HummingbirdCRM and GDPR Compliance

HummingbirdCRM Ltd have standardised policies and procedures that ensure the data we are processing on behalf of our customers is protected. These policies are maintained by using our inherent knowledge of schools and decades of experience in the education industry, as well as our data protection compliance through our ICO registration.
HummingbirdCRM have robust plans and policies that help us achieve our continual GDPR compliance. We:
Controllers, Processors and Personal Data
GDPR requires Data Controllers (organisations using HummingbirdCRM) and Data Processors (suppliers such as HummingbirdCRM) to ensure that processes and technologies meet specified requirements.
Definitions
Personal Data is any type of data that can be used to directly or indirectly identify an individual. Some examples include a name, address, as well as IP address or username.
A Data Controller is a person, company or other entity that determines the purpose and means of processing personal data.
A Data Processor is a person, company or other entity which processes personal data on the data controller's behalf
The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. In this context, the organisation is the data controller.
HummingbirdCRM Ltd is the data processor of the data made available in our software products purchased by the school. We are trusted with this personal data but do not control it.
Controllers, Processors and Personal Data
The information from your organisation is held inside the HummingbirdCRM platform, which is hosted within the United Kingdom. It never leaves the European Economic Area (EEA).
Every effort is made to ensure the data held in HummingbirdCRM is secure and our reputable hosting provider (Microsoft Azure) apply a number of robust techniques to ensure the data is kept safe. Many techniques are used to ensure the data is kept safe and secure at the application level (such as industry standard encryption and firewalls) as well as a plethora of techniques that ensure the data is physically secured in their data centres. You can find out more about Microsoft's procedures in their technical documentation.
Subject Access Requests and The Right to be Forgotten
The right of access (commonly referred to as "subject access") gives an individual the right to obtain a copy of their personal data to help them understand how and why you are using their data. In a product provided by HummingbirdCRM Ltd, we provide a means of authorised individuals to supply this directly. For any assistance concerning a Subject Access Request, please get in touch.
The Right to be Forgotten (also known as the "right to erasure") is a right given to an individual under the GDPR to have their personal data erased upon request. If you require assistance with a right to erasure request that concerns HummingbirdCRM, please get in touch.
Can we help further?
If we can assist you further with GDPR compliance surrounding HummingbirdCRM Ltd, please contact the team so we can help.