It depends on the roles of the two telecommunication companies. If one of the telecom companies (company B) processes personal data on behalf of the other telecom company (company A) this means that company A is a data controller and company B is a data processor and in this case, there needs to be a legally binding document in place between the two companies. You can find a Controller to Processor Data Processing Agreement in our EU GDPR Documentation Toolkit (https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/).
You also need to have a legally binding document in place if the two companies are joint controllers as well.
Although not strictly required by the GDPR, it is a best practice to have GDPR Agreements also between two independent controllers.
Implementing ISO 9001
Answer:
Look into the company at two different levels. First, map the flow of work from customer requirements and needs until the customer is served: “What do you do?” (development of services, commercial activities, purchasing, providing the service, maintenance, training, management). Second, determine: the internal and external context, interested parties, quality policy and objectives, and risks and opportunities.
Characterize the processes and define and implement plans to meet objectives and address risks and opportunities.
The following material will provide you information about implementing an ISO 9001 management system:
The EU GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” (Article 4 – Definitions (https://advisera.com/gdpr/definitions/)).
So, a phone number is identifiable information which is assimilated to personal data.
Broadly speaking, examples of security objectives for IT Helpdesk function are:
- Protection of IT Helpdesk user/customer data
- Maintenance of IT Helpdesk function availability
- Percent of business processes supported by the IT Helpdesk function
Answer:
When you look into the external and internal issues you can identify risks and opportunities related with the intended outcomes of EMS. For example:
* technological trends may help you reduce environmental impacts;
* legislation trends may make it more difficult to comply with legal obligations
“2. Since the standard doesn't require one to document the analysis above, how does one show evidence that the analysis is done, and it is sufficient and appropriate?”
Answer:
Without records, the auditor will have to interview the management team and see if the company has done the risk-based thinking (RBT), and simply write in the report that they demonstrated the RBT during the interview with the management.
The following material will provide you information about applying RBT to an environmental management system:
I do think it is possible to implement and complete ISO 9001:2015 certification with no prior knowledge. Documents included in the toolkits are designed to comply with all of ISO 9001:2015, so they include not only the mandatory documents but also the commonly used ones. The templates of the toolkit are also easy to complete, since they deal with the technicalities and provide many comments about how to fill out the specific information of your company, and materials to understand all clauses and requirements. Our toolkits also include expert support, so you can talk to one of our experts in order to clarify some questions along the project and they can review some of your documents. This expert support can be up to 15 hours and 15 documents, so you will assure that your organization successfully achieves the certification.
The duration of the implementation will depend on the size of the company and the complexity of the product and service, but also on the resources provided for the project. You can use this tool to calculate the duration - ISO 9001 Implementation Duration Calculator: https://advisera.com/9001academy/iso-9001-duration-calculator/
If an organization that provides a service designs and develops that service, the clause is applicable. For example, an organization that sells babysitting services may want to develop a new service for caring for older people. What is that new service about? What features are included? What are the requirements for caregivers? That is the scope of design and development.
The following material will provide you information about design and development:
Answer:
Without knowing what your business is about, I follow a general rule to answer you. If your business serves other businesses (B2B), ISO 9001:2015 certification can normally be a plus. What could go against this general rule? Sometimes very small businesses take advantage of being very flexible because procedures are very fluid and everybody does a little bit of everything; in that case ISO 9001:2015 can be too soon for them.
The following material will provide you information about ISO 9001 benefits:
Answer:
Without top management involvement and participation any management system will be a burden on the organization and its people.
In a case like yours, I would list all the benefits of being certified for the organization and would list all the risks and costs for the business because of losing certification. Then, I would translate those benefits and drawbacks into money. How much money can the organization lose by losing certification? How much money does the organization earn because it is certified? Normally, top management gives more attention to money figures.
The following material will provide you information about convincing top management about keeping a management system:
I assume from your question that you are acting as a data processor with regard to the personal data of the data subject asking for the data to be deleted. In this case, as required by EU GDPR art. 28(3)(e) – Processors (https://advisera.com/eugdpracademy/gdpr/processor/), such requests should be forwarded to the respective data controller. You can inform the data subject that you, as a processor, have forwarded the request to the controller.