
  • Data Privacy Notice & Inventory of Processing Activities

    1. Do we need a special privacy notice for all kinds of contact sources (website, email, etc..) or is one enough?

    If the personal data collected and the purpose for which it is used are the same, you can have just one privacy notice. However, within the notice, you need to mention the sources from which you collect the personal data.

    2. In the Data Retention Policy - are the retention periods defined within this document?

    Retention periods are usually mentioned in local laws such as Tax Law or Labor Law. If you cannot find a retention period in local laws, you can establish them yourself, taking into account the data minimization principle.

    3. In the Inventory of Processing Activities - are there some examples of those processing activities given, or is this maybe covered with the email support - for example, if we ask the expert to give advice for that?

    The Inventory of Processing Activities in the GDPR Documentation Toolkit has some comments embedded to help you understand what you need to fill in. There is also a guidance document included in the toolkit. If you decide to purchase the toolkit, depending on the version you buy, you also get some consultancy hours as well as documents reviewed by our experts. More details on the GDPR toolkits may be found at https://advisera.com/eugdpracademy/pricing/. Just click on “See details”.

    4. What is the maximum amount of time to respond to data subject requests?

    The standard response time to a request is one month; however, if the request is complex, the deadline can be prolonged by 2 more months.

  • Limits on determining environmental aspects

    Indeed, if the auditor understands that not all environmental aspects of the processes included in the scope of your environmental management system have been considered, they can raise a nonconformity. Remember that you must carry out a life cycle analysis of your products or services and include both the processes you control and those you can influence, from the acquisition of raw materials to the disposal of the product or service.

    The following materials can help you learn more about the identification and evaluation of environmental aspects:

    - Article: 4 steps in the identification and evaluation of environmental aspects - https://advisera.com/14001academy/es/knowledgebase/4-pasos-en-la-identificacion-y-evaluacion-de-aspectos-ambientales/
    - Article: Environmental aspect identification and classification - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/environmental-aspect-identification-and-classification/
    - Free webinar - ISO 14001: Identification and evaluation of environmental aspects - https://advisera.com/14001academy/es/webinar/iso-14001-identification-and-evaluation-of-environmental-aspects-free-webinar-on-demand/
    - Attend this course for free – ISO 14001:2015 Foundations Course - https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
    - Book – The ISO 14001:2015 Companion - https://advisera.com/books/the-iso-14001-2015-companion/

  • Risk and opportunity in ISO 45001

    Probably the best way to present risks and opportunities in a training session would be with examples. Both risks and opportunities are the effect of an uncertain outcome, with a potential negative or positive result. For instance, if a supplier notifies you that they will stop making a chemical you use, with the only known replacement chemical being more hazardous to your employees, this is a risk that you will want to try to address (such as by finding a new supplier). If a supplier comes to you with a new chemical that they have developed which is less hazardous, then this is an opportunity you can choose to go after by seeing if you can indeed use the safer chemical.

    You can find out more about these requirements in ISO 45001 in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/

  • ISO 9001 Design and Development exemption

    Let us consider the possibility of a customer requesting from your organization an expert to provide the service X. What the customer expects from your organization is the selection of competent people able to work with them. So, perhaps the service that requires certification is not what the person does for the customer, but the service of identifying the customer's needs and hiring/assigning the right person for the project.
    I find it odd that a company providing engineering consulting services considers clause 8.3 not applicable. If I were in your position and had doubts, I would contact one or two certification bodies and ask their opinion. Remember, after all, they are your suppliers, and they want to win a customer. So, they have all the motivation to answer you.

  • Risks and Opportunities in the HIRA register

    Risks and opportunities in the ISO 45001:2018 standard look at top-level risks rather than individual risks posed by specific job functions. For instance, a top-level risk may be posed by a supplier of a chemical notifying you that they will no longer make this chemical after a certain date. This is not the risk from a direct hazard, but rather a risk to future processing. These do not need to be recorded in the HIRA register (in fact the ISO standard does not use this term), and you can keep records in any fashion you see fit.

    You can find out more about the new risk and opportunities requirements in ISO 45001 in the article: What are the new requirements for risks and opportunities according to ISO 45001?, https://advisera.com/45001academy/blog/2018/04/25/what-are-the-new-requirements-for-risks-and-opportunities-according-to-iso-45001/

  • Design and development

    What type of documents do I need to fulfil the requirements of clause 8.3?

    Answer:

    Please check this article about the mandatory documents required by ISO 9001:2015 - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/. There you can check that only records are mandatory. However, I recommend that organizations develop a procedure about the good design and development practices that need to be followed, and about authorities and responsibilities.

    Can I have any such formats for planning, input, controls, outputs and changes?

    Answer:

    Yes, you can have a format for each topic, or for two or more topics simultaneously.

    The following material will provide you with more information about design and development:

    - The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
    - Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Supplier Security

    Based on your attached document, I'm assuming you are referring to a document similar to a "Confidentiality Statement" (the term “Order data protection agreement” does not exist in the standard, nor is it a common term).

    Considering that, please note that for ISO 27001, you only have to implement a "Confidentiality Statement", or a similar document like the ”Order Data Protection Agreement”, or any other type of control, if:
    - the results of the risk assessment require the implementation of such a document
    - there are legal requirements (e.g., laws and contracts) which require the implementation of such a document
    - there is a top management decision to implement such a document

    If none of the above-mentioned situations occur, then you do not need to implement a "Confidentiality Statement" or ”Order Data Protection Agreement”.

    Considering our toolkit, we have a "Confidentiality Statement" template, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security, that you can evaluate to see if it can fulfill your needs. It contains the minimum required for compliance with the standard (for further security you should consider seeking expert legal advice, because we are not legal experts).

    Regarding your document, it seems fine as a "Confidentiality Statement", with more clauses than our "Confidentiality Statement", but again we recommend you seek legal advice.

    Another way to handle this situation is by including a security clause in your service agreement with those parties working with you.

    These articles will provide you with a further explanation about control selection and security clauses:
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

  • Quality control statement

    I don’t know if I understand your question correctly. Organizations have the authority to decide what makes sense to include in a SOP. So, there is no compulsory requirement to add a quality control statement.

    The following material will provide you with more information about documentation:

    - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

  • Identification of justifications for SoA

    https://advisera.zendesk.com/attachments/token/0Sa3NH86A9WJA1S9njTfJrTuc/?name=image001.png

    When the justification for control applicability is related to risk assessment results, you can identify the IDs of the related risks (e.g., results of last risk assessment ID 32, ID 17, and ID 23). As for contractual or legal obligations, you can identify the name of the obligation (e.g., name of the law or ID of the contract) and the clauses related to the control.

    Included in the toolkit you bought, you also have access to a video tutorial that can help you fill in the Statement of Applicability.

    This article will provide you with a further explanation about the Statement of Applicability:
    - The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

  • ISO 9001 and non-conformities

    No, the non-conformity can only be closed after checking a representative sample, after the closing date of your project, and concluding that the non-conformity was removed.

    The following material will provide you with more information about closing nonconformities:

    - How to deal with nonconformities in an ISO 9001 certification audit - https://advisera.com/9001academy/blog/2015/06/09/how-to-deal-with-nonconformities-in-an-iso-9001-certification-audit/
    - Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
