We at Advisera recommend the Clinical evaluation plan as it is in our Documentation toolkit. The Clinical evaluation plan template is designed in accordance with the requirements stated in the MDR, Article 61 and Annex 14, and MEDDEV 2.7.1, rev 4.
Consider the fact that both the Clinical evaluation plan and the Clinical evaluation report should be documents that can be read independently, so all relevant information should be there - a complete description of the product, all its characteristics, indications, contraindications, risks, etc. - for the auditor to understand completely what kind of product it is without looking at other documents from the Technical Documentation.
According to the MDR, documents from the domain of clinical evaluation are checked by another auditor, and not by the one who conducts the audit directly with a manufacturer.
"I'm wondering if you could help me out with a couple of questions related to GDPR and controllers?
Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?)
I assume that your system provides a service to your clients and while providing the service processes personal data of employees and visitors (i.e., an access control software installed on premises). If this is the case, you are the data processor because you are providing the means for the data controller (your client) to process personal data of the employees and visitors for its own purposes (in our example, of access control software to guarantee safety).
In fact, Article 28 GDPR states that the data processor is the one who processes personal data on behalf of the data controller.
A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?"
If your organization falls in the scope of the Canadian Personal Information Protection and Electronic Documents Act ("the Canadian Act") (and further amendments), you can benefit from the adequacy decision of the European Commission (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002) and you can proceed with the data transfer according to Article 45 GDPR without implementing the Standard Contractual Clauses.
Here you can find the list of countries with adequacy decision: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Here you can find more information about the difference between controller and processor and about the data transfer:
EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/
If you need to understand how to implement EU GDPR compliance, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
Some examples could be:
"XYZ Company located in ABC performing the management of subsidiaries involved in natural gas, gas condensate and oil production, transportation, processing and storage."
"XYZ Company located in ABC performing the construction of new facilities for the gas supply system; expansion, renovation, maintenance and repairs of facilities; design of field development projects; prospecting, geological exploration, and development of gas, gas condensate and oil fields; supply and sales of natural gas; power generation; sales of natural gas."
For more information about the scope you can see the following materials:
- What clauses can be excluded in ISO 9001:2015? - https://advisera.com/9001academy/blog/2015/07/07/what-clauses-can-be-excluded-in-iso-90012015/2015/
- How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- Enroll for free in the course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
First, ISO 9001:2015 promotes the process approach. So, I will use the auditor’s shoes focusing my attention only on processes and clauses.
There are no mandatory requirements for procedures (please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/ ). So, the non-existence of procedures is not in itself a reason to issue a non-compliance. The auditor may expect that, but it is not in the standard, period.
Compliance with ISO 9001 will be assessed by translating ISO 9001 clauses 4.4.1, 8.2, and 8.4, for example, into a set of requirements. For example, which processes cross the sales and purchasing departments? Are those processes effective? What indicators are used to assess effectiveness? Are they measured, are they evaluated, are decisions made? For example, about clause 8.2 I as an auditor would start with orders received from clients and would ask for evidence of what ISO 9001 requires, same for clause 8.4 for deliveries from suppliers. For example, about clause 8.4.1 the audit can ask for:
I’m assuming that by the inspector you mean certification auditor.
The following documents are not mandatory for ISO 27001 and templates for them are not included in the toolkit to avoid the unnecessary administrative effort to manage documents. You should ask for clarification from the auditor about the need for these documents:
- Organization chart
- Integrated System Manual (or equivalent)
- Context analysis
- Continuity Plan
The following are the documents required by ISO 27001, and templates for them can be found in the toolkit as follows:
- Information Security Policy, located in folder 4 General Policies
- Applicability statement, located in folder 6 Applicability of Controls (Statement of Applicability)
- Risk analysis, located in folder 5 Risk Assessment and Risk Treatment (Risk Assessment Table)
- Management Review, located in folder 11 Management Review (Management Review Minutes)
- Internal Audit Report, located in folder 10 Internal audit
Please note that although the documents are nearly 90% complete, they still need to be customized by the customer for use in the organization (e.g., Information Security Policy), or the activities related to them need to be performed so results can be recorded (e.g., for Management Review, and Audit Report).
These are the documents required by ISO 27001 only if specific controls are deemed applicable in the SoA, and they can be found in the toolkit as follows:
- Asset List, located in folder 8 Annex A Security Controls >> A.8 Asset Management
- Disaster Recovery, located in folder 8 Annex A Security Controls >> A.17 Business Continuity
These articles will provide you with a further explanation about ISO 27001 mandatory documents:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
If you understand that multiple controls are needed to decrease risk to an acceptable level, then you can add multiple controls next to each risk in the Risk Treatment Table.
Regarding the Statement of Applicability, please note that all controls related to risks need to be documented in the Risk Treatment Table, not only those you consider the most important.
These articles will provide you with a further explanation about risk assessment and treatment:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
By the way, included in your toolkit you have access to video tutorials that can help you fill in the Risk Treatment Table. This tutorial will show you how additional controls are added.
Nonconforming work is an event when an aspect of the laboratory’s activities or results of this work (outcome or actual test results) deviated from what was supposed to happen. It can happen whenever there is a deviation from the laboratory’s own procedures or agreements with a customer. For example, equipment performance was not verified (as required in a procedure), or incorrect sample storage meant a sample could not be tested. Another example would be if environmental conditions are found to be out of specified limits and the sample analysis was delayed. This means that even if the sample is stable and the results are not affected, this is still a nonconforming event (work) because the existing control of a risk (temperature) failed and an objective of turnaround time, for example, or customer satisfaction is affected.
For further information on dealing with nonconformances, see the Article Corrective actions principles and root cause analysis in ISO 17025 at https://advisera.com/17025academy/blog/2020/11/04/corrective-actions-principles-and-root-cause-analysis-in-iso-17025/
and the Toolkit ISO 17025 templates:
Writing a new procedure covering the specifics for information security-related documents is acceptable to fulfill ISO 27001 criteria.
Another possibility is you adjust your current document to define the specification for information security. For example, you can write:
1. Does the EU also have an emergency use authorization as the FDA does for medical devices, specifically ventilators?
Yes, the EU also has a strategy rescue stockpile of medical equipment for COVID-19. You can find all the details at the following link: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_476
2. Are you familiar with the process for EUA Authorization of the FDA?
Yes, we are familiar with the information that can be found on the Internet. Feel free to ask what interests you.
"Should we be verifying customers' identity via email when the email they are contacting us from is the same email they used to purchase a product from us?"
I assume you are asking if you need to verify the identity of the customer when he/she contacts you in order to exercise the data subject's rights. The answer is yes, you need to be sure that the individual requesting to access, delete, or modify personal data is the legitimate data subject.
Here you can find more information about data subjects' rights:
Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
If you want to understand how to implement GDPR compliance in your organization, you can consider enrolling in our free EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/