GDPR and AI Assessment: Keeping Student Data Compliant
Procurement keeps stalling on data questions. Here is exactly what UK and EU law requires, what the EU AI Act adds, and what to ask any vendor before you sign.
By Eduface · June 2026 · 10 min read
Procurement committees across UK and EU institutions are asking the same question: can we adopt AI assessment tools without creating a data protection liability? The answer is yes, but the vendor matters enormously. Student data is regulated, the framework governing AI systems has grown significantly, and a poorly drafted processor agreement can expose the institution to consequences that extend well beyond a fine. This article sets out what the law requires and what to look for when evaluating tools.
Is AI assessment GDPR-compliant?
Short answer
AI assessment can be fully GDPR-compliant, but compliance depends entirely on how the vendor processes and stores student data. The key requirements: a signed Data Processor Agreement, confirmed data residency within the EEA (or an adequate third country), no use of student data to train AI models, and a documented lawful basis for processing. Institutions remain data controllers and carry ultimate responsibility for due diligence.
What does GDPR require when using AI for student assessment?
Either UK GDPR (retained from EU Regulation 2016/679 via the Data Protection Act 2018) or EU GDPR applies to a higher education institution, depending on where it is based. The core obligations are the same in either jurisdiction.
Student data is personal data
Assessment submissions, grades, written work, and oral recordings all constitute personal data under GDPR. In some cases they may qualify as special category data: where submissions relate to disability-related academic adjustments or health conditions, Article 9 of GDPR applies and the lawful basis must be explicitly established, typically through Article 9(2)(g) (substantial public interest) or explicit consent.
Controller and processor responsibilities
Your institution is the data controller. The AI assessment vendor is a data processor. Article 28 of GDPR requires a written Data Processor Agreement specifying what data is processed, for what purpose, under what security conditions, and under whose instruction. Outsourcing processing to a vendor does not transfer controller liability: if a vendor mishandles student data, the institution faces the regulatory consequences.
Lawful basis and Data Protection Impact Assessments
Institutions must identify a lawful basis for using AI in assessment. For most universities, Article 6(1)(e) (task in the public interest) is the most defensible basis. A Data Protection Impact Assessment (DPIA) is also mandatory before deploying any AI system that involves systematic and large-scale processing of personal data. The ICO has published specific guidance on AI and data protection that is binding for UK institutions, and its DPIA templates are a practical starting point.
What does the EU AI Act mean specifically for AI assessment tools?
The EU AI Act (Regulation 2024/1689) introduced a new layer of compliance that operates alongside GDPR rather than replacing it. For institutions using AI in assessment, the relevant provisions are clear and carry real consequences.
High-risk classification under Annex III
Annex III of the EU AI Act explicitly classifies AI systems used for evaluating students in educational and vocational training contexts as high-risk AI. This means any AI tool that contributes to assessment decisions, generates grades, or scores student work falls into the regulated category, regardless of whether a human confirms the grade afterwards.
Article 13: Transparency requirements
High-risk AI systems must be transparent in how they operate. For assessment tools, vendors must provide clear documentation of how their system reaches conclusions. A tool that outputs a grade without explaining the criteria applied does not meet this standard.
Article 14: Mandatory human oversight
Article 14 requires that high-risk AI systems are designed so that a human can review, override, and decide on any output. For assessment, AI-generated grades cannot be released without explicit human approval at the individual submission level. Batch sign-off across an entire cohort without per-submission review does not satisfy Article 14.
UK institutions, note
The EU AI Act is EU law and does not directly apply in the UK post-Brexit. But UK institutions with EU students, EU campuses, or partnerships subject to EU procurement frameworks should treat the EU AI Act obligations as applicable. The UK is developing its own AI regulatory framework, and Ofsted and the ICO have both indicated that human oversight principles will feature prominently.
What questions should you ask any AI assessment vendor?
The answers to these questions determine whether your institution retains control of its data obligations or inadvertently transfers risk to a vendor who cannot absorb it.
Where is student data stored and processed?
It must remain within the EEA, or the vendor must demonstrate transfer adequacy under Article 46. Vague answers about ‘global infrastructure’ should be treated as a red flag.
Does the platform use external AI APIs?
Vendors who route student submissions through OpenAI, Google, Anthropic, or Azure create additional processor relationships you, as controller, must account for. Each sub-processor needs to be auditable and contractually bound.
Is student data used to train the AI models?
This practice is common in consumer AI products and is generally incompatible with GDPR obligations in an educational context. Confirm explicitly, and get it in writing in the DPA.
Is a Data Processor Agreement available?
A reputable vendor should provide a DPA without delay. If a vendor hesitates or proposes data-sharing terms that deviate from standard Article 28 clauses, that is a material concern.
Has the vendor been assessed through a procurement framework?
Listing on Jisc/CHEST in the UK or HEAnet in Ireland involves a vendor assessment and provides independent validation, saving your institution from repeating every check from scratch.
GDPR compliance checklist for AI assessment tools
The table below summarises the key compliance criteria and shows how Eduface addresses each one. Use it as a template when evaluating any vendor.
