PRIVACY NOTICE

1. Introduction
2. Personal data we may collect from you
3. How we store your personal data
4. Where we store your personal data
5. Uses made of your personal data
6. Legal basis for data processing
7. Disclosure of your personal data
8. How long we keep your personal data
9. Joint activities
10. Social media features
11. Your rights
12. How to complain
13. Changes to our privacy notice
14. Contact

1. Introduction

This notice sets out the basis on which any personal data we collect from you or from third parties or other sources, or that you provide to us, will be processed by us. Please read it carefully to understand how we will treat your personal data.

For the purposes of the European Union (EU) General Data Protection Regulation 2016/679 (the “GDPR”) and the UK GDPR (as defined in section 3(10) of the UK’s Data Protection Act 2018), CDP Worldwide, CDP Operations Limited, CDP Europe AISBL, CDP Worldwide (Europe) gGmbH, CDP Europe-Services GmbH, CDP Worldwide-Services GmbH, CDP North America, Inc., CDP Worldwide-Japan, Beijing Carbon Disclosure Project Environmental Consulting Co. Limited, Carbon Disclosure Project India, CDP Operations India Private Limited, Carbon Disclosure Project Latin America and CDP Worldwide (Hong Kong) Limited, (each a company within the “CDP Global System”) each act as data controller/controller and/or as joint controllers as set out in more detail in clause 9 below. In this notice “we”, “our” and “us” means those companies within the CDP Global System acting as a controller in relation to the processing of your personal data. You can find the contact details for each company in Appendix 1.

A ’controller’ is responsible for deciding how we hold and use personal information about you and is required under the GDPR to notify you of the information contained in this privacy notice.

Where we refer in this Notice to ‘GDPR’ this includes the relevant equivalent provisions of the UK GDPR.

Back to top ↑

2. Personal data we may collect from you

We may collect the personal data of data subjects including individuals within the following categories of data subjects:

(i) Officers, employees and other representatives of investors and supply chain members on whose behalf the CDP Global System seeks disclosure from companies;

(ii) Officers, employees and other representatives of companies, cities, states and regions from which the CDP Global System seeks disclosure;

(iii) Officers, employees and other representatives of policymakers, NGOs, grant funders and other companies and organisations that otherwise work with the CDP Global System;

(iv) Officers, employees and other representatives of our suppliers and service providers and their agents, employees and representatives; and

(v) Visitors to our sites.

We may collect and process the following personal data about you:

(a) First and last name;

(b) Company/organisation name and type;

(c) CRM company number;

(d) Office address;

(e) Nationality;

(f) Country of residence;

(g) Function/department;

(h) Work telephone number;

(i) Work email address;

(j) Social media accounts;

(k) Gender;

(l) Photograph;

(m) Biography; and

(n) CDP event attendances,

(o) Information that you provide by contacting us or by filling in forms on our sites www.cdp.net and www.cdsb.net (together our “site”) or our online applications or online tools made available on the site (each a “CDP Online Offering”). This includes information provided at the time of registering to use our site, subscribing to or registering as a user of any of our services on our site, or posting material or requesting further services on our site. We may also ask you for information when you report a problem with our site; if you contact us, we may keep a record of that correspondence;

(p) Information that is automatically sent to us by your web browser or device, such as your IP-address, device type, browser type, referring site, sites accessed during your visit, the date and time of each visitor request;

(q) If applicable, personal data you provide in ‘Matchmaker’ project intake forms (in respect of city projects seeking finance);

(r) Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;

(s) Further information necessarily processed in a project or contractual relationship with CDP or voluntarily provided by you, such as personal data relating to orders placed, payments made, requests, and project milestones; and

(t) Personal data collected from publicly available resources (where our use of such public domain data for that purpose may reasonably be expected) or received from third parties.

Back to top ↑

3. How we store your personal data

We take appropriate measures to ensure that your personal data is kept secure, including preventing it from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a legitimate business need to view it.

Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means.

Back to top ↑

4. Where we store your personal data

We predominantly store personal data in our Customer Relationship Management (“CRM”) system which is based in the UK; we also process and store personal data in countries within the European Economic Area (“EEA”) which have the same data protection laws as the United Kingdom.

