CUSTOMER ACCESS REQUEST POLICY

Purpose

This document sets out our policy for responding to Customer access requests under the GDPR (General Data Protection Regulation). This document explains the rights of the data Customer in relation to a data Customer access request and Cornerstone Performance’s responsibilities when dealing with that request.

Individual Rights

An individual has the right to know what information is held about them. The GDPR provides a framework to ensure that personal information is handled properly. This information must be:

1. Processed fairly, lawfully and in a transparent manner
2. Processed for specific, legitimate and lawful purposes

• Adequate, relevant and not excessive

1. Accurate and up to date
2. Not kept for longer than necessary
3. Processed in line with an individual’s rights

• Secure
• Not transferred other than in accordance with agreed terms and conditions

Cornerstone Performance’s policy on providing information

Cornerstone Performance is committed to meeting all reasonable requests for access in accordance with GDPR, whilst protecting Cornerstone Performance’s intellectual property and respecting the ethos of honest, confidential feedback which forms part of Cornerstone Performance’s reputation.

How do you make a Customer access request?

A Customer access request is a written request for personal information held about you by Cornerstone Performance. You have the right to see what personal information we hold about you. You are entitled to be given confirmation as to whether we hold or process your personal information, and if so you are entitled to access all your personal information as well as details of:

1. The purposes for which we process your personal data;
2. The categories of your personal data we process;

• The recipients, or categories or recipient to whom personal data has been or will be disclosed, in particular recipients in third countries or who are international organizations;

1. How long we expect to store your data;
2. Where you did not give us the personal data, the source from which we collected the personal data; and
3. Whether we use any automated decision making in relation to the processing of your personal data.

You are entitled to have any mistakes in your personal data rectified, and to have the data deleted if you would no longer like us to store or process your personal data, or to request the restriction of our processing of your personal data.

If you are not satisfied with how we have stored or processed your personal data, you have a right to lodge a complaint with us, by contacting us.

What is personal information?

Personal data is information which relates to an individual or refers to the individual. Data refers to an individual if that individual can be identified such as by using their name, identification number, location data or factors specific to the individual such as physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

What do we do when we receive a Customer access request?

Verifying your identity – if we have cause to doubt your identity, we will ask for information to verify it. For example, we may ask you for a piece of information held in your records that you might reasonably be expected to know. We cannot disclose personal information to anyone other than the individual in question.

Collating information – we will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party.

Third parties – before sharing information that relates to third parties, we will, where possible, anonymize or edit the information that might affect another party’s privacy. We may also summarize information rather than provide a copy of the whole document. The GDPR requires us to provide information, not documents.

Our response to the requestor

Once any queries around the information requested have been resolved, copies of the information will be sent to you electronically wherever possible or, if this is not technically possible, by post.

Do we charge a fee?

No, we do not charge a fee for fair request of your data. We will provide a copy of the information to you at no charge in compliance with the GDPR rules. However, If your data Customer access requests are excessive or manifestly unfounded we may charge a reasonable fee to cover the administrative costs involved in dealing with your request. In extreme circumstances, we reserve the right to refuse your requests.

What is the timeframe for responding to Customer access requests?

Upon receiving a customer request, we have sixty (60) days starting from when we received the information necessary to identify you, to identify the information you requested, and provide you with the information (or explain why we were unable to provide the information) in compliance with the GDPR rules. Wherever possible, we will aim to complete the request in advance of the deadline.