GDPR - Frequently Asked Questions

Learn more about Crystal's approach to GDPR compliance below.

Contents

Introduction to this FAQ

Definitions used in this FAQ

FAQs

1. What is Crystal Project’s role under GDPR in relation to the Crystal Platform?
2. What is the Customer’s role under GDPR in relation to the Crystal Platform?
3. Who at Crystal Project can the Customer contact with data protection related queries?
4. What Processing does Crystal Project conduct on behalf of its Customers to provide the Services?
5. How does the Crystal Platform source the Personal Data used for the Assessments and Predictions?
6. Does the Crystal Platform data-match Assessments and Predictions?
7. Are User Accounts and Personality Profiles private or publicly viewable?
8. Which lawful basis can Customers apply for Assessments and Predictions which complies with the lawful Processing obligation under GDPR?
9. How can Customers ensure that the use of Assessments and Predictions complies with transparency requirements under GDPR?
10. Are the Personality Profiles a form of profiling?
11. Are the Personality Profiles a form of automated decision making?
12. Does Crystal Project use the Personality Profiles generated by its Customers for its own purposes?
13. Does Crystal Project use sub-Processors for the Services?
14. Where does Crystal Project store Personal Data it holds as a Processor?
15. How long does Crystal Project retain Personal Data it holds as a Processor?
16. What security measures does Crystal Project apply to Personal Data?
17. In the unlikely event of a Personal Data Breach, how will Crystal Project respond?
18. Can Crystal Project assist Customers with GDPR compliance in other ways?
19. Can Customers conduct inspections and audits of Crystal Project’s GDPR practices?

Introduction to this FAQ

With Customers based all over the world, including the EU and UK, we understand how important it is for our Customers to ensure compliance with the GDPR (including the UK GDPR). This FAQ explains Crystal Project’s approach to data protection and privacy generally and how we collaborate with our Customers to ensure compliance with the GDPR.

The Crystal Platform is a SaaS platform that provides on-demand Personality Profiles, insights, and coaching for our Customers. Personality Profiles can be created in two ways: (1) Assessments – personality types are assessed using traditional personality questionnaires (e.g. DISC, Strengths, Myers-Briggs, Enneagram); and (2) Predictions – personality types are predicted using machine-learning-enabled analysis of text samples (e.g. a person’s writing style), job experience, and other publicly available data.

This FAQ is not intended to be contractual in nature or legally binding unless otherwise expressly stated. The terms of this FAQ apply to the exclusion of any terms and conditions (express or implied by law or otherwise) which our Customers may seek to introduce or rely upon unless we otherwise agree in writing.


Definitions used in this FAQ 

  • Personality Profiles means the personality profiles created for Respondents, being the results of the Assessments and/or Predictions.
  • Crystal Platform means the particular edition and elements of the Crystal applications, tools and platform subscribed to by Customer under a contract, and developed, operated, and maintained by Crystal Project, accessible via www.crystalknows.com or another designated URL, and any ancillary online or offline products and services provided to Customer by Crystal, to which Customer is being granted access pursuant to the relevant contract between the parties.
  • Crystal Project means Crystal Project, Inc. and any entity which directly or indirectly controls, is controlled by, or is under common control with Crystal Project, Inc. References to us, we, our are references to Crystal Project.
  • Customer means the person or entity who has purchased the Services and identified in the applicable statement or order form as our customer.
  • Controller, Data Subject, Personal Data, Personal Data Breach, Processing, Processor, Special Categories of Personal Data, each have the meanings given to them by the GDPR.
  • GDPR means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and (ii) the GDPR as it forms part of the law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
  • Respondent means a Prediction Respondent and an Assessment Respondent, together or individually.
  • Services means the provision of access to, and use of, the Crystal Platform by way of subscription, including the ability to use the available tools for Assessments and Predictions.
  • User Accounts means the account held by an individual User on the Crystal Platform by way of individual user identification and password.
  • User(s) means Customer's employees, representatives, consultants, contractors or agents who are authorized to use the Service for the benefit of the Customer and who have been supplied User Accounts by Customer (or by Crystal Project at Customer’s request).

1. What is Crystal Project’s role under GDPR in relation to the Crystal Platform? 

Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller.

Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions and we act as a Processor on behalf of our Customers in providing the Services. This is because we, Crystal Project, and the Crystal Platform, only Process the Personal Data collected and used for Assessments and Predictions when instructed to do so by our Customers (including via the Users) for the purpose of providing our Services.  

Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.

2. What is the Customer’s role under GDPR in relation to the Crystal Platform?

Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller. Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions. 

3. Who at Crystal Project can the Customer contact with data protection related queries?

For further information about Crystal Project’s data protection and privacy practices, please email [email protected]. We also have a dedicated information security resource who ensures our adherence to the GDPR.

4. What Processing does Crystal Project conduct on behalf of its Customers to provide the Services?

The table below sets out the subject matter and duration of the Processing by Crystal Project on behalf of its Customers, the nature and purpose of the Processing, and the types of Personal Data Processed and categories of Data Subjects. Each row is given for the three Processing activities: Assessments, Predictions, and Users who complete Assessments.

Categories of Data Subject

Assessments: Assessment Respondents

The Crystal Platform allows Users to run Assessments by sending email invitations and unique links to any third party selected by the User. When a person (e.g. the recipient of the invitation) completes the Assessment given to them within a unique link, they are considered an Assessment Respondent.

The Customer decides which types of Data Subjects it wishes to send invitations to and therefore which types of Data Subjects become Assessment Respondents. This could be, for example only, employees of the Customer, Users, customers of the Customer, potential customers of the Customer, etc.

The Customer may, if it wishes, issue guidance to its personnel who are Users on which types of individuals the personnel are permitted to send Assessments to.

Predictions: Prediction Respondents

The Crystal Platform provides functionality for Users to generate Predictions for individuals based on text analysis. When a Prediction is completed in relation to a particular individual, that individual is considered a Prediction Respondent.

The Customer decides which types of Data Subjects it wishes to carry out Predictions for and therefore which types of Data Subjects become Prediction Respondents. This could be, for example only, employees of the Customer, Users, customers of the Customer, potential customers of the Customer, etc.

The Customer may, if it wishes, issue guidance to its personnel who are Users on which types of individuals the personnel are permitted to conduct Predictions for.

Users who complete Assessments: Users who are Assessment Respondents

Types of Personal Data used

Assessments:

The Assessments generally use and Process very limited amounts and categories of Personal Data as outlined below.

The Assessments mainly pose questions to Respondents in the form of high-level and general statements, and therefore the questions asked are not specific to the individual’s private life and are not intrusive. Additionally, the Respondent’s answer to each statement is given by selecting from a multiple choice list of answers (a sliding scale from ‘strongly agree’ to ‘strongly disagree’) without any additional information being captured.

The Assessments generally only Process Personal Data provided by the Assessment Respondents themselves.

The main types of Personal Data Processed by Crystal Project for Assessments are:

a) name of the Assessment Respondent;
b) contact information for the Assessment Respondent;
c) job title/role of the Assessment Respondent;
d) employer of the Assessment Respondent;
e) the Assessment Respondent’s responses to Assessments.

The Assessments do not use Special Categories of Personal Data and we advise our Customers not to use our Services in relation to Special Categories of Personal Data.

Predictions:

The Predictions generally use and Process very limited amounts and categories of Personal Data as outlined below. The Predictions mainly use and analyse Personal Data that is of a corporate, business or professional nature (e.g. the types of information available on a LinkedIn profile) rather than Personal Data that is of a sensitive nature or related to the Prediction Respondent’s private life outside of their profession. The Predictions only Process Personal Data that is publicly available or uploaded by the User.

The main types of Personal Data Processed by Crystal Project for Predictions are:

a) name of the Prediction Respondent;
b) contact information for the Prediction Respondent;
c) job title/role of the Prediction Respondent;
d) employer of the Prediction Respondent;
e) bios related to the Prediction Respondent;
f) text samples which are publicly available or provided by the Customer;
g) LinkedIn URL (if relevant);
h) email address (if relevant).

There is the option for our Customers to use Back End Data when conducting Predictions (discussed further below). The Personal Data categories which make up such Back End Data are: job, company, work history, industries, interests, skills, experience (all being Personal Data related to an individual’s profession rather than of a private nature).

The Predictions do not use Special Categories of Personal Data and we advise our Customers not to use our Services in relation to Special Categories of Personal Data.

