"Thanks for your response, I am now clear that if any form of contract or agreement is signed between the controller and the data subject, it does not require specific consent. Especially if the bank has signed account opening forms or product and services forms, then specific consent is not required.
1 - With this understanding I have another question: is the bank allowed to share/process data via third parties, without specifically mentioning it in the form/contract at the time of customer on-boarding, in order to fulfill the contract? Or can the bank publish a privacy notice on its website stating that the bank will process your data via third parties?
The bank can share data with third-party processors, but in the privacy notice the bank should mention that data will be shared and for what purpose. The privacy notice should be given with the contract because the data subject should be able to know what data will be processed and how in the contract relationship.
2 - Is it mandatory for the organization/bank to mention the name/region of the third-party data processor, especially if it is in a non-EU state?
The bank should declare whether data will be transferred outside the EU, what the legal basis of the data transfers is, and the destination of the data. If the destination is several countries, they should write that the data subject can contact them to know the exact list of countries and the safeguards implemented.
3 - Can any organization use the term "we may share your data with third-party service providers", or does it have to be specific by mentioning the service outsourced and the name and region of the service provider? And where does it have to be clarified: at the time of the contract or via the privacy notice?
Thanks and looking forward to your expert opinion"
The privacy notice is the document where all this information should be given. The controller doesn't need to be specific if the third-party processors are different (they may also change), but the data subject is allowed to contact the controller to know who the processors are.
Yes, in some cases you can transfer the risk to insurance (e.g. for a risk of fire, you can insure your physical assets), however such insurance can only cover a smaller number of your risks. Therefore, you cannot expect to treat all risks through risk transfer using the insurance.
For the risks for which you use the insurance, you will not need to perform monitoring and review of supplier services.
This kind of procedure is normally classified as 'internal use' because it defines the rules not only for the management of incidents, but also on how employees can identify and report incidents - so due to this nature, it is not necessary for personnel out of the organization to access this procedure.
An organization being SOC 2 certified means it is compliant with the Trust Service Criteria (TSC), which have a high level of alignment with ISO 27001.
Considering that, most of the work to achieve ISO 27001 certification will be related to identifying and documenting the evidence required by the standard.
For example, for ISO 27001 the risk assessment and risk treatment approach must be documented, and this is not mandatory for the TSC.
These articles will provide you a further explanation about SOC 2 and ISO 27001:
These materials will also help you regarding ISO 27001:
Please note that ISO 27001:2013 defines as the top-level policy the "Information Security Policy", however the old 2005 revision of ISO 27001 called this document "ISMS Policy".
So, the ISMS Policy and the Information Security Policy are the same document.
Regarding the elements of GDPR included in this Information Security policy, they do not require customization, so a video tutorial with specific GDPR content for filling in the Integrated ISO 27001 & GDPR Information Security Policy is not required. In case you find any differences between the templates and video tutorials, please consider the template as the most updated version.
For more information, see:
An internal auditor does not need to have an IT Security job title or role.
ISO 27001 does not prescribe job titles or roles for persons performing internal audits. It only requires that internal auditors have the proper knowledge, skills, and experience, and that when selecting internal auditors you ensure the objectivity and impartiality of the audit process, which means that internal auditors are not directly involved in the process being audited (an auditor should not audit his own work).
These articles will provide you a further explanation about the Selection of internal auditors:
These materials will also help you regarding the Selection of internal auditors:
As far as it is possible to know, Microsoft Office 365 and Dynamics 365 claim to be GDPR compliant and take steps to assure their compliance. There is no GDPR certification, so it is not possible to know whether Microsoft is fully compliant.
Here you can find their commitment: https://www.microsoft.com/en-ww/trust-center/privacy/gdpr-overview
If you want to know more about the EU GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
In part, besides indicating in the privacy notice that the collected data will be processed by two controllers (or by a controller and a processor), it is also necessary that the joint controllership relationship be defined by a contractual agreement between the two companies that describes the roles and responsibilities (in the case of a controller/processor relationship, the appointment as processor under Art. 28 GDPR will be necessary). Naturally, this agreement does not need to be published, but it must exist in order to demonstrate accountability.
For more information, see:
If you want to learn more about the GDPR, you can consider enrolling in our free online training course:
"Dear Alessandra,
Thanks for your help so far.
Regarding my previous questions and your respective answers, I have marked with the same numbers those that still need some clarification or where further doubts have arisen in the meantime.
Can I simply include the Privacy Notices in the Privacy Policy? In fact, as far as I see, all the websites only have two links at the bottom of each page, "Privacy Notice" and "Terms of services".
In the Privacy Notice template at point 1, what is the Personal Data Protection Policy I should link to? Is it already included in the Privacy Policy template?
On the side note of the same point it is written: "If your company has multiple data processing activities, you will need to develop different notices based on this template, which will differ depending on the processing activity and the categories of personal data collected.
For example, one Notice might be written for mailing purposes, and a different one for shipping purposes."
May I include all processing activities in only one Privacy Notice, by simply listing them all there and including this in the Privacy Policy for simplicity?
Or maybe, in section 2 of the Privacy Policy, in each subsection I can add a Privacy Notice specific to that topic. I am thinking of that solution since you say:
"If they subscribe to a newsletter you will need to add this info, if you have an e-commerce, you may need to develop a privacy notice linked to the general terms of sale you have because the data processing of clients will be different from the website users."
