Menu
Airplane wing with a red tip against a clear blue sky. Below, there is an expanse of ocean meeting a sandy coastline, with some white clouds near the coast. The horizon divides the blues of the sky and sea, creating a serene aerial scene.

IMY reprimands Flightradar24 for unlawful handling of aircraft owners’ data

, , , , , , , ,

Swedish data protection authority IMY has reprimanded Flightradar24 AB for processing aircraft-related data in ways that violated Articles 12(2) and 12(6) of the GDPR during the period from May 25, 2018 to June 22, 2021. IMY found that registration numbers broadcast by aircraft can amount to personal data when combined with national aircraft registers that link registrations to owners. Flightradar24 collected ADS‑B signals — including ICAO 24‑bit addresses, position, altitude, speed and squawk codes — from a global network of over 30,000 receivers and published aggregated data about roughly 282,000 active aircraft to about 30 million monthly users.

The decision arose from four complaints across Europe where private aircraft owners requested erasure of their aircraft data. IMY identified procedural failures: Flightradar24 routinely requested official registration certificates even when complainants had provided sufficient alternative proof of identity, contrary to Article 12(6). In one case, a Danish helicopter owner who contacted the service using his professional email and supplied documentation showing his corporate role was still asked for additional certificates; IMY concluded such blanket requests were unnecessary and obstructed the right to erasure.

IMY accepted that Flightradar24 may rely on legitimate interests under Article 6(1)(f) for publishing flight data, given the service’s value for aviation research, accident investigations and law enforcement uses. The authority nonetheless required the company to improve transparency and facilitation of data subject requests under Articles 12 and 17, and to demonstrate compelling legitimate grounds if it refused erasure. IMY ordered Flightradar24 to comply with specified complainant requests within one month after the decision becomes final and to stop routinely demanding registration certificates when other reasonable identification methods suffice.

The decision sets an important precedent for tracking services and companies processing movement or location-linked identifiers. IMY referenced court guidance equating identifiers such as vehicle identification numbers with potential personal data when public registers permit identification, and stressed that controllers must design processing with privacy protections rather than relying on reactive measures. The case underlines the need for proportional verification procedures and proper handling of erasure requests to balance operational interests with individuals’ privacy rights.

  • Save

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Facebook
Twitter
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Copy link
CopyCopied