Piyo: "Wait, if I film with my drone, am I collecting personal data? Could I be breaking privacy laws?" Poppo: "Excellent question! Yes, drone footage is often personal data. Sweden's privacy laws (GDPR + IMY) are strict. Let me explain what you need to do to stay compliant."

Privacy Checklist for Drone Operators

Before every flight, ask:

  • [ ] Is personal data being collected? (faces, license plates, thermal signatures, etc.)
  • [ ] Do I have legal basis? (consent, contract, legitimate interest documented)
  • [ ] Have I notified people? (privacy notice, signage, announcement)
  • [ ] Am I minimizing data? (only capture what's necessary)
  • [ ] Is data encrypted? (storage + backup + transmission)
  • [ ] What's retention period? (defined deletion date set)
  • [ ] Who can see footage? (client only? Public? Documented)
  • [ ] Can I prove compliance? (documented consent, retention logs, security measures)

FAQ: Privacy & Drones in Sweden

Q: Can I publish drone photos on Instagram if faces are visible?

A: Only if:

  • You have explicit written consent from everyone identifiable
  • OR faces are so small/blurred they're not identifiable
  • OR the image is of property/landscape with no identifiable people
Publishing without consent = GDPR violation; IMY can fine you 5,000-20,000 EUR.

Q: What if someone in the crowd is unhappy about being filmed?

A: They have right to:

  • Request deletion of footage containing them
  • File complaint with IMY against you
  • Sue for damages
You must have consent documented to defend yourself.

Q: Can I use facial recognition on drone footage?

A: In Sweden, essentially NO without explicit consent + business justification:

  • GDPR bans facial recognition without high-bar justification
  • IMY is particularly strict on this in Sweden
  • Fine for unauthorized facial recognition: 10,000-50,000 EUR+
Even if you have footage, processing it for face ID is separate violation.

Q: How long can I keep drone footage?

A: Depends on purpose:

  • Event footage for client: 2-5 years typical (client deliverable window)
  • Security monitoring: 1-2 years per agreement
  • Real estate photos: 6 months (after sale)
  • No ongoing purpose: Delete immediately after stated use
Define retention policy in writing before filming.

Q: What if I'm just a hobbyist flying my drone?

A: GDPR applies equally:

  • If you capture identifiable people, you're processing personal data
  • If you share footage publicly (YouTube, Instagram), you're sharing personal data
  • You still need consent + documented retention policy
"It's just a hobby" doesn't exempt you from privacy law.

Q: Does thermal imaging require extra privacy protections?

A: YES. Thermal data is considered highly sensitive under GDPR:

  • Reveals occupancy + activity patterns
  • Can identify people indoors (heat signatures)
  • Requires explicit consent (not just reasonable notice)
  • Should be deleted immediately after use
  • Cannot be archived long-term without strong justification
Thermal = highest privacy risk for drones.

Q: How does MmowW help with privacy compliance?

A: MmowW provides:

  • Privacy notice templates (GDPR-compliant language)
  • Consent documentation (record consent, signatures digital)
  • Retention tracking (automatic deletion reminders)
  • Data minimization guides (what to collect vs. avoid)
  • Breach reporting (automated IMY notification draft)
  • Audit logs (who accessed footage, when, why)

Cost: kr67/drone/month (includes privacy compliance features)

Next Steps: Privacy-Compliant Drone Operation

  1. Define your operation (what personal data will be collected?)
  2. Establish legal basis (consent? contract? legitimate interest?)
  3. Draft privacy notice (use MmowW template or IMY guidance)
  4. Get consent (written, documented, before filming)
  5. Implement security (encryption, password protection)
  6. Set retention period (document when data deleted)
  7. Document everything (keep proof of compliance)
  8. Monitor GDPR updates (IMY publishes new guidance regularly)

Contact for questions:
  • IMY (Swedish Data Authority): imy.se (GDPR guidance)
  • Transportstyrelsen: transportstyrelsen.se (operational rules + privacy guidance)
  • Published: April 9, 2026 | Authority: IMY (Integritetsmyndigheten) + Transportstyrelsen | Law: GDPR (EU 2016/679) + Swedish Filming Act + Swedish Aviation Act