Checking the identity of the data subject is one of the first steps when dealing with a DSAR, so waiting until the last day to confirm the identity of the requester in order to get the 30-day period “reset” would most likely be considered abusive. So my advice is to check the identity of the requester as soon as possible in the process. Please consult the “Data Subject Access Request Flowchart”, which is part of the “DATA SUBJECT ACCESS REQUEST PROCEDURE”, to see what a DSAR flow could look like.
As regards the form, it is not a compulsory requirement to use a specific template, although it is advisable to do so, as the requests would be handled much more easily and in a consistent way.
If you have just one website which collects data from users, you should list both controller entities with their registered addresses so that the users can know who the data controllers are. It is not absolutely necessary to mention the VAT number; the contact details should be enough.
This is up to you basically. Usually companies choose to notify their customers about changes in their T&C or relevant Policies, so this is more like a best practice than an obligation.
You just need to make sure that the Privacy Policy/Notice is easily available to all your customers.
If you are offering goods and services to individuals in the Union, then at least some GDPR requirements would be applicable to your company as well in terms of processing the data of your customers.
However, if you just provide a service to other travel companies, this means you are a processor and your responsibility will be limited to a certain extent.
The document you are looking for is the “Supplier Data Processing Agreement” (especially article 4, Reliability and Non-Disclosure), which can be found in folder 6 of the EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
It is up to the organization to decide whether the person responsible for the procedure is the president of the company or the quality manager. Usually the quality manager is responsible for directing the risk and opportunity assessment, while the organization's top management is responsible for creating the risk management committee and providing the resources needed to assess and manage the risks. Nevertheless, the procedure is not a mandatory document within the QMS.
It is important to note that the requirements in ISO 9001:2015 are to analyze the risks within your QMS and then decide what actions need to be taken. This doesn't even need to be maintained as documented information. If you already do this (analyze risks with FMEA analysis and take actions based on that analysis) as part of your business strategy, then you already meet the requirements of ISO 9001:2015 and this will be acceptable for your certification audit. Remember that you will also need to address the opportunities, and this cannot be done through an FMEA analysis, but you can conduct a simple brainstorming session with the relevant people of your organization.
To learn more about risks and opportunities in ISO 9001, see - Does ISO require a procedure for addressing risks and opportunities? https://advisera.com/9001academy/blog/2017/10/10/does-iso-9001-require-a-procedure-for-addressing-risks-and-opportunities/
If you want to find out more about FMEA risk assessment, see this article - Methodology for ISO 9001 risk analysis: https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
GDPR Compliance with Google
Answer:
There is nothing keeping you from storing personal data using Google Sheets or any other cloud storage solution. As far as Google is concerned, you should also check out their statement on GDPR: https://cloud.google.com/security/gdpr/
2. Can we leave the forms 4.1 & 4.2 as templates to be completed when needed? If not, can we use “for the purpose of carrying out business with Grazing and communication” as the specification of the purpose for the processing activity?
3. In the Personal Protection Policy, some of the roles specified don’t exist in our company organisation; should they be replaced? E.g. Procurement Manager, Marketing Manager, etc. Could these be replaced by “Administration Team”?
Answers:
1. The two forms you refer to are to be used only if your services are aimed at minors, thus the consent of the parents/legal guardians would be necessary. If you don't intend to sell to minors, the forms are not relevant to you.
2. The consent forms are to be used only if you base your processing activities on consent. In your case, most likely you will process the personal data of individuals placing orders based on “contractual necessity”, since you need to know the contact details of the individual to deliver the order to them.
3. The roles in the “Personal Data Protection Policy” are to be used just as examples and they can be replaced by any relevant roles in your company that deal with a specific topic.