Start-up company MagicAI is developing an AI system that will be part of a medical device that detects skin cancer. To take measures against potential bias in its AI system, the IT Team decides to collect data about users' ethnic origin, nationality, and gender.
Which would be the most appropriate legal basis for this processing under the GDPR, Article 9 (Processing of special categories of personal data)?
Article 9 of the GDPR outlines strict conditions for processing special categories of personal data, which includes data revealing racial or ethnic origin. While options B, C, and D might seem relevant, they don't fully align with the core purpose of MagicAI's data collection.
Here's why option A is the most appropriate:
* Scientific Research: MagicAI aims to improve the accuracy and fairness of its AI system by understanding how it performs across different ethnicities, nationalities, and genders. This directly ties into scientific research aimed at improving healthcare and reducing bias in medical technology.
It's important to note that even with 'scientific research' as the legal basis, MagicAI must still adhere to strict safeguards, such as:
* Data Minimization: Collecting only the data absolutely necessary for the research.
* Purpose Limitation: Using the data solely for the defined scientific purpose.
* Appropriate Security Measures: Protecting the data against unauthorized access or disclosure.
* Ethical Review: Ideally, obtaining ethical approval for the research project.
References:
* GDPR Article 9 - Processing of special categories of personal data
* GDPR Recital 159 - Conditions for processing special categories of data for scientific research purposes
* IAPP CIPP/E textbook, Chapter 2: Key Data Protection Principles (specifically, sections on special categories of data)
Since blockchain transactions are classified as pseudonymous, are they considered to be within the material scope of the GDPR, or outside of it?
According to the GDPR, the material scope of the regulation covers the processing of personal data wholly or partly by automated means, or by non-automated means if the data forms part of a filing system or is intended to form part of a filing system (Article 2(1)). Personal data is defined as any information relating to an identified or identifiable natural person (data subject) (Article 4(1)). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)). Therefore, pseudonymous data, such as blockchain transactions that use public keys or other identifiers, may still fall within the definition of personal data if the data subject can be identified or re-identified by using additional information or means (Recital 26).
The GDPR also applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not (Article 3(1)). The GDPR also applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to the offering of goods or services to such data subjects in the European Union or the monitoring of their behaviour as far as their behaviour takes place within the European Union (Article 3(2)). Therefore, the territorial scope of the GDPR covers both controllers and processors established in the European Union, and controllers and processors not established in the European Union but targeting or monitoring data subjects in the European Union.
In this scenario, blockchain transactions are classified as pseudonymous data, which may still be considered as personal data under the GDPR if the data subjects can be identified or re-identified. Therefore, such transactions are within the material scope of the GDPR, as they involve the processing of personal data by automated means. However, the GDPR only applies to such transactions to the extent that they include data subjects in the European Union, either by having a controller or processor established in the European Union, or by offering goods or services to or monitoring the behaviour of such data subjects. Therefore, the answer is C.
The European Data Protection Board (EDPB) recommends measures to supplement transfer tools, in order to ensure compliance with the European Union (EU) level of personal data protection. According to these recommendations, what additional actions should be taken when a transfer to a third country is based upon an adequacy decision?
Which of the following elements does NOT need to be presented to a data subject in order to collect valid consent for the use of cookies?
According to the EDPB Guidelines 05/2020 on consent under Regulation 2016/679, valid consent for the use of cookies must meet the following conditions:
* It must be freely given, which means that the data subject must have a genuine choice and the ability to refuse or withdraw consent without detriment.
* It must be specific, which means that the data subject must give consent for each distinct purpose of the processing and for each type of cookie.
* It must be informed, which means that the data subject must receive clear and comprehensive information about the identity of the controller, the purposes of the processing, the types of cookies used, the duration of the cookies, and the possibility of withdrawing consent.
* It must be unambiguous, which means that the data subject must express their consent by a clear affirmative action, such as clicking on an "I agree" button or selecting specific settings in a cookie banner.
* It must be granular, which means that the data subject must be able to consent to different types of cookies separately, such as essential, functional, performance, or marketing cookies.
Therefore, a "Cookies Settings" button is not a necessary element to collect valid consent for the use of cookies, as long as the data subject can exercise their choice and preference through other means, such as a cookie banner with different options. However, a "Cookies Settings" button may be a good practice to enhance transparency and user control, as it allows the data subject to access and modify their consent settings at any time.
On the other hand, a "Reject All" cookies button is a necessary element to collect valid consent for the use of cookies, as it ensures that the data subject can freely refuse consent without detriment. A list of cookies that may be placed and information on the purpose of the cookies are also necessary elements to collect valid consent for the use of cookies, as they ensure that the data subject is informed and can give specific consent for each type of cookie.