2026-06-07·5 min read·sota.io Team

EU AI Act for EdTech Deep-Dive: Student Profiling, GDPR Art.22 & Minor Data Protection 2026

Post #1575 in the sota.io EU Compliance Series — EU AI Act Sector-Specific Part 2 #4/5

EU AI Act EdTech Deep-Dive: Student Profiling and GDPR Art.22 Compliance

Educational technology sits at the intersection of two of the most demanding EU regulatory frameworks: the EU AI Act (Regulation (EU) 2024/1689) and the GDPR. While our first EdTech sector overview covered the basic Annex III Point 3 scope, this deep-dive addresses the compliance layer that trips most EdTech teams — the convergence of student profiling, GDPR Art.22 automated decision-making, and minor data protection.

With the August 2, 2026 EU AI Act enforcement deadline approaching, educational institutions and the vendors who supply them need to understand not just which AI systems are high-risk, but precisely how the double layer of AI Act obligations and GDPR rights interacts when students — often minors — are the data subjects.

Why EdTech AI Is Uniquely High-Risk

Most software categories have one or two regulatory regimes to navigate. EdTech AI faces four simultaneously:

Regime	Scope	Key Obligation
EU AI Act Annex III Point 3	Admissions, assessment, monitoring AI	Conformity assessment, CE marking, EUDB registration
GDPR Art.22	Automated individual decisions	Right to opt out, human review on request
GDPR Art.8	Children's consent (under 16)	Parental consent, age verification
GDPR Art.35	DPIA for systematic evaluation	DPIA mandatory before deployment

The regulatory exposure compounds because students are:

A vulnerable group — not equal bargaining partners with their institution
Often minors — triggering child data protection provisions
Coerced users — they cannot meaningfully refuse an AI system their school mandates
High-stakes outcomes — admissions, grades, and credentials affect entire life trajectories

This combination pushes EdTech AI from "compliance project" to "fundamental rights risk."

EU AI Act Annex III Point 3: Scope Analysis

Annex III Point 3 designates high-risk AI systems in education and vocational training. The scope is broader than most vendors assume.

What Is Definitively In Scope

Admissions and access determination:

AI systems that rank, score, or filter applicants for educational programmes
Automated interview-to-shortlist pipelines using NLP or video analysis
Predictive admission models that use historical student data to forecast "fit"

Assessment and grading:

Automated essay grading with substantive feedback generation
AI-assisted oral examination scoring
Plagiarism detection when it results in disciplinary action (the action is the trigger, not the detection)

Learning outcome evaluation:

Adaptive learning platforms that formally certify competency levels
AI systems that issue or withhold certificates, badges, or credentials
Systems that determine progression between course levels or academic years

Monitoring during tests:

Proctoring AI that detects prohibited behaviour (gaze tracking, keystroke analysis, room scanning)
Systems that flag anomalies to human invigilators for disciplinary consideration

AI tutors that provide feedback but do not determine grades or credentials
Content recommendation engines in learning management systems
Accessibility tools (text-to-speech, translation) without assessment function
Administrative chatbots (timetable queries, library reservations)

Scope trap: A "learning analytics" dashboard that merely visualises student engagement is likely out of Annex III scope. The same dashboard wired into a teacher's grade-book or progression-decision workflow is almost certainly in scope. The trigger is whether the AI output has legal or similarly significant effect on the student.

GDPR Art.22 grants data subjects the right not to be subject to decisions based solely on automated processing when those decisions produce legal or similarly significant effects. In EdTech, this right is triggered constantly — and regularly violated.

