Chapter 1 – Introduction

This privacy policy ("Privacy Policy") has been prepared in accordance with the General Data Protection Regulation (EU Regulation 2016/679, hereinafter "GDPR") and the Data Protection Act (Chapter 586 of the Laws of Malta, hereinafter "DPA"), and is intended to inform users ("Data Subjects") about the processing of personal data by Omniversity Edutech Ltd, operating as Yhank Institute ("Data Controller", "we", "us", "our").

This policy applies exclusively to personal data collected through the Institute's official website (https://www.yhank.com) and its subdomains, in connection with browsing, information requests, and other online interactions with the site.

1.1 Purpose of this policy

The purpose of this document is to ensure that the processing of personal data is carried out in a lawful, correct and transparent manner, in compliance with the principles enshrined in art. 5 of the GDPR and by the national provisions in force. In addition, the information meets the requirements of art. 13 of the GDPR and art. 12 of the DPA, which impose on the Data Controller the obligation to inform the data subject about the use of their data.

1.2 Subject matter of the policy

This policy only covers the processing of personal data carried out during interaction with the Institute's website, including public sections, contact forms, and tracking and analysis tools.

In the event that the interaction with the Institute involves further processing – for example, enrolment in courses, the signing of training contracts, or other regulated activities – specific additional information will be provided regarding the processing of data relating to these activities.

For information relating to the “first contact”, also consult the information “First Contact“

1.3 Scope

This policy applies to:

Users who visit the website (Visitors).
People who interact through contact forms (Data Subjects).
Prospective students who require prior information.
Individuals who consent to receive promotional or informational communications.

1.4 Reference regulatory sources

This policy is based on the following regulatory references:

GDPR – Regulation (EU) 2016/679, Articles 5, 6, 13, 14, 21 and 25 thereof.
Data Protection Act (Cap. 586) of the Republic of Malta, and the directives of the Information and Data Protection Commissioner (IDPC).
Guidelines of the European Data Protection Board (EDPB).
MFHEA Guidelines on Public Information and Data Processing by Accredited Bodies.
Principles of lawfulness, transparency, minimization and accountability applicable to processing.

Chapter 2 – Data Controller and contacts

Pursuant to Article 4, paragraph 7 of the GDPR and Section 2 of the Data Protection Act (Cap. 586), the Data Controller is the entity that determines the purposes and means of the processing of personal data.

The data controller of the data collected through this website is:

Omniversity Edutech Ltd
(trade name: Yhank Institute)

Registered office: Dragonara Business Centre 5th Floor, TRIQ ID-DRAGUNARA, SAN GILJAN, STJ 3141, Malta.
Registration number: C 108859.
VAT number: MT31185926.
Official website: https://www.yhank.com.
Institutional email: info@yhank.com.
Privacy Email: privacy@yhank.com.
Phone: +356 9902 8644

2.1 Data Protection Officer (DPO)

In accordance with Article 37 of the GDPR and Article 10 of the Data Protection Act, the Data Controller has appointed a Data Protection Officer (DPO), as an entity obliged or in any case voluntarily committed to ensuring transparent governance that complies with European and national regulations.

The DPO can be contacted at the following addresses:

Data Protection Officer (DPO)
Email: dpo@yhank.com
(indicate any telephone number or PEC if available)

The DPO acts as a point of contact between the data subject and the Controller regarding the exercise of the rights provided for by the GDPR (Articles 15–22) and the DPA.

Chapter 3 – Types of data processed

When browsing the Institute's website and interacting with online forms, Omniversity Edutech Ltd – Yhank Institute collects and processes different categories of personal data, which are distinguished between data provided directly by the data subject and data acquired automatically through digital tools.

3.1 Data provided voluntarily by the user

This data is collected when the user fills in online forms, sends emails or contacts the Data Controller via digital channels. They may include:

Identification data: name, surname, gender, date of birth.
Contact data: email, phone number, IP address, country of residence.
Academic or professional data: level of study, qualification, interest in specific courses.
Content of communications: text of messages sent via the contact form or email.
Communication preferences: whether you have requested newsletters or updates on courses and events.

