7. What data protection principles and rights should I always respect?


  • Data protection by design and by default – As of January 2018, if you collect or use personal data, you are required to comply with the principle of data protection by design and by default. This means that you, as a drone manufacturer, designer, programmer or other, are required to consider all of the principles and rights in this section even before your drone activity begins. You should consider what technology to use and how to organise your activities in a way that would ensure you comply with data protection law. By default, you should keep to a minimum:

    • the personal data you collect
    • how much you process it
    • how long you keep it for
    • who can access it.
  • Inform people: Act with respect towards people and inform them of your activities through any channels you decide are appropriate. You should do so in clear, plain and easy-to-understand language. In particular, inform them of:

    • Who you are and how you can be contacted
    • What you are doing and why, e.g. if you are carrying out infrastructure inspections, mapping or research exercises
    • What purposes you will use the personal data for
    • Who you may share the personal data with
    • How long their data will be kept for or how that will be determined
    • All the rights they have

    Reason for data collection: To collect and use personal data legally, you should have a good reason for doing so. There are two main ways you can ensure that:

    • Ask for consent or have an agreement: Whenever possible, ask people for their permission (consent) if you plan on collecting information regarding them. You can also do that as part of a larger agreement or contract you have with them, for example if they hire you to film their wedding or deliver something to their doorstep via a drone.
    • Legitimate or vital interest: If your actions aim to protect a legitimate or vital interest, you could also collect personal data. If you accidentally capture images or other data relating to people in the area of your activities, your actions could still be lawful. 
    • NB. Keep in mind that people have the right to change their mind at any time and you should respect that.   
    • A legitimate interest means an activity that is important for the public, for example, you are conducting research or safety inspections of important electricity or water infrastructure. 
    • A vital interest means that you are trying to protect a person’s life or wellbeing, for example if you are using your drone to find hikers lost in the woods.

    Data minimization: Limit the personal data that you collect by altering the way you use drones, for example by flying at lower or higher altitudes depending on the context. Any information you collect (and retain) should be adequate, relevant and necessary for whatever you are doing. 

    Here is an easy guide to the main things you should consider and three keywords to remember: INFORM, LISTEN, MINIMISE

    • Inform: Whenever you capture or record any information about a person, especially clear images of their face, inform them about it.
    • Listen: Ask people what you can and cannot do with their information and comply with their wishes at any point in time. Get acquainted with the data protection rights people have. 
    • Minimise: Always think about how to use drones in a way that captures the least amount of data about people in the area of your operation. Use and share that data as little as possible and always with the permission of people captured in it.
  • Purpose limitation: After you have informed people and they have agreed, only collect and use personal data for the purposes that you planned to. If you want to do something new and different with the data you have, you generally have to inform people of that and get their agreement again.  

    Integrity and confidentiality: Keep personal data as securely as possible. Protect it against unauthorised or unlawful access or damage, using appropriate technology for your activities.  

    Storage limitation: Keep personal data only for as long as necessary. If you have captured personal data that you do not need, apply anonymisation techniques, such as blurring, to the recorded images or videos as soon as possible. Delete any personal data which you no longer need.

    Sharing data: Do not share the personal data you have collected with third parties without the consent of the individual concerned or a legal requirement mandating you to do so. This is also true if you plan on sharing the personal data with a person or a company that is based outside of the European Union. If you do share your data with other companies, make sure that they will also follow all relevant data protection principles.

  • If you have collected personal data accidentally, but still need to retain the footage for some of your other activities, you will have to treat the information very carefully and in accordance with all data protection principles. 

    Remember, when in doubt about what to do, always consult your national data protection authority.

  • Right to object: When you are collecting data without the consent or the agreement of a person, they have the right to object. You should generally respect that decision. 

    Right to change their mind: If people have agreed to you capturing their personal information with your drone, they also have the right to change their mind at any point in time and you should respect their decision. You are protected, though. This will not make your activities up to that point illegal. 

    Right to access: People have a right to know what information you have collected and stored about them, and they have the right to access such information.  

    Right to receive a copy: People have a right to receive or make a copy of their personal data that you have collected.  

    Right to erasure: People have the right to ask you to delete any information you have regarding them and you should generally do so.

  • A Privacy Impact Assessment is a way to assist you with your data protection obligations and in respecting people’s expectations of privacy. If the nature of your commercial activities with drones is likely to result in a high risk to the rights of individuals, such as the systematic monitoring of publicly accessible areas on a large scale, you are required to carry out a data protection impact assessment under the GDPR, which involves the data protection elements of the broader PIA. The assessment should include:

    • A systematic description of how you plan to process personal data and for what purposes, including, if applicable, the legitimate interest you pursue
    • An assessment of the balance between the purpose you pursue and the necessity and proportionality of the data processing
    • An assessment of the risks that could arise to the rights and freedoms of people whose personal data you are processing
    • Measures taken to address these risks (safeguards, security measures, etc.)

    A data protection officer can help you prepare the impact assessment. We have also prepared a Privacy Impact Assessment checklist, which is found here.
