Privacy Policy - Students' Onboarding - OPIT - Open Institute of Technology

Privacy Policy – Students’ Onboarding

Latest update: May 2023

Dear Student,

Privacy Law (in particular EU Regulation 2016/679, the “General Data Protection Regulation” – hereinafter referred to as “GDPR”, as per English acronym) requires us, to provide you with the following information on the processing of your Personal Data, pursuant to Articles 13 e 14 of the GDPR.

“The “Processing of Personal Data”, in simple terms, is any operation concerning any “information relating to an identified or identifiable natural person”.

For example, your first and last name, or an email address with a “user name” that identifies you (e.g. johndoe@….), is considered “Personal Data” and the act of collecting it and registering it with us is considered ‘Processing’. This information is provided by Open Institute of Technology in its capacity as Data Controller (hereinafter also simply the “Company” or “Data Controller”), as this entity determines the purposes and means of the processing; persons under our direct authority (e.g. our employees) must comply with the Privacy Policy.

You, as the “natural person to whom the Personal Data relates”, are defined as a “Data Subject”, and are entitled to receive the following information about who we are, what Personal Data we process, why, how and for how long we process it, and what obligations and rights you have in this respect. Definitions of the terms and expressions used can be found at the end (the Glossary).

Who are we (“Data Controller”)?
Shield Higher Education Limited, an enterprise duly incorporated under the Laws of Malta, with registered offices in Level 5, Carolina Court, Giuseppe Cali Street, Ta’Xbiex, XBX 1425, Malta, Company Registration Number C-102836, VAT Number MT29530419, duly represented by Mr. Riccardo Ocleppo, and owner of the commercial brand “OPIT – Open Institute of Technology (hereinafter also just “OPIT“, or “Company“, or ” Data Controller“).
What categories of Personal Data do we process?
We process common personal data (e.g. first name and surname, fiscal codes, telephone numbers, address, email, images, other documents necessary to verify the requirements of the specific training selected etc.) of Students that have entered or are willing to enter into a Contract with Open Institute of Technology to the minimum extent necessary to achieve each of the Purposes set out below. Contracts and related Data Processing activities which do not expressly refer to this Privacy Policy do not fall within the scope of application of the following provisions.
Why do we process Personal Data (Purpose) and on what is the Processing (Legal Basis) of each category of Data based?
#	Purpose	Categories of Personal Data	Legal Basis
1	Enter into and perform the Contract and any consequent and/or related activities (e.g., sending technical, contractual and organizational communications and information) on the basis of the requirement for its fulfilment, or in order to take steps at the request of the data subject prior to entering into a contract	Common	The need to make the Site available in compliance with the Terms of Use (Article 6 § 1.b GDPR)
2	Marketing (with regard to products and/or services similar to those purchased by the Student, by sending communications to the e-mail address provided in the Contract), on the basis of Data Controller’s legitimate interest, consisting in the strengthening of the commercial relationship with the Student (art. 6 § 1.f GDPR)	Common	Your consent (art. 6 § 1.a GDPR), freely given and revocable at any time moment through the banner and the extended Cookie Policy
3	Assess Student satisfaction, e.g. by sending to the students satisfaction questionnaires, based on its own legitimate interest in assessing the quality of the products and services provided (Art. 6 § 1.f GDPR)	Common	The need to adopt pre-contractual measures on your request (art. 6 § 1.b GDPR)
4	Comply with obligations under applicable legislation and/or orders issued by authorities, on the basis of the need to fulfil legal obligations (art. 6 § 1.c GDPR)	the Common	The need to fulfill legal obligations (art. 6 § 1.c GDPR)
5	To establish, exercise and/or defend a right in the competent courts, on the basis of our legitimate interest in defending one of our rights against the Data Subject and/or the need to pursue this purpose in court (art. 6 § 1.f GDPR)	Municipalities	Our legitimate interest in defending our right (art. 6 § 1.f GDPR)
To whom we disclose the Data (Categories of Recipients) ?
The following categories of persons, to the minimum extent necessary to achieve each Purpose, on the basis of Applicable Law and/or a contractual agreement with the Data Controller: a) subjects required to perform the Contract or related to some other contract, acting as Data Processor or as autonomous Data Controllers (e.g. IT services suppliers, bankers, delivery services, commercial agency, accountants, tax and fiscal experts, lawyers, etc.); b) natural persons authorised by the Data Controller, bound to confidentiality obligations or under legal duty of confidentiality; c) possible partners involved in realising the training programmes; recruitment agencies, companies and professionals interested in selecting personnel; Professionals, Companies and institutions for allowing them to attend educational and experiential courses or training held outside OPIT; d) in the case of persons who are the recipients of sponsorships and grants (for example, scholarships covering the costs of attending the courses in part or in total) from third parties, the latter may be given personal data regarding the participants and their training programme; e) public Administrations or organisations, if and to the extent required by the Applicable Law or their orders, or in order to exercise, defend or assess a right in court, or defence of the State, its security or the prevention and investigations of offences.
