Answer:
The implementation of the requirements for controlling counterfeit parts are greatly dependant on the company involved and the product it produces. In clause 8.1.4 the requirement is just to can a process in place to prevent the use of counterfeit parts. This process can include many things from only buying parts form original equipment manufacturers and approved distributors, to performing tests to validate that the product received is actually the product requested. This all come down to what is required for the product in question, and to some extent the risk of actually getting the wrong parts that can cause a problem in the end products.
For more information see this article on the special aerospace terms in AS9100: https://advisera.com/9100academy/blog/2017/05/01/five-special-aerospace-terms-in-as9100-rev-d/
Personal data visibility
Yes, but I mean that a company probably needs a set of internal employees (probably executive) involved as "verifiers" that the processes in every area will be "aligned" with GDPR; suppose that we not have a DPO, the question is if exists some formal document (agreement, ecc.) for formally instruct , for example some head office for this specific job supporting the
"Data Protection Officer". Kind regards. Bruno
GDPR in school
Question: Does this school fall under the same guidelines as schools physically located in the EU?
Which brings up the issue of any other private schools in the US that an EU citizen might send their student to. Are we responsible for their data as well? Or does this responsibility fall on the EU Citizen?
Answer:
If the school is based in the US then the US regulations apply. So the EU GDPR is not relevant in this case. The Regulation will only apply to personal data about individuals in the Union the nationality or habitual residence of those individuals is irrelevant.
All private schools in the US would need to comply with the US legislation in terms of privacy and you as well. As mentioned above the EU GDPR is only applicable if the processing activity is happening in the EU or if it targets individuals (n ot necessary citizens) that are in the EU.
To get a better understanding of the extra territorial reach of the EU GDPR check out our article “EU GDPR: What is it, how does it work and why use it?” - https://advisera.com/eugdpracademy/what-is-eugdpr/
Alcance certificación ISO 27001
En relación a la misma cuestión del alcance, he recibido la siguiente pregunta:
> Entonces ¿puedo certificar incluso un control, objetivo de contro y/o dominio?
Y mi respuesta: Disculpa, pero no se si he entendido bien tu pregunta, en cualquier caso, no puedes certificar un control un objetivo de control y/o un dominio. Puedes seleccionar aplicar, o no aplicar, controles de seguridad en la Declaración de Aplicabilidad, dependiendo de los resultados del análisis y tratamiento de riesgos. Es decir, si defines un alcance (basado, por ejemplo, como dije en mi mensaje previo, en procesos, servicios, áreas, etc), tienes que identificar los riesgos de este alcance, y tienes que tratar estos riesgos. Para este tratamiento, necesitas controles de seguridad, por tanto, basicamente, tienes que implementar los controles de seguridad necesarios para tratar los riesgos identificados. Este artículo puede ser interesante para ti “La lógica básica de ISO 27001: ¿cómo funciona la seguridad de la información?” : https://advisera.com/27001academy/es/knowledgebase/la-logica-basica-de-iso-27001-como-funciona-la-seguridad-de-la-informacion/
You wrote about departments and ISO 9001 clauses. I recommend you try another approach. According to ISO 9001:2015 you should have used the process approach. So, you should have developed a map, a model of how your organization works as a set of interrelated processes. You can number each process as 01, 02, and so on.
When you look into two procedures you can ask: where are these two procedures most used? In process 2. Then, number the procedures as 2.1 and the other as 2.2. Then look into a work instruction and ask: this work instruction is most related to how to make something related wit h procedure 2.1. Then you can call it work instruction 2.1.1 (the first work instruction related with procedure 2.1)
For example, your organization has a process for buying materials. You can describe the process in one or more procedures like: 3.1-To order material; 3.2-To receive material. 3.1 is mostly about clause 8.4 and 3.2 is about clauses 8.4; 8.5.2; 8.5.3; 8.5.4; 8.6 and 8.7. Everything should be around the process approach.
The following material will provide you information about the process approach and documentation numbering:
You most likely will be expected to have your documents in local language especially the documents which are front facing the data subjects like the consent forms and privacy notices.
Also, in case of an audit from the Supervisory Authority they will ask for the documents in local language as well.
