Introduction to this FAQ
Definitions used in this FAQ
FAQs
1. What is Crystal Project’s role under GDPR in relation to the Crystal Platform?
2. What is the Customer’s role under GDPR in relation to the Crystal Platform?
3. Who at Crystal Project can the Customer contact with data protection related queries?
4. What Processing does Crystal Project conduct on behalf of its Customers to provide the Services?
5. How does the Crystal Platform source the Personal Data used for the Assessments and Predictions?
6. Does the Crystal Platform data match Assessments and Predictions?
7. Are User Accounts and Personality Profiles private or publicly viewable?
8. Which lawful basis can Customers apply for Assessments and Predictions which complies with the lawful Processing obligation under GDPR?
9. How can Customers ensure that the use of Assessments and Predictions complies with transparency requirements under GDPR?
10. Are the Personality Profiles a form of profiling?
11. Are the Personality Profiles a form of automated decision making?
12. Does Crystal Project use the Personality Profiles generated by its Customers for its own purposes?
13. Does Crystal Project use sub-Processors for the Services?
14. Where does Crystal Project store Personal Data it holds as a Processor?
15. How long does Crystal Project retain Personal Data it holds as a Processor?
16. What security measures does Crystal Project apply to Personal Data?
17. In the unlikely event of a Personal Data Breach, how will Crystal Project respond?
18. Can Crystal Project assist Customers with GDPR compliance in other ways?
19. Can Customers conduct inspections and audits of Crystal Project’s GDPR practices?
With Customers based all over the world, including the EU and UK, we understand how important it is for our Customers to ensure compliance with the GDPR (including the UK GDPR). This FAQ explains Crystal Project’s approach to data protection and privacy generally and how we collaborate with our Customers to ensure compliance with the GDPR.
The Crystal Platform is a SaaS platform that provides on-demand Personality Profiles, insights, and coaching for our Customers. Personality Profiles can be created in two ways: (1) Assessments – personality types are assessed using traditional personality questionnaires (i.e. DISC, Strengths, Myers-Briggs, Enneagram); and (2) Predictions – personality types are predicted using machine-learning-enabled analysis of text samples (e.g. person’s writing style), job experience, and other publicly available data.
This FAQ is not intended to be contractual in nature or legally binding unless otherwise expressly stated. The content of the FAQ is provided for general information only and is not intended to amount to legal or other advice.
Definitions used in this FAQ
Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller.
It is common practice for platform providers to be given the role of Processor and for their customers to be given the role of Controller. This is because the platform provider is simply offering a service or product for purchase and the customer is then deciding to use that service or product for its own business purposes and deciding how it will use the platform for those business purposes e.g. deciding what data to use or upload to the platform, deciding how long to use the platform for, etc. This will be the scenario for the majority of the service provider/supplier contracts that organisations enter into with, for example, CRM providers, hosting providers, software providers, etc.
Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions and we act as a Processor on behalf of our Customers in providing the Services.
We have a data processing agreement that we enter into with our Customers which sets our respective obligations as set-out under Article 28 of the GDPR.
Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and the Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.
Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller.
It is common practice for platform providers to be given the role of Processor and for their customers to be given the role of Controller. This is because the platform provider is simply offering a service or product for purchase and the customer is then deciding to use that service or product for its own business purposes and deciding how it will use the platform for those business purposes e.g. deciding what data to use or upload to the platform, deciding how long to use the platform for,, etc. This will be the scenario for the majority of the service provider/supplier contracts that organizations enter into with, for example, CRM providers, hosting providers, software providers, etc.
Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions and we act as a Processor on behalf of our Customers in providing the Services.
We have a data processing agreement that we enter into with our Customers which sets our respective obligations as set-out under Article 28 of the GDPR.
For further information about Crystal Project’s data related and privacy practices, please email hello@crystalknows.com. We also have a dedicated information security resource who ensures our adherence to the GDPR.
The table below sets out subject matter and duration of the Processing by Crystal Project on behalf of its Customers, the nature and purpose of the Processing, and the types of Personal Data Processed and categories of Data Subjects.
