
Energy Performance of Buildings (Scotland) Regulations 2025: data protection impact assessment

Data protection impact assessment (DPIA) produced as part of our intention to lay updated Energy Performance Certificate (EPC) regulations in October 2025. This DPIA has considered the evidence to understand any potential data protection outcomes from the reform of EPCs.


UK General Data Protection Regulation (UK GDPR) principles

The UK GDPR has seven key principles, and provisions within the Articles that must be considered.

Principle 7.1 Principle 1

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Description of how you have complied

The Energy Performance of Buildings (Scotland) Regulations 2025 create the legal requirement for an EPC to be made available in certain circumstances, and require that organisations that accredit and audit EPC assessors must be approved by the Scottish Ministers.

Principle 7.2 Principle 2

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Description of how you have complied

The Energy Performance of Buildings (Scotland) Regulations 2025 require that an EPC must not contain any information or data from which a living individual (other than the person issuing it or that person's employer) can be identified and that, for public extracts of the EPC data, any information or data from which a living individual can be identified must not be published.

Principle 7.3 Principle 3

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Description of how you have complied

Only relevant data is collected for the purpose of the Energy Performance of Buildings (Scotland) Regulations 2025. The data collected is defined in the calculation methodology that must be approved by Scottish Ministers.

Principle 7.4 Principle 4

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

Description of how you have complied

Assessors’ contact information is stored on the Register and is managed and kept up to date by Approved Organisations.

Principle 7.5 Principle 5

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

Description of how you have complied

EPC register data is kept for at least 10 years.

Principle 7.6 UK GDPR Articles 12-22 – data subject rights

Description of how you have complied

The regulations allow EPC data to be shared. If an EPC is determined to be incorrect through audit, this should be superseded by an updated EPC. An incorrect EPC is marked not for issue. There is no opt-out of EPC data in Scotland.

Principle 7.7 Principle 6

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

Description of how you have complied

The Keeper of the EPC register is appointed by Scottish Ministers and data must be held on secure servers.

Principle 7.8 Transfer of personal data outside of the UK

Description of how you have complied

EPCs are accessed through the Scottish EPC website and public extracts through the Scottish Government’s statistics website. This can be accessed by anyone with internet access. No personal data is shared on public extracts. No Green Deal data is shared on public extracts. On an actual EPC, the assessor’s name is included.

Contact

Email: EPCenquiries@gov.scot
