ExperienceLab (“ExperienceLab”, “we” or “us”) is a customer experience design organisation and we take our data protection and privacy responsibilities seriously.
Our website may provide links to third-party websites. ExperienceLab is not responsible for the conduct of third-party companies linked to the website and you should refer to the privacy notices of these third parties about how they may handle your personal information.
ExperienceLab is owned and operated by Serco Limited (00242246), with its registered office at Serco House, 16 Bartley Wood Business Park, Bartley Way Hook, Hampshire, RG27 9UY.
We are the Controller of personal data we receive from clients, corporate customers’ employees and Service Users.
Due to the nature of our business, there will be occasions where we are the Controller (ultimately responsible for the personal data we gather and use) or the Processor (acting on behalf of a Client or another party who is the Controller) in relation to your personal data. This will be explained to you when your personal information is collected and processed.
The “Client” is the ExperienceLab client or corporate customer who commissioned an experience design project or booked our lab-hire services. The Client will be a Controller of any Research Participant personal information the Client receives from ExperienceLab in connection with the commissioned research project.
There may also be times where we work in partnership with a research partner and we will each be a Controller of your personal information; this will be explained to you at the time of the project.
If you have any questions about who may be the Controller and responsible for your personal information, please contact email@example.com.
We may collect personal data about you when:
• The personal data is provided to us by you (e.g. when you contact us by email or telephone);
• The personal data is collected when you contract with us to deliver our services;
• The personal data is collected when participating in research (e.g. through an interview or survey);
• The personal data is received by us from third parties who provide it to us (e.g. law enforcement agencies, your employer);
• The personal data is received by us from Clients, business partners or suppliers (e.g. research partners for a project, partner recruitment agencies, payment providers);
• The personal data has been made public by you (e.g. contacting ExperienceLab via a social media platform);
• The personal data is collected via our IT systems (e.g. our website); and
• The personal data is created by us, such as records of your communications with ExperienceLab.
The categories of personal information about you which we may collect and use, depending on our relationship and interactions with you, include:
• Personal details: title, full name, home address (current and historic), telephone and mobile numbers, email address, gender, date of birth, age, signature.
• Employment details: role, business activities, current employer, work-related social media profile details, business contact details (e.g. contact numbers, business address, work email address).
• Family and Friends Information: family and dependents, emergency contacts.
• Internal Identifiers: participant identification numbers, Client numbers.
• Financial Details: purchase transaction history, financial, bank or credit card information.
• Research Data: opinions and views collected when participating in research, including audio and video recordings, informed consent to participate in research and agreement to terms and conditions.
• Correspondence: details of referrals, quotes and other general contact and correspondence with you.
• Incident History: health and safety accidents, security incidents, accident information, complaints communications.
• Website Access Details: your computer’s unique identifier (e.g. IP address), general location, the date and time you accessed the Website, and the site you came from (e.g. Google).
• Special Category Data: health status, racial or ethnic origin, political views, religious or similar beliefs, sex life or sexual orientation and trade union membership.
Data protection and privacy laws require organisations to have a “legal basis” or “lawful ground” to collect and handle your personal information. We will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do so.
Research Participants: Participation in research projects run by ExperienceLab is completely voluntary, however the lawful basis for processing your personal data is determined by the Controller (please refer to section 2 above). If you have any questions, please speak to the designated contact person on the project or a member of our team on the day, or contact our Data Protection Champion using the details in section 12.
The purposes for which we may use your personal data and the legal bases we rely on to perform such processing are set out below:
Where necessary for the performance of a contract with you, or to take steps linked to a contract:
• To fulfil our contractual obligations to you; or
• To exercise our legal rights with respect to our contract with you.
Where you give us consent:
• On occasion we may ask for your consent; where we do, we will use your personal information for the purposes which we explain at the time.
For purposes which are required by law:
• In response to requests from government law enforcement authorities conducting an investigation; or
• Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business.