The provision of such data is optional, but necessary to receive a response or access certain services (e.g. request for information on courses, orientation, events).

3.2 Data collected automatically

When accessing the website, the computer system automatically acquires certain technical information, collected for statistical, security or functional purposes, through cookies or other tracking tools (see Chapter 9).

These include:

IP address and approximate geographic location.
Type of device, browser and operating system used.
Date and time of access, duration of the session.
Pages visited, movements and interactions on the page.
Referrer URL (site of origin).

These data are used in aggregate and/or anonymous form, unless there is an express identification of the user through other data (e.g. form filling).

3.3 Special data (special categories of data pursuant to Art. 9 GDPR)

In general, the site does not collect or process special categories of personal data (e.g. data on health, religious beliefs, political opinions, racial or ethnic origin).

If, in exceptional circumstances (e.g. request for support for students with disabilities), such data are collected, express written consent will be requested and specific information will be provided pursuant to art. 9 GDPR and Sections 3 and 7 of the DPA.

Chapter 4 – Purposes of processing and legal bases

The processing of personal data by Omniversity Edutech Ltd – Yhank Institute is based on solid legal bases consistent with the principles of lawfulness, fairness and transparency (art. 5 GDPR). The data is processed exclusively for the determined, explicit and legitimate purposes indicated in this section.

4.1 Site Navigation and Security

Purpose: To allow the user to browse the website, ensuring the correct technical functioning and security of the platform (firewall, backup, intrusion detection systems, etc.).
Legal basis:
- Art. 6(1)(f) GDPR – Legitimate interest of the Data Controller to maintain the integrity of the site and prevent unlawful access.
- Article 7(1)(c) DPA – Measures necessary for the protection of the computer system.

4.2 Handling requests via contact form

Purpose: To respond to requests for information sent via form or email (courses, admission procedures, events, partnerships).
Legal basis:
- Art. 6(1)(b) GDPR – Execution of pre-contractual measures at the request of the data subject.
- Art. 6(1)(f) GDPR – Legitimate interest of the Data Controller to communicate with users interested in its training services.

For information relating to the “first contact”, also consult the information “First Contact“

4.3 Sending newsletters, invitations and updates on educational and institutional activities

Purpose: To send promotional, informative or institutional communications relating to courses, open days, webinars or initiatives of the Institute.
Legal basis:
- Art. 6(1)(a) GDPR – Explicit consent of the data subject.
- Art. 9 DPA – Lawful processing only with prior consent if the content concerns special categories of data (e.g. support for vulnerable students).

4.4 Legal and regulatory requirements

Purpose: To comply with legal obligations, regulations or EU legislation, including requests from competent authorities (e.g. MFHEA, IDPC).
Legal basis:
- Art. 6(1)(c) GDPR – Compliance with legal obligations to which the Data Controller is subject.
- Chap. 586, sections 7–8 – Obligations of cooperation and documentation towards national authorities.
- Defence in court and prevention of abuse
Purpose: Ascertainment, exercise or defence of a right of the Data Controller in court. prevention of fraudulent or improper use of the site.
Legal basis: Art. 6(1)(f) GDPR – Legitimate interest in the protection of the rights and operational security of the Institute.

4.6 Statistical analysis and improvement of services

Purpose: Aggregate monitoring of web traffic and user interactions to improve content, accessibility and institutional communication.
Legal basis:
- Art. 6(1)(f) GDPR – Legitimate interest in improving its information and promotional services.
- Only with prior consent for the use of analytical cookies and non-anonymized profiling (see Chapter 9).

Chapter 5 – Processing methods and security measures

The processing of personal data by Omniversity Edutech Ltd – Yhank Institute is carried out in accordance with the principles of data integrity, confidentiality and availability, adopting appropriate technical and organizational measures to prevent its loss, unlawful use, unauthorized access or undue disclosure.

