Privacy, Data Protection & Cookie Policies
When accessing the https://www.funeralguide.co.uk/ website, FuneralGuide.co.uk will learn certain information about you during your visit.
Similar to other commercial websites, our website utilises a standard technology called “cookies” (see explanation below) and server logs to collect information about how our site is used. Information gathered through cookies and server logs may include the date and time of visits, the pages viewed, time spent at our site, and the websites visited just before and just after our own, as well as your IP address.
A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website, that site’s computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.
Usage-based information (targeting and retargeting)
From time to time, we also employ retargeting technology to allow us to adapt our online marketing (e.g. banner ads) on the websites of our retargeting partners (Google Adwords, Google) more specifically to your needs and interests. These cookies are read and used when you visit other websites that cooperate with our retargeting partners, to provide you with information that is as relevant as possible to your interests. The process is anonymised, i.e. you cannot be identified through retargeting.
IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by our web server as part of demographic and profile data known as “traffic data” so that data (such as the Web pages you request) can be sent to you.
If you choose to correspond with us through email, we may retain the content of your email messages together with your email address and our responses. We provide the same protections for these electronic communications that we employ in the maintenance of information received online, mail and telephone. This also applies when you register for our website, sign up through any of our forms using your email address or make a purchase on this site. For further information see the email policies below.
How Do We Use the Information That You Provide to Us?
Broadly speaking, we use personal information for purposes of administering our business activities, providing customer service and making available other items and services to our customers and prospective customers. If you make an enquiry for a funeral plan, you agree to us passing your data to our preferred partner(s) who will contact you regarding your enquiry.
We may disclose information when legally compelled to do so, in other words, when we, in good faith, believe that the law requires it or for the protection of our legal rights.
We are committed to keeping your e-mail address confidential. We do not sell, rent, or lease our subscription lists to third parties, and we will not provide your personal information to any third party individual, government agency, or company at any time unless strictly compelled to do so by law.
We will use your e-mail address solely to provide timely information about FuneralGuide.co.uk.
We will maintain the information you send via e-mail in accordance with applicable federal law.
In compliance with the CAN-SPAM Act, all e-mail sent from our organisation will clearly state who the e-mail is from and provide clear information on how to contact the sender. In addition, all e-mail messages will also contain concise information on how to remove yourself from our mailing list so that you receive no further e-mail communication from us.
Our site provides users the opportunity to opt-out of receiving communications from us and our partners by reading the unsubscribe instructions located at the bottom of any e-mail they receive from us at any time.
Users who no longer wish to receive our newsletter or promotional materials may opt-out of receiving these communications by clicking on the unsubscribe link in the e-mail.
Use of External Links
http://www.funeralguide.co.uk may contain links to many other websites. FuneralGuide.co.uk cannot guarantee the accuracy of information found at any linked site. Links to or from external sites not owned or controlled by FuneralGuide.co.uk do not constitute an endorsement by FuneralGuide.co.uk or any of its employees of the sponsors of these sites or the products or information presented therein.
By accessing this web site, you are agreeing to be bound by these web site Terms and Conditions of Use, all applicable laws and regulations, and agree that you are responsible for compliance with any applicable local laws. If you do not agree with any of these terms, you are prohibited from using or accessing this site. The materials contained in this web site are protected by applicable copyright and trade mark law.
Intellectual Property Rights
All copyrights, trademarks, patents and other intellectual property rights in and on our website and all content and software located on the site shall remain the sole property of FuneralGuide.co.uk or its licensors. The use of our trademarks, content and intellectual property is forbidden without the express written consent from FuneralGuide.co.uk.
You must not:
- Republish material from our website without prior written consent.
- Sell or rent material from our website.
- Reproduce, duplicate, create derivative, copy or otherwise exploit material on our website for any purpose.
- Redistribute any content from our website, including onto another website.
You agree to use our website only for lawful purposes, and in a way that does not infringe the rights of, restrict or inhibit anyone else’s use and enjoyment of the website. Prohibited behaviour includes harassing or causing distress or inconvenience to any other user, transmitting obscene or offensive content or disrupting the normal flow of dialogue within our website.
