Flightradar24 receives reprimand for violating aircraft data privacy rights

Swedish privacy regulator IMY issued a reprimand against Flightradar24 AB on June 30, 2025, finding the popular flight tracking service violated aircraft owners' data privacy rights during the period from May 25, 2018, to June 22, 2021.

According to the decision document issued by the Swedish Authority for Privacy Protection (IMY), Flightradar24 processed personal data in violation of Articles 12(2) and 12(6) of the General Data Protection Regulation. The company maintained a routine practice of requesting personal registration certificates from aircraft owners who sought to have their flight data removed from the public tracking website.

The investigation originated from four separate complaints filed across multiple European countries. Three complainants specifically requested erasure of their aircraft data from www.flightradar24.com, citing privacy concerns about their movement patterns being publicly accessible through aircraft registration numbers.

Technical violations identified

IMY determined that aircraft registration numbers can constitute personal data under specific circumstances. The authority noted that national aircraft registers containing owner information, combined with Flightradar24's published data, enable identification of individual aircraft owners.

According to the decision, Flightradar24 processes various types of aircraft data including ICAO 24-bit addresses, position coordinates, latitude, longitude, altitude, speed, direction, and squawk codes. The company operates a network of over 30,000 signal receivers worldwide that capture ADS-B transponder signals broadcast by aircraft.

The service maintains approximately 282,000 active aircraft in its database and serves 30 million monthly users. Aircraft automatically transmit these signals for air traffic safety purposes, but the public accessibility of this aggregated data raises privacy concerns for private aircraft owners.

Case details reveal procedural failures

In complaint 3 from Denmark, a helicopter owner and company CEO contacted Flightradar24 through his professional email address and provided documentation proving his corporate role. The complainant stated that he was the only pilot of the helicopter, which was registered to his company but used exclusively for his business transportation.

Despite this clear identification, Flightradar24 requested additional registration certificate documentation. IMY concluded that the complainant had sufficiently identified himself through alternative means, making the certificate request unnecessary under Article 12(6) of GDPR.

Flightradar24 had previously blocked the complainant's aircraft using a HEX code provided by the helicopter owner. However, when the aircraft was transferred and re-registered in Denmark, it received a new HEX code, causing it to reappear on the tracking website approximately one year later.

The company's blocking procedure involves flagging specific aircraft in its database so they cannot be identified by registration number. When blocked aircraft appear on the website, only general model information like "Cessna 172" or "Piper PA28" is displayed without identifying details.

Legal basis established despite violations

IMY concluded that Flightradar24 maintains legitimate business interests under Article 6(1)(f) of GDPR for collecting and publishing aircraft data. The authority recognized the service's value for aviation industry research, accident investigations, and media reporting.

According to the decision, data from Flightradar24 has been used in numerous criminal investigations, particularly those related to drug smuggling. In May 2021, the company provided data to Ukrainian police via Swedish authorities for the investigation into Iran's shooting down of flight PS752 in Tehran.

The Swedish Accident Investigation Authority received crucial data from Flightradar24 regarding a July 8, 2021 crash in Örebro. The small aircraft lacked a black box, but Flightradar24's nine data points proved essential for the investigation.

Despite establishing legitimate processing grounds, IMY determined that the company's data subject request handling procedures violated transparency and facilitation requirements. The authority noted that Flightradar24 received only 10 to 20 erasure requests during the relevant period, representing a minimal proportion of total tracked aircraft.

Enforcement patterns reflect broader trends

This enforcement action aligns with recent European privacy authority activities targeting data processing transparency. Stockholm courts upheld a €5.4 million penalty against Spotify for inadequate data access responses in June 2025.

Swedish authorities also imposed 45 million kronor in fines on pharmacy chains Apoteket and Apohem for transferring sensitive health data to Meta through tracking pixels in September 2024.

The marketing technology sector faces increasing scrutiny over data collection practices, particularly regarding consent mechanisms and automated decision-making frameworks. Privacy advocates continue challenging administrative enforcement gaps across European jurisdictions.

Remedial measures ordered

IMY ordered Flightradar24 to comply with specific complainant requests within one month of the decision becoming final. For complaint 3, the company must cease processing aircraft data publication to prevent complainant identification.

Regarding complaints 1 and 2, Flightradar24 must implement measures ensuring proper handling of erasure requests according to Articles 12 and 17 of GDPR. The company cannot routinely require registration certificates when alternative identification methods suffice.

The authority noted that aircraft from complaints 1 and 3 now appear on the Federal Aviation Administration's Limiting Aircraft Data Displayed (LADD) Program blocking list. However, IMY emphasized the importance of ensuring proper GDPR compliance procedures regardless of FAA blocking status.

Flightradar24 must demonstrate that continued processing serves compelling legitimate grounds that override individual privacy interests. The company cannot simply rely on blanket registration certificate requirements when handling data subject requests.

Industry implications for tracking services

The decision establishes important precedent for location tracking services across various transportation sectors. According to IMY's analysis, aircraft registration numbers parallel vehicle identification numbers in terms of potential personal data classification.

The authority referenced the Court of Justice's Gesamtverband Autoteile-Handel judgment, which determined that VIN numbers constitute personal data when reasonable identification means exist. This principle extends to any tracking system where object identifiers can link to individual owners through accessible registers.

Marketing professionals utilizing location-based advertising and tracking technologies should evaluate their data minimization practices. The decision suggests that even publicly transmitted signals may require privacy protection measures when combined with identifying information from other sources.

The European Data Protection Board's guidance emphasizes that data controllers must implement privacy by design principles rather than reactive compliance measures. Companies cannot assume that technical data collection automatically provides sufficient legal basis for processing.

