GDPR: what is it? meaning, implications, and application

5 October 2022

With the digitalization of education, more and more academic institutions, certifying bodies, and companies are acquiring exam supervision software.

The growing popularity of proctoring programs leads to conversations surrounding privacy and data processing. This type of software, like any other, must comply with the privacy regulations in force in each country or territory. The European Union, for example, is governed by the GDPR.

The difference between the GDPR and other privacy laws in the world is its broad scope and its focus on data protection. Other laws may have a more specific local scope, apply to particular sectors, or focus on other aspects.

The GDPR goes beyond mere information security, establishing a system to comprehensively protect users’ rights.

What is GDPR?

The GDPR, or General Data Protection Regulation, is a single EU-wide regulation that defines the rights of individuals and the obligations of organizations that process their personal data. It was adopted in April 2016 and entered into force in May 2016, but organizations were given a two-year transition period before its provisions became applicable on May 25, 2018.

The GDPR was established with the goal of strengthening security, privacy, and transparency through measures that overcome the obstacles that blocked the harmonization proposed by Directive 95/46/EC of the European Parliament and the Council, which was repealed when the GDPR replaced it.

What is personal data?

The GDPR (Article 4(1)) defines personal data as any information relating to an identified or identifiable natural person. In the educational context, examples include names, grades, email addresses, or exam identifiers, as well as any information linked to them, such as exam content, attendance records, or the audio, video, and screen recordings that proctoring software captures during an exam.

GDPR data classification: special categories

The GDPR (Article 9) establishes special categories of personal data that are subject to stricter conditions: by default their processing is prohibited unless one of the listed exceptions applies, such as the explicit consent of the data subject. Data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation, as well as health data, are considered sensitive data. So is biometric data processed to uniquely identify a person, a point that matters for proctoring tools that use facial recognition.

How does the GDPR protect exam takers? 

The regulation in question protects all natural persons in the European Union, regardless of their nationality and whether the data is managed, processed, and/or stored from within or outside the EU.

That is, in addition to regulating data processing by companies, organizations, and public administrations established in the EU, it also applies to data controllers and processors located outside the EU who handle personal information of residents of the Member States.

The GDPR distinguishes two roles: the controller determines the purposes and means of the processing, while the processor carries out the processing on the controller's behalf and under its instructions. In practice, exam supervision systems that monitor students in the European Union must comply with the GDPR; so must the academic institutions that deploy them (typically as controllers) and the cloud service providers that host the data (typically as processors).


The 8 GDPR rights

The GDPR grants the following rights to individuals whose personal data is processed:

  1. Right to be informed. This right allows data subjects to know what will be done with their data, so that they have more control over it and can make informed decisions. For the controller, it implies transparency obligations: clear and understandable privacy notices stating the purposes, legal basis, recipients, and retention period of the processing.
  2. Right of access. People in the EU have the right to know whether their data is being processed and to obtain a copy of it, together with information such as the purposes, the sources, and the existence of automated decision-making.
  3. Right to rectification. Guarantees the right to correct inaccurate personal data and to complete incomplete data.
  4. Right to erasure ("right to be forgotten"). Data subjects can ask for their data to be deleted in certain cases: if it is no longer necessary for the purpose for which it was collected, if it is being processed unlawfully, if the applicant withdraws consent or has exercised the right to object, or if the data was collected from them as a minor in relation to an online service. Note: deletion may be limited by legal or contractual obligations that require certain data to be retained.
  5. Right to restriction of processing. Data subjects can ask for the processing of their data to be restricted while they contest the accuracy of the data, when the processing is unlawful but they prefer restriction to erasure, or when the controller no longer needs the data but the data subject needs it for legal claims. They can also request it while a decision on their objection is pending.
  6. Right to data portability. Allows data subjects to obtain their data in a structured, commonly used, and machine-readable format for reuse or transfer to another controller, provided that the processing is based on consent or a contract, is carried out by automated means, and the data subjects themselves provided the data. Note: portability may not apply where the information includes third-party data.
  7. Right to object. People in the Member States can object to the processing of their personal data when it is based on one of two legal grounds: the legitimate interests of the controller or a third party, or the performance of a task in the public interest or in the exercise of official authority.
  8. Right not to be subject to solely automated decision-making. Guarantees the right of a person not to be subject to a decision based solely on automated processing, including profiling, and to demand human intervention in decisions that concern them. This right specifically applies to decisions that produce legal effects or similarly significant effects on the data subject.

