Search results

Home / Search

Category:
Select
Select

11272 results

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Consent and Privacy notice

    1. “as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual”: what does this mean exactly? A copy of the request by email for example, or of the completed subscription form?
    2. Second database (stakeholders mapping): “No consent is needed, you just need to provide them with a Privacy Notice”: does this mean that as soon as we gather professional data from an individual, this person has to be aware of it?
    3. Second database (stakeholders mapping): the processing doesn’t seem to respect the conditions you list at the very end, as there is no consent (and, if I understood correctly, no need for it). Can we understand “legitimate interests” as the necessary actions taken by an organisation to conduct its activities? If that is not the case, is it really possible to make a stakeholders mapping compliant with the GDPR?

    Answers:

    1. It can be the ones you mentioned, it could be the activity logs if the consent was given in the online environment. There are various types of records you can keep and these are closely linked with the channels you use to collect the consent from the data subjects.

    2. If you are collecting the information directly from the data subject you need to provide the Privacy Notice when you collect the data. However, if you obtain the personal data from a third party ( EU GDPR art. 14 – “Information to be provided where personal data have not been obtained from the data subject” - https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-have-not-been-obtained-from-the-data-subject/) you need to provide the Privacy Notice based on the following timeline:

    - within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
    - if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
    - if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

    You can find valuable information about Privacy Notices form our webinar “Privacy Notices Under the EU GDPR” - https://advisera.com/eugdpracademy/webinar/privacy-notices-under-the-eu-gdpr-free-webinar-on-demand/

    2. If you want to rely on “legitimate interest” you would need to perform a Legitimate Interest Assessment which is a basic assessment of the processing activity against the rights and freedoms of the data subjects concerned.
    Usually a Legitimate Interest Assessment is structures into three areas:
    - Purpose test: are you pursuing a legitimate interest?
    - Necessity test: is the processing necessary for that purpose?
    - Balancing test: do the individual’s interests override the legitimate interest?

    The Information Commissioner Office issued some guidance on legitimate interest - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

  • Study references


    Answer: For study references about ISO 27001 I suggest you to take a look at the following material:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
    - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
    - ISO 27001: An overview of the ISMS implementation process [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/

  • AS9100 Counterfeit parts


    Answer:
    The implementation of the requirements for controlling counterfeit parts are greatly dependant on the company involved and the product it produces. In clause 8.1.4 the requirement is just to can a process in place to prevent the use of counterfeit parts. This process can include many things from only buying parts form original equipment manufacturers and approved distributors, to performing tests to validate that the product received is actually the product requested. This all come down to what is required for the product in question, and to some extent the risk of actually getting the wrong parts that can cause a problem in the end products.
    For more information see this article on the special aerospace terms in AS9100: https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/

  • Personal data visibility

    Yes, but I mean that a company probably needs a set of internal employees (probably executive) involved as "verifiers" that the processes in every area will be "aligned" with GDPR; suppose that we not have a DPO, the question is if exists some formal document (agreement, ecc.) for formally instruct , for example some head office for this specific job supporting the
    "Data Protection Officer". Kind regards. Bruno

  • GDPR in school

    Question: Does this school fall under the same guidelines as schools physically located in the EU?
    Which brings up the issue of any other private schools in the US that an EU citizen might send their student to. Are we responsible for their data as well? Or does this responsibility fall on the EU Citizen?

    Answer:

    If the school is based in the US then the US regulations apply. So the EU GDPR is not relevant in this case. The Regulation will only apply to personal data about individuals in the Union the nationality or habitual residence of those individuals is irrelevant.

    All private schools in the US would need to comply with the US legislation in terms of privacy and you as well. As mentioned above the EU GDPR is only applicable if the processing activity is happening in the EU or if it targets individuals (n ot necessary citizens) that are in the EU.

    To get a better understanding of the extra territorial reach of the EU GDPR check out our article “EU GDPR: What is it, how does it work and why use it?” - https://advisera.com/eugdpracademy/what-is-eugdpr/

  • Alcance certificación ISO 27001

    En relación a la misma cuestión del alcance, he recibido la siguiente pregunta:

    > Entonces ¿puedo certificar incluso un control, objetivo de contro y/o dominio?

