Notice

Renewables Obligation to Exchequer Cost Scheme: due diligence and monitoring privacy notice

Published 22 April 2026

© Crown copyright 2026

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/renewables-obligation-to-exchequer-cost-scheme-due-diligence-and-monitoring-privacy-notice/renewables-obligation-to-exchequer-cost-scheme-due-diligence-and-monitoring-privacy-notice

This privacy notice sets out how the Department for Energy Security & Net Zero (DESNZ) will use your personal data for the purpose of awarding grant payments to energy suppliers in respect of the Renewables Obligation to Exchequer Cost Scheme. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).

As part of grant administration, DESNZ is expected to follow the Government Functional Standards for Grants. Furthermore, DESNZ is expected to follow legislation relating to sanctions and terrorist financing, which necessitates appropriate due diligence and monitoring.

1. Your data

As part of grant administration process, we may process the following personal data:

  • names and contact details of contacts at grant recipient organisations
  • names and contact details of directors at the recipient organisation

As part of the application, we will process data related to the organisation, its directors and significant shareholders provided by a commercially available due diligence screening tool and open sources, such as, but not limited to:

  • company registries
  • published media
  • published sanctions lists
  • published debarment and enforcement notices and lists

The data collected, may include such personal information as:

  • names of directors and shareholders of the recipient organisation
  • names of directors and significant shareholders of companies connected, by common control, to the recipient organisation
  • dates of birth of directors
  • nationality of directors
  • partial or full addresses of directors
  • media presence of directors or significant shareholders
  • published criminal offence data of directors or significant shareholders
  • published sanctions information
  • published disqualifications
  • published breaches of social, environmental or regulatory obligations

2. Purpose

The purpose(s) for which we are processing your personal data is to support:

  • the prevention, investigation and detection of fraud
  • compliance with sanctions legislation
  • assessment and management of financial risks
  • monitoring the progress and operational delivery of the project
  • effective administration of public funds

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller under Article 6(1)(e) of the UK GDPR, such as:

The exercise of a function of the Crown, a Minister of the Crown, or a government department for the assessment of potential awarding of grant funding and subsequent monitoring thereafter.

4. Criminal Offence Data

The processing by us of personal data relating to criminal convictions and offences or related security measures is not carried out under official authority, but is authorised as necessary for reasons of substantial public interest for the exercise of a function of the Crown, a minister of the Crown or a government department.

5. Appropriate Policy Document (APD)

Some of the Schedule 1 conditions for processing criminal offence data require DESNZ to have an APD in place, setting out and explaining our procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data.

The DESNZ APD sets out how we will protect special category and criminal convictions personal data in accordance with the requirements of Article 9 and 10 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (DPA 2018).

6. Recipients

Data may be shared with other governmental departments and bodies for the purposes of administering the grant award. This may include, but is not limited to:

  • HM Treasury
  • Government Internal Audit Agency (GIAA)
  • National Audit Office
  • Office of Gas and Electricity Markets (Ofgem)

As part of our IT infrastructure, your personal data will be stored on systems provided by our data processors - Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.

Jeremy Benn Associates are contracted to manage the online platform for grants.

7. Retention

Your personal data may be kept by us for a period of up to 7 years following the closure of the RO to Exchequer Cost Scheme.

8. Automated decision making

Your personal data will not be subject to automated decision making.

9. International transfers

Your personal data will only be processed in the UK.

10. Your rights

You have the right to:

  • request information about how your personal data are processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data are completed, including by means of a supplementary statement
  • request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted
  • object to the processing of your personal data where it is processed for direct marketing purposes
  • object to the processing of your personal data

To exercise your rights please contact the Data Protection Officer using the contact details below.  

11.     Contact Details

The data controller for your personal data is the Department for Energy Security and Net Zero (DESNZ).

Contact the DESNZ DPO:

DESNZ Data Protection Officer
Department for Energy Security and Net Zero
3-8 Whitehall Place
London
SW1A 2EG

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.

12. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator.

Contact the Information Commissioner's Office (ICO):

Email icocasework@ico.org.uk

Contact form https://ico.org.uk/mak...

Telephone 0303 123 1113

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

13. Updates to this notice

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.

If these changes affect how your personal data is processed, we will take reasonable steps to let you know.

Last updated:   21/04/2026

Back to top