Energy Company Obligation (ECO4) supplier grant awards: privacy notice

This notice sets out how we will use your personal data for the purpose of awarding grants to energy suppliers in respect of the Energy Company Obligations (ECO4) Scheme. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR). --- This privacy notice sets out how the Department for Energy Security & Net Zero (DESNZ) will use your personal data for the purpose of awarding grants to energy suppliers in respect of the Energy Company Obligations (ECO4) Scheme. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR). As part of grant administration, DESNZ is expected to follow the Government Functional Standards for Grants. Furthermore, DESNZ is expected to follow legislation relating to sanctions and terrorist financing, which necessitates appropriate due diligence and monitoring. ## 1. Your data As part of grant administration process, we may process the following personal data: * names and contact details of contacts at grant recipient organisations * names and contact details of directors at the recipient organisation As part of the application, we will process data related to the organisation, its directors and significant shareholders provided by a commercially available due diligence screening tool and open sources, such as, but not limited to: * Company Registries * published media * published Sanctions lists * published debarment and enforcement notices and/or lists The data collected, may include such personal information as: * names of directors and shareholders of the recipient organisation * names of directors and significant shareholders of companies connected, by common control, to the recipient organisation * dates of birth of directors * nationality of directors * partial or full addresses of directors * media presence of directors or significant shareholders * published criminal offence data of directors or significant shareholders * published sanctions information * published disqualifications * published breaches of social, environmental or regulatory obligations ## 2. Purpose The purpose(s) for which we are processing your personal data is to support: * the prevention, investigation and detection of fraud * compliance with Sanctions legislation * assessment and management of financial risks * monitoring the progress and operational delivery of the project * effective administration of public funds ## 3. Legal basis of processing The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller under Article 6(1)(e) of the UK GDPR, such as: * the exercise of a function of the Crown, a Minister of the Crown, or a government department for the assessment of potential awarding of grant funding and subsequent monitoring thereafter ### 3.1 Criminal Offence Data The processing by us of personal data relating to criminal convictions and offences or related security measures is not carried out under official authority, but is authorised as necessary for reasons of substantial public interest for the exercise of a function of the Crown, a minister of the Crown or a government department. ### 3.2 Appropriate Policy Document (APD) Some of the Schedule 1 conditions for processing criminal offence data require DESNZ to have an Appropriate Policy Document (APD) in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. The DESNZ Appropriate Policy Document (APD) that sets out how we will protect special category and criminal convictions personal data in accordance with the requirements of Article 9 and 10 of the UK General Data Protection Regulation (‘UK GDPR’) and Schedule 1 of the Data Protection Act 2018 (‘DPA 2018’). DESNZ Appropriate Policy Document - <https://www.gov.uk/government/publications/desnz-processing-special-category-data-and-criminal-offence-data/appropriate-policy-document> ## 4. Recipients Data may be shared with other governmental departments and bodies for the purposes of administering the grant award. This may include, but is not limited to: * HM Treasury * National Audit Office * Office of Gas and Electricity Markets (Ofgem) As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems. Jeremy Benn Associates are contracted to manage the online platform for grants. ## 5. Retention Your personal data may be kept by us for a period of up to 6 years following the closure of the ECO4 scheme. ## 6. Automated decision making Your personal data will not be subject to automated decision making. ## 7. Your rights You have the right to: * request information about how your personal data are processed, and to request a copy of that personal data * request that any inaccuracies in your personal data are rectified without delay * request that any incomplete personal data are completed, including by means of a supplementary statement * request that your personal data are erased if there is no longer a justification for them to be processed * in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted * object to the processing of your personal data where it is processed for direct marketing purposes * object to the processing of your personal data ## 8. International transfers Your personal data will only be processed in the UK. ## 9. Contact details The data controller for your personal data is the Department for Energy Security and Net Zero (DESNZ). Contact the DESNZ DPO: DESNZ Data Protection Officer Department for Energy Security and Net Zero 3-8 Whitehall Place London SW1A 2EG Email dataprotection@energysecurity.gov.uk If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above. ## 10. Complaints If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. Contact the Information Commissioner's Office (ICO): Email icocasework@ico.org.uk Contact form [https://ico.org.uk/mak...](https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/) Telephone 0303 123 1113 Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts. ## 11. Updates to this notice If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change. If these changes affect how your personal data is processed, we will take reasonable steps to let you know. Last updated: 18 March 2026