I own a sandwich bar and run an advert in my local newspaper that says I am giving a 25% discount off any orders. Consumers can get a voucher for this discount by texting the word “discount” to the advertised number and receive a text message by return that contains the voucher code. The text message they receive will include the standard “Optout reply STOP” statement. Two months later I want to send a text message to all 263 people who replied to the first advert to tell them that I now have another offer which is that when they buy their next order they can have a free drink!
I have one question… which of the following actions would be compliant with GDPR?
1. I cannot send them another text message until I receive their written consent to do so
2. I can send them another text BUT this must only contain a link to my privacy notice where they must provide consent.
3. I can send them another text message as long as I continue to include the “Optout reply STOP” statement
Answer:
1. The general rule is that you must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’. So, you may use the “soft opt-in” for your existing customers, and in this case you need to provide the customer with the possibility to opt out at any time. When I refer to existing customers I mean the customers that actually used the discount voucher. Your legal basis for processing would be legitimate interest.
2. You definitely need to provide the information in the privacy notice in both cases.
3. The possibility to opt out has to be provided whenever a message is sent to the data subject, especially when you don’t use consent as the lawful basis for processing and rely on legitimate interest instead.
As we are a reporting tool, the above PII is the only information we request from our customers and store this information in Salesforce (Salesforce is a data processor to us).
We are being requested to sign a Data Processor Agreement with our customers and believe we are more of a Data Controller in this instance. Could you clarify?
Answer:
My understanding is that you are providing reporting software to customers who are required to register with a username and email to start using the software. In this instance you are a controller, because you are determining what information is required from a customer to register.
I assume that the reporting software is addressed to companies rather than individuals. In this instance, if the companies that are your customers use the reporting software to process personal data of their individual customers, that would make you a processor when providing, for example, hosting and/or maintenance.
The fact that you don’t have records of consent basically means that you don’t have any consent. Legitimate interest could be used for marketing only if you can prove that how you use individual data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object. If the individuals that you want to send marketing to are already your customers, their details were collected in the context of a sale, and the individual was given the ability to opt out at that time, then you can use legitimate interests to send information about the goods and/or services you provide. If you can't rely on legitimate interest, you need to reach out to the data subjects to obtain their consent.
We are a raw material manufacturer, planning to supply the medical device industry. Are we required to comply with the software validation section within ISO 13485:2016, which seems to be talking about medical device manufacturers?
Answer:
Applicability of ISO 13485 to your business is questionable, depending on the raw material that you supply to the customer. Clause 1 (Scope) of ISO 13485 says that the standard is applicable to organizations that need to demonstrate the ability to provide medical devices and related services. It is limited to organizations that are involved in one or more stages of the product life-cycle, including design and development, production, storage, distribution, installation or servicing of medical devices. Supply of raw materials is not mentioned in the standard, so if you don't supply your customer with parts of the medical device but only with raw materials, the standard is hardly applicable to your business.
If you don't have an ISO 13485 certificate and are not planning to implement the standard, the requirements for software validation are not applicable to you. If you are planning to implement the standard, exclusion of all requirements for software validation will be impossible, because the standard allows exclusions from clauses 6, 7 and 8, but the first requirement for software validation is in clause 4.1.6.
In your case, it might be better to implement ISO 9001 instead of ISO 13485, since it is more widely applicable and you can also include all requirements of your customer in your Quality Management System regarding medical devices, but you will avoid many requirements of ISO 13485 that would be redundant and inapplicable for your type of business.
Asset inventory
Answer: The article presents enough information for you to build an asset inventory compliant with ISO 27001, but since ISO 27001 does not prescribe which details must be listed in the asset inventory, you should work with members of your organization to identify other information that can be useful, like asset category, its location, some notes, etc.
Both are requirements that the standard does not require to be documented, so it is simply a matter of complying with them.
As for infrastructure, this can include: buildings and associated utilities; equipment (including hardware and software); transportation; information and communication technology.
Infrastructure maintenance can be carried out through a planned preventive maintenance programme that is appropriate and proportionate to the operations performed and to the context of the organization, and to any requirement of the contingency plan in case of disruption. Business planning processes should determine changes and future needs for specific infrastructure.
As for clause 7.1.4, it includes having a suitable environment that results from the combination of physical and human factors, for example:
- social: non-discriminatory, calm, non-confrontational
- psychological: stress reduction, emotional protection
- physical: temperature, humidity, lighting
Your organization must establish, control and maintain its own environmental requirements.
In both cases, auditors will determine compliance with these clauses through interviews with top management and the owners of the relevant processes, and by collecting objective evidence.
In addition, the following material can provide you with more information about the new ISO 9001:2015:
- Free online ISO 9001:2015 Foundations course: https://advisera.com/es/formacion/curso-fundamentos-iso-9001/
- Book "Managing ISO Documentation: A Plain English Guide": https://advisera.com/books/gestion-de-documentacion-iso-una-guia-en-un-lenguaje-sencillo/
The risks and opportunities to be identified should be related to the effectiveness of the process, the QMS as a whole, and compliance with the requirements of the standard and the customers. You need to observe the HR department and all the processes that belong to it and determine what risks exist within this area. The most obvious risk regarding the HR department is failure to provide competent employees to other processes within the QMS; of course, depending on the context of the organization, this risk can be significant or not.
As for the methodology for the risk analysis, the simplest approach is to arrange a brainstorming session with the most relevant people in the HR department and talk about the risks, or you can use SWOT analysis.
Data Subject Consent Form
Answer:
The document is mandatory for those processing activities that are based on consent, for example marketing activities. If you rely on any other legal basis you don’t need it, but only need to provide the right information to the data subject via your Privacy Notices.
The policies you would find in section 8 of the EU GDPR toolkit are examples of organizational measures taken to protect the data. So, in a nutshell, the purpose of the IT Security Policy, as well as the whole array of policies in section 8, is to provide you with a set of documents which, if implemented correctly, will ensure that you have taken the appropriate measures to protect personal data.