Users who complete Assessments:

The Assessments generally use and Process very limited amounts and categories of Personal Data as outlined below.

The Assessments mainly pose questions to Respondents in the form of high-level and general statements, and therefore the questions asked are not specific to the individual’s private life and are not intrusive. Additionally, the Respondent’s answer to each statement is given by selecting from a multiple choice list of answers (a sliding scale from ‘strongly agree’ to ‘strongly disagree’) without any additional information being captured.

The Assessments generally only Process Personal Data provided by the User themselves.

The main types of Personal Data Processed by Crystal Project for Assessments are:

a) name of the Assessment Respondent;
b) contact information for the Assessment Respondent;
c) job title/role of the Assessment Respondent;
d) employer of the Assessment Respondent;
e) the Assessment Respondent’s responses to Assessments.

The Assessments do not use Special Categories of Personal Data and we advise our Customers not to use our Services in relation to Special Categories of Personal Data.

Subject Matter of Processing by Crystal Project on behalf of Customer

Assessments, Predictions, and Users who complete Assessments: To provide the Services to and on behalf of the Customer.

Purpose of Processing by Crystal Project on behalf of Customer

Assessments, Predictions, and Users who complete Assessments: To provide the Services to and on behalf of the Customer.

Nature of Processing by Crystal Project on behalf of Customer

Assessments: All Processing required to provide the Services including in particular: (a) analysis of Assessment responses using predictive statistical models; and (b) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Assessment Respondents.

Predictions: All Processing required to provide the Services including in particular: (a) analysis of text samples, based on writing style and content within the samples, and related Personal Data using natural language processing technology; (b) the collection and analysis of Back End Data when requested by the Customer; and (c) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Prediction Respondents.

Users who complete Assessments: All Processing required to provide the Services including in particular: (a) analysis of Assessment responses using predictive statistical models; and (b) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Assessment Respondents.

Duration of Processing by Crystal Project on behalf of Customer

Assessments, Predictions, and Users who complete Assessments: Please see the section below on data retention.

In general terms, when we are acting as a Processor, we only Process Personal Data in accordance with the reasonable instructions of the Controller unless the law says otherwise. The contracts we have in place with our Customers set out the instructions from our Customers. Any additional or alternative instructions will be jointly agreed between us and our Customers in writing.

5. How does the Crystal Platform source the Personal Data used for the Assessments and Predictions?

Assessments

The majority of the Personal Data used for Assessments is collected by the Customer directly from the Respondent when it asks a Respondent to complete an Assessment.

Predictions

(a) Back End Data

Back End Data (described above) is aggregated and returned via API by our sub-Processor. Our current sub-Processor used for data collection is People Data Labs. Customers can read more about People Data Labs’ data sourcing here: https://docs.peopledatalabs.com/docs/data-sources. The link explains that People Data Labs uses public data sources (e.g. open-sourced datasets, publicly available data, governmental public records) and validates the source and accuracy of all data before adding it to its datasets.

Back End Data is used for Predictions when Customers use the Crystal Chrome Extension in Gmail, Outlook, Salesforce, HubSpot, and the Crystal dashboard. Customers using the Crystal Chrome Extension on LinkedIn have the option to turn Back End Data enrichment on or off for all Users in the account, depending on their own needs and preferences.  

(b) Client-Side Text Samples

On websites with available text samples (including job titles, experiences, bios, etc.), the Crystal Chrome Extension uses a client-side predictive model to immediately generate a Predicted Profile without sending any of the text samples to Crystal Platform servers. When a client-side profile is generated, the Crystal Platform links the profile created by the User to an identifier of the Prediction Respondent (e.g. email address or LinkedIn URL). Crystal Project does not directly scrape or copy profiles from any website or social network.

(c) Server-Side Text Samples

On the Crystal Platform dashboard, Users may upload a text sample as raw text or a PDF file in order to generate a Predicted Profile. In this case, the text sample is sent to Crystal Platform servers for back-end analysis, but none of the original text sample is saved (as with client-side analysis). The User may associate a unique identifier with the Predicted Profile.

(d) Connected Accounts

When Users use the Crystal Platform they may grant us access to third-party applications (e.g. Gmail, Outlook or LinkedIn), which we refer to as Connected Accounts. The Crystal Platform does not have access to email content within Connected Accounts, and the only information that is transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes; none of it is used for generating Predicted Profiles.