IT organization
Answer:
The small IT organization definitely acts as a processor as you mentioned. As such they need to act only on the instructions of the data controllers an they need to be able to prove that any processing pf personal data was done as instructed by the data controller or based on the contractual obligations set up in the contract between the controller and processor. Logs are definitely a way of keeping a tab on the activities done based on the instructions of the data controller and they would also be useful as proof that the activities are actually happening.
Regarding the level of details this is something that you need to establish by yourself and is strictly related to the services that are provided.
Sólo será necesario determinar aquellas partes interesadas que sean relevantes, es decir, aquellas que tengan un impacto sobre la capacidad de la organización para proporcionar productos o servicios que cumplan con las necesidades y expectativas de los clientes y otros requisitos legales.
Las partes interesadas pueden incluir:
- Aquellas con las que la organización tiene una responsabilidad legal o fiscal: socios de la empresa, subcontratas, entidades gubernamentales, etc.
- Aquellas que tienen el poder de influencia sobre las actividades de la organización: ONGs, accionistas, etc.
- Las que dependen de la organización: proveedores, clientes, etc.
- Otros grupos de interés: vecinos, grupos sindicales, etc.
Es necesario estudiar cuidadosamente este listado, seleccionando aquellas que reflejan necesidades que son obligatorias y que se enc uentran incluidas en leyes, reglamentos o permisos, y que afectan a la empresa de forma directa o indirecta.
Para más información vea el artículo "Cómo determinar las partes interesadas de acuerdo a la ISO 14001:2015": https://advisera.com/14001academy/es/knowledgebase/como-determinar-las-partes-:interesadas-de-acuerdo-a-la-iso-140012015/
Otros materiales que pueden ser de utilidad son:
- Curso Fundamento de ISO 14001:2015: https://advisera.com/training/es/course/curso-fundamentos-iso-14001/
- Libro sobre ISO 14001:2015 (sólo disponible en inglés): https://advisera.com/books/the-iso-14001-2015-companion/
- Herramienta en línea para ISO: https://advisera.com/conformio/
Creation of the GDPR privacy notice
• In section 1 of 02.3_Privacy_Notice_EN.docx, your comments state that I should include personal data categories. I cannot find much information about the definition of personal data categories. Is the following a good set of personal data categories?
Contact’s full name
Contact’s job title
Contact’s phone number
Contact’s email address
Registrant’s full name
Registrant’s gender
Registrant’s date of birth
Registrant’s examination venue
Registrant’s intended destination school
Registrant’s examination subject options
Registrant’s Special Education Needs (SEN) flag
Registrant’s current school
• In section 3 of 02.3_Privacy_Notice_EN.docx, your wording states ‘No third party providers have access to your data, unless specifically required by law’. Is the third party provider you mention the same as a third party processor? In the case of our company, we use a number of external processors to fulfill variou s aspects of our business (such as printers, online assessment providers etc) and these processors receive some of the data subject’s personal data. Should my use of external processors get declared in this document? If my assumption is correct, what level of detail should I include? Do I need to state each company and what personal data is transferred to them?
Answer:
Personal data is defined in EU GDPR article 4 – “ Definitions“ https://advisera.com/gdpr/definitions/ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;. You can easily observe that the definition is very broad.
The examples you provided are consistent with the definition of personal data. To continue with some examples you can use the following taxonomy:
□ Personal master data (e.g. Name, surname, date of birth,)
□ Communication data (e.g. telephone, e-mail, address)
□ Contract master data (contractual relationship, product or contract interest)
□ Customer history
□ Contractual invoicing and payment data
□ Planning and control data.
□ Academic and professional data (training / qualifications, professional experience).
□ Employment details (work center, job position and department).
□ IP addresses
□ Transaction data (bank accounts, transaction history etc.)
2. Your assumption is right. Third parties refer to the suppliers to whom you may be transferring personal data to. Here you can be quite broad you can just refer to the categories of suppliers and you definitely don’t need to state the names of the suppliers.
You can use a wording something like :” We may transfer personal data to third party service providers, such as our IT systems providers, our hosting providers cloud service providers, database providers, consultants (including lawyers tax accountants, labor consultants) and third parties who carry out pre-employment or pre-engagement checks on prospective employees and contractors and other goods and services providers (such as food service providers) - each of these service providers has signed contracts to protect your personal information.”