Privacy Policy

Last Updated: 24 March 2026

E&C Group BV ("Company", "we", "us", or "our") is the data controller responsible for the processing of your personal information when you interact with our websites, services, and related activities. Our registered office is located at Spinnerijkaai 43, 8500 Kortrijk, BELGIUM.

We are committed to protecting your privacy. This privacy policy explains how we collect, use, disclose, and safeguard your personal information.

1.    Information we collect

• Personal information you provide to us, such as your name, email address, business contact details, phone number, financial information (e.g., payment details), and any other data you choose to give us.

• Data acquired through the acquisition of Apala Group, which is now known as Apala by E&C. For Apala customer contracts that we are continuing to service, the legal basis is ‘performance of a contract’. For Apala contact and service history data where no direct contract is being continued, our legitimate interests in maintaining customer relationships and improving our services provide the lawful basis for processing, subject to the necessary balancing test. Affected Apala data subjects were notified of this change in March 2026, within one month of the acquisition, in accordance with GDPR Article 14.

• Information collected automatically when you interact with our websites, including details about your device, browser type, IP address, pages visited, time on site, and click behaviour, collected through cookies, web beacons, local storage, and similar tracking technologies. You can manage your cookie preferences through the cookie consent banner on our website.

We use HubSpot as our customer relationship management (CRM) platform and to host our eecc.energy website. When you interact with our website or contact us, HubSpot processes the following information on our behalf as a data processor:

• Contact information you provide through forms (name, email, company, phone, etc.)

• Website behaviour and analytics (pages visited, time on site, click tracking)

• Email engagement data (opens, clicks, replies)

• Communication history with our company

• IP address and device information

HubSpot processes this data to provide and improve our services, respond to your inquiries, send marketing communications (if you've opted in), and manage our customer relationships. HubSpot's privacy practices are outlined in their Privacy Policy, available at HubSpot Privacy Policy.

2.    How we use your information

• To provide and improve our services (based on our legitimate business interests)

• To communicate with you, including sending marketing and promotional messages (with your consent)

• To fulfil and manage your requests, orders, and service contracts (necessary for the performance of our contract)

• To protect our services, prevent fraud, and comply with legal obligations (necessary for compliance with a legal obligation)

• For other legitimate business purposes, such as data analysis to enhance the user experience (our legitimate interests include improving our services and operations, subject to the necessary balancing test to ensure data subject rights are not overridden)

3.    Information sharing and disclosure

• With service providers who assist us in operating our business, such as IT service providers, marketing agencies, and customer support teams. These service providers act as data processors under a Data Processing Agreement with E&C Group BV.

• In connection with the Apala Group acquisition (necessary for our legitimate business interests). Existing Apala customer contracts are being honoured in full. Personal data transferred through the acquisition is processed by E&C America Inc., E&C Group's US entity, under Standard Contractual Clauses. 

• To comply with legal requirements, court orders, or to protect our rights (necessary for compliance with a legal obligation)

4.    International data transfers

• E&C Group BV transfers personal data outside the EEA only where directly necessary for the delivery of services and where appropriate safeguards are in place.

Transfers to the United States

• Where we service client locations or operations in the United States, personal data may be transferred to and processed by E&C America Inc. for the purposes of service delivery and client relationship management. E&C America Inc. also manages data arising from the Apala Group acquisition (now ‘Apala by E&C’) as part of its US operational responsibilities.

• Categories of data transferred include business contact details, energy consumption and procurement data, contract and service history, and financial information where relevant.

• This transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supported by supplementary measures including encryption, access controls, and regular security assessments.

• US law, including the Foreign Intelligence Surveillance Act (FISA) and National Security Letters (NSLs), permits government authorities to request access to personal data in certain circumstances. E&C has implemented a Government Access Protocol to manage such requests, including challenging unlawful requests and notifying affected individuals where legally permitted.

Transfers to Australia

• Where we service client locations or operations in Australia, personal data may be processed through Microsoft's cloud infrastructure for secure data storage and operational service delivery, including real-time operational data for clients in critical infrastructure sectors.

• Categories of data transferred include business contact details, energy consumption and procurement data, and operational service data.
  
  
• This transfer is protected by Standard Contractual Clauses (SCCs) approved by the European Commission, supported by supplementary measures including encryption, access controls, and regular security assessments.

• Australian law, including the AA Act 2018 and TIA Act 1979, permits government authorities to issue Technical Capability Notices (TCNs) to technology providers including Microsoft. E&C has assessed this risk as part of its Transfer Impact Assessment and implemented mitigating measures, including EU-hosted data architecture, encryption practices, Microsoft's public commitment to challenge unlawful requests, and a Government Access Protocol covering Australian access requests.
•  

Your rights

• EU/EEA residents have the right to request information about international transfer safeguards, object to transfers in certain circumstances, and lodge a complaint with their local supervisory authority.

• To exercise these rights or request further details, please contact our Data Protection Officer at dpo@eecc.energy.

5.    Cookies and tracking technologies

• We use cookies and similar technologies to collect information about how you use our websites, such as pages visited, time on site, and clicks.

• You can manage your cookie preferences and opt-out of non-essential cookies through the cookie consent banner on our websites.

• We also use web beacons, local storage, and other technologies for similar purposes.

• If any of this involves cookie-based advertising or sharing data with ad platforms, we will ensure it is covered by your consent through our cookie management platform.

6.    Data retention and deletion

• We retain your personal information for as long as necessary to fulfil the purposes outlined in this policy, or as required by law:

  • Business contact data: retained for the duration of the relationship plus 2 years
    

  • Contract and service history data: retained for the duration of the contract plus 7 years
    

  • Financial and payroll data: 7 years from the date of the relevant transaction, as required by applicable law

• You can request access to, correction of, or deletion of your personal data by contacting us at the email provided below.

7.    Your privacy rights

• EU/EEA residents have specific rights under the GDPR, such as the right to access, correct, erase, restrict, port, and object to the processing of their personal data. You also have the right to withdraw your consent where processing is based on consent.

• California residents have certain privacy rights, such as the right to know what personal information is collected, the right to opt-out of the sale or sharing of personal information, and the right to delete their personal information.

• Residents of other jurisdictions where we operate may also have specific privacy rights, which we will respect.

• You can exercise your privacy rights by contacting us at the email provided below. If you believe we are unlawfully processing your personal information, you have the right to lodge a complaint with your local data protection supervisory authority.

8.    Data security

• We implement a range of technical and organizational measures to protect your personal information from unauthorized access, disclosure, and misuse, including encryption, access controls, and regular security assessments.

• However, no security measures are perfect, and we cannot guarantee the absolute security of your data.

9.    Automated decision-making and profiling

• We do not engage in any automated decision-making or profiling activities that produce legal effects or similarly significantly affect you.

10.    Changes to this policy

• We may update this privacy policy from time to time. The updated version will be indicated by an updated "Last Updated" date and will be effective 30 days after publication.

• We will notify you of material changes to this policy, either by prominent posting on our website or by direct communication.

11.    Contact us

• If you have any questions or concerns about this privacy policy or our data practices, please contact our Data Protection Officer:

  • Name: Siobhán FitzGerald

  • Email: dpo@eecc.energy

  • Address: E&C Consultants Hispania S.L., Carrer de Pizarro 1, 6º 22, 46004, Valencia, SPAIN