PRIVACY NOTICE
1. Introduction
This notice (together with our terms of use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We may process your personal data in connection with your visit or use of our websites, applications or online tools (each a “CDP Online Offering”) or our business relationship with you. Please read it carefully to understand how we will treat your personal data.
For the purpose of the General Data Protection Regulation (the “GDPR”), CDP Worldwide, CDP Operations Limited, CDP Worldwide (Europe) gGmbH, CDP Europe -Services GmbH, CDP Worldwide Services GmbH, CDP North America, CDP Worldwide-Japan, Beijing Carbon Disclosure Project Environmental Consulting Co, Carbon Disclosure Project India, Carbon Disclosure Project Latin America and CDP World (Hong Kong) Limited, (“CDP Global System”) each act as data controller/controller and as joint controllers as set out in more detail in clause 9 below. You can find the contact details in Appendix 1 below.
2. Personal data we may collect from you
We may collect and process the following personal data about you:
(a) Your name, job title and professional contact details (phone number, email and office address);
(b) Information that you provide by contacting us or by filling in forms on our sites www.cdp.net and www.cdsb.net (together our “site”). This includes information provided at the time of registering to use our site, subscribing to our service, posting material or requesting further services. We may also ask you for information when you report a problem with our site; if you contact us, we may keep a record of that correspondence
(c) Information that is automatically sent to us by your web browser or device, such as your IP-address, device type, browser type, referring site, sites accessed during your visit, the date and time of each visitor request
(d) If applicable, personal data you provide in ‘Matchmaker’ project intake forms (in respect of city projects seeking finance);
(e) Payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, security code numbers and other related billing information;
(f) Further information necessarily processed in a project or contractual relationship with CDP or voluntarily provided by you, such as personal data relating to orders placed, payments made, requests, and project milestones;
(g) Personal data collected from publicly available resources or received from third parties.
3. How we store your personal data
We take appropriate measures to ensure that your personal data is kept secure, including preventing it from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a legitimate business need to view it.
Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means.
4. Where we store your personal data
We predominantly store personal data in our Customer Relationship Management (“CRM”) system which is based in the UK; we also process and store personal data in countries within the European Economic Area (“EEA”) which have the same data protection laws as the United Kingdom.
Countries outside the EEA may have different data protection laws to the United Kingdom. Your personal data will only be transferred or stored outside the EEA where we have a contract in place which gives your personal data protection equivalent to that within the EEA. In this way we make your personal data accessible to staff working for any company within the CDP Global System (namely in North America, Brazil, China, Hong Kong, India and Japan) and to selected third-party service providers for the uses described in this notice. We will not otherwise transfer your personal data outside the EEA.
5. Uses made of your personal data
We use information held about you in the following ways:
(a) To ensure that content from our site is presented in the most effective manner for you and for your computer;
(b) To verify your identity (if you registered for a CDP Online Offering) and to answer and fulfil your specific requests;
(c) To communicate with you about products, services and projects of CDP or business partners, e.g. by responding to inquiries or requests;
(d) To carry out our obligations arising from any contracts entered into between you and us;
(e) To provide you with information, products or services provided you have given your consent;
(f) To ensure compliance with legal obligations (such as record keeping obligations);
(g)To solve disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.
6. Legal basis for data processing
The legal basis for CPD processing data about you is that such processing is necessary for the purposes of:
- CDP exercising its rights and performing its obligations in connection with any contract we make with you (Article 6 (1) (b) GDPR);
- Compliance with CDP’s legal obligations (Article 6 (1) (c) GDPR); and/or
- Legitimate interests pursued by CDP (Article 6 (1) (f) GDPR). Generally, our legitimate interests relate to our mission as an international not for profit organisation in focusing investors, companies and cities on taking urgent action to build a truly sustainable economy.
In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented (Article 6 (1) (a) GDPR).
