PROCEDURES TO ENSURE THAT ALL OPERATIONS ARE IN COMPLIANCE WITH REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA

The UAS operator is responsible for complying with any applicable European Union and national rules, in particular, with regard to privacy, data protection, liability, insurance, security and environmental protection.

This GM has the purpose of providing guidance to the UAS operator to help them to identify and describe the procedures to ensure that the UAS operations are in compliance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

Description of the procedures established by the UAS operator to ensure that the UAS operation is in compliance with Regulation (EU) 2016/679

1. Identify the privacy risks (1) that the intended operation may create

 

 

 

2. Define your role with respect to personal data collection and processing

  I am the (joint) data controller    I am the (joint) data processor

3. Data protection impact assessment (DPIA)

Have you assessed the need to perform a DPIA: Yes   No

If yes, do you have to perform a DPIA?  Yes   No

If yes, did you perform a DPIA?  Yes   No

4. Describe the measures you are taking to ensure data subjects are aware that their data may be collected (6)

 

 

 

5. Describe the measures you are taking to minimise the personal data you are collecting or to avoid collecting personal data (7)

 

 

 

6. Describe the procedure established to store the personal data and limit access to it

 

 

 

7. Describe the measures taken to ensure that data subjects can exercise their right to access, correction, objection and erasure

 

 

 

8. Additional information

 

 

 

Notes:

1. For guidance regarding the identification of the privacy risks of your operation, please check:

      The DR PRO online training course: Module 1 — Privacy risks in context; and

      The DR PRO Privacy-by-Design Guide: Privacy risks and safeguards in drone manufacturing (page 10).

2. For more information about definitions of personal data, please check:

      The DR PRO online training course: Module 2 – What is personal data? and

      The DR PRO Privacy Code of Conduct: 3. Glossary.

‘Data controller’ means that you make decisions about what personal data is collected and how it is collected, processed and stored.

‘Data processor’ means that you follow instructions from another entity on collecting, processing and storing personal data.

For more information about your potential role as data controller or data processor, you can check:

      The DR PRO online training course: Module 2 – Data protection Roles; and

      The DR PRO Privacy Code of Conduct for the responsibilities of data controllers.

3. For more information about when and how to conduct data protection impact assessments, please check:

      The DR PRO Data Protection Impact Assessment template

4. For more information about how to inform data subjects about your activities you can check:

      The DR PRO Privacy Code of Conduct: 4.3.2 Act visibly and transparently;

      The DR PRO online training course: Module 3 – Carry out your operation; and

      The DR PRO Pre-flight checklist

5. For more information about the data minimisation principle, please check:

      The DR PRO Privacy Code of Conduct: 4.3.1 Minimise the impact on people’s privacy and data protection;

      The DR PRO Privacy-by-Design Guide: Drone Privacy Enhancing Software Features; and

      The DR PRO online training course: Module 3 – Risk mitigation strategies.

6. For guidance on the secure storage and access to personal data, please check:

      The DR PRO Privacy Code of Conduct: 4.4.2 Handle data securely;

      The DR PRO online training course: Module 2 – How should personal data be handled? and

      The DR PRO Privacy-by-Design Guide: Drone Privacy Enhancing Software Features.

7. For more information about the rights of data subjects, please check:

      The DR PRO Privacy Code of Conduct: 4.3.3 Respect the rights of individuals; and

      The DR PRO online training course: Module 2 – How should individuals be treated?