Contents

Introduction to this FAQ

Definitions used in this FAQ

FAQs

1.    What is Crystal Project’s role under GDPR in relation to the Crystal Platform? 
2.    What is the Customer’s role under GDPR in relation to the Crystal Platform? 
3.    Who at Crystal Project can the Customer contact with data protection related queries? 
4.    What Processing does Crystal Project conduct on behalf of its Customers to provide the Services? 
5.    How does the Crystal Platform source the Personal Data used for the Assessments and Predictions?
6.    Does the Crystal Platform data match Assessments and Predictions? 
7.    Are User Accounts and Personality Profiles private or publicly viewable? 
8.    Which lawful basis can Customers apply for Assessments and Predictions which complies with the lawful Processing obligation under GDPR?  
9.    How can Customers ensure that the use of Assessments and Predictions complies with transparency requirements under GDPR?  
10.    Are the Personality Profiles a form of profiling? 
11.    Are the Personality Profiles a form of automated decision making? 
12.    Does Crystal Project use the Personality Profiles generated by its Customers for its own purposes? 
13.    Does Crystal Project use sub-Processors for the Services?  
14.    Where does Crystal Project store Personal Data it holds as a Processor?
15.    How long does Crystal Project retain Personal Data it holds as a Processor? 
16.    What security measures does Crystal Project apply to Personal Data?
17.    In the unlikely event of a Personal Data Breach, how will Crystal Project respond? 
18.    Can Crystal Project assist Customers with GDPR compliance in other ways? 
19.    Can Customers conduct inspections and audits of Crystal Project’s GDPR practices?

Introduction to this FAQ

With Customers based all over the world, including the EU and UK, we understand how important it is for our Customers to ensure compliance with the GDPR (including the UK GDPR). This FAQ explains Crystal Project’s approach to data protection and privacy generally and how we collaborate with our Customers to ensure compliance with the GDPR.

The Crystal Platform is a SaaS platform that provides on-demand Personality Profiles, insights, and coaching for our Customers. Personality Profiles can be created in two ways: (1) Assessments – personality types are assessed using traditional personality questionnaires (i.e. DISC, Strengths, Myers-Briggs, Enneagram); and (2) Predictions – personality types are predicted using machine-learning-enabled analysis of text samples (e.g. person’s writing style), job experience, and other publicly available data.

This FAQ is not intended to be contractual in nature or legally binding unless otherwise expressly stated. The content of the FAQ is provided for general information only and is not intended to amount to legal or other advice.

Definitions used in this FAQ 

• Personality Profiles means the personality profiles created for Respondents, being the results of the Assessments and/or Predictions.
• Crystal Platform means the particular edition and elements of the Crystal applications, tools and platform subscribed to by Customer under a contract, and developed, operated, and maintained by Crystal Project, accessible via www.crystalknows.com or another designated URL, and any ancillary online or offline products and services provided to Customer by Crystal, to which Customer is being granted access pursuant to the relevant contract between the parties.
• Crystal Project means Crystal Project, Inc. and any entity which directly or indirectly controls, is controlled by, or is under common control with Crystal Project, Inc. References to us, we, our are references to Crystal Project.
• Customer means the person or entity who has purchased the Services and identified in the applicable statement or order form as our customer.
• Controller, Data Subject, Personal Data, Personal Data Breach, Processing, Processor, Special Categories of Personal Data, each have the meanings given to them by the GDPR.
• GDPR means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and (ii) the GDPR as it forms part of the law of the United Kingdom by virtue of Section 3 of the European Union (withdrawal) Act 2018.
• Respondent means a Prediction Respondent and an Assessment Respondent, together or individually.
• Services means the provision of access to, and use of, the Crystal Platform by way of subscription, including the ability to use the available tools for Assessments and Predictions.
• User Accounts means the account held by an individual User on the Crystal Platform by way of individual user identification and password.
• User(s) means Customer's employees, representatives, consultants, contractors or agents who are authorized to use the Service for the benefit of the Customer and who have been supplied User Accounts by Customer (or by Crystal Project at Customer’s request).

1. What is Crystal Project’s role under GDPR in relation to the Crystal Platform? 

Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller.

It is common practice for platform providers to be given the role of Processor and for their customers to be given the role of Controller. This is because the platform provider is simply offering a service or product for purchase and the customer is then deciding to use that service or product for its own business purposes and deciding how it will use the platform for those business purposes e.g. deciding what data to use or upload to the platform, deciding how long to use the platform for, etc. This will be the scenario for the majority of the service provider/supplier contracts that organisations enter into with, for example, CRM providers, hosting providers, software providers, etc.

Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions and we act as a Processor on behalf of our Customers in providing the Services.

We have a data processing agreement that we enter into with our Customers which sets our respective obligations as set-out under Article 28 of the GDPR. 

Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and the Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller. 

2. What is the Customer’s role under GDPR in relation to the Crystal Platform?

Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller.

It is common practice for platform providers to be given the role of Processor and for their customers to be given the role of Controller. This is because the platform provider is simply offering a service or product for purchase and the customer is then deciding to use that service or product for its own business purposes and deciding how it will use the platform for those business purposes e.g. deciding what data to use or upload to the platform, deciding how long to use the platform for,, etc. This will be the scenario for the majority of the service provider/supplier contracts that organizations enter into with, for example, CRM providers, hosting providers, software providers, etc.

Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions and we act as a Processor on behalf of our Customers in providing the Services.

We have a data processing agreement that we enter into with our Customers which sets our respective obligations as set-out under Article 28 of the GDPR. 

3. Who at Crystal Project can the Customer contact with data protection related queries?

For further information about Crystal Project’s data related and privacy practices, please email hello@crystalknows.com. We also have a dedicated information security resource who ensures our adherence to the GDPR.

4. What Processing does Crystal Project conduct on behalf of its Customers to provide the Services?

The table below sets out subject matter and duration of the Processing by Crystal Project on behalf of its Customers, the nature and purpose of the Processing, and the types of Personal Data Processed and categories of Data Subjects.

In general terms, when we are acting as a Processor, we only Process Personal Data in accordance with the reasonable instructions of the Controller unless the law says otherwise. The contracts we have in place with our Customers sets out the instructions from our Customers. Any additional or alternative instructions will be jointly agreed between us and our Customers in writing.

5. How does the Crystal Platform source the Personal Data used for the Assessments and Predictions?

Assessments

The majority of the Personal Data used for Assessments is collected by the Customer directly from the Respondent when it asks a Respondent to complete an Assessment.

Predictions

(a) Back End Data

Back End Data (described above) is aggregated and returned via API by our sub-Processors. We currently use the following sub-Processors for data collection:

• People Data Labs.  Customers can read more about People Data Labs’ data sourcing here: https://docs.peopledatalabs.com/docs/data-sources. The link explains that People Data Labs uses public data sources (e.g. open-sourced datasets, publicly available data, governmental public records) and validates the source and accuracy of all data before adding it to its data-sets.  
• Coresignal: Customers can read more about Coresignal’s data sourcing here: https://coresignal.com/data-transparency/. The link explains that Coresignal uses public data sources (e.g. open-sourced datasets, publicly available data, governmental public records) and validates the source and accuracy of all data before adding it to its data-sets. Customers can read about Coresignal’s privacy policy here: https://coresignal.com/privacy-policy/

Guidance from the Dutch Data Protection Authority - The Autoriteit Persoonsgegevens (“AP”)

Crystal Project is aware that the AP has issued specific guidance on data scraping activities, which guidance has been considered for the Crystal Platform. Data scraping is generally defined as any automated collection and recording of information from the internet. It is sometimes incorrectly assumed that the guidance from the AP prohibits data scraping altogether.

• Lawful basis:
  
  Legitimate interests if the lawful basis that Crystal Project relies on when it uses the Crystal Platform to conduct Personality Profiles. We have included a copy of our legitimate interests assessment within this FAQ (Section 8).
  
  The AP’s view is that ‘legitimate interests’ is likely to be the lawful basis under GDPR that organisations may be able to potentially use to lawfully scrape personal data. This makes sense, as it is difficult to obtain consent from data subjects when information is collected from internet sources.
  
