I’m assuming that by management of assets you mean the process of developing, operating, maintaining, upgrading, and disposing of assets in the most cost-effective manner.
Considering that, please note that according to ISO 27001 it is not mandatory to document an asset management procedure.
Only rules applicable to users regarding the use of assets need to be documented, when control A.8.1.3 - Acceptable use of assets - is stated as applicable in the Statement of Applicability. The template which covers control A.8.1.3 is the IT Security Policy, which can be found in the folder 08 Annex A Security Controls >> A.8 Asset Management.
To see an example of an asset management process according to ISO 20000, which is not mandatory for ISO 27001, please see:
- Asset Management Process (ISO 20000) https://advisera.com/20000academy/documentation/asset-management-process/
For further information, see:
- Asset management according to ISO 27001: How to handle an asset register / asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
There is no specific period of time that is required; however, the laboratory must have sufficient data and information available for assessment. This is needed to provide evidence of effective implementation, monitoring, and improvement. It will therefore depend on how much management, testing or calibration data is available as evidence, say after three months. This is a typical period for most laboratories.
You need to have monitored all the activities that are inputs for management review and completed at least one management review. This need not be on a fully implemented system for all activities, for example you may not yet have enough customer feedback. What is important is that you would have a process in place which is being followed and that actions are being taken to provide evidence.
On the technical side, participation in external proficiency testing / interlaboratory comparison is often the activity that delays the process. You need evidence of participating in at least one round for each test you are being accredited for, and you have to have evaluated the laboratory’s performance and taken corrective action if required. Other examples are that there must be sufficient data on maintenance of equipment, and trends for method quality control.
For more information, have a look at the available free webinar – What are the steps in the ISO 17025 accreditation process? – at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar
1. Is it correct if I mention in DPIA two data collection reasons for the CCTV: facility intrusion detection and labor discipline?
Mentioning those two data collection requests is correct, but this is not going to be enough. The DPIA must review all the risks to the freedoms and rights of the data subject, per article 35 GDPR - Data protection impact assessment, and it must address each risk with relevant technical and organizational measures in order to address all of them. In the case of the CCTV system, labor discipline can be seen as intrusive in many EU countries. Individuals have the right to private life even if they are at the job, per article 8 in the European Convention of Human Rights - Right to respect for private and family life, home, and correspondence. Facility intrusion detection can be a suitable purpose for processing personal data; however, certain measures need to be implemented in order to respect the freedoms and rights of data subjects, such as limited CCTV coverage (entrance, corridors, etc.), limited access to the CCTV feed, deletion timeframes, legitimate interest assessments / Data Protection Impact Assessments, prior employee consultation, prior employee notification and so on. In many countries, 24/7 CCTV systems were found to be intrusive to the private lives of employees. In Germany, a Data Protection Authority issued a 10.4 million EUR GDPR fine for a retailer that installed a 24/7 CCTV system, even if the purpose was just theft prevention / location security.
Please also consult these links:
2. What is the size of the CCTV sign inside the office and outside premises should be?
You need to make sure that the sign is big enough to be seen and that the information present on the sign is sufficient. Per article 13 GDPR - Information to be provided where personal data are collected from the data subject – a data subject must be notified regarding the processing of personal data. Namely, the data subject must understand who the data controller is, what personal data categories are being processed, with what purpose and legal ground, whom the data is being shared with and why, data exports outside the European Economic Area, for how long the data is being stored, and what rights the data subject has and how they can be exercised. Thus, all measures need to be taken in order to make sure that the data subject is being informed. Some best practices include multi-layered privacy notices, such as CCTV signs containing some basic information about the data controller (or joint data controllers), storage timelines, purposes, etc., and a QR code and/or a link to the full privacy notice where everything is detailed (including how the data subject can exercise the rights to access/rectification/deletion/restriction/export of personal data, and how he/she can object to the processing if it is based on legitimate interest).