You must not use our website to send unsolicited commercial communications. You must not use the content on our website for any marketing related purpose without our express written consent.
We may in the future need to restrict access to parts (or all) of our website and reserve full rights to do so. If, at any point, we provide you with a username and password for you to access restricted areas of our website, you must ensure that both your username and password are kept confidential.
FuneralGuide.co.uk is not responsible for any of the opinions or comments posted on www.funeralguide.co.uk. FuneralGuide.co.uk is not a forum for testimonials; however, it provides testimonials as a means for customers to share their experiences with one another. To protect against abuse, all testimonials appear after they have been reviewed by management of FuneralGuide.co.uk. FuneralGuide.co.uk does not share the opinions, views or commentary of any testimonials on www.funeralguide.co.uk – the opinions are strictly the views of the testimonial source.
The testimonials are never intended to make claims that our products and/or services can be used to diagnose, treat, cure, mitigate or prevent any disease. Any such claims, implicit or explicit, in any shape or form, have not been clinically tested or evaluated.
How Do We Protect Your Information and Secure Information Transmissions?
Email is not recognised as a secure medium of communication. For this reason, we request that you do not send private information to us by email. However, doing so is allowed, but at your own risk. Some of the information you may enter on our website may be transmitted securely via a secure medium known as Secure Sockets Layer, or SSL. Credit Card information and other sensitive information is never transmitted via email.
FuneralGuide.co.uk may use software programs to create summary statistics, which are used for such purposes as assessing the number of visitors to the different sections of our site, what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas.
For site security purposes and to ensure that this service remains available to all users, FuneralGuide.co.uk uses software programs to monitor network traffic to identify unauthorised attempts to upload or change information, or otherwise cause damage.
Disclaimer and Limitation of Liability
FuneralGuide.co.uk makes no representations, warranties, or assurances as to the accuracy, currency or completeness of the content contained on this website or any sites linked to this site.
All the materials on this site are provided “as is” without any express or implied warranty of any kind, including warranties of merchantability, non-infringement of intellectual property or fitness for any particular purpose. In no event shall FuneralGuide.co.uk or its agents or associates be liable for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, injury or death) arising out of the use of or inability to use the materials, even if FuneralGuide.co.uk has been advised of the possibility of such loss or damages.
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.
Right to information
On request, FuneralGuide.co.uk or the representative responsible for you will inform you in writing as soon as possible and in accordance with applicable law whether and what personal data relating to you has been stored by us. If you are registered as a user, we also enable you to view the data yourself and, if applicable, to delete or amend it. If incorrect information is stored despite our efforts to ensure that data is accurate and up to date, we will correct it at your request. If you have any questions about the processing of your personal data, you can contact our Data Protection Officer, who, along with his team, is available should you have any requests for information, suggestions or complaints.
Data Protection Officer
If you have any questions regarding this policy, or your dealings with our website, please contact us here: https://www.funeralguide.co.uk/contact-us
Data protection policy
In the information age we offer our customers the means to be always connected. This requires data to be collected and processed. When handling any data we adhere to this principle: When storing and transmitting data, we must ensure a high level of data protection and data security. That goes for information pertaining to our customers, prospects, business partners and employees.
We view it as our duty to comply with the various legal regulations around the world that govern the collection and processing of personal data. Our top priority is to ensure universally applicable, worldwide standards for handling personal data. For us, protecting personal rights and privacy for everyone is the foundation of trust in our business relationships.
Our Corporate Data Protection Policy lays out strict requirements for processing personal data pertaining to customers, prospects, business partners and employees. It meets the requirements of the European Data Protection Directive and ensures compliance with the principles of national and international data protection laws in force all over the world. The policy sets a globally applicable data protection and security standard for our company. We have established seven data protection principles – among them transparency, data economy and data security – as our guideline.
