Search results


  • DPO and Data Management

    2) In one trial, the CRO where I'm working is responsible for Data Management - so here it's clear to me that we are the data processor. But I have another trial where the DM is done by a third party, but we are checking the patients' data at the sites against the CRF data - does it mean that here we are also a data processor? It's not clear to me in this situation.
    3) Is there any situation where a CRO might have the status of joint data controller? Or is the CRO always the data processor, even if not responsible for the data management?

    Answers:

    The DPO contact details should be provided to the patient when the patient consents to the trial and is presented with the Privacy Notice. Don't forget that the EU GDPR requires that the consent be informed, so the consent form should always be paired with the Privacy Notice.

    In the General Data Protection Notice in the EU GDPR Documentation Toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated section where the DPO contact details need to be filled in.

    If the processing you do is based on the instructions of the DM, then you are a processor. If, however, you do the processing based on your own judgement, then you are a controller regardless of whether you receive the personal data from a third party.

    If the CRO decides the scope and means of processing together with another party, then we can assume that it is joint processing. Each situation needs to be assessed in order to establish the controller, processor, or joint controller status.

    You should not assume that you are either until you have assessed the particular situation.

    To learn more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • List of documents - ISO 20000


    Answer:
    The List of Documents in the ISO 20000 Documentation Toolkit contains a column with a reference to the particular clause in the standard. In this way you can easily identify which document relates to a particular clause of the standard (or vice versa). This is useful while implementing ISO 20000 as well as during the certification audit.
    The list of documents can be downloaded here: https://advisera.com/wp-content/uploads//sites/6/2015/07/List_of_documents_ISO_20000_Documentation_Toolkit_EN.pdf
  • GDPR - processor to controller


    Answer:

    EU GDPR article 28 – “Processor” https://advisera.com/eugdpracademy/gdpr/processor/ requires controllers to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Thus, it is the controller that needs to be sure that it uses processors that are complying with the EU GDPR requirements, not the other way around.

    In the EU GDPR Documentation Toolkit you can find in folder 7 a “Processor GDPR Compliance Questionnaire” which can be used as a benchmark in assessing a processor’s compliance with the EU GDPR. This document can be used also to further build up a methodology for auditing your most important processors.
  • Retention Policy


    Answer:

    The retention policy in the toolkit is meant to refer only to records containing personal data and is consistent with the requirements of EU GDPR article 5.1.(e) – “Principles relating to processing of personal data” https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/, namely that personal data cannot be kept for longer than is necessary for the purposes for which the personal data are processed.

    The retention periods in the Inventory of Processing Activities are consistent with the requirements of EU GDPR article 30 – “Records of processing activities” https://advisera.com/eugdpracademy/gdpr/records-of-processing-activities/. My suggestion is to have the information about retention periods in your Data Retention Policy (Annex - Data Retention Schedule), since this policy will most likely be available to all employees, as opposed to the Inventory of Processing Activities, which is usually handled by the DPO or the person responsible for data protection.
  • Data Breach Register


    Answer:

    EU GDPR requires controllers to report personal data breaches “without undue delay and, where feasible, not later than 72 hours after having become aware of it” to the Supervisory Authority if the breach is likely to result in a risk to the rights and freedoms of natural persons (Article 33 - Notification of a personal data breach to the supervisory authority https://advisera.com/eugdpracademy/gdpr/notification-of-a-personal-data-breach-to-the-supervisory-authority/).
    However, if a breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34 - Communication of a personal data breach to the data subject https://advisera.com/eugdpracademy/gdpr/communication-of-a-personal-data-breach-to-the-data-subject/).
    Controllers are not required to notify the data breach if the data breach is unlikely to result in a risk to the rights and freedoms of the data subjects.

    So, it is the controller that needs to assess the severity of the data breach and decide which action to take.

    To find out more about how to assess the severity of personal data breaches, you can consult our whitepaper “Assessing the severity of personal data breaches according to GDPR” https://info.advisera.com/eugdpracademy/free-download/assessing-the-severity-of-personal-data-breaches-according-to-gdpr
  • DPO Module 5: Basic Rules for DSAR


    Answer:

    The provisions of Article 12 of the GDPR offer the answer to your question. According to paragraph 3: “The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.” https://advisera.com/eugdpracademy/gdpr/transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject/

    You can find out more about DSARs from our webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/
  • Clause 7.4 on communication

    The organization must determine the internal and external communications relevant to the quality management system, including:
    a) what to communicate: information relevant to the QMS;
    b) when to communicate: the information must be communicated in a timely manner;
    c) with whom to communicate: whoever is needed to produce a result;
    d) how to communicate: which means of transmission is appropriate;
    e) who communicates: who has the responsibility for transmitting the information.
    The information that is relevant to the QMS and must be communicated is the following:
    - Information relevant to conformity with requirements.
    - Information related to the customer and their requirements.
    - Information about changes to requirements.
    - Information for decision-making.
    - Information for achieving objectives.
    - Information about risks and opportunities.
    Likewise, bear in mind that communication can be either internal or external (e.g. with suppliers), formal or informal, and communications can be mandatory or merely informative.
    For more information, these materials may be useful:
    - Article "Communication requirements according to ISO 9001:2015": https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
    - Book "Gestión de documentación ISO: una guía en un lenguaje sencillo": https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
  • Knowledge of the organization

    The term organizational knowledge refers to the knowledge that personnel within the organization need to possess for the operation of its processes and to achieve conformity of its products and/or services; it is not the knowledge they have about the organization itself. Although the standard does not require it to be documented, it is recommended to establish how the knowledge is kept up to date and what its scope is.
    These materials may be useful:
    - Article "How to manage knowledge of the organization according to ISO 9001" (available in English): https://advisera.com/9001academy/blog/2016/08/30/how-to-manage-knowledge-of-the-organization-according-to-the-iso9001/
    - Book "Preparación para la auditoria de certificación: una guía en un lenguaje sencillo": https://advisera.com/books/preparacion-para-la-auditoria-de-certificacion-iso-una-guia-en-un-lenguaje-sencillo/
    - ISO 9001:2015 Foundations Course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
  • Service Desk - RACI matrix


    Answer:
    The Service Desk's activities are (mainly) related to the Incident Management process. Incident Management has many activities in scope, so for all of those activities you can define a RACI. Additionally, the Service Desk is involved in the Request Fulfillment process, which is also full of activities that can be defined from a RACI point of view.

    Article "ITIL / ISO 20000 RACI matrix – How to use it to clarify responsibilities" https://advisera.com/20000academy/blog/2016/01/12/itil-iso-20000-raci-matrix-how-to-use-it-to-clarify-responsibilities/ can help you with RACI. Some other articles can help you to learn about Incident Management and Request Fulfillment activities:
    "ITIL Incident Management" https://advisera.com/20000academy/knowledgebase/itil/-incident-management/
    "ITIL Request Fulfillment: a quick win for customer satisfaction" https://advisera.com/20000academy/blog/2013/08/28/itil-request-fulfillment-quick-win-customer-satisfaction/
  • Auditing the audit function


    Answer:
    Yes, the internal audit function must be audited prior to certification. For example, does the organization keep records of the implementation of the audit program and its results? Does the organization keep records of the selection of auditors that show their ability to conduct audits in an objective and impartial manner?

    Do records of the audits carried out show treatment of nonconformities and timely development of effective corrective actions?

    The following material will provide you information about internal audits:

    - ISO 14001 – Internal Audits in the EMS: Five Main Steps - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/internal-audits-in-the-ems-five-main-steps/
    - Creating an ISO 14001 internal audit plan - https://advisera.com/14001academy/blog/2017/01/16/creating-an-iso-14001-internal-audit-plan/
    - free online training ISO 14001:2015 Foundations Course - https://advisera.com/training/iso-14001-internal-auditor-course/
    - book - THE ISO 14001:2015 COMPANION – A Straightforward Guide to Implementing an EMS in a Small Business - https://advisera.com/books/the-iso-14001-2015-companion/