Privacy and Data Processing Policy

This Policy outlines our procedures for handling Personal Data. It is subject to periodic amendments or updates, so please review it regularly for any changes. As a provider of Executive Search, Coaching, Leadership, and Board Services, Cornerstone’s operations are grounded in trust, confidentiality, and privacy principles. Beyond mere compliance, we adhere to the Values and Principles outlined by the Association of Executive Search Consultants, accessible at https://www.aesc.org/about-us/our-standards. At Cornerstone, we prioritize the protection of your privacy. Recognizing the significance of safeguarding personal data, we uphold our responsibility to our clients, candidates, and all Cornerstone International Group member offices. We are dedicated to ensuring that all personal data handled within Cornerstone remains secure, private, and protected, establishing a foundation for compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

Collection of Personal Data: We gather or receive Personal Data through various channels, including:

●  Data provided directly to us includes information you provide when contacting us, requesting to be added to our candidate database, or submitting a job application. It encompasses interactions via email, phone calls, business card exchanges, or other communication methods.
●  In-person interactions: Personal Data may be gathered during face-to-face meetings, conferences, visits by sales representatives, or events we participate in.
●  Collaborations: Personal Data may be exchanged when engaging in research or consultancy projects with us.
●  Collaborations: Personal Data may be exchanged when engaging in research or consultancy projects with us.
●  Relationship data: Personal Data is collected as part of our ongoing relationship with you, such as when providing services to you or your employer.
●  Publicly shared data: We collect Personal Data that you choose to share publicly, including through social media platforms.
●  App-related information: Personal Data is collected when downloading or utilizing any of our Apps.
●  Site-related information: Personal Data is gathered when visiting our Sites or utilizing features available on or through them.
●  Registration particulars: When registering to use any of our Sites, Apps, or services, Personal Data is obtained.

We handle various categories of Personal Data, including your personal information (e.g., name), demographic details (e.g., age), contact information (e.g., address), consent records, purchase and payment details, site and app usage information, details about your employer (if applicable), interactions with our content or advertising, as well as any feedback or opinions you share with us.

Here’s a breakdown of the types of Personal Data we process about you:

● Personal details include your given name(s), preferred name, and photograph.

● Demographic information: Gender, date of birth/age, nationality, salutation, title, and language preferences.

● Contact details: Address, phone number, email address, details of Personal Assistants (if applicable), messenger app details, online messaging details, and social media details.

● Expertise: Records of your professional history, qualifications, experience, participation in professional events, language abilities, and other relevant skills.

● Consent records: Details of any consent you’ve given, including the date, means of consent, and related information.

●  Purchase details: Records of service purchases and prices.

●  Payment details: Invoice records, billing address, payment method, bank account or credit card details, and related information.

● Data related to our Sites and Apps: Device type, operating system, browser type and settings, IP address, language settings, usage statistics, location data, and technical communication information.

● Employer details: Information about your employer if you interact with us professionally.

● Views and opinions: Any feedback or opinions you provide to us, whether sent directly or posted publicly on social media platforms.

We do not seek to collect or otherwise Process Sensitive Personal Data in the ordinary course of our business. Where it becomes necessary to Process your Sensitive Personal Data for any reason, we rely on one of the following legal bases:

●  Background checks: We, or a third party service provider acting on our behalf, or on behalf of one of our clients, may Process your Sensitive Personal Data where the Processing is required for the purposes of background checks in the context of executive search services;
●  Compliance with applicable law: We may Process your Sensitive Personal Data where the Processing is required or permitted by applicable law (e.g., to comply with our diversity reporting obligations);
●  Detection and prevention of crime: We may Process your Sensitive Personal Data where the Processing is necessary for the detection or prevention of crime (e.g., the prevention of fraud);
●  Establishment, exercise or defense of legal claims: We may Process your Sensitive Personal Data where the Processing is necessary for the establishment, exercise or defense of legal claims; or
●  Consent: We may Process your Sensitive Personal Data where we have, in accordance with applicable law, obtained your express consent prior to Processing your Sensitive Personal Data (this legal basis is only used in relation to Processing that is entirely voluntary – it is not used for Processing that is necessary or obligatory in any way).

If you provide Sensitive Personal Data to us, you must ensure that it is lawful for you to disclose such data to us, and you must ensure a valid legal basis applies to the Processing of those Sensitive Personal Data.

