The policy is directed towards compliance with the EU’s General Data Protection Regulation (2018) (hereinafter ‘GDPR’), local supplementary legislation and supporting guidance. Therefore this policy is primarily focused on the privacy aspects of the processing of personal data and is intended for visitors and users of the Malta Institute of Taxation (hereinafter the ‘MIT’) website, subscribers, MIT members, MIT students and / or any other third party stakeholders (hereafter referred to as the ‘data subject’).

Under the GDPR processing of personal data includes every aspect of the data lifecycle, from initial collection (whether or not collected from the data subject itself) to data destruction, including data usage, access and transfers.

All processing of personal data shall be in line with the data protection principles of

  • Lawfulness, fairness and transparency;
  • Confidentiality, accuracy and integrity;
  • Data minimisation;
  • Purpose limitation;
  • Storage limitation; and
  • Accountability

In collecting and processing data for the purposes of its operations, the MIT shall act as a data controller.  This  policy is intended to provide information on how these principles are applied to our operations, and includes information on the purpose of data collection, the use of data collection, the rights of data subject and information on retention periods and access to data by third parties.

The management of privacy risks is intended to be an interactive process, with improvements being made to better manage existing and emerging privacy risks on an ongoing basis. For clarifications or queries, please get in touch with the MIT management on


In accordance with the data minimisation principle, only data which is strictly necessary for the purpose for which it is being collected shall be collected by the MIT.   Data is collected for the purposes of

  • subscription to the website and subsequent communication to subscribers who consent to the receipt of such communication
  • enrolment of members and subsequent communication to members
  • enrolment of students for courses, seminars and / or MIT events and communication with same
  • academic progress monitoring which includes performance data, examination and, or assessment results associated with the students
  • marketing, where justified in terms of legitimate interest or where consent for same is obtained.

The number of students’ identification documents shall be processed where students enrol for the MIT’s professional certificate courses.  This is required for appropriate identification of the students.

The MIT photographs its events on a regular basis and uses the photographs for its various markeing efforts, including by posting on social media.  It is in the legitimate interest of the MIT to promote its activities and events.  The MIT notifies its attendees by posting a sign at the venue entrance.  Data subjects may request the MIT not to upload any picture where they are visually identifiable, provided that in such case, the MIT may proceed with publishing the picture once the individual’s identifiable features are obscured.

We endeavour to keep data up to date and accurate, and for this reason request any data subject whose details change to inform us in a timely manner on


Access to data is on a strict ‘need to know’ basis and is stored securely to prevent unauthorised access.

In accordance with the storage limitation principle, personal data is not retained for longer then is needed – this may be a total of five (5) years in the case of students enrolled for professional certificate courses or until consent is withdrawn or membership terminated in cases of website subscription or membership respectively.


Data will not be transferred to external third parties unless there is a legitimate basis to do so. Examiners may access student’s work for examination and / or assignment grading purposes and the MIT may use cloud services in conducting its business.


We use unique identifiers called “Cookies” to collect anonymous, non-personally identifiable information. Cookies are small pieces of code that are saved by your browser.  The cookies include information about your device, browser, area code, zip code, and IP address and are used to provide you with a more customized user experience and improve the design and functionality of our website.

We may share cookies with third Parties to better understand how you use our websites and the type of devices you use to personalize content and deliver relevant advertisements of interest to you. These third parties may collect information about your online activities over time and across different websites when he or she uses our sites.

You may refuse to accept cookies by activating the appropriate setting on your device or browser. However, you may be unable to use certain features of the MIT website dependent on your selection. You can change your cookie settings by reviewing your internet browser’s cookie options. Typically, such information can be found under the browser’s ‘Help’, ‘Preferences’ or ‘Options’ menus.


Data Subjects may exercise numerous rights as set out in the GDPR (especially Chapter III). These include the right to:

  1. withdraw consent (where consent was the basis for processing of personal data);
  2. access information held;
  3. rectify or have rectified inaccurate information;
  4. restrict processing;
  5. object to processing including profiling (for direct marketing this is an absolute right);
  6. have data ported to another service provider; and
  7. have data erased.

Data subject access requests (hereinafter ‘SAR’) are to be addressed to the MIT on  The MIT endeavours to deal with SARs in a timely manner by assessing the SAR on a case by case basis taking into consideration applicable guidance issued by the European Data Protection Board and its legitimate interests.  Subsequently, the MIT will communicate with the data subject on whether the SAR may or may not be satisfied and the reasons for its decision.

Should an individual feel aggrieved by the MIT’s decision they may reach out to the Information and Data Protection Commissioner at


This policy was first created on 28 May 2019

It was updated on 25 July 2019

The policy owner is Malta Institute of Taxation