
  • Risk Management and Business Continuity


    Answer:

    It is not necessary to present a Business Continuity document to demonstrate risk management in your organization. Although a Business Continuity Plan can help you recognize, mitigate and address the risks to your business, ISO 9001:2015 does not mention a Business Continuity Plan anywhere in the standard.

    What ISO 9001:2015 actually requires of the organization is to demonstrate that it effectively identifies its risks and opportunities and that it considers them when planning the QMS. But the standard does not say that a formal approach to risk management must be adopted, leaving it to the organization to decide how to identify and manage the risks and opportunities that have an impact on the QMS and on the results it intends to achieve.

    To learn more about how to address risks and opportunities, see How to address risks and opportunities in ISO 9001 (available in English):
    https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/

    These materials can help you with the implementation of ISO 9001:2015:

    - Book – Discover ISO 9001:2015 through practical examples (available in English): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - Conformio – Online compliance tool: https://advisera.com/conformio/
  • Document control and coding


    Answer:

    In addition to the documentation required by ISO 9001:2015, it is up to the organization to determine the documentation necessary for the effectiveness of the QMS. Any documented information within the QMS needs to be controlled, including not only the documentation that is mandatory but also the documentation that is not. If you decide to include this DODA analysis as part of a series of minutes, you will have to control those minutes, since they will be considered documented information. As for document coding, it is not mandatory under the standard, so it is the organization that must decide which types of documents will be coded and which will not.

    For more information on document and record control, see the article New approach to document and record control in ISO 9001:2015 (available in English): https://advisera.com/9001academy/blog/2015/06/30/new-approach-to-document-and-record-control-in-iso-90012015/#

    These materials can help you with the implementation of ISO 9001:2015:

    - Book - Discover ISO 9001:2015 through practical examples (available in English): https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
    - ISO 9001:2015 Foundations Course: https://advisera.com/training/iso-9001-foundations-course/
    - Conformio - Online compliance tool: https://advisera.com/conformio/
  • Supervisory authority


    Answer:

    If you are established in the EU, the Supervisory Authority is the one in the country of establishment. If you are not established in the EU, then your Supervisory Authority is the one in the country where the relevant individuals whose data you are processing are based.

    To learn more about the EU GDPR check out our free “EU GDPR Foundations Course” https://advisera.com/training/eu-gdpr-foundations-course//
  • Processor Sub Processor Agreement

    I can't say that I understood the example, but here is how it should work: the Controller contracts a Processor to perform a certain processing activity, and the Processor subcontracts it, or part of it, to a Sub-processor.

    Basically, for a Sub-processor to become a Processor would mean that the Sub-processor has a contract with the Controller.
  • GDPR compliance queries

    1) What is the basis on which we can declare that we are GDPR compliant?
    2) What is the method of self-declaration? Can we declare it on our website?
    3) Are we supposed to communicate with DPA about the compliance?

    Answers:

    My advice would be to refrain from declaring yourself compliant with the GDPR. It is the same thing as declaring that you comply with the Tax Code or Criminal Code or any other piece of legislation. Another reason for not stating this is the fact that you might be challenging people to prove that you may still have some work to do.

    And, last but not least, don't go proactively to a Supervisory Authority and state that you are compliant; you may involuntarily trigger an audit.

    Don't mistake GDPR with some kind of certification because it is not.
  • GDPR documents

    • Right to be Forgotten
    • Right to Amend
    • Right to Stop Processing
    • Right to Transfer

    Answer:

    We did not add all of the rights you mentioned because you should use the same procedure and process to deal with them; it doesn't make any difference in terms of process whether it is a request for access or for erasure, only the answer would be different.

    To find out more about DSARs check out our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
  • Data Subject Rights under the EU GDPR


    Answer:

    Exactly, if you receive a DSAR you should immediately inform the controller and forward all the necessary details. If the controller needs your assistance, they will most likely come back to you.

    To find out more about DSARs check out our webinar “Data Subject Rights under the EU GDPR” (https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/).
  • GDRP - Transfer to the US

    1. If an EU affiliate brings in a new hire and takes down their personal data, and it gets stored on my company's global HR platform or on hard drives or servers in the US, is that a cross-border transfer?
    2. Does the fact that it is a US company holding the data make a difference? In other words, has the Commission decided that the US ensures an adequate level of protection?
    3. And most importantly, what agreements or series of agreements should I have in place for a US company with EU affiliates?

    Answers:

    1. Yes, it does; the fact that the HR platform is hosted in the US is consistent with a cross-border transfer of personal data.
    2. The EU Commission has not issued an adequacy decision for the US. So, the answer would be no. However, there is Privacy Shield, which was developed by the EU and US to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. So if the US subsidiary is certified according to Privacy Shield, the transfer is permitted.
    3. You can choose to rely on Privacy Shield as a safeguard for the transfer, or you can have an Intragroup Data Transfer Agreement based on Standard Contractual Clauses between the EU and US entities.

    To find out more about cross-border data transfers check out our webinar "How to make personal data transfers to other countries compliant with GDPR" https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/
  • Data Breach Response and Notification Procedure

    Call lists & substitution - who would be on the call list? What does substitution mean in this context?
    Contact details - whose contact details are we recording?

    Answers:

    The "Call lists & substitution" refers to the telephone contacts and the replacements of the persons within the company who are tasked to handle data breaches. The same goes for the contact details.

    To learn more about data breaches check out our webinar “A How-to Guide for GDPR Data Breach Notifications” https://advisera.com/eugdpracademy/webinar/a-how-to-guide-for-gdpr-data-breach-notifications-free-webinar-on-demand/
  • GDPR privacy policy


    Answer:

    Hypothetically yes, especially if you sell your chat software to EU companies; this means you may be targeting data subjects in the Union.