We utilize Personal Data for the following purposes:

●  Providing our Sites, Apps, and services to you
●  Operating our business effectively
●  Communication with you
●  Managing our IT systems
●  Ensuring health and safety standards
●  Financial management activities
● Conducting surveys for feedback
● Ensuring the security of our premises and systems
●  Conducting necessary investigations
●  Compliance with applicable laws
●  Enhancing the functionality of our Sites, Apps, and services
●  Establishment, exercise, and defense of legal claims
●  Handling recruitment and job applications

The purposes for which we Process Personal Data, by applicable law, and the legal bases on which we conduct such Processing are as follows:

Executive Search / Board Search

Our Services Include:

●   Maintaining and managing a candidate database
●   Conducting executive and board searches and assessments
●   Presenting candidates to clients for specific mandates
●   Administering tests such as psychometric assessments
●   Providing leadership consulting services, including personal coaching
●   Conducting statistical analysis
●   Offering career advisory services
●   Fulfilling other requests, you may have from time to time

Legal Basis:

●  We have a legitimate interest in conducting these activities to provide executive search services, provided such interest does not override your fundamental rights or freedoms.
●  Where applicable, we obtain your prior consent for voluntary Processing, excluding obligations.

Leadership Assessment / Coaching

Our Services Encompass:

●   Arranging and conducting leadership consulting exercises
●   Administering tests, including psychometric assessments
●   Providing board and executive search and assessment services
●   Offering leadership consulting services
●   Conducting statistical analysis
●   Providing career advisory and coaching services
●   Meeting other requests, you may have from time to time

Legal Basis:

●   We have a legitimate interest in conducting these activities to provide leadership consulting services, provided such interest does not override your fundamental rights or freedoms.
●   In specific cases, we seek your prior consent for background searches.

Our Recruitment Process Involves:

●  Recruitment activities
●  Advertising positions
●  Conducting interviews
●  Analyzing suitability for the relevant position
●  Maintaining records of hiring decisions
●  Providing offer details
●  Recording acceptance details

Legal Basis:

● The Processing is necessary to comply with legal obligations, particularly concerning employment law.
● We have a legitimate interest in conducting these activities to facilitate recruitment and manage job applications, provided such interest does not infringe upon your fundamental rights or freedoms.
● In cases of voluntary Processing, we obtain your prior consent, excluding obligations.

We undertake the operation and management of our Sites, Apps, and services, which includes:

● Providing content to you
● Displaying advertising and other relevant information

● Communicating and engaging with you through our Sites, Apps, or services

● Notifying you of any changes to our Sites, Apps, or services

Legal Basis:

● Processing is necessary to fulfill any contractual obligations with you or take steps before entering into a contract with you.
● We have a legitimate interest in conducting these activities to provide our Sites, Apps, or services to you, provided such interest does not infringe upon your fundamental rights or freedoms.

● In cases of voluntary Processing, we obtain your prior consent, excluding obligations.

We engage in communication and marketing activities by:

● Contacting you through various channels such as email, telephone, text message, social media, post, or in-person to provide news and information tailored to your interests is always subject to obtaining your prior opt-in consent as required by law. This ensures you have complete control over how we communicate, empowering you to decide what information you receive and through which channels. You are personalizing our Sites, products, and services to enhance your experience.

● We are maintaining and updating your contact information as needed.

● We are obtaining your prior opt-in consent where required.

● You are facilitating and documenting your choice to opt out or unsubscribe, where applicable.

Legal Basis:

● Processing is necessary to fulfill contractual obligations or to take steps before entering into a contract with you.

● We have a legitimate interest in conducting these activities to communicate with you, while ensuring compliance with applicable laws and regulations, provided such interest does not infringe upon your fundamental rights or freedoms. This reassures you that our data processing practices are legal and designed to protect your rights and freedoms, fostering a sense of security and trust in our services. In cases of voluntary Processing, we obtain your prior consent, excluding obligations.

Management and Operation of Systems:

We oversee and operate our communications, IT, and security systems, which include:

● Maintaining and managing these systems to ensure their efficiency and functionality
● Conducting audits, including security audits, and monitoring these systems for performance and security purposes

Legal Basis:

● Processing is necessary to fulfill legal obligations.
● We have a legitimate interest in conducting these activities to maintain a secure environment at our premises, provided such interest does not infringe upon your fundamental rights or freedoms.
● Processing is necessary to protect the vital interests of any individual.

