The introduction of the GDPR will increase the pressure on professional drone operators to ensure they comply with the legislation and avoid potential fines. The GDPR may apply if you are collecting personal data. A recording or other information you collect through a drone will contain personal data if one of the following is true:
- A person’s face is clearly visible. However, if there are individuals in the distance and the faces are blurred, it is unlikely to be considered personal data.
- The person can be identified in another way – from the location, visible address numbers, car plate numbers, time of day, specific clothing, etc.
- It shows details about the person’s bodily characteristics, behavior, private life or his or her professional activities.
- It is used when making decisions on how to treat, act towards or evaluate that person.
- It focuses on or targets a particular person, especially if for a prolonged period of time.
DroneRules.eu has identified 8 guiding principles for professional operators to keep in mind to support compliance with the GDPR when they collect personal information.
- Inform: Whenever you capture or record any information about a person, especially clear images of their face, inform them about it. Draft a public privacy statement to provide further transparency.
- Listen: Ask people what you can and cannot do with their information and comply with their wishes at any point in time. Get acquainted with the data protection rights people have.
- Minimise: Always think about what kind of drone to use and how so that you capture the least amount of data about people in the area of your operation. Anonymise data where possible. Blurring faces, house and car numbers may help you alleviate your GDPR obligations.
- Respect: Ensure that people can exercise their rights to object to data collection processing, change their mind about it or have their data removed. Remember, people also have the right to access their data, receive a copy of their data and correct it.
- Limit: The purpose for which you use the data to the purpose you originally stated and limit the storage of the personal data to the minimum period required.
- Protect: Provide adequate security for the personal data and do not share it with third parties without informing individuals and ensuring data will be protected with its recipients. Share only anonymized data if possible.
- Assess: Act responsibly and plan your activities with privacy in mind (privacy-by-design). If your activities pose a high risk to the rights of people on the ground, conduct a data protection impact assessment (DPIA). See DroneRules.eu resources for guidance and templates.
- Demonstrate: Document your flight and the steps you have taken to make it proportionate and privacy-aware. Ensure that you can demonstrate that you have a lawful basis for your activities, e.g. consent from data subjects.
Following these principles will considerably reduce your risks when collecting and processing personal information via a drone. Find more information, including handbooks, templates and other resources on our website.
The article was originally published on DroneRules.eu and has been republished on Geoawesomeness.