    Y mi respuesta: Disculpa, pero no se si he entendido bien tu pregunta, en cualquier caso, no puedes certificar un control un objetivo de control y/o un dominio. Puedes seleccionar aplicar, o no aplicar, controles de seguridad en la Declaración de Aplicabilidad, dependiendo de los resultados del análisis y tratamiento de riesgos. Es decir, si defines un alcance (basado, por ejemplo, como dije en mi mensaje previo, en procesos, servicios, áreas, etc), tienes que identificar los riesgos de este alcance, y tienes que tratar estos riesgos. Para este tratamiento, necesitas controles de seguridad, por tanto, basicamente, tienes que implementar los controles de seguridad necesarios para tratar los riesgos identificados. Este artículo puede ser interesante para ti “La lógica básica de ISO 27001: ¿cómo funciona la seguridad de la información?” : https://advisera.com/27001academy/es/knowledgebase/la-logica-basica-de-iso-27001-como-funciona-la-seguridad-de-la-informacion/

    Y también este otro “La importancia de la Declaración de aplicabilidad para la norma ISO 27001” : https://advisera.com/27001academy/es/knowledgebase/la-importancia-de-la-declaracion-de-aplicabilidad-para-la-norma-iso-27001/

  • Documentation and the process approach


    Answer:

    You wrote about departments and ISO 9001 clauses. I recommend you try another approach. According to ISO 9001:2015 you should have used the process approach. So, you should have developed a map, a model of how your organization works as a set of interrelated processes. You can number each process as 01, 02, and so on.

    When you look into two procedures you can ask: where are these two procedures most used? In process 2. Then, number the procedures as 2.1 and the other as 2.2. Then look into a work instruction and ask: this work instruction is most related to how to make something related wit h procedure 2.1. Then you can call it work instruction 2.1.1 (the first work instruction related with procedure 2.1)

    For example, your organization has a process for buying materials. You can describe the process in one or more procedures like: 3.1-To order material; 3.2-To receive material. 3.1 is mostly about clause 8.4 and 3.2 is about clauses 8.4; 8.5.2; 8.5.3; 8.5.4; 8.6 and 8.7. Everything should be around the process approach.

    The following material will provide you information about the process approach and documentation numbering:

    - ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
    - How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
    - free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

  • Local language


    Answer:

    You most likely will be expected to have your documents in local language especially the documents which are front facing the data subjects like the consent forms and privacy notices.

    Also, in case of an audit from the Supervisory Authority they will ask for the documents in local language as well.

  • IT organization


    Answer:

    The small IT organization definitely acts as a processor as you mentioned. As such they need to act only on the instructions of the data controllers an they need to be able to prove that any processing pf personal data was done as instructed by the data controller or based on the contractual obligations set up in the contract between the controller and processor. Logs are definitely a way of keeping a tab on the activities done based on the instructions of the data controller and they would also be useful as proof that the activities are actually happening.

    Regarding the level of details this is something that you need to establish by yourself and is strictly related to the services that are provided.

    To find out more about controllers and processors you can check out our article “EU GDPR controller vs. processor – What are the differences?” - https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/

  • Partes interesadas y su influencia en el SGA

    Sólo será necesario determinar aquellas partes interesadas que sean relevantes, es decir, aquellas que tengan un impacto sobre la capacidad de la organización para proporcionar productos o servicios que cumplan con las necesidades y expectativas de los clientes y otros requisitos legales.
    Las partes interesadas pueden incluir:
    - Aquellas con las que la organización tiene una responsabilidad legal o fiscal: socios de la empresa, subcontratas, entidades gubernamentales, etc.
    - Aquellas que tienen el poder de influencia sobre las actividades de la organización: ONGs, accionistas, etc.
    - Las que dependen de la organización: proveedores, clientes, etc.
    - Otros grupos de interés: vecinos, grupos sindicales, etc.
    Es necesario estudiar cuidadosamente este listado, seleccionando aquellas que reflejan necesidades que son obligatorias y que se enc uentran incluidas en leyes, reglamentos o permisos, y que afectan a la empresa de forma directa o indirecta.
    Para más información vea el artículo "Cómo determinar las partes interesadas de acuerdo a la ISO 14001:2015": https://advisera.com/14001academy/es/knowledgebase/como-determinar-las-partes-:interesadas-de-acuerdo-a-la-iso-140012015/
    Otros materiales que pueden ser de utilidad son:
    - Curso Fundamento de ISO 14001:2015: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
    - Libro sobre ISO 14001:2015 (sólo disponible en inglés): https://advisera.com/books/the-iso-14001-2015-companion/
    - Herramienta en línea para ISO: https://advisera.com/conformio/
Page 769-vs-13485 of 1128 pages

Didn’t find an answer?

Start a new topic and get direct answers from the Expert Advice Community.

CREATE NEW TOPIC +