The appointment of a data processor, under Article 28 GDPR, is necessary when another party carries out processing of personal data on behalf of the controller. The GDPR also considers visitors' IP addresses to be personal data, so if the website manager also provides the hosting service and hosts visitors' data on its own servers (or on those of one of its suppliers), it should be appointed as a processor for better compliance.
If, instead, the school's website is hosted on the institution's own servers, the website manager does not carry out any processing on behalf of the school, but is a party authorised by the controller to update and maintain the website. In this case, it would be appropriate to include a clause in the service contract on confidentiality and on compliance with the school's internal data protection policies.
You can also find more information here: The EU GDPR: controllers versus processors – What are the differences? https://advisera.com/eugdpracademy/it/knowledgebase/il-gdpr-dellue-controllori-a-confronto-con-processori-quali-sono-le-differenze/
You can also consider enrolling in our free course:
As you said, the Schrems II decision invalidated the EU-US Privacy Shield, therefore you need to consider using another legal ground to allow personal data transfers between the US and the EU (i.e. the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR)).
The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
One of the suggestions made by EDPB is to consider avoiding storing personal data in the US and prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.
You might also be required to appoint an EU representative for GDPR compliance. It is a simple procedure with a service agreement, and you can appoint a company, a legal entity or an individual who can be contacted by the Data Protection Authorities in case of need.
Here you can find more information:
You can consider enrolling in our free EU GDPR Foundations Course
No, it is not mandatory to maintain a risk register. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
Having said that, I recommend that organizations maintain a risk register.
You can find more information below.
Recently the European Court of Justice (in the Schrems II decision) invalidated the adequacy decision of the EU Commission, which claimed that the US Privacy Shield granted an adequate safeguard for data protection in the United States. This means that any data transfer between the EU and the US must be based on another legal ground, such as the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR).
The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en
One of the suggestions that arose from EDPB is to consider avoiding storing personal data in the US and prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.
Here you can find more information:
You can consider enrolling in our free EU GDPR Foundations Course:
Answer:
1. Upstream and downstream audits are audits done along a supply chain, upstream or downstream from a reference point.
2. A horizontal audit is when you audit one process across many departments in the organization. A vertical audit is when you audit all the processes used by a department.
3. Process audits are another name for horizontal audits.
4. These are the more common types.
You can find more information below
Please note that ISO 27001 does not provide technical guidance on how to perform data disposal.
For technical guidance, you should consider these references:
These articles can also help:
What I am looking for: Cleaning validation SOP for orthopedic medical device
There is no set of “minimum requirements” to implement ISO 45001; every requirement in the standard (identified with the word “shall”) needs to be addressed. However, the requirements describe what needs to be done, but do not give details on how to implement them, because they need to be tailored to your organization. For instance, ISO 45001 does not tell you what OH&S legal requirements you need to meet (since these will be different all over the world), but requires that you have a process to identify your legal requirements, keep up to date with changes to these requirements, and confirm that you meet them.
You can learn more about the requirements in the whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001