  It is however noted, the AP take the general view that ‘commercial interests’ are unlikely to qualify as a potential ‘legitimate interest’ under the GDPR. The European Commission (EC) has previously written to the AP confirming that the EC is of the opinion that such a strict interpretation is not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU). The EC has invited the AP to change its views, but to date, the AP has indicated that that it stands by its position until the CJEU rules otherwise.
• Privacy notices and transparency: 
  
  The AP also note in their guidance that data scraping almost always scrapes personal data, meaning businesses are required to be compliant with Article 5(1) of the GDPR. Article 5(1)(a) requires personal data to be processed lawfully, fairly and in a transparent manner in relation to the data subject. This is not a novel point, and whenever personal data is collected privacy notices should be provided to relevant data subjects unless an exemption applies. This FAQ provides more detail on transparency at Section 9. 

(b) Client-Side Text Samples

On websites with available text samples (including job titles, experiences, bios, etc), the Crystal Chrome Extension uses a client-side predictive model to immediately generate a Predicted Profile without sending any of the text samples to Crystal Platform servers. When a client-side profile is generated, the Crystal Platform links to an identifier of the profile created by the User to the Crystal Platform (e.g. email address or LinkedIn URL for the Prediction Respondent). Crystal Project does directly not scrape or copy profiles from any website or social network.

(c) Server-Side Text Samples

On the Crystal Platform dashboard, Users may upload a text sample in the form of a raw text or PDF file in order to generate a Predicted Profile. In this case, the text sample is sent to Crystal Platform servers for back-end analysis, but none of the original text sample is saved to the Crystal Platform (similar to client-side analysis). In this case, the User may associate a unique identifier with the Predicted Profile.

(d) Connected Accounts

When Users use the Crystal Platform they may grant us with access to third-party applications (e.g. Gmail, Outlook or LinkedIn), which we refer to as Connected Accounts. The Crystal Platform does not have access to email content with Connected Accounts, and the only information that it transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes (this data is for User authentication purposes, and none of it is used for generating Predicted Profiles).

6. Does the Crystal Platform data match Assessments and Predictions?

Within the User Accounts there is a clear differentiation on the dashboard between “verified” user profiles (e.g. Assessment Personality Profiles) from “predicted” profiles (e.g. Prediction Personality Profiles). The Crystal Platform provides Users the option to associate their own Assessment Personality Profiles with their unique identifiers (email address, LinkedIn profile URL) by setting their profile to Public or Private.

7. Are User Accounts and Personality Profiles private or publicly viewable?

Personality Profile of Users

Within the profile privacy settings of each User Account, each User has the option make their own Personality Profile viewable to themselves only (Private), their team, their company (e.g. the Customer), or Public for everyone. We recommend that Customers inform Users of this functionality so that Customers and Users can set their privacy settings before publishing a Personality Profile.

A User’s privacy settings can be updated at any time by the User, and team admins can also set them on behalf of their team members.

The User’s profile contains all of the User’s own completed assessment results, along with associated insights like “energizers”, “stressors”, and “natural tendencies.”

Personality Profiles for Assessment Respondents

Only the User who sends the Assessment invitation to the Assessment Respondent and specific individuals on the User’s team have access to the Assessment results of the Assessment Respondent. We recommend that our Customers issue their Users with guidance on sharing of Personality Profiles among teams to ensure compliance with the Customer’s own internal policies and procedures.

Personality Profiles for Prediction Respondents

Prediction Profiles are only available to the User who created them and their team admin if applicable. 

8. Which lawful basis can Customers apply for Assessments and Predictions which complies with the lawful Processing obligation under GDPR?  

We understand that our Customers, as Controllers, have responsibility under GDPR to Process Personal Data lawfully, and in compliance with a lawful basis. The responsibility for selecting the appropriate lawful basis sits with the Customer as the Controller but to assist, we have set out our legitimate interests assessment for Assessments and Predictions when we, Crystal Project, use our Crystal Platform for our own Processing purposes.

Before relying on the lawful basis of legitimate interests, the Controller needs to assess:

1. Purpose Test: is the Controller pursuing a legitimate interest?
2. Necessity Test: is the intended Processing necessary for that purpose?
3. Balancing Test: do the Data Subject’s right and interests override the legitimate interest of the Controller?

