Malta University Holding Company Ltd and Subsidiaries – Data Privacy Notice
This Data Privacy Notice is a statement of the practices of the Malta University Holding Company (‘MUHC’) and its subsidiaries in connection with the processing of personal data and the steps taken by the MUHC to protect personal data and safeguard an individual’s right to privacy. In this document, any reference to MUHC refers to MUHC Group and all and any of its subsidiaries.
This Data Privacy Notice explains the following:
- How and why we collect and use personal data.
- The purpose and legal basis for processing personal data.
- How we store and secure personal data.
- Details of third parties with whom we share personal data.
- Your rights under data protection law.
- How and why we collect and use personal data
The data we collect from you will be used by MUHC Group in accordance with the purposes outlined in this Privacy Notice. We collect personal data via website forms, written application forms and documents, email and phone enquiries, studies and surveys. We also collect/share information from/with third parties such as: University of Malta; the Malta Further and Higher Education Authority, Jobsplus; the National Statistics Office; Identity Malta; and agents; and any other third party as is necessary to fulfil our functions and duties at law.
We process data relating to students; clients; and participants which make used of the services provided by the MUHC Group as detailed in the table below. Personal data and special categories of personal data may also be collected directly from students/clients/participants who avail of specific services offered by the Group such as training courses, use of sports facilities, selling/hiring of merchandise, leisure activities and surveys as part of consultancy assignments. If you provide MUHC Group with your data for these purposes, then specific information on data protection will be provided at the point of collection.
|Purpose for processing personal data||Category||Legal basis for processing|
|Application||Administrative||Necessary to carry out the objects and functions under the M&A of MUHC. Performance of a contract. Statutory requirements.|
|Enrolment and Registration||Administrative||Necessary to carry out the objects and functions under the M&A of MUHC. Performance of a contract. Statutory requirements.|
|Administration of your education.||Administrative||Necessary to carry out the objects and functions under the M&A of MUHC. Performance of a contract. Statutory requirements.|
|Administration of MUHC policies.||Administrative|
|Administration and provision of MUHC email address and IT services.||Administrative|
|Administration and provision of Library services.||Administrative|
|Provision of data required by statutory entities such as the Malta Further and Higher Education Authority; Jobsplus; the National Statistics Office; and any other entity as necessary and required.||Administrative|
|The provision of data to Identity Malta to support visa applications for international students.||Administrative|
|Face-to-Face and Online synchronous teaching and learning (hybrid learning).||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Audio and Video recording of MUHC classes, including lectures, tutorials, seminars, workshops and practicals.||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Academic assessment and supervision and monitoring of attendance, including remote assessment and supervision.||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Graduation and granting of awards, certification, including online ceremonies.||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Processing of appeals, complaints and disciplinary issues.||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Administration of training programmes .||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Administration of placements.||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Surveys, submission forms and student feedback.||Academic||Necessary to carry out the objects and functions under the M&A of MUHC.|
|The provision of medical, counselling and disability and equality services||Student and Employee Services||Consent or explicit consent. Vital interests of the individual. Necessary to carry out the objects and functions under the M&A of MUHC. Performance of a contract. Statutory requirement – Disability and Equality legislation.|
|The use of sports and recreational facilities.||Services to the public||Consent or explicit consent. Vital interests of the individual. Necessary to carry out the objects and functions under the M&A of MUHC. Performance of a contract. Statutory requirement – Disability and Equality legislation.|
|The provision of booking services for accommodation.||Services to the public||Consent or explicit consent. Vital interests of the individual. Necessary to carry out the objects and functions under the M&A of MUHC. Performance of a contract. Statutory requirement – Disability and Equality legislation.|
|If necessary due to a medical emergency.||Duty of Care||Vital interests of the individual. Statutory requirement.|
|The protection of vital interests.||Duty of Care||Vital interests of the individual. Statutory requirement.|
|The protection of public health.||Duty of Care||Vital interests of the individual. Statutory requirement.|
|Processing and recovery of fees and payments||Financial||Necessary to carry out the objects and functions under the M&A of MUHC.|
|The administration of CCTV for security purposes.||Health & Safety Protection of Assets||Legitimate interest of the MUHC. Statutory requirement.|
|Provision of a safe environment for educational and administrative activities.||Health & Safety Protection of Assets||Necessary to carry out the objects and functions under the M&A of MUHC.|
|Vetting for placements on specific courses.||Academic Legal||Statutory requirement. Legal claims.|
|For the purposes of criminal investigations.||Legal||Statutory requirement. Legal claims.|
|Exercise or defence of legal claims.||Legal||Statutory requirement. Legal claims.|
|Provide information about MUHC Group events and activities.||Communication and Promotion||Necessary to carry out the objects and functions under the M&A of MUHC. Legitimate interest of the MUHC.|
|Retention of academic, financial and other data of archival value in the public interest.||Archives||Necessary to carry out the objects and functions under the M&A of MUHC.|
We collect personal data for the purposes of recruitment and for the formation and administration of contracts of employment and employee relationships, which also includes the formation and administration of service contracts with consultants engaged by MUHC Group. The detailed privacy notice for staff will be available on MUHC servers and will be provided to new members of staff with their contract of employment. Additional data may be collected from staff when they register to use other services within MUHC.
