Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11270 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Legal basis
2. What is the most simple but also complete form of consent we can use?
Answers:
1. You can only chose legitimate interest for marketing campaigns if you consider factors such as:
- whether people would expect you to use their details in this way;
- the potential nuisance factor of unwanted marketing messages; and
- the effect your chosen method and frequency of communication might have on more vulnerable individuals.
Also consider that individuals have the absolute right to object to direct marketing under Article 21(2) – “Right to object” (https://advisera.com/eugdpracademy/gdpr/right-to-object/) , it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual).
2. There in no such thing as “simple and complete” because the requirements of the EU GDPR in terms of consent are quite extensive. Thus, consent needs to be freely given, specific, informed and unambiguous indication of the individual’s wishes. You must keep records so you can demonstrate that consent has been given by the relevant individual.
To learn more about marketing and the EU GDPR check out our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/ -
Quality and Information Security Manager
Hi Brian,
At small IT organizations (up to 20/30 employees), normally, the same person combines the two roles.
At larger organizations, particularly if the core is not software, like manufacturing, normally, each role is performed by different persons.
Please check this free webinar - Free webinar – ISO 27001 implementation: How to make it easier using ISO 9001 - https://advisera.com/9001academy/webinar/iso-27001-implementation-how-to-make-it-easier-using-iso-9001-free-webinar-on-demand/ -
EN 9100 vs ISO 9001
Answer:
EN 9100 includes ISO 9001 and then some more requirements like, for example, planning for product realization, design and development, purchasing and improvement.
Please check in this text “ISO 9001 vs. AS9100” - https://advisera.com/9001academy/blog/2014/09/09/iso-9001-vs-as9100/ a summary of the main differences between ISO 9001 and EN9100 (AS 9100 in the USA and EN 9100 in Europe).
The following material will provide you information about AS 9100:
- ISO 9001 – Five special aerospace terms in AS 9100 Rev D - https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ -
Required consent
2. Similarly, xxx’s other clients which are case study participants- they share their personal data with xxx.
3. Do we require their consent?
4. GDPR implementation’s deadline was in MAY .What kind of an impact does that have ?
Answers:
1. Consent would be required if you are targeting individuals an not companies and usually when the email notification refers to advertisement. If the notifications are used to communicate based on an existing contract with a customer then the consent is not required as the legal grounds for processing would be “contractual obligation”. The EU GDPR does not require a specific process to obtain consent. You just need to ensure that consent is freely given, specific, informed and unambiguous indication of the individual’s wishes. As data controller you must keep records so you can demonstrate that consent has been given by the relevant individual.
2. Using an attorney at law is entirely up to you such thing is not regulated in the EU GDPR.
3. If the sharing and processing of personal data is based on a contract then consent is not required as the legal grounds for processing is “contract obligations”
4. Question is much to broad to be addressed as the impact is different based on the processing activities of each individual company. The impact is that all companies which are processing personal data and fall under the GDPR need to comply with specific requirements or they risk being fined with up to 4% of their turnover.
To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//) -
Data privacy policy and Data protection policy
Answer:
Both documents refer to the same thing, so only the title is different.
To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//) -
Need for DPO
Answer:
For the purpose of your question to define “large scale” the following factors need to be considered:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing could include:
- processing of patient data in the regular course of business by a hospital;
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a - processor specialized in providing these services;
- processing of customer data in the regular course of business by an insurance company or a bank;
- processing of personal data for behavioral advertising by a search engine;
- processing of data (content, traffic, location) by telephone or internet service providers
To learn more about the EU GDPR check out our “EU GDPR Foundation Course” (https://advisera.com/training/eu-gdpr-foundations-course//) -
Processor/Controller
Thank you! -
Filling a template
For example:
Asset name:
Laptop Nr 1
Laptop Nr 2
...
Laptop Nr 20
or
Asset name:
Laptops
Mobile phones
System software
Development software
Answer: You can group your assets in classes, using separated classes only when you have to consider different treatments to the same type of asset (e.g. you have development laptops and management laptops, or corporate phones and personnel phones, etc.).
By the way, included in your toolkit, you have access to video tutorials that can help you fill the risks assessment table. -
BCP sites
Answer: ISO 22301 does not require separated sites for each critical activities/departments when defining BCP plans, so this decision is up to each organization, considering its available resources and defined recovery objectives, but I should say that this is a very unusual situation, and most of time a single BCP site is enough to support a BCP plan.
This article will provide you further explanation about BCP site:
- Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/
This material will also help you regarding BCP site:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ -
Terminology of ISO 9001 - shall word
Answer:
Please check at the end of clause 0.1 of ISO 9001:2015 what is written about the “shall” word, shall is a requirement. How do I, as an auditor, audit clause 7.1.1 shall? I do not ask directly, I look for evidences. For example, looking into process performance indicators, complaints, devolutions and recalls I can get evidences that help me answer to questions like: Do the organization has enough resources? Do they have the right team? Are resources being well used? Is productivity OK? Are support structures OK?
More than direct questions an auditor might be look ing into evidences that support the answers to the checklist questions.
The following material will provide you information about terminology:
- Explanation of the basic terminology in ISO standards - https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
- free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
- book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/