Assessments | Predictions | Users who complete Assessments | |
Categories of Data Subject |
Assessment Respondents – The Crystal Platform allows Users to run Assessments by sending email invitations and unique links to any third party selected by the User. When a person (e.g. recipient of the invitation) completes the Assessment given to them within a unique link, they are considered an Assessment Respondent. |
Prediction Respondent – The Crystal Platform provides functionality for Users to generate Predictions for individuals based on text analysis. When a Prediction is completed in relation to a particular individual, that individual is considered a Prediction Respondent. |
Users who are Assessment Respondents |
Types of Personal Data used |
The Assessments generally use and Process very limited amounts and categories of Personal Data as outlined below. |
The Predictions generally use and Process very limited amounts and categories of Personal Data as outlined below. The Predictions mainly use and analyse Personal Data that is of a corporate, business or professional nature (e.g. the types of information available on a LinkedIn profile) rather than Personal Data that is of a sensitive nature or related to the Prediction Respondent’s private life outside of their profession. The Predictions only Process Personal Data that is publicly available or uploaded by the User. |
The Assessments generally use and Process very limited amounts and categories of Personal Data as outlined below. |
Subject Matter of Processing by Crystal Project on behalf of Customer |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
Purpose of Processing by Crystal Project on behalf of Customer |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
Nature of Processing by Crystal Project on behalf of Customer |
All Processing required to provide the Services including in particular: (a) analysis of Assessment responses using predictive statistical models; and (b) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Assessment Respondents. |
All Processing required to provide the Services including in particular: (a) analysis of text samples, based on writing style and content within the samples, and related Personal Data using natural language processing technology; (b) the collection and analysis of Back End Data when requested by the Customer; and (c) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Prediction Respondents. |
All Processing required to provide the Services including in particular: (a) analysis of Assessment responses using predictive statistical models; and (b) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Assessment Respondents. |
Duration of Processing by Crystal Project on behalf of Customer |
Please see section 15 below on data retention. |
Please see section 15 below on data retention. |
Please see section 15 below on data retention. |
In general terms, when we are acting as a Processor, we only Process Personal Data in accordance with the reasonable instructions of the Controller unless the law says otherwise. The contracts we have in place with our Customers sets out the instructions from our Customers. Any additional or alternative instructions will be jointly agreed between us and our Customers in writing.
Assessments
The majority of the Personal Data used for Assessments is collected by the Customer directly from the Respondent when it asks a Respondent to complete an Assessment.
Predictions
(a) Back End Data
Back End Data (described above) is aggregated and returned via API by our sub-Processors. We currently use the following sub-Processors for data collection:
Guidance from the Dutch Data Protection Authority - The Autoriteit Persoonsgegevens (“AP”)
Crystal Project is aware that the AP has issued specific guidance on data scraping activities, which guidance has been considered for the Crystal Platform. Data scraping is generally defined as any automated collection and recording of information from the internet. It is sometimes incorrectly assumed that the guidance from the AP prohibits data scraping altogether.
(b) Client-Side Text Samples
On websites with available text samples (including job titles, experiences, bios, etc), the Crystal Chrome Extension uses a client-side predictive model to immediately generate a Predicted Profile without sending any of the text samples to Crystal Platform servers. When a client-side profile is generated, the Crystal Platform links to an identifier of the profile created by the User to the Crystal Platform (e.g. email address or LinkedIn URL for the Prediction Respondent). Crystal Project does directly not scrape or copy profiles from any website or social network.
(c) Server-Side Text Samples
On the Crystal Platform dashboard, Users may upload a text sample in the form of a raw text or PDF file in order to generate a Predicted Profile. In this case, the text sample is sent to Crystal Platform servers for back-end analysis, but none of the original text sample is saved to the Crystal Platform (similar to client-side analysis). In this case, the User may associate a unique identifier with the Predicted Profile.
(d) Connected Accounts
When Users use the Crystal Platform they may grant us with access to third-party applications (e.g. Gmail, Outlook or LinkedIn), which we refer to as Connected Accounts. The Crystal Platform does not have access to email content with Connected Accounts, and the only information that it transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes (this data is for User authentication purposes, and none of it is used for generating Predicted Profiles).