Countries outside the UK/EEA may have different data protection laws to the UK/EEA. For certain countries outside the UK/EEA, such as South Korea, the UK/EU have already determined a comparable level of data protection so that data transmission to these countries does not require any special approval or agreement.

To provide for adequate protection your personal data will otherwise only be transferred or stored outside the UK/EEA where we have a contract in place applying (i) for transfers from EU/EEA countries to non-EU/EEA countries the EU Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to Commission Decision 2021/914 of 4 June 2021 (“SCCs”), and (ii) for transfers from the UK to non-UK countries the SCCs amended as may be recommended by the UK Information Commissioner’s Office, which contract gives your personal data protection equivalent to that within the UK/EEA. In this way we make your personal data accessible to staff working for any company within the CDP Global System and to our partner organisations, stakeholders and third-party service providers for the uses described in this notice in the United States of America, Brazil, China, Hong Kong, India, Indonesia, Japan, South Korea, Taiwan and Turkey. We will not otherwise transfer your personal data outside the UK/EEA.

Back to top ↑

5. Uses made of your personal data

We use information held about you in the following ways and in accordance with the legal basis set out in section 6 below:

(a) Disclosure related activities - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

Adding contacts to the CRM system, sending disclosure-related communications to contacts of disclosing and prospective disclosing companies, cities, states, regions and other organisations; entering into contracts with disclosing entities; registering contacts as dashboard / online response system users; communications related to reporter services, setting science-based targets and other such activities.

(b) Investor related activities - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

Adding contacts to the CRM system, targeting new investors (e.g. to become investor signatories or supply chain members), sales of corporate and subnational government reported environmental data and account related activities.

(c) Supply chain member activities - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

Adding contacts to the CRM system, entering into contracts with supply chain members, delivering member benefits, sharing supplier contacts with members, and other communications with members and prospective members.

(d) Communication activities - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

Sending out newsletters, media releases, details of available reports and guidance materials, and updates to organisations; sending invitations to participate in events, campaigns, consultations and initiatives, sending questionnaires and survey forms, organising/hosting events, including using third party platforms for online events and other such activities.

(e) Non-disclosure activities - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

Non-disclosure related processing activities including entering into and performing contracts with third parties including country partners, project partners, accredited solutions providers, and grant funders; sharing personal data under such contracts for the performance of the contract; conduct of online learning courses; seeking donors and grant funders; HR and employee activities; systems administration, account activities, and technical support; on-line activities.

(f) To ensure that content from our site is presented in the most effective manner for you and for your computer; - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

(g) To verify your identity (if you registered for a CDP Online Offering) and to answer and fulfil your specific requests; - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

(h) To communicate with you about products, services and projects of CDP or its partner organisations, e.g. by responding to inquiries or requests; - legal basis; legitimate interests -our legitimate interests relate to our work as an international not for profit organisation in collecting environmental data to help reduce climate change.

(i) To carry out our obligations arising from any contracts entered into between you and us; -legal basis; performance of a contract with you

(j) To provide you with information, products or services provided you have not withdrawn your consent; -legal basis; performance of a contract with you

(k) To ensure compliance with legal obligations (such as record keeping obligations); -legal basis; to fulfil a legal obligation

(l) To solve disputes, enforce our contractual agreements and to establish, exercise or defend legal claims; legal basis- to fulfil a legal obligation.

Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal information where that reason is compatible with the original purpose.

Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.

In some circumstances we may anonymise the personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.

If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

We may also process your personal information without your consent, in accordance with this notice, where we are legally required or permitted to do so.

We do not process your personal data to make any decisions based on exclusively automated processing, including profiling, which has a legal effect with regard to you or which materially adversely affects you in a similar manner.

Back to top ↑

6. Legal basis for data processing

The legal basis for CDP processing data about you is that such processing is necessary for the purposes of:

• CDP exercising its rights and performing its obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);
• Compliance with CDP’s legal obligations (Article 6 (1) (c) GDPR); and/or
• Legitimate interests pursued by CDP provided that those interests do not override any of your own interests, rights and freedoms which require the protection of your personal data. (Article 6 (1) (f) GDPR). Generally, our legitimate interests relate to our mission as an international not for profit organisation in focusing investors, companies and cities on taking urgent action to build a truly sustainable economy and include processing for marketing, business development, statistical and management purposes.

In some cases, we may ask if you consent to the relevant use of your personal data. In such cases we will request such consent from you separately, and the legal basis for our processing that data about you may then (in addition or instead) be that you have consented (Article 6 (1) (a) GDPR). In such cases you have the right to withdraw your consent to processing for such specific purposes. To withdraw a consent, please contact us using the contact details below (section 15). Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Please note that we may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.

Back to top ↑

7. Disclosure of your personal data

We disclose your data only if the legal conditions are fulfilled, in particular Article 6 GDPR. In accordance with these provisions, a transfer is permissible in particular if

• it is necessary for the performance of a contract with you;
• it is necessary to fulfil a legal obligation;
• processing is necessary for the purposes of our legitimate interests;
• you have given your consent.

Sometimes the recipients to whom we transfer your personal data are located in countries in which applicable laws do not offer the same level of data protection as the laws of your home country. In such cases, we take measures to implement appropriate and suitable safeguards for the protection of your personal data as described in section 4 (Where We Process Your Personal Data).

Provided the legal requirements have been met, we may disclose your personal data to:

(a) other companies within the CDP Global System or third parties – e.g. our partner organisations or suppliers - in connection with your use of the CDP Online Offerings or our business relationship with you;

(b) organisations that have contracted with us to receive responses to our questionnaires including our investor signatories and supply chain members;

(c) if you are the representative of a supply chain member, we may disclose your personal data to your suppliers including to facilitate supplier / supply chain member engagement and communications and if you are the representative of a supplier we may disclose your personal data to our supply chain member and investor signatories including to facilitate supplier / supply chain member for engagement and communications;

(d) organisations that receive the personal data provided in ‘Matchmaker’ project intake forms (in respect of city projects seeking finance) including investors, project developers, engineering firms and non-profit organisations;

(e) third parties, including our partner organisations, and other organisations that are aligned with our mission;

(f) our external third-party service providers which process such data only for the purpose of such services. The activities carried out by third-party service providers include: IT and data storage services, professional advisory services, administration services, marketing services and banking services; and

(g) if we are under a duty to disclose or share your personal data to comply with any legal obligation or the requirements of any regulator, or to enforce or apply our contract with you or our terms of use and other agreements; or to protect the rights, property, or safety of CDP, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection, compliance with anti-money laundering requirements, and credit risk reduction.

Back to top ↑

8. How long we keep your personal data

We will hold your personal data for as long as necessary to fulfil the purposes for which we collected it. To determine the appropriate retention period we consider the amount, the nature and sensitivity of the personal data, the potential risks of harm from unauthorised use or disclosure, the purposes, whether we can achieve those purposes by other means. Once the purpose for collecting the personal data has been achieved, the data will be deleted unless the law permits us to continue storing it for specific purposes, including the defence of legal claims.

Back to top ↑

9. Joint activities

Data controllers are joint controllers where your personal data is shared with another controller in the CDP Global System which may include in relation to for any of the following activities (joint activities):

(a) disclosure-related activities to companies, cities states and regions;

(b) marketing, newsletters, and other communication activities;

(c) investor and supply chain member activities;

(d) non-disclosure related activities including contracts with third parties; and

(e) adding and accessing personal data in the CRM system.

As far as non-joint activities are concerned, CDP Worldwide is responsible for the data processing by the CDP Online Offering where that processing is a non-joint activity of CDP Worldwide (data controller in the sense of Article 4 (7) GDPR).

The responsibilities of those companies within the CDP Global System acting as joint controllers in relation to any joint activities are set out in Appendix 2.

Under Article 26 (3) and Article 32 (4) GDPR, each of the joint controllers can be held liable for the entire damage. If one joint controller is held liable, Article 82 (5) GDPR applies.

Back to top ↑

10. Social media features

We use the following social media plug-ins ("plug-ins") on our site:

• Tweet button, powered by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA;
• Share Button on LinkedIn, operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, United States; and
• YouTube Plugin, powered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

The legal basis for the processing is our legitimate Interests.