7. Disclosure of your personal data
We disclose your data only if the legal conditions are fulfilled, in particular Article 6 GDPR. In accordance with these provisions, a transfer is permissible in particular if
- it is necessary for the performance of a contract with you;
- it is necessary to fulfil a legal obligation;
- processing is necessary for the purposes of our legitimate interests;
- you have given your consent.
Sometimes the recipients to whom we transfer your personal data are located in countries in which applicable laws do not offer the same level of data protection as the laws of your home country. In such cases, we take measures to implement appropriate and suitable safeguards for the protection of your personal data. In particular, we transfer personal data to external recipients in such countries only if the recipient has (i) entered into EU Standard Contractual Clauses with CDP, or (ii) implemented Binding Corporate Rules in its organization.
Provided the legal requirements have been met, we may disclose your personal data to:
(a) other companies within the CDP Global System or third parties – e.g. our business partners or suppliers - in connection with your use of the CDP Online Offerings or our business relationship with you;
(b) organisations that receive responses to our questionnaires including our investor signatories and supply chain members;
(c) organisations that receive the personal data provided in ‘Matchmaker’ project intake forms (in respect of city projects seeking finance) including investors, project developers, engineering firms and non-profit organisations;
(d) third parties, including our partners, and other organisations that are aligned with our mission;
(e) our external third-party service providers which process such data only for the purpose of such services; and
(f) if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of CDP, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
8. How long we keep your personal data
We will hold your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period we consider the amount, the nature and sensitivity of the personal data, the potential risks of harm from unauthorised use or disclosure, the purposes and whether we can achieve those purposes by other means. We will delete your data if they are no longer being needed for the purposes for which they were collected or to comply with our legal obligations such as retention obligations under tax or commercial laws.
9. Joint activities and website visits
Data controllers are joint controllers where your personal data is shared with another controller in the CDP Global System for any of the following activities (joint activities):
(a) disclosure related activities to companies, cities states and regions;
(b) marketing, newsletters, and other communication activities;
(c) investor and supply chain member activities;
(d) non-disclosure related activities including, contracts with third parties; and
(e) adding and accessing personal data in the CRM system.
As far as non-joint activities are concerned, CDP Worldwide is responsible for the data processing by the CDP Online Offering (data controller in the sense of Article 4 (7) GDPR).
10. Responsibilities for joint activities
The responsibilities of the parties are set out in Appendix 2 below.
Under Article 26 (3) and Article 32 (4) GDPR, each of the joint controllers can be held liable for the entire damage. If one joint controller is held liable, Article 82 (5) GDPR applies.
11. Social media features
We use the following social media plug-ins ("plug-ins"):
- Tweet button, powered by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA;
- Share Button on LinkedIn, operated by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, United States.
- YouTube Plugin, powered by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
All social media links and plug-ins (YouTube plugin) are indicated with the brand names of the respective providers Google, Twitter, and LinkedIn ("Provider"). We use the so-called two-click solution. This means that when you visit our site, no personal data is passed on to the providers of the plug-ins. We give you the opportunity to communicate directly with the provider of the plug-in via the button. Only if you click on the marked box and thereby activate it, the plug-in provider will receive the information that you have accessed the corresponding website of our online offer.
If you interact with the plug-in, e.g. by playing an imbedded YouTube video, the data will be transferred directly from your browser to the Provider and saved by the Provider.
For more information on the purpose and scope of data collection, processing and use, please refer to the privacy statements below:
12. Your rights
Under the GDPR you have several important rights. In summary, these include rights to:
(a) access your personal data;
(b) require us to correct any mistakes in your information which we hold;
(c) request the erasure of personal data concerning you in certain situations;
(d) request the data to be transferred to a third party in certain situations;
(e) object at any time to processing of personal data concerning you for direct marketing;
(f) object in certain other situations to our continued processing of your personal data;
(g) otherwise restrict our processing of your personal data in certain circumstances; and
(h) claim compensation for damages caused by our breach of any data protection laws.
How to complain
We hope that we can resolve any query or concern you raise about our use of your personal data.
