Privacy Policy

Dear Visitor, respect for the Privacy Law is particularly important to us.

In particular, the “General Data Protection Regulation” (EU Regulation 2016/679, known by the English acronym “GDPR”) requires us to provide you with the following information on the processing of your Personal Data, pursuant to art. 13 of the aforementioned Regulation.

The “Processing of Personal Data”, in simple terms, is any operation concerning any “information relating to an identified or identifiable natural person”. For example, name and surname, or an e-mail address with a “username” that identifies you (e.g. mariorossi@….), is considered “Personal Data”, and the actions of collection, registration with us and use to send you a communication, they are considered “Processing” operations; so also (again for example) the communication of Personal Data to other organizations and archiving.

Our organization is defined as the “Data Controller”, as a subject who establishes how and for what purposes to process information relating to natural persons.

You, as the “natural person to whom the Personal Data refer”, are defined as the “Data Subject”, and you have the right to receive the following information on who we are, what Personal Data we process, why, how and for how long we process them, and what obligations and rights you have in this regard.

Depending on whether you are a simple Visitor or want to write to us via the contact form, we collect and/or we need you to provide us with some Data, which we need to allow you to browse the Site and/or allow us to reply to you; in the first case (i.e. when you just visit the Site) it is generally information that does not allow you to be identified (and therefore we will only process “Navigation Data”).

The website of the Authority for the Protection of Personal Data contains further information useful for better understanding the subject (see for example: https://www.mca.org.mt/content/data-protection).

The definitions of the terms and expressions used are contained in the Glossary at the bottom of the page. Although not expressly defined here, please refer to the definitions contained in the Terms of Use of the Site; in the event of any conflict between definitions, for the purposes of this Privacy Policy the definitions in the Glossary (at the bottom of the page) prevail over those contained in the Terms of Use of the Site.

