of KVKK.

Data Subject Rights

Guests, travelers, employees, website visitors, loyalty members, and tour participants have rights under KVKK Article 11. These include the right to learn whether personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, object to adverse automated results, and claim compensation for unlawful processing.

Hotels and tourism companies should create clear request channels. A guest may ask for deletion of marketing data, access to CCTV footage, correction of contact details, information on foreign transfers, or withdrawal of marketing consent. A travel agency customer may ask where passport data was shared. The business must verify identity and respond within the legal framework.

VERBIS and Data Inventory

Hotels, tourism companies, and travel agencies should assess whether they are required to register with VERBIS, the Data Controllers’ Registry Information System. Under KVKK Article 16, data controllers must register before starting processing unless an exemption applies; registry applications include controller identity, processing purposes, data subject groups, data categories, recipient groups, personal data envisaged to be transferred abroad, security measures, and maximum storage periods.

Even where a business is exempt from registration, it should maintain a data inventory. A proper inventory helps align privacy notices, retention periods, vendor contracts, cross-border transfer documentation, and internal procedures.

Practical KVKK Compliance Checklist for Hotels and Travel Agencies

A hotel, tourism company, or travel agency operating in Turkey should:

  1. Map all guest, traveler, employee, visitor, and vendor data.
  2. Identify legal bases for each processing purpose.
  3. Stop taking Turkish ID card photocopies for ordinary accommodation check-in.
  4. Destroy previously stored ID card photocopies where no valid legal basis exists.
  5. Prepare privacy notices for guests, travelers, employees, website users, and CCTV.
  6. Separate marketing consent from service communications.
  7. Manage commercial electronic message permissions through compliant systems.
  8. Review online booking platforms and OTA data flows.
  9. Sign data processing agreements with vendors.
  10. Map cross-border transfers and apply Article 9 safeguards.
  11. Limit access to reservation, passport, payment, and health data.
  12. Secure reception and back-office data handling.
  13. Define retention periods for each data category.
  14. Prepare CCTV and Wi-Fi privacy notices.
  15. Review loyalty and guest profiling practices.
  16. Apply stricter safeguards to health, allergy, disability, and children’s data.
  17. Create data subject request procedures.
  18. Prepare a data breach response plan.
  19. Assess VERBIS obligations.
  20. Train reception, reservation, sales, IT, security, and management teams.

Common Mistakes in Tourism KVKK Compliance

One major mistake is copying or scanning guest identity cards as a routine check-in practice. After the 2025 Board principle decision, this practice is clearly high-risk and should be terminated for Turkish identity cards in ordinary accommodation services.

Another mistake is using broad privacy notices that do not reflect actual hotel operations. A notice that ignores CCTV, Wi-Fi, loyalty programs, OTAs, payment systems, foreign booking engines, or travel agency transfers will be incomplete.

A third mistake is storing passports, visa documents, ID copies, rooming lists, and health forms indefinitely. A fourth is sharing guest data through unsecured email or messaging applications. A fifth is using global CRM or booking systems without cross-border transfer analysis. A sixth is sending promotional messages to past guests without proper marketing permission.

Hotels also frequently underestimate employee training. Reception, housekeeping, security, spa, restaurant, and call center staff may all access guest data. Without training, even a strong privacy policy may fail in practice.

Conclusion

KVKK compliance for hotels, tourism companies, and travel agencies in Turkey requires a practical, sector-specific, and continuously updated data protection program. Tourism businesses process personal data at every stage of the guest journey, from booking to check-in, accommodation, payment, loyalty, marketing, travel coordination, and post-stay communication.

The most important compliance areas include lawful processing, guest privacy notices, identity reporting, the prohibition on unnecessary ID photocopying, reservation system governance, travel supplier transfers, marketing permissions, CCTV, Wi-Fi logs, loyalty profiling, health and children’s data safeguards, vendor contracts, cross-border transfers, data security, breach response, retention, data subject rights, and VERBIS assessment.

The 2025 Turkish Personal Data Protection Board Principle Decision on Turkish identity card photocopies is particularly important for the hospitality sector. It confirms that accommodation facilities must stop taking Turkish ID card photocopies from guests and must destroy previously recorded photocopies where no valid legal basis remains.

For tourism businesses, data protection is not only a regulatory obligation. It is also part of guest trust, brand reputation, service quality, and international competitiveness. A hotel or travel company that protects guest data properly reduces legal risk, strengthens customer confidence, and builds a more sustainable business in Turkey’s tourism market.