6. Does the Crystal Platform data-match Assessments and Predictions?

Within the User Accounts there is a clear differentiation on the dashboard between “verified” user profiles (e.g. Assessment Personality Profiles) and “predicted” profiles (e.g. Prediction Personality Profiles). The Crystal Platform provides Users the option to associate their own Assessment Personality Profiles with their unique identifiers (email address, LinkedIn profile URL) by setting their profile to Public or Private.

7. Are User Accounts and Personality Profiles private or publicly viewable?

Personality Profile of Users

Within the profile privacy settings of each User Account, each User has the option to make their own Personality Profile viewable to themselves only (Private), their team, their company (e.g. the Customer), or Public for everyone. We recommend that Customers inform Users of this functionality so that Customers and Users can set their privacy settings before publishing a Personality Profile.

A User’s privacy settings can be updated at any time by the User, and team admins can also set them on behalf of their team members.

The User’s profile contains all of the User’s own completed assessment results, along with associated insights like “energizers”, “stressors”, and “natural tendencies.”

Personality Profiles for Assessment Respondents

Only the User who sends the Assessment invitation to the Assessment Respondent and specific individuals on the User’s team have access to the Assessment results of the Assessment Respondent. We recommend that our Customers issue their Users with guidance on sharing of Personality Profiles among teams to ensure compliance with the Customer’s own internal policies and procedures.

Personality Profiles for Prediction Respondents

Prediction Profiles are only available to the User who created them and their team admin if applicable. 

8. Which lawful basis can Customers apply for Assessments and Predictions which complies with the lawful Processing obligation under GDPR?  

We understand that our Customers, as Controllers, have responsibility under GDPR to Process Personal Data lawfully, and in compliance with a lawful basis. The responsibility for selecting the appropriate lawful basis sits with the Customer as the Controller but to assist, we have set out our legitimate interests assessment for Assessments and Predictions when we, Crystal Project, use our Crystal Platform for our own Processing purposes.

Before relying on the lawful basis of legitimate interests, the Controller needs to assess:

  1. Purpose Test: is the Controller pursuing a legitimate interest?
  2. Necessity Test: is the intended Processing necessary for that purpose?
  3. Balancing Test: do the Data Subject’s rights and interests override the legitimate interest of the Controller?

Purpose Test

The Personality Profiles are typically used by Users to improve communications and relationships with the Respondents with the intention of:

  • enhancing the skills and effectiveness of personnel and teams e.g. team collaboration, leadership development and talent acquisition;
  • enhancing sales, business opportunities and business growth through more effective marketing and customer success; and
  • enhancing other key business functions that rely on communication skills.

These are all legitimate interests of businesses and organisations.

Necessity Test

Controllers also need to demonstrate that the Processing is necessary for the purposes of the legitimate interest identified. The UK and EU data protection regulators have commented that this does not mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving the legitimate interest.

We deem the Processing to be targeted and proportional as: 

  • It is proportionate to understand the personalities of personnel, customers and potential customers to tailor communications appropriately.
  • The analysis conducted by the Crystal Platform would be exceptionally difficult (if not almost impossible) and time consuming to replicate by other means.
  • The detail in the Personality Profiles of a Respondent or User is a broadly described cohort by reference to a generic personality type.
  • The Personality Profiles describe a small aspect of a Respondent or User e.g. their personality type with reference to 16 generic personality types.

Balancing Test

The Balancing Test requires Controllers to take into account: (a) the data protection and privacy rights of the Data Subject, (b) the fundamental rights of the Data Subject and (c) the more general interests of the Data Subject, and ensure that such rights/interests do not override the Controller’s interests.