5.1 Processing methods

Personal data are processed both in digital format and, where strictly necessary, in paper format, using automated and non-automated tools, always in compliance with the principles of:

Lawfulness, fairness and transparency (Art. 5.1.a GDPR),
Limitation of purpose and storage (art. 5.1.b-c-e),
Data minimization (art. 5.1.c),
Accuracy and updating (art. 5.1.d),
Integrity and confidentiality (art. 5.1.f).

The processing is carried out by specially authorised and trained internal personnel, or by external parties formally designated as Data Processors pursuant to Article 28 of the GDPR.

5.2 Technical and organisational security measures

The Institute has implemented a personal data protection system by default and by default (art. 25 GDPR) and adopts measures proportionate to the specific risk for each processing activity, including:

Authentication and authorization systems for access to confidential information.
HTTPS protocol with SSL certificate for all website connections.
Encryption of data during transmission and, where applicable, at rest.
Periodic backup and disaster recovery systems to ensure business continuity.
Documented procedures for the management of security incidents and data breaches, with possible notification to the IDPC (Information and Data Protection Commissioner) within the legal deadlines (art. 33–34 GDPR).
Access control and tracking through system logs.
Regular updates of software, antivirus, firewalls and security patches.
Periodic staff training on privacy risks, secure use of data and prevention of unauthorized access.

5.3 Protection in cloud environments and digital infrastructures

The hosting of the site and the data collected online is entrusted to European suppliers compliant with the GDPR (e.g. AWS Europe – Dublin region). Any data transfers to non-EU countries take place exclusively:

on the basis of adequacy decisions of the European Commission (Art. 45 GDPR), or
through Standard Contractual Clauses (SCCs) approved by the Commission (art. 46 GDPR), and only after verification of the equivalence of the guarantees offered.

Chapter 6 – Data retention period

The personal data collected by Omniversity Edutech Ltd – Yhank Institute are stored for a limited period, defined according to the purposes for which they were collected, in compliance with the principle of storage limitation (art. 5(1)(e) GDPR) and the sectoral provisions in force on educational, administrative and tax matters.

6.1 General retention criteria

The Data Controller retains personal data:

only for the time strictly necessary to achieve the purposes for which they were collected.
or, if required, until the expiry of the legal terms provided for by legislative, accounting, tax or regulatory obligations (e.g. MFHEA, IDPC).
After that, the data is anonymized or securely deleted.

When determining the duration, the nature of the data, the purpose of the processing, the principle of proportionality, and the legitimate interest in document retention are taken into account.

6.2 Specific duration for each treatment

Purpose of the processing	Retention period
Site navigation and technical logs	Up to 30 days, unless extended for anti-fraud activities
Contact forms / enquiries	24 months from receipt, unless a formal relationship is established
Sending newsletters / promotional communications	Until you revoke your consent (opt-out)
Legislative, tax or regulatory compliance	10 years, unless further obligations are imposed by authorities
Retention of Proof of Consent	5 years from the termination of processing based on consent
Web statistics and anonymized data	Unlimited, if without identifying elements

6.3 Conservation in education

If users become enrolled students or initiate formal admission or certification procedures, the specific rules provided by the MFHEA and other regulatory authorities will apply:

Academic data: up to 40 years old (including records of exams, admission, degrees awarded).
Support, career and counselling data: 10 years from the end of the training relationship.
Tax and administrative documents: 10 years from the termination of the relationship.

These periods ensure traceability, rebuilding of the training experience and preservation of qualifications, in accordance with MFHEA requirements and audit standards.

Chapter 7 – Communication and dissemination of personal data

The personal data collected by Omniversity Edutech Ltd – Yhank Institute is not subject to indiscriminate dissemination. However, they may be communicated to third parties within the limits of the purposes indicated in this policy and in compliance with the principles of proportionality, necessity and security.

7.1 Persons authorised to process

Personal data may be processed by internal staff of the Institute, expressly authorized by the Data Controller, as persons in charge or delegate, and duly trained in privacy and data protection.