Our Directors and employees are obligated to adhere to the Corporate Data Protection Policy and observe their local data protection laws. As the Chief Officer of Corporate Data Protection, it is my duty to ensure that the rules and principles of data protection at FuneralGuide.co.uk are followed around the world.
My staff and I will be pleased to answer any questions you have about data protection and security.
I. Aim of the Data Protection Policy
II. Scope and amendment of the Data Protection Policy
III. Application of national laws
IV. Principles for processing personal data
  1. Fairness and lawfulness
  2. Restrictions to a specific purpose
  3. Transparency
  4. Data reduction and data economy
  5. Deletion
  6. Factual accuracy; up-to-date data
  7. Confidentiality and data security
V. Reliability of data processing
  1. Customer and partner data
    1.1 Data processing for contractual relationship
    1.2 Data processing for advertising purposes
    1.3 Consent to data processing
    1.4 Data processing pursuant to legal authorization
    1.5 Data processing pursuant to legitimate interest
    1.6 Processing of highly sensitive data
    1.7 Automated individual decisions
    1.8 User data and internet
  2. Employee Data
    2.1 Data processing for the employment relationship
    2.2 Data processing pursuant to legal authorization
    2.3 Collective agreements on data processing
    2.4 Consent to data processing
    2.5 Data processing pursuant to legitimate interest
    2.6 Processing of highly sensitive data
    2.7 Automated decisions
    2.8 Telecommunications and internet
VI. Transmission of personal data
VII. Contract data processing
VIII. Rights of the data subject
IX. Confidentiality of processing
XI. Data protection control
XII. Data protection incidents
XIII. Responsibilities and sanctions
XIV. Chief Officer of Corporate Data Protection
I. Aim of the Data Protection Policy
As part of its social responsibility, FuneralGuide.co.uk is committed to international compliance with data protection laws. This Data Protection Policy applies worldwide and is based on globally accepted, basic principles on data protection. Ensuring data protection is the foundation of trustworthy business relationships and reputation of FuneralGuide.co.uk as an attractive employer.
The Data Protection Policy provides one of the necessary framework conditions for cross-border data transmission. It ensures the adequate level of data protection prescribed by the European Union Data Protection Directive and the national laws for cross-border data transmission, including in countries that do not yet have adequate protection laws.
II. Scope and amendment of the Data Protection Policy
This Data Protection Policy extends to all processing of personal data. In countries where the data of legal entities is protected to the same extent as personal data, this Data Protection Policy applies equally to data of legal entities. Anonymised data, e.g. for statistical evaluations or studies, is not subject to this Data Protection Policy.
This Data Protection Policy will only be amended by the Chief Officer Corporate Data Protection. The latest version of the Data Protection Policy can be accessed with the data privacy information at www.funeralguide.co.uk
III. Application of national laws
This Data Protection Policy comprises the internationally accepted data privacy principles without replacing the existing national laws. It supplements the national data privacy laws. The relevant national law will take precedence in the event it conflicts with the Data Protection Policy, or it has stricter requirements than this Policy. The content of this Data Protection Policy must also be observed in the absence of corresponding national legislation. The reporting requirements for data processing under national laws must be observed.
IV. Principles for processing personal data
1. Fairness and lawfulness
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed in a legal and fair manner.
2. Restriction to a specific purpose
Personal data can be processed only for the purpose that was defined before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require substantiation.
3. Transparency
The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of:
- The identity of the Data Controller
- The purpose of the data processing
- Third parties or categories of third parties to whom the data might be transmitted
4. Data reduction and data economy
Before processing personal data, you must determine whether and to what extent the processing of personal data is necessary in order to achieve the purpose for which it is undertaken. Where the purpose allows and where the expense involved is in proportion with the goal being pursued, anonymised or statistical data must be used. Personal data may not be collected in advance and stored for potential future purposes unless required or permitted by national law.
5. Deletion
Personal data that is no longer needed after the expiration of legal or business process-related periods must be deleted. There may be an indication of interests that merit protection or historical significance of this data in individual cases. If so, the data must remain on file until the interests that merit protection have been clarified legally, or the corporate archive has evaluated the data to determine whether it must be retained for historical purposes.