We have considered the following in relation to the Balancing Test: 

  • The detail in the Personality Profile of a Respondent or User is a broadly described cohort by reference to a generic personality type.
  • The Personality Profile describes a small aspect of a Respondent or User e.g. their personality type with reference to 16 generic personality types.
  • The Predictions would not appear to override any privacy rights or fundamental rights as the Personal Data that is used is minimal, generally of a corporate nature (e.g. it is Personal Data related to the Data Subject’s profession rather than being of a private nature), is not Special Categories of Personal Data, and is publicly available, and therefore the Respondent does not, it can be reasonably assumed, have an expectation of privacy in relation to such information.
  • The Assessments would not appear to override any privacy rights or fundamental rights as the Personal Data that is used is minimal, the questions asked under the Assessments are high-level and general statements (and therefore the questions asked are not specific to the individual’s private life and are not intrusive), the Respondent’s answer to each statement is given by selecting from a multiple choice list of answers (a sliding scale from ‘strongly agree’ to ‘strongly disagree’) without any additional information being captured, and the information is willingly provided by the Respondent.
  • The Assessments and Predictions are in the beneficial interests of the Respondent and/or User. They allow the Customer to interact with and communicate with the Respondent on terms which are likely to be welcomed by the Respondent. They also allow Users to better understand their own personalities and preferences, and to better understand their strengths and weaknesses.
  • Only the assumptions and determinations of the Crystal Platform, as based on the data, are disclosed to Customers and Users rather than the specific data itself.
  • The text samples used for the Predictions are not stored by Crystal Project or the Crystal Platform.
  • The Crystal Platform does not target children or other vulnerable individuals as it uses the limited Personal Data of adults only.
  • The Processing is not of any nature that a Personal Data Breach could jeopardise the health or safety of any individuals, or otherwise cause them any substantial harm (e.g. there is no risk of ID fraud).
  • Within the User Accounts there is a clear differentiation on the dashboard between “verified” user profiles (e.g. Assessment Personality Profiles) and “predicted” profiles (e.g. Prediction Personality Profiles).
  • Personality Profiles of Respondents can be privately held by Customers.

Overall Assessment

We are of the view that legitimate interests can be relied on when the three Tests are applied and balanced among one another.

9. How can Customers ensure that the use of Assessments and Predictions complies with transparency requirements under GDPR?

We understand that our Customers, as Controllers, have responsibility under GDPR to take appropriate measures to provide certain privacy information relating to Processing to Data Subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Assessments

Assessment Respondents willingly provide all Personal Data provided in Assessments and therefore we expect that our Customers make their Assessment Respondents aware, at the time of sending the invitation, of the purpose of the Assessments (e.g. personality test) and how the Customer will use the Personality Profile generated from the Assessments (e.g. to tailor communications appropriately).

We recommend that our Customers, as the Controllers of Personal Data used for Assessment purposes, also consider: (a) sending Assessment Respondents a copy of the Customer’s relevant privacy notice alongside the invitation to the Assessment; and (b) informing the Assessment Respondent of the privacy setting that will be applied to their Personality Profile once generated (e.g. viewable only by the User who sent the invite, or viewable by others in the User’s team).

Predictions

As noted above, the Predictions only use publicly available information alongside an identifier (e.g. email address) or text samples uploaded by the User.

We recommend that our Customers, as the Controllers of Personal Data used for Prediction purposes, update their public facing privacy notice (e.g. as available on their website) to let individuals know that the Customer conducts Processing related to Predictions. Where Customers are conducting Predictions for existing contacts (e.g. existing customers, existing potential customers) the Customer may have already issued the Prediction Respondent with a privacy notice which details the possibility of the Customer conducting Predictions. The Customer could also choose, in accordance with its own data protection related policies and procedures, to reach out to individuals with a copy of the Customer’s privacy notice after conducting the Prediction (e.g. for Predictions conducted on individuals where there is no existing relationship). We recommend outlining in the Customer’s privacy notice that Personality Profiles created by Predictions are only viewable by the individual User who generates them.

10. Are the Personality Profiles a form of profiling?

Profiling is a form of automated Processing of Personal Data to evaluate certain things about an individual, and therefore the Personality Profiles are a form of profiling. Profiling is not, however, in itself non-compliant with the GDPR, and the European Data Protection Board’s guidelines on profiling outline that the lawful basis of legitimate interests can be used for profiling so long as the tests are met.

11. Are the Personality Profiles a form of automated decision making?

Personality Profiles are not a form of automated decision making. Automated decision making is the process of making a decision by automated means without any human involvement.

12. Does Crystal Project use the Personality Profiles generated by its Customers for its own purposes?

Crystal Project does use aggregated, anonymized personality data for back-end processes like training its machine learning algorithms, improving profile accuracy, and creating population-level personality reports for marketing purposes.

