Search results

Recommendations regarding EU-US Privacy Shield

What recommendations would you suggest for a small/medium-sized business in light of the recent decision by the ECJ regarding the EU-US Privacy Shield?

The recent decision of the European Court of Justice (ECJ) has a huge impact on data transfer between the US and the EU. You cannot transfer data based on the decision of adequacy of the US Privacy Shield. Therefore, you need to find another legal ground for data transfer. Standard Contractual Clauses can be a solution.

The European Data Protection Board (EDPB) issued a FAQ on the implication on GDPR compliance of the ECJ solution and stated that the data controller must take additional measure to ensure the same level of protection of personal data assured by GDPR: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

The main issue is that the US data controllers are forced to comply with US law which prevails over Standard Contractual Clause and Binding Corporate Rules (which is a solution for large companies and in some case medium-sized companies).

The EDPB concluded stating that the data controller should consider storing or processing data elsewhere than the US. 

You can find more information about data transfer here:

• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

You can consider enrolling in our free EU GDPR Foundations Course

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• OBS recommendations

  Now I understand your context much better.

  First, find a way of incorporating your own QMS’s definition of OBS in your internal audit procedure and how to handle them, to avoid an NC during the 3rd part audit.

  Second, with findings raised in your internal audit, you identified several “fruits” that you want to improve, but in your second question I believe you identified two important root causes that can help improve your QMS situation (I use the term root cause here as important NC):

  • QMS did not fully implement
  • Employees not fully aware of QMS and ISO 9001 req's

  You could have raised these two NCs making the 18 findings as evidence that support their existence.

  While your organization has to close those 18 findings, what can also be done to improve implementation and employee’s awareness about QMS and ISO 9001 req's? Employees don’t need to know everything about QMS and ISO 9001 req's, try to make a matrix about the relationship of employees, or groups of employees, or departments and QMS and ISO 9001 req's. Who can influence them? Whom they trust? What can be the benefits for them with certification? Please check if you can find any ideas here:

  • Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
  • What are the benefits of ISO 9001 for your employees? - https://advisera.com/9001academy/blog/2016/06/14/what-are-the-benefits-of-iso-9001-for-your-employees/"
     

• Competence, Training & Awareness

  Your organization must be consistent. If your organization considers eco-friendly design solutions capabilities to be relevant, either to your business or to the relationship with the environment, then it makes perfect sense that this is an internal competence. In that case, that competence will be assessed in that clause.

  You can find more information in the following links:

  • ISO 14001 Competence, Training & Awareness: Why are they important for your EMS? - https://advisera.com/14001academy/blog/2014/11/26/iso-14001-competence-training-awareness-important-ems/
  • Enroll for free in this course – ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

• Implementing QMS in a small factory

  Smaller organizations (up to 50 employees) usually implement the standard in up to 8 months. When using our Documentation Toolkit, normally: companies of up to 10 employees - usually implement the standard in up to 3 months and companies of up to 50 employees - usually implement the standard in up to 6 months.

  You can find detailed information about how to plan and implement a quality management system in the following links:

  • Checklist of ISO 9001 implementation & certification steps - https://advisera.com/9001academy/knowledgebase/checklist-of-iso-9001-implementation-certification-steps/
  • ISO 9001 Implementation diagram - https://info.advisera.com/9001academy/free-download/iso-9001-implementation-diagram
  • Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
  • Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/
  • Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
  • Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

• Becoming a better-accredited auditor

  If you are already a certified auditor, you can try to become better by performing more audits and reflecting about what went well and what can be improved. You can look for training to become lead auditor or improve areas where are your weak points.

  You can find more information in the following links:

  • ISO 9001:2015 Lead Auditor Training Course - https://advisera.com/training/iso-9001-lead-auditor-course/
  • Book - ISO internal audit: A plain English guide: https://advisera.com/books/iso-internal-audit-plain-english-guide/

• Corrective action and communication logs

  I see organizations that start a new log every year and I see organizations that continue to use the same log year after year. It is up to each organization. Continuing to use the same log year after year, particularly on a digital format, allow you to easily look for trends.