6. Factual accuracy; up-to-dateness of data
Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented or updated.
7. Confidentiality and data security
Personal data is subject to data secrecy. It must be treated as confidential on a personal level and secured with suitable organizational and technical measures to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.
V. Reliability of data processing
Collecting, processing and using personal data is permitted only under the following legal bases. One of these legal bases is also required if the purpose of collecting, processing and using the personal data is to be changed from the original purpose.
1. Customer and partner data
1.1 Data processing for contractual relationship
Personal data of the relevant prospects, customers and partners can be processed in order to establish, execute and terminate a contract. This also includes advisory services for the partner under the contract if this is related to the contractual purpose. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare proposals or purchase orders or to fulfill other requests of the prospect that relate to contract conclusion. Prospects can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the prospects must be complied with. For advertising measures beyond that, you must observe the following requirements under V.1.2.
1.2 Data processing for advertising purposes
If the data subject contacts FuneralGuide.co.uk to request information (e.g. request to receive information material about a product or service), data processing to meet this request is permitted.
Customer loyalty or advertising measures are subject to further legal requirements. Personal data can be processed for advertising purposes or market and opinion research, provided that this is consistent with the purpose for which the data was originally collected. The data subject must be informed about the use of his/her data for advertising purposes. If data is collected only for advertising purposes, the disclosure from the data subject is voluntary. The data subject shall be informed that providing data for this purpose is voluntary. When communicating with the data subject, consent shall be obtained from him/her to process the data for advertising purposes. When giving consent, the data subject should be given a choice among available forms of contact such as regular mail, email and phone (Consent, see V.1.3).
1.3 Consent to data processing
Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed in accordance with IV.3 of this Data Protection Policy. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.
1.4 Data processing pursuant to legal authorisation
The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions.
1.5 Data processing pursuant to legitimate interest
Personal data can be processed if it is necessary for a legitimate interest of FuneralGuide.co.uk. Legitimate interests are generally of a legal (e.g. collection of outstanding receivables) or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection, and that this takes precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.
1.6 Processing of highly sensitive data
Highly sensitive personal data can be processed only if the law requires this or the data subject has given express consent. This data can also be processed if it is mandatory for asserting, exercising or defending legal claims regarding the data subject. If there are plans to process highly sensitive data, the Chief Officer Corporate Data Protection must be informed in advance.
1.7 Automated individual decisions
Automated processing of personal data that is used to evaluate certain aspects (e.g. credit worthiness) cannot be the sole basis for decisions that have negative legal consequences or could significantly impair the data subject. The data subject must be informed of the facts and results of automated individual decisions and the possibility to respond. To avoid erroneous decisions, a test and plausibility check must be made by an employee.
1.8 User data and internet
If personal data is collected, processed and used on websites or in apps, the data subjects must be informed of this in a privacy statement and, if applicable, information about cookies. The privacy statement and any cookie information must be integrated so that it is easy to identify, directly accessible and consistently available for the data subjects.
If use profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the privacy statement. Personal tracking may only be effected if it is permitted under national law or upon consent of the data subject. If tracking uses a pseudonym, the data subject should be given the chance to opt out in the privacy statement.
If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must offer sufficient protection during access.
2. Employee data
2.1 Data processing for the employment relationship
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes.
In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorized data processing apply.
If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws have to be observed. In cases of doubt, consent must be obtained from the data subject.
There must be a legal authorization to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company.
2.2 Data processing pursuant to legal authorisation
The processing of personal employee data is also permitted if national legislation requests, requires or authorizes this. The type and extent of data processing must be necessary for the legally authorized data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.
2.3 Collective agreements on data processing
If a data processing activity exceeds the purposes of fulfilling, it may be permissible if authorized through a collective agreement.
Collective agreements are pay scale agreements or agreements between employers and employee representatives, within the scope allowed under the relevant employment law. The agreement must cover the specific purpose of the intended data processing activity, and must be drawn up within the parameters of national data protection legislation.