Sorry, but I find this really difficult to work out.
If your activity is based on the website, regardless of the different channels through which you acquire clients, it makes sense to publish the privacy policy and the terms of use, because you will process most of the data through your website or digital instruments.
However, there are some organizations that mix local activities and digital activities, so they need a privacy policy that sets general rules about how the organization processes data, and a privacy notice for the website, because the processing of data of clients/website visitors is different from that of the individuals who enter the local brick and mortar shop and purchase goods (i.e., navigation data will not be processed).
The aims of the two documents are different: the privacy policy sets the rules that your business follows in data processing; the privacy notice is specific to each kind of processing. Art. 12 GDPR requires the data controller to inform the data subject in a clear, concise and transparent way for any data processing.
So you need to publish them as separate documents.
The Personal Data Protection Policy is another template that is part of the EU GDPR Toolkit, which is suited to bringing the whole organization to EU GDPR compliance.
Here you can see the EU GDPR Toolkit and all the documentation included:
EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Also, in section 4 of the Privacy Notice template, I see I am supposed to insert a "Data Retention Policy" link. Again, wouldn't it be easier and more common to have this included in the Privacy Policy, too (maybe as a dedicated section)? By the way, isn't it section 2g of the privacy policy? If not, where exactly in the privacy policy should I place it?
By the way, I cannot see any template for that. Maybe I am just supposed to write something like "We are going to keep data X for ...years, data Y for ...years, etc." Right?
You need to inform the data subject about data retention periods in your notice (or policy, depending on the solution you prefer). The Data Retention Policy, however, is another document, which helps larger organizations to set rules about data retention periods for all data processed (also paper-based documents, like contracts, invoices, etc.). Here you can find the template; it is not part of the Website Toolkit that you purchased, which has been developed to help data controllers make their website compliant with the EU GDPR, so it is focused on data processing through the website:
EU GDPR document template: Data Retention Policy: https://advisera.com/eugdpracademy/documentation/data-retention-policy/
Similarly, I cannot see any Data Subject Access Request Form in the toolkit. Is there anything standard I can find online and not subject to copyright?
Documents related to Data subjects rights are included in our EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Regarding the CCPA, I don't have such a high turnover, nor do I manage contacts of so many people from California. Therefore, as far as I can see, I do not have to comply with it.
Sorry, I probably used the terms wrongly, but also think that part of my question was misunderstood and unanswered, as I was actually saying that the survey is outside my website (hosted in Google Surveys), and I was actually asking whether the relative privacy notice can be included in the privacy policy of the website for simplicity. Then I would link to the privacy policy from the Google survey. Again, I do not have experience of websites having more than a Privacy Policy and a Terms of services in their footer. Nothing such as privacy notices seems to me to be present. Am I wrong? Does that make sense?
Also, what about the second part of my question? ("Should I place this link in all the emails I send to my leads and clients?", I mean the link to the website privacy policy containing the privacy notice related to newsletter and email contact.)
OK for the CCPA; I agree that, from the situation you described, it seemed unlikely that the CCPA applied to your case.
Yes, you can include the data processing of the survey in the privacy policy of the website, and yes, you can insert the link to your privacy policy in your emails (you can add it to your email signature).
Sorry, but I have found the answer not clear. Do you mean that I should use "us" or that I can simply erase the section speaking about a DPO?
You can erase the mention in section c) Data Protection Officer, but in the paragraph "Your Rights" you need to say "As a data subject, you can contact us at"; usually you can insert an email address like privacy@yourwebsitedomain.com.
Thanks for clarifying this. But I would need an answer also to the second part of my question: is encryption to be listed here if I only have an SSL certificate? (I do not know whether there are other ways to do encryption.)
If that was not clear enough, I meant that I have an SSL certificate, which I believe has to do with the so-called "encryption". However, I am not sure whether this is enough to state that I am doing encryption. Could you, please, explain?
Also, you mentioned that access control has to do with password management (that I believe means how I would protect the passwords of my clients), and that it may not be my case since I own a small business. However, I might want to allow my clients to store their credit card data on my website instead of entering them every time. That would require a login with a username and password.
So, in that case, I believe that I should keep the phrase "access control" in that section. Can you please confirm that?
An SSL certificate provides encryption of navigation data, but what about your database? Your hard disk? Data on your computer? Are they encrypted? If not, you can state that the connection is encrypted through the SSL protocol; you need to verify with your hosting provider whether they offer encryption of data, and also with your cloud system (for example, data stored on a personal Google Drive, not on G Suite, is not encrypted). Does your newsletter provider encrypt the mailing list? As you can see, encryption is a wider theme than the SSL protocol.
I have checked whether the link to the tutorials was together with the link to the toolkit in the same email, but no, I could not find it. Would you be so kind as to send me that link?
For the rest, I understand I can erase all: Confidentiality levels and the footer (including the version number of the privacy policy and the license agreement for the template), as I do not need them."
My colleague has sent you the link to the video tutorial.
The exported Internal Audit Report in Conformio consists of these details:
It will be delivered on one page, with the organization logo in the header and title "Internal Audit Report".
The checklist and references/evidence are not available in the exported Internal Audit Report. Checklists cannot be exported.