GDPR Policy

Auren Institute

January 2026


General Data Protection Regulation (GDPR) Compliance Statement

1. Introduction

Auren Institute (hereinafter referred to as “the Institute”, “we”, “our”, or “us”) is committed to ensuring the protection, confidentiality, and lawful processing of personal data. This commitment is embedded within our governance, operational processes, and digital infrastructure.

The Institute processes personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as well as any applicable national data protection laws. This statement outlines the principles, practices, and safeguards adopted to ensure full compliance.


2. Data Protection Principles

In line with Article 5 of the GDPR, Auren Institute ensures that all personal data is:

  • Processed lawfully, fairly, and transparently in relation to data subjects
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed
  • Accurate and, where necessary, kept up to date, with reasonable steps taken to rectify or erase inaccurate data
  • Retained only for as long as necessary for the purposes for which it is processed
  • Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage


3. Categories of Personal Data

The Institute may collect and process the following categories of personal data, as applicable:

  • Personal identification data (e.g. name, surname)
  • Contact details (e.g. email address, telephone number)
  • Professional and organisational information (e.g. job title, employer)
  • Educational and learning data (e.g. enrolments, course progress, assessment outcomes, certifications)
  • Financial and transactional data (where applicable)
  • Technical data (e.g. IP address, browser type, usage data through cookies and analytics tools)

4. Purpose of Processing

Personal data is processed strictly for legitimate and defined purposes, including:

  • Provision and administration of educational programmes and training services
  • Management of learner access to digital platforms and learning management systems
  • Communication with learners, clients, and stakeholders
  • Issuance and verification of certificates and academic records
  • Compliance with legal, regulatory, and accreditation requirements
  • Quality assurance, monitoring, and continuous improvement of services
  • Marketing and promotional communications, subject to appropriate consent

5. Legal Basis for Processing

The Institute relies on the following legal bases for processing personal data:

  • Performance of a contract – where processing is necessary for the delivery of services
  • Compliance with legal obligations – including regulatory and statutory requirements
  • Legitimate interests – including service improvement, system security, and business operations, provided such interests do not override the rights of data subjects
  • Consent – where required, particularly in relation to marketing communications

6. Data Sharing and Third-Party Processors

Personal data may be disclosed to carefully selected third parties where necessary for operational and compliance purposes. These may include:

  • Learning management system and platform providers
  • Payment processing service providers
  • IT infrastructure and cloud service providers
  • Accreditation, certification, and regulatory bodies
  • Professional advisors, including legal and audit services

All third-party processors are subject to contractual obligations to ensure compliance with GDPR and appropriate data protection safeguards.


7. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), the Institute ensures that appropriate safeguards are implemented, including:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Equivalent legally recognised transfer mechanisms

8. Data Security and Technical Measures

Auren Institute implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit and, where applicable, at rest
  • Role-based access controls and authentication protocols
  • Secure cloud-based infrastructure
  • Regular system monitoring, updates, and vulnerability management
  • Data backup and disaster recovery procedures
  • Staff training and awareness on data protection obligations

9. Data Subject Rights

In accordance with GDPR, data subjects are entitled to exercise the following rights:

  • Right of access to personal data
  • Right to rectification of inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”), subject to legal limitations
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing based on legitimate interests or direct marketing
  • Right to withdraw consent at any time, where processing is based on consent

Requests to exercise these rights will be handled in accordance with GDPR timelines and requirements.


10. Data Retention

Personal data is retained only for the duration necessary to fulfil the purposes for which it was collected, including:

  • Contractual and service delivery requirements
  • Legal and regulatory obligations
  • Audit and quality assurance processes

Retention periods are subject to periodic review to ensure continued compliance.


11. Governance and Accountability

Auren Institute maintains internal policies, procedures, and controls to demonstrate accountability and compliance with GDPR. These include:

  • Documented data protection policies and procedures
  • Data processing records (where applicable)
  • Risk assessments and data protection impact considerations
  • Ongoing review and monitoring of data protection practices

12. Contact Information

For any queries relating to this GDPR Compliance Statement or the processing of personal data, data subjects may contact:

Email: info@aureninstitute.com
Registered Address: 92, No. 1, St Edward Street, Qormi QRM 2136, Malta


13. Continuous Compliance

The Institute adopts a continuous improvement approach to data protection, ensuring that policies, systems, and practices are regularly reviewed and updated in response to regulatory developments, technological changes, and operational requirements.


Conclusion

Auren Institute recognises that the protection of personal data is a fundamental obligation and a critical component of organisational integrity. Through structured governance, robust controls, and a commitment to best practice, the Institute ensures that personal data is managed responsibly, securely, and in full compliance with applicable data protection legislation.

If there are any questions regarding this policy, you may contact us at info@aureninstitute.com.