Protection of Personal Data (GDPR)

Enerfip, in the context of its activity as a European provider of crowdfunding services, processes the personal data of its clients, investors who are natural persons and directors or beneficial owners of Project Holders

As part of the entry into force on 25 May 2018 of Regulation EU 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation"), Enerfip ("the ECSP") wished to clarify its internal personal data processing policy. The terms used in the procedure have the meaning given to them by the General Data Protection Regulation, and in the Service Provision Agreement signed with investors. Taking into account the nature, scope, context and purposes of the processing carried out by Enerfip and the risks to the rights and freedoms of natural persons, Enerfip implements appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation. These measures shall be reviewed and updated as necessary.

Processing of personal data by Enerfip

Enerfip ensures that the processing of personal data carried out by Enerfip is:

  • necessary for the provision of the crowdfunding service provided by Enerfip to Investors and Project Holders; or

  • made compulsory by the legal or regulatory rules to which Enerfip is subject; or

  • consented to by acceptance of the privacy policy

Map of personal data processed

Enerfip collects, with the consent of individual investors, personal data concerning them.


Enerfip collects the IP address of visitors to its site

Registered investor

Enerfip collects the first name, last name, e-mail address and password of registered investors;

Approved Investor

In accordance with regulations concerning the fight against money laundering and the financing of terrorism, Enerfip collects identification information from Approved Investors. Two proofs of identity are therefore collected (national identity card or passport in particular and in accordance with the list provided by our Payment Service Provider). In some cases, a proof of residence less than three months old is also collected from Investors in the context of fundraising reserved for local residents of the project, subject to the specifications of the Commission de Régulation de l'Energie

In accordance with the obligations to which it is subject as a European provider of crowdfunding services, Enerfip collects, in the financial questionnaire, information relating to the financial situation, knowledge, experience and financial objectives of the Approved Investor

In accordance with the obligations relating to subscription forms and the keeping of the Issuers' registers when it carries out this optional service, Enerfip collects information relating to the investment of Approved Investors.

Managers and beneficial owners of Project Holders

In order to provide Project Holders with the service of a European provider of crowdfunding services, Enerfip collects (i) proof of identity, proof of address and a curriculum vitae from the Project Holder's manager, (ii) proof of identity and proof of address from persons holding, directly or indirectly, more than 25% of the capital or voting rights of the Project Sponsor or exercising, by other means, a power of control over the management, administrative or executive bodies or over the general meeting of partners or shareholders of the Project Sponsor.

Enerfip obtains the investor's consent to the processing of their personal data (request to tick the "Yes" box to the question "Do you authorise Enerfip to collect certain personal data as defined in our Privacy Policy below?

Enerfip ensures that the consent of investors is obtained in a free, informed and unambiguous manner

Proof of this consent is automatically archived by Enerfip in the client's personal space (nominative for Investors, or linked to an IP address for Visitors).

Security of processing

Enerfip implements appropriate technical and organisational measures to guarantee a level of data security appropriate to the risk, and in particular:

  • Secure physical storage of personal data (secure archive room with badge access);

  • Secure electronic storage of personal data (server);

  • Securing access to personal data (checking and limiting authorisations: limiting access to software, setting up passwords, securing access via VPN) ;

  • encryption of stored data (laptops)

  • Periodic modification of passwords;

  • regular hacking tests of the IT system;

  • for data stored in the cloud, annual verification of the service provider's compliance with regulations;

Enerfip carries out an internal audit once a year to assess the security of the personal data collected;


In its capacity as a European provider of crowdfunding services, Enerfip has chosen not to hold the funds invested by Investors, and to do so uses its Payment Service Provider (or Banking Partner).

In this context, Enerfip subcontracts certain data processing to its Banking Partner. The Banking Partner therefore has access to certain personal data of investors (surnames, first names, address, e-mail, proof of identity and the IP address used during their last investment).

Enerfip, in its capacity as data controller, and the Banking Partner, in its capacity as subcontractor, comply with the obligations applicable under the regulations.

Enerfip ensures that the Banking Partner has the technical and organisational resources that comply with the requirements of the regulations and guarantee the protection of the rights of Enerfip's customers.

Provision of information to persons whose personal data is collected

Each investor is provided with:

  • the identity and contact details of Enerfip in its capacity as data controller;

  • Enerfip's contact details, in particular the e-mail address;

  • the purposes of the processing carried out, namely the provision of the service of a European provider of crowdfunding services, the proposal to open an "EnerJ" savings account for minors or a legal entity Investor Savings Account, compliance with the legal and regulatory obligations incumbent on European providers of crowdfunding services;

  • the recipients of the personal data processed by Enerfip, in particular (i) the project sponsors of the subscriptions made by investors, (ii) Enerfip's Banking Partner, as part of the monitoring of cash flows linked to fundraising, as well as, where applicable, and in the event of extinctive management, (iii) certain Enerfip service providers (server manager, customer service management provider, e-mailing service providers) and (iv) in the event that Enerfip is no longer able to carry out its activities, the third party that takes over these activities.

