The guide highlights the widespread use of drones in the civil sphere and the exponential growth in the use of these unmanned aircraft. Article 26 of Royal Decree 1,036/2017, 15 December, which regulates the civil use of remotely piloted aircraft, establishes the obligation to adopt the measures necessary to ensure compliance with the provisions on the protection of personal data and protection of privacy. The guide advises operators of drones on how to comply with the provisions of the GDPR and Spain's domestic legislation – Organic Law 3/2018 where they register or process images, videos, sound, biometric data, geolocation or telecommunications, among others, related to identified or identifiable persons.
The guide includes recommendations for different types of operations that can be carried out with drones, classifying them according to data processing as follows.
- operations that lack, or do not make use of, devices for capturing images, sound or any other type of personal information, such as recreational or sporting uses
- the use of drones for the inspection of infrastructures, the preparation of terrain plans or other video services for cinema, television or advertising, in which unintentional capture of personal data may occur.
- the use of drones for the purpose of processing personal data.
The guide offers the following recommendations that should be considered prior to using a drone:
- assessing the need to conduct a data protection impact assessment (DPIA)
- carrying out a risk analysis even in those cases in which a DPIA is not mandatory
- not to publish on the internet any images that show individuals or private spaces such as homes, gardens or terraces)