Privacy Notice

Effective Date: 23 January 2026

Disclaimer

This Privacy Notice is provided in both English and Bahasa Malaysia. In the event of any inconsistency or discrepancy between the English and Bahasa Malaysia versions, the English version shall prevail.

Preamble

This Privacy Notice sets out how Metropolitan College (“the College”, “we”, “our”, or “us”) collects, processes, uses, discloses, and protects personal data in accordance with the Personal Data Protection Act 2010 (PDPA) and the Personal Data Protection (Amendment) Act 2024.

The College is committed to maintaining the confidentiality, integrity, and security of personal data obtained in the course of providing educational, academic, administrative, and related services.

 

Part 1: Interpretation

Personal Data
Any information relating directly or indirectly to an identifiable individual.

Sensitive Personal Data
Includes, but is not limited to, biometric data, health information, religious beliefs, political opinions, and criminal records.

Data Controller
Metropolitan College, which determines the purposes and means of processing personal data.

 

Part 2: Categories of Personal Data Collected

The College may collect and process the following categories of personal data:

• Identity Data: Name, NRIC/passport number, date of birth
• Contact Data: Email address, telephone number, residential address
• Academic Data: Educational background, enrolment details, academic records
• Employment Data: Employment history (where applicable)
• Financial Data: Payment details, billing and transaction information
• Biometric Data: Facial images, fingerprints (where required and permitted by law)
• Technical Data: IP address, browser type, device identifiers
• Other Information: Any data voluntarily provided through applications, forms, or correspondence

 

Part 3: Purpose of Processing

Personal data is processed for the following purposes:

• To process student admissions, enrolments, and academic administration
• To provide educational programmes, student services, and support
• To communicate academic, administrative, and operational information
• To process payments, fees, and financial transactions
• To comply with legal, regulatory, and accreditation requirements
• For marketing, events, and promotional communications (with consent)
• For internal record-keeping, audits, analytics, and service improvement

 

Part 4: Source of Personal Data

Personal data may be collected from:

• Direct interactions (online forms, applications, emails, phone calls, website usage)
• Third parties (parent companies, partners, regulatory bodies, service providers)
• Automated technologies (cookies and tracking tools on the website)

 

Part 5: Disclosure of Personal Data

The College may disclose personal data to:

• Subsidiaries, affiliated entities and business partners.
• Service providers (IT systems, payment processors, academic platforms, marketing services)
• Professional advisors and auditors
• Government, regulatory, or law enforcement authorities (where required by law)
• Overseas recipients with adequate data protection safeguards

 

Part 6: Cross-Border Transfers

Personal data may be transferred outside Malaysia only where:

• The receiving country has adequate data protection laws; or
• Appropriate contractual or organisational safeguards are in place to protect the data

 

Part 7: Data Subject Rights

Under the PDPA, individuals have the right to:

• Access and correct their personal data
• Withdraw consent at any time
• Request deletion of personal data (subject to legal obligations)
• Object to processing for direct marketing or where it causes distress
• Request data portability, where technically feasible
•  

Requests may be submitted to the College’s Data Protection Officer (DPO).

Upon receiving a valid request, the College will respond within 30 business days, which may include:

• Deleting personal data where legally permissible
• Providing a copy of personal data in a structured and accessible format

 

Part 8: Security Measures

The College implements appropriate technical and organisational measures to protect personal data, including:

• Encryption and secure data storage
• Access control and authentication mechanisms
• Regular security reviews and staff training

 

Part 9: Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable laws. Data that is no longer required will be securely deleted or anonymised.

 

Part 10: Data Breach Notification

In the event of a personal data breach that may result in significant harm, the College will notify:

• The Personal Data Protection Commissioner (within 72 hours), and
• Affected individuals as soon as practicable

 

Part 11: Consequences of Not Providing Personal Data

Failure to provide required personal data may result in:

• Inability to process applications or enrolments
• Inability to provide educational or administrative services
• Non-compliance with legal or regulatory obligations

 

Part 12: Cookies and Tracking Technologies

The College’s website uses cookies and similar technologies to enhance user experience and website functionality. Users may manage cookie preferences through their browser settings.

 

Part 13: Appointment of Data Protection Officer (DPO)

The College has appointed a Data Protection Officer to oversee compliance with data protection laws. Email: dpo@metro.edu.my

 

Part 14: Updates to This Privacy Notice

This Privacy Notice may be updated from time to time to reflect changes in legislation, technology, or institutional practices. Updates will be published on the College’s website with a revised effective date.

 

Part 15: Contact Information

Metropolitan College (Formerly known as Metropoint College)

Owned by Metropoint College Sdn Bhd

Email: info@metro.edu.my
Phone: 07-2217501
Website: metro.edu.my
Address: 28-01, City Square, Jalan Wong Ah Fook, 80000 Johor Bahru, Johor, Malaysia