GDPR - Frequently Asked Questions
Introduction to this FAQ
Definitions used in this FAQ
FAQs
1. What is Crystal Project’s role under GDPR in relation to the Crystal Platform?
2. What is the Customer’s role under GDPR in relation to the Crystal Platform?
3. Who at Crystal Project can the Customer contact with data protection related queries?
4. What Processing does Crystal Project conduct on behalf of its Customers to provide the Services?
5. How does the Crystal Platform source the Personal Data used for the Assessments and Predictions?
6. Does the Crystal Platform data match Assessments and Predictions?
7. Are User Accounts and Personality Profiles private or publicly viewable?
8. Which lawful basis can Customers apply for Assessments and Predictions which complies with the lawful Processing obligation under GDPR?
9. How can Customers ensure that the use of Assessments and Predictions complies with transparency requirements under GDPR?
10. Are the Personality Profiles a form of profiling?
11. Are the Personality Profiles a form of automated decision making?
12. Does Crystal Project use the Personality Profiles generated by its Customers for its own purposes?
13. Does Crystal Project use sub-Processors for the Services?
14. Where does Crystal Project store Personal Data it holds as a Processor?
15. How long does Crystal Project retain Personal Data it holds as a Processor?
16. What security measures does Crystal Project apply to Personal Data?
17. In the unlikely event of a Personal Data Breach, how will Crystal Project respond?
18. Can Crystal Project assist Customers with GDPR compliance in other ways?
19. Can Customers conduct inspections and audits of Crystal Project’s GDPR practices?
(A) Crystal Project and the Customer entered into the Services Agreement (defined below) whereby Crystal Project agrees to provide certain Subscription Service which may require Crystal Project to process Customer Personal Data as a processor on behalf of the Customer.
(B) This Data Processing Agreement (“DPA”) sets out the terms, requirements, and conditions on which Crystal Project will process Customer Personal Data when providing its Subscription Service (as defined below).
With Customers based all over the world, including the EU and UK, we understand how important it is for our Customers to ensure compliance with the GDPR (including the UK GDPR). This FAQ explains Crystal Project’s approach to data protection and privacy generally and how we collaborate with our Customers to ensure compliance with the GDPR.
The Crystal Platform is a SaaS platform that provides on-demand Personality Profiles, insights, and coaching for our Customers. Personality Profiles can be created in two ways: (1) Assessments – personality types are assessed using traditional personality questionnaires (i.e. DISC, Strengths, Myers-Briggs, Enneagram); and (2) Predictions – personality types are predicted using machine-learning-enabled analysis of text samples (e.g. person’s writing style), job experience, and other publicly available data.
This FAQ is not intended to be contractual in nature or legally binding unless otherwise expressly stated. The terms of this FAQ apply to the exclusion of any terms and conditions (express or implied by law or otherwise) which our Customers may seek to introduce or rely upon unless we otherwise agree in writing.
Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller.
Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions and we act as a Processor on behalf of our Customers in providing the Services. This is because we, Crystal Project, and the Crystal Platform, only Process the Personal Data collected and used for Assessments and Predictions when instructed to do so by our Customers (including via the Users) for the purpose of providing our Services.
Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and the Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.
Controllers determine how and why Personal Data is Processed. Processors Process Personal Data on behalf of, and under the instructions of, the Controller. Our Customers are Controllers of the Personal Data Processed for Assessments and Predictions.
For further information about Crystal Project’s data related and privacy practices, please email [email protected]. We also have a dedicated information security resource who ensures our adherence to the GDPR.
The table below sets out subject matter and duration of the Processing by Crystal Project on behalf of its Customers, the nature and purpose of the Processing, and the types of Personal Data Processed and categories of Data Subjects.