Members of the Public and MUHC
We collect data from members of the public in order to respond to enquiries, process transactions, administer services and accept bookings for events. We may add your personal data to a relevant mailing list if you have made an enquiry in relation to a service and opted in to receive communications or if a transaction has taken place. In the event that we do record your data on a mailing list you will be provided with the opportunity to opt out from the outset of engagement. Moreover, in all our communications with you we will only send you information relevant to your initial enquiry or transaction.
Information on internet traffic is collected routinely by MUHC. This technical information is used to ensure the smooth running of the computer network at MUHC and for statistical or administrative purposes. It is not used to gather identifiable personal information on individual website visitors, except in so far as this is permitted by law and may be necessary in order to prevent or detect problems or offences in relation to the operation of the website.
This information is used for the sole purpose of statistical information gathering and demographics relating to the MUHC’s websites, and enables us to determine general visitor patterns and pathways within our pages. This statistical data is then fed back into future design and usability modifications made to MUHC’s web pages.
CCTV and Access Controls
CCTV cameras are in operation on some of the MUHC offices/facilities in order to provide enhanced protection for students, clients, staff and visitors. For further information please see the MUHC CCTV Code of Practice Privacy Statement.
Personal data is collected directly from individuals when accessing MUHC-controlled facilities via an Access Control System provided by the landlord. This system is employed to provide a safe and secure environment at MUHC. Data processed by the system is also collected from other secure systems under the control of MUHC. Only the minimum and necessary data is processed for the purposes of the system. For further information please see the MUHC Access Control System Privacy Statement.
Photographs or videos of staff, students and the general public who are present at MUHC events and activities are frequently taken at MUHC events, including online events. may be shared on MUHC’s website or social media accounts. Where the use of photographs or video may not be reasonably expected by individuals MUHC will seek consent to publish photographs or video where it is practical to do so. Individuals have the right to object to the use of their image and should contact the event organiser in the first instance or the MUHC liaison officer with the Data Protection Office.
- The purpose and legal basis for processing personal data.
In order for the use of personal data to be lawful, it should be processed on the basis of a legal basis as set out under Articles 6 and 9 GDPR.
MUHC will ensure that your data is processed fairly and lawfully in keeping with the principles of data protection and will process personal data under various legal bases depending on the purpose for which the data is collected.
Specific information on the legal basis for processing your personal data will also be provided at the point of collection of personal data. These may include:
- Where the processing of personal data is a statutory function of MUHC under the Education Act Cap. 327 of the Laws of Malta.
- Where MUHC is required to process personal data by law.
Where the processing of personal data is necessary for the formation of a contract with you.
Where the processing of personal data is not related to the official functions of the MUHC we may sometimes process personal data based on legitimate interests e.g. for the administration of events, purchasing of tickets, gift shop purchases and the use of our services.
Generally, when processing special categories of personal data MUHC will seek explicit consent for the processing of data except where another condition applies e.g. employment law, legal claims or medical diagnosis.
- How we store and secure your data
Any data we collect from you will be stored confidentially and securely as required by the MUHC’s Data Protection Policy, Information Systems Security Policy and IT and Network Code of Conduct. The MUHC is committed to ensuring that processing of MUHC-controlled data is performed in a secure manner.
In keeping with the data protection principles, we will only store your data for as long as is necessary and in accordance with the MUHC Records Management Policy and Records Retention Schedule.
When we store your personal data on our systems the data will primarily be stored either on the MUHC premises and secure IT platforms within the European Economic Area (‘EEA’) which are also subject to European data protection requirements.