All plug-ins are indicated with the brand names of the respective providers: Google, Twitter, and LinkedIn ("Provider"). We use the so-called two-click solution. This means that when you visit our site, no personal data is passed on to the providers of the plug-ins. We give you the opportunity to communicate directly with the provider of the plug-in via the plug-in. Only if you click on the marked box and thereby activate it, will the plug-in provider be informed that you have accessed the corresponding website of our online offer.

If you interact with the plug-in, e.g. by playing an embedded YouTube video, the data will be transferred directly from your browser to the Provider and saved by the Provider.

For more information on the purpose and scope of data collection, processing and use, please refer to the privacy statements below:

• Google: https://policies.google.com/privacy?hl=en-US
• Twitter: https://twitter.com/privacy
• LinkedIn: https://www.linkedin.com/legal/privacy-policy

Our cookies policy can be accessed here

Back to top ↑

11. Your rights

Under the GDPR you have several important rights. In summary, these include rights to:

(a) access your personal data;

(b) require us to correct any mistakes in your information which we hold;

(c) request the erasure of personal data concerning you in certain situations;

(d) request the data to be transferred to a third party in certain situations;

(e) object at any time to processing of personal data concerning you for direct marketing;

(f) object in certain other situations to our continued processing of your personal data;

(g) otherwise restrict our processing of your personal data in certain circumstances; and

(h)The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise any of the above rights, please contact us using the contact details below (section 14).

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

It is important that the personal information we hold about you is accurate and current. Should your personal information change, please notify us of any changes of which we need to be made aware by contacting us, using the contact details below (section 15).

Back to top ↑

12. How to complain

We hope that we can resolve any query or concern you raise about our use of your personal data.

The GDPR also gives you the right to lodge a complaint with the competent data protection authority. A list and contact details of local data protection authorities is available here:

https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

For the United Kingdom

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

e-mail: [email protected]
Website: https://ico.org.uk

We would, however, appreciate the chance to deal with your concerns before you approach a data protection authority so please contact us in the first instance.

Back to top ↑

13. Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Back to top ↑

14. Contact

The Parties located outside the territory of the EU/EEA have appointed CDP Worldwide - Services GmbH as their representative in accordance with Art. 27 GDPR.

The Parties located outside the territory of the UK have appointed CDP Worldwide as their representative in accordance with Art. 27 UK GDPR.

Questions and requests regarding this privacy notice should be addressed to

Outside European Union (or EEA): [email protected] or

European Union (or EEA): [email protected]

Back to top ↑

APPENDIX 1

Controllers:

CDP Worldwide, 4th Floor, 60 Great Tower Street, London EC3R 5AZ, UK

CDP Operations Limited, 4th Floor, 60 Great Tower Street, London EC3R 5AZ, UK;

CDP Worldwide – Services GmbH, WeWork, Potsdamer Platz -Kemperplatz 1, 10785 Berlin, Germany;

CDP Worldwide - Japan, GINZA ISHII Building, 5F 6-14-8, Ginza Chuo-Ku, Tokyo, 104 -0061, Japan;

Beijing Carbon Disclosure Project Environmental Consulting Co. Limited, Room 025, 1/F, Jingshi Law Firm Building, No.37 Dongsihuan Mid Rd, Chaoyang District, Beijing, 100025 China;

Carbon Disclosure Project India, 3rd Floor, 315 Sant Nagar, East of Kailash, New Delhi 110065, India;

CDP Operations India Private Limited, Flat No 1203 and 1204, 12th Floor, Chiranjiv Tower, 43 Nehru Place, New Delhi 110019, India;

Carbon Disclosure Project Latin America, Rua Dr. Mauricio de Lacerda, 30; CEP 04303-190 -Sao Paulo/ SP, Brazil;

CDP Worldwide (Hong Kong) Limited, 9/F Asia Orient, 33 Lockhart Road, Wanchai, Hong Kong;

CDP Europe AISBL, Due Ducale 67, 1000 Bruxelles, Belgium;

CDP Worldwide (Europe) gemeinnützige GmbH, c/o WeWork, Potsdamer Platz, Kemperplatz 1, 10785 Berlin, Germany;

CDP Europe - Services GmbH, c/o WeWork Potsdamer Platz, Kemperplatz 1, 10785 Berlin, Germany;

CDP North America, Inc. 127 W 26th Street, Suite 300, New York, NY 1001, USA.

APPENDIX 2