Aristotelis Zervos
Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.
"Proctoring" refers to digital exam supervision, in which applicants are monitored via webcam and microphone during an online test. The aim is to prevent cheating. Proctoring is used to ensure that candidates do not use unauthorized aids or AI at home. Providers of such software often advertise the GDPR compliance of this monitoring. In practice, however, applicants must first agree to the use of the camera (and usually additional software). In theory, consent can be refused, but this raises the question of whether the application will still be considered. This article examines whether and under what conditions proctoring is permissible under data protection law in the context of application procedures and provides practical recommendations for compliant use.
Data protection risks associated with proctoring
In a proctored online test, extensive personal data is processed. In addition to video and audio recordings of the candidate, screen content, input data (e.g., keyboard and mouse movements), and ID data (e.g., by showing an ID card in front of the camera) are often recorded. Some proctoring tools interfere deeply with the system: they can read browser history, change device settings, or monitor running programs. Such functions allow insights into very personal areas (e.g., home furnishings, private files).
From a data protection perspective, these are significant intrusions into privacy and the right to informational self-determination. There is a risk that even sensitive data within the meaning of Art. 9 GDPR will be recorded; for example, biometric data (facial features, eye movements for identity verification) or details from the home environment that may indicate ethnic origin, religion, or health. Such an intrusion is considered highly risky for the rights of those affected under data protection law, and a data protection impact assessment (Art. 35 GDPR) may be necessary.
In addition, the voluntary nature of participation is coming under pressure: applicants are in their private homes and can hardly escape surveillance if they want to take part in the selection process. This situation raises key questions about the admissibility and legal basis of data processing.
For the processing of personal data in the application process, several legal bases under the GDPR generally come into consideration. The following section lists the standards that are relevant for the use of proctoring and the pitfalls involved.
Pre-contractual measure (Art. 6(1)(b) GDPR)
One could consider whether proctoring monitoring can be based on Art. 6(1)(b) GDPR as a necessary part of the application process (data processing for contract initiation or pre-contractual measures). Although a recruitment test is generally considered to be part of the pre-contractual process, digital monitoring of this test is not "necessary" in the strict sense of the word in order to carry out the application process. The purpose, namely to determine the suitability of applicants, could also be achieved without video surveillance, for example through an unsupervised test (with a residual risk of cheating) or through an on-site test. Proctoring is an optional organizational measure and not an indispensable part of the selection process. Thus, Art. 6(1)(b) GDPR is, as a rule, ruled out as the legal basis.
This view is consistent with data protection assessments, according to which the application process itself may fall under Article 6(b), but accompanying monitoring measures that serve only to control the examination do not.
Legitimate interest of the company (Art. 6 para. 1 lit. f GDPR)
Another option is to invoke the legitimate interest of the controller (the company) pursuant to Art. 6(1)(f) GDPR. The company undoubtedly has a legitimate interest in ensuring equal opportunities and fairness in the test and in preventing fraud. This interest has also been recognized by courts as an important purpose, for example, to ensure equal treatment of examinees and the integrity of examination results. The Higher Administrative Court (OVG) of North Rhine-Westphalia (decision of March 4, 2021 – 14 B 278/21) held video surveillance of online examinations in higher education to be permissible in order to prevent cheating. It even considered this to be a measure in the public interest. The Higher Administrative Court of Schleswig-Holstein (decision of March 3, 2021 – 3 MR 7/21) also assessed video surveillance as proportionate and appropriate, as no less severe measures were apparent.
Nevertheless, caution is advised. In the case of Art. 6 lit. f GDPR, the interests of the company must be weighed against the fundamental rights of the applicants, in particular the right to privacy and informational self-determination. The intensity of intervention through proctoring is high: applicants are observed in their homes and may even be recorded. This imbalance has a negative effect on the assessment. Unlike universities (which act in a sovereign capacity with a public educational mandate), private employers find it difficult to assert an overriding interest that outweighs the strong personal rights of those affected. In addition, there are usually alternatives (in-person examinations), which relativizes the necessity of the measure. In practice, data protection authorities warn that justification under Art. 6(1)(f) is risky. The balance is likely to tip in favor of the applicants, meaning that action taken solely on this basis would be legally contestable.
Consent of applicants (Art. 6(1)(a) GDPR)
So the only viable option that remains is the consent of the applicant pursuant to Art. 6(1)(a) GDPR. In fact, proctoring providers and some companies advertise that candidates can voluntarily consent, thereby legitimizing data processing. In principle, consent is a valid legal basis if it meets the requirements of the GDPR, i.e., if it is voluntary, informed, specific, and explicit. However, it is precisely this voluntariness in the application process that is the sticking point (see next section).