Who are we (“Data Controller”)?
Shield Higher Education Ltd, Company Registration Number C-102836, VAT MT29530419, with registered offices in Level 5, Carolina Court, Giuseppe Cali Street, Ta’Xbiex, XBX 1425, Malta
What are the categories of interested parties to whom this information is addressed?
Visitor: the natural or legal person who uses a device and navigates the public pages of the Site via the Internet or who writes to the Owner through the “Contact” area. For information relating to the “first contact”, also consult the information “First Contact“.
What categories of Personal Data do we process?
“Common” Personal Data (name and surname, e-mail address), to the minimum extent necessary to achieve each of the Purposes indicated below. To allow you to use the Site, we also process Navigation Data, which sometimes do not consist of Personal Data because they do not allow your identification. For more information on the meaning of Navigation Data and under what conditions they form Personal Data, please consult the respective item in the Glossary at the bottom of this statement.
Why do we process Personal Data (Purpose) and on what is the Processing (Legal Basis) of each category of Data based?
#	Purpose	Categories of Personal Data	Legal Basis
1	Analyzing traffic on the Site (e.g. detecting the most visited pages, the number of visitors by hour or day, geographical origin, average connection time, browsers used, visitor origin – from search engines or other sites -, phrases and words searched for, etc.) to understand how it is used and manage it, optimize and improve it, or even just for statistical purposes; solve operational problems (e.g. page loading anomalies); perform monitoring activities to reject and/or prevent cyber attacks and frauds.	Navigation data, anonymous information (which does not allow us to trace your identity)	The need to make the Site available in compliance with the Terms of Use (Article 6 § 1.b GDPR)
2	Send targeted promotional messages (retargeting or advertising on social networks), through third-party services that install profiling cookies	Common	Your consent (art. 6 § 1.a GDPR), freely given and revocable at any time moment through the banner and the extended Cookie Policy
3	Satisfy your requests regarding the Site and our activities (e.g. requests for quotes) received at the addresses on the Site or by other	Common	The need to adopt pre-contractual measures on your request (art. 6 § 1.b GDPR)
4	Fulfill the obligations established by the Applicable Law and/or orders given by	the Common	The need to fulfill legal obligations (art. 6 § 1.c GDPR)
5	Ascertain, exercise and/or defend a right in the competent offices	Municipalities	Our legitimate interest in defending our right (art. 6 § 1.f GDPR)
To whom we communicate the Data (Categories of Recipients) ?
To the minimum extent necessary for the achievement of each of the Purposes, on the basis of the Applicable Law and/or a contractual agreement with the Data Controller, to: a) subjects necessary for the execution of the activities connected and consequent to the management of the Site, who act as of Data Processors (e.g. IT service providers, etc.); b) consultants and/or professionals appointed by us, independent Data Controllers; c) other subjects Authorized by us (e.g. our workers), committed to confidentiality or recipients of a legal obligation to confidentiality; d) public organizations and Authorities, if and within the limits in which this is required by the Applicable Law or by their orders, or for the exercise, assessment and/or defense of a right in court. The Data Controller does not disseminate Personal Data, except in the case in which it is requested, in accordance with the law, by Authorities, information and security bodies or other public entities for purposes of defense or state security or prevention, detection or prosecution of crimes.
Do we transfer Personal Data outside the European Union?
Yes, as follows. The Company’s site is located on servers hosted on EC2 servers of Amazon Web Services EMEA sarl (“AWS Europe”) based in Paris, specifically in the “Ireland (Dublin) eu-west-1” sub-zone. AWS Europe is a Luxembourg company, controlled by Amazon Web Services Inc., a US company based in Seattle (WA); any transfer of Personal Data in the context of the AWS services is carried out on the basis of the Standard Contractual Clauses – pursuant to art. 46 § 3 of the GDPR; for more information see https://aws.amazon.com/it/compliance/data-privacy-faq/. In any case, we ensure that the transfer of Personal Data outside the European Union takes place only to countries that guarantee an adequate level of protection, for which there is an adequacy decision by the European Commission, or on the basis of one of the other guarantees provided for by chapter V of the GDPR. For further information, also consult the “First Contact” disclosure.
Do we perform automated decision-making processes and/or profiling activities?
We carry out profiling activities only through profiling cookies (see the extended Cookie Policy).
How long do we keep the Data?
The maximum storage time for the Personal Data collected through the form will not exceed two years, unless you ask us to delete them beforehand or the applicable legislation requires us to keep them for a longer period or allows it to protect our rights and/or legitimate interests.
Does the Site use Cookies?
Yes. To find out more and to view our policy in this regard, you can consult the extended Cookie Policy.
Are you obliged to provide us with Personal Data?
Due to the functioning of the Internet, you cannot refuse the communication of Browsing Data. You can refuse the installation of Profiling Cookies, through the “banner” and the extended Cookie Policy. You are not obliged to write to us through the addresses on the Site, but if you want to do so, you must communicate the Personal Data we request from you.
What happens if you refuse to communicate your data?
If you refuse to communicate the Data for the purpose n. 3, we will not be able to respond to your requests. Refusal to install Profiling Cookies has no consequences.
What rights do you have as an “interested party”?
You, as a person to whom the data refers (“Data Subject”) have the right to: a) access the data held by the Data Controller, and request a copy, except in cases where the exercise of the right harms the rights and freedoms of other natural persons; b) request the rectification of any incomplete or inaccurate data; c) request the deletion of data, subject to the exclusions or limitations established by the Applicable Regulations (e.g. by art. 17 § 3 GDPR); d) request the limitation of processing, where the conditions are met and subject to the exclusions established by art. 18 § 2 GDPR; e) request data portability (i.e. receive them in a structured format, commonly used and readable by an automatic device, in order to be able to transmit them to another Data Controller without impediments), to the extent that the processing is based on consent or on the need to execute a contract where technically possible and except where the exercise of the right harms the rights and freedoms of other natural persons; f) lodge a complaint with the Data Protection Authority of your country, or of the place where the alleged violation occurred. Right to object You can object to the processing based on the legitimate interest of the Data Controller, at any time for reasons connected to your particular situation (e.g. damage to honor, reputation, decency), subject to the demonstration by the Data Controller of a legitimate interest binding and prevailing pursuant to art. 21.1 GDPR, and unless the processing is necessary for the assessment, exercise or defense of a right in court.
Who can you contact with questions or to exercise your rights?
You can contact us at the following e-mail address: privacy@opit.com.

PLEASE NOTE:

the information presented here concerns only the processing carried out on personal data collected through this Site. In the event that you start a relationship with us that goes beyond what is described through the Site, may be further information regarding the processing of personal data.
the last update of this Privacy Policy is from January 2023; we reserve the right to modify the content, in part or completely, also following changes to the Privacy Law; we will publish the updated version of the Privacy Policy on the Website and from that moment it will be binding: you are therefore invited to visit this page regularly.
We do not intentionally collect personal information referring to natural persons who, according to their national legal system of origin, lack the legal capacity to act for the purpose of stipulating contracts. In the event that information on these subjects is recorded, we will delete it in a timely manner, at the request of the interested party or of those who exercise authority over him.

GLOSSARY

“Authority”: the independent public authority established by a State of the European Union, or by the European Union itself, in charge of supervising the application of the Privacy Law (for Malta, the Guarantor for Data Protection personal, https://www.mca.org.mt/content/data-protection).

“Authority”: body or organization, public or private, with administrative, judicial, police, disciplinary, supervisory powers.

“Authorized“: the natural person, placed under the direct authority of the Data Controller, who receives from the latter instructions on the Processing of Personal Data, pursuant to and by effect of art. 29 of the GDPR.