Do we transfer Personal Data outside the European Union?
For some internal document management activities we use IT services provided by companies established outside the European Economic Area (e.g. USA. In this case, the transfer is carried out on the basis of standard contractual clauses and additional measures to ensure data protection). In any case, we ensure that data transfers are only made to countries that guarantee an adequate level of protection, for which there is an adequacy decision by the European Commission, or on the basis of one of the other guarantees provided for in Chapter V of the GDPR. Further information on transfers of personal data outside the European Economic Area is available by writing to the Data Controller.
How long do we retain the Data?
The maximum period for which Personal Data will normally be retained will be no longer than ten years from the date of termination of the Contract or the last activity in favour of the Student, unless Applicable Law or the assessment, exercise or protection of a right requires it to be retained for a longer period or permits it in order to protect its rights and/or legitimate interests. For marketing purposes we will hold your data until you object to the processing.
Are you obliged to provide us with Personal Data?
The disclosure of Data by the Data Subject is obligatory, to the minimum extent necessary to respond to requests, for the management of the contractual relationship and for the fulfilment of obligations arising from Applicable Legislation. The provision of your data under purposes n. 2 and n. 3 is always optional.
What happens if you refuse to communicate your data?
If you do not provide us with data for contractual purposes we will not be able to provide the services, or we will not be able to guarantee the safe provision of the services. If You refuse (initially or subsequently) the processing for Marketing purposes You will not (or can no longer) be informed about news related to our activities, nor benefit from any promotions, discounts or bonuses.There is no refusal of communication for the purpose n. 5 and 6.
What rights do you have as a “Data Subject”?
You have the right to: a) access the data held by the Controller, and to ask for a copy, unless the exercise of the right violates the rights and freedoms of other natural persons; b) request the rectification of incomplete or inaccurate data; c) request the erasure of the data, subject to the exclusions or limitations established by the Applicable Law; d) request a list of the data processors, with further data useful for their identification; e) request the restriction of processing, if the conditions are met and subject to the exclusions established by the Applicable Law; f) request data portability (i.e. commonly used and machine-readable format, so that they can be transmitted to another Data Controller without hindrance), to the extent that the processing is based on consent or on the need to perform a contract, where technically possible and except where the exercise of the right infringes the rights and freedoms of other natural persons; g) lodge a complaint with the Data Protection Authority of your country, or of the place where the alleged violation occurred. Right to object You can object the processing based on the legitimate interest of the Data Controller, at any time for reasons connected to your particular situation (e.g. damage to honor, reputation, decency), subject to the demonstration by the Data Controller of a legitimate interest binding and prevailing pursuant to art. 21.1 GDPR, and unless the processing is necessary for the assessment, exercise or defense of a right in court.
Who can you contact with questions or to exercise your rights?
You can contact us at the following e-mail address: privacy@opit.com.

PLEASE NOTE:

This privacy policy has been published in the date indicated above; we can modify the content (in whole or in part) also because of changes in the privacy law; we will publish the updated version of the information note (from that moment it will be binding): Data Subject is invited to visit periodically the page which contains this document and/or the relevant section of the website.

GLOSSARY

“Applicable Law”: any provision of laws and regulations, applicable to the processing of personal data through the Site.

“Student”: the individual or entity who enters into the Contract.

“Contact Form”: means any online form provided by us through the Site, composed of one or more pages, through which the Visitor can send information or make requests.

“Contract”: any agreement entered into by a Student with our Company which expressly refers to this Privacy Policy.

“Data Processor“: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”, as defined in Article 4, sub-paragraph 1, no. 8, of the GDPR and the UK GDPR.

“GDPR“: Regulation (EU) 2016/679 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”.

“Personal Data“: any information relating to an identified or identifiable natural person (“Data Subject“); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing“: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Recipient“: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

“Restriction of processing“: “the marking of personal data stored with the aim of limiting their processing in the future.

“Supervisory Authority”: the independent public authority in charge of monitoring the application of the privacy law.