This notice (together with our terms of use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We may process your personal data in connection with your visit or use of our websites, applications or online tools (each a “CDP Online Offering”) or our business relationship with you. Reference to personal data in this privacy notice shall include reference to sensitive personal data (where applicable).

Please read it carefully to understand how we will treat your personal data.

For the purpose of the General Data Protection Regulation (the “GDPR”) and other applicable laws, we each act as a data controller/controller and/or as joint controllers as set out in more detail in clause 9 below. In this Notice, “we”, “our” and “us” means TCFD Knowledge Hub as operated by CDP Worldwide and CDP Operations Limited (together as “CDP”). You can find the contact details in Appendix 1.




With your consent (where required by applicable laws), we will collect and process the following personal data about you:

Our websites are not intended for minors, and we do not knowingly collect personal data from minors (as defined by applicable laws). If we learn we have collected or received personal data from a minor without parental consent, we will delete it. If you believe we might have any information from or about a minor, please contact us (see below).

If you do not provide personal data marked as mandatory (e.g. by an asterisk on the data collection form) we may not be able to engage or communicate with you or provide our services.



We take appropriate measures as required by applicable law to ensure that your personal data is kept secure, including preventing it from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal data to those who have a legitimate business need to view it.

Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any actual or suspected data security breach. We will notify you and any applicable regulator of an actual or suspected data security breach where we are legally required to do so.

Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through any online means.



With your consent (as required by applicable law), we use information held about you in the following ways:

(a)     To ensure that content from our site is presented in the most effective manner for you and for your computer;

(b)       To verify your identity (if you registered for a CDP Online Offering) and to answer and fulfil your specific requests;

(c)        To ensure compliance with legal obligations (such as record keeping obligations); and

(d)       To solve disputes, enforce our contractual agreements and to establish, exercise or defend legal claims.

(e)       Provision of aggregated statistics of visitor data to the Taskforce for Climate-Related Disclosure.

If we wish to use your personal data for purposes other than those stated in this privacy notice, we will obtain your consent where required by applicable laws and regulations.



The legal basis for CDP processing data about you is that such processing is necessary for the purposes of:

In some cases under GDPR, or where required under other applicable laws, we may ask if you consent to use of your personal data in accordance with this Notice. In such cases, the legal basis under GDPR for us processing that data about you may (in addition or instead) be that you have consented (Article 6 (1) (a) GDPR).



We disclose your data only if the legal conditions under applicable laws are fulfilled, in particular Article 6 GDPR where GDPR applies. In accordance with these provisions, a transfer is permissible in particular if

Sometimes the recipients to whom we transfer your personal data are located in other countries, notably Germany and applicable laws of such other countries may not offer the same level of data protection as the laws of your home country. In such cases, we take measures to implement appropriate and suitable safeguards for the protection of your personal data. In particular where GDPR applies, we transfer personal data to external recipients in such countries only if the recipient has (i) entered into EU Standard Contractual Clauses with CDP, or (ii) implemented Binding Corporate Rules in its organisation.

Where the applicable legal requirements have been met, we may disclose your personal data to:

(a)     our external third-party service providers which process such data only for the purpose of such services; and

(b)     if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of CDP, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.



We will hold your personal data for as long as necessary to fulfil the purposes we collected it for or for such longer periods where required or permitted by applicable law. To determine the appropriate retention period we consider the amount, the nature and sensitivity of the personal data, the potential risks of harm from unauthorised use or disclosure, the purposes and whether we can achieve those purposes by other means. We will delete your data if they are no longer being needed for the purposes for which they were collected or to comply with our legal obligations such as retention obligations under tax or commercial laws.



Under the GDPR and other applicable laws, you have several important rights. In summary, this (as provided by applicable law) may include rights to:

(a)     access and obtain a copy of your personal data, and in some cases information about how we have used it;

(b)       require us to correct any mistakes in your information which we hold;

(c)        request the erasure of personal data concerning you in certain situations;

(d)       request the data to be transferred to a third party in certain situations (to the extent that is permitted under applicable law);

(e)       object at any time to processing of your personal data (We will not use your data for direct marketing);

(f)      withdraw your consent, or otherwise object in certain other situations to our continued processing of your personal data;

(g)        otherwise restrict our processing of your personal data in certain circumstances; and

(h)       claim compensation for damages caused by our breach of any data protection laws.



We hope that we can resolve any query or concern you raise about our use of your personal data. The GDPR and other applicable laws may also give you the right to lodge a complaint with us or with the competent data protection authority.

A list and contact details of local data protection authorities is available here:

Information Commissioner’s Office
Wycliffe House
Water Lane

e-mail: [email protected]

Website: https://ico.org.uk

However, we would encourage you to first contact us should you have any requests for exercising your data subject rights, or for any enquiries and complaints by contacting us using the contact information below.



Any changes we may make to our privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail. In case of material changes, we will notify you by email, and obtain your consent to such changes if required to do so by applicable law.



Questions and requests regarding this privacy notice should be addressed to y local CDP Office. Details can be found at Contact us – CDP




CDP Worldwide, 4th floor, 60 Great Tower Street, London EC3R 5AD, UK

CDP Operations Limited, 4th floor, 60 Great Tower Street, London EC3R 5AD, UK;