Search results


  • ISO 14001 compliance obligations

    Each organization is required to be aware of its compliance obligations. Each country has its own compliance obligations. Does your company belong to any business association? Some business associations perform that service of compliance obligations surveillance. Some lawyer societies also perform that service. Or your EMS can have someone with the responsibility of checking any changes in compliance obligations every X months. I use the service of a company that sends me daily information about changes in compliance obligations.

    The following material will provide you with more information about external documents control:

    - Article - What does “external documents control” mean in ISO 9001? - https://advisera.com/9001academy/blog/2019/02/04/what-does-external-documents-control-mean-in-iso-9001/

  • ISO 9001 QA/QC documents and differences between documents, procedures and records

    What do the QA/QC documents mean?

    QA normally stands for Quality Assurance. For example, when an organization has a procedure about how to buy services or how to treat an order that is quality assurance stuff.

    QC normally stands for Quality Control. For example, when an organization has a procedure about how to perform a quality test when receiving raw materials, or a quality plan with what to control, when, by whom, with what monitoring resources, with what specifications, with what records.

    What is the difference between documents, procedures, and records?

    A procedure gives direction about what is to be done, by whom and when. When they are very detailed about how to do it, they are called work instructions or standard operating procedures. An important point about a procedure is that it can become obsolete when an organization decides to change a practice.

    A record is evidence that something was done or occurred. They are like a photo stating “this happened”. An important point about records is that they never become obsolete, because no one can change the past. For example, an order received from a customer, a quality control record, a training record, ...

    Both procedures and records are documents, a support carrying information.

    The following material will provide you with information about documents and records:

    - ISO 9001 – List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
    - New approach to document and record control in ISO 9001:2015 - https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/
    - Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
    - Free webinar on demand - How to use a Documentation Toolkit for the implementation of ISO 9001 - https://advisera.com/9001academy/webinar/how-to-use-a-documentation-toolkit-for-the-implementation-of-iso-9001-free-webinar-on-demand/

  • GDPR and surveillance at the workplace

    Does the data controller have to register surveillance data, or at least the surveillance data of incidents?

    Not sure I understand what you mean by surveillance data. If you mean the logs of a security incident, you can store and register them and use them in your incident investigation if you want.

    Do the affected employees have the right to access this surveillance data?

    Yes, but only the data concerning them; data relating to other persons should be removed.

    Does the employer have to inform the employees about all possible surveillance practices it does (or can) carry out?

    Yes, you need to inform your employees about the processing activities that their employer is carrying out. You need to describe the activity, its purpose and its lawful ground in an Employee Privacy Notice. If you want to find out more about Privacy Notices, check out this free webinar, Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/).

    How would that happen normally?

    For new employees the Privacy Notice could be communicated when they sign the work contract, and for the rest it can be either sent via email or uploaded on the intranet so it is available to all employees.

    In which cases is invasive (or longer-term, more or less permanent) surveillance allowed?

    You would need to perform a Legitimate Interest Assessment (LIA) to determine which activities would be infringing upon the rights and freedoms of the employees.

    Does the employer have to disclose such cases? Or keep a register of them?

    If the LIA shows that the activity is too intrusive, then it should be limited to what would not be considered intrusive/excessive. E.g. less information could be collected, data could be anonymized, data could be deleted after a shorter period of time, etc.

    If invasive surveillance is proven, which information can the employee request from the data controller (beginning, end, time period, people involved, decision makers involved, whom it was forwarded to, which kinds of surveillance techniques were employed [electronic, video, audio...], etc.)?

    The employees can ask you to provide all information about themselves which was collected by the monitoring system, such as images, recordings, logs, etc. The only limitation regards the information about other individuals, which must be removed.

  • EHS related practical application information

    Sir,

    Can you please tell me how we can use RAG methodology to rate different criteria while doing H&S assessment of an organisation.

    Request you to share an example in this regard.

  • List of legal requirements

    Please note an organization has to list only the regulations and laws that are relevant to its business, which vary from industry to industry and from organization to organization, so our recommendation is that you should seek an expert legal advisor so this person can point out to you which regulations and laws are applicable to your business.

  • QMS training

    There is no requirement in ISO 13485:2016 that training must be every 6 months. In clause 6.2 Human resources it is only stated that the organization shall provide training or take other actions to achieve or maintain necessary competence.

    For more information on performing ISO 13485 training and awareness, please read the following article:

    How to perform ISO 13485 training and awareness - https://advisera.com/13485academy/blog/2019/10/30/iso-13485-training/

  • Questions for EU GDPR start

    What is the difference between controllers and joint controllers?

    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If there is more than one controller and the decision on the processing is taken jointly by both, this means that they are joint controllers and they will share the responsibility to comply with the GDPR.

    Do I need to have DPA with controllers and joint controllers?

    The EU GDPR does not mandate that; however, it is customary to have a Joint Controller Agreement to clearly state the obligations of the two joint controllers.

    Do companies need to have Binding Corporate Rules?

    Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. So, BCRs are only useful for intragroup data transfers. If you want to find out more about international data transfers, check out this webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

    Which is the best way to start with the GDPR from your experience?

    If you want to get more information on how to start a GDPR compliance project, you should check out this article “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/).

    How much time and money does a small 20-man company need?

    The time needed is not only influenced by the size of the company but also by the types and categories of personal data processed, the amount of processing, etc. You can get an idea of the time needed by using this EU GDPR Compliance Duration Calculator (https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/).

    Is there any guide for data breaches?

    You can find a useful whitepaper on how to assess the severity of data breaches at Assessing the severity of personal data breaches according to GDPR (https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr).

  • Compliance checklist for ITIL

    Our documentation toolkit, for both ITIL as well as for ISO 20000, contains a list of documents. In that list you’ll find compliance of the documents related to the respective best practice, i.e. ISO standard.

    The ITIL Documentation Toolkit list of documents can be found here: https://advisera.com/wp-content/uploads//sites/6/2015/07/List_of_documents_ITIL_Documentation_Toolkit_EN.pdf

    Please note that ITIL doesn't have mandatory documents, compared to ISO 20000.

  • Section 4.3 ISO 9001:2015

    Examples of external issues can be, for example, market factors such as competition, market leader trends, or supply chain relationships. Other examples can be statutory and regulatory factors. Operating in certain areas can require certification due to regulation or competition.

    Examples of internal issues can be, for example, operational factors such as process or production and service provision capabilities. For example, an organization can decide to certify just part of the production facilities.

    The following material will provide you with information about the scope:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Free online training – ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
    - Book – Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Customer Special Characteristics

    Customers usually specify very directly the requirements for special characteristics.

    In IATF 16949 there is no requirement for visualization to identify “good” and “bad” examples, but it can be a very common special characteristic.

    For more information on requirements when implementing IATF 16949, please read our article:

    How to satisfy customer-specific requirements when implementing IATF 16949 - https://advisera.com/16949academy/blog/2019/07/02/iatf-16949-customer-specific-requirements-how-to-meet-them/