The GDPR also gives you the right to lodge a complaint with the competent data protection authority. A list and contact details of local data protection authorities is available here:
https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080
For the United Kingdom
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
e-mail: dpo@ico.org.uk
Website: https://ico.org.uk
Changes to our privacy notice
Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. Latest Privacy Notice February 2021.
Contact
Questions and requests regarding this privacy notice should be addressed to
Outside European Union (or EEA): privacy@cdp.net or
European Union (or EEA): datenschutz@cdp.net
APPENDIX 1
Controllers:
CDP Worldwide, 4th Floor, 60 Great Tower Street, London EC3R 5AZ, UK
Affiliates:
CDP Operations Limited, 4th Floor, 60 Great Tower Street, London EC3R 5AZ, UK;
CDP Worldwide – Services GmbH, all of WeWork, Potsdamer Platz -Kemperplatz 1, 10785 Berlin, Germany;
CDP Worldwide - Japan, GINZA ISHII Building, 5F 6-14-8, Ginza Chuo-Ku, Tokyo, 104 -0061, Japan;
Beijing Carbon Disclosure Project Environmental Consulting Co. Limited, Room 025, 1/F, Jingshi Law Firm Building, No.37 Dongsihuan Mid Rd, Chaoyang District, Beijing, 100025 China;
Carbon Disclosure Project India, 906 Chiranjiv Tower, 9th Floor, 43 Nehru Place, New Delhi 110019;
CDP Operations India Private Limited, 906 Chiranjiv Tower, 9th Floor, 43 Nehru Place, New Delhi 110019; Carbon Disclosure Project Latin America, Rua Dr. Mauricio de Lacerda, 30; CEP 04303-190 -Sao Paulo/ SP, Brazil;
CDP Worldwide (Hong Kong) Limited, 9/F Asia Orient, 33 Lockhart Road, Wanchai, Hong Kong;
Non- Affiliates:
CDP Europe AISBL, Avenue des Arts 6-9, 1210 Bruxelles, Belgium;
CDP Worldwide (Europe) gemeinnützige GmbH, c/o WeWork Potsdamer Platz, Kemperplatz 1, 10785 Berlin, Germany;
CDP Europe - Services GmbH, c/o WeWork Potsdamer Platz, Kemperplatz 1, 10785 Berlin, Germany;
CDP North America, Inc. 127 W 26th Street, Suite 300, New York, NY 1001, USA.
APPENDIX 2
Processing activities
Providing information (Articles 13, 14 GDPR)
Right of access, rectification, erasure, data portability, objection (Articles 15-17, 20, 21 GDPR)
Commissioning sub-processors, Records of processing activities, Determination of security measures (Articles 28, 30, 32, 24 GDPR)
Notification of data breaches (Articles 33, 34 GDPR)
CENTRALISED ACTIVITIES IN UK
CDP Worldwide and CDP Operations Limited
Coordination of the worldwide process for disclosure as follows:
a) Disclosure related activities
adding contacts to CRM, sending disclosure-related e-mails to companies, cities, states and regions.
CDP Worldwide
CDP Worldwide
CDP Worldwide
CDP Worldwide
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
CDP Operations
CDP Operations
CDP Operations
CDP Operations
c) Supply chain member and reporter services activities
receiving contact lists from members, entering into contracts with suppliers and sharing supplier contacts with members.
CDP Operations
CDP Operations
CDP Operations
CDP Operations
d)Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
CDP Worldwide
CDP Worldwide
CDP Worldwide
CDP Worldwide
e) Non-disclosure activities
all other activities including contracts with third parties; HR and employee activities; systems administration and account activities;
on-line activities including carried out by CDSB.
CDP Worldwide
CDP Worldwide
CDP Worldwide
CDP Worldwide
1. Activities carried out in Europe
a) Supply chain member and reporter services activities
receiving contact lists from members, entering into contracts with suppliers and sharing contacts with members.