Timeline

• May 25, 2018: GDPR enters into force, establishing the regulatory framework
• January 2019: Initial complaints filed against flight tracking practices
• March 7, 2021: Complainant 1 contacts Flightradar24 requesting aircraft blocking
• 2021: Complainants 2 and 3 submit erasure requests to Flightradar24
• June 22, 2021: End of investigation period for GDPR violations
• March 25, 2025: IMY relaxes GDPR record-keeping requirements for smaller businesses
• June 30, 2025: IMY issues final decision against Flightradar24
• July 2025: One-month compliance deadline for remedial measures

Key terminology explained

GDPR (General Data Protection Regulation): The European Union's comprehensive data protection regulation that entered into force on May 25, 2018. This regulation establishes strict requirements for how organizations collect, process, and store personal data of EU residents. Under GDPR, individuals have specific rights including access to their data, rectification of inaccuracies, and erasure of personal information. The regulation applies to any organization processing EU residents' data, regardless of where the organization is located, and violations can result in fines up to €20 million or 4% of global annual turnover.

Aircraft registration numbers: Unique alphanumeric identifiers assigned to individual aircraft by national aviation authorities. These codes consist of a country prefix followed by additional characters specific to each aircraft. While traditionally considered technical identifiers, the Swedish Authority for Privacy Protection determined these numbers can constitute personal data when combined with information from national aircraft registers that link registration numbers to individual owners or operators.

Personal data: Any information relating to an identified or identifiable natural person under GDPR Article 4(1). This includes direct identifiers like names and indirect identifiers such as location data, online identifiers, or unique codes that can be linked to individuals through additional information. The concept encompasses both objective and subjective information, provided it relates to a specific person through content, purpose, or effect. Data becomes personal when reasonable means exist to identify individuals, either by the data controller or third parties.

Data erasure requests: Formal requests by individuals to have their personal data deleted from an organization's systems under GDPR Article 17. Also known as the "right to be forgotten," this allows data subjects to obtain deletion of their personal information when processing is no longer necessary, consent is withdrawn, or data has been unlawfully processed. Organizations must respond to valid erasure requests within one month and demonstrate compelling legitimate grounds if they refuse deletion.

IMY (Swedish Authority for Privacy Protection): Sweden's national data protection authority responsible for enforcing GDPR and other privacy regulations within Swedish jurisdiction. As Flightradar24's lead supervisory authority under GDPR's one-stop-shop mechanism, IMY coordinates with other European data protection authorities on cross-border cases. The authority has powers to issue reprimands, orders, and administrative fines for GDPR violations, with recent notable cases including enforcement actions against Spotify and Swedish pharmacy chains.

ADS-B (Automatic Dependent Surveillance-Broadcast): A surveillance technology used in aviation where aircraft automatically broadcast their position, altitude, speed, and other flight information via radio signals. These transponder signals are intentionally unencrypted and publicly receivable to enable air traffic control and collision avoidance systems. While designed for safety purposes, the open nature of ADS-B signals allows third-party receivers to collect and aggregate flight tracking data, raising privacy concerns for private aircraft operators.

Article 12(6): A specific GDPR provision allowing data controllers to request additional information to confirm a data subject's identity when reasonable doubts exist about the person making a rights request. This article permits organizations to ask for verification before processing access, rectification, or erasure requests, but only when genuine uncertainty about identity exists. Controllers cannot routinely demand extensive documentation without demonstrating specific reasons for doubting the requestor's identity.

Cross-border processing: Data processing activities that occur across multiple EU member states, either through establishment in multiple countries or by monitoring data subjects in different jurisdictions. Under GDPR's one-stop-shop mechanism, a lead supervisory authority handles cases involving cross-border processing, coordinating with other relevant authorities. This approach aims to ensure consistent enforcement while reducing compliance complexity for organizations operating across Europe.

Legitimate interest: A legal basis for processing personal data under GDPR Article 6(1)(f) when processing is necessary for legitimate interests pursued by the controller or third parties, provided individual rights don't override these interests. Organizations must conduct a balancing test weighing their legitimate interests against potential harm to data subjects. This basis often applies to business activities like fraud prevention, direct marketing, or research, but requires careful assessment of necessity and proportionality.

Registration certificates: Official documents issued by aviation authorities proving aircraft ownership, registration details, and technical specifications. These certificates contain information linking aircraft registration numbers to specific owners or operators. In the Flightradar24 case, the company routinely requested these documents to verify complainants' identities before processing erasure requests, but IMY determined this practice violated GDPR requirements when alternative identification methods were available.

Summary

Who: Swedish Authority for Privacy Protection (IMY) took enforcement action against Flightradar24 AB, a flight tracking service, following complaints from private aircraft owners in Sweden, Germany, and Denmark.

What: IMY issued a reprimand for GDPR violations related to improper handling of data erasure requests and excessive identity verification requirements. The company routinely requested registration certificates without demonstrating reasonable doubts about complainant identity.

When: The violations occurred between May 25, 2018, and June 22, 2021, with the final regulatory decision issued on June 30, 2025. Compliance measures must be implemented within one month of the decision becoming final.

Where: The case involved cross-border processing supervised by IMY as the lead authority, with cooperation from data protection authorities in Poland, Germany, Slovakia, Netherlands, Latvia, Italy, France, Denmark, Hungary, Portugal, Austria, Finland, Spain, and Cyprus.

Why: The enforcement action addresses fundamental privacy rights regarding location tracking and movement pattern data. Aircraft owners sought to prevent public identification through flight tracking websites, but Flightradar24's procedural requirements created barriers to exercising these rights under GDPR.