  • Internal record of processing


    Answer:

    The “Inventory of Processing Activities” is mandatory if (a) the company has more than 250 employees; or (b) the processing the company carries out is likely to result in a risk to the rights and freedoms of data subjects; or (c) the processing is not occasional; or (d) the processing includes special categories of data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation); or (e) the processing includes personal data relating to criminal convictions and offences.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Quality tools in ITSM


    Answer:
    Tools used for quality control have similarities in how we (in ITSM) control the quality of delivered services.
    Some of the tools that are used to control quality in the development and delivery of IT services are:
    Testing - to ensure that users' requirements and (quality) expectations are met
    Fishbone (or Ishikawa) diagram - in e.g. problem resolution
    Trend analysis - reporting and trend monitoring is one of the ISO 20000 requirements
    Histograms - used to have a clear picture of services delivered over a longer period of time
    Cause and effect analysis - in incident, problem or change management

    To read more about Quality Management (applicable to IT service delivery), read the article How to use quality control tools to improve your QMS https://advisera.com/9001academy/blog/2017/04/18/how-to-use-quality-control-tools-to-improve-your-qms/
  • GDPR - specific protections for children


    Answer:

    The EU GDPR contains specific protections for children. You can only get consent from a child in relation to online services if it is authorized by a parent. A child is someone below the age of 16, though Member States can reduce this age to 13.

    The EU GDPR does not apply this restriction when obtaining consent from a child offline, but given the tight controls on consent, you may still wish to obtain parental authorization.

    You can find a draft parental consent form in our EU GDPR Documentation Toolkit here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Data subject access requests


    Answer:

    Yes, you are right: data subject access requests are to be handled by the controllers, which may ask their respective processors for information in order to be able to accurately respond to such a request.

    To learn more about data subject rights check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Legitimate interest for marketing emails


    Answer:

    The EU GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances.

    In terms of the purpose test, some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.

    If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls etc.), legitimate interests may not always be an appropriate basis for processing. This is because the e-privacy laws on electronic marketing – currently the Privacy and Electronic Communications Regulations (PECR) – require that individuals give their consent to some forms of electronic marketing.

    So, I would advise you, at least for direct marketing, to take a cautious approach and go with consent rather than legitimate interest.

    To learn more about consent check out our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
  • Employee Privacy Notice

    2. Do we need to state the legal entity of each country, i.e. one version for each country?
    3. Any example for “legal or business” purpose as mentioned in the template?
    4. Do we need any consent (via the Data Subject Consent Form) from our employees when we use their photos on the corporate website? We know consent is not needed for any personal data submitted for employment purposes, but since the website is generally used as a marketing tool, I would like to confirm the need for the employees’ consent.

    Answers:

    1. The privacy notice could be sent by email to all employees and also placed on the intranet page of the company. It is not necessary to get an acknowledgment, but only to make the notice available to the employees.
    2. You need to have an Employee Privacy Notice for each country if you have separate entities there. The content, however, could be similar if the HR processing activities are similar.
    3. I don't understand this question; can you please rephrase it? Usually, for HR the legal bases are contractual obligations and legitimate interest.
    4. Publishing an employee photo on the corporate website is not part of executing the labor agreement, so their consent would be needed.
  • Privacy policy for amazon and ebay

    1. You need to check eBay's and Amazon's privacy policies to see if they position themselves as processors or controllers. Most likely they will be controllers. Since you are a controller in your own right and you can decide on your own how to process the data of your customers, this makes you a controller as well, so you would need your own Privacy Notices.

    2. If you are only acting as a data processor and receive a request from the data subjects, you don't need to respond but should forward it to the respective controller. You can also inform the individual that you are not the controller and that the request was forwarded to the controller.

    To learn more about data subject rights check out our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Risks and store departments


    Answer:

    Risk is the effect of uncertainty on an expected result. That effect can be positive or negative: if positive, it is an opportunity; if negative, it is a risk. So, I would start by listing the expected results, objectives, and undesirable results for a department store.

    As objectives to be monitored, I can think of sales, complaints, sellouts, markups, markdowns, …

    What can help or hinder meeting those objectives?

    · Good or bad quality supplies;
    · Good or bad brands;
    · Good or bad designs;
    · More or less differentiation from other stores and e-commerce;
    · Good or bad economic mood.

    The following material will provide you information about the risk-based approach:

    - ISO 9001 – How to address risks and opportunities in ISO 9001 - https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
    - Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits - https://advisera.com/9001academy/knowledgebase/risk-based-thinking-replacing-preventive-action-in-iso-90012015-the-benefits/
    - ISO 9001:2015 Risk Management Toolkit - https://advisera.com/9001academy/iso-90012015-risk-management-toolkit/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Privacy Statement/Privacy Notice


    Answer:

    Yes, it is the same thing.
  • DPO v/s Data Protection Compliance Officer


    Answer:

    You must appoint a data protection officer if:
    - You are required to do so by national law. Some Member States are likely to make this mandatory, particularly where this obligation already exists in national law (e.g. Germany);
    - You are a public authority or body (other than a court);
    - Your core activities consist of regular and systematic monitoring of data subjects on a large scale; or
    - Your core activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).
    So, it is not necessarily related to the size of the company.

    To learn more about DPOs check out our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/