Assessments | Predictions | Users who complete Assessments | |
Categories of Data Subject |
Assessment Respondents – The Crystal Platform allows Users to run Assessments by sending email invitations and unique links to any third party selected by the User. When a person (e.g. recipient of the invitation) completes the Assessment given to them within a unique link, they are considered an Assessment Respondent. |
Prediction Respondent – The Crystal Platform provides functionality for Users to generate Predictions for individuals based on text analysis. When a Prediction is completed in relation to a particular individual, that individual is considered a Prediction Respondent. |
Users who are Assessment Respondents |
Types of Personal Data used |
The Assessments generally use and Process very limited amounts and categories of Personal Data as outlined below. |
The Predictions generally use and Process very limited amounts and categories of Personal Data as outlined below. The Predictions mainly use and analyse Personal Data that is of a corporate, business or professional nature (e.g. the types of information available on a LinkedIn profile) rather than Personal Data that is of a sensitive nature or related to the Prediction Respondent’s private life outside of their profession. The Predictions only Process Personal Data that is publicly available or uploaded by the User. |
The Assessments generally use and Process very limited amounts and categories of Personal Data as outlined below. |
Subject Matter of Processing by Crystal Project on behalf of Customer |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
Purpose of Processing by Crystal Project on behalf of Customer |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
To provide the Services to and on behalf of the Customer. |
Nature of Processing by Crystal Project on behalf of Customer |
All Processing required to provide the Services including in particular: (a) analysis of Assessment responses using predictive statistical models; and (b) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Assessment Respondents. |
All Processing required to provide the Services including in particular: (a) analysis of text samples, based on writing style and content within the samples, and related Personal Data using natural language processing technology; (b) the collection and analysis of Back End Data when requested by the Customer; and (c) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Prediction Respondents. |
All Processing required to provide the Services including in particular: (a) analysis of Assessment responses using predictive statistical models; and (b) hosting, maintenance, and deletion of User Accounts holding the Personality Profiles of Assessment Respondents. |
Duration of Processing by Crystal Project on behalf of Customer |
Please see the section below on data retention. |
Please see the section below on data retention. |
Please see the section below on data retention. |
In general terms, when we are acting as a Processor, we only Process Personal Data in accordance with the reasonable instructions of the Controller unless the law says otherwise. The contracts we have in place with our Customers sets out the instructions from our Customers. Any additional or alternative instructions will be jointly agreed between us and our Customers in writing.
Assessments
The majority of the Personal Data used for Assessments is collected by the Customer directly from the Respondent when it asks a Respondent to complete an Assessment.
Predictions
(a) Back End Data
Back End Data (described above) is aggregated and returned via API by our sub-Processor. Our current sub-processor used for data collection is People Data Labs. Customers can read more about People Data Labs’ data sourcing here: https://docs.peopledatalabs.com/docs/data-sources. The link explains that People Data Labs uses public data sources (e.g. open-sourced datasets, publicly available data, governmental public records) and validates the source and accuracy of all data before adding it to its data-sets.
Back End Data is used for Predictions when Customers use the Crystal Chrome Extension in Gmail, Outlook, Salesforce, HubSpot, and the Crystal dashboard. Customers using the Crystal Chrome Extension on LinkedIn have the option to turn Back End Data enrichment on or off for all Users in the account, depending on their own needs and preferences.
(b) Client-Side Text Samples
On websites with available text samples (including job titles, experiences, bios, etc), the Crystal Chrome Extension uses a client-side predictive model to immediately generate a Predicted Profile without sending any of the text samples to Crystal Platform servers. When a client-side profile is generated, the Crystal Platform links to an identifier of the profile created by the User to the Crystal Platform (e.g. email address or LinkedIn URL for the Prediction Respondent). Crystal Project does directly not scrape or copy profiles from any website or social network.
(c) Server-Side Text Samples
On the Crystal Platform dashboard, Users may upload a text sample in the form of a raw text or PDF file in order to generate a Predicted Profile. In this case, the text sample is sent to Crystal Platform servers for back-end analysis, but none of the original text sample is saved (similar to client-side analysis). In this case, the User may associate a unique identifier with the Predicted Profile.
(d) Connected Accounts
When Users use the Crystal Platform they may grant us with access to third-party applications (e.g. Gmail, Outlook or LinkedIn), which we refer to as Connected Accounts. The Crystal Platform does not have access to email content with Connected Accounts, and the only information that it transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes (this data is for User authentication purposes, and none of it is used for generating Predicted Profiles).
Within the User Accounts there is a clear differentiation on the dashboard between “verified” user profiles (e.g. Assessment Personality Profiles) from “predicted” profiles (e.g. Prediction Personality Profiles). The Crystal Platform provides Users the option to associate their own Assessment Personality Profiles with their unique identifiers (email address, LinkedIn profile URL) by setting their profile to Public or Private.
Personality Profile of Users
Within the profile privacy settings of each User Account, each User has the option make their own Personality Profile viewable to themselves only (Private), their team, their company (e.g. the Customer), or Public for everyone. We recommend that Customers inform Users of this functionality so that Customers and Users can set their privacy settings before publishing a Personality Profile.
A User’s privacy settings can be updated at any time by the User, and team admins can also set them on behalf of their team members.
The User’s profile contains all of the User’s own completed assessment results, along with associated insights like “energizers”, “stressors”, and “natural tendencies.”
Personality Profiles for Assessment Respondents
Only the User who sends the Assessment invitation to the Assessment Respondent and specific individuals on the User’s team have access to the Assessment results of the Assessment Respondent. We recommend that our Customers issue their Users with guidance on sharing of Personality Profiles among teams to ensure compliance with the Customer’s own internal policies and procedures.
Personality Profiles for Prediction Respondents
Prediction Profiles are only available to the User who created them and their team admin if applicable.
We understand that our Customers, as Controllers, have responsibility under GDPR to Process Personal Data lawfully, and in compliance with a lawful basis. The responsibility for selecting the appropriate lawful basis sits with the Customer as the Controller but to assist, we have set out our legitimate interests assessment for Assessments and Predictions when we, Crystal Project, use our Crystal Platform for our own Processing purposes.
Before relying on the lawful basis of legitimate interests, the Controller needs to assess:
Purpose Test
The Personality Profiles are typically used by Users to improve communications and relationships with the Respondents with the intention of:
Necessity Test
Controllers also need to demonstrate that the Processing is necessary for the purposes of the legitimate interest identified. The UK and EU data protection regulators have commentated that this does not mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving the legitimate interest.
We deem the Processing to be targeted and proportional as:
Balancing Test
The Balancing Test requires Controllers to take into account: (a) the data protection and privacy rights of Data Subject, (b) the fundamental rights of Data Subject and (c) the more general interests of Data Subject, and ensure that such rights/interests do not override the Controller’s interests.
We have considered the following in relation to the Balancing Test:
We are of the view that legitimate interests can be relied on when the three Tests are applied and balanced among one another.
We understand that our Customers, as Controllers, have responsibility under GDPR to take appropriate measures to provide certain privacy information relating to Processing to Data Subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Assessments
Assessment Respondents willingly provide all Personal Data provided in Assessments and therefore we expect that our Customers make their Assessment Respondents aware, at the time of sending the invitation, of the purpose of the Assessments (e.g. personality test) and how the Customer will use the Personality Profile generated from the Assessments (e.g. to tailor communications appropriately).
We recommend that our Customers, as the Controllers of Personal Data used for Assessment purposes, also consider: (a) sending Assessment Respondents a copy of the Customer’s relevant privacy notice alongside the invitation to the Assessment; and (b) inform the Assessment Respondent on the privacy setting that will be applied to their Personality Profile once generated (e.g. viewable only by User who sent the invite, or viewable by others in the User’s team).
Predictions
As noted above, the Predictions only use publicly available information alongside an identifier (e.g. email address) or text samples uploaded by the User.
We recommend that our Customers, as the Controllers of Personal Data used for Prediction purposes, update their public facing privacy notice (e.g. as available on their website) to let individuals know that that the Customer conducts Processing related to Predictions. Where Customers are conducting Predictions for existing contacts (e.g. existing customers, existing potential customers) the Customer may have already issued the Prediction Respondent with a privacy notice which details the possibility of the Customer conducting Predictions. The Customer could also choose, in accordance with its own data prediction related policies and procedures, to reach out to individuals with a copy of the Customer’s privacy notice after conducting the Prediction (e.g. for Predictions conducted on individuals where there is no existing relationship). We recommend outlining in the Customer’s privacy notice that Personality Profiles as created by predictions are only viewable by the individual User who generates them.
Profiling is a form of automated Processing of Personal Data to evaluate certain things about an individual, therefore the Personality Profiles are a form of profiling. Profiling is not however a form of non-compliance with the GDPR, and the European Data Protection Board’s Guidance on profiling outlines that the lawful basis of legitimate interests can be used for profiling so long as the tests are met.
Personality Profiles are not a form of automated decision making. Automated decision making is the Process of making a decision by automated means without any human involvement.
