Yes, the use of the word "must" is an accepted term in your documentation. In the English language, both "shall" and "must" are verbal expressions that indicate that something is mandatory. ISO International Standards, like ISO 17025, used for conformity assessment contain requirements and use "shall" to describe a mandatory requirement. For example, the laboratory shall document the competence requirements for each function.
ISO standards only use the word "must" to refer to an obligation on the user of the document (e.g., ISO 17025) due to a country-unique condition or law, or a law of nature, not a requirement of the ISO standard. For example, all buildings in the active seismic area of Los Angeles must be earthquake-resistant.
This is by agreement of definitions in terms of an ISO directive.
In the English language "must" is typically used in everyday speech as a command, necessity or request. That is the reason why "must" is used in a procedure to instruct the user on what is necessary to comply with, so the laboratory can meet a mandatory ISO 17025 "shall" requirement. For example, the laboratory manager must retain the records for determining the competence requirements.
If you wish, you can define the use of the word “must” in your quality manual or procedures as a mandatory instruction to fulfil the ISO 17025 “shall” requirements.
Note too that anywhere in your documents you state something “is” or some things “are”, this is also a mandatory expectation that needs to be met in terms of assessment during internal auditing and for accreditation, i.e. the evidence “must” be available.
For more information on ISO 17025, see the White paper Clause-by-clause explanation of ISO 17025:2017 at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025
"1. Do applicants have to submit a declaration of consent so that recruiters can process their data for the application process? This is a recruiter who does not hire applicants himself, but rather places what is known as direct placement with an employer.
Yes, collecting the data of applicants is data processing so the recruiter needs to provide a privacy notice and ask consent.
2. Can the recruiter request a driver card and a copy of the driver's license from the applicant if he wants to refer him to a haulage company? The recruiter wants to check the validity of the documents. The recruiting process takes place exclusively online. The recruiter is the person responsible within the meaning of the GDPR. In the first step, he searches for applicants in his own name. This is a job for a professional driver and a direct placement. The applicant will be hired by the shipping company. How do you behave correctly as a recruiter in this case?
The recruiter is responsible for all the selection periods, while the hiring company will become the data controller of the data of the selected applicant. Therefore, if there is a need to verify some requirements in order to do the job, the recruiter can ask for evidence of those documents because it is necessary to carry out the selection. The recruiter shall make clear in the privacy notice that a copy of personal documents may be required for certain job positions.
3. Recruiting takes place online only. The applicant would have to send the documents such as ADR license, driver card and driver's license by email. Is the following clause sufficient to process this applicant's data: "With this declaration I consent to the collection, storage and processing of personal data about me as part of my application process and being transmitted to potential employers?" Submit customers? Does this declaration of consent have to explicitly mention that the driver's license will be processed? It is a job advertisement for a professional driver.
The statement is sufficient for all personal data collected through the application process. You don’t have to expressly mention the driver’s license, the reference is to all personal data collected (documents included). Potential employers are the correct definition, better than customers.
4. Can the recruiter request a copy of the applicant's identity card? The recruiter needs the ID number and series in order to conclude an employment contract with the candidate. How should the recruiter behave GDPR-correctly in this case? The intermediary has no personal contact with the applicant. The applicant would have to send the data by email.
Yes, the recruiter can request all documents that are necessary to identify and select the candidate. In some fields, a criminal conviction statement can be required. As mentioned before, the recruiter shall inform the applicant about what data and documents will be required in order to prepare the job contract or to forward it to the hiring employer.
5. How should the recruiter behave if the applicant sends him an unsolicited copy of his ID or a copy of his driver's license by email?
It depends. If the driver's license or the ID copy is necessary, the recruiter shall inform the applicant that the data will be processed for the hiring process; if the data are not necessary, the recruiter shall inform the applicant that those documents are not required and will be deleted.
6. Can the recruiter ask for the same candidate data as the employer? The recruiter does not hire the candidates himself.
Yes.
7. The recruiter is looking for suitable candidates for more than 6 months. The application process takes longer than 6 months. When do the applicant data have to be deleted in this case? The job advertisement is, e.g., online for 8 months. When does the 6-month deletion period for applicant data start counting?
At the end of the call for the application period, so after the 8 months.
8. How long do you have to keep the recruitment contract between the customer (the potential employer) according to the GDPR?
