University’s use of a monitoring program for online exams Summary Our remarks On 30 April 2020, the Danish DPA received a telephone • This decision thus serves as an example of the inquiry regarding the IT University’s (hereinafter ”ITU”) great importance of carrying out a concrete intention to monitor students’ computers during assessment of the risk for the data subjects in a home exam using a monitoring program called connection with certain processing operations, and ProctorExam. The program would record video, audio, that it can be demonstrated that the processing and screen activity, as well as browser search history fulfills the principles of Article 5 of the GDPR. on students’ computers during the three-hour exam. • Information on the processing of personal data To monitor compliance with the applicable rules, the must be clear, accessible, and transparent, with a recordings would be conducted through a Google method of delivery tailored to the specific group of Chrome web browser extension. data subjects. The Danish Data Protection Agency’s • For processing operations that are likely to result in decision a high risk to the individual’s rights and freedoms, it is essential to assess the potential risks before The Danish DPA did not criticize ITU’s processing of undertaking any processing activities. personal data and concluded that the processing was in compliance with GDPR, Article 5 of (principles for processing of personal data), Article 6(1) (lawful processing), and Section 11(1) of the Danish Data Protection Act (processing of personal identity numbers by public authorities for identification purposes). The DPA further concluded that the ITU’s processing for the use of ProctorExam complied with GDPR, Article 5(1) (f) (principle of integrity and confidentiality), Article 32 (security of processing), and Article 35 (data protection impact assessment). Published: 26-01-2021, Journal number: 2020-432-0034 Tags: 01 Legal basis for processing and principles for processing 126