We may store or share your data outside the EEA in the following circumstances:
- For processing international applications and sharing data with foreign partners.
- When using cloud services for the secure storage of data. Some cloud service providers store data in international data centres e.g. the United States. The MUHC will only use services which are compliant with GDPR and who satisfy the conditions for processing personal data outside the EEA.
- If we are required to do so by law.
- Details of third parties with whom we share personal data
MUHC will only share your data with third parties where necessary for purposes of the processing and where there is a legal basis to do so.
The MUHC may share relevant personal data with the following categories of third parties:
- State or regulatory bodies.
- IT or Cloud service providers that provide essential services to the MUHC e.g. Google and Zoom.
- Firms that provide professional services to the MUHC such as legal firms, banks and auditors.
- Firms that provide archiving and storage and disposal of confidential waste.
- Academic and consultancy partners.
- The Maltese Police Force, Interpol or any other organisation when we are required to do so by law.
When we share your data with the third parties outlined here the MUHC will endeavour only to share the data that is needed, that the data is only processed according to our specific instructions and that the same standards of confidentiality and security are maintained. Once the processing of the data is complete any third parties with whom data was shared will be required to return the data to the MUHC or to destroy it, save where they are required to retain it by law.
One of the functions of the MUHC is the curation of the MUHC Archives, which comprise the MUHC’s administrative, legal and historical records of archival value. The MUHC will process personal data of archival value in accordance with article 6 of the Data Protection Act Cap. 586 of the Laws of Malta, which permits that personal data of archival value in the public interest may be retained. Personal data retained by the MUHC for archival purposes in the public interest will be stored and secured in accordance with the principles of data protection.
- Your Rights under Data Protection Law
Individuals are entitled to certain rights under GDPR. These rights apply to the processing of personal data, which is defined under the GDPR as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
You have the following rights over the way we process your personal data:
Right of Access
You have the right to request a copy of the personal data we are processing about you and to exercise that right easily and at reasonable intervals.
Under article 15 of the GDPR individuals have the right to access their personal data that is under the control of MUHC. Responses to access requests will be issued within one (1) month unless an extension is required.
To access your personal data:
- Complete the Data Access Request Form. Please give as much information as possible about the data you wish to access.
- Send the form to the MUHC Data Protection Officer at firstname.lastname@example.org
You have the right to withdraw your consent where that is the legal basis of our processing.
You have the right to have inaccuracies in personal data that we hold about you rectified.
You have the right to have your personal data deleted where we no longer have any justification for retaining it subject to exemptions such as the use of anonymised data for scientific research.
You have the right to object to processing your personal data if:
- We have processed your data based on a legitimate interest or for the exercise of the public tasks of the MUHC if you believe the processing to be disproportionate or unfair to you.
- The personal data was processed for the purposes of direct marketing or profiling related to direct marketing.
- We have processed the personal data for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
You have the right to restrict the processing of your personal data if:
- You are contesting the accuracy of the personal data.
- The personal data was processed unlawfully.
- You need to prevent the erasure of the personal data in order to comply with legal obligations.
- You have objected to the processing of the personal data and wish to restrict the processing until a legal basis for continued processing has been verified.
Where it is technically feasible you have the right to have a readily accessible electronic copy of your data transferred or moved to another data controller if we are processing your data based on your consent and if that processing is carried out by automated means.
For further information regarding your rights contact the MUHC Data Protection Officer at email@example.com
Data Protection Officer
MUHC is required by law to appoint a Data Protection Officer.
The role of the Data Protection Officer is:
- To advise MUHC and its staff what their responsibilities are under GDPR and the Data Protection Act Cap. 586 of the Laws of Malta.
- To monitor compliance with the GDPR and the Data Protection Act and relevant policies.
- To provide training and increase awareness among staff.
- To provide guidance on the completion of Data Protection Impact Assessments.
- To co-operate and act as the contact point with the Information and Data Protection Commission in relation to complaints, investigations, audits and consultations and any other matter relevant to the legislation.
If you have any queries relating to the processing of your personal data or if you wish to make a complaint or escalate an issue relating to any of your rights you can contact the Data Protection Officer at: firstname.lastname@example.org
If you are not satisfied with the information we have provided to you in relation to the processing of your data you can raise a concern with the Information and Data Protection Commission or contact the Commission at: https://idpc.org.mt/contact/