Where necessary for ExperienceLab’s legitimate interests or those of a third party:
• To deliver our services in service design, user research and digital design, including:
o conducting interviews, observations or collecting survey information from Research Participants,
o conducting in-person or remote workshops, focus groups or co-design sessions with Research Participants and Clients,
o carrying out usability testing on digital services in our lab space, in Client offices or an appropriate space for the Research Participants, and
o creating user research insights and reports based on research data for our Clients;
• To manage our relationship with you including any enquiries, complaints and feedback;
• For security purposes, including managing access to research materials, authenticating your identity and recording visits to our business premises;
• For promotional purposes;
• For accounting, auditing and risk management purposes;
• To support business and administrative functions;
• For health and safety purposes;
• For staff training purposes;
• To monitor compliance with internal business policies;
• For business management and analysis purposes and to improve the efficiency and quality of service delivered to our Clients;
• To prevent, investigate and/or report fraud, misrepresentation, security incidents or crime, in accordance with applicable law;
• To manage the security of our networks and property and ensure appropriate use, including monitoring access to our web platform and IT systems;
• In connection with a business transaction such as merger, restructuring or sale of the business; or
• We will use personal information in connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.
Where we need to use your personal information for any other purpose, we will let you know at the time of collection or as required or permitted by law.
How do we justify our legitimate interests?
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We have undertaken balancing tests for the data processing we carry out based on our legitimate interests. You can obtain information on our balancing tests by contacting us on the details in section 13 below.
Special category information is certain kinds of personal data that is particularly sensitive and requires higher levels of protection. We may collect certain types of special category information, as set out in section 5, from time to time, primarily in the following scenarios:
• Such personal information specifically forms part of the scope of our research;
• You provide details about your health and/or disability, so we can provide additional support and assistance when attending our offices; or
• You choose to share such information in your communications with us or in your research responses.
Where we do collect and handle special category personal information, we will only handle that information in accordance with applicable law, including where:
• We have your explicit consent;
• Processing is necessary for the establishment, exercise or defence of legal claims; or
• Processing is necessary for reasons of substantial public interest.
Less commonly, we may process this type of information where it is needed to protect your vital interests (or someone else’s vital interests) and you are not capable of giving your consent, or where you have already made the information public.
We will only disclose personal information to a third party in limited circumstances, or where we are permitted to do so by law. We may share your personal information with Clients, research partners and third parties as described below:
• If you are a Research Participant, we will collect your responses from a research session, anonymise them where appropriate, and provide them to the Client who commissioned the research, subject to an appropriate data sharing arrangement between the parties (please refer to section 2 for more details).
• With a research partner, who will also be a Controller, where the research is conducted in accordance with a partnership arrangement (as applicable);
• Other organisations within the Serco group of companies, where they have commissioned the work as a Client or where such disclosure is necessary to provide our services or to manage our business;
• With our Research Participant recruitment agency partners and suppliers, in order to confirm your participation in the research project, schedule research sessions for us or a Client, and on occasion facilitate payment of any incentive owed to you;
• With third parties who help manage our business and deliver services (e.g. payment service providers, debt collectors, IT support service providers, business development contractors, marketing companies) and our professional advisors (e.g. law firms, insurers, auditors, brokers). These third parties have agreed to confidentiality restrictions and use any personal information we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us;
• Third parties approved by you (e.g. when you request your data to be transferred); and
• Government, regulatory and law enforcement bodies where we are required in order:
o to comply with our legal obligations;
o to exercise our legal rights (e.g. pursue or defend a claim); and
o for the prevention, detection and investigation of crime.
We may transfer your personal information to third parties in connection with a reorganisation, restructuring, merger, acquisition, sale or transfer of assets, or in the event there is an operational or management change of the business.
Our services are offered on a global basis. The personal information that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) (for example, in the USA). It may also be processed by workers operating outside the EEA who work for us or for one of our service providers.
We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests. To this end, we will:
• When transferring personal data to a Client or third parties outside the EEA:
o put in place binding corporate agreements, which will include the standard contractual clauses approved by the European Commission for transferring personal information outside the EEA, to ensure that your information is safeguarded; or
o ensure that the country in which your personal information will be handled has been deemed “adequate” by the European Commission or the company is registered and compliant with a European Commission approved privacy shield scheme.
• Carefully validate any requests for information from law enforcement or regulators before disclosing the information.
• In the limited circumstances that information is transferred within Serco Group companies, ensure such transfers are covered by an intra-group data sharing agreement entered into by all relevant entities within Serco Group, which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection.
