Privacy Notice

PDR is a design and innovation research institution set up by Cardiff Metropolitan University in 1994. Cardiff Metropolitan University’s Privacy Statement can be found here.

The following Notice describes how your data is managed by PDR in accordance with data protection legislation - the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).


Cardiff Metropolitan University is the Data Controller and is committed to protecting the rights of individuals in line with the GDPR and the DPA18. The University’s Data Protection information can be found here: University Structure & Governance Data Protection (

Data Protection Contact

Cardiff Metropolitan University’s Information and Data Compliance Officer can be contacted via the following routes (if you have any further queries regarding the processing of your data):

Telephone: 02920 20 5758.

Email: and/or


By means of this notice, PDR wishes to notify you of the following:

  • The Personal Data and Special Category Data PDR collects;
  • Why PDR collects and processes this data;
  • Who has access to this data and who PDR shares the data with;
  • The legal basis for processing Personal and Special Category Data;
  • Technical and organisational measures to ensure Personal Data remains secure;
  • Retention periods; and
  • General information.

Personal Data Collected

Date of Birth

Email Address(es)


Hospital Number

Interview Records

Job Title


Phone Number

Registration Forms

Special Category Data Collected

(Please note: Special Category Data is personal data that needs more protection because it is sensitive)

Biometric data including audio recordings and photographs

Conditions that affect one’s ability to use a computer



Medical Scan Data

PDR collects this information across four different areas: A Policy Group, Business Development, a User Centered Design Group, and a Surgical and Prosthetic Design (SPD) Group. For more information about each area, please see the PDR Website.

What PDR uses your personal data for

PDR collects your data for the purpose of carrying out research to design, test and improve products and services, for private, public and third sector clients.

When people are invited to take part in research, PDR must ensure that individuals meet the criteria for the research, and that a wide range of people are being included.

During the research, PDR collects data to ensure that an accurate record of what happened and what was said is kept. This is important for data analysis and drawing conclusions.

PDR also collects data for the purposes of business development, commercial work, and EU projects.

Sharing Information with Other Organisations

No third parties will have access to your Personal Data unless the law allows them to do so.

If PDR shares information with other organisations, the data within that information is anonymised and therefore not subject to any data protection legislation.

PDR’s Legal Basis for Processing Your Personal Data

In order to process your personal data, PDR must ensure that we are compliant with one of the ‘Lawful Bases’ for processing under Article 6 of the GDPR. This means that we must have a lawful reason for using/storing personal information for the purposes outlined in the “What PDR uses your personal data for” section of this notice.

Article 6.1(a) – Consent

PDR may rely on your explicit consent in order to use your personal information. If and when PDR ask for this consent, you will be fully informed of the reasons why we need your data and you will have the right to withdraw that consent at any time.

Article 6.1(b) – Performance of a Contract

The processing of your data may be necessary in order to fulfil the requirements of a contract PDR have in place with you or with a third party organisation.

Article 6.1(f) – Legitimate Interests

PDR can process certain personal data if it is in your legitimate interests to do so or it is in the legitimate interests of a third party. This lawful basis would only be used if there is no other legal reason for processing your data and your legitimate interests outweigh the necessity to keep the personal data protected.

Security of Processing

As the Controller, Cardiff Metropolitan University has implemented technical and organisational measures to ensure personal data processed remains secure; however, absolute security cannot be guaranteed. Should you have a concern about a method of data transmission, the University will take reasonable steps to provide an alternate method. For more information about IT security at Cardiff Metropolitan University, and keeping your data safe, please click here.

Retention of Personal Data

The data collected during research will be held for a maximum of 12 months following completion of the research.

PDR will hold summarised data, your name, and a record of consent for a maximum of 3 years.

Any data relating to EU projects will be retained for 5 years.

Ultimately, all data will be retained securely by the University in accordance with its Records Management Policy. After the expiration of retention periods, data shall be securely deleted.


Cardiff Metropolitan University has a Data Protection Policy, which can be found here.

If you wish to make a complaint about the way your personal data has been processed you can find details of how to do so here.