Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Inventory of processing activities
1. Do we need a separate inventory for Processing activities for data of our clients (As Processor)? If so should we adapt this document or is there a separate document.
2. Does processing of employee data (of our own employees) also need to be added to the inventory?
Answers:
1. The “Inventory of Processing Activities” has two separate sheets. The controller sheet is to be used to capture the processing activities where you act as a data controller and the processor sheet should be used for the processing activities where you act as a data processor. Art. 30 - Records of processing activities (https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/) requires that under certain circumstances both controller and processors keep these kind of records.
2. Processing activities related to your own employees such as recruitment, onboarding, payroll, time management etc. need to be captured in the “Inventory of Processing Activities” in the controller sheet. -
Lawful grounds for processing employee biometric data
There is no need for the employees to sign the Privacy Notices, it is enough for you to send an email with the Privacy Notice enclosed or provide a link to the Privacy Notice. It would also be advisable for you to publish the Privacy Notice on your intranet page to be available to all employees. -
An expanding scope
Answer:
In principle, what your client requests is feasible. The scope of a quality management system (QMS) is not necessarily equal to the scope of a company’s activities. Sometimes organizations do it like this: they start with a QMS with a limited scope and certify it. Later, they update the scope and include new activities in the QMS. In your situation, I would document the different scopes and transition schedule and would speak with the certification body, even before starting the implementation project. Certification bodies can help with those issues.
The following material will provide you information about quality management scope:
- ISO 9001 – How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
AS9100 Certification Fees
1. Inspectors site visit,
2. Certification cost etc.?
Scope of work:
· Aircraft Spares Depot
· Abu Dhabi, United Arab Emirates.
Answer:
In general, for any QMS in any location, you will hire a certification body to audit your QMS and provide your certification. The fees for the process typically cover a three-year period: Year 1 – Documentation audit, Certification audit and certification, Year2 – Surveillance audit, Year 3 – Surveillance audit. These fees will differ between certification bodies and might include travel costs as well for each on site audit. They should not include any consulting services since the certification auditors are not supposed to consult on any QMS they will be auditing. It is best to check with a couple different certification bodies in your area to see the differences in fees.
This downloadable checklist includes the implementation and certification steps you will need fo r yoru AS9100 implementation: https://info.advisera.com/9100academy/free-download/project-checklist-for-as9100-rev-d-implementation -
ISO 17024 online ISO 20000 Lead Auditor training
Answer:
I wouldn't point to particular organization, but there are some accredited training institutions that are quite popular and accredited, like: PECB, IRCA, Exemplar Global (formerly RABQSA), etc.
This article provides more information about accreditation:
"Accreditation vs. certification vs. registration in the ISO world" https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/ -
How to comply with EU GDPR as a data processor
Answer:
The question is much too broad to provide you with an exhaustive answer.
The key for a processor to be compliant with the requirements of the EU GDPR is to make sure that it takes into account the obligations set forth in article 28 – Processors (https://advisera.com/eugdpracademy/gdpr/processor/).
As a processor you also need to :
Process only personal data on the instructions of the controller unless required to process for other purposes by Union or Member State law (but not foreign law, such as US law. This will be a major headache for many foreign processors);
To keep a record of processing carried out on behalf of a controller (see Record keeping obligations);
To cooperate with the supervisory authorities;
To implement appropriate security measures ;
To notify the controller of any personal data breach without u ndue delay;
To appoint a data protection officer in certain cases ;
To comply with the rules on transfers of personal data outside of the Union.
To learn more about processors obligations check our free webinar “EU GDPR Foundations Course” (https://advisera.com/training/eu-gdpr-foundations-course//) -
Managing personal data
1. They receive offer request from new customers via mail. For example, dear XXXX we would like to have a proposal for 100 pieces of this material with this shape. Are you able to make it? These are my details: Name, Surname, Phone number, email, VAT number.