Without valid consent, the use of proctoring is not permitted. As already explained, neither contractual necessity nor legitimate interest are sufficient grounds. Use in compliance with data protection regulations should therefore be based on the applicants giving their active consent in advance and receiving all relevant information (scope of monitoring, purpose, duration, recipients, software technology, etc.). Transparency is essential here: Candidates must know exactly what they are getting into, including any automated evaluations by AI algorithms. However, the latter is difficult, as the functioning of proprietary proctoring algorithms is often opaque. Nevertheless, the Berlin Data Protection Commissioner, for example, demands that the criteria for automated evaluation also be disclosed.
Source: 2022 Annual Report of the Berlin Data Protection Commissioner
Voluntary consent and “genuine” choice
The GDPR places high demands on voluntary consent, especially where there is an imbalance of power between the controller and the data subject. Recital 43 GDPR emphasizes that in situations where there is a clear imbalance, e.g., between public authorities and citizens or between employers and job applicants, consent cannot generally be considered voluntary.
For proctoring, this means that applicants must have a genuine choice as to whether or not to take a supervised online test without this having negative consequences. The supervisory authorities expressly recommend offering alternative testing options. In concrete terms, this can mean offering candidates an equivalent option in the form of an on-site exam, for example at the company or in an assessment center. Only if there is an equivalent alternative can the decision be considered voluntary.
However, there is no real choice if consent can be formally refused, but this effectively means the end of the application. Even subtle pressure (e.g., suggesting that participation via proctoring is “recommended”) would rule out voluntary participation. See also the decision of the Thuringian Higher Regional Court of November 17, 2025 (Ref.: 3 U 885/24): The processing of biometric data, which is used for facial recognition and thus for identifying examinees, violates Article 9 GDPR if there is no real choice.
Conclusion at this point: Data protection-compliant consent in the application process is possible, but only if voluntary participation is strictly observed. In practice, this requires the employer to offer an equivalent alternative method for the selection process. Only then can the candidates' consent be regarded as effective consent that justifies data processing.
Practical recommendations for action
Below you will find some practical measures to ensure data protection compliance during proctoring:
- Offer an alternative to proctoring: Provide a genuine choice. For example, you could offer a parallel in-person test under supervision on site or at an assessment center. Clearly communicate that rejecting online proctoring will not have any negative consequences.
- Obtain informed consent: Before the test, obtain the explicit consent of the applicants (preferably recorded in writing or electronically). Ensure that all information is provided in a comprehensible manner: What data is collected (video, audio, screenshots, ID photos, etc.), for what purpose, who receives the data (e.g., a proctoring service provider as a processor), storage period, and rights of the applicants. Point out the right of withdrawal. Candidates should know exactly what they are consenting to.
- Data minimization and limitation of surveillance: Use the mildest means possible to achieve the purpose (protection against fraud). For example, instead of full recording, live proctoring without permanent storage could be used. Some courts have deemed it sufficient to store recordings only when necessary (in case of irregularities or upon request for evidence preservation). Refrain from using invasive software features that go beyond camera surveillance, such as searching the entire computer or automated facial recognition, unless absolutely necessary. Each additional feature increases the intrusion and makes justification more difficult. Room scan features should be used with great restraint. Applicants should be allowed to keep their background neutral (e.g., virtual background or empty room).
- Technical and organizational protective measures: Be sure to enter into a data processing agreement (Art. 28 GDPR) with the proctoring provider which, among other things, covers confidentiality, data security, strict purpose limitation and deletion. Check data storage: Recordings/logs should only be kept for as long as necessary (ideally automatic deletion shortly after completion of the procedure, provided there is no suspicion of fraud). If the service provider is based outside the EU (e.g., in the US), additional measures are required.
AI selection and data protection impact assessment
- No automated individual decisions: You must not rely solely on an AI evaluation by the proctoring tool to screen out applicants. If the software automatically "fails" a candidate on suspicion of cheating, this violates the prohibition of automated decisions (Art. 22 GDPR). It is better to check suspicious results manually and decide on a case-by-case basis using human judgment. This makes the process more transparent and legally compliant for applicants.
- Create the VVT: Document the entire process in the record of processing activities.
- Threshold analysis and DSFA: In addition, conduct a threshold analysis to determine whether the use of proctoring in your company is likely to pose a high risk to the rights and freedoms of applicants. If this is the case, a data protection impact assessment is necessary.
Are you planning to use proctoring in your application process, or do you already use digital selection tests? Then you should act now. The legal requirements are high, and so are the risks if mistakes are made.
Ailance supports you in implementing proctoring solutions in a GDPR-compliant, practical, and legally secure way. With our data protection and compliance platform, you can create transparency about legal bases, consents, processors, retention periods, and risks. A threshold analysis and structured preparation for a data protection impact assessment are also included.
We would be happy to accompany you as an external data protection officer (external DPO):
- Legal assessment of your proctoring setup
- Review of consent processes and alternative offers
- Support for VVT, threshold analysis, and DSFA
- Practical recommendations that also work in everyday job applications
Turn data protection into a competitive advantage in recruiting. Talk to us about Ailance and our services as an external DPO. We can help you safely combine innovation and data protection.
Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management.





