If your organization currently recycles and switches to non-recycling, that means going against the commitments in clause 5.2 of ISO 14001:2015, namely entries:
You can find more information about ISO 14001 below:
Yes, Document 07.7 is for disclosing information to data subjects.
You can find help in setting the process with the EU GDPR Data Subject Access Request Flowchart https://info.advisera.com/hubfs/EUGRPRAcademy/EUGDPRFreeDownloads/EU_GDPR_Data_Subject_Access_Request_Flowchart_EN.pdf
You can have more information about how to manage Data Subjects right here: Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
You may also consider enrolling in this online EU GDPR Foundations Course: EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Please consider this article - 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
Without knowing your organization I might guess that image and credibility among potential clients/consumers and the neighborhood, and a more systematic approach to legal and regulatory environmental compliance, can be the most important benefits.
You can find more information about ISO 14001 below:
If you want to measure performance you need a benchmark, something that can evidence the impact of the EMS. For example:
The purpose of the EMS is not to take a “picture” at a certain moment but to promote environmental improvement. So, if you start with 2020 data you will have to wait for 2021 to evidence improvements.
You can find more information about ISO 14001 below:
No, there is no mandatory requirement to mention "effective date" in any specific forms or procedures along with the form number and revision. ISO 9001:2015 clause 7.5.2 mentions date as an example, not a mandatory requirement.
Although it is not mandatory, it is commonly used in procedures and work instructions, and not so common in forms.
The following material will provide you with more information about document control:
Some organizations provide products or services that need to comply with statutory & regulatory requirements. For example, an organization manufactures a product like curbs for public roads that need to comply with international standards and regulatory requirements to be able to enter European markets with the CE mark. Another example: an organization manufactures textiles for a group of brands that require that suppliers abide by some commitments concerning child labor, sexual harassment and sexual discrimination. These organizations need to know what the statutory & regulatory requirements are, need to surveil any changes, new or updated requirements, and need to translate those new or updated requirements into quality management system requirements.
The following material will provide you with more information about statutory & regulatory requirements:
1. What happens in the case where we realize that some SOA controls that were marked as N/A during last year's audit could actually be applicable...
If you think that one or more controls, previously stated as non-applicable, now may be applicable you have to:
Basically, you have to perform the risk assessment and treatment again.
For further information, see:
2. What impact will it have on our surveillance audit?
When the SoA is changed, you need to inform the certification body about the changes made, so it can verify if the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.
3. Would we need to recertify before going for the surveillance audit?
There is no need for re-certification in case of changes in the SoA. During the surveillance audit, the certification auditor will verify if the change had or had not negatively impacted your ISMS, and provide his conclusions in the audit report, and related non-conformities if necessary.
Please note that the project objective is "To implement the Information Security Management System in accordance with the ISO 27001 standard by [date] at the latest."
Considering that, the presentation is directed to the person who is responsible for the ISMS scope (e.g., the CEO if the ISMS scope covers all the organization, or the department head if the ISMS is restricted to a department).
As for when the presentation should be held, you should consider a time after the management review, so the persons held responsible for implementing the decisions taken in the management review have time to provide some details about how the decisions will be implemented.
Wow. Thank you so much. You are really helping me. So to clarify for my own understanding, I'll take it point by point.
1) I can send email to a company who is already a customer and who has agreed to receive marketing messages from me? Please provide the GDPR clause for this point
Yes, Article 6 par. 1 lett. a GDPR states that:
“Processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”
So if your customer has given you consent to process his personal data (email) for one or more specific purposes (providing your services and promoting/marketing) your processing (sending promotional email) will be lawful.
You can find more information about consent in the new Guidelines adopted by the European Data Protection Board (EDPB) on May 4th 2020: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
2) The person receiving marketing messages/emails from me must be relevant and connected to my products/services? This means that relevance is important?
Relevance is important to the extent that the data subject can reasonably expect to receive such kind of communication. If I am the buyer of a company I can reasonably expect to receive offers and promotions from my company’s suppliers, in particular if, in our commercial relationship, I agreed to receive promotions by signing consent.
Of course, this would not apply if I were the company HR manager. Why should I receive offers from this supplier? How did they get my email? The aim of GDPR is to not surprise your customers.
Article 5 GDPR, which lists the principles of data processing, states at letter b) that data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;” using the HR manager's email is incompatible with the marketing purpose of sending offers because that manager has no decision power on your offer.