When Art.22 Applies in EdTech

The "similarly significant effects" threshold is met by:

EdTech Decision	Art.22 Applicable?
Automated rejection from a university programme	Yes — legal effect on access to education
AI-generated grade submitted as final mark	Yes — significant effect on academic record
Proctoring AI detecting "cheating" → automatic fail	Yes — disciplinary consequence
Adaptive platform recommending next module	No — advisory only, no binding effect
AI identifying a student as "at risk of dropping out" (informational only)	Borderline — if triggers resource allocation decisions, likely yes

The Three Lawful Bases Under Art.22(2)

Fully automated decisions with significant effects are prohibited unless:

Necessary for a contract — e.g., the student enrolled on an automated assessment platform where AI grading was an explicit contractual term
Authorised by EU or Member State law — national educational laws may authorise automated assessment in specific contexts
Explicit consent of the data subject — problematic in EdTech because of power imbalance; regulators are increasingly sceptical that student consent is truly voluntary

Practical reality: For most EdTech applications, lawful basis under Art.22(2) is difficult to establish cleanly. The safest path is not fully automating decisions with significant effects — always inserting a human review step.

Art.22(3) Safeguards (Mandatory Even With Lawful Basis)

Even if you can establish a lawful basis:

Provide suitable measures to safeguard the data subject's rights
Give students the right to obtain human intervention
Allow students to express their point of view
Allow students to contest the decision

This is not optional fine print. GDPR enforcement authorities have issued fines for Art.22 violations where the algorithmic decision was technically lawful but the safeguard mechanisms were absent or impractical.

When your EdTech product is used in primary or secondary schools, most of your users are children. GDPR Art.8 sets the consent age for information society services at 16 (or as low as 13 where Member States exercise the permitted derogation).

The Age Verification Problem

Art.8 requires "reasonable efforts" to verify age and obtain parental consent. For EdTech deployed institution-wide:

School-mediated deployment (institution buys the tool, assigns it to all students): The legal basis is typically public task (Art.6(1)(e)) or contract (Art.6(1)(b)), not consent. Art.8 may not apply directly, but the spirit — protecting minors — still informs proportionality of data processing.
Direct-to-student products (students sign up independently): Art.8 applies fully. Age gates without verification are insufficient.

Special Category Data in EdTech

Students' learning difficulties, mental health data, and disability accommodations are special category data under GDPR Art.9. AI systems trained on this data to personalise learning require:

An explicit processing basis under Art.9(2)
For minors: heightened consideration of Art.9(2)(a) explicit consent — which requires parental involvement
DPIAs are mandatory (see Art.35 below)

Common EdTech special category data:

Dyslexia/dyspraxia flags used to adjust UI
ADHD indicators used to adjust pacing
Mental health risk scores from engagement patterns
Physical disability information informing accessibility modes

EU AI Act Art.4: AI Literacy in Educational Contexts

Art.4 obliges providers and deployers to ensure a sufficient level of AI literacy among staff involved in operating AI systems. For EdTech, this creates a layered obligation:

EdTech vendors (providers): Must train their staff on AI literacy, and must provide materials that enable their deployers (schools) to do the same
Educational institutions (deployers): Must train teachers, administrators, and staff who use AI tools in any assessment, admissions, or monitoring capacity

In practice, Art.4 creates a documentation and training obligation that most EdTech procurement processes are not yet tracking. Schools will increasingly require AI literacy certification from vendors as part of tendering.

Art.9 Risk Management System for EdTech Providers

Providers of high-risk AI systems in Annex III scope must implement a continuous risk management system under Art.9.

Minimum Risk Management Requirements for EdTech

Risk identification:

Identify all reasonably foreseeable misuse scenarios (e.g., teachers over-relying on AI grades, proctoring AI producing false positives for neurodivergent students)
Document risks specific to vulnerable user groups — minors and students with disabilities require explicit attention
Map the student population demographics against known model biases (performance disparities by language, socio-economic background, disability status)

Risk evaluation:

Assess probability and severity of harm for each identified risk
Explicit treatment required for risks that are "low probability, high severity" (e.g., wrongful exam failure leading to admission denial)
For systems used with minors: apply a higher severity multiplier to all risks

Risk mitigation:

Implement technical controls (confidence thresholds, uncertainty quantification, automated escalation to human reviewers)
Implement organisational controls (mandatory human review for high-stakes decisions, appeal procedures)
Document mitigation measures in the technical documentation (Art.11)

Residual risk documentation:

Identify risks that cannot be mitigated
Justify why residual risks are acceptable given the benefits
Include residual risk disclosure in instructions for use (Art.13(3)(d))

Art.10: Data Governance for Student Data

Art.10 mandates that training, validation, and testing datasets for high-risk AI systems meet quality standards. For EdTech AI, this creates specific obligations:

Bias and Fairness Requirements

Student datasets are notoriously biased. Historical grading data reflects:

Gender bias in marking (well-documented in STEM and humanities)
Socio-economic bias (students from lower-income backgrounds systematically underperform on contextless assessments)
Language bias (non-native speakers penalised by NLP models)
Disability bias (neurodivergent students penalised by time-normalised metrics)

Art.10(5) explicitly requires training data to be examined for possible biases. For EdTech:

Document bias audit methodology
Report bias metrics disaggregated by gender, nationality, and disability status
Implement bias correction or adjust confidence thresholds accordingly
Reassess after each model update

Minimum Data Quality Standards

Requirement	EdTech Implementation
Relevant, representative, and free of errors	Validate dataset composition; remove data from students who did not consent to their data being used for training
Appropriate statistical properties	Ensure demographic diversity in training cohorts; minimum 5% representation for any protected characteristic
Take into account relevant characteristics	Explicitly audit for language, disability, and socio-economic factors
Examine for possible biases	Mandatory pre-deployment bias audit; annual re-audit

Art.13: Transparency and Information for Schools

EdTech vendors must provide schools (as deployers) with comprehensive instructions for use under Art.13. This is not a terms-of-service obligation — it is a detailed technical briefing document.

Required Information Under Art.13(3)

For EdTech providers, the instructions must include:

The intended educational purpose and scope of the system
The level of accuracy and the known or foreseeable circumstances that may affect accuracy — including demographic performance differences
Relevant characteristics and technical capabilities, including limitations and contraindications
Specific guidance on human oversight measures — Art.14 compliance requires that deployers know how to provide oversight, not just that they should
Data requirements and data quality criteria
Expected lifetime of the system and maintenance schedules — relevant for schools planning multi-year procurement
Any known or foreseeable risks to students, particularly minors

Critical disclosure for Art.22 compliance: Instructions must explicitly state which outputs are binding (triggering Art.22 protections) versus advisory.

Art.14: Human Oversight — the HITL Design Problem in EdTech

Art.14 requires that high-risk AI systems be designed to enable effective human oversight. For EdTech, this is where most vendors underestimate the compliance complexity.

The "Automation Bias" Problem

Research consistently shows that when humans are presented with AI recommendations, they defer to them — even when the recommendations are wrong. A UI that shows a teacher "AI Grade: 62/100" alongside a student essay will produce grades closer to 62/100 than the teacher's independent assessment, regardless of the AI's accuracy.

Art.14(4) requires that the human responsible for oversight be able to:

Understand the AI system's capabilities and limitations
Remain aware of the tendency to over-rely on AI outputs (automation bias)
Correctly interpret the output
Decide not to use the output or override it

This imposes UI and UX design obligations that most EdTech vendors do not currently meet. Compliant designs:

Show AI uncertainty alongside AI output (confidence ranges, not just point estimates)
Require explicit teacher confirmation before AI output is committed to the grade record
Provide one-click override with a prompted but optional reason field
Log override decisions for audit purposes
Include teacher-facing documentation on known model weaknesses

HITL Requirements for Proctoring AI

For exam proctoring systems, Art.14 requires:

Human review of every automated flag before any disciplinary action is taken
Clear escalation path for contested flags
Disclosure to students that human review is part of the process (Art.13 transparency)
Logging of every flag and the human decision outcome (Art.12 record-keeping)

Art.26: Deployer Obligations for Schools and Universities

When an educational institution purchases and deploys an Annex III EdTech AI system, they become a deployer under the EU AI Act and take on obligations under Art.26.

Key Deployer Obligations

Fundamental rights impact assessment (Art.27): Public educational institutions (schools, state universities) that are public authorities are legally required to conduct a FRIA before deploying any Annex III high-risk AI system. See the dedicated FRIA section below.

Use within intended purpose: Schools must use the EdTech AI only as described in the provider's Art.13 instructions. Deploying a plagiarism detection tool as a general surveillance system, for example, would take the institution outside the provider's conformity assessment scope.

Human oversight: Schools must assign qualified personnel to perform the human oversight functions described in the provider's instructions. "Qualified" means Art.4 AI literacy — staff who understand automation bias and know how to critically evaluate AI outputs.

Data governance: Deployers remain data controllers (or joint controllers) under GDPR. The school's data protection obligations are not delegated to the EdTech vendor.

Incident reporting: If the AI system causes a serious incident (Art.73 definition) involving a student, the deploying institution has reporting obligations alongside the provider.

Art.27: Fundamental Rights Impact Assessment for Educational Institutions

Art.27 is unique to Annex III high-risk AI systems when deployed by public bodies. For most public schools and universities across the EU, it is mandatory. The FRIA is distinct from the GDPR DPIA and must be conducted separately.

FRIA Scope for EdTech

The FRIA must assess impacts on:

Non-discrimination (including disparate impact on different demographic groups of students)
Privacy and data protection
Dignity (particularly relevant for invasive proctoring tools)
The rights of the child (UNCRC framework is explicitly mentioned in the recitals)
The right to education (Article 14 EU Charter)
Freedom of thought, conscience, and religion (relevant for monitoring systems)

FRIA Minimum Content

Section	Required Content
Description	Intended use within the institution, populations affected, decision types
Fundamental rights	Explicit analysis per right listed above
Safeguards	How each identified risk is mitigated
Human oversight	Description of oversight measures and responsible persons
Post-deployment monitoring	How the institution will monitor for adverse impacts

The FRIA must be consulted with the Data Protection Officer (if one is required under GDPR) and kept available for inspection by market surveillance authorities.

Under GDPR Art.35, a Data Protection Impact Assessment is mandatory when processing is "likely to result in a high risk" to data subjects. For EdTech AI, mandatory DPIA triggers include:

Systematic evaluation of personal aspects — any student profiling or assessment AI qualifies
Processing on a large scale — institution-wide deployment qualifies even at a single large school
Special categories of data — disability, mental health, or learning difficulty data
Vulnerable data subjects — students are explicitly listed in WP29/EDPB guidance as a vulnerable group

DPIA and AI Act Conformity Assessment: The Overlap

The DPIA and the EU AI Act conformity assessment (Art.43) both require risk analysis, but they are not interchangeable:

Aspect	DPIA (GDPR Art.35)	Conformity Assessment (AI Act Art.43)
Perspective	Data subject rights and privacy	Product safety and AI-specific risks
Conducted by	Data controller (school)	Provider (EdTech vendor)
Scope	All data processing	AI system in Annex III scope
Output	DPIA report	Technical file + CE marking
Timing	Before processing commences	Before placing on market

Both are required. They can share common inputs (bias audits, risk assessments) but must produce separate outputs.

Developer Checklist: 30 Steps to EdTech AI Compliance

Phase 1: Scope Classification (Steps 1-5)

Map your AI features against Annex III Point 3. Does any AI output influence admissions, grading, credentialing, or test monitoring? If yes, you are in scope.
Check the "significant effect" threshold for each AI feature. For each AI output, ask: if a student received this output and disagreed, could they mount a legal or institutional challenge? If yes, Art.22 applies.
Identify your minor-user population. What percentage of your users are under 16? Document the age distribution.
Identify special category data. Audit what learning difficulty, disability, or mental health data flows through your system.
Classify yourself: provider, deployer, or both? EdTech vendors building the AI are providers. Schools deploying it are deployers. Many large EdTech companies are both (building and self-deploying).

