TNFD Secretariat Limited (hosted by GFI PMO Limited):

Company Privacy Statement

We are committed to ensuring that your privacy is protected. Please read the following Privacy Statement carefully to ensure you are aware of how we use and protect your Personal Information.

  1. Introduction and Purpose

This Statement will apply to any personal information which the TNFD Secretariat (“we“, “us“, “our“) collects or otherwise receives about third parties (“you“), including when you contact us, use our website ‘’ (the “website“) or otherwise engage with us, including when you fill an online form to sign up to our mailing list.

We will only use personal information which is provided to us, or otherwise obtained by us, from which you can be identified (“Personal Information“) as set out in this Statement.  

In this Statement, “TNFD Secretariat“, “we“, “us” and “our” refer to the TNFD Secretariat Limited, hosted by GFI PMO Ltd, registered in England and Wales with registered address International House, 24 Holborn Viaduct, London, EC1A 2BN and with company registration number 13559729. For the purpose of the applicable data protection legislation, GFI PMO Ltd is deemed to be the “data controller” in respect of any Personal Information that you provide to us or we otherwise obtain about you. If you have any questions about the ways in which we use your Personal Information, do not hesitate to contact us by emailing [email protected] and we will do our best to assist.

  1. How do we collect your Personal Information?
  • You contact us, by sending us an email or by using our website. There are a number of different ways in which you engage with us via our website including when you visit or make an enquiry through the website, when you report a problem with our website, create a log in or subscribe to our mailing list to receive our newsletter.
  • You provide us with Personal Information when we meet you at conferences and other events in which we participate.
  • We gather your information from a third party. For example, our business partners, other stakeholders, in addition to advertising networks, consumer research agencies, governmental agencies, analytics providers and search engine providers. We rely on our data collection and occasionally use hubspot (CRM system) insights to enhance the data we have using domains.
  • We also collect information about you through the use of cookies and tracking technologies (including using Google Analytics) when you visit the website.   
  1. What categories of Personal Information do we collect and process?
  • Your name and title;
  • Your contact details, such as your home and/or work address, home and/or work email address, home and/or work telephone number, website and social media contact information, and your contact preferences;
  • Your organisation’s name;
  • Your professional activities (including the primary industry you work in) and job title; and
  • The views and feedback that you provide during our consultation processes.

We also automatically collect certain limited information about your device and your visits to our website (“Technical Personal Information“). Technical Personal Information may include:

  • Device data: We may collect information about the type of device or platform you use (such as a computer or mobile device) to access our website, the operating system and choice of web browser.
  • Location data: Your use of our website may generate geographical data, such as the location and time zone setting of a device, the domain name or the internet protocol (IP) address used to connect your device to the internet.
  • Log data about your visit: Your use of our website automatically generates information about your visit which we may collect. This can include the full uniform resource locators (URL) clickstream to, through and from our site (including date and time) products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

Some of the Technical Personal Information set out above will be collected by cookies and tracking technologies (including using Google Analytics) that we use on our website.

  1. How do we use your Personal Information and what lawful basis do we rely on to do so?
What is our purpose for using your Personal Information?What lawful basis do we rely on to use your Personal Information?    
To present you with customised content and tailored opportunities to engage with TNFD when you create a profile  Our legitimate business interests to provide you with present you with customised content and tailored opportunities to engage with TNFD
To provide you with our services, such as learning and capacity building opportunities when you sign up to the TNFD Forum  Our performance of the Terms of Reference with you
To better understand how users access and use our services   For website operational and performance purposes  Our legitimate interests to maintain and improve the operation and performance of our website and to optimise your user experience
To publish on our website the views and feedback you provide to us during our public consultation process, for the purposes of transparency and credibility of each TNFD Framework  Our legitimate business interests to ensure the transparency and credibility of each TNFD Framework
To provide you with newsletters, updates and information (including on event and webinars) and invitations to participate in surveys and consultations  Our legitimate business interest to keep you up to date with our business activities
  1. How long do we retain your Personal Information?

We will retain your Personal Information for as long as necessary for the purposes identified in this Statement, including where we have a legitimate business interest to process it. Following this period, we will securely delete or anonymise your Personal Information, unless we are required to retain a copy of such information under applicable law.

We may need to keep your Personal Information for longer where it is necessary to: (i) establish, bring or defend legal proceedings or comply with a legal or regulatory requirement; or (ii) preserve records to be able to deal with internal or external audits.

  1. Other parties who may have access to your Personal Information

We may share your Personal Information with selected third parties where we have your explicit consent to do so or it is necessary for: (i) the provision of information or other services you have requested, (ii) us to comply with our legal obligations; or (iii) our legitimate business interests.

