Last updated on October 2, 2025
No, under the EU General Data Protection Regulation (GDPR) and related national laws, processing special categories of personal data and intrusive monitoring require a lawful basis and strict proportionality; universities must conduct Data Protection Impact Assessments (DPIAs), adopt minimisation measures, obtain informed consent where required, provide alternative assessment arrangements for students who object, and document legal justifications; data retention, storage location, third‑party processors and cross‑border transfers must comply with GDPR; failure to meet these standards can trigger supervisory authority fines and orders to stop processing, so institutions should publish clear policies and safeguards before deploying proctoring tools.
7/12/2023