Privacy Checklist for Drone Operators
Before every flight, ask:
- [ ] Is personal data being collected? (faces, license plates, thermal signatures, etc.)
- [ ] Do I have legal basis? (consent, contract, legitimate interest documented)
- [ ] Have I notified people? (privacy notice, signage, announcement)
- [ ] Am I minimizing data? (only capture what's necessary)
- [ ] Is data encrypted? (storage + backup + transmission)
- [ ] What's retention period? (defined deletion date set)
- [ ] Who can see footage? (client only? Public? Documented)
- [ ] Can I prove compliance? (documented consent, retention logs, security measures)
FAQ: Privacy & Drones in Sweden
Q: Can I publish drone photos on Instagram if faces are visible?A: Only if:
- You have explicit written consent from everyone identifiable
- OR faces are so small/blurred they're not identifiable
- OR the image is of property/landscape with no identifiable people
A: They have right to:
- Request deletion of footage containing them
- File complaint with IMY against you
- Sue for damages
A: In Sweden, essentially NO without explicit consent + business justification:
- GDPR bans facial recognition without high-bar justification
- IMY is particularly strict on this in Sweden
- Fine for unauthorized facial recognition: 10,000-50,000 EUR+
A: Depends on purpose:
- Event footage for client: 2-5 years typical (client deliverable window)
- Security monitoring: 1-2 years per agreement
- Real estate photos: 6 months (after sale)
- No ongoing purpose: Delete immediately after stated use
A: GDPR applies equally:
- If you capture identifiable people, you're processing personal data
- If you share footage publicly (YouTube, Instagram), you're sharing personal data
- You still need consent + documented retention policy
A: YES. Thermal data is considered highly sensitive under GDPR:
- Reveals occupancy + activity patterns
- Can identify people indoors (heat signatures)
- Requires explicit consent (not just reasonable notice)
- Should be deleted immediately after use
- Cannot be archived long-term without strong justification
A: MmowW provides:
- Privacy notice templates (GDPR-compliant language)
- Consent documentation (record consent, signatures digital)
- Retention tracking (automatic deletion reminders)
- Data minimization guides (what to collect vs. avoid)
- Breach reporting (automated IMY notification draft)
- Audit logs (who accessed footage, when, why)
Next Steps: Privacy-Compliant Drone Operation
- Define your operation (what personal data will be collected?)
- Establish legal basis (consent? contract? legitimate interest?)
- Draft privacy notice (use MmowW template or IMY guidance)
- Get consent (written, documented, before filming)
- Implement security (encryption, password protection)
- Set retention period (document when data deleted)
- Document everything (keep proof of compliance)
- Monitor GDPR updates (IMY publishes new guidance regularly)
- IMY (Swedish Data Authority): imy.se (GDPR guidance)
- Transportstyrelsen: transportstyrelsen.se (operational rules + privacy guidance)