  Please check this information below with more detailed answer:

  • How to structure ISO 14001 documentation - https://advisera.com/14001academy/blog/2016/11/28/how-to-structure-iso-14001-documentation/
  • Free on-line training – ISO 14001:2015 Foundations- https://advisera.com/training/iso-14001-internal-auditor-course/
  • Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

• Steps for obtaining CE certification or CE Mark

  First, you need to define under which regulation you want and can certify your medical device: MDD 93/42/EEC or MDR 2017/745. Then you need to define which class your face masks are. Rules to define it, you can find on the following links:

  • EU MDR Annex 8 Classification rules https://advisera.com/13485academy/mdr/classification-rules/
  • Classification rules under the MDD you can find in Annex IX

  Then you need to prepare the Technical documentation. Which documents are necessary to be in Technical file under the MDD you can find in Annex 1. Required technical documentation under the MDR you can fin in the

  • EU MDR Annex 2 Technical documentation https://advisera.com/13485academy/mdr/technical-documentation/
  • EU MDR Annex 3 Technical documentation on post-market surveillance https://advisera.com/13485academy/mdr/technical-documentation-on-post-market-surveillance/
  After you prepare a technical file, you need either to register your device in local authority (if it is class I and do not require Notify body) or you need to certify your medical device with Notify body.

  For more information about MDR, please see the following articles:

  • EU MDR Easy-to-understand basics https://advisera.com/13485academy/what-is-eu-mdr/
  • How can ISO 13485 help with MDR compliance? https://advisera.com/13485academy/blog/2020/03/09/how-can-iso-13485-help-with-mdr-compliance/

  • Requirement for ISO 13485 of procedure of Human resources and another procedure of Infrastructure and working environment

    1. Hi, if we have few employees (8) with many outsourced freelancers, and we don't own the working place, is it required for ISO13485 a procedure of Human resources and another procedure of Infrastructure and working environment?

    According to the ISO 13485:2016 requirement 6.2 Human resources, for all personnel that performs work that affects product quality you need to document competencies, training needed, and description of how you will ensure the awareness of the employees. Therefore, you need a Human resource procedure for your 8 employees, but also for all freelancers because you need to state the criteria how will you choose your freelancers and which competencies freelancers need to have.

    You can see on the following link how our Procedure for Human resource in our ISO 13485:2016 documentation toolkit looks like: https://advisera.com/13485academy/documentation/procedure-for-human-resources-iso-13485-2016/

    2. If it is, why?

    Considering the procedure for infrastructure and working environment, if you do not have a working place, then you can exclude the working environment part. However, if you have computers, mobile phones, and/or cars for your employees, then those elements are your infrastructure. Therefore, you need to make a documented procedure for maintaining this electronic equipment. Your infrastructure is also some server where you make your back-up or cloud service so be sure that it is included as well.

    For more details on managing medical device infrastructure requirements, please read the following article:

    • Managing medical device infrastructure requirements according to ISO 13485:2016 https://advisera.com/13485academy/blog/2017/06/28/managing-medical-device-infrastructure-requirements-according-to-iso-13485/

    You can see on the following link how the Procedure for Infrastructure and work environment in our ISO 13485:2016 documentation toolkit looks like: https://advisera.com/13485academy/documentation/procedure-for-infrastructure-and-work-environment-iso-13485-2016/

  • 6.1.3 (f) and acceptance by top management

    Please note that in the template the risks are accepted by top management on behalf of the risk owners, i.e., the acceptance is made according to what is defined by risk owners, so this approach fulfills clause 6.1.3 (f), and approval of all risk owners is not needed.

    This article will provide you a further explanation about risk owner:

    • Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/

    This material will also help you regarding risk management:

    • Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

  • ISO 14001 questions

    your answers are clear, concise and extremely helpful.  Thank you so much for your help!