
  • Design and development requirement

    The outsourced agency also performs the design and produces prototypes. In addition, they also perform the verification and validation activities. Even then, will 8.3 be applicable to us?

    OK, the most critical issue is, who decides what the product will be? Some companies go to a fair or an exhibition and see final products on a “shelf” and they buy the right to manufacture that product. In this case clause 8.3 is not applicable, but you have to define the points below. Some companies order the development of a product; even if the order is with turnkey delivery, clause 8.3 is applicable. In your case, if your organization is of the second kind, clause 8.3 is applicable as a special case of clause 8.4:

    - Define a specification for the product
    - I do not know if you monitor the D&D
    - Define your approval of a final version
    - Define how your organization receives the required information about specifications for clients, specifications for buying materials, development of manufacturing process, development of quality control plan, development of packaging, …

  • Human resource procedure

    First of all, you need to know that even if the standard includes requirements about how to deal with human resources it does not require the creation of a human resources procedure.

    If you decide to write an HR procedure aligned with the requirements of ISO 9001:2015, you will need to consider the following: 

    - Requirements of Clause 7.1.2 (People): This clause requires your organization to determine the people that you need for operating the processes of your QMS and to determine the people needed to achieve conformity of products and services. 

    - Requirements of Clause 7.2 (Competence): This clause states most of the requirements for the HR procedure in ISO 9001:2015, including four sub-clauses, which form a 4-step process:

    1. Determine the competence of the people needed to perform the activities that can affect the performance and effectiveness of the QMS.

    2. Ensure people are competent through education, training or experience.

    3. Acquire competence

    4. Retain documented evidence to show that people are competent. This could include the job description that listed the competencies and all of the training records collected for an employee to show how to perform tasks associated with his position. 

    The following material will provide you with information about the HR procedure:

    - ISO 9001 – How to create an ISO 9001:2015 human resources audit checklist - https://advisera.com/9001academy/blog/2019/02/28/how-to-create-an-iso-90012015-human-resources-audit-checklist/

    - Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/

    - Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Including working procedures in IMS manual and procedures

    No, working procedures can be standalone documents.

    Normally, a manual is a very general document presenting the system and pointing to procedures and other documents. Then, each procedure points to any working procedure. A kind of cascading. But some organizations follow another approach. Please check the two approaches in this article: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

  • ISO 14001 compliance obligations

    Each organization is required to be aware of its compliance obligations. Each country has its own compliance obligations. Does your company belong to any business association? Some business associations perform that service of compliance obligations surveillance. Some lawyer societies also perform that service. Or your EMS can have someone with the responsibility of checking for any changes in compliance obligations every X months. I use the service of a company that sends me daily information about changes in compliance obligations.

    The following material will provide you with more information about external documents control:

    - Article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/

  • ISO 9001 QA/QC documents and differences between documents, procedures and records

    What do QA/QC documents mean?

    QA normally stands for Quality Assurance. For example, when an organization has a procedure about how to buy services or how to treat an order, that is quality assurance stuff.

    QC normally stands for Quality Control. For example, when an organization has a procedure about how to perform a quality test when receiving raw materials, or a quality plan with what to control, when, by whom, with what monitoring resources, with what specifications, with what records.

    What is the difference between documents, procedures, and records?

    A procedure gives direction about what is to be done, by whom and when. When they are very detailed about how to do it, they are called work instructions or standard operating procedures. An important point about a procedure is that it can become obsolete when an organization decides to change a practice.

    A record is evidence that something was done or occurred. Records are like a photo stating “this happened”. An important point about records is that they never become obsolete, because no one can change the past. For example, an order received from a customer, a quality control record, a training record, ...

    Both procedures and records are documents, a support carrying information.

    The following material will provide you with information about documents and records:

    - ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/

    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/

    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/

    - Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

  • GDPR and surveillance at the workplace

    Does the data controller have to register surveillance data, or at least the surveillance data of incidents?

    Not sure I understand what you mean by surveillance data. If you mean the logs of a security incident, you can store and register them and use them in your incident investigation if you want.

    Do the affected employees have the right to access this surveillance data?

    Yes, but only the data concerning them; data relating to other persons should be removed.

    Does the employer have to inform the employees about all possible surveillance practices it does (or can) carry out?

    Yes, you need to inform your employees about the processing activities that their employer is carrying out. You need to describe the activity, its purpose and its lawful ground in an Employee Privacy Notice. If you want to find out more about Privacy Notices, check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)

    How would that happen normally?

    For new employees the Privacy Notice could be communicated when they sign the work contract, and for the rest it can be either sent via email or uploaded on the intranet so it is available to all employees.

    In which cases is invasive surveillance (or longer term, more or less permanent, surveillance) allowed?

    You would need to perform a Legitimate Interest Assessment (LIA) to determine which activities would be infringing upon the rights and freedoms of the employees.

    Does the employer have to disclose such cases? Or keep a register of them?

    If the LIA shows that the activity is too intrusive, then it should be limited to what would not be considered intrusive/excessive. E.g. less information could be collected, data could be anonymized, data could be deleted after a shorter period of time, etc.

    If invasive surveillance is proven, which information can the employee request from the data controller (beginning, end, time period, people involved, decision makers involved, whom it was forwarded to, which kinds of surveillance techniques were employed [electronic, video, audio...], etc.)?

    The employee can ask you to provide all information about themselves which was collected by the monitoring system, such as images, recordings, logs etc. The only limitation concerns the information about other individuals, which must be removed.
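    The answer above says an employee may receive the surveillance logs that concern them, with information about other individuals removed. As an added example (not part of the original post or of any Advisera material), the following Python script shows one way to do that mechanically for text logs: select only the lines that name the requesting subject, then redact the identifiers of other known individuals in those lines. The log format, user IDs and e-mail addresses are constructed for illustration; the main edge case handled is that the subject ID must match as a whole token, so a request from "jdoe" never pulls in records about "jdoe2".

```python
import re

# Constructed sample log lines (not from any real system): VPN, badge-reader
# and mail events naming several employees by user ID or e-mail address.
SAMPLE_LOGS = [
    "2024-03-01T08:02:11Z vpn: login user=jdoe src=10.0.0.5 result=ok",
    "2024-03-01T08:05:40Z badge: door=north-entrance user=asmith result=granted",
    "2024-03-01T08:06:02Z vpn: login user=jdoe2 src=10.0.0.9 result=ok",
    "2024-03-01T09:15:00Z mail: from=jdoe@example.com to=asmith@example.com size=4096",
    "2024-03-01T10:30:22Z badge: door=server-room user=jdoe escort=asmith result=granted",
    "2024-03-01T11:00:00Z vpn: logout user=asmith",
]

# Assumed identifier set: every employee ID that may appear in the logs.
# In practice this would come from the directory, not be hard-coded.
KNOWN_IDS = ["jdoe", "asmith", "jdoe2"]


def token_pattern(user_id: str) -> re.Pattern:
    """Match user_id only as a whole token, optionally followed by an
    e-mail domain (so 'asmith@example.com' is matched in full).

    The lookarounds reject matches inside longer tokens, so 'jdoe' does
    not match 'jdoe2' or 'jdoe.smith': a record about a different person
    must never be disclosed or partially redacted by accident.
    """
    return re.compile(
        r"(?<![\w.-])" + re.escape(user_id) + r"(?:@[\w.-]+)?(?![\w.-])"
    )


def extract_subject_records(logs, subject_id, known_ids, marker="[REDACTED]"):
    """Return the log lines concerning subject_id, with every other known
    individual's identifier (and e-mail) replaced by marker."""
    wanted = token_pattern(subject_id)
    redactors = [token_pattern(uid) for uid in known_ids if uid != subject_id]

    result = []
    for line in logs:
        # Selection happens before redaction, on the original line.
        if not wanted.search(line):
            continue
        for pattern in redactors:
            line = pattern.sub(marker, line)
        result.append(line)
    return result


if __name__ == "__main__":
    for record in extract_subject_records(SAMPLE_LOGS, "jdoe", KNOWN_IDS):
        print(record)
```

    Running it for "jdoe" yields three lines: the VPN login, the mail event with the recipient replaced by the marker, and the server-room entry with the escort's ID redacted; the "jdoe2" login and the lines that mention only "asmith" are left out entirely. IP addresses and timestamps on the subject's own lines are kept, since they are the subject's data; whether other fields (for example a shared device name) also count as another person's data is a judgement the script does not make for you.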

  • EHS related practical application information

    Sir,

    Can you please tell me how we can use the RAG methodology to rate different criteria while doing an H&S assessment of an organisation.

    Request you to share an example in this regard.

  • List of legal requirements

    Please note an organization has to list only the regulations and laws that are relevant to its business, which vary from industry to industry and from organization to organization, so our recommendation is that you should seek an expert legal advisor so this person can point out to you which regulations and laws are applicable to your business.

  • QMS training

    There is no requirement in ISO 13485:2016 that training must be every 6 months. In clause 6.2 Human resources it is only stated that the organization shall provide training or take other actions to achieve or maintain necessary competence. 

    For more information on performing ISO 13485 training and awareness, please read the following article:

    How to perform ISO 13485 training and awareness  https://advisera.com/13485academy/blog/2019/10/30/iso-13485-training/

  • Questions for EU GDPR start

    What is the difference between controllers and joint controllers?

    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If there is more than one controller and the decision on the processing is taken jointly by both, this means that they are joint controllers and they will share the responsibility to comply with the GDPR.

    Do I need to have DPA with controllers and joint controllers?

    The EU GDPR does not mandate that; however, it is customary to have a Joint Controller Agreement to clearly state the obligations of the two joint controllers.

    Do companies need to have Binding Corporate Rules?

    Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. So, BCRs are only useful for intragroup data transfers. If you want to find out more about international data transfers, check out this webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

    Which is the best way to start with the GDPR from your experience?

    If you want to get more information on how to start a GDPR compliance project, you should check out this article “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/)

    How much time and money does a small 20-person company need?

    The time needed is not only influenced by the size of the company but also by the types and categories of personal data processed, the amount of processing, etc. You can get an idea of the time needed by using this EU GDPR Compliance Duration Calculator (https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/)

    Is there any guide for data breaches?

    You can find a useful whitepaper on how to assess the severity of data breaches at Assessing the severity of personal data breaches according to GDPR (https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr)