Your Personal Information may be disclosed by us to the following third parties:

  • Third parties which assist us with providing our services to you, including partner organisations, for instance, via secondees they provide to TNFD
  • other service providers including IT suppliers, administration services providers, including our CRM system and platforms used for storing your data;
  • other parties that may be acquired by or merged with us, to which substantially all of our assets are transferred, or as part of a bankruptcy proceeding;
  • public bodies, including regulatory bodies, where we are obliged or permitted by law to do so (this may include the Information Commissioner’s Office); and
  • our professional advisors including lawyers and auditors, including industry associations who may share their membership data with us.
  1. Transfer of your Personal Information overseas

The Personal Information you provide to us will be transferred to and stored on our servers which are located within the UK. However, in processing your Personal Information, it may be transferred to, and stored at, a destination outside the UK. It may also be accessed by staff operating outside the UK who work for us or for one of our suppliers.

We will only share your Personal Information with others outside the UK when we are legally permitted to do so, namely where:

  1. the UK government has decided that the relevant country has adequate protective rules in relation to data protection in place (an “adequacy decision“);
  2. we have entered into the relevant “standard contractual clauses” with the recipient of your personal data (these are a set of obligations about how your data is protected and used); or
  3. we can rely on another basis under the law such as that we have to share the personal data because this is necessary for the purpose of a court case, investigation or to protect our legal rights.

Where any transfer takes place under a written contract, you have the right to request a copy of the parts of that contract which relate to data protection and may do so by contacting us at [email protected].

  1. Your data protection rights

You have a number of rights under data protection laws with regard to the Personal Information we use in relation to you. Under certain circumstances, you may have the right to:

  • Request access to the personal information about you that we process: You have a right to request a copy of the personal information we hold about you;
  • Request for your personal information to be deleted: You have the right to request the deletion or removal of personal information we hold about you where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to us holding your personal information, where we may have processed your personal information unlawfully or where we are required to erase your personal information to comply with law. Although we will consider every request for erasure on its merits, we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at that time of your request (such as to resolve disputes and troubleshoot issues);
  • Request us to correct or change your personal information: If you believe the personal information we hold about you is incorrect, you can contact us to request for any incomplete or inaccurate information that we hold about you to be corrected. However, we may need to verify the accuracy of the new information you provide to us;
  • Object to our use of your personal information: You have a right to object to the processing of your personal information where we are using it for the purpose of our legitimate interests. If we agree that your objection is justified we will stop using your personal information for those purposes. Alternatively, we will explain why we still need to use your personal information;
  • Limit or restrict our use of your personal information: You have a right to request us to suspend the processing of your personal information in the following situations:
  • for the period it takes us to rectify any inaccurate personal information in relation to you;
  • where our use of the personal information is unlawful but you do not want us to erase it;
  • where you want to prevent us from deleting your personal information at the end of the retention period in the event that you need it to establish, exercise or defend a legal claim;
  • where you have objected to our use of your personal information, but we need to verify whether we (or a third party) have overriding legitimate grounds to use it.
  • Request the transfer of your personal information to you or to a third party: You have the right to ask us to transfer certain information we hold about you to a third party you have chosen, or directly to you. Where your request is valid, we will provide you with your personal information in a structured, commonly used, machine-readable format.

To exercise any of your rights in relation to our use of your personal information, please contact us by email at [email protected] in writing to TNFD Secretariat, c/o GFI PMO Ltd, International House, 24 Holborn Viaduct, London, EC1A 2BN and we will do our best to assist.

If you have been receiving our email updates but change your mind and decide you don’t want to hear from us, you can unsubscribe by clicking on the ‘unsubscribe’ link at the bottom of any emails you receive from us, or by emailing us at [email protected].

  1. Links

Our website may, from time to time, contain links to other websites of interest. The inclusion of any links does not necessarily imply a recommendation or that we endorse the views expressed within them. If you follow a link to any of these websites, please note that we do not have any control over the nature, content and availability of those sites and they will have their own privacy policies. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites. You should exercise caution and check these policies before you submit any Personal Information to these websites.

  1. Data security

We are committed to ensuring that all reasonable and appropriate steps have been taken to protect your personal data which includes, where appropriate, data storage in a CRM system independent of our website.

Please note that the transmission of information via the internet is not completely secure and, although we will take steps to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted via the website and any transmission is therefore at your own risk.

  1. Questions and complaints

Should you have any queries or complaints in relation to how we use your Personal Information, please contact us at  [email protected] and we will do our best to assist.

Should you wish to take any complaints or queries further, you have the right to contact the supervisory authority in your country of residence or employment or place of the alleged infringement. The Information Commissioner’s Office (“ICO“) is the UK supervisory authority for data protection issues. You can contact the ICO:

by telephone:

0303 123 1113 or 01625 545 745

or in writing to:

Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane

or via their website:

  1. Changes to this Privacy Statement

This Privacy Statement was last updated on 18 September 2023. Any changes we may make to this Statement in the future will be posted on our website and, where appropriate, notified to you when you next access our website. It is your responsibility to ensure that you are aware of the latest version of this Statement and by continuing to use our website or otherwise engage with us, you will be deemed to have accepted any revised terms.