The following letter c) in Article 5 GDPR also states that data processing shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”
That is where relevance comes into evidence. Of course, the data controller can estimate that sending offers to all management is relevant and adequate to his purposes, but he/she will need to demonstrate such relevance and adequacy. In fact, paragraph 2 closes Article 5 GDPR affirming that: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”
If you are able to demonstrate that sending promotional emails to non-relevant persons in your customers’ companies complies with the principles of data processing listed in Article 5 GDPR, you will be free to send these emails.
3) If I search on the Internet for a company and the relevant person to speak to about what I am selling, openly provides this information and is thus freely available in the public domain, then it is still not compliant to send them an email? This means that information that is in the public domain and openly presented to the public as having that title or role is still not appropriate to send him/her a cold email? Please provide the GDPR clause for this point?
You need to approach personal data available in the public domain by asking yourself “why are those data available?” Someone presenting him/herself as company CEO is claiming his role; he/she is not asking to receive unsolicited promotional emails.
You can discuss the company and you can send a cold email, relying on the legitimate interest as a legal basis for data processing.
Article 6 par. 1 (f) GDPR states that data processing is lawful when: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Legitimate interest can be a commercial interest. You need to verify these steps:
The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
4) A further example of public domain information that is freely available is LinkedIn social media which is purpose-built for networking between business individuals. Individuals openly make themselves available to be communicated with. LinkedIn also provides a communication message box to approach a potential customer. Please provide the GDPR clause for this type of communication in social media?
GDPR is a non-technology-related regulation. It aims to protect personal data independently from the means of communication used. You need to apply the principles of data processing and lawfulness of processing as proclaimed in Articles 5 and 6 GDPR to all means of communication.
Therefore, you can use your legitimate commercial interest and send a cold message to the relevant person (principle of minimization) of the company to approach a potential customer. You need to apply the three-step verification and be sure that there is not a less intrusive way to contact the potential customer.
5) The only method in which to engage with a person from a company is to send an unsolicited email invitation to the person to ask if I can send them marketing information. Is this not contradictory, because "sending them an offer in order to send them an offer" makes no sense to me? Can you provide the defined and explicit clause in the GDPR to reference the definitions and explanations of this point?
As I said above, your unsolicited email will rely on the legitimate commercial interest ground based on Article 6 (f) GDPR. This legal ground allows you to introduce yourself and your company. In order to send promotional emails to the potential customer, you need to act on a different legal ground, which is consent under Article 6 (a) GDPR.
Remember that Article 83 par. 5 (a) GDPR provides the highest fines for breach of the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9. The fine is up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
6) If I sell multiple products and services and the person opts in for certain products/services and opts out for other products/services, where or how does the GDPR allow or disallow further promotion to an opt-in customer who has opted out for a specific product/service? Please provide the GDPR clause for this point?
Article 21 par. 2, 3 and 4 GDPR provides your answer. Your customer has the right to object to the processing of personal data for direct marketing purposes at any time. If he/she objects you cannot process his/her data for those purposes. Allowing your customer to opt out for some products allows you to continue processing for the others.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
Here you can find the full wording of the reported GDPR Articles:
Article 5 GDPR: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
Article 6 GDPR: https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/
Article 21 GDPR: https://advisera.com/eugdpracademy/gdpr/right-to-object/
Article 83 GDPR: https://advisera.com/eugdpracademy/gdpr/general-conditions-for-imposing-administrative-fines/
Indeed, although ISO 17025:2017 does not specifically require the appointment of a Quality Manager, nor a documented Quality Manual, this does not imply you cannot have them. You can include a quality manual as part of your documented management system and you can nominate a quality manager.
ISO 17025 specifies general requirements, to ensure competency. Your laboratory must establish a management system that suits your needs, to meet your objectives. In identifying suitable management, authorities and responsibilities, you can have one or more personnel performing the Quality Management functions. Likewise, when you establish processes and documents to meet ISO 17025 mandatory requirements, you could also include information in a quality manual describing the organization’s structure, the general requirements of impartiality and confidentiality, and other processes that do not specifically require documented procedures. It is also a central place to reference mandatory documented procedures. A Quality Manual is included in the ISO 17025 toolkit. Have a look at the ISO 17025 document template: Quality Manual at https://advisera.com/17025academy/documentation/quality-manual/
It is important to understand the intent behind the revision, to help you implement ISO 17025 effectively. Have a look at the article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed? at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/