Please also consult these links:
3. There is CCTV in the office with no automated processing. Sometimes there are kids visiting the office. Do I need to mention about the kids' data in recordings?
The privacy notice should be generic, but it must detail ways in which data subjects can exercise their rights. The issue with kids visiting the office is not about mentioning their data in the recordings but making sure that the kids understand how their personal data is being processed. Article 12 GDPR clearly states that: “The controller shall take appropriate measures to provide any information referred to in Articles 13 […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”. Consider that children might not know how to read so you might choose to inform them in a different way (animations, videos, audio information, etc), making sure they understand how their personal data is being processed.
I recommend performing a thorough DPIA in order to see whether this processing is not too intrusive. At ADVISERA we have a full EU GDPR Premium Toolkit that also contains a DPIA methodology and privacy notice templates that you can use.
Please also consult these links:
“Implications of not conforming with QMS requirements”
means that personnel must be aware of the consequence of deviating from standard procedures and processes. This starts with having an understanding of the processes they are involved with, and the associated quality risks. This involves understanding the reason certain standard procedures are in place, and why the laboratory has adopted their quality policies and set specific quality objectives. Personnel will then understand the identified risks and risk treatments (controls to reduce the risk) that are in place, and that deviating from procedures and authorisations is a nonconformance. This results in a possible undesired outcome to quality. The implication is a nonconforming event that needs resources to investigate, where corrective actions could be costly. Work may need to be repeated, which could result in loss of reputation, customer confidence or income.
The right to access is a fundamental right of the data subject. As stated in Article 15 GDPR - Right of access by the data subject – paragraph 3: “The controller shall provide a copy of the personal data undergoing processing”. However, paragraph 4 states that “The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others”. So you should redact out personal data of other data subjects (including usernames, pseudonyms, etc), intellectual-property protected data, and confidential data (including customer names, customer financial info, discounts, financial offerings, invoices, contracts, etc).
Advisera’s EU GDPR Premium Toolkit might help you in this endeavor because, as part of the toolkit, we have a template for a Data Subject Access Request Procedure as well as templates for disclosure forms.
Please visit these links for more details:
It can fit in the Design and development process, but also in the verification of supplied products.
A single registration number is a number that each business entity has to get from the EUDAMED or local competent authority. A single registration number has to be requested for a manufacturer, importer, and EU representative. Distributors do not need to be registered in the EUDAMED. It is covered in Article 31 of the MDR 2017/745.
For more information, see:
Considering the codes, there are specified codes for medical devices. The MDR has a code that is called the European medical device nomenclature, covered in Article 26 of the MDR. You can find more details regarding this nomenclature at the following link:
European Medical Device Nomenclature (EMDN) https://webgate.ec.europa.eu/dyna2/emdn/A
This will depend on the date you want to be certified. In case you want to be certified before March 2023, go with the 2013 revision; after March 2023, go with the 2022 revision.
Please note that after the release of the new version of ISO 27001, any required changes will have a transition period to be implemented (in general this transition period is two years after a change in a management system standard is released, which is plenty of time to do this transition for most controls).
For further information, see:
- 11 most important facts about changes in ISO 27001/ISO 27002 https://advisera.com/27001academy/blog/2022/02/09/iso-27001-iso-27002/
- Should you start implementing ISO 27001 2013 or 2022 revision? https://advisera.com/insight/chatbot-implement-iso-27001-2013-or-2022-revision/
Incidents (based on a failed change) should be recorded as incidents. Since you know that the incidents are caused by a poorly implemented change – I assume you know the root cause. If not, resolve the incident and open a problem to find out the root cause. And eliminate it.
The PIR should analyze the whole case to learn why this happened and what to do to avoid repeating it. An improvement or corrective action should follow up.
The number of incidents based on the implemented change is a good KPI for the process (efficiency).
See the article “Post Implementation Review – Buzzword, or mighty tool?” https://advisera.com/20000academy/blog/2015/02/03/post-implementation-review-buzzword-or-mighty-tool/ to give you a few ideas related to the PIR.