If you would like further information about the global handling of your personal information, please contact us at firstname.lastname@example.org.
ExperienceLab takes precautions including administrative, technical and physical measures to safeguard your personal information against loss, theft and misuse, as well as against unauthorised access, modification, disclosure, alteration and destruction. We protect your personal information using a variety of security measures including:
• Password protected access;
• Data back-up;
• Secure, encrypted cloud-based services;
• Placing confidentiality requirements on employees and service providers;
• Providing employee training to ensure that your personal data is handled correctly;
• Destroying or permanently anonymising personal information if it is no longer needed for the purposes it was collected; and
• Secure physical storage units for hard copy files with appropriate security restrictions, preventing damage, and unauthorised access to your personal information.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website; any transmission is at your own risk. Once we have received your information, we have in place robust procedures and security features to try to prevent unauthorised access.
Below are the general criteria we use to determine how long we will keep your personal information, after which we will either delete or anonymise your personal data:
Data collected through ExperienceLab’s Lab hire (where ExperienceLab is a Processor):
Participant data in the form of notes will be handed over to our Client at the end of the research and removed from the lab premises. Any digital data gathered at the request of the Client will be stored on our data servers locally and deleted after a period of 3 months unless otherwise expressly requested by the Client.
Other Research Data and General Personal Data:
Unless otherwise stated, ExperienceLab will generally retain your personal data in accordance with any applicable limitation period (as set out in applicable law) plus one (1) year, to allow reasonable time for review and deletion/anonymisation of the personal information held. This will usually be seven (7) years following the expiry of our business or participant relationship with you.
We are required by law (for the purpose of complying with regulatory, tax, accounting requirements etc.) to retain certain information for a period following the expiry of our relationship with you.
In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.
You have legal rights in connection with personal information. Under certain circumstances, by law you have the right to:
• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information (commonly known as the “right to be forgotten”). This enables you to ask us to delete or remove personal information in limited circumstances, where: (i) it is no longer needed for the purposes for which it was collected; (ii) you have withdrawn your consent (where the data processing was based on consent); (iii) following a successful right to object (see Object to processing); (iv) it has been processed unlawfully; or (v) to comply with a legal obligation to which ExperienceLab is subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary for several reasons, including: (i) for compliance with a legal obligation; or (ii) for the establishment, exercise or defence of legal claims.
• Object to processing of your personal information by us or on our behalf which has our legitimate interests as its legal basis for that processing, if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. You can object at any time to your personal information being processed for direct marketing (including profiling).
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, but only where: (i) its accuracy is contested, to allow us to verify its accuracy; (ii) the processing is unlawful, but you do not want it erased; (iii) it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or (iv) you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where: (i) we have your consent; (ii) to establish, exercise or defend legal claims; or (iii) to protect the rights of another natural or legal person.
• Request the transfer of your personal information. You can ask us to provide your personal information to you in a structured, commonly used, machine readable format, or you can ask to have it transferred directly to another Controller, but in each case only where: (i) the processing is based on your consent or on the performance of a contract with you; and (ii) the processing is carried out by automated means.
• Obtain a copy, or reference to, the personal data safeguards used for transfers outside the European Union. We may redact data transfer agreements to protect commercial terms.
• Withdraw consent to processing where the legal basis for processing is solely justified on the grounds of consent.
Please note, to ensure security of personal information, we may ask you to verify your identity before proceeding with any such request.
We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
If you would like to exercise any of these rights, please submit your requests to the Data Protection Champion (DPC) at ExperienceLab.
Data Protection Champion
56-58 Southwark Street, London, SE1 1UN
Telephone: 020 3910 7710
Alternatively contact the Data Protection Officer (DPO) via the details set out below.
Subject to legal and other permissible considerations, we will make every effort to honour your request promptly and inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Data Protection Officer
11 Bartley Wood Business Park
Alternatively, please email email@example.com or call +44 (0)1256 745900.
We would be happy to address any concerns you have about your data privacy directly, and we encourage you to contact us in the first instance with your queries. However, you have a right to lodge a complaint with the Information Commissioner’s Office (https://ico.org.uk/concerns/ or telephone: 0303 123 1113) who will then investigate your complaint accordingly.