
  • GDPR related question about SPAM email


    Answer:

    What you are describing is commonly referred to as unsolicited marketing. The EU GDPR states that for marketing you need to obtain the consent of the data subject. Also, the ePrivacy Directive imposes additional constraints if you market by telephone, email or fax.

    For example, you can only send direct marketing to someone by email if:
    - they have given you consent; or
    - you have an existing relationship with them and fall within the so-called similar products and services exemption
    Unless one of the two criteria applies, I would suggest filing a complaint with your local Supervisory Authority.

    You can find out about how the EU GDPR will affect marketing by checking out our free webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Content of the medical device file


    Answer:

    The medical device file should contain the following information:
    - General description of the medical device, intended purpose and instructions for use (I think you've covered that)
    - specification for the product
    - specifications or procedures for manufacturing, packaging, storage, handling and distribution;
    - procedures for monitoring and measuring;
    - procedure for installation, if appropriate; and
    - procedure for servicing, if appropriate.

    For more information, see: How to meet ISO 13485:2016 requirements for medical device files https://advisera.com/13485academy/blog/2017/06/28/how-to-meet-iso-13485-requirements-for-medical-device-files/
  • IATF Certificate suspension


    I am trying to find out what is the process for IATF certification suspension for the corporate scheme.

    The situation is like this: one corporate scheme has a few manufacturing sites. What happens if the central functions are claimed by the customer as having issues? How are the manufacturing sites impacted, and where can I find this information? Can the certification body request a special audit at a manufacturing site even if the issue is strictly related to the central functions? The central functions have their own IATF certification audit. In the 5th Rules I was not able to find all these details.

    Answer:

    According to Rules for achieving and maintaining IATF recognition, the certification body can suspend the certificate if the certification body receives a performance complaint against the client from an IATF OEM member, its relevant IATF Oversight office, or any automotive customer of the client.

    The certification body must undertake immediate analysis of the situation to determine the severity of the situation and risk to the customers of the certified client, taking into account, where applicable, IATF OEM customer-specific requirements. This analysis shall be completed within a maximum of twenty (20) calendar days from the start date of the decertification process.

    Since the manufacturing sites are under the same certificate as the central office, they can also be subjected to additional audits.

    For more information, you can take a look at Rules for achieving and maintaining IATF recognition 5th edition, clause 8.0 CERTIFICATE DECERTIFICATION PROCESS
  • Appendix for Inventory of Processing Activities


    Answer:

    EU GDPR art. 30 “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/ states that you need to provide a “of data subjects and of the categories of personal data”, which suggests that a certain amount of granularity is required and that "sensitive" and "non-sensitive" would not be enough.
  • Information security and ISO 27001 topics

    I am a Logistics student at XXXX and I need to prepare an academic paper about ISO 27001 requested by the XXXX professor. However, I would like to know whether you could provide me with some material to help me with the following topics:

    Group 6 - ISO 27001 - Information technology
    Start with concepts and definitions of what "ISO 27001" is; when and where it originated; how companies go about pursuing ISO 27001; implementation costs; competition and market; certification (what the process is); what the requirements of the standard are; examples of companies that apply it; why this company adopted this standard; desired results/benefits; etc. Thank you in advance for your attention; I remain at your disposal.

    Answer: For some of the topics you asked about, I suggest these materials:
    - What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
    - ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
    - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    - ISO survey https://www.iso.org/the-iso-survey.html

    These materials will also help you regarding your questions:
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
    - How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
    - Applicability of ISO 27001 divided by industry https://info.advisera.com/27001academy/free-download/applicability-of-iso-27001
    - Checklist of mandatory documentation required by ISO 27001:2013 https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Mandatory documents as barriers in ISO 9001


    Answer:

    ISO 9001 is a general standard applicable to any organization. ISO 9001 per se has no mandatory document that is especially difficult to obtain. What ISO 9001 determines is that any mandatory requirement outside the ISO 9001 text is something any organization already has to comply with independently of the standard, due to regulations and legislation.

