Basic principles for the use of camera drones

You must comply with the General Data Protection Regulation (GDPR) if you use a drone to capture people in a recognisable or identifiable manner, even if that is not your intention. This page explains the basic principles of the GDPR and the specific points of attention for drones.

On this page

Purpose limitation

As a data controller, you may only collect personal data for a legitimate purpose. That purpose must be specific, and must have been described explicitly in advance. The purpose for which you are going to process personal data must be compatible with the purpose for which this data was collected. In other words: you may not suddenly start using the data for a very different purpose.

In addition, the processing of personal data may not conflict with (other) legislation, public order or public morality.

Also see:

  • Article 5, paragraph 1 under b of the GDPR;
  • Article 3, paragraphs 1 and 2 of the Police Data Act.

Legal basis for processing

You must have a good reason to be allowed to process personal data. Article 6 of the GDPR lists six such reasons, the so-called legal bases.

In short, they are:

  1. consent of the data subject;
  2. performance of an agreement;
  3. statutory obligation;
  4. protection of a vital interest of the data subject;
  5. public-law duty;
  6. legitimate interest.

The data processing must be based on (at least) one of these legal bases. Please note: you must be able to clearly explain why you are basing your decision on a legal basis. Some legal bases are not obvious when using camera surveillance and drones. Below you can read how this works.

Vital interest

The legal basis of “protection of a vital interest” will usually not apply to camera surveillance to protect persons and property. It must be essential for someone’s life or health to process the personal data.

Public-law duty

In order to properly fulfil a public-law duty, it may be necessary for an agency to use camera surveillance.

Use necessary?

You must clearly demonstrate the necessity of using a drone. Among other things, you must look at the subsidiarity and proportionality of the processing.

The use of drones is less likely to meet the requirements of subsidiarity and proportionality than the use of static cameras, due to the possibility of flexible use of drones. This means there is a risk of more or greater invasions of people’s privacy.

Necessity: subsidiarity & proportionality

You may only use a drone with a camera if this is necessary for the goal you want to achieve. You must carefully consider the interests of people who are or may be filmed.

Two things are important: first, you must ask in advance whether the goal can be achieved in way that is less drastic for those involved. If so, the processing does not meet the requirement of subsidiarity.

Secondly, you should always ask yourself in advance whether the goal you want to achieve justifies the invasion of people’s privacy. If this is not the case, the processing of personal data is not proportionate.
Also read about conditions for camera surveillance in public places.

If you conclude the processing is necessary, you must regularly check during processing whether this is still the case. You have to decide for yourself how often that is. For example, take into account the risks of processing and changes in circumstances.

Data minimisation and strict retention periods

You are not permitted to use more cameras and to capture more persons and/or places than is strictly necessary for the stated purposes (data minimisation).

Also read the information about the conditions and retention periods for camera surveillance. These also apply to images taken by drones.

Security

It is important that you take security into account when using drones. Consider encryption, security standards and access. Sometimes, it is necessary to perform a data protection impact assessment (DPIA) first. In addition to the general rules for security, there are several things you must pay attention to when it comes to drones.

Some drones are equipped with the ability to send camera images during flight to the base station, where they can be monitored. There is a risk that the images will be intercepted by unauthorised persons.

If the camera images are stored on the drone or the connected equipment, there is a risk that the images will end up in the hands of unauthorised persons, for example, if the drone falls out of the sky prematurely or is taken out of the air.

If the use of drones involves police data, the security requirements of the Police Data Act (Article 4a) also apply.

Duty to provide information

You must inform people who are (potentially) being filmed about the use of drones with a camera before they are filmed (Article 14 in conjunction with Article 13 of the GDPR). This is the duty to provide information.

Informing the data subjects can be difficult in the case of drones. It is, therefore, advisable to inform them in various ways. Examples:

  • signs at the edges of the flying area;
  • a preliminary announcement and information on the website of the data controller and via (social) media;
  • local newsletters or free local papers; 
  • distributing information leaflets on site;
  • making the drones visible and audible by means of, for example, bright colours, (blinking) lights and audio signals.

Information not mandatory in some cases

In some cases, it is not mandatory to notify data subjects. This concerns situations where they are already aware of the cameras, the use of the cameras is prescribed by a law that also provides for appropriate measures, and where the personal data processed must remain confidential.

The obligation to provide information also does not apply if informing data subjects proves impossible or requires a “disproportionate effort” (see Article 14, paragraph 5 under b of the GDPR). However, this may influence the question of whether camera surveillance using drones is proportionate. Not being able to inform data subjects results in a greater invasion of the privacy of those data subjects. This infringement may therefore become disproportionate in relation to the purpose of the processing.

Also read the information about covert camera surveillance (hidden cameras).

Processing responsibility

As with any processing of personal data, it is important to determine who the data controller is. That is the party that has decided to use the drone. This applies to private individuals, but also certainly to governments. An example: if a local authority decides to use a drone and hires a company to fly the drone, the responsibility for what data processing is done with the drone lies with the local authority.

If it concerns police data, please read the information about processing responsibility for police data.