Energy Performance of Buildings (Scotland) Regulations 2025: data protection impact assessment

Data controllers and data processors/sub processors

Data controllers

Organisation: The Scottish Government

Activities:

• Determine EPC Regulations. Regulations make clear only personal data included on an actual EPC and Property Report is the assessor details.
• Regulations are explicit that no personal details are to be included in publicly available extract of the EPC data.

Is the organisation a public authority or body as set out in Part 2, Chapter 2, Section 7 of the Data Protection Act 2018?

• Yes

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 6 for the collection and sharing of personal data – general processing.

• Building owners required by the Energy Performance of Buildings (Scotland) Regulations 2025 to provide a valid EPC to prospective owners/tenant when selling/letting a property, when a property is constructed, or when required to be displayed (for large public buildings).
• Lodgement data gathered by assessors, to be provided to the EPC Register, allowing it to generate an EPC which then must be stored and publicly accessible.

Lawful basis for processing under UK General Data Protection Regulation (UK GDPR) Article 9 – special category data or Article 10 – criminal convictions data. Include condition from Schedule 1 or 2 of the Data Protection Act 2018.

• No special category data received and processed.

Law enforcement – if any law enforcement processing will take place – lawful basis for processing under Part 3 of the Data Protection Act 2018.

• Regulation 20 requires the Keeper of the EPC Register to disclose energy performance data to an enforcement authority for the purposes of their duty to enforce the regulations.
• Regulation 21 allows the Scottish Ministers to appoint themselves as an enforcement authority for the purposes of the regulations.
• Although not currently planned, if this option is taken up the requirements of Part 3 of the Data Protection Act 2018 in relation to law enforcement processing will be fully considered and complied with, and this DPIA updated.

Legal gateway for any sharing of personal data between organisations

• The Energy Performance of Buildings (Scotland) Regulations 2025.

Data processors and sub processors

Organisation: Ministry of Housing, Communities and Local Government, UK Government.

Activity: Manage the EPC register and the Energy Calculation as a Service to process EPC lodgement data.

Organisation: Assessors.

Activity: Assessors are accredited by Approved Organisations and complete on- site surveys of buildings. Assessors are governed by regulations.

Organisation: Approved Organisations

Activity: Approved Organisations accredit energy assessors and are approved by Scottish Ministers. Approved Organisations must adhere to the Operational Framework and ensure their members, and their members work, meets required standards.

Organisation: Local Authorities

Activity: Every local authority is an enforcement authority for the purposes of these regulations.

Data flows

The data flow is indicated by the fields below moving from the ‘Building owner’ and resulting in ‘Bulk data’.

Building owner

• Valid EPC required by regulations when:
• Selling or letting a property
• Completing a newly constructed building
• Displaying it publicly as part of ongoing

Accredited assessor

• Commissioned to complete on-site survey and will collect property information (lodgement data)
• Retains records of pre-lodgement data (such as photographic evidence) for purposes of

Data Lodged

• The building information that is collected is lodged on the EPC register

Owner/ prospective owner or tenant

• Users can retrieve the EPC from the Scottish EPC register

Bulk data

• Public data extract of EPC data is provided by the Scottish Government.
• Does not include assessor name
• Does not include Green deal information