    The following material will provide you information about statutory and regulatory requirements:

    - ISO 9001 – How to include statutory and regulatory requirements in your QMS - https://advisera.com/9001academy/blog/2017/02/14/how-to-include-statutory-and-regulatory-requirements-in-your-qms/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • Determining environmental objectives


    Answer:

    When determining the environmental objectives for an organization you should start with the environmental policy. An environmental policy is not written out of thin air based on abstractions; it is a top management statement based on choices made after an environmental assessment. For example, a small service organization can have as significant environmental impacts things like: emissions that could affect local air quality and/or generate greenhouse gas emissions from employees' transportation to customer sites where they perform services; landfill occupation by the urban waste generated, …

    Now, consider that among all significant environmental impacts top management decided that emissions from transportation and recyclability are very important and included them as commitments to improve performance in the environmental policy. In that case, reducing air emissions by changing part of the fleet to electric cars or by using more public transportation can be a general objective. Increasing solid waste segregation and establishing targets for recyclability can be another general objective.

    The following material will provide you information about environmental objectives:

    - ISO 14001 – How to Use Good Environmental Objectives - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/how-to-use-good-environmental-objectives/
    - Ensuring that environmental objectives are aligned with the company’s strategic direction - https://advisera.com/14001academy/blog/2017/02/06/ensuring-that-environmental-objectives-are-aligned-with-the-companys-strategic-direction/
    - Environmental Objectives and Plans for Achieving Them - https://advisera.com/14001academy/documentation/environmental-objectives-targets-and-programs/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/
  • Incentives to collect opt-ins from user


    Answer:

    Based on the requirements of EU GDPR article 7 “Conditions for consent” (https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/), consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. You must also keep records so you can demonstrate that consent has been given by the relevant individual.

    Regarding the incentive part, the only way that works, in my view, is to offer “coupons” to those customers who have consented to marketing activities. Basically, since the coupons themselves can contain marketing, they can only go to customers who have consented to receive marketing.

    You can learn more about marketing consent from our webinar “How GDPR Affects Marketing Practices” https://advisera.com/eugdpracademy/webinar/how-gdpr-affects-marketing-practices-free-webinar-on-demand/
  • Specific consent

    Generally speaking, do we have to mention each third service provider by name in our privacy policy in order to be eligible to use these 3rd services?

    Answers:

    1. You don’t need to have the consent of your customers if you are using a third party as a processor. However, you need to mention in the Privacy Notice that you may use third parties that may have access to their personal data.
    2. The answer is no. You just need to specify the type of activity that the supplier is providing in generic terms.
  • Specification of Information System Requirements


    Answer: Unfortunately, we have to apologize for not having a video tutorial about this issue, but to help you fill in this document you can schedule a meeting with one of our experts (some sessions with our experts are included in the toolkit you bought). To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

    This article will provide you further explanation about defining system requirements:
    - How to set security requirements and test systems according to ISO 27001 https://advisera.com/27001academy/blog/2016/01/11/how-to-set-security-requirements-and-test-systems-according-to-iso-27001/

    2 - Is this document in reference to the applications that we develop or is this in reference to the tools we use to maintain and develop the applications? The question at hand is what does “Information Systems” reference? Is it the internal applications/tools used to produce our product? Is it the external applications that our clients use, that are developed by us? Could it be both?

    Answer: Let's start with the definition of Information systems. For ISO 27001, information systems are software, hardware, databases and any other asset used to store and/or process information.

    The purpose of this document is to document all requirements for new information systems, and for improvements of existing information systems, whether they are used internally or by customers.

    Considering that, this document is applicable both to systems your organization develops and to systems your organization acquires, whether for internal purposes only or to provide to external customers. Your organization can define the range of application in the ISMS scope statement.

    3 - With internal applications, we can specifically dictate access and security, as these systems are only for company use. With external applications, we lose control: while these have specific purposes, the end user dictates the use of these.

    If we do apply it to external applications, does it apply only to the process of ensuring that any work done by us is verified not to significantly affect the end user’s use, regardless of how they use it? For example, system XXXX is specifically built for XXXX, but we do know that we have at least one client that specifically caters to XXXX. The application is the same but the workflows are different.

    Answer: As mentioned in the previous answer, this document covers the system's requirements, i.e., what a system can do, what it cannot do, and how it must behave under specific conditions. Specifically for the applications you develop for third parties, the conditions to not significantly affect the end user’s use most probably will come from the end users.