Sales, Finance, Corporate Audit, and Vendor Management:

We engage in the following activities:

●  Sales operations
●  Financial management
●  Corporate audits
●  Corporate audits
●  Vendor management

Legal Basis:

●  We have a legitimate interest in conducting these activities to manage and operate the financial aspects of our business, provided such interest does not infringe upon your fundamental rights or freedoms.
●  In cases of voluntary Processing, we obtain your prior consent, excluding obligations.

We disclose Personal Data to various entities for legitimate purposes, including:

● Legal and regulatory authorities
● External advisors
● Processors
● Parties involved in legal proceedings
● Parties involved in investigating, detecting, or preventing criminal offenses
● Purchasers of our business services
● Third-party providers of advertising, plugins, or content used on our Sites or Apps

Additionally, Personal Data may be shared with other entities within the International Cornerstone Group for legitimate business purposes and site or app operations by applicable law.

We also disclose Personal Data to:

● You and your appointed representatives
● Legal and regulatory authorities for compliance reporting
● External professionals such as accountants, auditors, consultants, and lawyers
● Third-party Processors worldwide, subject to contractual confidentiality obligations
● Relevant parties, regulatory bodies, government authorities, law enforcement agencies, or courts for legal claims or criminal investigations
● Third-party acquirers or successors in the event of business transfers or reorganizations
● Third-party providers of advertising, plugins, or content used on our Sites or Apps, with your consent.

When engaging third-party Processors, they are contractually bound to follow our instructions and protect the confidentiality and security of Personal Data, as required by law.

We transfer Personal Data to recipients in other countries, particularly from the European Economic Area (EEA) to recipients outside the EEA. When transferring Personal Data from the EEA to a non-EEA recipient in a jurisdiction without adequate data protection measures, we use Standard Contractual Clauses to ensure protection.

Due to the global nature of our operations, Personal Data is transferred within the Cornerstone International Group and to third parties as outlined in Section (G) of this Policy. This means personal data may be transferred to countries with laws and data protection standards different from those in your location.

If exemptions or derogations apply, such as for legal claims, we may rely on them accordingly. However, Standard Contractual Clauses are used if no exemptions or derogations apply and Personal Data is transferred from the EEA to non-EEA recipients without adequate protections. You have the right to request a copy of our Standard Contractual Clauses.

Please note that if you transfer Personal Data directly to a Cornerstone entity outside the EEA, we want to make it clear that we are not responsible for that transfer. However, we will process your Personal Data in accordance with this Policy once we receive it, ensuring its protection.

We have implemented robust technical and organizational security measures to safeguard your personal data. We are committed to ensuring that any Personal Data you transmit to us is sent securely.

These security measures are designed to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful or unauthorized forms of Processing in compliance with applicable law.

However, it’s important to note that the Internet is an open system; therefore, the transmission of information via the Internet is not entirely secure. While we take all reasonable precautions to protect your Personal Data, we cannot guarantee the security of data transmitted over the Internet. Any transmission of Personal Data is done at your own risk, and you are responsible for ensuring that such data are sent securely.

We take every reasonable step to maintain the accuracy and currency of your Personal Data, promptly correcting any inaccuracies that may arise.

Specifically, we ensure that:

● Your Personal Data processed by us are accurate and, if necessary, regularly updated.

● We promptly correct or erase any inaccurate Personal Data processed by us, considering the purposes for which they are processed.

Periodically, we request your confirmation regarding the accuracy of your Personal Data.

We take every reasonable step to limit the volume of your Personal Data that we Process to what is necessary.

Specifically, we ensure that the Personal Data we process is limited to what is reasonably required for the purposes outlined in this Policy.

We take all reasonable measures to ensure that your Personal Data is retained only for as long as necessary for lawful purposes.

To determine the duration of retention, we consider the following criteria:

1. We retain Personal Data as long as we maintain an ongoing relationship with you or as necessary for the lawful purposes outlined in this Policy.

2. We also consider any applicable limitation periods under the law and an additional two-month period after that to address any potential legal claims that may arise after the limitation period. In the event of legal claims, we may continue to process Personal Data for additional periods as required.

