Search results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Question about GDPR Article 27

    I hope your week is going well.

    We have bought several of your products and love everyone of them.  We had a question about GDPR article 27.  We are working with one of our customers on their GDPR annual audit and one of the questions that is asked for Article 27 is: "Is your organisation established outside of the European Union"?

    This customer is US Based, but has a corporation established in both the UK and Ireland.  They do all of their EU business from either the UK or the Ireland companies and have "Data Champions" in place at each company in the UK and Ireland.  Since they have a corporate entity in the EU, are they allowed to answer the "Is your organisation established outside of the European Union" question "No"?

    If the US company has an office or a branch in Ireland or in the UK can be considered established in the EU and therefore answering “NO” is the right choice. In fact, recital 22 of the Preamble of GDPR states that “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”

    The Guidelines on the territorial scope of the GDPR adopted by the European Data Protection Board (EDPB) on 16th November 2018 states that: “In order to determine whether an entity based outside the Union has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. The threshold for “stable arrangement” can actually be quite low when the center of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.”

    This means that if the EU business of your US client is carried through the UK and the Irish branch, that organizations can be considered as a stable arrangements and the company can be considered as established in the EU.

    Here you can find more information:
    Guidelines on the territorial scope of the GDPR  https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf

    What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Evaluation criteria for environmental aspects

    First, why do we use evaluation criteria? To segment significant aspects from the non-significant aspects. Why? Because resources are scarce, we should focus our attention and resources on those aspects where we can get the most improvement leverage. There is no other reason for developing evaluation criteria. So, any criteria that help your organization doing that is acceptable. Some organizations start with simple criteria like gravity, frequency/probability and ability to control or influence and then, with time, evolve to include other criteria like economic outcomes.
    So, if you are starting, I recommend a simple approach.

    Please check this information below with more detailed answers:

  • Monitoring integrity issues in QMS

    As far as I understand your question, integrity issues can be integrated into a QMS through the risk-based approach:

    • Determining risks
    • Evaluate risks
    • Develop action plans to deal with the most critical (prevention, response and simulation)

    You can find more information below:

  • Privacy Policy

    "Dear Sir/MadamI need your advice regarding the belowAs a data processor , is it required to create a privacy policy

    From your question, I understand that you are asking me if the processor has to inform data subjects about data processing through the privacy notice under Article 13 GDPR. 

    The purpose of a Privacy notice is to provide to data subject all the information about data processing. In fact, Article 13 GDPR requires that the controller inform the data subjects about what kind of data is processed, the purposes of the processing, if there are any data transfer, and all the information that needs to be provided by the controller to the data subjects. Privacy notice is mandatory.

    The privacy policy, instead, is an internal document from the management that shows how the organization processes personal data and sets rules on processing, access data, data retention period, and so on. The privacy policy is considered one of the organizational measures to be taken by both processors and controllers. It is mandatory under Article 24 (2) GDPR when proportionate in relation to processing activities.

    What is data processor obligation regarding data subject right"

    As a processor, you need to establish processes that allow the controller to fulfill its obligation towards data subjects. This means that if the controller receives a request to exercise the right of erasure (right to be forgotten) and request you to erase the data of the data subject, you need to comply with such request.

    Here you can find more information:

    You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

  • Implementation of the ISO 27001

    1 - For instance, would it be sufficient for us to adjust certain procedures we already have because of this? Besides creating new ones that are required of course.

    ISO 27001 and ISO 13485 share some common requirements, and procedures related to them can be integrated into single documents with minor adjustments, like document control, internal audit, and management review.

    2 - Is integrating ISO 27001 into our Quality Management System possible?

    ISO 27001 and ISO 13485 share some common requirements, it is perfectly possible to integrate them.

    For further information, see:

    3 - Does a gap analysis exist between ISO 13485 and ISO 27001 and if so, has it already been made?

    A direct gap analysis is not available, but you can use these references to have this information:

    4 - Is this kind of information also addressed extensively in your toolkit?

    I'm assuming you are referring to information related to integration.

    Considering that, common demand is for integration between ISO 27001 and ISO 22301, and this is the information provided in the toolkit.

    However, by buying the toolkit you will have our support, through questions sent to our experts, or by means of online meetings, where you can solve your doubts related to this and other related issues.

  • Requirements for medical device implant

    If you are asking what requirements are applicable for implantable medical device, here they are:

    Most of the implantable devices need to be sterile, then requirements 7.5.5 Particular requirements for sterile medical devices and 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems are applicableImplantable medical devices do not need installation and service so requirements 7.5.3 Installation activities and 7.5.4 Servicing activities are not applicable

    All other requirements are applicable.

    For more information on what is ISO 13485, please see the following articles:

    • What is ISO 13485? - https://advisera.com/13485academy/what-is-iso-13485/
    • Six key benefits of ISO 13485 implementation - https://advisera.com/13485academy/knowledgebase/six-key-benefits-of-iso-13485-implementation/
    • Checklist of ISO 13485 implementation and certification steps - https://advisera.com/13485academy/knowledgebase/checklist-of-iso-13485-implementation-and-certification-steps/

    • Vendor Reviews

      I work for ***, which provides software and services to help companies do webinars. I'm trying to figure out if certain companies that we use their services need to be on our Vendor Log, and if we need to perform periodic vendor reviews for them, etc. It is clear to me that our Key Vendors and all vendors who interface with our software would need to be included. But what about companies like ***, who helps us manage our social accounts? It is not clear to me where the line is in cases like this. Thanks very much.
    • Test methods and measuring equipment

      About measurement systems analysis; The IATF 16949: 2016 standard requires the following requirements.

      7.1.5.1.1 Measurement systems analysis 

      Statistical studies shall be conducted to analyze the variation present in the results of each type of inspection, measurement, and test equipment system identified in the control plan. The analytical methods and acceptance criteria used shall conform to those in reference manuals on measurement systems analysis. Other analytical methods and acceptance criteria may be used if approved by the customer. 

      Records of customer acceptance of alternative methods shall be retained along with results from alternative measurement systems analysis (see Section 9.1.1.1). 

      Note: Prioritization of MSA studies should focus on critical or special product or process characteristics

      So as you know, an MSA study must be carried out for each type of instrument specified in the control plan. 
      In other words, MSA is not required if measurement equipment is not defined in the control plan. If any automotive customer, in customer-specific requirements, is stated that there is an obligation to do MSA studies once a year; then MSA studies must be done once a year. 
      But if there is no such request; as long as the measurement device does not change, malfunction or the device is changed; MSA is not required every year.

      Briefly,

      • MSA should be for every type of measuring instrument included in the control plan. Better have an MSA plan prepared.
      • It is recommended to start with the critical product and process characteristics.
      • There are also many methods for MSA. There is no only Gauge RR study, there are bias, linearity, stability, short method, ANOVA, GRR, attribute methods, destructive methods, etc..  
      • The correct MSA method should be chosen according to the type of measurement system.

      For more information, please see the following article:

      How to Establish Measurement System Analysis According to IATF 16949 https://advisera.com/16949academy/blog/2017/11/08/how-to-establish-measurement-system-analysis-according-to-iatf-16949/
       

Page 264-vs-13485 of 1130 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +