Flightradar24 receives reprimand for violating aircraft data privacy rights

Swedish privateness regulator IMY issued a reprimand in opposition to Flightradar24 AB on June 30, 2025, discovering the favored flight monitoring service violated plane homeowners’ information privateness rights in the course of the interval from Might 25, 2018, to June 22, 2021.

In accordance with the choice doc issued by the Swedish Authority for Privateness Safety (IMY), Flightradar24 processed private information in violation of Articles 12(2) and 12(6) of the Basic Knowledge Safety Regulation. The corporate maintained a routine observe of requesting private registration certificates from plane homeowners who sought to have their flight information faraway from the general public monitoring web site.

The investigation originated from 4 separate complaints filed throughout a number of European international locations. Three complainants particularly requested erasure of their plane information from www.flightradar24.com, citing privateness issues about their motion patterns being publicly accessible by means of plane registration numbers.

Technical violations recognized

IMY decided that plane registration numbers can represent private information underneath particular circumstances. The authority famous that nationwide plane registers containing proprietor data, mixed with Flightradar24’s printed information, allow identification of particular person plane homeowners.

In accordance with the choice, Flightradar24 processes numerous kinds of plane information together with ICAO 24-bit addresses, place coordinates, latitude, longitude, altitude, velocity, course, and squawk codes. The corporate operates a community of over 30,000 sign receivers worldwide that seize ADS-B transponder indicators broadcast by plane.

The service maintains roughly 282,000 lively plane in its database and serves 30 million month-to-month customers. Plane routinely transmit these indicators for air site visitors security functions, however the public accessibility of this aggregated information raises privateness issues for personal plane homeowners.

Case particulars reveal procedural failures

In criticism 3 from Denmark, a helicopter proprietor and firm CEO contacted Flightradar24 by means of his skilled electronic mail handle and offered documentation proving his company function. The complainant said that he was the one pilot of the helicopter, which was registered to his firm however used solely for his enterprise transportation.

Regardless of this clear identification, Flightradar24 requested extra registration certificates documentation. IMY concluded that the complainant had sufficiently recognized himself by means of various means, making the certificates request pointless underneath Article 12(6) of GDPR.

Flightradar24 had beforehand blocked the complainant’s plane utilizing a HEX code offered by the helicopter proprietor. Nonetheless, when the plane was transferred and re-registered in Denmark, it obtained a brand new HEX code, inflicting it to reappear on the monitoring web site roughly one yr later.

The corporate’s blocking process includes flagging particular plane in its database so that they can’t be recognized by registration quantity. When blocked plane seem on the web site, solely normal mannequin data like “Cessna 172” or “Piper PA28” is displayed with out figuring out particulars.

Authorized foundation established regardless of violations

IMY concluded that Flightradar24 maintains professional enterprise pursuits underneath Article 6(1)(f) of GDPR for accumulating and publishing plane information. The authority acknowledged the service’s worth for aviation trade analysis, accident investigations, and media reporting.

In accordance with the choice, information from Flightradar24 has been utilized in quite a few prison investigations, notably these associated to drug smuggling. In Might 2021, the corporate offered information to Ukrainian police by way of Swedish authorities for the investigation into Iran’s taking pictures down of flight PS752 in Tehran.

The Swedish Accident Investigation Authority obtained essential information from Flightradar24 relating to a July 8, 2021 crash in Örebro. The small plane lacked a black field, however Flightradar24’s 9 information factors proved important for the investigation.

Regardless of establishing professional processing grounds, IMY decided that the corporate’s information topic request dealing with procedures violated transparency and facilitation necessities. The authority famous that Flightradar24 obtained solely 10 to twenty erasure requests in the course of the related interval, representing a minimal proportion of complete tracked plane.

Enforcement patterns replicate broader tendencies

This enforcement motion aligns with latest European privateness authority actions concentrating on information processing transparency. Stockholm courts upheld a €5.4 million penalty against Spotify for insufficient information entry responses in June 2025.

Swedish authorities additionally imposed 45 million kronor in fines on pharmacy chains Apoteket and Apohem for transferring delicate well being information to Meta by means of monitoring pixels in September 2024.

The advertising and marketing expertise sector faces rising scrutiny over information assortment practices, notably relating to consent mechanisms and automated decision-making frameworks. Privateness advocates proceed difficult administrative enforcement gaps throughout European jurisdictions.

IMY ordered Flightradar24 to adjust to particular complainant requests inside one month of the choice changing into closing. For criticism 3, the corporate should stop processing plane information publication to stop complainant identification.

Concerning complaints 1 and a couple of, Flightradar24 should implement measures guaranteeing correct dealing with of erasure requests in line with Articles 12 and 17 of GDPR. The corporate can not routinely require registration certificates when various identification strategies suffice.

The authority famous that plane from complaints 1 and three now seem on the Federal Aviation Administration’s Limiting Plane Knowledge Displayed (LADD) Program blocking checklist. Nonetheless, IMY emphasised the significance of guaranteeing correct GDPR compliance procedures no matter FAA blocking standing.

Flightradar24 should reveal that continued processing serves compelling professional grounds that override particular person privateness pursuits. The corporate can not merely depend on blanket registration certificates necessities when dealing with information topic requests.

Business implications for monitoring companies

The choice establishes necessary precedent for location monitoring companies throughout numerous transportation sectors. In accordance with IMY’s evaluation, plane registration numbers parallel car identification numbers by way of potential private information classification.

The authority referenced the Court docket of Justice’s Gesamtverband Autoteile-Handel judgment, which decided that VIN numbers represent private information when cheap identification means exist. This precept extends to any monitoring system the place object identifiers can hyperlink to particular person homeowners by means of accessible registers.

Advertising and marketing professionals using location-based promoting and monitoring applied sciences ought to consider their information minimization practices. The choice means that even publicly transmitted indicators could require privateness safety measures when mixed with figuring out data from different sources.

The European Knowledge Safety Board’s steering emphasizes that data controllers must implement privacy by design principles relatively than reactive compliance measures. Firms can not assume that technical information assortment routinely offers adequate authorized foundation for processing.

Timeline

• Might 25, 2018: GDPR enters into power, establishing the regulatory framework
• January 2019: Preliminary complaints filed in opposition to flight monitoring practices
• March 7, 2021: Complainant 1 contacts Flightradar24 requesting plane blocking
• 2021: Complainants 2 and three submit erasure requests to Flightradar24
• June 22, 2021: Finish of investigation interval for GDPR violations
• March 25, 2025: IMY relaxes GDPR record-keeping requirements for smaller businesses
• June 30, 2025: IMY points closing determination in opposition to Flightradar24
• July 2025: One-month compliance deadline for remedial measures

Key terminology defined

GDPR (Basic Knowledge Safety Regulation): The European Union’s complete information safety regulation that entered into power on Might 25, 2018. This regulation establishes strict necessities for the way organizations acquire, course of, and retailer private information of EU residents. Beneath GDPR, people have particular rights together with entry to their information, rectification of inaccuracies, and erasure of non-public data. The regulation applies to any group processing EU residents’ information, no matter the place the group is positioned, and violations may end up in fines as much as €20 million or 4% of world annual turnover.

Plane registration numbers: Distinctive alphanumeric identifiers assigned to particular person plane by nationwide aviation authorities. These codes encompass a rustic prefix adopted by extra characters particular to every plane. Whereas historically thought of technical identifiers, the Swedish Authority for Privateness Safety decided these numbers can represent private information when mixed with data from nationwide plane registers that hyperlink registration numbers to particular person homeowners or operators.

Private information: Any data regarding an recognized or identifiable pure particular person underneath GDPR Article 4(1). This contains direct identifiers like names and oblique identifiers reminiscent of location information, on-line identifiers, or distinctive codes that may be linked to people by means of extra data. The idea encompasses each goal and subjective data, offered it pertains to a particular particular person by means of content material, function, or impact. Knowledge turns into private when cheap means exist to determine people, both by the information controller or third events.

