AI proctoring and exam surveillance: is AI monitoring allowed?
Adopted 2026-06-20 · ≈ 1 min read · 
edited by Dirk Baaijen
AI proctoring (online exam surveillance) detects prohibited behaviour during tests and therefore falls under Annex III: high-risk. If the system infers emotions, it is even banned (Art. 5). The GDPR also requires a legal basis, proportionality and usually a DPIA — especially for minors.
Short answer: AI proctoring — software that remotely supervises online tests — detects prohibited behaviour by students and therefore falls under Annex III of the AI Act: high-risk. If the system also infers emotions or "engagement", that is outright banned in educational institutions (Art. 5). And the GDPR requires a valid legal basis, proportionality and usually a DPIA — extra strict for minors.
Why proctoring is high-risk
Annex III designates AI that "detects prohibited behaviour during tests" as high-risk. That is exactly what proctoring does: facial, gaze and sound analysis to flag "suspicious" behaviour. The high-risk requirements therefore apply: human oversight (a human assesses the flag, the system doesn't decide), data quality and bias examination, transparency and logging.
The prohibited line
Some proctoring tools claim to measure "engagement" or stress via emotion recognition. In education that is banned (Art. 5). The line is hard: behaviour detection can be high-risk (allowed with safeguards), inferring emotions is banned. See prohibited AI practices.
The GDPR sets the standard
Proctoring is intrusive: continuous observation, often of minors, in the private home environment. The GDPR requires a valid legal basis (consent in an educational relationship is usually not freely given), strict proportionality (is there a less intrusive alternative?), data minimisation and a DPIA. Regulators and courts have repeatedly scrutinised proctoring.
What to do
- Test proportionality first: could a less intrusive form of assessment work?
- Classify the system and rule out emotion recognition.
- Build in human oversight on every flag — no automatic accusation.
- Run a DPIA and inform students (and parents) in advance.
- See the broader framework in AI in education.
Proctoring is the sharpest example of education AI: high-risk, close to a ban, and heavily regulated under the GDPR. Start with whether it is proportionate — not with which tool.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Regulation (EU) 2024/1689 (AI Act): Annex III (detecting prohibited behaviour during tests) high-risk; Art. 5 bans emotion recognition in education. - https://eur-lex.europa.eu/eli/reg/2016/679/oj
General Data Protection Regulation (GDPR): legal basis, proportionality and DPIA for monitoring.
Read next
AI in education: what does the AI Act mean for schools and trainers?
AI that determines access to education, evaluates learning outcomes or monitors exam behaviour falls under Annex III and is high-risk. Emotion recognition in education is banned. The GDPR (often minors' data) and the AI-literacy duty also apply.
AI in the workplace: the guide for employers and HR
AI in recruitment, workforce management and monitoring largely falls under the AI Act (Annex III, high-risk) and the GDPR, with one hard ban: emotion recognition at work. This guide brings together what applies to employers and where to start.
Monitoring employees with AI: what is allowed and what isn't?
AI monitoring of employees quickly clashes with the rules: emotion recognition at work is banned (Art. 5), performance monitoring can be high-risk (Annex III), and the GDPR requires a legal basis, transparency and proportionality. Continuous, intrusive monitoring is legally risky.