Processing, Personal Data and Data Subjects statement

We process personal data in accordance with GDPR, DPA and PECR

Written by Dom Yeadon
Updated over a week ago

Dated: 1 May 2020

Data Harvesting processes data in accordance with the relevant legislation, including the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR).

This is our Processing, Personal Data and Data Subjects statement.


The subject matter of the data processing is the execution of the following services by Data Harvesting as the Data Processor: online recruitment services provided to authorised users to support them in carrying out their duties to engage with and recruit individuals who may wish to study at the university. This works as follows:

The university is the Data Controller and uses Data Harvesting’s online software solution ‘Student CRM’ as Software as a Service (SaaS).

Data Harvesting provides its SaaS solution to educational establishments for recruiting students to university via enquiries, events, applications, interviews, both directly and via approved third parties, such as agents or partners.


The data shall be processed for as long as Data Harvesting is commercially engaged to provide Student CRM as a service to the university.


The Student CRM solution provides the university’s users with tools to carry out processing of the personal data of students and others by automated and manual execution, including the instruction of Data Harvesting to process data on the university’s behalf.

Such processing includes:

  • data capture in web forms

  • storing, amending and deleting parts of or all of that data in the solution

  • storing uploaded documents

  • downloading

  • transmitting data to authorised third parties such as mailing houses for fulfilment, or to agents for application management

  • booking and recording attendance at events

  • broadcasting of messages via email, SMS and other channels

  • reporting and planning


The purpose is to recruit new students each year to study at the university.


Personal data includes:

  • data capture in web forms

  • name

  • address

  • nationality

  • domicile

  • email

  • telephone

  • DOB

  • previous qualifications

  • education history

  • health

  • gender

  • criminal convictions

  • personal enquiries


  • Students

Primarily, the Personal Data processed in Student CRM relates to Data Subjects who have enquired about studying at the university, have applied to study at the university, are currently studying at the university, or previously studied at the university.

Additionally the following other categories of personal data may be processed:

  • Agents

  • Alumni

  • Apprentices

  • Business contacts

  • Employees

  • Enquirers

  • Parents

  • Partners

  • School students

  • Siblings

  • Student Ambassadors

  • Teachers

  • Users

  • Visitors


When the university (as Data Controller) instructs Data Harvesting (as Data Processor) to permanently delete/destroy their data stored in the system, we follow our Exit Plan. This ensures that the correct data is identified for deletion/destruction and can’t be recovered afterwards.

Only the university’s data is affected, that is, the tenant-specific data (i.e. students, users, courses, branding, settings, documents, etc. for the university). Logical separation is maintained by use of discriminator IDs, strict coding standards and encapsulated data access control code, and these same measures enforce logical separation during the deletion/destruction process.

The Exit Plan covers the following items:

PURPOSE OF THIS PLAN - The purpose of this Exit Management Plan is to describe to both Customer and Supplier the procedure and process that will be followed in the event of a completed and receipted Notice of Services Termination. A Notice of Services Termination can be served by either Customer or Supplier.

DEFINITIONS - Definition of terms in the agreement.

DURATION - Broad time frame from trigger (i.e. notice given, etc.) to completion.

ASSETS - Names and descriptions of the five data assets involved.

EXIT PROCESSES - Commenced following receipted Notice of Services Termination.

STAKEHOLDERS - Both parties complete names, contact details, and roles in the project.

TIMINGS - Both parties agree the timings of seven milestones.

RESTRICT SYSTEM ACCESS - This ensures that no changes are made to the data stored in the Supplier’s systems. Five process steps to follow.

ASSET TRANSFER PROCESSES - This ensures that assets in the Supplier’s system are transferred to the Customer. Five process steps to follow.

SERVICE CLOSEDOWN PROCESSES - After the service closedown the client will no longer have access to the DH team for Customer service, support, project management or account management. Six process steps to follow.

EXIT PLAN UPDATES - Weekly progress email communications from Supplier to Customer, reporting on progress against the Exit Plan.

RISKS - Register of risk, impact and mitigation.

For more information: please contact