Purpose Test

The Personality Profiles are typically used by Users to improve communications and relationships with the Respondents with the intention of:

• enhancing the skills and effectiveness of personnel and teams e.g. team collaboration, leadership development and talent acquisition;
• enhancing sales, business opportunities and business growth through more effective marketing and customer success; and
• enhancing other key business functions that rely on communication skills.

Necessity Test

Controllers also need to demonstrate that the Processing is necessary for the purposes of the legitimate interest identified. The UK and EU data protection regulators have commentated that this does not mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving the legitimate interest.

We deem the Processing to be targeted and proportional as: 

• It is proportionate to understand the personalities of personnel, customers and potential customers to tailor communications appropriately.
• The analysis conducted by the Crystal Platform would be exceptionally difficult (if not almost impossible) and time consuming to replicate by other means.
• The detail in the Personality Profiles of a Respondent or User is a broadly described cohort by reference to a generic personality type.
• The Personality Profiles describe a small aspect of a Respondent or User e.g. their personality type with reference to 16 generic personality types.

Balancing Test

The Balancing Test requires Controllers to take into account: (a) the data protection and privacy rights of Data Subject, (b) the fundamental rights of Data Subject and (c) the more general interests of Data Subject, and ensure that such rights/interests do not override the Controller’s interests. 

We have considered the following in relation to the Balancing Test: 

• The detail in the Personality Profile of a Respondent or User is a broadly described cohort by reference to a generic personality type.
• The Personality Profile describes a small aspect of a Respondent or User e.g. their personality type with reference to 16 generic personality types.
• The Predictions would not appear to override any privacy rights or fundamental rights as the Personal Data that is used is minimal, generally of a corporate nature (e.g. it is Personal Data related to the Data Subject’s profession rather than being of a private nature), is not Special Categories of Personal Data, and is publicly available, and therefore the Respondent does not, it can be reasonably assumed, have an expectation of privacy in relation to such information.
• The Assessments would not appear to override any privacy rights or fundamental rights as the Personal Data that is used is minimal, the questions asked under the Assessments are high-level and general statements (and therefore the questions asked are not specific to the individual’s private life and are not intrusive), the Respondent’s answer to the statement is given by selecting a multiple choice list of answers (being a sliding scale between 'strongly agree' to ‘strongly disagree) without any additional information being captured, and the information is willingly provided by the Respondent.  
• The Assessments and Predictions are in the beneficial interests of the Respondent and/or User. They allow the Customer to interact with and communicate with the Respondent on terms which are likely to be welcomed by the Respondent. They also allow Users to better understand their own personalities and preferences, and to better understand their strengths and weaknesses.
• Only the assumptions and determinations of the Crystal Platform, as based on the data, is disclosed to Customers and Users rather than the specific data itself.
• The text samples used for the Predictions are not stored by Crystal Project or the Crystal Platform.
• The Crystal Platform does not target children or other vulnerable individuals as it uses the limited Personal Data of adults only.
• The Processing is not of any nature that a Personal Data Breach could jeopardise the health or safety of any individuals, or otherwise cause them any substantial harm (e.g. there is no risk of ID fraud).
•  Within the User Accounts there is a clear differentiation on the dashboard between “verified” user profiles (e.g. Assessment Personality Profiles) from “predicted” profiles (e.g. Prediction Personality Profiles).
• Personality Profiles of Respondents can be privately held by Customers. 
  
  Overall Assessment

We are of the view that legitimate interests can be relied on when the three Tests are applied and balanced among one another.

9. How can Customers ensure that the use of Assessments and Predictions complies with transparency requirements under GDPR?

We understand that our Customers, as Controllers, will wish to ensure compliance with the transparency requirements placed on Controllers under GDPR. As our Customers will know, Controllers are to take appropriate measures to provide certain privacy information relating to Processing to Data Subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This privacy information is usually provided in a document referred to as a Privacy Notice or Privacy Policy. To ensure that your existing Processing practices comply with GDPR, it is likely that you already have Privacy Notices in place. 