2.4 Consent to data processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in which case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent. Before giving consent, the data subject must be informed in accordance with IV.3. of this Data Protection Policy.
2.5 Data processing pursuant to legitimate interest
Personal data can be processed if it is necessary to enforce a legitimate interest of FuneralGuide.co.uk. Legitimate interests are generally of a legal (e.g. filing, enforcing or defending against legal claims) or financial (e.g. valuation of company) nature.
Personal data may not be processed based on legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection. Before data is processed, it must be determined whether there are interests that merit protection.
Control measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of control must also be examined. The justified interests of the company in performing the control measure (e.g. compliance with legal provisions and internal company rules) must be weighed against any interests meriting protection that the employee affected by the measure may have in its exclusion, and cannot be performed unless appropriate. The legitimate interests of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken. Moreover, any additional requirements under national law (e.g. rights of co-determination for the employee representatives and information rights of the data subjects) must be taken into account.
2.6 Processing of highly sensitive data
Highly sensitive data can be processed only under certain conditions. Highly sensitive data is data about racial and ethnic origin, political beliefs, religious or philosophical beliefs and health and sexual life of the data subject. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be filled out differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
The processing must be expressly permitted or prescribed under national law. Additionally, processing can be permitted if it is necessary for the responsible authority to fulfill its rights and duties in the area of employment law. The employee can also expressly consent to processing.
If there are plans to process highly sensitive data, the Chief Officer Corporate Data Protection must be informed in advance.
2.7 Automated decisions
If personal data is processed automatically as part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic processing cannot be the sole basis for decisions that would have negative consequences or significant problems for the affected employee. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The data subject must also be informed of the facts and results of automated individual decisions and the possibility to respond.
2.8 Telecommunications and internet
Telephone equipment, e-mail addresses, intranet and internet along with internal social networks are provided by the company primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies. In the event of authorized use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunications laws must be observed if applicable.
There will be no general monitoring of telephone and e-mail communications or intranet/internet use. To defend against attacks on the IT infrastructure or individual users, protective measures can be implemented for the connections to the FuneralGuide.co.uk network that block technically harmful content or that analyse the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the intranet/internet and internal social networks can be logged for a temporary period. Evaluations of this data from a specific person can be made only in a concrete, justifiable case of suspected violations of laws or policies of FuneralGuide.co.uk. The evaluations can be conducted only by investigating officers while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as Company regulations.
VI. Transmission of personal data
Transmission of personal data to recipients outside or inside FuneralGuide.co.uk is subject to authorisation requirements for processing personal data under section V. The data recipient must be required to use the data only for the defined purposes.
In the event that data is transmitted to a recipient outside of FuneralGuide.co.uk to a third country, this country must agree to maintain a data protection level equivalent to this Data Protection Policy. In the alternative, the laws of the domiciliary country can acknowledge the purpose of data transmission based on the legal obligation of a third country. It must be ensured that the data can be used for the intended purpose. The data subject is entitled to assert his or her rights against the company exporting the data. In the event of claims of violation, the company exporting the data must document to the data subject that the company importing the data in a third country (in the event that the data is further processed after receipt) did not violate this Data Protection Policy.
In the case of personal data being transmitted from the European Economic Area to a company located in a third country, the data controller transmitting the data shall be held liable for any violations of this Policy committed by the company in a third country with regard to the data subject whose data was collected in the European Economic Area, as if the violation had been committed by the data controller transmitting the data. The legal venue is the responsible court where the company exporting the data is located.
VII. Contract data processing
Data Processing on Behalf means that a provider is hired to process personal data, without being assigned responsibility for the related business process. In these cases, an agreement on Data Processing on Behalf must be concluded with external providers and FuneralGuide.co.uk. The client retains full responsibility for correct performance of data processing. The provider can process personal data only as per the instructions from the client. When issuing the order, the following requirements must be complied with; the department placing the order must ensure that they are met.
