According to Article 27 GDPR, a company has to appoint an EU representative when the company:
• is offering goods or services to persons in the EU (whether a payment is requested or not); or
• is monitoring persons’ behavior which takes place inside the EU.
Such obligation shall not apply to processing which:
• is occasional;
• does not include large-scale processing of special categories of data (health, political opinion, sexual orientation, etc.) or of data relating to criminal convictions and offenses;
• is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing;
• is carried out by a public body.
You can find more information here:
• Article 27 GDPR: https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/
• Agreement for the Appointment of an EU Representative: https://advisera.com/eugdpracademy/documentation/agreement-for-the-appointment-of-an-eu-representative/
ISO 17025:2017 has incorporated the relevant clauses of ISO 9001 in clause 8, the Management Requirements for laboratories. A laboratory is therefore allowed to formally implement ISO 17025:2017 according to Option B if it has an effective ISO 9001 management system that meets the requirements specified in 8.2 to 8.9 of ISO 17025:2017. This means that ISO 9001 is used to cover clauses 8.2 to 8.9 of ISO 17025:2017. What remains is to implement Clauses 4 to 7, which support the competence of the laboratory to consistently produce valid results.
The following will assist you in confirming that the laboratory has the necessary procedures: ISO 17025 vs. ISO 9001 – Main differences and similarities https://advisera.com/17025academy/blog/2019/07/11/iso-17025-vs-iso-9001-main-differences-and-similarities//
List of mandatory documents required by ISO 17025:2017 https://advisera.com/17025academy/blog/2019/08/30/list-of-mandatory-documents-required-by-iso-170252017/
You can also download for free the useful Diagram of ISO 17025 Implementation Process https://info.advisera.com/17025academy/free-download/diagram-of-iso-17025-implementation-process
In our IATF 16949 Toolkit, in folder 16_Procedure_for_Equipment_Maintenance_and_Measuring_Equipment, you can find templates that are related to equipment (start-up and shutdown), especially to Mean Time Between Failure (MTBF) and Mean Time To Repair (MTTR).
First, ISO 9001:2015 does not require the use of job descriptions.
I use job descriptions in my work with organizations to describe for each role:
If the person handling the external service processes belongs to your organization, and your organization uses job descriptions, then you should use job descriptions. If that person belongs to another organization, you can use work instructions or standard operating procedures to fulfill the same purpose as a job description: stating authorities, responsibilities and competence requirements.
- How to document roles and responsibilities according to ISO 9001 - https://advisera.com/9001academy/blog/2018/02/26/how-to-document-roles-and-responsibilities-according-to-iso-9001/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
ISO 9001:2015 gives a lot of freedom in deciding what procedures are required. Please check this article - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
Remember, procedures and processes are not the same thing - ISO 9001:2015 process vs. procedure – Some practical examples - https://advisera.com/9001academy/blog/2016/01/19/iso-90012015-process-vs-procedure-some-practical-examples/
Below, you can find more information about document control requirements:
- Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
This procedure for Design and Development of Products and Services should not be considered an external document if your organization performs these processes. According to ISO 9001:2015, an external document is documented information relevant to the quality management system and issued by an external entity such as customers, suppliers, legislators, regulators, standardization bodies, or business partners. As per the information you provided, it seems that design and development is not externalized, so it is not considered an external document.
For more information about external documents and design and development in ISO 9001:2015 see the following materials:
- Article - What does external documents control mean in ISO 9001: https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/
- Article - The ISO 9001 Design Process Explained: https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
- Book - Managing ISO documentation: a plain English guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
- Free online training ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
You can use “interested parties” or “stakeholders” interchangeably. More and more, the success of organizations depends on investing in satisfying more than just customers. Sometimes it is relevant to work with clients' clients, or with influencers who act on clients, or with regulators who define the constraints within which you act.
You can find more information about interested parties here:
- How to determine interested parties and their requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/11/10/how-to-determine-interested-parties-and-their-requirements-according-to-iso-90012015/
- Free webinar – ISO 9001:2015 clause 4 – Context of the organization, interested parties, and scope – https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
- Enroll for free course – ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
It depends on your internal privacy policy mostly.
The company should establish a clear policy for obtaining sick leave (who has the right, requirements, documentation, how many days, etc.) and ensure that the HR department does not handle employees’ medical information more than necessary (i.e. medical certificates, death certificates, pregnancy certificates, etc.). Therefore, if your employer answered your question and shared the email with the HR department and the medical service, for example, it could be justified, because those people already knew your data. Your data could also be shared with your legal office if your employer considers it a potential legal claim. Other cases should be considered an infringement of your rights (such as if your employer shares your email with other colleagues at your same level or in your department).
You can find more information in our article: How the GDPR could impact your HR department: https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/
ISO 27001 can help you with about 50% of GDPR compliance, while PCI DSS is more focused on protecting credit card transactions, so it is not as helpful with GDPR.
While the GDPR gives you guidance on what needs protecting but does not provide detailed guidelines, PCI DSS and ISO 27001 clearly detail what you need to do to reach those security standards.
Here you can find some useful documentation to map controls and check the documentation:
Before doing the RAI and the legal matrix, I understand that you already have the support of top management, who provide the resources needed to carry out the project of implementing the standard. Likewise, it is equally important that, before the aspects and impacts matrix, you have clearly defined the scope of the environmental management system, which will delimit the system, as well as other elements such as the environmental policy.
Another of the new requirements of the ISO 9001:2015 standard is to determine the context of the organization and the interested parties, and this is best done before the evaluation of the environmental aspects; it will help us identify the risks and opportunities that may arise from that context.
In the matrix of environmental aspects and impacts you have to consider the life cycle of your product or service, in order to correctly analyze where those environmental aspects and their impact are, that is, in which process or processes, so that once the significant environmental aspects have been evaluated you can take the specific actions needed for each activity. To evaluate each of the aspects found, you can use a series of criteria and assign a score, such as severity, probability, etc. You must also identify the risks associated with the environmental aspects, as well as the opportunities, and take the appropriate actions to mitigate those risks.
These would be the first steps to follow, but in these materials you can get more information about the implementation of ISO 14001:
- Article - List of steps for the implementation of ISO 14001: https://advisera.com/14001academy/es/knowledgebase/lista-de-pasos-para-la-implementacion-de-la-iso-14001/
- Free webinar - Identification and evaluation of environmental aspects: https://advisera.com/14001academy/es/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
- ISO 14001:2015 Foundations Course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book - The ISO 14001 companion: https://advisera.com/books/the-iso-14001-2015-companion/