Names and pictures are personal data, according to Article 4 GDPR – Definitions. By doing media processing of personal data – images, video feeds, and names in credits – you are processing personal data. If you are based in the EU, or if you offer goods and services to people in the EU, according to Article 3 GDPR - Territorial scope – GDPR applies to your personal data processing operations. The first step is to determine your role – controller or processor. If you are a processor, you need a Data Processing Agreement signed with the streaming service providers, where they mandate you to process these films based on their instructions.
If you are a controller, you need a purpose and a legal ground for processing, according to Article 6 GDPR - Lawfulness of processing. The actors and the crew have a contract with the movie production company, so they process their data based on Contractual Obligation, per Article 6.1.b GDPR – contractual obligation. The streaming service providers have a contract with the production company, and you have a contract with the streaming service providers, but the crew and actors are not part of your contract, so you cannot use Contractual Obligation. In my opinion, the best fit for a legal ground for processing would be Legitimate Interest, but in this case, you should perform a Legitimate Interest Assessment and you should inform the actors and the crew.
At Advisera, we have a great resource to help you, an EU GDPR Documentation Toolkit that contains all documents necessary to drive your GDPR-compliance efforts, which also contains templates for privacy notices, data subject access requests, data processing agreements, and so on.
Please check these links:
Of course, you can arrange some of your criteria to score the vendors. Just be aware that you need to establish criteria for the evaluation and selection of suppliers, according to the requirements from the 7.4.1 Purchasing process.
So, for example, you can just score each supplier on a scale of 1-3 for delivery time, price, and the certificates your suppliers have. This means that for price, 1 means that you are not satisfied with the price, 2 that the price is average, and 3 that the price is OK for you.
First, it is important to note that, as part of the transition period, an organization can still certify against ISO 27001:2013 until October 31, 2023, so considering you wanted to be certified by this summer, this deadline may give you the extra time you need.
In case you are not fully compliant with some of your documents, you can postpone their implementation until after the certification audit under the following conditions: (1) if the document is not related to the main part of the standard (clauses 4 to 10), (2) if the related risks are not very high, (3) if you mark related risks as "Accepted" in the Statement of Applicability, and (4) if in the Risk Treatment Plan you define the deadline for the implementation of this document for after the certification audit.
For further information, see:
1 - Is the setup, documents, actions, etc. enough for both entities, or will I have to prepare two different setups?
Please note that in case these two sites are separate legal entities with different core businesses, then you need to treat them through separate implementations.
2 - Also, do we have to pass an audit to certify both entities, or is only the regulated body enough?
The certification scope can be only one entity or both entities. To make this decision you should consider the requirements of your customers and applicable laws and regulations.
For further information, see:
This tool can also help you:
No, it is not a requirement that all customer-facing products and services have to be included in the scope.
It may be useful for an organization to exclude products and services from the management system. For example, different requirements from customers, or different requirements from regulation. It’s not a technical decision, it is a management decision.
For more information about the scope consider the following:
Yes, it makes sense, you can put it as a separate company process.
According to Article 26 of GDPR, the joint controllers must “determine their respective responsibilities for compliance with the obligations under this Regulation […] by means of an arrangement between them […] The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects”. So, since you mentioned that joint controllers A and B have such an agreement, the agreement should include each controller’s responsibilities related to each phase of personal data processing. If Company B suffered a data breach, then Company B should be held accountable, but it depends a lot on what is exactly written in the data sharing agreement related to responsibilities, who is doing the reporting to the relevant data protection authority, and of course on what was communicated to the data subjects, as requested by Art. 26 GDPR: “The essence of the arrangement shall be made available to the data subject.”
Please check these links:
According to the MDR Article 10, point 9, the quality management system shall address at least the following aspects:
b) identification of applicable general safety and performance requirements and exploration of options to address those requirements;
So there is no direct requirement for the procedure, but as part of your QMS, there must be an explanation for the general safety and performance requirements.
For more information, see:
Please note that, in a general way, when you have any part of the software development performed by personnel hired by external parties, then you have outsourced development, regardless of the level of control your management has over this team, or the organization’s resources they have access to.