PRIVACY NOTICE

1. Introduction
2. Personal data we may collect from you
3. How we store your personal data
4. Where we store your personal data
5. Uses made of your personal data
6. Legal basis for data processing
7. Disclosure of your personal data
8. How long we keep your personal data
9. Joint activities and website visits
10. Responsibilities for joint activities
11. Social media features
12. Your rights
13. How to complain
14. Changes to our privacy notice
15. Contact

1. Introduction

This notice (together with our terms of use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We may process your personal data in connection with your visit or use of our websites, applications or online tools (each a “CDP Online Offering”) or our business relationship with you. Please read it carefully to understand how we will treat your personal data.

For the purpose of the General Data Protection Regulation (the “GDPR”), CDP Worldwide, CDP Operations Limited, CDP Worldwide (Europe) gGmbH, CDP Europe -Services GmbH, CDP Worldwide Services GmbH, CDP North America, CDP Worldwide-Japan, Beijing Carbon Disclosure Project Environmental Consulting Co, Carbon Disclosure Project India, Carbon Disclosure Project Latin America and CDP World (Hong Kong) Limited, (“CDP Global System”) each act as data controller/controller and as joint controllers as set out in more detail in clause 9 below. You can find the contact details in Appendix 1.

Back to top ↑

2. Personal data we may collect from you

We may collect and process the following personal data about you:

(a) Your name, job title and professional contact details (phone number, email and office address);

(b) Information that you provide by contacting us or by filling in forms on our sites www.cdp.net and www.cdsb.net (together our “site”). This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services. We may also ask you for information when you report a problem with our site; if you contact us, we may keep a record of that correspondence

(c) Information that is automatically sent to us by your web browser or device, such as your IP-address, device type, browser type, referring site, sites accessed during your visit, the date and time of each visitor request

(d) If applicable, personal data you provide in ‘Matchmaker’ project intake forms (in respect of city projects seeking finance);

(e) Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;

(f) Further information necessarily processed in a project or contractual relationship with CDP or voluntarily provided by you, such as personal data relating to orders placed, payments made, requests, and project milestones;

(g) Personal data collected from publicly available resources or received from third parties.

Back to top ↑

3. How we store your personal data

We take appropriate measures to ensure that your personal data is kept secure, including preventing it from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a legitimate business need to view it.
Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means.

Back to top ↑

4. Where we store your personal data

We predominantly store personal data in our Customer Relationship Management (“CRM”) system which is based in the UK; we also process and store personal data in countries within the European Economic Area (“EEA”) which have the same data protection laws as the United Kingdom.

Countries outside the EEA may have different data protection laws to the United Kingdom. Your personal data will only be transferred or stored outside the EEA where we have a contract in place which gives your personal data protection equivalent to that within the EEA. In this way we make your personal data accessible to staff working for any company within the CDP Global System (namely in North America, Brazil, China, Hong Kong, India and Japan) and to selected third-party service providers for the uses described in this notice. We will not otherwise transfer your personal data outside the EEA.

Back to top ↑

5. Uses made of your personal data

We use information held about you in the following ways:

(a) To ensure that content from our site is presented in the most effective manner for you and for your computer;

(b) To verify your identity (if you registered for a CDP Online Offering) and to answer and fulfil your specific requests;

(c) To communicate with you about products, services and projects of CDP or business partners, e.g. by responding to inquiries or requests;

(d) To carry out our obligations arising from any contracts entered into between you and us;

(e) To provide you with information, products or services provided you have given your consent;

(f) To ensure compliance with legal obligations (such as record keeping obligations);

(g)To solve disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

Back to top ↑

6. Legal basis for data processing

The legal basis for CPD processing data about you is that such processing is necessary for the purposes of:

• CDP exercising its rights and performing its obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);
• Compliance with CDP’s legal obligations (Article 6 (1) (c) GDPR); and/or
• Legitimate interests pursued by CDP (Article 6 (1) (f) GDPR). Generally, our legitimate interests relate to our mission as an international not for profit organisation in focusing investors, companies, cities and governments on building a truly sustainable economy.

In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented (Article 6 (1) (a) GDPR).

Back to top ↑

7. Disclosure of your personal data

We disclose your data only if the legal conditions are fulfilled, in particular Article 6 GDPR. In accordance with these provisions, a transfer is permissible in particular if

• it is necessary for the performance of a contract with you;
• it is necessary to fulfil a legal obligation;
• processing is necessary for the purposes of our legitimate interests;
• you have given your consent.

Sometimes the recipients to whom we transfer your personal data are located in countries in which applicable laws do not offer the same level of data protection as the laws of your home country. In such cases, we take measures to implement appropriate and suitable safeguards for the protection of your personal data. In particular, we transfer personal data to external recipients in such countries only if the recipient has (i) entered into EU Standard Contractual Clauses with CDP, or (ii) implemented Binding Corporate Rules in its organization.

Provided the legal requirements have been met, we may disclose your personal data to:

(a) other companies within the CDP Global System or third parties – e.g. our business partners or suppliers - in connection with your use of the CDP Online Offerings or our business relationship with you;

(b) organisations that receive responses to our questionnaires including our investor signatories and supply chain members;

(c) organisations that receive the personal data provided in ‘Matchmaker’ project intake forms (in respect of city projects seeking finance) including investors, project developers, engineering firms and non-profit organisations;

(d) third parties, including our partners, and other organisations that are aligned with our mission;

(e) our external third-party service providers which process such data only for the purpose of such services; and

(f) if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of CDP, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.

