Drones equipped with cameras capture vast amounts of visual data. When that data includes identifiable people, you're subject to GDPR (General Data Protection Regulation). The Dutch Data Protection Authority (AP - Autoriteit Persoonsgegevens) enforces strict rules. This guide explains your obligations.
Consent Management (Best Practices)
Consent Form Template
Use this for commercial operations involving identifiable people:
```
DRONE FILMING CONSENT FORM
Event/Operation: [Name]
Date: [Date]
Location: [Address]
I consent to having my image/likeness recorded by drone during the above event. I understand:
- Filming is for the purpose of [specify: event coverage/documentation/promotional use]
- My data will be retained for [specify: 30 days/as agreed]
- I may withdraw consent by contacting [name, email, phone]
- I have the right to request access to my data or deletion
```
Best practice:
- Use for all commercial operations (weddings, events, filming)
- Collect signatures before flights
- Keep signed forms on file (2+ years minimum)
- Reference form in incident response if questioned by AP
Data Breach Notification
If you are hacked or data is accidentally shared, you must notify the AP and the affected people.
Mandatory Notification Steps
- Assess severity – Is the breach serious? (Names/faces leaked = yes; aerial photos of buildings = no)
- Notify AP within 72 hours – https://www.autoriteitpersoonsgegevens.nl (report form)
- Notify affected people – Email/letter explaining:
  - What data was compromised
  - What you're doing to fix it
  - How they can protect themselves
- Document response – Keep records (AP may investigate)
Notification Example
```
INCIDENT NOTIFICATION
We experienced a data breach affecting your drone video footage from [date].
Details:
- Type of data: Video file (identifiable faces)
- Who accessed: Unknown third party (hacker)
- When discovered: [date]
- Actions taken: Videos deleted, storage encrypted, contractor notified
Your rights:
- You may request deletion (write to [email])
- You may file complaint with Autoriteit Persoonsgegevens
- You may seek damages if harmed
We sincerely apologize.
```
Penalties for GDPR Violations
| Violation | Fine | Notes |
|---|---|---|
| Flying without notification | up to €7,800 per violation (Wet luchtvaart) | First offense; more severe if repeated |
| No consent (when required) | €15,000-75,000 | Deliberate violation worse |
| Data breach (unreported) | €20,000-100,000+ | Failure to notify AP within 72 hours |
| Excessive data collection | up to €7,800 per violation (Wet luchtvaart) | Filming more than necessary |
| No retention policy | €5,000-30,000 | Keeping data indefinitely |
| Unauthorized sharing | €25,000-100,000+ | Selling/sharing data without permission |
Piyo's Beginner Path
You're just starting and want to comply with privacy rules.
- Get basic understanding: Read this guide + AP's official guidance (1 hour)
- For each operation:
  - Document purpose (write it down: "Wedding footage capture")
  - Notify people (announcement or signage)
  - Get consent if possible (signed forms for commercial work)
  - Minimize data (capture only what you need)
  - Delete timely (30-90 day policy)
- Keep records: Save consent forms, retention policies, notifications
- Annual review: Update policies annually (AP updates guidance regularly)
Poppo's Expert Path
You're scaling and need enterprise-grade compliance.
- Hire Data Protection Officer (DPO) – External consultant (costs vary; consult relevant providers for current pricing)
- Conduct formal DPIAs – For every operation type (cost per DPIA varies; check with relevant providers)
- Implement technical controls:
  - Encrypted storage (cloud provider with EU data centers)
  - Access logging (who views data, when)
  - Automatic deletion (timers, retention policies)
  - Incident response system (breach notification protocol)
- Develop privacy-by-design procedures:
  - All new services: DPIA before launch
  - Client contracts: standardized DPA clauses
  - Employee training: annual GDPR update
- Maintain compliance evidence:
  - Document all DPIA assessments
  - Keep consent forms (7 years minimum)
  - Log all data processing activities
  - Record breach investigations (if any)
Common Questions
"Can I record drone footage from public space (street, park)?"
Legally: Yes, public places = lower privacy expectations. However, if identifiable people are visible, GDPR still applies (you need consent or legitimate interest). Practical: If faces/identifying features are visible, treat as private data requiring consent.
"Can I use drone footage for promotional purposes without consent?"
No. If using for ads/marketing, you absolutely need explicit consent (or legitimate interest, hard to justify). Commercial use = higher privacy expectation.
"What's the difference between Dutch privacy law and GDPR?"
GDPR is an EU-wide regulation. The Netherlands has no separate national privacy law (GDPR is the standard). AP enforces GDPR in the Netherlands.
"Can I share drone video with insurers/contractors?"
Only with a DPA in place. If you're a data processor (acting for a client), you must have a Data Processing Agreement defining what can be shared and how it's protected.
"What if I anonymize drone footage (blur faces)?"
Anonymization is a legal solution. If you can't identify people in footage, GDPR doesn't apply. However, true anonymization (impossible to re-identify) is technically difficult. Safe approach: assume data is identifiable until proven otherwise.
"Do I need consent for overhead agricultural photos (no people visible)?"
No. If there are no identifiable people in the photos, GDPR doesn't apply. However, landowner privacy considerations exist (depends on context).
"What if someone asks me to delete drone footage?"
Key Resources
- AP Guidance on Drones – https://www.autoriteitpersoonsgegevens.nl/drone-privacy (official AP rules)
- GDPR Text – https://gdpr-info.eu (full regulation with commentary)
- AP Data Processing Agreements – https://www.autoriteitpersoonsgegevens.nl/dpa-templates (ready-made forms)
- Dutch Privacy Law (AAA) – Information about Dutch Administrative Appeals (appeals process if AP fines you)
What MmowW Does for You
MmowW automates privacy compliance:
- Consent form generation – Auto-populated, signable via app
- DPIA templates – Pre-formatted for common operations
- Data retention reminders – Automatic deletion timers
- Notification procedures – Incident response checklist
- Compliance calendar – Privacy policy review reminders
- Audit trail – Logs of all data access, deletions
Cost: €6.08/drone/month
FAQ
Q: Is facial recognition allowed on drone footage?
A: Only with explicit consent. Facial recognition = special category data (high risk). AP strongly discourages without compelling public interest.
Q: Can I use thermal imaging without consent?
A: Thermal imagery is less identifying (can't see faces clearly), but still captures personal space (people's homes). Consent/legitimate interest still required.
Q: What's AP's stance on drones in general?
A: AP views drones as privacy-sensitive (report published 2023: drones require "careful consideration" of privacy). Compliance expected, violations actively prosecuted.
Q: Do I need AP approval before flying?
Contact MmowW for privacy compliance consulting.