
  • GDPR and surveillance at the workplace

    Does the data controller have to register surveillance data, or at least the surveillance data of incidents?

    Not sure I understand what you mean by surveillance data. If you mean the logs of a security incident, you can store and register them and use them in your incident investigation if you want.

    Do the affected employees have the right to access this surveillance data?

    Yes, but only the data concerning them; data relating to other persons should be removed.

    Does the employer have to inform the employees about all possible surveillance practices it does (or can) carry out?

    Yes, you need to inform your employees about the processing activities that their employer is carrying out. You need to describe the activity, its purpose and its lawful ground in an Employee Privacy Notice. If you want to find out more about Privacy Notices, check out this free webinar Privacy Notices under the EU GDPR (https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/)

    How would that happen normally?

    For new employees the Privacy Notice could be communicated when they sign the work contract, and for the rest it can be either sent via email or uploaded on the intranet so it is available to all employees.

    In which cases is invasive (or longer-term, more or less permanent) surveillance allowed?

    You would need to perform a Legitimate Interest Assessment (LIA) to determine which activities would be infringing upon the rights and freedoms of the employees.

    Does the employer have to disclose such cases? Or keep a register of them?

    If the LIA shows that the activity is too intrusive, then it should be limited to what would not be considered intrusive/excessive, e.g. less information could be collected, data could be anonymized, data could be deleted after a shorter period of time, etc.

    If invasive surveillance is proven, which information can the employee request from the data controller (beginning, end, time period, people involved, decision makers involved, whom it was forwarded to, which kinds of surveillance techniques were employed [electronic, video, audio...], etc.)?

    The employee can ask you to provide all information about himself which was collected by the monitoring system, such as images, recordings, logs, etc. The only limitation regards the information about other individuals, which must be removed.

  • EHS related practical application information

    Sir,

    Can you please tell me how we can use the RAG methodology to rate different criteria while doing an H&S assessment of an organisation?

    Request you to share an example in this regard.


  • List of legal requirements

    Please note an organization has to list only the regulations and laws that are relevant to its business, which vary from industry to industry and from organization to organization, so our recommendation is that you should seek an expert legal advisor so this person can point out to you which regulations and laws are applicable to your business.

  • QMS training

    There is no requirement in ISO 13485:2016 that training must be every 6 months. In clause 6.2 Human resources it is only stated that the organization shall provide training or take other actions to achieve or maintain necessary competence.

    For more information on performing ISO 13485 training and awareness, please read the following article:

    How to perform ISO 13485 training and awareness  https://advisera.com/13485academy/blog/2019/10/30/iso-13485-training/

  • Questions for EU GDPR start

    What is the difference between controllers and joint controllers?

    Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. If there is more than one controller and the decision on the processing is taken jointly by both, this means that they are joint controllers and they will share the responsibility to comply with the GDPR.

    Do I need to have DPA with controllers and joint controllers?

    The EU GDPR does not mandate that; however, it is customary to have a Joint Controller Agreement to clearly state the obligations of the two joint controllers.

    Do companies need to have Binding Corporate Rules?

    Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. So, BCRs are only useful for intragroup data transfers. If you want to find out more about international data transfers, check out this webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

    Which is the best way to start with the GDPR from your experience?

    If you want to get more information on how to start a GDPR compliance project, you should check out this article “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/)

    How much time and money does a small 20-man company need?

    The time needed is not only influenced by the size of the company but also by the types and categories of personal data processed, the amount of the processing, etc. You can get an idea of the time needed by using this EU GDPR Compliance Duration Calculator (https://advisera.com/eugdpracademy/eu-gdpr-compliance-duration-calculator/)

    Is there any guide for data breaches?

    You can find a useful whitepaper on how to assess the severity of the data breaches at Assessing the severity of personal data breaches according to GDPR (https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr)

  • Compliance checklist for ITIL

    Our documentation toolkit, for both ITIL as well as for ISO 20000, contains a list of documents. In that list you’ll find the compliance of the documents related to the respective best practice, i.e. ISO standard.

    ITIL Documentation toolkit can be found here https://advisera.com/wp-content/uploads//sites/6/2015/07/List_of_documents_ITIL_Documentation_Toolkit_EN.pdf


    Please note that ITIL doesn't have mandatory documents, compared to ISO 20000.

  • Section 4.3 ISO 9001:2015

    Examples of external issues can be, for example, market factors such as competition, market leader trends, or supply chain relationships. Other examples can be statutory and regulatory factors. Operating in certain areas can require certification due to regulation or competition.

    Examples of internal issues can be, for example, operational factors such as process or production and service provision capabilities. For example, an organization can decide to certify just part of the production facilities.

    The following material will provide you information about the scope:

    - ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
    - Free webinar – ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
    - Free online training – ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Customer Special Characteristics

    Customers usually specify very directly the requirements for special characteristics.

    In IATF 16949 there is no requirement for visualization to identify “good” and “bad” examples, but it can be a very common special characteristic.

    For more information on requirements when implementing IATF 16949, please read our article:

    How to satisfy customer-specific requirements when implementing IATF 16949 https://advisera.com/16949academy/blog/2019/07/02/iatf-16949-customer-specific-requirements-how-to-meet-them/

  • Delete the data after a request

    The processor must return or delete personal data at the end of the agreement, save to the extent the processor must keep a copy of the personal data under EU or Member State law. Art. 28(3)(g).

  • Roles in ISMS

    1. “Mail significant for the planning and operation of the ISMS/compliance with GDPR” should be recorded. This can be an Excel on our SharePoint or an actual paper/pen notebook at the office, I assume. What would, in reality, be such mail? I can think of, e.g., someone who would send a letter exercising his “right to be forgotten”.
    I will have to explain to the others in the company which mail they will have to register and what will not be considered as “mail significant for the planning and operation of the ISMS/compliance with GDPR”, but I don’t really know the answer to that myself yet…

    Yes, you could receive a letter related to the right to be forgotten, consents, data subject access requests, etc.; you could also receive official letters from data protection authorities, or from agencies that regulate information security. As you mentioned, you can record them in Excel, SharePoint, or in a simple note.

    2. I want to make a list per function/role in the company of all the responsibilities and tasks as described through the policies and procedures. Is there already a template for this? I don’t find it in the kit.

    First, it is important to note that ISO 27001 does not require a central document for all responsibilities and tasks defined for the ISMS. The description of these on each template in the toolkit is sufficient to cover requirements for certification. Considering that, we do not recommend the creation of such a list, because it will only duplicate information (increasing the risk of having outdated information) and increase administrative effort.

    3. Also, is there a list of all ISMS-related types of roles? Such as CISO, Senior Management, Compliance Officer, DPO…?

    ISO 27001 does not prescribe roles to be created to implement an ISMS, so organizations define them as they see fit. You can either create roles you understand are important, or you can designate responsibilities to already existing roles in your organization. In general, the most common role created is the chief information security officer (CISO).

    These articles will provide you further explanation about roles and responsibilities:
    - How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
    - Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
    - What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