No data is automatically transferred from the Customer’s systems to the Crystal Platform; data has to be manually uploaded by the User to the Crystal Platform. The only direct transmission is when the User provides us with access to Connected Accounts, and in this instance the Crystal Platform does not have access to email content within Connected Accounts; the only information that is transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes.

Once the Personality Profile is generated, Crystal Project does not store the text sample on its systems and the text sample is not stored on the Crystal Platform.

Crystal Project does not sell or make Personality Profiles available to third parties for marketing or other purposes.

Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.

13. Does Crystal Project use sub-Processors for the Services?

We will use sub-Processors from time to time for the purposes of our Services.

We currently use People Data Labs as our Back End Data provider (US based supplier), and we use AWS as our hosting provider (data centers based in the US).

14. Where does Crystal Project store Personal Data it holds as a Processor?

Crystal Project currently uses data centers located in the US, outwith the UK and the EEA. Therefore, User Accounts and Personality Profiles will be Processed on and stored in these data centers. The data centers are supplied by our sub-Processor Amazon Web Services (AWS), a global leader in hosting services.

15. How long does Crystal Project retain Personal Data it holds as a Processor?

At any point, Users can permanently delete their own individual User Account and all Personality Profiles stored on the User Account (whether created by Assessments or Predictions) via the settings available on the User Account. Customers can also delete User Accounts.

Alternatively, Users can request permanent deletion of their User Account and/or data removal by contacting Crystal Project’s support team.

Crystal Project and the Crystal Platform do not store any of the text samples after the analysis is conducted.

Upon cessation of the Services, the Customer should contact us in writing and ask for deletion of the User Accounts.

Where applicable law, regulation or government requirements prevents Crystal Project from returning or destroying all or part of the User Account, Crystal Project shall not be required to do so.

16.    What security measures does Crystal Project apply to Personal Data?

We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised Processing or disclosure of the Personal Data that we hold.

We have outlined below some examples of the measures that we have in place:

  1. our personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  2. our personnel receive regular and appropriate training on data protection matters;
  3. we maintain written internal policies on data protection and security matters, including: access control, data management, information security roles and responsibilities, and operations security;
  4. we use anti-malware protections, firewalls and anti-virus protections;
  5. we separate development, staging and production environments;
  6. we use back-ups; and
  7. we use penetration testing.

17.    In the unlikely event of a Personal Data Breach, how will Crystal Project respond?

We will continue to ensure that the Personal Data we hold is protected through the implementation of the security measures described above. In the unlikely event that a Personal Data Breach is detected, we will comply with the GDPR and notify the relevant Controller of any Personal Data Breach without undue delay.

18.    Can Crystal Project assist Customers with GDPR compliance in other ways?

Data Protection Impact Assessments

For the Processing we do for Customers, we can provide our Customers with reasonable assistance and cooperation (taking into account the nature of the Processing we are carrying out and the information available to us) in relation to any DPIAs. Where we do so, our Customers will cover all of our related costs. For more information on this, please get in touch.

Requests from Data Subjects to exercise their rights under GDPR

If we receive a request from a Data Subject relevant to Personal Data we Process for you, we will inform you as soon as reasonably practicable after receiving the request.

We will provide you with reasonable assistance (insofar as this is possible and taking account of the Processing we are carrying out and the information we have) in connection with requests for exercising Data Subjects’ rights made in relation to Personal Data we Process on your behalf, in so far as required by the GDPR. Where we do so, our Customer will cover all of our related costs.

19.    Can Customers conduct inspections and audits of Crystal Project’s GDPR practices?

We can assist our Customers by making available, on request, information which is reasonably necessary to demonstrate our compliance with this FAQ for the purposes of the GDPR. We may charge separately for this type of assistance.

If you would like to audit or inspect our compliance with this FAQ for the purposes of the GDPR, then you can do so by providing us with at least sixty (60) days' written notice, subject to the following requirements: (a) the right to audit or inspect will be limited to once per year unless otherwise agreed by us; (b) audits must be conducted during regular business hours and must not unreasonably interfere with our business activities; and (c) we shall not be required to breach any duties of confidentiality owed by us. We may charge separately for this type of assistance.

If a request by you will or may, in our opinion, reasonably infringe data protection or privacy rights or laws, or confidentiality obligations, then we will let you know, and we may be prevented from providing the requested information or from permitting a requested audit or inspection. 