GDPR obligations 

The European General Data Protection Regulation obligates all companies and organizations, regardless of whether they act as controllers or processors of the personal data of European residents, to comply with the following obligations:

  • Ensure that the purpose of data collection is justified and collect only the data that is necessary for the intended purposes.
  • Guarantee the accuracy and updating of the collected personal data, and delete it once it has served its purpose.
  • Respect the rights of data subjects, informing them how and for what purpose their data is processed, and allow them to exercise those rights.
  • Verify that the legal basis is adequate for the processing of personal data and, where consent is needed, obtain it before the processing starts.
  • Ensure the secure processing of personal data.
  • Maintain a record of processing activities involving the personal data of people in the European Union.

The GDPR also requires controllers to notify personal data breaches to the supervisory authority within 72 hours of becoming aware of them, where feasible, and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to their rights. Processors, for their part, must notify the controller of a breach without undue delay.

The role of the Data Protection Officer

In the following cases contemplated by the regulation, a Data Protection Officer (DPO) must be appointed:

  1. When the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
  2. When the core activities of the controller or processor consist of regular and systematic monitoring of data subjects on a large scale.
  3. When the core activities of the controller or processor consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

According to the European General Data Protection Regulation, the role of Data Protection Officer (DPO) can be performed by an internal employee or outsourced to a professional or company with expert knowledge of data protection law and practice.

The DPO's main functions are to monitor compliance with the GDPR, advise employees and the organization, and serve as the point of contact for the supervisory authority.

GDPR: countries of application

The GDPR is a regulation of the European Union and, as such, is directly applicable in all its Member States. These countries are Germany, Austria, Belgium, Bulgaria, Cyprus, Croatia, Denmark, Slovakia, Slovenia, Spain, Estonia, Finland, France, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, the Czech Republic, Romania, and Sweden. Through the EEA Agreement it also applies in Iceland, Liechtenstein, and Norway.

Additionally, the GDPR applies to organizations established outside the EU that offer goods or services to individuals in the EU or monitor their behavior there (Article 3(2)). The regulation is not tied to nationality or to where the servers are located: it follows the data of people who are in the European Union.

Therefore, any entity, European or not, that processes the data of individuals in these countries must comply with the regulation. If data collected in the EU is transferred outside it, the transfer must rest on one of the mechanisms in Chapter V of the GDPR, such as an adequacy decision or standard contractual clauses, so that the protection travels with the data.

The GDPR in Spain 

In Spain, the General Data Protection Regulation is complemented by Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), whose purposes are:

  • Adapting the Spanish legal system to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • Guaranteeing the digital rights of citizens in accordance with the mandate established in Article 18.4 of the Spanish Constitution.

The LOPDGDD introduced specific obligations regarding minors and parental consent, relevant in the field of educational proctoring.

The Spanish Data Protection Agency (AEPD) is responsible for guaranteeing compliance with data protection regulations in Spain, with investigative, corrective, and authorization or advisory powers, among others.

A recent example of a sanction is the fine of more than 10 million euros that the AEPD imposed for deploying facial recognition systems in Spanish airports, infringing Article 35 of the GDPR (the obligation to carry out a data protection impact assessment before high-risk processing); a resolution that was subsequently appealed on the grounds of proportionality.


Does the GDPR have equivalents in the world? 

There is no equivalent as such, since each country or region establishes its own regulations based on its specific characteristics. The GDPR, for the moment, is unique, but efforts surrounding data protection are increasing globally. Here are some examples:

United States 

In the United States, there is no single data protection law. Privacy is regulated sector by sector, and in the case of education it is FERPA (1974), with its subsequent amendments, that protects students' personal information.

However, there are federal proposals such as the ADPPA (American Data Privacy and Protection Act) under discussion. States have also created their own regulations. In California, for example, the CCPA (California Consumer Privacy Act), which came into force in 2020, applies.

