"Dear Alessandra,
Thanks for your help so far.
Regarding my previous questions and your respective answers, I have marked with the same numbers those that still need some clarification or where further doubts have arisen in the meantime.
Can I simply include the Privacy Notices in the Privacy Policy? In fact, as far as I see, all the websites only have two links at the bottom of each page, "Privacy Notice" and "Terms of services".
In the Privacy Notice template at point 1, what is the Personal Data Protection Policy I should link to? Is it already included in the Privacy Policy template?
In the side note of the same point it is written: "If your company has multiple data processing activities, you will need to develop different notices based on this template, which will differ depending on the processing activity and the categories of personal data collected.
For example, one Notice might be written for mailing purposes, and a different one for shipping purposes."
May I include all processing activities in only one Privacy Notice, by simply listing them all there and including this in the Privacy Policy for simplicity?
Or maybe, in section 2 of the Privacy Policy, in each subsection I can add a Privacy Notice specific to that topic. I am thinking of that solution since you say:
"If they subscribe to a newsletter you will need to add this info, if you have an e-commerce, you may need to develop a privacy notice linked to the general terms of sale you have because the data processing of clients will be different from the website users."
Sorry, but I find this really difficult to work out.
If your activity is based on the website, whatever the different channels through which you acquire clients, it makes sense to publish the privacy policy and the terms of use, because you will process most of the data through your website or digital instruments.
However, there are some organizations that mix local activities and digital activities, so they need a privacy policy that sets general rules about how the organization processes data and a privacy notice for the website, because the processing of data of clients/website visitors is different from that of the individuals who enter the local brick-and-mortar shop and purchase goods (i.e., navigation data will not be processed).
The aims of the two documents are different: the privacy policy sets the rules that your business follows in data processing; the privacy notice is specific to each kind of processing. Art. 12 GDPR requires the data controller to inform the data subject in a clear, concise and transparent way for any data processing.
So you need to publish them as separate documents.
The Personal Data Protection Policy is another template that is part of the EU GDPR Toolkit, which is suited to bringing the whole organization to EU GDPR compliance.
Here you can see the EU GDPR Toolkit and all the documentation included:
EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Also, in section 4 of the Privacy Notice template, I see I am supposed to insert a "Data Retention Policy" link. Again, wouldn't it be easier and more common to have this included in the Privacy Policy, too (maybe as a dedicated section)? By the way, isn't it section 2g of the privacy policy? If not, where exactly in the privacy policy should I place it?
By the way, I cannot see any template for that. Maybe I am just supposed to write something like "We are going to keep data X for ...years, data Y for ...years, etc." Right?
You need to inform the data subject about data retention periods in your notice (or policy, depending on the solution you prefer). The Data Retention Policy, however, is another document, which helps larger organizations set rules about data retention periods for all data processed (also paper-based documents, like contracts, invoices, etc.). Here you can find the template; it is not part of the Website Toolkit that you purchased, which has been developed to help data controllers make the website compliant with EU GDPR, so it is focused on data processing through the website:
EU GDPR document template: Data Retention Policy: https://advisera.com/eugdpracademy/documentation/data-retention-policy/
Similarly, I cannot see any Data Subject Access Request Form in the toolkit. Is there anything standard I can find online and not subject to copyright?
Documents related to Data subjects rights are included in our EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Regarding the CCPA, I don't have such a high turnover, nor do I manage contacts of so many people from California. Therefore, as far as I can see, I do not have to comply with it.
Sorry, I probably used the terms wrongly, but I also think that part of my question was misunderstood and unanswered, as I was actually saying that the survey is outside my website (hosted in Google Surveys), and I was actually asking whether the related privacy notice can be included in the privacy policy of the website for simplicity. Then I would link to the privacy policy from the Google survey. Again, I do not have experience of websites having more than a Privacy Policy and a Terms of services in their footer. Nothing such as privacy notices seems to me to be present. Am I wrong? Does that make sense?
Also, what about the second part of my question? ("Should I place this link in all the emails I send to my leads and clients?" I mean the link to the website privacy policy containing the privacy notice related to newsletter and email contact.)
OK for the CCPA; I agree that, from the situation you described, it seemed unlikely that the CCPA applied to your case.
Yes, you can include the data processing of the survey in the privacy policy of the website, and yes, you can insert the link to your privacy policy in your emails (you can add it in your email signature).
Sorry, but I have found the answer not clear. Do you mean that I should use "us" or that I can simply erase the section speaking about a DPO?
You can erase the mention in section c) Data Protection Officer, but in the paragraph "Your Rights" you need to say "As a data subject, you can contact us at ..."; usually you can insert an email address like privacy@yourwebsitedomain.com.
Thanks for clarifying this. But I would need an answer also to the second part of my question: is encryption to be listed here if I only have an SSL certificate? (I do not know whether there are other ways to do encryption.)
If that was not clear enough, I meant that I have an SSL certificate, which I believe has to do with the so-called "encryption". However, I am not sure whether this is enough to state that I am doing encryption. Could you, please, explain?
Also, you mentioned that access control has to do with password management (which I believe means how I would protect the passwords of my clients), and that it may not be my case since I own a small business. However, I might want to allow my clients to store their credit card data on my website instead of entering them every time. That would require a login with a username and password.
So, in that case, I believe that I should keep the phrase "access control" in that section. Can you please confirm that?
An SSL certificate provides encryption of navigation data, but what about your database? Your hard disk? Data on your computer? Are they encrypted? If not, you can state that the connection is encrypted through the SSL protocol; you need to verify with your hosting provider whether they offer encryption of data, and also with your cloud system (for example, data stored on a personal Google Drive, not on G Suite, is not encrypted). Does your newsletter provider encrypt the mailing list? As you can see, encryption is a wider theme than the SSL protocol.
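The "access control / password management" item raised above is the part of the question that does lend itself to a worked example. The following is an added illustration, not code from the Advisera templates or from the original thread: it shows how a small site's login can protect client passwords so that a leaked database (which TLS on the connection does nothing about) does not expose them. It uses only the Python standard library; the in-memory USERS dictionary and the register/login helpers are hypothetical stand-ins for a real database table and application code.

```python
"""Password storage for a client login: added example, not from the page.

Passwords are never stored; only a salted scrypt hash and the parameters
used to produce it are kept, so a copy of the table cannot be reversed.
"""
import hashlib
import hmac
import secrets

# scrypt cost parameters (CPU/memory cost, block size, parallelism).
# Stored next to each hash so they can be raised later for new records.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' for storing in the database.

    A fresh 16-byte random salt per user means two clients with the same
    password still get different stored values.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record; nothing is decrypted."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        n_i, r_i, p_i = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        # malformed record (wrong field count, bad hex or bad integers)
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n_i, r=r_i, p=p_i, dklen=len(expected))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


# Constructed sample "user table" (assumption: in-memory stand-in for a DB).
USERS: dict = {}

# Hash verified for unknown e-mails so that the response time does not
# reveal whether an address is registered.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def register(email: str, password: str) -> None:
    USERS[email] = hash_password(password)


def login(email: str, password: str) -> bool:
    """True only for a correct e-mail/password pair."""
    stored = USERS.get(email)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    register("client@example.com", "correct horse battery staple")
    print(login("client@example.com", "correct horse battery staple"))  # True
    print(login("client@example.com", "wrong"))                         # False
    # Only the salted hash is stored, never the password itself.
    print(USERS["client@example.com"][:40] + "...")
```

The point relative to the answer above: the SSL/TLS certificate protects the password while it travels from the browser to the server, and this hashing protects it once it is at rest on the server, which are two different controls that both belong in the "security measures" section.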
I have checked whether the link to the tutorials was together with the link to the toolkit in the same email, but no, I could not find it. Would you be so kind as to send me that link?
For the rest, I understand I can erase everything: the Confidentiality levels and the footer (including the version number of the privacy policy and the license agreement for the template), as I do not need them."
My colleague has sent you the link to the video tutorial.
The exported Internal Audit Report in Conformio consists of these details:
It will be delivered on one page, with the organization logo in the header and title "Internal Audit Report".
The checklist and references/evidence are not available in the exported Internal Audit Report. Checklists cannot be exported.
1. Is there a template for receiving inspection and dock audit?
There is no template for receiving inspection and dock audit.
Receiving inspection should be done according to the technical drawing of the product received. The number of samples, measured values and specifications, visual result, certificate check result, packaging, labeling, weight, etc. controls should be found on the relevant form. As you know, a dock audit is "a quick, final inspection of finished products before they are sealed, boxed, and approved for shipping. It is a visual inspection typically performed by quality control inspectors on the shipping dock of a warehouse shortly before the product is loaded onto a freight truck for delivery."
So, if it covers the above topics, you can use your own list of questions for the dock audit and receiving inspection.
2. What are the minimum criteria to satisfy IATF requirements?
A dock audit is not a requirement of IATF 16949:2016, but you should do it if you have a customer-specific requirement. Receiving inspection should be performed and measured according to the technical drawing of the product received, and, if necessary, results such as appearance, weight, quantity, certificate control, etc. should be checked.
1 - How to start? What has to be done first?
Please note that there is no ideal or logical order to start viewing the training, so you can watch them according to your preference, or simply follow the sequence on which they are provided.
One tip could be for you to start with the videos about topics you are already familiar with, so you can understand the structure of the presentation. This way you can have a better experience when watching videos on topics new to you.
2 - How to start auditing the company on Information Security?
The internal audit can be performed by the organization's own employees, provided they have the competence and do not audit their own work. Or you can contract a third party to perform the audit.
As for choosing a third party to perform the audit, you should consider at least these criteria.
These articles will provide you with further explanation about internal audit:
These materials will also help you regarding internal audit:
Thank you for the answer. How should I approach the BIA analysis when some processes, e.g. related to IT or sales, are maintained as part of services shared by a related company? The critical processes in my organization require them to function. In your opinion, should they do the BIA on their own or fill in my questionnaire?
In situations like these, to comply with ISO 22301 you should fill out your BIA questionnaires only stating which third parties you depend upon and for which activities.
You do not need to know the details of how to ensure they can properly support your processes, because with the information you identify in the BIA you can define business continuity capabilities as continuity clauses in the contracts or service agreements you have with them.
By the way, included in your toolkit you have access to a video tutorial that can help you fill in the BIA.
"I have two questions:
Are there GDPR awareness training videos available? I am looking for a 30 min to 1 hr video for our employees which explains the guiding principles and the responsibilities of organizations and their personnel.
You can enrol in our free online training EU GDPR Foundations Course - the course has a couple of hours of videos, but you can watch only the ones you consider appropriate: https://advisera.com/training/eu-gdpr-foundations-course//
Further, you can watch the security awareness training videos which are much shorter and have also some videos on privacy: https://advisera.com/training/awareness-session/security-awareness-training/
In the paragraph below, taken from the GDPR regulations, it refers to (commercial organizations). Could you elaborate on the intended definition of commercial organisation?
The effect of such a decision is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transmissions of data.
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection."
It refers to all organizations which are bound by GDPR (companies, sole traders, freelancers, non-profits, associations, political parties, etc.). GDPR does not apply to data transfer among individuals in their private life/domestic activities.
Here you can find more information about GDPR applicability:
For Class I medical devices there is no strict definition of how often updates need to be done. And this is not about some time limit, but about the fact that these documents change depending on the situation.
The most common reason for changing the Clinical Evaluation is some risk that has arisen, or if something has happened to the competition, so this is an input to you as well. It is expected that the clinical evaluation for Class I medical devices generally changes every 3-5 years.
In risk management, the situation is a little different. Every complaint you receive must be analyzed to see if it is already covered by your risk analysis. Any change of supplier, change of machine, change of production conditions, and even organizational changes must be analyzed and assessed for how these situations affect the risks. This means that there will be a period in which you will not change the risk analysis for a year, and then again there may be a period in which you will change the risk analysis several times within 6 months, for example.
Records are types of documents that provide "proof of existence", proving that a certain process has been done. You need to keep all the mandatory records which are directly required by the standard. You can see the List of mandatory documents and records required by ISO 13485:2016 in the following article:
Of course, if some requirements are not applicable to you, then you do not need to generate these records. For example, if your product is not sterile, then you do not need to have records of sterilization and sterilization validation in your quality management system.
The purpose of the List of records is to have all your records in one place and to know which record version is currently valid. On that list there should be all records that you produce within your quality management system: both the mandatory records required by the standard and any other record that you generate during the execution of your processes which is proof that some process has been done. This list guarantees the exactness of entered data and prevents unauthorized entry, changes, and destruction of such records.
If by CAPA you mean the record Corrective/preventive action request from our toolkit, then this record needs to be on the List of records.
More information on document management can be found at the following links:
Please note that the ISO 27001 main clauses (4 to 10) do not prescribe the development of procedures. Regarding the ISO 27001 Annex A controls, the following controls, when identified as applicable, require the development of procedures:
To see how documents compliant with these controls look, please see:
These articles will provide you with further explanation about document management:
These materials will also help you regarding document management:
Please note that when you perform a risk assessment on a group of assets, it means that they share the same risk characteristics, like threats, vulnerabilities, likelihood, etc.
For example, a category called "computer" can have as individual assets servers, desktops, and laptops. If you assess risk for the category "computer", it means that all individual assets have the same risk, so you do not need to assess each individual asset.
Assessing an individual asset would be needed only if you have a risk specific to an individual asset in the category (i.e., different threats, vulnerabilities, likelihood, etc.). For example, the risk of laptop theft could be different from the risk of server theft, so it may be worthwhile for the organization to perform a risk assessment specifically for laptops.
Considering that, to perform the risk assessment in Conformio for specific assets, you only need to go one step further in the identification of the assets (i.e., you can add a new asset, choosing one of the assets included in the "computer" category).
If you want to assess two kinds of laptops separately because they have different risks (e.g., a financial laptop and a development laptop), you would need to add two assets, name them e.g. "financial laptop" and "development laptop", and do the risk assessment for each.