The external auditor will ask questions in order to be able to conclude on the conformance and/or effectiveness of the management system. When auditing quality personnel, he will be asking questions like:
Is the quality control plan at reception and production being fulfilled? Evidence!
Are nonconformities identified, segregated and treated? Evidence!
Are corrective actions developed and effective? Evidence!
Is process and product performance monitored, and decisions made? Evidence!
The following material will provide you with information about the certification audit:
Facebook and Google track their usage of our site. We may continue showing them remarketing ads, theoretically for months to come, by using Google and Facebook tools. I believe Facebook and Google are the data controllers.
Do we have an obligation to not do this? It's very hard to comply with this technically, and I'm not sure we are required to?
Answer:
If it is Facebook or Google, then this means that they are the controllers and your customer should direct their deletion request to them as well. As long as you delete the data and inform the user of the website that Facebook and Google are using cookies to track the behavior of the user of the website through your cookie policy (providing information on how to set up the website not to accept cookies), you should be fine.
2. Do our clients need to obtain permission to input this personal information first?
3. Do we need to purge any historical data about EU residents from our database if we do not know how the information was collected?
Answers:
1. From the beginning it is important to know that GDPR is applicable to your company because you are monitoring individuals whose behavior takes place within the European Union. As your company is collecting the data and decides what data is to be collected, this makes it a controller. It should notify the EU residents in its database that it is processing their personal data, as per the requirements of EU GDPR Article 14 - “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/)
2. Your client acts as a controller as well and should notify the EU residents that he is processing their personal data, and also communicate to them the source of the data (which in this case is you). See Art. 14 of the EU GDPR – “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/)
3. According to GDPR you cannot process personal data unless you have a legal ground. If you cannot rely on a legal ground, then your processing activity may be unlawful. In conclusion, if you cannot prove that your personal data was collected legally, then you should erase it.
This is related to the age of the student and the local legislation. As long as the parent acts as the legal guardian of the student then the parent is entitled to ask for that information.
Non-EU clients
2. Eventually, we should protect all the data for the EU clients / non-EU clients who have business contacts in Europe, right?
Answers:
1. If I understand correctly, after the process of incorporation the company will have its headquarters or a subsidiary in the European Union. In this case the answer is yes; GDPR applies to every company which is based in the European Union and processes personal data. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR.
2. Yes, you should protect the personal data of every individual whose data you are collecting, as long as your business is based in the European Union.
If the company that performs background checks is not based in the European Union and processes only the data of individuals located on the territory of the United States, then it does not have to comply with GDPR.
Documenting QMS Issues in AS9100
Answer:
The internal and external issues that comprise the context of the organization in AS9100 Rev D do not need to be documented information as per the standard requirements. For instance, if you have a small business where the owner is always considering these issues (such as being part of an industry action group that meets to discuss industry issues), then you may not need to write these down. However, as these need to be reviewed occasionally, organizations that have several people in top management may find it very useful to write these down for later review.
If you want to see a sample of our procedure for context of the organization, which includes identifying issues, you can see this page: https://advisera.com/9100academy/documentation/procedure-for-determining-context-of-the-organization-and-interested-parties/
ISO 27018
Answer: ISO 27018 is not a certifiable standard. It can be used to support implementation of controls of ISO 27001 Annex A (this one is a certifiable standard), providing additional guidance to implement security practices to protect privacy in the cloud.
Some certification bodies are issuing unofficial ISO 27018 certificates, but only together with an official ISO 27001 certificate.
Answer: According to ISO 27001, the implementation of antivirus application, or any control from Annex A, is required only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs, there is no need to implement a control considering ISO 27001 requirements.
2. Could you clarify the confidential level, what should we write and why?
3. About the cross-border transfer of personal data. The current legislation, GDPR (EU) 2016/679, talks about the free movement of data, so why do we need a Data Transfer Agreement, and with whom? And why should we obtain authorization from the Supervisory Authority? (Before 25 May 2018, the transfer was done with a license.)
4. So we need only a Processor Data Processing Agreement; please approve...
5. Question from Section 8.1.3: If we are a Controller and provide services for non-EU companies with our nominee EU persons, what do we do in this case? In my opinion, we have an EU local Supervisory Authority and we have a Processor Agreement with all our suppliers; is this lawful or correct enough...
Answers:
1. A Data Protection Policy is usually an internal document, but there are companies that choose to publish the document on their website in order to be more transparent in front of their clients.
2. Usually companies classify their internal documents based on their importance to the company. Personal data should at least be considered as “Confidential” so it can only be handled by specific personnel that need to process the data to fulfill their duties. For more information about “Information classification” you can check out our free article https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
3. A Data Transfer Agreement (DTA) is a contract between the providing and recipient organizations that governs the legal obligations and restrictions, as well as compliance with applicable laws and regulations, related to the transfer of such data between the parties. When you are transferring personal data outside the EEA, in addition to the DTA you must use appropriate safeguards in the absence of an adequacy decision. Appropriate safeguards are intended to provide enforcement and effective rights to individuals. All require prior approval from a supervisory authority. According to GDPR the appropriate safeguards are: Binding Corporate Rules, Standard Contractual Clauses, approved codes of conduct or certification mechanisms, ad hoc contractual clauses and reliance on international agreements. Among the most used appropriate safeguards are Standard Contractual Clauses.
The document “Standard contractual clauses for the transfer to Processors” is to be used when transferring personal data to countries outside the EEA. The same information can be found in the “Cross border data transfer procedure” (Cross Border Data Transfer (CBDT) - transfer of personal data by controllers established in the European Union (EU) to recipients established outside the territory of the EU/EEA who act either as controllers or as processors). To learn more about cross border data transfer, please check out our free webinar “How to make personal data transfers to other countries compliant with GDPR” https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
4. If you are transferring data to a processor (supplier) which is located in the EU you need to use document 07.2 Supplier data processing agreement that can be found in folder 7 “Third party compliance” in the EU GDPR Documentation Toolkit.
5. I am not sure I understand the question very well. Please rephrase it and provide more details of what data you are processing in order to provide services to your non-EU clients. Please define “nominee EU persons”.