2. The same request may arrive via phone.
In this 2 cases, they receive personal data from new customers. My question is, do they need to reply automatically via mail saying, “dear customer, thanks for your email….. we will collect your personal data in order to prepare the proposal and we will keep the data for 60 days after that time, data will be deleted. Data will not be shared with 3rd parties….." The same automatic message can be inserted inside the voice message where the customer needs to press button X to talk with sales department. This is m andatory or do they can prepare the offer and sent via mail that the offer was prepared since a previous contact existed and they will keep the data for 60 days…..?
Answers:
1. When receiving/collecting personal data from a data subject you should comply with the requirements of Article – Transparent information, communication and modalities for the exercise of the rights of the data subject ( https://advisera.com/eugdpracademy/gdpr/transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject/ ) and Article 13 – Information to be provided where personal data are collected from the data subject (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/).
2. There is no need to have a prompt automatic answer but they just need to be informed about this in due time, let's say 30 to 60 days or so, or when the customers are contacted to be provided with an offer. -
Is Risk Treatment Table necessary?
Answer: If all the risks are acceptable, this would mean that you do not need to implement any control, so this would mean that Risk Treatment Plan is not needed.
I must add that if you have such situation, there is something wrong - it is impossible to have all the risks at the acceptable level, so you might have not identified all the risks, or you have been assigning the impact or likelihood too low, or your acceptable level of risk is too low. In any case, not having Risk Treatment Plan will create big problems during the certification audit.
Also I would like to know if it's possible to have a detailed list of Control and Objectives to clarify my thoughts when I'm filling out the Statement of Applicability Table.
Answer: In the ISO 27001 Toolkit you purchased, you have the Statement of Applicability template that lists the names of all controls from ISO 27001 Annex A; however to read the description of ea ch of those controls and get the suggested control objectives, you need to purchase the ISO 27001 standard, you can find it on the ISO website: https://www.iso.org/standard/54534.html
By the way, together with the toolkit you received video tutorial that explains how to fill out the Statement of Applicability - there you can see how to fill out this document, including examples of control objectives.
This article can also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
These materials will also help you regarding Statement of Applicability and Risk Treatment Plan:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course
https://advisera.com/training/iso-27001-foundations-course/ -
Transfers of coded (pseudonymized) data from EU to US
1. If the US processor is certified in Privacy Shield, would that cover the transfer, or would standard contractual clauses need to be signed between the EU exporter and US importer (of could these be signed between the US controller and US processor on behalf of the EU exporter)?
2. Would the US controller need to make sure there was also a Data Processing Agreement between the US controller and US processor in place since EU coded data is being processed?
3. Is pseudonymized data still considered personal data once transferred to the US or would it not be personal data any more?
Answer:
Before answering your questions I just want to mention something regarding Privacy S hield. First of all Privacy Shield predates the EU GDPR and this is not 100% in line with its provisions and secondly it has been challenged in front of the European Court of Justice and its future is uncertain. Having this in mind I would advise against using Privacy Shield as a safeguard to transfer data to the US.
1. To be sure that your transfer would not be challenged by any Supervisory Authority and that it won't be affected by the outcome of the Privacy Shield litigation, I would advise using controller to processor Standard Contractual Clauses to legitimize your transfer to an US processor. The SSCs can be signed by a US controller on behalf of the EU exporter. The EU would need to issue a power of attorney to the US entity to enter into a SSC based Data Transfer Agreement.
2. The US controller would basically act on behalf of the EU controller which is needed to ensure the legality of all onward transfers.
3. Yes, as long as the data belong to data subjects “in the Union” even if is pseudonymized it would still be considered personal data.
To find out more about international data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/). -
Personal medical record
Answer:
The organization, in this case NHS Trust Hospital, must act on the subject access request without undue delay and at the latest within one month of receipt. You should calculate the time limit from the day after the hospital received the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
The timeline for responding can be extended for two additional months if the request is complex or you have sent great number of requests to the hospital. If the hospital cannot respond within one month of receiving your request they should let you know and explain why the extension is necessary.
To learn more about your rights check out our webinar “Dat a Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/)