Privacy Policies

View Data Privacy and Confidentiality Policy
 

View Cookies Policy

DATA PRIVACY AND CONFIDENTIALITY POLICY

1. PURPOSE AND SCOPE

1. This Policy provides information about how the Science Based Targets initiative, SBTi Services Limited and their affiliates (“SBTi”):

1.1 collects, handles and uses personal data;
1.2 handles confidential information; and
1.3 approaches data security.

2. This Policy applies to SBTi and its affiliates, including all employees, consultants, contractors, trainees, fellows, secondees, and any other individuals providing services to SBTi and/or any of its affiliates, including those engaged via employers of record.
 

PERSONAL DATA

2. CONTROLLER AND DATA PROTECTION MANAGER

2.1 This Policy applies to data processing by SBTi and its affiliates. SBTi has the following registered address:

• 66 Lincoln’s Inn Fields, London, WC2A 3LH

2.2 SBTi has appointed a Data Privacy Manager (DPM) who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact SBTi’s DPM (Section 10).

3. TYPES OF PERSONAL DATA COLLECTED BY THE SBTI

3.1 Personal data means any information about an individual from which that individual can be identified (directly or indirectly) from that data alone or in combination with other identifiers that SBTi can reasonably access. 

3.2 SBTi may collect, use, store and transfer different kinds of personal data about you which is categorized as follows:

• 3.2.1 Identity Data includes first name, last name, any previous names, username or similar identifier, marital status, title, date of birth and gender.
• 3.2.2 Contact Data includes billing address, delivery address, email address and telephone numbers.
• 3.2.3 Financial Data includes bank account and payment card details.
• 3.2.4 Transaction Data includes details about payments to and from you and other details of products and services you have purchased from SBTi.
• 3.2.5 Technical Data Includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access SBTi.
• 3.2.6 Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
• 3.2.7 Usage Data includes information about how you interact with and use SBTi website, products and services.
• 3.2.8 Marketing and Communications Data includes your preferences in receiving marketing from SBTi and SBTi third parties and your communication preferences.

4. HOW YOUR PERSONAL DATA IS COLLECTED

4.1 SBTi use different methods to collect data from and about you including through:

4.1.1 Your interactions with SBTi. You may give SBTi your personal data by filling in online forms or by corresponding with SBTi by post, phone, email or otherwise. This includes, but is not limited to, personal data you provide when you:

• apply for SBTi products or services;
• interact with the SBTi validation portal;
• subscribe to any services or publications;
• request marketing to be sent to you;
• respond to a consultation or call for evidence; or
• provide feedback or contact SBTi. 

4.1.2 Automated technologies or interactions. As you interact with the website or portal, SBTi will automatically collect Technical Data about your equipment, browsing actions and patterns. SBTi collects this personal data by using cookies, server logs and other similar technologies or analysis services. 

5. BASIS FOR USE OF YOUR PERSONAL DATA

5.1 UK GDPR requires SBTi to have a legal basis for collecting and using your personal data. SBTi may rely on one or more of the following legal bases:

5.1.1 Consent. SBTi relies on consent where it has obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

5.1.2 Performance of a contract with you. Where SBTi needs your personal data to perform the contract SBTi are about to enter into or have entered into with you.

5.1.3 Legitimate interests. SBTi may use your personal data where it is necessary to conduct SBTi’s business and pursue legitimate interests, for example to prevent fraud and enable SBTi to give you the best and most secure customer experience. SBTi will consider and balance any potential impact on you and your rights (both positive and negative) before processing your personal data for SBTi’s legitimate interests. SBTi will not use your personal data for activities where SBTi’s interests are overridden by the impact on you (unless SBTi has your consent or are otherwise required or permitted to by law).

5.1.4 Legal obligation. SBTi may use your personal data where it is necessary for compliance with a legal obligation. SBTi will identify the relevant legal obligation when SBTi relies on this legal basis.