Crystal Project does use aggregated, anonymized personality data for back-end processes like training its machine learning algorithms, improving profile accuracy, and creating population-level personality reports for marketing purposes.
No data is automatically transferred from Customer’s systems to the Crystal Platform, and this has to be manually uploaded by the User to the Crystal Platform. The only direct transmission is when the User provides us with access to Connected Accounts and in this instance, the Crystal Platform does not have access to email content with Connected Accounts, and the only information that it transmitted from such Connected Accounts to Crystal Project is the email address of Users for authentication purposes.
Once the Personality Profile is generated, Crystal Project does not store the text sample on its systems and the text sample is not stored on the Crystal Platform.
Crystal Project does not sell or make Personality Profiles available to third parties for marketing or other purposes.
Crystal Project acts as a Controller for certain Personal Data of Users to allow Crystal Project to, for example, manage and maintain User Accounts. Crystal Project may also act as Controller in relation to very limited data about Assessment Respondents who are Users when those Users choose to publicly publish their own ‘verified’ Personality Profiles and the Crystal Project then uses those Personality Profiles for its own communication purposes. Our Privacy Policy (crystalknows.com) has more information on how we Process and use Personal Data when we act as Controller.
We will use sub-Processors from time to time for the purposes of our Services.
We currently use People Data Labs as our Back End Data provider (US based supplier), and we use AWS as our hosting provider (data centers based in the US).
Crystal Project currently uses data centers based outwith the UK and the EEA, and which are located in the US. Therefore, User Accounts and Personality Profiles will be Processed on and stored in these data centers. The data centers are supplied by our sub-Processor Amazon Web Services (AWS) who are a global leader in hosting services.
At any point, Users can permanently delete their own individual User Account and all Personality Profiles stored on the User Account (whether created by Assessments or Predictions) via the settings available on the User Account. Customers can also delete User Accounts.
Alternatively, Users can request permanent deletion of their User Account and/or data removal by contacting Crystal Project’s support team.
Crystal Project and the Crystal Platform does not store any of the text samples after the analysis is conducted.
Upon cessation of the Services, the Customer should contact us in writing and ask for deletion of the User Accounts.
Where applicable law, regulation or government requirements prevents Crystal Project from returning or destroying all or part of the User Account, Crystal Project shall not be required to do so.
We have in place administrative, technical and physical measures designed to guard against and minimise the risk of loss, misuse or unauthorised Processing or disclosure of the Personal Data that we hold.
We have outlined below some examples of the measures that we have in place:
We will continue to ensure that the Personal Data we hold is protected through the implementation of the security measures described above. In the unlikely event that a Personal Data Breach is detected, we will comply with the GDPR and notify the relevant Controller of any Personal Data Breach without undue delay.
Data Protection Impact Assessments
For the Processing we do for Customers, we can provide our Customers with reasonable assistance and cooperation (taking into account the nature of the Processing we are carrying out and the information available to us) in relation to any DPIAs. Where we do so, our Customers will cover all of our related costs. For more information on this, please get in touch.
Requests from Data Subjects to exercise their rights under GDPR
If we receive a request from a Data Subject relevant to Personal Data we Process for you, we will inform you as soon as reasonably practicable after receiving the request.
We will provide you with reasonable assistance (insofar as this is possible and taking account of the Processing we are carrying out and the information we have) in connection with requests for exercising Data Subjects’ rights made in relation to Personal Data we Process on your behalf, in so far as required by the GDPR. Where we do so, our Customer will cover all of our related costs.
We can assist our Customers by making available, on request, information which is reasonably necessary to demonstrate our compliance with this FAQ for the purposes of the GDPR. We may charge separately for this type of assistance.
If you would like to audit or inspect our compliance with this FAQ for the purposes of the GDPR, then you can do so by providing us with at least sixty (60) days’ written notice, subject to the following requirements: (a) the right to audit or inspect will be limited to once per year unless otherwise agreed by us, (b) audits must be conducted during regular business hours and must not unreasonably interfere with our business activities; and (c) we shall not be required to breach any duties of confidentiality owed by us. We may charge separately for this type of assistance.
If a request by you will or may, in our opinion, reasonably infringe data protection or privacy rights or laws, or confidentiality obligations, then we will let you know, and we may be prevented from providing the requested information or from permitting a requested audit or inspection.