The GDPR does not fix data retention periods; it depends: until the hiring of a candidate for the data of non-selected applicants, and longer for the hired candidate (if any), in order to have evidence of compliance with the recruiting contract between the recruiter, the agency, and the employer.
9. How long should I keep the employment contract between the candidate and the recruiter? This is not an employment contract. The placement is free of charge for the applicant. The recruiter receives the commission from the agent.
Terms of data retention may be fixed by law or depend on the purpose of processing. If the commission is paid by the agent, the recruiter can store the agreement until the terms for legal proceedings by the agent or the applicant have expired (just to have the evidence that the applicant had been hired). This term varies in each Member State.
10. I observe with various recruiters that they immediately note in the job advertisement that the applicant should send his résumé including a copy of his driver's license and a copy of his driver card. Is this allowed? The recruiter is not an employer in this case.
Yes, it is allowed. You can process all data that are needed to process the application.
11. Can I ask for a photo of the applicant?"
Yes, if it is necessary or useful for the application, i.e., for some positions it is required.
Here you can find more information about the HR department and GDPR compliance:
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/
During the development of your documents through the templates wizards, you will be asked to define some responsibilities for specific tasks, and based on how you want to implement ISO 27001 you can decide which steps to assign to specific departments/roles.
For example, the Finance head can be assigned when a specific task requires money or requires that something be bought. A more specific example is the training and awareness plan, where you can define the HR manager as responsible.
The main point is that ISO 27001 does not prescribe which activities to assign to specific roles, so it leaves organizations free to define them as they see best for themselves.
These articles will provide you with a further explanation about roles and responsibilities:
Please note that section 3.4 of the "Procedure for working in secure areas" covers the access of visitors. You can edit the first paragraph of this section to explain the general rules for visitor access to common areas.
Additionally, you should also consider defining a visitor profile in the Access Control Policy, since this policy is referred to in section 3.4.
This article will provide you with a further explanation about access control:
For organizations of up to 50 employees, it is better to include the whole organization in the Information Security Management System, because the effort to separate what is in from what is out of your ISMS will not be worthwhile.
Considering that, all departments included in your Information Security Management System scope need to be listed in Conformio.
These articles will provide you with a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding scope definition:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Once templates are completed, they need to be approved and implemented (i.e., you need to ensure that everyone complies with policies and procedures), and the defined records need to be created and stored.
Once you have the records, you need to perform an internal audit and management review, starting any corrective measures deemed necessary.
During this time, you need to choose your certification body and make the arrangements for the certification audit.
These articles will provide you with a further explanation about certification:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
These materials will also help you regarding the certification process:
- ISO 27001/ISO 22301: The certification process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
- Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
If you're referring to human blood testing, the answer is no. Any human blood testing falls under medical pathology testing and requires the laboratory to be ISO 15189 compliant and, in most situations (depending on national legislation), accredited.
Typically veterinary labs are 17025 accredited and animal blood testing falls within their scope of work.
The main question here is who certified the medical devices (in your case dental instruments). Who has the CE certificate? You mentioned that you do not sell under your own name. In that case, the comment from the EU AR company is right. The EU AR can be a representative only for the products and the company that puts the products on the market.
If I understand your situation correctly, you are the outsourced production for the company that puts dental instruments on the market. In that case, you do not need an EU representative.
Yes, on the label you can state that *** is a contract manufacturer or a place of production (using the white factory symbol).
I agree with you that the organizational side can make the difference in increasing compliance and awareness about security and GDPR requirements. Setting an access policy that determines the level of confidentiality of documents and the persons allowed to access or modify them is a good security measure.
Another organizational measure is to set the rules of data processing for your employees with a data protection policy, and also an IT security policy in order to define some technical aspects, like software that is not allowed in your organization's IT system.
Thinking about the storage you mentioned, keeping all data on your laptop can expose you to a data breach in case the laptop stops working or something happens to the data, so if you decide to follow this path, implement a backup solution.
Another approach is to keep data in the cloud, setting access levels for your employees and increasing the possibility to work from anywhere. In this case, consider installing a VPN in order to protect access and navigation and, of course, set access levels for your employees.
Here you can find some information about starting the compliance process:
If you want to learn how personal data are processed under the EU GDPR you may consider enrolling in our free training EU GDPR Foundations course: https://advisera.com/training/eu-gdpr-foundations-course/
I’m assuming you are referring to an ISO 27001 certified information security management system.
Considering that, you should look at these templates:
These articles will provide you with a further explanation about measurement and management review: