
  • Definition of personal data

    The answer is not simple: a name and e-mail address alone are not in themselves personally identifiable information. A posteo.de account can be set up in a fairly anonymous manner, and if I am careful you can't use it to find me or my other persona. Collecting more information or correlating information to trace back to an individual (like birthdate or bank details) turns the data set into personally identifiable information.
    Selling or sharing the data with someone who can use big data to profile individuals would be a problem under GDPR unless you clearly told people that this is what you are doing with the data before they granted you access.
    Certain privacy nerds have always held information carefully, e.g. if I don't trust you then you get a spam mail address that is used for no one but you. I have roughly 15 myself and only use 3 for outgoing mail.
    #MaytheFourthbewithyou
  • Conditions for consent


    Answer:

    As regards consent, the EU GDPR in its Article 7 “Conditions for consent” (https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/) mentions that the consent should be presented in writing to the data subject. This does not mean that the consent must be a written paper form. You can choose to collect the consent on your web page by asking the data subject to perform an action such as ticking a box; this would serve to prove beyond any doubt that the data subject agreed to the processing activity. The consent must consist of a clear affirmative action. Inactivity or silence is not enough, and the use of “pre-ticked boxes” is not permitted.

    When getting the consent in an online environment you need to reasonably prove that the consent came from the respective data subject; thus you need to be able to identify the data subject and log (record) his/her affirmative actions on your website.

    You can find out more about consent from our webinar “How to handle consents under GDPR” https://advisera.com/eugdpracademy/webinar/how-to-handle-consents-under-gdpr-free-webinar-on-demand/
  • The employees' data


    Answer:

    In the case you are describing it seems you are a data controller as regards the data of the employees of your customers. So basically, you find yourself in the situation described in EU GDPR article 14 – “Information to be provided where personal data have not been obtained from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/

    In this case my opinion is that you need to provide the individuals with a privacy notice informing them about who you are and what you are doing with their data.

    On the other hand, since the employer would be the one sending the personal data to you, they will also need to provide a privacy notice of their own at their end, stating, among other things, that they will be sharing data with third parties such as yourself.

    To find out more about privacy notices check out our webinar “Privacy Notices Under the EU GDPR” https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/
  • Change Request Policy


    Answer:

    The policy you are referring to is not directly linked to the EU GDPR requirements; thus, such a document is not among the documents in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    However, such a document is closely linked to ISO 27001, and it can be found under the title “Change Management Policy” in our EU GDPR & ISO 27001 INTEGRATED DOCUMENTATION TOOLKIT https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/
  • Privacy Notice

    2. Provides an outline of governance for a Representative (Art 27), Provides the outline of governance for a DPO. (Art 37-39)

    Answers:

    1. I think what you are looking for is the Privacy Notice that needs to be delivered to the data subjects when the data is not obtained from him/her. This is a requirement of EU GDPR article 14 “Information to be provided where personal data have not been obtained from the data subject” https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/
    This can be achieved by using the “General Data Protection Notice” in folder 2 and adding another mention regarding the source from which the personal data was obtained.

    2. The EU GDPR in article 27 “Representatives of controllers or processors not established in the Union” https://advisera.com/eugdpracademy/gdpr/representatives-of-controllers-or-processors-not-established-in-the-union/ requires that under certain circumstances controllers need to appoint a representative in the EU. The administrative appointment itself is subject to the local jurisdiction of the place where the representative would be appointed, so this is why there is no such template in the toolkit. However, references to the representative can be found in the General Data Protection Policy in folder 2 of our EU GDPR toolkit.
    As regards the DPO, you can find a Data Protection Officer task description in folder 2 of the EU GDPR implementation toolkit. You can also learn more about the duties of a DPO from our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
  • Asset inventory


    Answer: The assets to be included in your asset inventory must be related to all processes included in your ISMS scope, so even if you have a single department responsible for physical and environmental security, you have to consider all rooms from all other processes that are included in your ISMS scope.

    This article will provide you further explanation about asset inventory:
    - How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

    These materials will also help you regarding asset inventory:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Template content

    so I can update that document accordingly, as we got an NC for this during an audit?

    Answer: Control A.18.2.3 (Technical compliance review) requires regular review of the organization's compliance with information security policies and standards, so this control can be covered by the Internal Audit procedure template. You should also consider reviewing the documents from the toolkit that you implemented which regulate technology issues (e.g., Policy on the Use of Cryptographic Controls), because responsibilities defined in them may cover some degree of compliance review.

    It is important to note that there is no need to create a new document to cover this control, rather it is much better if you cover this control with existing documents from the toolkit.
  • 7.1.6 Organizational knowledge

    Organizational knowledge refers to the knowledge the organization's employees need regarding the operation of its processes and for achieving conformity of its products and/or services.
    The standard does not require it to be documented; however, it is recommended that you determine how to keep the knowledge, and its scope, up to date.
    For more information, these materials may be useful to you:
    - Article “How to manage knowledge of the organization according to ISO 9001” (available in English): https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - Book “Preparing for the certification audit: a plain-language guide” (Preparación para la auditoría de certificación: una guía en un lenguaje sencillo): https://advisera.com/books/preparacion-para-la-auditoria-de-certificacion-iso-una-guia-en-un-lenguaje-sencillo/
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Eligibility of IATF certification

    @Guest user

    Hello, I want to know if a company producing raw material (polymers: granules) for an automotive customer is eligible for IATF standards. Thanks in advance.

    Answer:

    The raw material you produce is used in the production of the product of tire company ''n''; if it goes into the vehicle as an automotive part, your company is also in a position to obtain IATF certification.

    As an example, we can give the auto paint raw material manufacturer or the steel manufacturer.

    In both cases, these raw materials are used in the vehicle body to produce the car.

    But I should also point out that the company that extracts the ore to produce this steel cannot obtain IATF certification. Nor can companies that extract coal from coal mines receive IATF.

    In short, the position of the raw material company in the automotive supply chain is what matters here.

  • Certifying people in an ISO 27001 implementation


    Answer: No, there is no requirement in ISO 27001 that the people involved in the scope of the ISMS must be certified, although it is a requirement that people be trained in matters relating to information security. You can achieve this through a certification (for each person), but you can also achieve it with a simple course on basic principles of information security. This online course may be of interest to you: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/

    And also this one: “ISO 27001:2013 Internal Auditor Course”: https://advisera.com/training/iso-27001-internal-auditor-course/