
  • GDPR and local legislation

    Do state authorities have to comply with GDPR? Are there any restrictions?

    Yes, all controller entities must comply with the GDPR provisions. There is one exemption for state authorities and these cannot rely on legitimate interest when processing personal data.

    How does the GDPR compare to the national laws?

    The EU GDPR is called in legal terms “lex generalis” meaning that it can be overwritten by special national laws such as Criminal Code, Tax code, etc.

    Which will prevail in a conflict between GDPR and national laws?

    If the conflict is between a special national law and the GDPR the national law will prevail.

    Does an IP constitute personal data?

    Personal data is defined in art. 4 as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. An IP is an identification number, thus it is considered personal data.

    Can you please provide an example on what automated decision making means?

    A classic example of automated decision making is automated credit checking performed by banks. Basically, some algorithm is deployed to calculate the eligibility for a loan based on age, studies, income, gender, etc. and to automatically generate a report on the solvency of the potential client.

    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Certification bodies in Germany

    Please note that you can be ISO 27001 certified by any organization recognized as a certification body by an accreditation body. In Germany, the accreditation body is the German National Accreditation Body (Deutsche Akkreditierungsstelle, DAkkS).

    From this DAkkS site (https://www.dakks.de/en/content/accredited-bodies-dakks) you can find German certification bodies for ISO 27001.

    This search result (https://www.dakks.de/en/content/accredited-bodies-dakks) provided 9 certification bodies in Germany (TÜV SÜD, SGS-TÜV, and DQS among others). Please note that TÜV is a designation, not the name of an organization, i.e., not all organizations named TÜV are related or part of a bigger company.

    This article can provide you further information about certification bodies:
    - How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

  • ISO 9001 and service industry examples

    There are scholars that say that everything is a service, that a product can be considered as a physical manifestation of a service or set of services. Some even say that a product is a service avatar.

    Some examples of services are:

    • Selling cars at a stand;
    • Repairing machines;
    • Consulting services about implementing ISO 9001;
    • Restaurant services;
    • Hospital services;
    • School services;
    • Banking services.

    The following material will provide you information about ISO 9001 and services:

    - Should universities implement ISO 9001? - https://advisera.com/9001academy/blog/2015/04/21/should-universities-implement-iso-9001/
    - Would hospitals benefit from ISO 9001? - https://advisera.com/9001academy/blog/2015/07/21/would-hospitals-benefit-from-iso-9001/
    - How does ISO 9001 help maintain service levels? - https://advisera.com/9001academy/blog/2016/09/13/how-does-iso-9001-help-maintain-service-levels/

  • Designing IM structure and processes

    Designing a process and related roles, responsibilities, documentation, etc. can be treated like designing a service, i.e. in your case – as an item in design/build activity.

  • Collecting customer requirements and clause connection

    I want to know how I can collect the customers’ requirements.

    Explicit customer requirements are usually collected in conversations or communications with them. For example, when ordering an item, customers identify the product, the quantity, the location and the delivery time. Implicit requirements are requirements taken for granted by the general market. They can be quantity per package, for example. Some requirements customers may not know are relevant; it is up to the supplier's commercial staff to try to understand how and where the product will be used. When we go to the hairdresser to cut our hair, saying that we want our hair cut is not enough; we have to explain how we want it cut and how much. Those are our requirements as customers.

    I want to know how I can connect in practice the following ISO 9001:2015 clauses: (4.1+4.2) with (6.1.1) with (6.1.2)

    There is more than one way to connect those clauses. Note that my approach is neither unique nor necessarily the best, but this is just how I work, and I see it work.

    With clause 4.2 organizations determine who are the relevant interested parties and what are their relevant requirements. That is important because these parties affect an organization's business. For example, an organization determines that a regulator is a relevant interested party. The regulator sets rules and can fine the organization if those rules are not followed. One of those rules can be the composition of a product A.(a)

    With clause 4.1, the same organization determines as relevant an external issue, the trend to more demanding rules about the composition of product A.(b) The same organization determines as a relevant internal issue the difficulty of controlling the composition of product A due to the use of old production equipment. (c)

    When your organization connects those three dots: a+b+c it becomes aware of an important risk (clause 6.1.1). If the regulator increases the requirement for product A composition, the organization will not be able to enforce the regulation.

    With this kind of exercise your organization can determine a list of risks and opportunities. Normally, organizations do not have the resources to act upon every risk and opportunity. So, organizations have to classify their risks and opportunities to determine priorities for action. Clause 6.1.2 is about the action plans to manage relevant risks and opportunities. For example, in this case, the action plan could be around revamping the production equipment to improve the ability to control product A composition.