“Privacy Code”: Malta Legislative Decree.

“Committee” or “EDPB”: the European Data Protection Committee, established by art. 68 of the GDPR and governed by articles from 68 to 76 of the GDPR, which replaces the WP29 from 25/5/2018.

“Communication”: “giving personal data knowledge to one or more specific subjects other than the interested party, the representative of the data controller in the territory of the European Union, the person in charge or his representative in the territory of the European Union, authorized persons, pursuant to article 2-quaterdecies, to the processing of personal data under the direct authority of the owner or manager, in any form, including by making them available, consulting or through interconnection” (as defined in article 2 –ter, paragraph 4, letter a of the Privacy Code).

“Contract“: agreement entered into with the User regarding the provision of Services by the Owner.

“Cookies“: strings of text that the websites visited by users (so-called Publisher, or “first party”, i.e. the Site manager) or different websites or web servers (so-called “third parties”) place and store at the inside the user’s terminal device, so that they are then retransmitted to the same sites on the next visit. For more information, see the extended Cookie Policy.

“Navigation data“: these are the data that the computer systems and software procedures used to operate the site acquire, during their normal operation, and whose transmission is implicit in the use of Internet communication protocols. This is information that is not collected to be associated with identified interested parties, but which by their very nature could, through processing and association with data held by third parties, allow users to be identified. This category of data includes the IP addresses or domain names of the computers used by users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the operating system and the user’s IT environment. These data, necessary for the use of web services, are also processed for the purpose of: obtaining statistical information on the use of the services (most visited pages, number of visitors by hour or day, geographical areas of origin, etc.); check the correct functioning of the services offered.

“Personal Data” or “Data”: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social”, as defined by art. 4, subparagraph 1, no. 1, of the GDPR).

“Recipient”: “the natural or legal person, public authority, service or other body that receives communication of personal data, whether or not it concerns third parties”, as defined by art. 4, subparagraph 1, no. 9, of the GDPR.

“Dissemination”: “giving knowledge of personal data to unspecified subjects, in any form, including by making them available or consulting them” (as defined in article 2-ter, paragraph 4, letter b of the Privacy Code) .

“GDPR”: EU Regulation 2016/679 “relating to the protection of natural persons with regard to the processing of personal data, as well as to the free movement of such data and which repeals Directive 95/46/EC (general regulation on data protection) ”.

“Interested“: “identified or identifiable natural person”, as defined by art. 4, subparagraph 1, no. 1, of EU Regulation 2016/679 (so-called “GDPR”).

“Limitation”: “the marking of stored personal data with the aim of limiting their processing in the future”, as defined in art. 4, subparagraph 1, no. 3, of the GDPR.

“Regulations” or “Regulations“: one or more of the sets of regulations indicated, in this Act, as Privacy Regulations and Applicable Regulations.

“Applicable Law”: any provision, of any rank, pertaining to Maltese law or to that of the European Union, in any way applicable to the Site and/or to the Contract.

“Privacy Law”: EU Regulation 2016/679 (“GDPR”), Malta Legislative Decree and subsequent amendments and/or additions (“Privacy Code”), as well as the provisions adopted by the Supervisory Authority in execution of the tasks established by the GDPR and the Privacy Code, and the additional applicable legislation, of any rank, including the opinions and guidelines drawn up by the Committee.

“Profiling”: “any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning professional performance, economic situation, health , personal preferences, interests, reliability, behavior, location or movements of said natural person “, as defined in art. 4, subparagraph 1, no. 4, of the GDPR.

“Publication”: the action by which the Data Controller communicates information on the Site, without implementing procedures that require the Visitor to view it.

“Responsible”: “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller”, as defined by art. 4, subparagraph 1, no. 8, of the GDPR.

“Site”: the web pages displayed at https://www.opit.com, subdomains included.

“Third”: “the natural or legal person, public authority, service or other body that is not the interested party, the data controller, the data processor and the persons authorized to process personal data under the authority directly from the owner or manager”, as defined by art. 4, subparagraph 1, no. 10, of the GDPR.

“Owner“: “the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data”, as defined by the ‘art. 4, subparagraph 1, no. 7, of the GDPR.

“Processing”: “any operation or set of operations, performed with or without the aid of automated processes and applied to personal data or sets of personal data, such as the collection, registration, organization, structuring, conservation, the adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of making available, comparison or interconnection, limitation, cancellation or destruction”, as defined by art. 4, subparagraph 1, no. 2, of the GDPR.

“WP29”: the Working Group for the protection of individuals with regard to the processing of personal data, established by virtue of art. 29 of directive 95/46/EC, whose tasks are set out in art. 30 of directive 95/46/EC and in art. 15 of directive 2002/58/EC