6. DISCLOSURES OF PERSONAL DATA

6.1 SBTi will only share your personal information with third parties if:

• you have given express consent;
• disclosure is required to assert, exercise or defend legal claims and there is no reason to assume that you have
• an overriding legitimate interest in not disclosing your data;
• disclosure is a legal obligation; or
• legally permissible and required for the performance or settlement of contractual relationships with you.

6.2 SBTi requires all third parties to respect the security of your personal data and to treat it in accordance with the law. SBTi do not allow SBTi third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with SBTi instructions.

6.3 SBTi may disclose personal data internally within SBTi group for the purposes of providing shared services within SBTi group, or as otherwise notified at the time of collection, subject to the principles set out in this Policy.

7. DATA SECURITY

7.1 SBTi has put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed.

7.2 SBTi limits access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on SBTi instructions and are subject to a duty of confidentiality.

7.3 SBTi has put in place procedures to deal with any suspected personal data breach and will notify you and/or any applicable regulator of a breach where SBTi is legally required to do so.

8. DATA RETENTION

8.1 SBTi will only retain your personal data for as long as reasonably necessary to fulfill the purposes SBTi collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. 

8.2 SBTi may retain your personal data for a longer period in the event of a complaint or if SBTi reasonably believes there is a prospect of litigation in respect to SBTi’s relationship with you.

8.3 To determine the appropriate retention period for personal data, SBTi considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which SBTi process your personal data and whether this purpose can be achieved through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

8.4 By law SBTi has to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for a period after they cease being customers.

9. YOUR LEGAL RIGHTS

9.1 You have a number of rights under data protection laws (Data Protection Act 2018 (DPA 2018) and UK GDPR) in relation to your personal data. You have the right to:

• Request access to your personal data (commonly known as a "subject access request").  A subject access request enables you to receive a copy of the personal data SBTi holds about you and to check that SBTi is lawfully processing it.
• Request correction of the personal data that SBTi holds about you. This enables you to have any incomplete or inaccurate data SBTi holds about you corrected, though SBTi may need to verify the accuracy of the new data you provide.
• Request erasure of your personal data in certain circumstances (commonly known as the “right to be forgotten)”. This enables you to ask SBTi to delete or remove personal data where there is no good reason for SBTi continuing to process it. You also have the right to ask SBTi to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where SBTi may have processed your information unlawfully or where SBTi are required to erase your personal data to comply with local law. Note, however, that SBTi may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where SBTi are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data (including carrying out profiling based on SBTi legitimate interests). In some cases, SBTi may demonstrate compelling legitimate grounds to process your information which override your right to object.
• Object any time to the processing of your personal data for direct marketing purposes.
• Request the transfer of your personal data to you or to a third party. SBTi will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for SBTi to use or where SBTi used the information to perform a contract with you.
• Withdraw consent at any time where SBTi are relying on consent to process your personal data. However, this withdrawal will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, SBTi may not be able to provide certain products or services to you. SBTi will advise you if this is the case at the time you withdraw your consent.
• Request restriction of processing of your personal data. This enables you to ask SBTi to suspend the processing of your personal data in one of the following scenarios:
  • If you want SBTi to establish the data's accuracy;
  • Where SBTi’s use of the data is unlawful but you do not want SBTi to erase it;
  • Where you need SBTi to hold the data even if SBTi no longer requires the data as you need it to establish, exercise or defend legal claims; or
  • You have objected to SBTi’s use of your data but SBTi needs to verify whether there are overriding legitimate grounds to use it.

9.2 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, in special circumstances where there is an unfounded, unnecessarily repetitive or extremely excessive request to access your personal data, SBTi may charge a reasonable fee. Alternatively, SBTi could refuse to comply with your request in these circumstances.

9.3 SBTi may need to request specific information from you to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. SBTi may also contact you to ask you for further information in relation to your request to speed up the response.

9.4 SBTi will try to respond to all legitimate requests within one month of the initial submission. Occasionally it could take longer than a month if your request is particularly complex or you have made a number of requests. In this case, SBTi will notify you of the specific reason(s) for the delay and keep you updated.

