According to EU GDPR Article 13 – “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), the privacy notice, which should include information about cross-border transfers or the use of a third-party processor, should be provided to the data subject “at the time when personal data are obtained”, so it should be provided, at least for new processing activities, before the actual transfer.
The documents can be used to deal with all DSARs, not only the right of access to personal data. There is no need for different processes or procedures to be set in place.
Usually you would start the implementation effort as you would any other project, and you will find our article “9 steps for implementing GDPR” (https://advisera.com/articles/9-steps-for-implementing-gdpr/) quite helpful in pointing you in the right direction.
Drawing up a process map
Answer:
You can include sub-processes in your process map; for example, a very complex process can be split into two or more less complex processes, so it is recommended to identify the macro-processes first, then the processes and finally the sub-processes. Just make sure that your process map represents the sequence and interactions of your organization's processes simply and effectively. Also keep in mind that a process map should not be so complex that your employees cannot understand it.
If by “rejection periods” you refer to retention periods, the EU GDPR is not very concise on this topic and only states that personal data is not to be processed “longer than is necessary for the purposes for which the personal data are processed”. So, basically, it is the duty of every controller to establish these periods, also considering some of the mandatory retention periods established by Member States in certain areas.
Such mandatory retention periods can be found, for example, in labor law or tax law, and they may vary from country to country, so this needs to be checked on a case-by-case basis.
2. Is it mandatory to nominate the DPO? If not, what are the cases?
Is every past privacy policy signed by my customers now null, or do they have some kind of validity?
3. Is it necessary that every software we use logs every access to the DB and every action we do? (I ask this because we're using some software that definitely doesn't do that…)
4. Is there any documentation or guideline about the technical specifications of the software's database (I mean the software used that contains private data), like cryptography or others?
Answers:
1. The “project plan” is just a document to help you keep track of the documents that need to be drafted, published and implemented, as well as the responsible persons within the organization who need to take care of this. It is not mandatory to have, and it can be filled in later on, or you can choose not to use it at all.
2. The appointment of a DPO is mandatory under the EU GDPR only if:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or
- the core activities of the legal entity consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the legal entity consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
3. Not necessarily; it most likely will need to be updated to be consistent with the new EU GDPR requirements, such as the need to mention the retention period pursuant to your processing activities, and the new data subject rights such as the “right to data portability”. Article 13 of the EU GDPR – “Information to be provided where personal data are collected from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/), as well as Article 14 – “Information to be provided where personal data have not been obtained from the data subject” (https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/), list the information you need to put in your privacy notice/policy.
4. You would need to ensure some sort of tracking of the activities that are performed upon a personal database in order to ensure the “resilience of processing systems” as per EU GDPR Article 32 – Security of processing (https://advisera.com/eugdpracademy/gdpr/security-of-processing/). It is not necessary that all actions are logged, but some degree of logging would be required.
5. The EU GDPR does not require a specific set of technical and organizational measures but just requires them to be “appropriate”, and mentions “pseudonymisation and encryption” as examples of such security measures. So, it is up to you to establish the security measures which are suited, taking into account the personal data that is in your database as well as the purpose of the processing.