Privacy & Data Protection Policy
International Health Research Institute Ltd
Last Updated: August 2025
1. Introduction
1.1 Preamble
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), sets the legal framework for processing personal data. The GDPR strengthens the rights and obligations of data controllers, processors, and data subjects.
For a clear understanding of this policy:
- The “Data Controller” is the International Health Research Institute Ltd.
- The “Institute” refers to the International Health Research Institute Ltd.
- A “Processor” is any entity processing personal data on behalf of the controller.
- The “Platform” means the website www.ihri.edu.eu and all associated sites.
- The “User” means any person browsing or using the Platform.
- “Data Subjects” are identifiable individuals whose personal data is collected.
1.2 Purpose
This policy fulfills our obligation to provide transparent information about how we process personal data related to Users of the Platform, in line with our legal and ethical responsibilities.
1.3 Scope
This policy applies to anyone who browses the Platform, uses our services, or interacts with the Institute. By providing personal data, the User acknowledges they have read and understood this Policy.
1.4 Evolution
This policy may be amended to reflect changes in law or practice. The current version is always available on our Platform. We invite Users to consult it regularly.
1.5 Identity and contact details of the data controller
The International Health Research Institute Ltd, located at Level One, Triq Dun Karm, Birkirkara BKR 9037 Malta, is the data controller. We have appointed a Data Protection Officer (DPO): Nicole Foster.
2. Legal Basis for Processing
2.1 Legal Basis for General Personal Data (Article 6 GDPR)
All processing of personal data is based on a lawful ground as defined in Article 6 of the GDPR. We link each processing activity to its specific legal basis in Section 3.
2.2 Legal Basis for Special Category Data (Article 9 GDPR)
As a health research institute, we may process special category data, including health data. Such processing is prohibited by default under the GDPR but is permitted when a specific condition is met. Our legal basis for processing health data will be one of the following under Article 9(2) of the GDPR:
- (a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
- (i) Processing is necessary for reasons of public interest in the area of public health.
- (j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1).
Any processing of health data is subject to enhanced security and confidentiality measures.
3. Purposes of Processing and Their Legal Bases
We process your personal data for specific purposes, each linked to a clear legal basis.
Purpose of Processing | Legal Basis (Article 6 GDPR) | Additional Legal Basis (Article 9 GDPR, if applicable) |
---|---|---|
To create and manage your user account and provide our educational services. | Performance of a contract with you. | N/A |
To ensure the administrative and pedagogical management of students. | Performance of a contract with you. | N/A |
To conduct health-related scientific research studies. | Task carried out in the public interest. | Necessary for scientific research purposes, often underpinned by your explicit consent. |
To develop statistics and improve the Platform and our services. | Our legitimate interest to enhance our services. | N/A |
To communicate with you and answer questions submitted via contact forms. | Our legitimate interest to respond to your queries. | N/A |
To manage the web application and process online registration forms. | Necessary to take steps at your request prior to entering into a contract. | N/A |
To send newsletters and marketing communications. | Your explicit consent. | N/A |
To comply with our legal and regulatory obligations. | Legal obligation. | N/A |
4. Categories of Personal Data Processed
The Institute may collect and process the following data:
- User account credentials: username and email address.
- Identity and contact details: title, name, address, phone number, email, date and place of birth, nationality, photo, copy of identity card.
- Professional life: CV, cover letter, transcripts, degrees, letters of recommendation.
- Academic status: transcripts, diplomas, school records.
- Special Category Data: health information, medical history, genetic data, or other sensitive data provided by you with explicit consent for specific research purposes.
5. Recipients of the Data
We share personal data only when necessary and in accordance with the law. Recipients may include:
- Internal Recipients: Authorised administrative staff, teaching staff, and researchers who require access.
- Third-Party Recipients:
  - Partner foreign universities for joint programmes or exchanges.
  - The Malta Further & Higher Education Authority (MFHEA) for accreditation and reporting.
  - Third-party IT service and platform maintenance providers.
  - Government bodies or law enforcement where required by law.
All third-party processors are bound by contractual data processing agreements to ensure they protect your data to GDPR standards.
6. Duration of Data Retention
We adhere to the GDPR's "storage limitation" principle by not keeping personal data longer than necessary. Our standard retention periods are as follows:
Data Category | Retention Period |
---|---|
Student Academic & Administrative Records | 10 years after graduation or last contact. |
Application Data (Unsuccessful Candidates) | 2 years after the application cycle closes. |
Personal Data for Research (Identifiable) | As specified in the study's consent form; the data will be anonymised or pseudonymised as early as possible. |
Anonymised Research Data | May be retained indefinitely for long-term research purposes. |
Contact Form & General Enquiries | 3 years after the last communication. |
Marketing & Newsletter Subscriptions | As long as you remain subscribed (you can withdraw consent at any time). |
7. International Data Transfers
As an international organisation, we may transfer your personal data to countries outside the European Economic Area (EEA), for example, to partner universities. When we do so, we ensure your data is protected by implementing appropriate safeguards as required by Chapter V of the GDPR. These safeguards include:
- Transferring data to countries that the European Commission has deemed to provide an adequate level of protection for personal data.
- Using Standard Contractual Clauses (SCCs) approved by the European Commission.
8. Cookies
Our Platform uses cookies, which are small files stored on your computer.
- Necessary Cookies: These are essential for the website to function correctly.
- Performance Cookies (e.g., Google Analytics): These help us understand how users interact with our site so we can improve it. These are only used with your consent.
You can manage your cookie preferences at any time via the cookie manager on our Platform or through your browser settings.
9. Security
We are committed to the security of your personal data. We implement reasonable and appropriate administrative, technical, and organisational measures to prevent unauthorised access, disclosure, alteration, or destruction. We apply enhanced security safeguards for special category data, including encryption and access controls.
10. Your Rights
You have the following rights regarding your personal data:
- Right of Access: To obtain confirmation that your data is being processed and to access it.
- Right of Rectification: To correct inaccurate or incomplete data.
- Right to Erasure (Right to be Forgotten): To have your data erased under specific grounds.
- Right to Restrict Processing: To obtain a limitation on the processing of your data.
- Right to Portability: To receive your data in a structured, machine-readable format.
- Right to Object: To object to processing, particularly for marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
- Right to Lodge a Complaint: With the Office of the Information and Data Protection Commissioner (IDPC) in Malta.
To exercise these rights, please contact our Data Protection Officer:
Email: dpo@ihri.eu
Post: Data Protection Officer, International Health Research Institute Ltd, Level One, Triq Dun Karm, Birkirkara BKR 9037, Malta.