To provide some further assistance, this Section 9 outlines what privacy information is usually contained in a Privacy Notice and how Privacy Notices could be made available to Respondents by Customers.  

The GDPR outlines what ‘privacy information’ should be given in a privacy notice and this includes:

1. The name and contact details of the Controller’s organization.
2. The name and contact details of the Controller’s representative (if applicable).
3. The contact details of the Controller’s data protection officer (if applicable).
4. The purposes of the processing (e.g. to create personality profiles to allow the Customer to tailor communications with the individual appropriately).
5. The lawful basis for the processing (e.g. legitimate interests).
6. The legitimate interests for the processing (if applicable) (e.g. see our legitimate interests assessment).
7. The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
8. The recipients or categories of recipients of the personal data.
9. The details of transfers of the personal data to any third countries or international organizations (if applicable).
10. The retention periods for the personal data.
11. The rights available to individuals in respect of the processing.
12. The right to withdraw consent (if applicable).
13. The right to lodge a complaint with a supervisory authority.
14. The source of the personal data (if the personal data is not obtained from the individual it relates to).
15. The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
16. The details of the existence of automated decision-making, including profiling (if applicable).

There may be additional ‘privacy information’ required by your local laws. 

Customers may wish to, at their discretion, inform an Assessment Respondent on the privacy setting that will be applied to their Personality Profile once generated (e.g. viewable only by User who sent the invite, or viewable by others in the User’s team). Customer’s may also wish to, at their discretion, outline in the Customer’s privacy notice that Personality Profiles as created by predictions are only viewable by the individual User who generates them.

To ensure that your existing business practices comply with GDPR, it is likely that you already have Privacy Notices in place, and as would be the case each time you work with a new supplier or begin new types of Processing, Customers may wish to check whether their Privacy Notices are already fit for purpose or if they need updating. For example, your existing Privacy Notice may already refer to Personal Data being used to create personality profiles or you might conclude that your Privacy Notice needs to be updated to include this. 

There are a number of examples of ways in which Privacy Notices or privacy information can be made available to Respondents, but we appreciate that you may have your own practices:

• As Assessment Respondents willingly provide all Personal Data provided in Assessments Customers could make their Assessment Respondents aware, at the time of sending the invitation, of the privacy information. 
• Customers could update their public facing privacy notice (e.g. as available on their website) to let individuals know that the Customer conducts Processing related to Personality Profiles. 
• Where Customers are conducting Personality Profiles for existing contacts (e.g. existing customers, existing potential customers) the Customer may have already issued the Respondent with a Privacy Notice which details the possibility of the Customer conducting Personality Profiles or Predictions. 
• The Customer could also choose, in accordance with its own data related policies and procedures, to reach out to individuals with a copy of the Customer’s privacy notice after conducting the Prediction (e.g. for Predictions conducted on individuals where there is no existing relationship).

10. Are the Personality Profiles a form of profiling?

Profiling is a form of automated Processing of Personal Data to evaluate certain things about an individual, therefore the Personality Profiles are a form of profiling. Profiling is not however a form of non-compliance with the GDPR, and the European Data Protection Board’s Guidance on profiling outlines that the lawful basis of legitimate interests can be used for profiling so long as the tests are met.

11. Are the Personality Profiles a form of automated decision making?

Personality Profiles are not a form of automated decision making. Automated decision making is the Process of making a decision by automated means without any human involvement.

12. Does Crystal Project use the Personality Profiles generated by its Customers for its own purposes?

Crystal Project does use aggregated, anonymized personality data for back-end processes like training its machine learning algorithms, improving profile accuracy, and creating population-level personality reports for marketing purposes.

No data is automatically transferred from Customer’s systems to the Crystal Platform, and this has to be manually uploaded by the User to the Crystal Platform. The only direct transmission is when the User provides us with access to Connected Accounts and in this instance, the Crystal Platform does not have access to email content with Connected Accounts, and the only information that it transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes.

Once the Personality Profile is generated, Crystal Project does not store the text sample on its systems and the text sample is not stored on the Crystal Platform.

Crystal Project does not sell or make Personality Profiles available to third parties for marketing or other purposes.

Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and the Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.

