  • ISO 17025 accredited labs and services

    You asked

    "Are there any sorts of items that don't necessarily need to be sent out on a regular basis?"

    Yes, certain equipment need not be calibrated by an external ISO 17025 calibration laboratory. Furthermore, the frequency of external calibration can vary.

    Based on your knowledge of your method, if a particular piece of equipment could influence the results, it must be calibrated. You need a certificate with reported uncertainty. This is so that you can be confident that the method performance is still valid (as per validation studies) and that the measurement uncertainty of the device and its contribution to the uncertainty of the test result is known. If there were no confidence in the consistent performance of equipment, there would be no confidence in the validity of the test results. To ensure valid results and metrological traceability of measurements, there needs to be an unbroken chain of calibrations and a known, controlled contribution of uncertainty of a device to the overall measurement uncertainty of the test method.

    For more information and important reference links, have a look at a similar Q&A at https://community.advisera.com/topic/re-calibration-time/

  • Data protection

    You need to write: "Personal data will be processed for the provision of the service and for the following legal obligation (i.e., for bookkeeping purposes) and in compliance with the requirements of EU Regulation 2016/679 (EU GDPR). For more information about how we process your data and the rights of data subjects, please consult our privacy notice at our store." You should have a privacy notice for your customer data in your store (or on your website, if you have one).

    Here you can find more information about privacy notice.

    If you need to understand how to implement EU GDPR compliance in your organization, you may consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/

  • Preparing procedure on Meteorological Traceability

    Typically, a laboratory will not have a procedure specifically for metrological traceability. For a laboratory to confirm metrological traceability, a number of processes are involved, where certain processes must be documented (mandatory by ISO 17025). For example, methods, procedures and supporting documentation, such as instructions, standards, manuals, and reference data must be kept up to date (clause 7.2), and a calibration programme (clause 6.4) is mandatory. These requirements from different clauses are typically linked via your Quality Manual. An Equipment and Calibration Procedure can be used to document how metrological traceability is confirmed. Alternatively, depending on the size of your laboratory, it may be included in the Method Validation and Quality Assurance Procedure.

    Let’s look at the ISO 17025 requirement – that is, to "establish and maintain (i.e. confirm) metrological traceability of its measurement results". What traceability does is ensure that on an ongoing basis the measurements accurately represent the specific quantity subject to measurement, within the stated uncertainty of the measurement. This is achieved through an unbroken metrological traceability chain to an international measurement standard or a national measurement standard. Simply stated, a laboratory ensures metrological traceability for a measurement result by having equipment (used for the method) calibrated by laboratories conforming to ISO 17025 and/or using reference materials with certified values where the reference material producers conform to ISO 17034.

    The following elements must be in place to meet clause 6.5 requirements and ensure metrological traceability:

    • a documented measurement procedure
    • quality measurement control
    • suitable (performance) calibrated standards
    • documented method measurement uncertainty
    • defined calibration intervals
    • technical competence

    For more information, have a look at

    The article: What does ISO 17025:2017 require for laboratory measurement equipment and related procedures? at https://advisera.com/17025academy/blog/2019/07/25/iso-17025-measurement-requirements-of-the-standard/
    The ISO 17025 toolkit document template: Equipment and Calibration Procedure at https://advisera.com/17025academy/documentation/equipment-and-calibration-procedure/
    The ILAC P10:07/2020 ILAC Policy on Metrological Traceability of Measurement Results, available from https://ilac.org/publications-and-resources/

  • Auditing according to section 8.2.2

    Basically yes, but of course in accordance with Records management (requirement 4.2.5) and 8.3 Control of non-conforming product. 

  • ISO 27001 Mapping to CSA CCM Matrix

    The Cloud Control Matrix can be found on the Cloud Security Alliance site: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/

    This matrix contains the mapping between ISO 27001 and the CSA alliance cloud security domains.