Audit lawful basis under GDPR Art.6 for every data processing activity. For school-mandated tools, "public task" or "contract" is more appropriate than consent.
Audit Art.22 compliance for each AI-driven decision. If the decision has significant effects and is fully automated, either establish a lawful basis under Art.22(2) or restructure the decision to include mandatory human review.
Implement Art.22(3) safeguards. Regardless of lawful basis: allow students to request human review, express their view, and contest decisions. Document the process.
Implement GDPR Art.8 age verification for any direct-to-student product. For institution-wide deployments, document why Art.8 does not apply or how it is satisfied through the institutional relationship.
Conduct DPIA under Art.35. Mandatory for all Annex III EdTech AI. Start this before any product launch.
Implement Art.25 data protection by design. Minimise student data collection to what is strictly necessary for the AI function.
Review GDPR Art.9 processing basis for any special category data (learning difficulties, disability accommodations, mental health indicators).

Phase 3: EU AI Act Technical Requirements (Steps 13-22)

Register in the EU AI Office database (Art.49). All Annex III high-risk AI providers must register before placing the product on the EU market.
Implement Art.9 risk management system. Document identified risks, evaluated severity, mitigation measures, and residual risk — with specific analysis for minor users.
Conduct bias audit under Art.10(5). Disaggregate accuracy metrics by gender, language background, disability status, and socio-economic proxy variables.
Prepare Art.11 technical documentation. Include architecture, training data description, bias audit results, accuracy metrics, and testing results.
Design Art.14-compliant human oversight UI. Display AI confidence, require explicit human confirmation before AI output is committed, provide one-click override with logging.
Prepare Art.13 instructions for use. Document intended purpose, accuracy levels, limitations, human oversight procedures, and deployment requirements.
Implement Art.12 record-keeping. Log every AI inference that influenced a student outcome, including the human review decision and any override.
Conduct conformity assessment (Art.43). For most Annex III EdTech AI: internal conformity assessment is permitted (Annex III Point 3 does not require notified body involvement unless your system is also a safety component).
Issue EU Declaration of Conformity (Art.47). The provider must sign and maintain this document.
Affix CE marking (Art.48). Required on product and documentation before EU market placement.

Phase 4: Deployer and Institutional Obligations (Steps 23-27)

Conduct FRIA (Art.27) if you are a public educational institution. Consult your DPO. Assess impacts on student rights, with specific attention to minors and the right to education.
Train staff on Art.4 AI literacy. Document training completion for all teachers and administrators who use AI tools in assessment or admissions workflows.
Establish Art.26 oversight procedures. Assign named responsible persons for AI oversight in each assessment or admissions workflow. Define what "meaningful review" means in your institutional context.
Implement student-facing transparency (Art.50 + GDPR Art.13/14). Students must be informed when AI is involved in decisions about them, in plain language appropriate for their age.
Create a student appeal procedure. Combine Art.22(3) GDPR right to contest with the EU AI Act human oversight requirement. Document escalation paths from automated decision to human review to formal appeal.

Phase 5: Ongoing Compliance (Steps 28-30)

Implement post-market monitoring (Art.72). Track accuracy metrics, complaint rates, and appeal outcomes after deployment. Define thresholds that trigger model retraining or withdrawal.
Establish incident reporting readiness (Art.73). Define what constitutes a "serious incident" in your EdTech context (wrongful exam failures, systematic bias discovered post-deployment, data breach affecting student assessments). Implement 15/30-day reporting timelines.
Conduct annual compliance review. Reassess DPIA, bias audit, and FRIA annually or after any significant model update. Update Art.11 technical documentation to reflect changes.