10. CONTACT DETAILS

10.1 If you have any questions about this Policy or about the use of your personal data or you want to exercise your privacy rights, please contact SBTi’s DPM:

• DPM Email address: SBTI-DPM@sciencebasedtargets.org
• Postal address: 66 Lincoln’s Inn Fields, London, WC2A 3LH

11. COMPLAINTS

11.1 You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). 

11.2 In order to seek to resolve your concerns before you approach the ICO, please contact SBTi in the first instance.

12. DUTY TO INFORM SBTI OF CHANGES

12.1 It is important that the personal data SBTi holds about you is accurate and current. Please keep SBTi informed if your personal data changes during your relationship with SBTi, for example a new address or email address.

13. THIRD PARTY LINKS

13.1 SBTi website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. SBTi does not control these third-party websites and are not responsible for their privacy statements. When you leave the SBTi website, SBTi encourages you to read the privacy policy of every website you visit.

CONFIDENTIALITY

14. CONFIDENTIAL INFORMATION

14.1 SBTi keeps certain types of confidential information as part of its operations. Because of the importance of maintaining the confidentiality of certain information, and because effective procedures for maintaining confidentiality require organisation-wide involvement and cooperation, we have implemented this Policy.

14.2 SBTi’s procedures aim to maintain the trust of our clients that commercially sensitive information and other types of confidential information received from them or from other sources will not be revealed to unauthorized parties.

14.3 SBTi maintains robust and effective systems for handling confidential information. Confidential information means any information that has been made available to SBTi by a disclosing party (whether directly or indirectly) that is subject to an obligation of confidentiality. This may be pursuant to contractual confidentiality provisions, or as determined by applicable laws. It may include information that is:

• Stored on databases, computers and transmitted across internal and public networks;
• Stored on removable media such as USB devices, hard disks etc;
• Printed or written on paper, or other physical document;
• Presented using audio-visual media;
• Spoken during telephone calls, meetings or conversations;
• Sent by text or other communication methods.

15. MAINTAINING CONFIDENTIALITY

15.1 SBTi employees shall treat confidential information as confidential both during and after their employment ends. SBTi employees shall therefore:

• Not access or use any confidential information to which they have not been provided access or authorization to use;
• Not disclose, publish, communicate, or make available confidential information to anyone that does not have the authority to know and use the confidential information, except as required to perform their job or otherwise permitted by SBTi;
• Not discuss confidential information in public where it may be overheard;
• In the event of inadvertent disclosure of confidential information, immediately inform their line manager and SBTi’s DPM so that measures can be taken to minimize damage;
• Treat confidential information as confidential both during and after their employment ends;
• Return any confidential information in their possession to SBTi on termination of their employment, and may be required to provide confirmation of doing so on request.

15.2 If any SBTi employee is unsure of the responsibilities, or whether a piece of information should be kept confidential, they should check with their line manager, legal team, or DPM before disclosing or taking any other action.

DATA SECURITY

16. INFORMATION SECURITY

16.1 Data and information security means managing the risks arising from the collection, storage, use, and any possible compromise of the confidentiality, integrity or availability of SBTi’s information assets.

16.2 The following are specific requirements that apply to SBTi’s information security:

• All SBTi’s information assets are to be protected and managed in line with the value of the information and the risks applicable to the asset. The risks must be regularly reviewed as part of an ongoing risk assessment process.
• Client data must be protected from external and internal threats in accordance with best industry practice when designing systems, applications, products and processes.
• Data is to be retained in line with best industry practice and only stored in approved secure locations.
• Adequate resources are to be provided to ensure that client data is protected throughout its entire lifecycle when in the care of SBTi.
• Access to SBTi systems and information assets is to be approved and reviewed on a regular basis by appropriate managers and IT personnel.
• All SBTi employees, contractors or third parties with access to SBTi information shall be required to comply with this Policy.
• All SBTi premises or premises where SBTi data is stored, processed, or transmitted are to be secured against unauthorised digital or physical access.
• Breaches and incidents are to be managed in a documented process. All employees have a responsibility to report security risks, breaches or incidents using the ITSM Service Desk email account.