1. The provider must be chosen based on its ability to cover the required technical and organizational protective measures.
2. The order must be placed in writing. The instructions on data processing and the responsibilities of the client and provider must be documented.
3. The contractual standards for data protection provided by the Chief Officer Corporate Data Protection must be considered.
4. Before data processing begins, the client must be confident that the provider will comply with the duties. A provider can document its compliance with data security requirements in particular by presenting suitable certification. Depending on the risk of data processing the reviews must be repeated on a regular basis during the term of the contract.
5. In the event of cross-border data processing, the relevant national requirements for disclosing personal data abroad must be met. In particular, personal data from the European Economic Area can be processed in a third country only if the provider can prove that it has
   a. Data protection standards equivalent to this Data Protection Policy. Suitable tools can be:
      i. Agreement on EU standard contract clauses for contract data processing in third countries with the provider and any subcontractors.
      ii. Participation of the provider in a certification system accredited by the EU for the provision of a sufficient data protection level.
      iii. Acknowledgement of binding corporate rules of the provider to create a suitable level of data protection by the responsible supervisory authorities for data protection.
VIII. Rights of the data subject
Every data subject has the following rights. Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.
1. The data subject may request information on which personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, this will remain unaffected.
2. If personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
3. If personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
4. The data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use.
5. The data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
6. The data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
Additionally, every data subject can assert the rights under III, IV, V, VI, IX, X and XIV as a Para. 3 as a third-party beneficiary if a company that has agreed to comply with the Data Protection Policy does not observe the requirements and violates the party’s rights.
IX. Confidentiality of processing
Personal data is subject to data secrecy. Any unauthorised collection, processing, or use of such data by employees is prohibited. Any data processing undertaken by an employee that he/she has not been authorised to carry out as part of his/her legitimate duties is unauthorised. The “need to know” principle applies. Employees may have access to personal information only as is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation, of roles and responsibilities.
Employees are forbidden to use personal data for private or commercial purposes, to disclose it to unauthorized persons, or to make it available in any other way. Supervisors must inform their employees at the start of the employment relationship about the obligation to protect data secrecy. This obligation shall remain in force even after employment has ended.
Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This applies regardless of whether data is processed electronically or in paper form. Before the introduction of new methods of data processing, particularly new IT systems, technical and organizational measures to protect personal data must be defined and implemented. These measures must be based on the state of the art, the risks of processing, and the need to protect the data (determined by the process for information classification).
In particular, the responsible department can consult with its Information Security Officer (ISO) and data protection coordinator. The technical and organizational measures for protecting personal data are part of Corporate Information Security management and must be adjusted continuously to the technical developments and company changes.
XI. Data protection control
Compliance with the Data Protection Policy and the applicable data protection laws is checked regularly with data protection audits and other controls. The performance of these controls is the responsibility of the Chief Officer Corporate Data Protection, the data protection coordinators and others within the company with audit rights or external auditors hired. The results of the data protection controls must be reported to the Chief Officer Corporate Data Protection. On request, the results of data protection controls will be made available to the responsible data protection authority. The responsible data protection authority can perform its own controls of compliance with the regulations of this Policy, as permitted under national law.
XII. Data protection incidents
All employees must inform their supervisor, data protection coordinator or the Chief Officer Corporate Data Protection immediately about cases of violations against this Data Protection Policy or other regulations on the protection of personal data (data protection incidents). The manager responsible for the function of the data is required to inform the responsible data protection coordinator or the Chief Officer Corporate Data Protection immediately about data protection incidents.
In cases of:
• Improper transmission of personal data to third parties,
• Improper access by third parties to personal data, or
• Loss of personal data
the required company reports (Information Security Incident Management) must be made immediately so that any reporting duties under national law can be complied with.
XIII. Responsibilities and sanctions
The company is required to ensure that the legal requirements, and those contained in the Data Protection Policy, for data protection are met (e.g. national reporting duties). Management staff are responsible for ensuring that organizational, HR and technical measures are in place so that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of the relevant employees. If official agencies perform data protection controls, the Chief Officer Corporate Data Protection must be informed immediately.
