New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

IAPP CIPP-E Exam - Topic 3 Question 108 Discussion

Actual exam question for IAPP's CIPP-E exam
Question #: 108
Topic #: 3
[All CIPP-E Questions]

Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.

Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?

Show Suggested Answer Hide Answer
Suggested Answer: A

Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.

Here's why option A is the most appropriate:

Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.

It's important to note that even with 'scientific research' as the legal basis, MagicAI must still adhere to strict safeguards, such as:

Data Minimization: Collecting only the data absolutely necessary for the research.

Purpose Limitation: Using the data solely for the defined scientific purpose.

Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.

Ethical Review: Ideally, obtaining ethical approval for the research project.


GDPR Article 9 - Processing of special categories of personal data

GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes

IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)

by Wilson at Jun 11, 2025, 11:40 AM

Limited Time Offer

25%

Off

Get Premium CIPP-E Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Elza
3 months ago
Totally agree with B, it’s all about public interest!
upvoted 0 times
...
Reynalda
3 months ago
I think A is more appropriate for research purposes.
upvoted 0 times
...
Narcisa
3 months ago
Wait, can they really collect that data without consent?
upvoted 0 times
...
Lashawn
3 months ago
C makes sense for preventive medicine, right?
upvoted 0 times
...
Willetta
4 months ago
Option B seems like the best fit for public health.
upvoted 0 times
...
Joni
4 months ago
I’m leaning towards option A because it seems like collecting data for scientific purposes aligns with the goal of improving medical devices, but I’m not completely confident.
upvoted 0 times
...
Antonio
4 months ago
I feel like we went over a similar question in class, and I think the substantial public interest might be the right choice, but I’m second-guessing myself.
upvoted 0 times
...
Charlesetta
4 months ago
I think option C might be relevant since it mentions preventive medicine, but I can't recall if it specifically covers data collection for AI systems.
upvoted 0 times
...
Amina
5 months ago
I remember we discussed how processing for public interest could apply in healthcare contexts, but I'm not entirely sure if that's the best fit here.
upvoted 0 times
...
Katy
5 months ago
Okay, I've got it. Since they're collecting the data as part of a medical device that detects skin cancer, I believe option C, "processing necessary for purposes of preventive or occupational medicine," is the most appropriate legal basis.
upvoted 0 times
...
Adelaide
5 months ago
I'm a bit unsure on this one. The data they're collecting seems relevant for the scientific purpose of developing an unbiased AI system, but I'm not sure if that fully aligns with option A. I'll have to think this through.
upvoted 0 times
...
Ressie
5 months ago
Hmm, I think the key here is that they're collecting the data to prevent bias in the AI system. So I'm leaning towards option B, "processing necessary for reasons of substantial public interest."
upvoted 0 times
...
Gaston
5 months ago
This seems like a tricky one. I'll need to carefully review the GDPR Article 9 requirements to determine the most appropriate legal basis.
upvoted 0 times
...
Elliot
8 months ago
Haha, are they gonna use this data to make the AI system detect skin cancer based on your zodiac sign too? Gotta catch 'em all, I guess!
upvoted 0 times
Denise
8 months ago
Haha, that would be interesting! But hopefully they stick to the necessary data for medical purposes.
upvoted 0 times
...
Mindy
8 months ago
C) Processing necessary for purposes of preventive or occupational medicine.
upvoted 0 times
...
Rupert
8 months ago
A) Processing necessary for scientific or statistical purposes.
upvoted 0 times
...
...
Victor
9 months ago
Hmm, I don't know. Aren't they just trying to cover their butts in case of a lawsuit? Option D seems more like it.
upvoted 0 times
...
Dean
9 months ago
I agree, option A is the way to go. Collecting this data is essential for the proper development of the AI system and to ensure it doesn't discriminate.
upvoted 0 times
Markus
8 months ago
C) Processing necessary for purposes of preventive or occupational medicine.
upvoted 0 times
...
Kerry
8 months ago
A) Processing necessary for scientific or statistical purposes.
upvoted 0 times
...
...
Matthew
9 months ago
Processing necessary for scientific or statistical purposes is the most appropriate legal basis here. The AI system is being developed for medical purposes, and collecting data on ethnicity, nationality, and gender is crucial to ensure the system is unbiased and accurate.
upvoted 0 times
Nada
7 months ago
B) Processing necessary for reasons of substantial public interest.
upvoted 0 times
...
Thea
7 months ago
C) Processing necessary for purposes of preventive or occupational medicine.
upvoted 0 times
...
Whitney
8 months ago
A) Processing necessary for scientific or statistical purposes.
upvoted 0 times
...
...
Mi
9 months ago
But wouldn't A) Processing necessary for scientific or statistical purposes also be a valid option in this case?
upvoted 0 times
...
Karon
9 months ago
I agree with Alease, collecting data for medical purposes seems to align with that option.
upvoted 0 times
...
Alease
9 months ago
I think the most appropriate legal basis would be C) Processing necessary for purposes of preventive or occupational medicine.
upvoted 0 times
...

Save Cancel