Back to top ↑

8. How long we keep your personal data

We will hold your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period we consider the amount, the nature and sensitivity of the personal data, the potential risks of harm from unauthorised use or disclosure, the purposes and whether we can achieve those purposes by other means. We will delete your data if they are no longer being needed for the purposes for which they were collected or to comply with our legal obligations such as retention obligations under tax or commercial laws.

Back to top ↑

9. Joint activities and website visits

Data controllers are joint controllers where your personal data is shared with another controller in the CDP Global System for any of the following activities (joint activities):

(a) disclosure related activities to companies, cities states and regions;

(b) marketing, newsletters, and other communication activities;

(c) investor and supply chain member activities;

(d) non-disclosure related activities including, contracts with third parties; and

(e) adding and accessing personal data in the CRM system.

As far as non-joint activities are concerned, CDP Worldwide is responsible for the data processing by the CDP Online Offering (data controller in the sense of Article 4 (7) GDPR).

Back to top ↑

10. Responsibilities for joint activities

The responsibilities of the parties are set out in Appendix 2.

Under Article 26 (3) and Article 32 (4) GDPR, each of the joint controllers can be held liable for the entire damage. If one joint controller is held liable, Article 82 (5) GDPR applies.

Back to top ↑

11. Social media features

We use the following social media plug-ins ("plug-ins"):

• Tweet button, powered by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA;
• Share Button on LinkedIn, operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, United States.
• YouTube Plugin, powered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

All social media links and plug-ins (YouTube plugin) are indicated with the brand names of the respective providers Google, Twitter, and LinkedIn ("Provider"). We use the so-called two-click solution. This means that when you visit our site, no personal data is passed on to the providers of the plug-ins. We give you the opportunity to communicate directly with the provider of the plug-in via the button. Only if you click on the marked box and thereby activate it, the plug-in provider will receive the information that you have accessed the corresponding website of our online offer.
If you interact with the plug-in, e.g. by playing an imbedded YouTube video, the data will be transferred directly from your browser to the Provider and saved by the Provider.
For more information on the purpose and scope of data collection, processing and use, please refer to the privacy statements below:

• Google: https://policies.google.com/privacy?hl=en-US
• Twitter: https://twitter.com/privacy
• LinkedIn: https://www.linkedin.com/legal/privacy-policy

Back to top ↑

12. Your rights

Under the GDPR you have several important rights. In summary, these include rights to:

(a) access your personal data;

(b) require us to correct any mistakes in your information which we hold;

(c) request the erasure of personal data concerning you in certain situations;

(d) request the data to be transferred to a third party in certain situations;

(e) object at any time to processing of personal data concerning you for direct marketing;

(f) object in certain other situations to our continued processing of your personal data;

(g) otherwise restrict our processing of your personal data in certain circumstances; and

(h) claim compensation for damages caused by our breach of any data protection laws.

Back to top ↑

How to complain

We hope that we can resolve any query or concern you raise about our use of your personal data.

The GDPR also gives you the right to lodge a complaint with the competent data protection authority. A list and contact details of local data protection authorities is available here:

https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

For the United Kingdom

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

e-mail: [email protected]
Website: https://ico.org.uk

Back to top ↑

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Latest Privacy Notice February 2021.

Back to top ↑

Contact

Questions and requests regarding this privacy notice should be addressed to

Outside European Union (or EEA): [email protected] or

European Union (or EEA): [email protected]

Back to top ↑

APPENDIX 1

Controllers:

CDP Worldwide, 4th Floor, 60 Great Tower Street, London EC3R 5AZ, UK

Affiliates:

CDP Operations Limited, 4th Floor, 60 Great Tower Street, London EC3R 5AZ, UK;

CDP Worldwide – Services GmbH, all of WeWork, Potsdamer Platz -Kemperplatz 1, 10785 Berlin, Germany;

CDP Worldwide - Japan, GINZA ISHII Building, 5F 6-14-8, Ginza Chuo-Ku, Tokyo, 104 -0061, Japan;

Beijing Carbon Disclosure Project Environmental Consulting Co. Limited, Room 025, 1/F, Jingshi Law Firm Building, No.37 Dongsihuan Mid Rd, Chaoyang District, Beijing, 100025 China;

Carbon Disclosure Project India, 906 Chiranjiv Tower, 9th Floor, 43 Nehru Place, New Delhi 110019;

CDP Operations India Private Limited, 906 Chiranjiv Tower, 9th Floor, 43 Nehru Place, New Delhi 110019; Carbon Disclosure Project Latin America, Rua Dr. Mauricio de Lacerda, 30; CEP 04303-190 -Sao Paulo/ SP, Brazil;

CDP Worldwide (Hong Kong) Limited, 9/F Asia Orient, 33 Lockhart Road, Wanchai, Hong Kong;

Non- Affiliates:

CDP Europe AISBL, Avenue des Arts 6-9, 1210 Bruxelles, Belgium;

CDP Worldwide (Europe) gemeinnützige GmbH, c/o WeWork Potsdamer Platz, Kemperplatz 1, 10785 Berlin, Germany;

CDP Europe - Services GmbH, c/o WeWork Potsdamer Platz, Kemperplatz 1, 10785 Berlin, Germany;

CDP North America, Inc. 127 W 26th Street, Suite 300, New York, NY 1001, USA.

APPENDIX 2