7.2 Data processors

For organisational, technological or institutional reasons, some processing is entrusted to external parties, who act as Data Processors pursuant to Article 28 of the GDPR, subject to a formal contract. These parties are required to ensure adequate security measures and to comply with this policy.

By way of example, the following may fall into this category:

IT providers (hosting, cloud, email services, backup).
Providers of software for educational, didactic or CRM management.
Technical, legal or tax consultants appointed by the Institute.
Partner institutions for cooperation or international mobility projects, in compliance with the contractual clauses.

An updated list of Data Processors can be requested by writing to: privacy@yhank.com

7.3 Communication to independent third-party controllers

The data may be communicated, where necessary, to third parties acting as independent data controllers, such as:

Public authorities, regulatory or judicial bodies (e.g. MFHEA, IDPC, tax authorities), solely for regulatory obligations or lawful inspections.
Academic institutions or external partner bodies in the context of joint study programmes, mobility or co-supervision, subject to informed consent.
Banks and financial intermediaries, in the case of payment or reimbursement transactions.

All recipients of personal data are bound to comply with the data protection regulations and the purposes indicated by the Data Controller.

7.4 Dissemination of personal data

Personal data are not disseminated, i.e. they are not made accessible in public form, unless explicitly consented to by the data subject or legal obligation.

The following are excluded from this prohibition:

Mandatory publications for administrative or academic transparency (e.g. lists of graduates, scholarship notices, calls), in compliance with the principles of minimization and purpose.
Institutional initiatives in which the data subject has given his or her explicit consent, such as the publication of testimonials, interviews or multimedia content.

Chapter 8 – Data transfer to third countries or international organisations

8.1 General principle (Art. 44 GDPR)

Any transfer of personal data to countries or international organizations outside the European Union or European Economic Area takes place in strict compliance with Chapter V of the GDPR (art. 44–50) and the national instruments provided for in the DPA.

8.2 Countries with an adequacy decision (Art. 45 GDPR)

When the transfer takes place to countries recognized by the European Commission as having an adequate protection regime (e.g. United Kingdom, Switzerland, Japan, commercial Canada, United States with Data Privacy Framework...) no further legal adjustment is necessary.

8.3 Standard Contractual Clauses (SCCs) (Art. 46 GDPR)

In the case of transfers to countries not covered by adequacy decisions:

The Standard Contractual Clauses (SCCs) modernized by the European Commission in June 2021 are adopted.
SCCs are chosen according to the role they play (Module 1, 2 or 3) and supplemented, if necessary, by additional technical and organisational measures (e.g. end-to-end encryption, audit trail) to comply with the principle of "substantial equivalence" deriving from judgments such as Schrems II.

8.4 Binding Corporate Rules (BCRs) and Other Mechanisms

When Yhank Institute operates in corporate groups, it may adopt Binding Corporate Rules (BCRs) authorized by EU authorities, or recognized codes of conduct and certification mechanisms (Articles 47, 46 GDPR).

8.5 Exceptions (Art. 49 GDPR)

Only in specific and limited cases (e.g. express authorization of the interested party, transfer necessary for the performance of a contract) an extraordinary transfer is allowed without further guarantees, and only if strictly necessary.

8.6 Additional Rules Under the Data Protection Act (Ch. 586)

Article 10 DPA: The Maltese Minister, in consultation with the IDPC, may impose limitations or conditions on transfers in the absence of an adequacy decision.
Subsidiary Legislation S.L. 586.12 (August 2023): guarantees the effectiveness of the rights of the parties involved in transfers through SCCs or other instruments, even if they are not contractual parties, making these guarantees directly enforceable.

8.7 Information to the data subject

During the data collection phase, the Institute clearly informs the data subject:

any transfer to third countries (the recipient country or organisation will be specified).
the guarantees provided (e.g. SCC, BCR, adequacy).
of the related exercisable rights (access, complaint, direct effect of SL 586.12).

