GM1 UAS.SPEC.050(1)(a)(iv) Responsibilities of the UAS Operator
CAA ORS9 Decision No. 16
PROCEDURES TO ENSURE THAT ALL OPERATIONS ARE IN COMPLIANCE WITH REGULATION (EU) 2016/679 AS RETAINED (AND AMENDED IN UK DOMESTIC LAW) UNDER THE EUROPEAN UNION (WITHDRAWAL) ACT 2018, HEREAFTER REFERRED TO AS UK REGULATION (EU) 2016/679 ON THE PROTECTION OF NATURAL PERSONS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA
The UAS Operator is responsible for complying with UK law and regulations in particular, with regard to privacy, data protection, liability, insurance, security and environmental protection.
This GM helps the UAS Operator to identify and describe the procedures to ensure that the UAS operations are in compliance with UK Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
For further information on data-protection responsibilities, see the ICO (Information Commissioner’s Office) Website, here. The following table is included as an example of how an operator may ensure their data-protection responsibilities are complied with.
|
Considerations for operators to discharge data-protection responsibilities |
|---|
|
1. Identify the privacy risks that the intended operation may create |
|
|
|
2. Define your role with respect to personal data collection and processing |
|
|
|
3. Data protection impact assessment (DPIA) |
|
Have you assessed the need to perform a DPIA: Yes If yes, do you have to perform a DPIA? Yes |
|
4. Describe the measures you are taking to ensure data subjects are aware that their data may be collected |
|
|
|
5. Describe the measures you are taking to minimise the personal data you are collecting or to avoid collecting personal data |
|
|
|
6. Describe the procedure established to store the personal data and limit access to it |
|
|
|
7. Describe the measures taken to ensure that data subjects can exercise their right to access, correction, objection and erasure |
|
|
|
8. Additional information |
|
|
I am the (joint) data controller