  • How to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"

    Here is a practical example of how to fill the List of Legal, Official, Contractual and Other Requirements template:

    Consider that a customer named Jon has a service level agreement with your company which defines, in clause 32-b, that access to all information provided by the customer to information system ABC is restricted to customer personnel only. In this case, the person responsible for system ABC is responsible for ensuring compliance of the system with this requirement. Then your document would look like this:

    Interested party: Customer Jon
    Requirement: Clause 32-b (Information provided to system ABC is restricted to customer's personnel)
    Document: Service level agreement
    Person responsible for compliance: System ABC administrator
    Deadline: when system ABC is made available for customer use

    Besides Service Level Agreements, you should consider laws and regulations applicable to the locations where you operate in the same way described in the example (i.e., identifying interested party, requirement, document, etc.). For the identification of specific requirements for your organization we recommend you seek expert legal advice.

    Regarding the example for the ISMS scope, it can be defined in terms of information, location or process to be protected, and here are some examples:

    • The ISMS scope is the customer and Research and Development data of organization ABC.
    • The ISMS scope is the Headquarters of organization ABC.
    • The ISMS scope is the software and development process of organization ABC.

    By the way, included in your toolkit you have access to a video tutorial that can help you develop the scope, with real data examples.

  • IEC 62366-1 question

    No, this standard ISO 62366-1 is applicable to all types of medical devices.

  • Guidance for dealing with "old" devices

    Your guidance is the MDR itself. It means that if you are a class I device, from 26th May 2021 you need to be in compliance with the MDR. The only excuse for that is the implementation of the UDI number, which must be applied by May 2025, as stated in Article 123 Entry into force and date of application.

    For more information, see:

    EU MDR Article 123 Entry into force and date of application https://advisera.com/13485academy/mdr/entry-into-force-and-date-of-application/

  • Erasure request refusal

    1. Hello, I have contacted a company that manages a messaging app I used in the past to request information about exercising my right to erasure (Article 17(1) GDPR), since they say they're GDPR compliant. In particular, my question to them was about having my messages/posts (private and public) deleted when they close my account. They say they would refuse to delete these messages, since they argue that would interfere with other users' right to free expression and information (Article 17(3)(a)), as there would be gaps in the conversations potentially leading to misinterpretations or the lack of important context.

    My questions to you are:

    Are the messages and posts I sent through the app considered personal data under GDPR to the extent that the app would have to delete them under request?

    The right to be forgotten or the right to erasure is not an absolute right, it depends on the data controller’s retention schedule which must be based on one of the six legal grounds for processing personal data (storage is a data processing operation).

    Related to your question, yes, messages and posts that you submitted through the app are considered to be personal data.

    You can find more details at this link:

    2. Is the exception in Article 17(3)(a) a valid ground for refusing this request in this case?

    In my opinion, Art 17(3)(a), which specifies that the right to be forgotten does not apply when exercising freedom of expression, is not a valid ground for refusing your request in this case. This article should be invoked only when the processing of personal data is done solely for journalistic purposes, or for the purposes of academic, artistic, or literary expression. The data controller could take technical and organizational measures to fulfill your request, such as anonymizing your identifiers – name, surname, username, nickname, etc. For example, they could change your username to something like anonymous_user and modify all your posts/comments and answers to your posts/comments. If they cannot do this, it would mean that the data controller is in breach of Art 25 GDPR, Data protection by design and by default, which states that “the controller shall, […], implement appropriate technical and organizational measures, […], in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

    You can find more details at these links:

    To learn more about the right to be forgotten, see this free online training: GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/  

  • Identifying Assets

    This is a valid approach, but you need to be careful to not make your asset register unnecessarily complex.

    For example, a data loss risk is applicable to all these assets, and with your approach, you will need to create this risk for each asset.

    In this case, you may use an asset called “customer data” and include this data loss risk only once, and use the specific assets only for specific risks (e.g., SQL injection risk is applicable only to “Customer data in SQL database”).

    This will prevent a risk from being repeated only because it also applies to the multiple forms that the information can take.

    This article will provide you with a further explanation about the asset register:
