Yes, but I mean that a company probably needs a set of internal employees (probably executive) involved as "verifiers" that the processes in every area will be "aligned" with GDPR; suppose that we do not have a DPO, the question is whether there exists some formal document (agreement, etc.) to formally instruct, for example, some head office for this specific job supporting the
"Data Protection Officer". Kind regards. Bruno
GDPR in school
Question: Does this school fall under the same guidelines as schools physically located in the EU?
Which brings up the issue of any other private schools in the US that an EU citizen might send their student to. Are we responsible for their data as well? Or does this responsibility fall on the EU Citizen?
Answer:
If the school is based in the US then the US regulations apply. So the EU GDPR is not relevant in this case. The Regulation will only apply to personal data about individuals in the Union; the nationality or habitual residence of those individuals is irrelevant.
All private schools in the US would need to comply with the US legislation in terms of privacy, and you as well. As mentioned above, the EU GDPR is only applicable if the processing activity is happening in the EU or if it targets individuals (not necessarily citizens) that are in the EU.
To get a better understanding of the extra territorial reach of the EU GDPR check out our article “EU GDPR: What is it, how does it work and why use it?” - https://advisera.com/eugdpracademy/what-is-eugdpr/
ISO 27001 certification scope
Regarding the same question of scope, I have received the following question:
> So, can I certify even a control, control objective and/or domain?
And my answer: Sorry, but I am not sure I have understood your question correctly; in any case, you cannot certify a control, a control objective and/or a domain. You can select to apply, or not apply, security controls in the Statement of Applicability, depending on the results of the risk analysis and treatment. That is, if you define a scope (based, for example, as I said in my previous message, on processes, services, areas, etc.), you have to identify the risks of this scope, and you have to treat those risks. For this treatment, you need security controls; therefore, basically, you have to implement the security controls necessary to treat the identified risks. This article may be interesting for you: "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/es/knowledgebase/la-logica-basica-de-iso-27001-como-funciona-la-seguridad-de-la-informacion/
You wrote about departments and ISO 9001 clauses. I recommend you try another approach. According to ISO 9001:2015 you should have used the process approach. So, you should have developed a map, a model of how your organization works as a set of interrelated processes. You can number each process as 01, 02, and so on.
When you look into two procedures you can ask: where are these two procedures most used? In process 2. Then, number one procedure as 2.1 and the other as 2.2. Then look into a work instruction and ask: this work instruction is most related to how to make something related with procedure 2.1. Then you can call it work instruction 2.1.1 (the first work instruction related with procedure 2.1).
For example, your organization has a process for buying materials. You can describe the process in one or more procedures like: 3.1-To order material; 3.2-To receive material. 3.1 is mostly about clause 8.4 and 3.2 is about clauses 8.4; 8.5.2; 8.5.3; 8.5.4; 8.6 and 8.7. Everything should be around the process approach.
The following material will provide you with information about the process approach and documentation numbering:
You most likely will be expected to have your documents in the local language, especially the documents which are front-facing for the data subjects, like the consent forms and privacy notices.
Also, in case of an audit from the Supervisory Authority they will ask for the documents in local language as well.
IT organization
Answer:
The small IT organization definitely acts as a processor, as you mentioned. As such they need to act only on the instructions of the data controllers and they need to be able to prove that any processing of personal data was done as instructed by the data controller or based on the contractual obligations set up in the contract between the controller and processor. Logs are definitely a way of keeping a tab on the activities done based on the instructions of the data controller, and they would also be useful as proof that the activities are actually happening.
Regarding the level of detail, this is something that you need to establish by yourself and is strictly related to the services that are provided.
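As an added example, not part of the original answer, the following Python sketch shows one way a processor could keep such logs: each record ties a processing action to the controller instruction it was performed under, records only the category of personal data touched (never the data itself), and the records are hash-chained so that any later alteration is detectable when the log is offered as evidence. The controller name, instruction references and sample entries are constructed for illustration and are not values from this page.

```python
"""Added example (not from the original Q&A): an append-only, hash-chained
processing log for a data processor. Every identifier below (controller name,
instruction references, timestamps) is a constructed sample value."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # chain anchor for the first record (assumed convention)


@dataclass(frozen=True)
class LogEntry:
    seq: int               # position in the log
    timestamp: str         # ISO 8601 string supplied by the caller
    controller: str        # which controller instructed the processing
    instruction_ref: str   # written instruction / contract clause reference
    action: str            # what was done, e.g. "nightly_backup", "erasure"
    data_category: str     # category of personal data touched, not the data
    prev_hash: str         # hash of the previous entry (tamper evidence)
    entry_hash: str = ""   # SHA-256 over all the fields above


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class ProcessingLog:
    """Append-only log: each entry commits to its predecessor via prev_hash."""

    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def append(self, timestamp: str, controller: str, instruction_ref: str,
               action: str, data_category: str) -> LogEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        body = {
            "seq": len(self.entries), "timestamp": timestamp,
            "controller": controller, "instruction_ref": instruction_ref,
            "action": action, "data_category": data_category, "prev_hash": prev,
        }
        entry = LogEntry(**body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = asdict(e)
            body.pop("entry_hash")
            if e.seq != i or e.prev_hash != prev or _digest(body) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def actions_for(self, instruction_ref: str) -> List[LogEntry]:
        """Evidence view for an audit: every action done under one instruction."""
        return [e for e in self.entries if e.instruction_ref == instruction_ref]


def build_demo_log() -> ProcessingLog:
    """Constructed sample: three actions under two made-up instruction references."""
    log = ProcessingLog()
    log.append("2018-06-01T02:00:00Z", "ExampleController Ltd", "DPA-2018-001 cl. 4.2",
               "nightly_backup", "customer master data")
    log.append("2018-06-01T09:15:00Z", "ExampleController Ltd", "TICKET-0042",
               "export_to_controller", "customer master data")
    log.append("2018-06-02T02:00:00Z", "ExampleController Ltd", "DPA-2018-001 cl. 4.2",
               "nightly_backup", "customer master data")
    return log


def tampered_demo_log() -> ProcessingLog:
    """Same log, but entry 1 is rewritten after the fact; verify() must flag it."""
    log = build_demo_log()
    e = log.entries[1]
    log.entries[1] = LogEntry(**{**asdict(e), "action": "erasure"})
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("intact chain:", log.verify() is None)
    print("under DPA clause:", len(log.actions_for("DPA-2018-001 cl. 4.2")))
    print("first bad entry after tampering:", tampered_demo_log().verify())
```

The hash chain only proves that the log was not edited after the fact; to show it was not truncated as well, the latest `entry_hash` would additionally need to be anchored somewhere the processor cannot silently change (for example, sent periodically to the controller).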
It will only be necessary to determine those interested parties that are relevant, that is, those that have an impact on the organization's ability to provide products or services that meet the needs and expectations of customers and other legal requirements.
Interested parties may include:
- Those towards which the organization has a legal or fiscal responsibility: company partners, subcontractors, government entities, etc.
- Those that have the power to influence the organization's activities: NGOs, shareholders, etc.
- Those that depend on the organization: suppliers, customers, etc.
- Other interest groups: neighbours, trade unions, etc.
This list needs to be studied carefully, selecting those that reflect needs that are mandatory and are included in laws, regulations or permits, and that affect the company directly or indirectly.
For more information see the article "How to determine interested parties according to ISO 14001:2015": https://advisera.com/14001academy/es/knowledgebase/como-determinar-las-partes-:interesadas-de-acuerdo-a-la-iso-140012015/
Other materials that may be useful are:
- ISO 14001:2015 Foundations Course: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Book on ISO 14001:2015 (only available in English): https://advisera.com/books/the-iso-14001-2015-companion/
- Online tool for ISO: https://advisera.com/conformio/
Creation of the GDPR privacy notice
• In section 1 of 02.3_Privacy_Notice_EN.docx, your comments state that I should include personal data categories. I cannot find much information about the definition of personal data categories. Is the following a good set of personal data categories?
Contact’s full name
Contact’s job title
Contact’s phone number
Contact’s email address
Registrant’s full name
Registrant’s gender
Registrant’s date of birth
Registrant’s examination venue
Registrant’s intended destination school
Registrant’s examination subject options
Registrant’s Special Education Needs (SEN) flag
Registrant’s current school
• In section 3 of 02.3_Privacy_Notice_EN.docx, your wording states ‘No third party providers have access to your data, unless specifically required by law’. Is the third party provider you mention the same as a third party processor? In the case of our company, we use a number of external processors to fulfill various aspects of our business (such as printers, online assessment providers etc.) and these processors receive some of the data subject’s personal data. Should my use of external processors be declared in this document? If my assumption is correct, what level of detail should I include? Do I need to state each company and what personal data is transferred to them?
Answer:
Personal data is defined in EU GDPR article 4 – “Definitions” (https://advisera.com/gdpr/definitions/): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” You can easily observe that the definition is very broad.
The examples you provided are consistent with the definition of personal data. To continue with some examples you can use the following taxonomy:
□ Personal master data (e.g. Name, surname, date of birth,)
□ Communication data (e.g. telephone, e-mail, address)
□ Contract master data (contractual relationship, product or contract interest)
□ Customer history
□ Contractual invoicing and payment data
□ Planning and control data.
□ Academic and professional data (training / qualifications, professional experience).
□ Employment details (work center, job position and department).
□ IP addresses
□ Transaction data (bank accounts, transaction history etc.)
2. Your assumption is right. Third parties refer to the suppliers to whom you may be transferring personal data. Here you can be quite broad; you can just refer to the categories of suppliers and you definitely don’t need to state the names of the suppliers.
You can use wording something like: “We may transfer personal data to third party service providers, such as our IT systems providers, our hosting providers, cloud service providers, database providers, consultants (including lawyers, tax accountants, labor consultants) and third parties who carry out pre-employment or pre-engagement checks on prospective employees and contractors, and other goods and services providers (such as food service providers) - each of these service providers has signed contracts to protect your personal information.”
- One to send regular updates on our activities to people who requested it once, either by opting-in on our website or sharing their contacts details during an event. It also contains people who registered to our events, but in that case, the fact that we would keep their details to update them on our activities was not explicit.
- A stakeholders mapping with details of people that we contact once in a while, on an ad-hoc basis (meetings, polls, etc.)
My questions are the following:
1. How to make these databases compliant with the GDPR?
2. In which conditions can we keep personal data such as name, email, position and organisation?
Answers:
1. For the first database it seems to me that your processing activity, namely sending emails to promote your activities, is based on the consent of the individuals. Where consent has been given under the Data Protection Directive, it will continue to be valid under the EU GDPR if it also meets the requirements of the Regulation. The EU GDPR requests that the consent is a freely given, specific, informed and unambiguous indication of the individual’s wishes (Article 7 – Conditions for consent - https://advisera.com/eugdpracademy/gdpr/conditions-for-consent/). Also, as a controller you must keep records so you can demonstrate that consent has been given by the relevant individual.
There are several consequences of the consent requirements under the EU GDPR:
- consent must be in an intelligible and accessible form in clear and plain language and in accordance with the Directive on unfair terms in consumer contracts.
- where the request for consent is part of a written form, it must be clearly distinguishable from other matters.
- consent must consist of a clear affirmative action. Inactivity or silence is not enough and the use of “pre-ticked boxes” is not permitted.
- if the relevant processing has multiple purposes, consent must be given for all of them.
- consent will not be valid if the individual does not have a genuine free choice or if there is a detriment if they refuse or withdraw consent.
- consent might not be valid if there is a clear imbalance of power between the individual and the controller, particularly where the controller is a public authority.
- you cannot “bundle consent”. Where different processing activities are taking place, consent is presumed not valid unless the individual can consent to them separately.
- consent is presumed not valid if it is a condition of performance of a contract.
- the individual can withdraw consent at any time and must be told of that right prior to giving consent. It should be as easy to withdraw consent as it is to give it.
Considering the above mentioned conditions you need to check your consents; if they match the requirements you are fine, if not you may need to reach out to the individuals to obtain a compliant consent.
Regarding your second database, if the individuals are members of your organization or stakeholders you can base your processing on legitimate interest and you can contact them for meetings, polls and similar activities. No consent is needed; you just need to provide them with a Privacy Notice as required by EU GDPR article 13 - Information to be provided where personal data are collected from the data subject https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
2. In order to process any personal data a controller such as your NGO must ensure the processing of personal data complies with all six of the following general principles:
1. Lawfulness, fairness and transparency - Personal data must be processed lawfully, fairly and in a transparent manner;
2. Purpose limitation - Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes);
3. Data minimization - Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed;
4. Accuracy - Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted;
5. Retention - Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes); and
6. Integrity and confidentiality - Personal data should be kept secure.
Besides respecting the principles set up above processing of personal data will only be lawful if it satisfies at least one of the following processing conditions:
a. Consent - The individual has given consent to the processing for one or more specific purposes.
b. Necessary for performance of a contract - The processing is necessary for the performance of a contract with the individual or in order to take steps at the request of the individual prior to entering into a contract;
c. Legal obligation - The processing is necessary for compliance with a legal obligation to which the controller is subject. Only legal obligations under Union or Member State law will satisfy this condition. However, that law need not be statutory (e.g. common law obligations are sufficient);
d. Vital interests - The processing is necessary in order to protect the vital interests of the individual or of another natural person. This is typically limited to processing needed for medical emergencies;
e. Public functions - The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Those functions must arise under Member State or EU law; or
f. Legitimate interests - The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.
ISO 27001 implementation
Answer: For the implementation of an ISMS compliant with ISO 27001, the leading ISO standard for information security management, you should consider these steps:
1) getting management buy-in for the project;
2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
3) development of risk assessment and treatment methodology;
4) perform risk assessment and define risk treatment plan;
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
6) people training and awareness;
7) controls operation;
8) performance monitoring and measurement;
9) perform internal audit;
10) perform management critical review; and
11) address nonconformities, corrective actions and opportunities for improvement.
Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.