    I want to know how I can connect in practice the following ISO 9001:2015 clauses: (8.1) with (9.1 + 9.3)

    From clause 8.1 I underline the need to define product/service specifications and the need for process operation settings. Then, there is the need to define and implement product/service and process control. For example, your organization performs quality control every hour, and following that control, decisions are made about acting on the process or on the product/service.

    Clause 9.1.1 is about planning when to gather information about process and product performance. For example, someone will collect data monthly about product/service defects, or process productivity. Clause 9.1.3 is about looking into the monthly data and making decisions about the process.

    Clause 9.3 is about stepping back, seeing the whole picture about process performance, and connecting with the context, making decisions about the quality management system. For example, what needs to be improved, what is working, and what resources are needed.

    The following material will provide you information about the context and the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Free Whitepaper - Case study for ISO 9001:2015 transition in a construction company - https://info.advisera.com/9001academy/free-download/case-study-for-iso-9001-2015-transition-in-a-construction-company
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Requirements for tenders for ISO 45001 and 14001

    ISO 45001:2018 has some requirements for procurement, contained in clause 8.1.4. For general procurement, you need a process to make sure that products and services meet the needs of the OHSMS. For contractors specifically, you need to coordinate the process to identify any hazards and control any OH&S risks that affect either your organization or the contractor, so that you can have the OHSMS requirements met by the contractor. For outsourcing, you need to control these functions to be consistent with legal requirements so as to achieve the outcomes needed for the OHSMS.

    ISO 14001:2015 does not include any specific requirements for procurement or purchasing. However, in both cases you will need to ensure that any tenders include the information necessary to maintain the EMS and OHSMS requirements; in other words, let your suppliers know what they need to know to give you what you want to meet your requirements for all management system standards.

    For some more information about outsourcing and ISO 14001, see the article: How to manage outsourced suppliers in line with ISO 14001:2015, https://advisera.com/14001academy/blog/2017/07/11/how-to-manage-outsourced-suppliers-in-line-with-iso-140012105/

  • Ignoring EU GDPR principles

    A controller must ensure the processing of personal data complies with all six of the following general principles:


    1. Lawfulness, fairness, and transparency - Personal data must be processed lawfully, fairly and in a transparent manner;

    2. Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes);

    3. Data minimization - Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

    4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted;

    5. Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes); and

    6. Integrity and confidentiality - Personal data should be kept secure.


    If you want to find out more about the EU GDPR check out this EU GDPR Foundations Course (https://advisera.com/training/eu-gdpr-foundations-course//)

  • Design and development requirement

    The outsourced agency also performs the design and produces prototypes. In addition, they also perform the verification and validation activities. Even then, is 8.3 applicable to us?

    OK, the most critical issue is: who decides what the product will be? Some companies go to a fair or an exhibition, see final products on a “shelf” and buy the right to manufacture that product. In this case clause 8.3 is not applicable, but you have to define the points below. Some companies order the development of a product; even if the order is with turnkey delivery, clause 8.3 is applicable. In your case, if your organization is of the second kind, clause 8.3 is applicable as a special case of clause 8.4:

    - Define a specification for the product
    - I do not know if you monitor the D&D
    - Define your approval of a final version
    - Define how your organization receives the required information about specifications for clients, specifications for buying materials, development of manufacturing process, development of quality control plan, development of packaging, …

  • Human resource procedure

    First of all, you need to know that even if the standard includes requirements about how to deal with human resources it does not require the creation of a human resources procedure.

    If you decide to write an HR procedure aligned with the requirements of ISO 9001:2015, you will need to consider the following: 

    - Requirements of Clause 7.1.2 (People): This clause requires your organization to determine the people that you need for operating the processes of your QMS and to determine the people needed to achieve conformity of products and services. 

    - Requirements of Clause 7.2 (Competence): This clause states most of the requirements for the HR procedure in ISO 9001:2015, including four sub-clauses, which form a 4-step process:

    1. Determine the competence of the people needed to perform the activities that can affect the performance and effectiveness of the QMS.

    2. Ensure people are competent through education, training or experience.

    3. Acquire competence

    4. Retain documented evidence to show that people are competent. This could include the job description that listed the competencies and all of the training records collected for an employee to show how to perform tasks associated with his position. 

    The following material will provide you information about the HR procedure:

    - ISO 9001 – How to create an ISO 9001:2015 human resources audit checklist - https://advisera.com/9001academy/blog/2019/02/28/how-to-create-an-iso-90012015-human-resources-audit-checklist/

    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Including working procedures in IMS manual and procedures

    No, working procedures can be standalone documents.

    Normally, a manual is a very general document presenting the system and pointing to procedures and other documents. Then, each procedure points to any working procedure. A kind of cascading. But some organizations follow another approach. Please check the two approaches in this article: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