In addition, and in accordance with applicable national and European regulations, investors' personal data may be passed on to the public authorities in the context of a specific investigation

  • the period of retention of personal data, i.e. five (5) years, due to the regulatory obligations applicable to Enerfip in its capacity as a provider of crowdfunding services, or the duration of the contract for the provision of investor services, whichever is greater;

  • the existence of rights of access, rectification, deletion, limitation of processing and portability of personal data;

  • the right to lodge a complaint with the CNIL;

  • the fact that the requirement to provide personal data to Enerfip is both contractual and regulatory in nature and that Enerfip will not be able to provide crowdfunding services if this information is not provided;

  • the existence of a certificate of suitability for each subscription containing the elements of the financial questionnaire;

Rights of persons concerned by the processing of personal data

Enerfip is responsible for processing requests for access, rectification, deletion, limitation of processing, portability or opposition from persons whose personal data is collected;

It shall notify each recipient to whom personal data has been communicated of any rectification, erasure or restriction of processing carried out.

Right of access

Enerfip processes requests for access and provides the following information:

  • the purposes of the processing;

  • the categories of personal data concerned;

  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients established in third countries or international organisations;

  • where possible, the length of time for which the personal data will be kept or, where this is not possible, the criteria used to determine this length of time;

  • the existence of the right to request from the controller the rectification or erasure of personal data, or a restriction on the processing of personal data relating to the data subject, or the right to object to such processing;

  • the right to lodge a complaint with a supervisory authority;

  • where personal data is not collected from the data subject, any available information as to its source;

  • the existence of an automated recommendation, including profiling and useful information concerning the underlying logic, as well as the importance and the foreseen consequences of this processing for the data subject.

Enerfip ensures that the data subject is provided with a copy of the personal data being processed

Thus, in accordance with the regulations, a user may, on simple request, by any means, obtain a copy of their personal data in our possession set within a period of receipt in accordance with the regulations in force. This type of request is automated

Enerfip requests payment of ten (10) euros for any additional copy requested by the person concerned.

Right of rectification

In accordance with its regulatory obligations, Enerfip regularly updates Investors' personal data

Upon exercise of the right of rectification by the person concerned, Enerfip will rectify inaccurate personal data as soon as possible

Upon provision of a supplementary declaration, Enerfip completes incomplete personal data

Enerfip informs the data subject that his/her right to rectification or completion applies without prejudice to his/her obligation to provide only accurate and complete information to Enerfip, and that Enerfip cannot be held responsible for the possible consequences of the provision of inaccurate information by the Investor, in particular in his/her answers to the financial questionnaire and in the signed subscription forms.

Right to erasure

Enerfip will deal with requests for deletion from data subjects as quickly as possible

In particular, it accepts such requests when the personal data is no longer necessary for the purposes for which it was collected or processed

It informs the data subject that it cannot accept his/her request, with regard to the purposes of the processing, when the contract for the provision of crowdfunding services is still in force, or when the period of five (5) years during which Enerfip is legally obliged to retain the personal data of its customers has not expired.

Right to limit processing

Enerfip ensures that the limitation of the processing of personal data is implemented when:

  • the accuracy of the personal data is contested by the data subject, for a period allowing the controller to verify the accuracy of the personal data;

  • the processing is unlawful and the data subject objects to the erasure of the data and demands instead that its use be restricted;

  • the controller no longer needs the personal data for the purposes of the processing operation, but the data are still necessary for the data subject to establish, exercise or defend legal claims;

  • the data subject has objected to the processing in accordance with Article 21(1) during the verification as to whether the legitimate grounds pursued by the controller override those of the data subject.

Where processing is restricted, Enerfip shall ensure that personal data, with the exception of storage, are only processed with the consent of the data subject or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or on important grounds of public interest of the Union or of a Member State.

Enerfip will inform the data subject before the processing restriction is lifted.

Data portability

Enerfip ensures that the personal data relating to an investor is stored on a durable medium

In particular, Enerfip keeps a copy of the answers provided to the financial questionnaire, and of the subscription forms signed by an Investor.

This data is provided to the person concerned on request.

In the event that Enerfip ceases its activity, it will make its best efforts, at the request of the person concerned, to ensure that the personal data is transmitted directly to the persons responsible for taking over Enerfip's activity.

Right to object

When Enerfip receives a request from an investor to object to the processing of his or her data, it informs the investor that it cannot comply with the request, as the data is processed in order to enable the performance of a contract and to comply with legal and regulatory obligations.

When Enerfip receives a request to object to the processing of its data from an Internet user whose data is processed for canvassing purposes, it ensures that this data is no longer processed for these purposes.

Register of processing activities

Enerfip keeps a register of processing activities carried out under its responsibility. This register includes:

  • the name and contact details of the data controller, and of the data controller's representative, as well as all information concerning the joint data controller;

  • the purposes of the processing;

  • a description of the categories of data subjects and categories of personal data;

  • the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

  • where applicable, transfers of personal data to a third country or to an international organisation;

  • as far as possible, the deadlines for the deletion of the various categories of data;

  • as far as possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the General Data Protection Regulation;

This register is updated twice a year by the Data Protection Officer, who is able to present it to the competent authority in the event of an inspection.

Privacy policy

Enerfip maintains a Privacy policy on its website which is freely available for consultation.

Last updated