The data protection coordinators are the contact persons on site for data protection. They can perform checks and must familiarize the employees with the content of data protection policies. The relevant management is required to assist the Chief Officer Corporate Data Protection and the data protection coordinators with their efforts. Those responsible for business processes and projects must inform the data protection coordinators in good time about new processing of personal data. For data processing plans that may pose special risks to the individual rights of the data subjects, the Chief Officer Corporate Data Protection must be informed before processing begins. This applies in particular to extremely sensitive personal data. The managers must ensure their employees are sufficiently trained in data protection.
Improper processing of personal data, or other violations of the data protection laws, can be criminally prosecuted in many countries and result in claims for compensation of damage. Violations for which individual employees are responsible can lead to sanctions under employment law.
XIV. Chief Officer of Corporate Data Protection
The Chief Officer Corporate Data Protection works towards compliance with national and international data protection regulations. He/She is responsible for the Data Protection Policy and supervises compliance with it. The Chief Officer Corporate Data Protection is appointed by FuneralGuide.co.uk.
The data protection coordinators shall promptly inform the Chief Officer Corporate Data Protection of any data protection risks.
Any data subject may approach the Chief Officer Corporate Data Protection, or the relevant data protection coordinator, at any time to raise questions, request information or make complaints relating to data protection or data security issues. If requested, concerns and complaints will be handled confidentially.
If the data coordinator in question cannot resolve a complaint or remedy a breach of the Policy for data protection, the Chief Officer Corporate Data Protection must be consulted immediately. Decisions made by the Chief Officer Corporate Data Protection to remedy data protection breaches must be upheld by the management of the company in question. Inquiries by supervisory authorities must always be reported to the Chief Officer Corporate Data Protection.
Contact details for the Chief Officer Corporate Data Protection and staff are as follows:
Chief Officer Corporate Data Protection
• Data is anonymized if personal identity can never be traced by anyone, or if the personal identity could be recreated only with an unreasonable amount of time, expense and labour.
• Consent is the voluntary, legally binding agreement to data processing.
• Data protection incidents are all events where there is justified suspicion that personal data is being illegally captured, collected, modified, copied, transmitted or used. This can pertain to actions by third parties or employees.
• Data subject under this Data Protection Policy is any natural person whose data can be processed. In some countries, legal entities can be data subjects as well.
• The European Economic Area (EEA) is an economic region associated with the EU, and includes Norway, Iceland and Liechtenstein.
• Highly sensitive data is data about racial and ethnic origin, political opinions, religious or philosophical beliefs, union membership or the health and sexual life of the data subject. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be structured differently. Moreover, data that relates to a crime can often be processed only under special requirements under national law.
• Personal data is all information about a certain or definable natural person. A person is definable for instance if the personal relationship can be determined using a combination of information with even incidental additional knowledge.
• Processing personal data means any process, with or without the use of automated systems, to collect, store, organize, retain, modify, query, use, forward, transmit, disseminate or combine and compare data. This also includes disposing of, deleting and blocking data and data storage media.
• Processing personal data is required if the permitted purpose or justified interest could not be achieved without the personal data, or only with exceptionally high expense.
• A sufficient level of data protection in third countries is acknowledged by the EU Commission if the core of the personal privacy, as unanimously defined in the member countries of the EU, is adequately ensured. When making its decision, the EU Commission accounts for all circumstances that play a role in data transmission or a category of data transmission. This includes the opinions under national law and relevant applicable professional standards and security measures.
• Third countries under the Data Protection Policy are all nations outside the European Union/EEA. This does not include countries with a data protection level that is considered sufficient by the EU Commission.
• Third parties are anyone apart from the data subject and the Data Controller. In a case of Data Processing on Behalf, data processors in the EU are not third parties under the data protection laws, because they are assigned by law to the responsible entity.
• Transmission is all disclosure of protected data by the responsible entity to third parties.