Within the User Accounts there is a clear differentiation on the dashboard between “verified” user profiles (e.g. Assessment Personality Profiles) from “predicted” profiles (e.g. Prediction Personality Profiles). The Crystal Platform provides Users the option to associate their own Assessment Personality Profiles with their unique identifiers (email address, LinkedIn profile URL) by setting their profile to Public or Private.
Personality Profile of Users
Within the profile privacy settings of each User Account, each User has the option make their own Personality Profile viewable to themselves only (Private), their team, their company (e.g. the Customer), or Public for everyone. We recommend that Customers inform Users of this functionality so that Customers and Users can set their privacy settings before publishing a Personality Profile.
A User’s privacy settings can be updated at any time by the User, and team admins can also set them on behalf of their team members.
The User’s profile contains all of the User’s own completed assessment results, along with associated insights like “energizers”, “stressors”, and “natural tendencies.”
Personality Profiles for Assessment Respondents
Only the User who sends the Assessment invitation to the Assessment Respondent and specific individuals on the User’s team have access to the Assessment results of the Assessment Respondent. We recommend that our Customers issue their Users with guidance on sharing of Personality Profiles among teams to ensure compliance with the Customer’s own internal policies and procedures.
Personality Profiles for Prediction Respondents
Prediction Profiles are only available to the User who created them and their team admin if applicable.
We understand that our Customers, as Controllers, have responsibility under GDPR to Process Personal Data lawfully, and in compliance with a lawful basis. The responsibility for selecting the appropriate lawful basis sits with the Customer as the Controller but to assist, we have set out our legitimate interests assessment for Assessments and Predictions when we, Crystal Project, use our Crystal Platform for our own Processing purposes.
Before relying on the lawful basis of legitimate interests, the Controller needs to assess:
Purpose Test
The Personality Profiles are typically used by Users to improve communications and relationships with the Respondents with the intention of:
Necessity Test
Controllers also need to demonstrate that the Processing is necessary for the purposes of the legitimate interest identified. The UK and EU data protection regulators have commentated that this does not mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving the legitimate interest.
We deem the Processing to be targeted and proportional as:
Balancing Test
The Balancing Test requires Controllers to take into account: (a) the data protection and privacy rights of Data Subject, (b) the fundamental rights of Data Subject and (c) the more general interests of Data Subject, and ensure that such rights/interests do not override the Controller’s interests.
We have considered the following in relation to the Balancing Test:
We are of the view that legitimate interests can be relied on when the three Tests are applied and balanced among one another.
We understand that our Customers, as Controllers, will wish to ensure compliance with the transparency requirements placed on Controllers under GDPR. As our Customers will know, Controllers are to take appropriate measures to provide certain privacy information relating to Processing to Data Subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This privacy information is usually provided in a document referred to as a Privacy Notice or Privacy Policy. To ensure that your existing Processing practices comply with GDPR, it is likely that you already have Privacy Notices in place.
To provide some further assistance, this Section 9 outlines what privacy information is usually contained in a Privacy Notice and how Privacy Notices could be made available to Respondents by Customers.
The GDPR outlines what ‘privacy information’ should be given in a privacy notice and this includes:
There may be additional ‘privacy information’ required by your local laws.
Customers may wish to, at their discretion, inform an Assessment Respondent on the privacy setting that will be applied to their Personality Profile once generated (e.g. viewable only by User who sent the invite, or viewable by others in the User’s team). Customer’s may also wish to, at their discretion, outline in the Customer’s privacy notice that Personality Profiles as created by predictions are only viewable by the individual User who generates them.
To ensure that your existing business practices comply with GDPR, it is likely that you already have Privacy Notices in place, and as would be the case each time you work with a new supplier or begin new types of Processing, Customers may wish to check whether their Privacy Notices are already fit for purpose or if they need updating. For example, your existing Privacy Notice may already refer to Personal Data being used to create personality profiles or you might conclude that your Privacy Notice needs to be updated to include this.
There are a number of examples of ways in which Privacy Notices or privacy information can be made available to Respondents, but we appreciate that you may have your own practices:
Profiling is a form of automated Processing of Personal Data to evaluate certain things about an individual, therefore the Personality Profiles are a form of profiling. Profiling is not however a form of non-compliance with the GDPR, and the European Data Protection Board’s Guidance on profiling outlines that the lawful basis of legitimate interests can be used for profiling so long as the tests are met.
Personality Profiles are not a form of automated decision making. Automated decision making is the Process of making a decision by automated means without any human involvement.
Crystal Project does use aggregated, anonymized personality data for back-end processes like training its machine learning algorithms, improving profile accuracy, and creating population-level personality reports for marketing purposes.
No data is automatically transferred from Customer’s systems to the Crystal Platform, and this has to be manually uploaded by the User to the Crystal Platform. The only direct transmission is when the User provides us with access to Connected Accounts and in this instance, the Crystal Platform does not have access to email content with Connected Accounts, and the only information that it transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes.
Once the Personality Profile is generated, Crystal Project does not store the text sample on its systems and the text sample is not stored on the Crystal Platform.
Crystal Project does not sell or make Personality Profiles available to third parties for marketing or other purposes.
Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and the Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.
We will use sub-Processors from time to time for the purposes of our Services.
We currently use People Data Labs as our Back End Data provider (US based supplier), and we use AWS as our hosting provider (data centers based in the US).
Crystal Project currently uses data centers based outwith the UK and the EEA, and which are located in the US. Therefore, User Accounts and Personality Profiles will be Processed on and stored in these data centers. The data centers are supplied by our sub-Processor Amazon Web Services (AWS) who are a global leader in hosting services.
User Accounts, Assessment Profiles and Prediction Profiles can be deleted at any time.
Customers and users have deletion power: At any point, Users can permanently delete their own individual User Account and any Personality Profiles stored on the User Account whether created by Assessments or Predictions via the settings available on the User Account. Customers can also delete User Accounts.
We can assist with deletion also: Alternatively, Users can request permanent deletion of their User Account and/or removal of specific information (e.g. Assessment Profiles or Production Profile) by contacting Crystal Project’s support team.
The Platform does not retain text samples: Crystal Project and the Crystal Platform does not store any of the text samples after the analysis is conducted.
At the end of the Services agreement: Upon cessation of the Services, the Customer should contact us in writing and ask for deletion of the User Accounts or we can agree to do this automatically in our data processing agreement.
Where applicable law, regulation or government requirements prevent Crystal Project from returning or destroying all or part of the User Account, Crystal Project shall not be required to do so.
We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised Processing or disclosure of the Personal Data that we hold.
We have outlined below some examples of the measures that we have in place:
We will continue to ensure that the Personal Data we hold is protected through the implementation of the security measures described above. In the unlikely event that a Personal Data Breach is detected, we will comply with the GDPR and notify the relevant Controller of any Personal Data Breach without undue delay.
Data Protection Impact Assessments
For the Processing we do for Customers, we can provide our Customers with reasonable assistance and cooperation (taking into account the nature of the Processing we are carrying out and the information available to us) in relation to any DPIAs. Where we do so, our Customers will cover all of our related costs. For more information on this, please get in touch.
Requests from Data Subjects to exercise their rights under GDPR
If we receive a request from a Data Subject relevant to Personal Data we Process for you, we will inform you as soon as reasonably practicable after receiving the request.
We will provide you with reasonable assistance (insofar as this is possible and taking account of the Processing we are carrying out and the information we have) in connection with requests for exercising Data Subjects’ rights made in relation to Personal Data we Process on your behalf, in so far as required by the GDPR. Where we do so, our Customer will cover all of our related costs.
We can assist our Customers by making available, on request, information which is reasonably necessary to demonstrate our compliance with this FAQ for the purposes of the GDPR. We may charge separately for this type of assistance.
If you would like to audit or inspect our compliance with this FAQ for the purposes of the GDPR, then you can do so by providing us with at least sixty (60) days’ written notice, subject to the following requirements: (a) the right to audit or inspect will be limited to once per year unless otherwise agreed by us, (b) audits must be conducted during regular business hours and must not unreasonably interfere with our business activities; and (c) we shall not be required to breach any duties of confidentiality owed by us. We may charge separately for this type of assistance.
If a request by you will or may, in our opinion, reasonably infringe data protection or privacy rights or laws, or confidentiality obligations, then we will let you know, and we may be prevented from providing the requested information or from permitting a requested audit or inspection.