GDPR Compliance
Last updated: March 2026
eAI Examiner is committed to protecting the personal data of all users in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This page outlines our obligations, your rights, and how we meet GDPR requirements.
1. Data Controller
eAI Examiner acts as the data controller for personal data processed through the platform. When an educational institution subscribes to the Service, the institution may also act as a joint data controller for student and staff data processed within their institutional account.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Legitimate interest — processing necessary to deliver educational assessment services as contracted by the institution (Article 6(1)(f)).
- Consent — explicit consent is obtained before transmitting assessment data to third-party AI providers for automated evaluation (Article 6(1)(a)).
- Contractual necessity — processing required to fulfil the service agreement with the subscribing institution (Article 6(1)(b)).
- Legal obligation — processing required to comply with applicable laws, such as data retention requirements (Article 6(1)(c)).
3. Data Subject Rights
Under the GDPR, data subjects have the following rights regarding their personal data:
Right of Access (Article 15)
You may request a copy of all personal data we hold about you. We will provide this in a structured, commonly used format within 30 days.
Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data without undue delay.
Right to Erasure (Article 17)
You may request deletion of your personal data where the data is no longer necessary for the purposes it was collected, or you withdraw consent.
Right to Data Portability (Article 20)
You may request your data in a structured, machine-readable format (JSON or CSV). We support bulk data export for institutions.
Right to Object (Article 21)
You may object to the processing of your personal data based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Restrict Processing (Article 18)
You may request restriction of processing while we verify the accuracy of your data or evaluate an objection.
4. Data Protection Officer
Our Data Protection Officer (DPO) oversees GDPR compliance and can be contacted for any data protection queries or to exercise your rights:
5. Cross-Border Data Transfers
Assessment data may be transferred to third-party AI providers whose infrastructure is located in the United States or the European Union. We ensure adequate protection through:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Data Processing Agreements (DPAs) with all third-party processors.
- Verification that AI providers do not retain submitted data for model training purposes.
6. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, eAI Examiner will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach.
- Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Notify the subscribing institution's administrator immediately so they can take appropriate measures.
- Document all breaches, including facts, effects, and remedial actions taken, in our internal breach register.
7. How to Exercise Your Rights
To exercise any of your data protection rights, you may:
- Email our DPO at dpo@eai-examiner.com with your request.
- Contact your institution's administrator, who can submit requests on your behalf.
- Lodge a complaint with your local data protection supervisory authority if you believe your rights have not been respected.
We will respond to all data subject requests within 30 days. In complex cases, this period may be extended by an additional 60 days, with prior notification.