Canada 

In Canada, on one hand, there is PIPEDA (Personal Information Protection and Electronic Documents Act, 2000), which regulates the processing of personal information by the private sector.

The Privacy Act (1983), on the other hand, protects the personal information of Canadians regarding data processing by the federal government.

It is important to mention that some Canadian provinces have complementary laws, which complicates cross-border data management.

South Africa 

The POPIA (Protection of Personal Information Act) came into force in the country in 2021. This regulation applies to organizations and requires them to implement technical and organizational measures to ensure the protection of information.

Furthermore, it prohibits the transfer of personal data if the receiving country or entity does not offer similar protection, or if there is no consent from the individual. This regulation is similar to the GDPR in that it regulates international data transfers.

India 

In India, the applicable law is the Digital Personal Data Protection Act (DPDP Act), which in 2023 replaced the previous provisions on digital data protection.

This law grants rights similar to those of the GDPR, such as access, rectification, and erasure, but with differences in sanctions and regulatory control.

Brazil 

The LGPD, Brazil’s General Data Protection Law, which came into force in 2020, is inspired by the European Union’s GDPR. As with the General Data Protection Regulation, it concerns entities that process the data of people in its area of application, regardless of their location.

The LGPD, in line with the European GDPR, also requires the designation of a Data Protection Officer and the notification of security breaches.


Does SMOWL proctoring comply with the GDPR? 

The General Data Protection Regulation is mandatory within the EU. Therefore, all companies with a legal presence or operations in Europe that process personal data are subject to it.

Data protection authorities, for their part, can supervise compliance within their jurisdiction at any time and impose substantial sanctions if it is not respected. These sanctions can reach €20 million or 4% of the company's annual global turnover, whichever is higher.

Smowltech, as a company based in San Sebastián (Spain), strictly complies with the GDPR, maintaining encryption, retention, and deletion policies in accordance with the regulation. Otherwise, it would not have been eligible to receive funding from the European Union.

Compliance with one of the most demanding data protection frameworks globally makes SMOWL a competitive tool for supervising digital exams in other countries outside the EU.

Beyond the borders of the European Union, SMOWL adheres to the applicable privacy laws in each country, such as the FERPA and CCPA regulations in the United States.

Smowltech also holds ISO/IEC 27001 certification, the international standard for information security management systems, which attests that the company operates a managed set of security controls audited by an independent body.

For more information, you can check our privacy policy. If you have any concerns or questions about it or the treatment of the data we gather, feel free to reach out to us:

User Support Center

[email protected]

Portuetxe Kalea, 53 B, 20018 DONOSTIA/SAN SEBASTIÁN, GIPUZKOA

FAQ – GDPR

When did GDPR go into effect?

The General Data Protection Regulation was adopted in April 2016 and entered into force the following month, but its provisions only became applicable on May 25, 2018, after a two-year transition period. From that date, organizations processing personal data covered by the regulation had to comply with its requirements.

Why was the GDPR introduced?

The GDPR was introduced to strengthen security, privacy, and transparency and to overcome the obstacles that blocked the harmonization proposed by the directive it replaced, Directive 95/46/EC of the European Parliament and the Council.

Who does GDPR apply to?

The GDPR applies to data controllers and processors established in the EU, and to those established outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU. The protection attaches to the person being in the EU, not to their nationality.

Is GDPR applicable in the US?

The GDPR is not a US law and is not enforced by US authorities, but it applies to any organization, including US companies, that offers goods or services to people in the EU or monitors their behavior there.

How does GDPR affect US companies?

US companies must comply with the GDPR if they process personal data of people in the European Union in that context. Even without an EU establishment, such processing makes them subject to the regulation's requirements, including the obligation to designate a representative in the EU in the cases set out in Article 27.


Photo of the Smowltech blog author, Manu Fraile
As former CTO at Smowltech, a product company, I was responsible for providing the technological vision for the product and roadmap. In this regard, I always seek excellence and quality in every project or development we undertake, trying to ensure that technology helps the product evolve and grow.