8.8 Responsibility of the Owner

In addition to the adoption of the measures, the Data Controller:

Monitors the correctness of the SCCs and any regulatory changes in the recipient countries.
Regularly reviews the measures taken to verify their adequacy and effectiveness.
Keeps the transfer logs required by the DPA and GDPR up to date.

Chapter 9 – Cookies and Tracking Technologies

9.1 Definition of cookies

Cookies are small text files that the website sends and stores on the user's device while browsing. The next time you access the site, cookies are read again to recognize your device and improve the user experience.

Cookies can be:

Technical: necessary for the operation of the site.
Analytical: useful for statistical purposes, including through third-party services.
Profiling: aimed at creating user profiles for sending advertising messages in line with preferences.

9.2 Types of cookies used by the site

The Yhank Institute website uses the following categories of cookies:

Type	Function	Legal basis	Need for consent
Technical cookies	Enable essential functions (e.g. login, user session, security)	Art. 6(1)(f) GDPR – Legitimate interest	Unsolicited
Anonymized analytical cookies (e.g. Google Analytics with masked IP)	Site Performance Measurement	Art. 6(1)(f) GDPR	Not required, if anonymized
Non-anonymized analytical cookies	Detailed statistics related to user behavior	Art. 6(1)(a) GDPR – Consent	Requisite
Profiling and marketing cookies (e.g. Facebook Pixel, LinkedIn Insight)	Personalized advertising, remarketing	Art. 6(1)(a) GDPR – Consent	Requisite

9.3 Consent Management

When the site is opened, a cookie banner is displayed, which allows:

to accept or reject all categories of non-essential cookies.
to access an extended Cookie Policy with detailed information.
to change or withdraw consent at any time through the "Cookie management" link at the bottom of each page.

Consent is recorded and documented for 12 months, after which it will be requested again.

9.4 Third-Party Services

The site may integrate third-party cookies and tracking tools, including:

Google Analytics – Anonymous or pseudonymized statistics and reports.
Facebook Pixel / Meta Ads – Conversion tracking.
LinkedIn Insight Tag – Audience analysis for B2B activities.
Hotjar or similar tools – UX analysis and heatmaps (with prior consent).

The use of these tools is governed by the respective privacy policies, accessible from the extended Cookie Policy.

9.5 Your rights

The user may at any time:

Configure your browser to block cookies.
Remove those already installed.
Exercise the rights provided for by the GDPR (access, opposition, deletion) also in relation to data collected through third-party cookies.

Failure to consent to profiling cookies does not affect site navigation or access to institutional content in any way.

Chapter 10 – Rights of the Data Subject

As a subject whose personal data is processed (so-called data subject pursuant to Article 4, paragraph 1, no. 1 GDPR), the user has the right to exercise at any time the rights recognized by EU Regulation 2016/679 and the Maltese Data Protection Act.

10.1 Right of access (Art. 15 GDPR)

The interested party has the right to obtain:

Confirm whether or not personal data concerning him or her is being processed.
Access to such data.
Information on the purposes of the processing, the categories of data processed, the recipients, the retention period, the origin of the data (if not collected directly), any transfer outside the EU.
A copy of the personal data being processed.

10.2 Right to rectification (Art. 16 GDPR)

The data subject may request the correction of inaccurate data or the completion of incomplete data concerning him/her.

10.3 Right to erasure ("right to be forgotten") (Art. 17 GDPR)

The data subject has the right to have his or her personal data erased if:

They are no longer necessary for the purposes for which they were collected.
Consent has been withdrawn and there is no other legal basis.
The data subject objects to the processing (see § 10.6).
The data are processed unlawfully.
The data must be deleted to comply with a legal obligation.

Exclusions: the right does not apply when the processing is necessary, for example, to comply with legal obligations or for the exercise of a right in court.

