GDPR Compliance Statement

1. Introduction

ScenarioLab Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This GDPR Compliance Statement outlines how we meet our legal obligations when handling personal data through our website, interactive training games, and related services.

This document supplements our Privacy Policy and provides transparency about our data protection practices, controls, and responsibilities.

2. Our Commitment to GDPR Principles

ScenarioLab Ltd adheres to all six core principles of UK GDPR. Personal data must be:

1. Processed lawfully, fairly and transparently
   We explain how data is used and ensure processing has a valid legal basis.
2. Collected for specified, explicit, and legitimate purposes
   We do not use data in ways that are incompatible with the purposes for which it was collected.
3. Adequate, relevant, and limited to what is necessary
   We collect only the minimum data required to deliver and improve our services.
4. Accurate and kept up to date
   We update or correct data when requested.
5. Stored only as long as necessary
   Retention periods are defined and data is securely deleted when no longer needed.
6. Processed securely
   We implement strong technical and organisational measures to protect data.

These principles guide all processing conducted by ScenarioLab Ltd.

3. Lawful Basis for Processing

ScenarioLab Ltd processes personal data under one or more of the following lawful bases:

3.1 Contract

To deliver the training services users or organisations have purchased or been granted access to.

3.2 Legitimate Interests

For activities such as:

• Analytics and platform performance
• Improving the training experience
• Preventing abuse or misuse

Legitimate interests are always balanced against user rights.

3.3 Legal Obligation

Where required to comply with UK law (e.g., financial reporting or regulatory enquiries).

3.4 Consent

Used only for optional activities, such as receiving marketing updates.

Consent is freely given and may be withdrawn at any time.

4. Data Subject Rights

Under UK GDPR, individuals have the right to:

• Access their personal data
• Rectify inaccuracies
• Erase data where applicable
• Restrict processing
• Object to certain types of processing
• Request data portability
• Withdraw consent when processing relies on it

Requests can be made via email, and ScenarioLab Ltd will respond within statutory timeframes (usually one month).

5. Data Minimisation & Purpose Limitation

We only process data necessary for:

• Delivering interactive training modules
• Recording training progress and outcomes
• Supporting compliance reporting
• Providing analytics to improve the learning experience
• Maintaining platform functionality and security

Performance metrics (such as hints used, completion times, and scene interactions) are used solely for training analytics, platform optimisation, and reporting back to organisations where applicable.

6. Data Security Measures

We take data security seriously and apply the following controls:

• Encryption (in transit and at rest)
• Role-based access control
• Multi-factor authentication for internal systems
• Secure, audited cloud hosting
• Continuous logging and monitoring
• Regular internal reviews and updates
• Least-privilege access principles

Only authorised personnel with a legitimate business need may access personal data.

7. International Data Transfers

If personal data is transferred outside the UK (for example, if cloud service providers store data in international regions), ScenarioLab Ltd ensures:

• Transfers occur only to jurisdictions with adequate protection or
• We implement Standard Contractual Clauses (SCCs) or equivalent safeguards

Details on specific providers can be provided upon request.

8. Data Breach Management

ScenarioLab Ltd follows a structured incident response plan.

In the event of a personal data breach:

1. Immediate Assessment
   We identify the nature, scope, and severity of the breach.
2. Containment
   Steps are taken to protect affected systems and prevent further impact.
3. Notification
   If legally required, we notify:
   • The Information Commissioner's Office (ICO) within 72 hours
   • Affected individuals without undue delay
4. Review & Prevention
   We document the breach, analyse what happened, and implement measures to prevent recurrence.

9. Data Retention

ScenarioLab Ltd retains personal data only for as long as necessary to fulfil operational, contractual, or legal obligations. Examples include:

• Training performance data: retained for training history or certification
• Contact details: retained while accounts remain active
• Logs & diagnostic data: retained for operational and security purposes
• Legal records: retained as required by law

Upon expiry of the retention period, data is securely deleted or anonymised.

10. Roles & Responsibilities

ScenarioLab Ltd's responsibilities:

• Ensuring GDPR compliance
• Providing privacy information
• Handling data subject requests
• Maintaining records of processing
• Implementing security controls
• Training staff on data protection

Users and clients are responsible for:

• Providing accurate information
• Using the platform lawfully
• Protecting their login credentials

11. Policy Review

This GDPR Statement is reviewed at least annually or whenever:

• Regulations change
• We update key systems or processes
• New products or data-handling operations are introduced

The latest version will always be publicly available.