CDP Europe-Services GmbH
CDP Europe-Services GmbH
CDP Europe-Services GmbH
CDP Europe-Services GmbH
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
CDP Worldwide (Europe) gGmbH (Climetrics:
CDP Europe-Services GmbH)
CDP Worldwide (Europe) gGmbH (Climetrics:
CDP Europe-Services GmbH)
CDP Worldwide (Europe) gGmbH (Climetrics:
CDP Europe-Services GmbH)
CDP Worldwide (Europe) gGmbH (Climetrics:
CDP Europe-Services GmbH)
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
CDP Worldwide (Europe) gGmbH
CDP Worldwide (Europe) gGmbH
CDP Worldwide (Europe) gGmbH
CDP Worldwide (Europe) gGmbH
d) Non-disclosure activities
all other activities including contracts with third parties;
CDP Worldwide (Europe) gGmbH
CDP Worldwide (Europe) gGmbH
CDP Worldwide (Europe) gGmbH
CDP Worldwide (Europe) gGmbH
2. Activities carried out in North America
a) Supply chain member and reporter services activities
receiving contact lists, entering into contracts with suppliers and sharing contact information with members.
CDP NA
CDP NA
CDP NA
CDP NA
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
CDP NA
CDP NA
CDP NA
CDP NA
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
CDP NA
CDP NA
CDP NA
CDP NA
d) Other disclosure and non-disclosure activities
all other disclosure related activities including adding contacts to CRM, sending out disclosure related emails and all other non-disclosure activities including, contracts with third parties.
CDP NA
CDP NA
CDP NA
CDP NA
3. Activities carried out in India
a) Supply chain member and reporter services activities
receiving contact lists, entering into contracts with suppliers and sharing contact information with members.
CDP Operations India Private Limited
CDP Operations India Private Limited
CDP Operations India Private Limited
CDP Operations India Private Limited
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
CDP Operations India Private Limited
CDP Operations India Private Limited
CDP Operations India Private Limited
CDP Operations India Private Limited
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
Carbon Disclosure Project India
Carbon Disclosure Project India
Carbon Disclosure Project India
Carbon Disclosure Project India
d) Other disclosure and non-disclosure activities
all other disclosure related activities including adding contacts to CRM, sending out disclosure related emails and all other non-disclosure activities including contracts with third parties.
Carbon Disclosure Project India
Carbon Disclosure Project India
Carbon Disclosure Project India
Carbon Disclosure Project India
4. Activities carried out in South America
a) Supply chain member and reporter services activities
receiving contact lists, entering into contracts with suppliers and sharing contact information with members.
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
d) Other disclosure and non-disclosure activities
all other disclosure related activities including adding contacts to CRM, sending out disclosure related emails and all other non-disclosure activities including contracts with third parties.
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
Carbon Disclosure Project Latin America
5. Activities carried out in China
a) Supply chain member and reporter services activities
receiving contact lists, entering into contracts with suppliers and sharing contact information with members.
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
d) Other disclosure and non-disclosure activities
all other disclosure related activities including adding contacts to CRM, sending out disclosure related emails and all other non-disclosure activities including contracts with third parties.
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
Carbon Disclosure Project Environmental Consulting
6. Activities carried out in Japan
a) Supply chain member and reporter services activities
receiving contact lists, entering into contracts with suppliers and sharing contact information with members.
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
d) Other disclosure and non-disclosure activities
all other disclosure related activities including adding contacts to CRM, sending out disclosure related emails and all other non-disclosure activities including contracts with third parties.
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
CDP Worldwide Japan
7. Activities carried out in Asia Pacific Region
a) Supply chain member and reporter services activities
receiving contact lists, entering into contracts with suppliers and sharing contact information with members.
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
b) Investor related activities
adding contacts to CRM, targeting new investors (e.g. to become signatories or members), and account related activities.
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
c) Communication activities
Sending out newsletters and updates to
organisations; hosting on-line events, including using third party platforms and other such activities.
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
d) Other disclosure and non-disclosure activities
all other disclosure related activities including adding contacts to CRM, sending out disclosure related emails and all other non-disclosure activities including contracts with third parties.
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
CDP Worldwide (Hong Kong) Ltd