17. COMPLIANCE

17.1 SBTi takes breaches or violations of this Policy seriously. Any employees who violate the Policy or who knowingly or negligently allow personnel under their supervision to do so, may be subject to disciplinary action in accordance with SBTi’s disciplinary procedures.

17.2 Confidentiality shall not apply to information which is already public and/or which is required to be made publicly available under regulation or judicial proceedings. Where SBTi is required by law to release confidential information it will endeavour to notify the party concerned unless prohibited by law from doing so.

17.3 Nothing in this Policy is intended to restrict communications or actions that are protected or required by whistleblowing protection legislation such as the Public Interest Disclosure Act 1998, or otherwise disclosing information as permitted or required by law.

18. POLICY REVIEW

18.1 This Policy will be reviewed a year after being signed, or if there are changes to the applicable laws, whichever comes sooner.

INFORMATION ABOUT OUR USE OF COOKIES

Our website uses cookies to distinguish you from other users of our website. Cookies help us to provide you with a good experience when you browse our website and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies.

This cookie policy describes the cookies we use and explains why we use cookies and how we deal with the information collected. Cookies enable the site to function properly. If you disable the use of cookies you may not experience the full functionality of our website.

This cookie policy (together with our data privacy and confidentiality policy) sets out the basis on which any personal information that we collect from you, or that you provide to us, when using this site will be processed. Please read the following carefully to understand how we use cookies.

What are cookies

Cookies are small text files that are designed to store information on your computer. A cookie file is created when you use our website and is processed by the software of your computer. The resulting text file is placed on your computer and it is accessed by your web browser when you visit the website that originally created the cookie.

Categories and types of cookies

The cookies on our website fall into three categories:

Essential: these cookies help make our website navigable by activating basic functions such as page navigation and access to secure website areas. They cannot be switched off in our systems as they are necessary for the website to function. These cookies do not collect any personally identifiable information.

Functional: these cookies allow our website to remember your preference and choices you make to provide a more personalized online experience, or analyse usage behavior in order to measure and improve performance. 

Marketing: these cookies are used to track visitors across websites. They are used to display ads that are relevant and interesting to the visitor, including on social media platforms. The cookies described below are used to improve our website and do not contain any personal information that would allow us to identify you (such as your name or other contact details).

Within each category, we may use different types of cookies during your visit to our website, which include: 

Session cookies: these are stored temporarily during a browsing session and are deleted from your device when the browser is closed. They are used to ensure your visit to our website is as smooth as possible and allow us to identify your computer as you use the website.

Persistent cookies: these are saved on your computer for a fixed period (usually one year or more ) and are not deleted when the browser is closed. These help us remember you as a visitor each time you use the same computer to visit the website.

Analytics cookies: these allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to continuously improve the way our website works, for example, by ensuring that users can find what they are looking for easily.

Targeting cookies: these record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our advertisement more relevant to your interests. We may share this information with third parties (like Twitter and LinkedIn) for this purpose.
 

You can find more information about individual cookies we use and the purposes for which we use them in our cookie settings. 

Please note that third parties (including, for example, providers of external services like web traffic analysis services) may also have access to certain cookies, over which we have no control. We suggest you check their website to see how the third-party is using those cookies or block their cookies. 

How to manage or delete cookies

You can change your choices regarding which cookies you accept by visiting the cookie settings function on our website that allows you to refuse the setting of all or some cookies. If you choose not to accept our cookies, then we will only store cookies that are “essential” for the running of our website.

Alternatively, you can manage cookies through your device or browser. Most internet browsers automatically accept cookies unless you change your browser settings. If you wish to restrict, block or delete the cookies which are set by any websites, you can generally do this through your browser settings. If you block cookies completely, many websites may not work properly and some functionality on our website may not work at all. Information on how to remove cookies can be found at: http://www.allaboutcookies.org/manage-cookies.

Updates

We may update this Cookie Policy from time to time, and so you should review it periodically.