Notice

Evaluation of the Energy Savings Opportunity Scheme (ESOS): privacy notice

Published 1 July 2025

This notice sets out how we will process your personal data, and your information rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

This notice relates to DESNZ processing of the Energy Savings Opportunity Scheme (ESOS) data by DESNZ for the purposes of research and evaluation.

1. Your data

We will process the following personal data:

• first and last name (middle name optional)
• email address (business or personal)
• job title or position
• contact information (business or personal)
• approved professional body register and membership number, where relevant

The personal data relates to:

• the responsible officer contacts for the ESOS participant:

  • Primary Officer
  • secondary contact
  • board directors and / or individuals with management control for ESOS

• the lead assessor who reviewed the ESOS assessment

Your personal data were obtained by us from the Managing Your Energy Savings Opportunity Scheme (MESOS) online notification system, and from any ESOS reports the Environment Agency shares with DESNZ for the purpose of the DESNZ evaluation.

2. Purpose 

The purpose(s) for which we are processing your personal data is to evaluate the impact of ESOS and to inform the development and operation of future government policy.  

3. Legal basis of processing  

The legal basis for processing your personal data under Article 6 of the UK GDPR is:  

1(e) Public task: Regulation 3 of the Energy Saving Opportunity Scheme Regulations 2014, as amended by the Energy Savings Opportunity Scheme (Amendment) Regulations 2023, sets out a public task for the Secretary of State to review the operation and effect of the regulations 2014.

4. Recipients 

Your personal data may be shared by us with contractors [names to be added when appointed] appointed by DESNZ to carry out research for the evaluation.  The data may also be shared with sub-processors [names to be added when appointed] of the contractor(s) where required to undertake evaluation activities.

As part of our IT infrastructure, your personal data will be stored in the UK on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.

5. Retention  

Your personal data will be kept by us for only as long as required for ESOS evaluation activities. At the latest, DESNZ will securely destroy your personal data 12 months after the compliance date of the subsequent phase. For example, data submitted as part of Phase 3 will be destroyed no later than the 5 December 2028. (It should be noted that other data controllers, such as the Environment Agency, may retain your data for longer).

DESNZ’s contractors will only retain personal data for as long as is required to complete the research activities. At the latest the contractors would securely destroy their copies of your personal data at the end of the evaluation contract(s) which are expected to be no longer than three years.   

6. Automated decision making

Your personal data will not be subject to automated decision making.

7. International transfers

Your personal data will be processed in the UK. [This is subject to confirmation of which supplier is selected].

8. Your rights 

You have the right to request information about how your personal data are processed, and to request a copy of that personal data.  

You have the right to request that any inaccuracies in your personal data are rectified without delay.  

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.  

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.  

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.  

You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.  

To exercise your rights please contact the Data Protection Officer using the contact details below.

9. Contact details 

The data controller for your personal data is the Department for Energy Security and Net Zero (DESNZ).

Contact the DESNZ DPO:

DESNZ Data Protection Officer
Department for Energy Security and Net Zero
3-8 Whitehall Place
London
SW1A 2EG

Email dataprotection@energysecurity.gov.uk

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.

10. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator. 

Contact the Information Commissioner's Office (ICO):

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/mak...

Telephone 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

11. Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated: 1 July 2025