Article 3 – Territorial scope – states in paragraph 2 that “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” So, if the company offers goods and services to people in the EU (actually positioned in the EU), GDPR applies to the company. If the company offers goods and services to people in non-EU countries, and the company is not in the EU, GDPR doesn’t apply to them (even if EU citizens reside in the services countries).
Please also consult these links:
There is no “one size fits all” approach. However, ITIL encompasses everything you need, at least for the beginning.
Here are the articles to help you while starting the implementation:
Additionally, use the ITIL4 approach by following the value. That will help you focus on necessary and avoid overhead.
Regarding the Records of Processing Activities (ROPA), we have a template in our EU GDPR Toolkit that you purchased, you just fill in there details related to processing operations. For example, if you offer SaaS services, you just need to fill in exactly the processing operations that are part of the services offered, without mentioning all the customers. The role of the ROPA is to have a view related to all the processing operations in the organization, done for the Controller role or for the Processor role. Third parties need to be mentioned explicitly only when they perform different processing operations as suppliers (such as externalized backup services, or hosting services).
For more details please consult these resources:
ISO 9001 Internal Auditor Course is applicable to people, internal auditors of quality management systems (QMS). If a software company has a QMS, ISO 9001 Internal Auditor Course will prepare internal auditors to audit the company’s QMS.
The following material will provide you with information about audits:
1: Do we need a Technical File for outsourced products that are manufactured elsewhere?
You need to have a technical file for products that you are placing on the market. If products that are manufactured elsewhere are part of your final device, yes, you need to have all necessary documentation from that outsourced product in your technical file.
2: Do we need a Technical File for products that we relabel?
Again, the question is who places the product on the market. If by putting the label you state that you are a manufacturer, in that case, you need to have the whole technical file. If by putting the label you state that you are a distributor, in that case, you do not have proper Technical Documentation, but rather a medical device file according to ISO 13485, requirement 4.2.3, which will then contain the EC certificate, instructions for use, information on installation/service and the like, depending on the type of product.
3: Do we need a Technical File for products that we do not adapt or manufacture ourselves but that we buy and resell (as part of one of our products)?
I believe that I have answered this in the previous two answers. If something else needs to be clarified, feel free to contact us.
ISO 45001 is an international standard, intended to be used by any organization, in any industry, anywhere in the world. As such, it is written to be flexible in nature, giving requirements that describe what needs to be done, but not how to do it. So, the standard will not give details such as who does and does not need to be included in a management review; only that a management review needs to happen, certain data needs to be reviewed, and records need to be kept. In this case, not all organizations would have access to a doctor for this review, so the standard will not identify this as a requirement.
So, it is up to your organization to determine who needs to be included in your management review. If you do have a doctor on site they may be a valuable asset to this process, but ISO 45001 does not require that a doctor take part.
You can learn a bit more about how management review works in the article:
You could contact B2B leads using your legitimate interest to foster a mutually beneficial business, according to Art. 6 GDPR (Lawfulness of processing), paragraph 1 (f). I recommend performing a Legitimate Interest Assessment to determine whether the purpose is correct (identify the legitimate interest), whether the processing is necessary (evaluate other means that might be less invasive), and the balancing test (consider the individual’s interests, such as not wanting to be contacted). If you go through the Legitimate Interest Assessment and decide to contact your B2B leads, please make sure you add a disclaimer at the end of the email to allow them to opt out of further communication.
Please consult these resources as well:
You should always approach risk assessment with professional skepticism.
For the impact, you need to take the worst-case scenario, i.e., what is the worst impact that can happen if the risk materializes. For likelihood, you have to assess how strong the current safeguards in place are, and how reliable this person is.
These articles will provide you with further explanation:
It is correct that AS9100 Rev D includes all of ISO 9001:2015, with additional requirements for aerospace organizations. What this means is that if a company is certified to AS9100, they are also certified to ISO 9001 in the same certification because they meet all requirements. In fact, most certification bodies I have seen will list both standards on the certificate.
As to the question of whether you should include AS9100 as a supplier requirement, this is completely determined by what you need to meet your customer and legal requirements. If you do not have a requirement from them to use only AS9100 certified suppliers for your Air Traffic Control products, I would hesitate to make this a requirement of your suppliers, as some of them may not comply with AS9100. If you wanted to include certification to ISO 9001 or AS9100 to make it clear that either is acceptable, this would be my recommended approach.
You can learn a bit more about the differences in the standards in the article:
I'm not clear on what you mean by “cover” and am not knowledgeable about what membership to the Association entails. ISO/IEC 17025 is the international standard that sets out the general requirements for the competent, impartial, and consistent operation of laboratories. Membership and/or certification by a sector-specific association typically involves the member meeting a level of compliance and competency based on the association's standards of practice. This provides confidence in the organization but does not equate to certification to an ISO standard such as ISO 9001, nor accreditation to ISO 17025, the competency standard for calibration and testing laboratories. There may, however, be processes and documentation that you have in place that could be built on if you wish to implement ISO 17025.
For more information on ISO 17025, see What is ISO 17025? at https://advisera.com/17025academy/what-is-iso-17025/ and the white paper Clause-by-clause explanation of ISO 17025:2017, available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025