Compliance criterion | Why it matters | Eduface
Data residency within the EEA | Required for lawful transfer under GDPR. Processing outside the EEA without an adequacy mechanism is a breach. | Infrastructure on proprietary GPU servers in the Netherlands.
No external AI APIs used | Third-party API routing creates undisclosed sub-processors and data-export risks. | No OpenAI, Google, Anthropic, or Azure APIs. All processing on Eduface infrastructure.
Student data not used for model training | Using submission data to improve models requires a separate lawful basis and conflicts with student rights. | Student submissions are never used to train or update AI models.
Human oversight per grade (Art. 14) | High-risk AI under Annex III requires human approval of each output before release. | Every grade requires explicit lecturer approval before students can see it.
Transparent, explainable scoring (Art. 13) | Outputs must be explainable. Black-box grading does not meet the transparency requirement. | Per-criterion breakdown provided for every assessment, visible to lecturers.
Data Processor Agreement available | Article 28 GDPR mandates a written DPA with every processor. Absence is a compliance failure. | DPA available on request for institutional procurement teams.
Framework approval (UK / Ireland) | Independent procurement frameworks validate vendor data and commercial practices. | Approved on Jisc/CHEST (UK) and HEAnet (Ireland).
DPIA support documentation | Institutions must conduct DPIAs before deployment; vendors should support this with documentation. | Technical and security documentation available for institutional DPIA processes.
How does UK GDPR differ from EU GDPR for UK institutions?
UK GDPR is substantively identical to EU GDPR: same definitions, same controller/processor framework, same DPIA obligation for high-risk processing. The supervisory authority is the ICO rather than an EU data protection authority, and the ICO has published specific guidance on AI and data protection that UK institutions must follow.
The key provision for AI assessment is Article 22 of UK GDPR, which restricts solely automated decisions with significant effects on individuals. Assessment grading qualifies, which is why human-in-the-loop design is not optional: it is a legal safeguard. For UK institutions with EU students or EU partner institutions, EU GDPR may also apply. A vendor who meets EU GDPR obligations will satisfy UK GDPR as well.
Can the Jisc/CHEST framework simplify compliant procurement?
Yes. The Jisc/CHEST framework pre-qualifies vendors across commercial and data standards before listing them. Institutions can rely on that prior vetting as part of their own procurement record. This does not replace a DPIA or a finalised DPA, but it substantially reduces what institutions need to verify independently and creates a defensible audit trail. Running full GDPR due diligence on a new AI vendor from scratch can take months when legal, IT, and compliance teams are already stretched.
Eduface is listed on both the Jisc/CHEST framework (UK) and the HEAnet framework (Ireland). Inclusion requires vendors to meet data and procurement standards as a condition of listing.
Frequently asked questions
Where is student data stored when using Eduface?
All student data processed by Eduface is stored exclusively on proprietary GPU servers in the Netherlands, within the EEA. No student data is transmitted to or stored outside the EU. This means data-transfer restrictions under GDPR do not apply, and institutions do not need to rely on adequacy decisions or Standard Contractual Clauses for the processing relationship with Eduface.
Does Eduface use student data to train its AI models?
No. Student submission data is never used to train or improve Eduface’s AI models. This is a firm contractual commitment confirmed in the Data Processor Agreement provided during procurement. It is also a key distinction from AI platforms built on consumer-grade large language models, where training-data use is often the default unless opted out explicitly.
What is a Data Processor Agreement, and does Eduface provide one?
A Data Processor Agreement (DPA) is a legally binding contract required under Article 28 of GDPR whenever an institution engages a third party to process personal data on its behalf. It specifies the nature, purpose, and security conditions of that processing. Eduface provides a DPA on request for institutional procurement teams. Your legal or data protection officer should review and countersign it before any live student data is processed.
Does the EU AI Act apply to AI assessment tools used in universities?
Yes. Annex III of the EU AI Act (Regulation 2024/1689) classifies AI systems used to evaluate students in educational contexts as high-risk AI. This means assessment platforms must meet transparency requirements (Article 13) and mandatory human oversight (Article 14). Institutions should ask vendors to demonstrate conformity with these requirements, not simply assert it.
How can institutions procure AI assessment tools compliantly in the UK?
The most efficient route is to start with the Jisc/CHEST framework, which pre-qualifies vendors against procurement and data standards. This does not replace your DPIA or DPA, but it reduces the due-diligence burden substantially and creates an auditable record. Alongside this, confirm a lawful basis under Article 6 of UK GDPR and ensure the platform supports human oversight of every AI output before grades reach students.
Summary
GDPR compliance for AI assessment comes down to which tools are built with compliance as a foundation rather than an afterthought. Institutions that start from a clear set of criteria, covering data residency, processor agreements, training-data practices, and human oversight, will find the regulatory framework manageable. The Jisc/CHEST and HEAnet frameworks exist to reduce the discovery cost of that process. The obligations are clear. The tools that meet them are identifiable.
1. European Parliament and Council of the EU (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act). Official Journal of the European Union, L 1689.
2. European Parliament and Council of the EU (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, L 119.
3. UK Parliament (2018). Data Protection Act 2018. London: HMSO.
4. Information Commissioner’s Office (2023). Guidance on AI and data protection. ICO.