Knowledge erasure requests: Formal requests by people to have their private information deleted from a company’s techniques underneath GDPR Article 17. Also called the “proper to be forgotten,” this permits information topics to acquire deletion of their private data when processing is now not needed, consent is withdrawn, or information has been unlawfully processed. Organizations should reply to legitimate erasure requests inside one month and reveal compelling professional grounds in the event that they refuse deletion.

IMY (Swedish Authority for Privateness Safety): Sweden’s nationwide information safety authority liable for implementing GDPR and different privateness laws inside Swedish jurisdiction. As Flightradar24’s lead supervisory authority underneath GDPR’s one-stop-shop mechanism, IMY coordinates with different European information safety authorities on cross-border circumstances. The authority has powers to situation reprimands, orders, and administrative fines for GDPR violations, with latest notable circumstances together with enforcement actions in opposition to Spotify and Swedish pharmacy chains.

ADS-B (Computerized Dependent Surveillance-Broadcast): A surveillance expertise utilized in aviation the place plane routinely broadcast their place, altitude, velocity, and different flight data by way of radio indicators. These transponder indicators are deliberately unencrypted and publicly receivable to allow air site visitors management and collision avoidance techniques. Whereas designed for security functions, the open nature of ADS-B indicators permits third-party receivers to gather and mixture flight monitoring information, elevating privateness issues for personal plane operators.

Article 12(6): A selected GDPR provision permitting information controllers to request extra data to substantiate an information topic’s id when cheap doubts exist in regards to the particular person making a rights request. This text permits organizations to ask for verification earlier than processing entry, rectification, or erasure requests, however solely when real uncertainty about id exists. Controllers can not routinely demand in depth documentation with out demonstrating particular causes for doubting the requestor’s id.

Cross-border processing: Knowledge processing actions that happen throughout a number of EU member states, both by means of institution in a number of international locations or by monitoring information topics in numerous jurisdictions. Beneath GDPR’s one-stop-shop mechanism, a lead supervisory authority handles circumstances involving cross-border processing, coordinating with different related authorities. This method goals to make sure constant enforcement whereas lowering compliance complexity for organizations working throughout Europe.

Professional curiosity: A authorized foundation for processing private information underneath GDPR Article 6(1)(f) when processing is important for professional pursuits pursued by the controller or third events, offered particular person rights do not override these pursuits. Organizations should conduct a balancing check weighing their professional pursuits in opposition to potential hurt to information topics. This foundation usually applies to enterprise actions like fraud prevention, direct advertising and marketing, or analysis, however requires cautious evaluation of necessity and proportionality.

Registration certificates: Official paperwork issued by aviation authorities proving plane possession, registration particulars, and technical specs. These certificates include data linking plane registration numbers to particular homeowners or operators. Within the Flightradar24 case, the corporate routinely requested these paperwork to confirm complainants’ identities earlier than processing erasure requests, however IMY decided this observe violated GDPR necessities when various identification strategies have been out there.

Abstract

Who: Swedish Authority for Privateness Safety (IMY) took enforcement motion in opposition to Flightradar24 AB, a flight monitoring service, following complaints from personal plane homeowners in Sweden, Germany, and Denmark.

What: IMY issued a reprimand for GDPR violations associated to improper dealing with of information erasure requests and extreme id verification necessities. The corporate routinely requested registration certificates with out demonstrating cheap doubts about complainant id.

When: The violations occurred between Might 25, 2018, and June 22, 2021, with the ultimate regulatory determination issued on June 30, 2025. Compliance measures should be applied inside one month of the choice changing into closing.

The place: The case concerned cross-border processing supervised by IMY because the lead authority, with cooperation from information safety authorities in Poland, Germany, Slovakia, Netherlands, Latvia, Italy, France, Denmark, Hungary, Portugal, Austria, Finland, Spain, and Cyprus.

Why: The enforcement motion addresses elementary privateness rights relating to location monitoring and motion sample information. Plane homeowners sought to stop public identification by means of flight monitoring web sites, however Flightradar24’s procedural necessities created obstacles to exercising these rights underneath GDPR.