Art 29: "anyone acting under his authority or under that of the data controller, who has access to personal data cannot process such data if it is not instructed to do so by the data controller"
Art 39: "personal training involved in the treatment and related control activities" In other words, is there a document that we can distribute to the staff in order to satisfy the previous points?
Does the Toolkit include templates that we can use for information treatment to be included on institutional and e-commerce sites?
Answer:
1. The training and awareness program is something each company should be creating by itself taking into account the business of the company as well as the processing activities and the relevant personnel which should be trained. So, this is why we did not include any training materials in the toolkit because we can`t know how det ailed the materials should be to satisfy your needs.
2. The information that you need to put o your e-commerce site is consistent with the information form the “General Data Protection Notice” in the Toolkit. Be aware that e-commerce is regulated by a different act Directive No. 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), so you should check your local transposition act in your local law.
Answer:
Implementing a QMS is a first step to establish standardized procedures for running several processes in an organization. For each process establish relevant performance indicators and monitor and evaluate performance regularly. I recommend using quality tools like control charts, Pareto diagrams and histograms to get the most information out of the data. When your organization decides to invest in improving performance it can use quality improvement tools and methods during the PDCA cycle.
The following material will provide you information about QMS improvement:
No es necesario que presente un documento de Continuidad de Negocio para demostrar la gestión de riesgos en su organización. Aunque un Plan de Continuidad de Negocio puede ayudarle a reconocer, mitigar y abordar los riesgos de su negocio, ISO 9001:2015 no menciona el Plan de Continuidad de Negocio en la norma.
Lo que ISO 9001:2015 realmente requiere de la organización es demostrar que efectivamente identifica sus riesgos y oportunidades, y que los considera en la planificación del SGC. Pero la norma no dice que sea necesario adoptar un enfoque formal sobre la gestión de riesgos, dejando que la organización decida sobre cómo identificar y gestionar los riesgos y oportunidades que tengan un impacto en el SGC y en los resultados que pretenden alcanzarse.
Además de la documentación requerida por ISO 9001:2015, depende de la organización determinar la documentación necesaria para la eficacia del SGC. Cualquier información documentada dentro del SGC necesita ser controlada, incluyendo no sólo la documentación que es obligatoria sino la que no es obligatoria. Si decide incluir esta análisis DODA como parte de una serie de minutas tendrá que controlar dichas minutas, ya que se considerará información documentada. En cuanto a la codificación de los documentos no se trata de algo obligatorio en la norma, por lo que es la organización la que debe decidir qué tipo de documentos van a ser codificados y cuáles no.
If you are established in a EU the Supervisory Authority is the one in the country of establishment. If you are not established in the EU then your Supervisory Authority is the one in which the relevant individuals whose data you are processing are based.
I can't say that I understood the example but here it how it should work : the Controller contracts a Processor to perform a certain processing activity and the Processor subcontract it or part of it to a Sub processor.
Basically for a Sub processor to become a Processor would mean that for the Sub processor to have a contract with the Controller.
GDPR compliance queries
1) What is the basis on which we can declare that we are GDPR compliant?
2) What is the method of self-declaration? Can we declare it on our website?
3) Are we supposed to communicate with DPA about the compliance?
Answers:
My advice would be to refrain yourself compliant with the GDPR. Is the same thing as declaring that you comply with the Tax Code or Criminal Code or any other piece of legislation. Another reason for not stating this is the fact that you might be challenging people to prove that you may have still some work to do.
And, last but not least don’t go proactively to a Supervisory Authority and state that you are compliant you may involuntarily trigger an audit.
Don't mistake GDPR with some kind of certification because it is not.
GDPR documents
• Right to be Forgotten
• Right to Amend
• Right to Stop Processing
• Right to Transfer
Answer:
We did not add all of the rights you mentioned because you should use the same procedure and process to deal with them, it doesn't make any difference if is a request for access or erasure in terms of processes but only the answer would be different.
Exactly, if you receive a DSAR you can should immediately inform the controller and forward all the necessary details. If the controller needs your assistance most likely will come back to you.
1. If an EU affiliate brings in a new hire and takes down their personal data, and it gets stored on my company’s global HR platform or on hard drives or serves in the US, is that a cross border transfer?
2. Does the fact that it is a US company holding the data make a difference? In other words, has the Commission decided that the US ensures an adequate level of protection?
3. And most importantly, what agreements or series of agreements should I have in place for a US company with EU affiliates?
Answers:
1. Yes it does, the fact that the HR platform is hosted in the US is consistent with a cross border transfer of personal data.
2. The EU Commissions has not issued a adequacy decision for the US. So, the answer would be no. However there is Privacy Shield which was developed by the EU and US provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. So if the US subsidiary is certified according to Privacy Shield the transfer is permitted.
3. You can chose to rely on Privacy Shield as a safeguard for the transfer or you can have a Intragroup Data Transfer Agreement based on Standard Contractual Clauses between the EU to and US entity.