13.    Does Crystal Project use sub-Processors for the Services?  

We will use sub-Processors from time to time for the purposes of our Services.

We currently use People Data Labs as our Back End Data provider (US based supplier), and we use AWS as our hosting provider (data centers based in the US).

14.    Where does Crystal Project store Personal Data it holds as a Processor?

Crystal Project currently uses data centers based outwith the UK and the EEA, and which are located in the US.  Therefore, User Accounts and Personality Profiles will be Processed on and stored in these data centers. The data centers are supplied by our sub-Processor Amazon Web Services (AWS) who are a global leader in hosting services.

15.    How long does Crystal Project retain Personal Data it holds as a Processor?

User Accounts, Assessment Profiles and Prediction Profiles can be deleted at any time. 

Customers and users have deletion power: At any point, Users can permanently delete their own individual User Account and any Personality Profiles stored on the User Account whether created by Assessments or Predictions via the settings available on the User Account. Customers can also delete User Accounts.

We can assist with deletion also: Alternatively, Users can request permanent deletion of their User Account and/or removal of specific information (e.g. Assessment Profiles or Production Profile) by contacting Crystal Project’s support team.

The Platform does not retain text samples: Crystal Project and the Crystal Platform does not store any of the text samples after the analysis is conducted.   

At the end of the Services agreement: Upon cessation of the Services, the Customer should contact us in writing and ask for deletion of the User Accounts or we can agree to do this automatically in our data processing agreement. 

Where applicable law, regulation or government requirements prevent Crystal Project from returning or destroying all or part of the User Account, Crystal Project shall not be required to do so.

16.    What security measures does Crystal Project apply to Personal Data?

We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised Processing or disclosure of the Personal Data that we hold.

We have outlined below some examples of the measures that we have in place:

1. our personnel have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
2. our personnel receive regular and appropriate training on data protection matters;
3. we maintain written internal policies on data protection and security matters, including: access control, data management, information security roles and responsibilities, operations security;
4. we use anti-malware protections, firewalls and anti-virus protections; 
5. separation of development, staging and production environments;
6. use of back-ups;
7.  use of penetration testing;

17.    In the unlikely event of a Personal Data Breach, how will Crystal Project respond?

We will continue to ensure that the Personal Data we hold is protected through the implementation of the security measures described above. In the unlikely event that a Personal Data Breach is detected, we will comply with the GDPR and notify the relevant Controller of any Personal Data Breach without undue delay.

18.    Can Crystal Project assist Customers with GDPR compliance in other ways?

Data Protection Impact Assessments

For the Processing we do for Customers, we can provide our Customers with reasonable assistance and cooperation (taking into account the nature of the Processing we are carrying out and the information available to us) in relation to any DPIAs. Where we do so, our Customers will cover all of our related costs. For more information on this, please get in touch.

Requests from Data Subjects to exercise their rights under GDPR

If we receive a request from a Data Subject relevant to Personal Data we Process for you, we will inform you as soon as reasonably practicable after receiving the request.

We will provide you with reasonable assistance (insofar as this is possible and taking account of the Processing we are carrying out and the information we have) in connection with requests for exercising Data Subjects’ rights made in relation to Personal Data we Process on your behalf, in so far as required by the GDPR. Where we do so, our Customer will cover all of our related costs.

19.    Can Customers conduct inspections and audits of Crystal Project’s GDPR practices?

We can assist our Customers by making available, on request, information which is reasonably necessary to demonstrate our compliance with this FAQ for the purposes of the GDPR. We may charge separately for this type of assistance.

If you would like to audit or inspect our compliance with this FAQ for the purposes of the GDPR, then you can do so by providing us with at least sixty (60) days’ written notice, subject to the following requirements: (a) the right to audit or inspect will be limited to once per year unless otherwise agreed by us, (b) audits must be conducted during regular business hours and must not unreasonably interfere with our business activities; and (c) we shall not be required to breach any duties of confidentiality owed by us. We may charge separately for this type of assistance.

If a request by you will or may, in our opinion, reasonably infringe data protection or privacy rights or laws, or confidentiality obligations, then we will let you know, and we may be prevented from providing the requested information or from permitting a requested audit or inspection.