To illustrate how the two regimes interact, consider a university using an AI admissions system:

Scenario: An AI system scores applicants and outputs a ranked list. Students below a threshold are automatically rejected without human review.

EU AI Act analysis:

Annex III Point 3 in scope (determining access to education)
Art.9 risk management must address false negative risk (qualified students rejected)
Art.14 human oversight is legally required — automatic rejection without human review fails Art.14
CE marking and EU database registration required before deployment

GDPR Art.22 analysis:

Decision based solely on automated processing: yes (no human review)
Legal or similarly significant effect: yes (university admission)
Lawful basis under Art.22(2): unlikely to be established without explicit consent (and student consent is coerced)
Result: Fully automated rejection is unlawful under Art.22

The double-lock: Both regimes independently require human review of each rejection. The AI Act gets there through Art.14 (human oversight design requirement). GDPR gets there through Art.22 (no fully automated significant decisions). Either alone would be sufficient to make automatic rejection unlawful — together, they create a mutually reinforcing compliance floor.

Compliant design: The AI system ranks and scores; a human admissions officer reviews every rejection above the AI's uncertainty threshold; all rejections are logged with the human decision and override rate. Students receive a written explanation on request (Art.22(3)).

EdTech Vendor vs. School: Compliance Responsibility Split

A recurring confusion in EdTech procurement is who is responsible for what:

Obligation	EdTech Vendor (Provider)	School (Deployer)
EU AI Act conformity assessment	Yes — must complete before sale	No
CE marking	Yes	No
EU database registration (Art.49)	Yes	No
FRIA (Art.27)	Only if a public body deploying	Yes if public school/university
DPIA (GDPR Art.35)	If processing data in their infrastructure	Yes as data controller
AI literacy training (Art.4)	Own staff	Yes — teachers and administrators
Student appeal procedure	Must design and enable	Yes — must operate
Incident reporting (Art.73)	Yes — as provider	Yes — as deployer

The compliance responsibility is shared and non-transferable. A contractual clause stating "the school is solely responsible for regulatory compliance" does not transfer the provider's EU AI Act obligations.

August 2026 and Beyond: What Changes

The EU AI Act obligations for Annex III high-risk AI systems are fully applicable from August 2, 2026. For EdTech:

Date	Obligation	Who
August 2, 2026	All Annex III EdTech AI must be CE-marked and registered	Providers
August 2, 2026	Deployers must have AI literacy training documented	Schools/Universities
August 2, 2026	FRIA must be completed before deployment	Public educational bodies
Ongoing	Annual post-market monitoring reports	Providers
Ongoing	DPIA reviews after model updates	Both

Enforcement: The EU AI Act designates national market surveillance authorities. In education, these are likely to be the same authorities that handle consumer product safety. Complaints can come from students (via their national DPA) or from civil society organisations monitoring AI in education.

Conclusion

EdTech AI compliance in 2026 is not a single checkbox — it is a continuous programme integrating EU AI Act technical requirements, GDPR data subject rights, and the special protections owed to minor users. The key insight is the double-lock: GDPR Art.22 and EU AI Act Art.14 both independently prohibit fully automated high-stakes student decisions. Together, they create a robust requirement for meaningful human oversight that no EdTech system can design around.

For EdTech developers: start with the 30-step checklist above, conduct your bias audit early (Art.10 is often the longest-lead item), and design your Art.14-compliant UI before your Art.11 technical documentation — not after.

For educational institutions: your FRIA obligation under Art.27 is not delegated to your vendor. It is your legal obligation as a public body, and it must be completed and consulted with your DPO before any Annex III AI system is deployed at scale.

The August 2026 deadline is a floor, not a ceiling. Students deserve AI systems built with their rights in mind from the start.

Next in this series: Post #1576 — EU AI Act Sector-Specific Compliance Stack Finale: the EU-native toolchain for all high-risk sectors covered in Parts 1 and 2.

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.

Join the waitlist View pricing