Privacy Policy


The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in recent history, replacing that of the 1995 EU Data Protection Directive (European Directive 95/46/EC). It aims to support the rights individuals have on data about themselves which is collected and stored. It also aims to detect, identify and mitigate against data breaches or leaks for all companies in the EU, as well as enforcing the reporting on these issues. This aims to create one uniform policy across the EU regardless of whether the UK is part of the European Union. Any business that deals with EU nationals and business alongside their data must comply with the legislation.

In line with the upcoming changes to European Union data protection law, we updated our privacy policy effective May 25th, 2018. These changes include explaining to you in more detail how we use your information, including your choices, rights, and controls. Your use from that day on will be subject to the new privacy policy.

Cornell Partnership aims to comply with the applicable GDPR regulations as a data processor and controller. Working alongside its employees, clients, candidates and suppliers, it will comply with the GDPR legislation when it takes effect on May 25th.

Cornell Partnership uses Third Party suppliers and software to process, control and manage data. These systems have been audited in line with GDPR commitments and outlined below. In the context of this statement, ‘data subject’ refers to the person or entity submitting data and can include employees, candidates, clients, and other individuals or organisations that Cornell Partnership works with.

Data Collection

Cornell Partnership headhunts and act as third party HR partner for our mandates via a variety of channels, most notably through mapping the market via meetings with our network and by publicly available sources to establish the internal structure within organisations. Data collection and processing is necessary for the performance of the recruitment process with the data subject. The terms that a data subject enters correspond to Cornell Partnership’s terms & conditions, which are made available to them on our website and upon request. By submitting data, the data subject agrees that this data can be processed and stored. We would obtain consent to process and store personal data including but not limited to; name, professional experience, education history, resume, salary information and contact information. This data is necessary to ensure the data subject is suitable for engagements including but not limited to; mandates Cornell Partnership executes and business opportunities with Cornell Partnership. Cornell Partnership reserve the right to contact data subjects who have submitted this data both upon submission and in the future to ensure data is accurate.

Data Retention

Cornell Partnership would keep data on file for a period of 7 years unless otherwise stipulated. Data would be hard erased after this time unless the data subject requests otherwise. Data subjects have the right to request personal data on themselves in a portable format. Data subjects must request their data in writing, by email or letter, stipulating what data they would like to access. The data request would be processed within 7 days. We would send confirmation of this either by email or letter (whichever is most appropriate). If data has been deleted, erased or otherwise irretrievable the subject will also be informed of this.

Data Deletion

Cornell Partnership aims to keep data on file for a period of 7 years unless otherwise stipulated. Data would be hard erased after this time unless the subject of the data requests otherwise. Subjects of data have the right to be forgotten and erased from records upon request. Data subjects must make such requests in writing, by email or letter, stipulating what data they would like erased. The data request would be processed within 7 days. We would send confirmation of this either by email or letter.

Data Portability

GDPR pertains to certain requirements on data controllers for the portability of personal data. The data stored on our database is controlled by the Company. Cornell Partnership permit the portability of data on mobile devices such as mobiles or laptops, as well as advocating home working, under restriction and/or limitations. This is also for the benefit of data subjects. Access to this data can be terminated or limited as and when necessary to prevent data breaches or leaks. Every reasonable step is taken to ensure that Cornell Partnership data accessed outside of our network is secure.

Reporting Data Breaches

As per the GDPR guidelines we would analyse any suspected data breach and report it within 72 hours of becoming aware of the breach. Unless the breach itself is considered low risk, breaches would be reported to the top authorities, which would be the ICO (Information Commissioner’s Office). Once a data breach or leak has been detected then it would be reported to this authority. A data break or leak includes but is not limited to; a lost USB stick, loss or theft of portable devices, or data sent to the wrong person. We have processes and policies in place to avoid any potential data breaches. We train all of our staff on the importance of data security and what their responsibilities are with safeguarding data that Cornell processes.

Internal Policies for GDPR

Cornell Partnership execute a stringent security and access policy for employees that safeguards data and protects the integrity of data. Cornell Partnership also ensures this doesn’t impact business functions and data subject or data subject experiences. We have a data security policy, confidentiality policy, password policy and a policy to target Bring Your Own Devices (BYOD). These policies aim to mitigate any instance of data breach or leaks and employees are trained in maintaining data security.

IT policies for GDPR

Cornell Partnership outsource our IT system maintenance and management to a Third-Party. This Third Party supplier is responsible for safeguarding the network and terminals with access to the network. They manage the anti-virus on the machines, encryption and security updates to mitigate against data breaches and leaks. The data this Third Party can access is limited to the minimum needed to complete their role and they are also bound by a data privacy and confidentiality contract. Cornell Partnership are solely responsible for employee accessibility in granting, limiting or terminating accessibility where necessary.

Cornell Partnership’s Database

Cornell Partnership use a secure system for data processing. As a data controller we rely on a compliant database which applies rigorous security standards – our third-party audits are available upon request.

This statement is provided as of May 2018 for informational purposes to explain Cornell Partnership’s stance on GDPR legislation and compliance. It is subject to change or removal without notice.

For any further information or requests please send an email to


By registering your application you have agreed that the information contained in your application may be used by Cornell Partnership to confirm references, verify educational and professional background, and for any other purpose regarding your application and our recruitment requirements. You agree that your personal details may be held, processed and disclosed to third parties, both electronically and manually, by Cornell Partnership or by our subsidiaries and affiliates for purposes which include Cornell Partnership administration and management of its employees, prospective employees and our business and for compliance with applicable procedures, laws and regulations to which Cornell Partnership is subject, and for the purposes of obtaining confidential feedback from you on the recruitment system process for purposes of future system improvement.

Cornell Partnership can confirm that it is registered with the Information Commissioner’s Office, registration number PZ9556664. In terms of the Data Protection Act 1998 you are entitled to a copy of certain personal data held by us on submission of a written request.