10.4 Right to restriction of processing (Art. 18 GDPR)

The data subject may obtain the limitation of processing, in the presence of one of the following conditions:

Disputes the accuracy of the data (for the time necessary for verification).
The processing is unlawful but opposes erasure.
Data are no longer necessary but they need them for the defense of a right.
He has exercised opposition and awaits the verification of the prevalence of rights.

During restriction, data is retained but not used except for legal reasons.

10.5 Right to portability (Art. 20 GDPR)

If the processing is based on consent or contract and carried out by automated means, the data subject may request to:

Receive personal data in a structured, commonly used and machine-readable format.
Pass them on to another owner, even directly, if technically possible.

10.6 Right to object (Art. 21 GDPR)

The interested party may object at any time:

To processing based on the legitimate interest of the Data Controller.
To processing for direct marketing or profiling purposes.

In the event of opposition, the data will no longer be processed unless the Data Controller demonstrates overriding legitimate reasons (e.g. exercise of a right).

10.7 Right not to be subject to automated decision-making (Art. 22 GDPR)

The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects him/her, unless explicitly consented to or contractually necessary.

10.8 Methods of exercising rights

The above rights can be exercised free of charge, except for manifestly unfounded or excessive requests, by sending a communication to: privacy@yhank.com or to the DPO: dpo@yhank.com

The Data Controller will provide feedback within 30 days, which can be extended by a further 60 days in complex cases, informing the data subject of the reasons for any extension.

10.9 Complaint to the supervisory authority

The data subject has the right to lodge a complaint with the competent national supervisory authority in the event of an alleged violation of his or her rights:

Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House, High Street, Sliema SLM 1549 – Malta

https://idpc.org.mt/
idpc.info@idpc.org.mt

Chapter 11 – Changes to this Notice

11.1 Principle of continuous updating

Omniversity Edutech Ltd – Yhank Institute reserves the right to modify, update or supplement this Privacy Policy at any time, in whole or in part, at its own discretion or as a result of:

regulatory updates on the protection of personal data (national or EU).
indications from the competent authorities (e.g. IDPC, EDPB, MFHEA).
internal organisational or technological changes that affect the way in which personal data is processed.
of the evolution of the services offered online or offline through the institutional website.

11.2 Methods of communicating changes

In the event of substantial changes to this policy, the Data Controller undertakes to:

Publish the new version with the update date clearly visible on the website.
Inform users who have already registered or been contacted, where possible, through the available contact details (e.g. email, reserved area).
To allow you to review changes before they take effect, in particular where the changes relate to a purpose, legal basis or recipient.

We encourage you to review this section regularly to stay informed of any updates.

11.3 Last Revised Date

The latest version of this Privacy Policy was approved and published on 21 June 2025. Any new version completely replaces the previous one.

Chapter 12 – Further information and contact

12.1 Additional Information

This policy applies exclusively to the processing of personal data carried out through the official website of the https://www.yhank.com Institute and its subdomains, and does not cover other websites that may be consulted by the user through external links.

In the event of activation of contractual, educational or other relationships with Yhank Institute (e.g. enrollment in courses, participation in events, international mobility, collaborations), additional dedicated and specific information may be provided pursuant to Articles 13–14 of the GDPR, which supplement this Policy.

In particular, enrolled students or candidates will receive information relating to the processing:

academic data.
of the personal file.
sensitive data in case of special educational needs (SEN).
of any transfer to partner institutions, tutors or foreign universities.

12.2 Contact for Support and Information

For any information, clarification or request relating to this Privacy Policy or the exercise of the rights provided for by the law, the user may contact:

Data Controller

Omniversity Edutech Ltd – Yhank Institute

Dragonara Business Centre 5th Floor, TRIQ ID-DRAGUNARA, SAN GILJAN, STJ 3141, Malta.
Email: privacy@yhank.com
Website: www.yhank.com

Data Protection Officer (DPO)

Email: dpo@yhank.com

Requests will be managed in compliance with the deadlines provided for by the GDPR and the Maltese DPA, ensuring adequate support to the data subject even in the pre-contractual or information phase.