1. Introduction
This notice (together with our terms of use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read it carefully to understand how we will treat your personal data.
For the purpose of the General Data Protection Regulation (the "GDPR"), CDP Worldwide and CDP Operations Limited of Level 3, 71 Queen Victoria Street, London, EC4V 4AY act as joint data controllers. We are committed to protecting and respecting your privacy.
2. Personal data we may collect from you
We may collect and process the following personal data about you:
(a) your name, job title and professional contact details (phone number, email and office address);
(b) information that you provide by filling in forms on our sites www.cdp.net and www.cdsb.net (together our "site"). This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services. We may also ask you for information when you report a problem with our site;
(c) if applicable, personal data you provide in 'Matchmaker' project intake forms (in respect of city projects seeking finance);
(d) if you contact us, we may keep a record of that correspondence; and
(e) details of your visits to our site and the resources you access.
3. Personal data we may collect from other sources
We may collect and process personal data from external sources including:
(a) publicly available sources such as Google;
(b) companies within the CDP group and CDP North America, Inc. (an independent affiliate); and
(c) third parties including our partners, investor signatories and supply chain members.
4. How we store your personal data
We take appropriate measures to ensure that your personal data is kept secure, including preventing it from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a legitimate business need to view it.
Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means.
5. Where we store your personal data
We predominantly store personal data in our Customer Relationship Management system which is based in the UK, but your personal data may be transferred or stored in countries within the European Economic Area ("EEA") which have the same data protection laws as the United Kingdom.
Countries outside the EEA may have different data protection laws to the United Kingdom your personal data will only be transferred or stored outside the EEA where we have a contract in place which gives your personal data protection equivalent to that within the EEA. In this way we make your personal data accessible to staff working for any company within the CDP group (including in Germany, Brazil, China, Hong Kong, India and Japan) and CDP North America, Inc, and to select third-party service providers for the uses described in this notice. We will not otherwise transfer your personal data outside the EEA.
6. Uses made of your personal data
We rely on our legitimate interests (or those of a third party) as the lawful basis for collecting and using your personal data. Our legitimate interests relate to our mission as an international not for profit organisation in focusing investors, companies and cities on taking urgent action to build a truly sustainable economy.
We use information held about you in the following ways:
(a) to ensure that content from our site is presented in the most effective manner for you and for your computer;
(b) to provide you with information, products or services that you request from us or which we feel may interest you, unless you have requested that you are not contacted for such purposes;
(c) to carry out our obligations arising from any contracts entered into between you and us;
(d) to allow you to participate in interactive features of our service, when you choose to do so; and
(e) to notify you about changes to our service.
7. Disclosure of your personal data
We may disclose your personal data to:
(a) any member of the CDP group and to CDP North America, Inc.;
(b) organisations that receive responses to our information requests including our investor signatories and supply chain members;
(c) organisations that receive the personal data provided in 'Matchmaker' project intake forms (in respect of city projects seeking finance) including investors, project developers, engineering firms and non-profit organisations;
(d) third parties, including our partners, and other organisations that are aligned with our mission;
(e) our external third-party service providers;
(f) if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of CDP, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
8. How long we keep your personal data
We will hold your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period we consider the amount, the nature and sensitivity of the personal data, the potential risks of harm from unauthorised use or disclosure, the purposes and whether we can achieve those purposes by other means. We will delete it if we identify it as no longer being needed or if you send us a written request to do so.
9. Your rights
Under the GDPR you have several important rights. In summary, these include rights to:
(a) access your personal data;
(b) require us to correct any mistakes in your information which we hold;
(c) request the erasure of personal data concerning you in certain situations;
(d) request the data to be transferred to a third party in certain situations;
(e) object at any time to processing of personal data concerning you for direct marketing;
(f) object in certain other situations to our continued processing of your personal data;
(g) otherwise restrict our processing of your personal data in certain circumstances; and
(h) claim compensation for damages caused by our breach of any data protection laws.
For further information on these rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner's Office (ICO) on individual rights under the GDPR.
If you would like to exercise any of the above rights, please contact us using our contact details below, providing enough information to identify you including proof of your identity and address and letting us know the information to which your request relates.
10. How to complain
We hope that we can resolve any query or concern you raise about our use of your personal data.
The GDPR also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at ico.org.uk/concerns or telephone: 0303 123 1113.
11. Changes to our privacy notice
Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail.
12. Contact
Questions and requests regarding this privacy notice should be addressed to [email protected].