During the retention periods mentioned above, we limit the processing of your data to storage and security maintenance, except when necessary for legal claims or compliance with the law.

Upon conclusion of the retention periods, we either permanently delete or destroy the relevant Personal Data or anonymize it.

Under applicable law, you may have several rights regarding the processing of your Personal Data, including:

● You have the right to choose not to provide us with your Personal Data. However, please note that this may affect our ability to provide you with the full benefits of our Sites, Apps, or services.
● The right to access your Relevant Personal Data and request information about its nature, processing, and disclosure.
● The right to request the correction of any inaccuracies in your Relevant Personal Data.
● The right to request the erasure or restriction of processing of your Relevant Personal Data on legitimate grounds.
● The right to have certain Relevant Personal Data transferred to another controller, where applicable.
● If we process your relevant personal data based on your consent, we have the right to withdraw that consent.
● The right to lodge complaints with a Data Protection Authority.

Additionally, subject to applicable law, you may have the right to:

● Object to processing your Relevant Personal Data based on public interest or legitimate interests or for direct marketing purposes.

To exercise or inquire about these rights, please use the contact details provided in Section (R) below. Please note:

● You may need to provide evidence of your identity to exercise these rights.
● We will reasonably investigate your request before taking any action, especially if it requires establishing additional facts regarding compliance with applicable law.

We process Personal Data through the use of Cookies and similar technologies. When you visit one of our Sites or use an App, we may place Cookies on your device or access Cookies already stored on your device, subject to obtaining your consent where required by applicable law. Cookies gather information about your device, browser, and, sometimes, your preferences and browsing behavior. We process personal data collected via cookies and similar technologies using the same policy as this document.

More information on all aspects of cookies can be found on www.allaboutcookies.org. Please note that Cornerstone International Group has no affiliation with, and is not responsible for, this third-party website

We process Personal Data to contact you through various channels such as email, telephone, direct mail, or other communication formats, providing information about our Sites, Apps, or services that may interest you. Additionally, we tailor content to your usage of our Sites, Apps, or services. Using the contact details you’ve provided or other appropriate means, we may send you information about upcoming promotions and other relevant updates, always subject to obtaining your prior opt-in consent as required by applicable law.

You can unsubscribe from our promotional email list at any time by clicking the unsubscribe link in the promotional emails we send or by requesting to unsubscribe via email to info@cornerstone-group.com. Please note that processing your unsubscribe request may take up to 3 weeks, during which you may still receive communications from us. However, after unsubscribing, we will cease sending further promotional emails, though, in certain circumstances, we may still contact you regarding any Sites, Apps, or services you’ve requested.

There are several Cornerstone entities that act as Controllers for this Policy. For this Policy, the relevant controllers are Cornerstone Member Firms, with contact details available at www.cornerstone-group.com . Alternatively, you may contact us by emailing info@cornerstone-group.com.

Definitions

● “App” refers to any application we make available, including those distributed via third-party stores or marketplaces.

● “Adequate Jurisdiction” denotes a jurisdiction officially designated by the European Commission as providing adequate protection for Personal Data.
● “Cookie” signifies a small file placed on your device when visiting a website, including our Sites. This term encompasses similar technologies like web beacons and clear GIFs.

● “Controller” refers to the entity determining how and why Personal Data are Processed, with primary responsibility for complying with data protection laws in many jurisdictions.

● “Data Protection Authority” is an independent public authority overseeing compliance with data protection laws.

● “EEA” stands for the European Economic Area.

● “GDPR” denotes the General Data Protection Regulation (EU) 2016/679.

● “Personal Data” includes information about any individual, directly or indirectly identifiable, such as a name, identification number, or other specific factors.

● “Process,” “Processing,” or “Processed” covers any action taken with Personal Data, whether automated or not, including collection, storage, use, disclosure, and deletion.

● “Processor” refers to any person or entity Processing Personal Data on behalf of the Controller.

● “Relevant Personal Data” denotes Personal Data for which we are the Controller.

● “Sensitive Personal Data” includes information about race or ethnicity, political opinions, religious beliefs, health, and other sensitive categories.

● “Standard Contractual Clauses” refers to template transfer clauses approved by the European Commission or a Data Protection Authority.

● “Site” encompasses any website operated by us or on our behalf.