Disclaimer and data privacy declaration for the AskREACH smartphone apps and web apps
This disclaimer and data privacy statement concerns the app Scan4Chem which was developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738) and is provided by the German Environment Agency (UBA) in Germany. UBA is in the following called provider. The app is addressed to users aged 16 and over.
The provider accepts no responsibility for the accuracy, completeness, quality or actuality of the content of the AskREACH IT tools. Any liability claims against the provider for material or immaterial damages that arise from the use or non-use of information available via the IT tools or the use of erroneous or incomplete information available via the IT tools shall be excluded insofar as no culpable act of gross negligence has been committed by the provider. Our services are non-binding and subject to confirmation. The provider shall be entitled to modify any aspect of the IT tools and/or their content in any way it sees fit, in whole or in part, without prior notification.
The provider shall be liable for links used in the AskREACH IT tools that are beyond their control only insofar as they have knowledge of the relevant content and it would have been reasonable and technically possible for us to forestall the use of any such content that may be illicit. The provider thus hereby expressly state that at the time any such link was created we had no knowledge that it was associated with any illicit Web content. Inasmuch as we have no control over the current or future design, content or copyright of any linked Web page, we hereby expressly repudiate any content of any linked page that was altered after the link in question was created. This applies to all links and references used in the IT tools, as well as any third party entry. In the event of illicit, erroneous or incomplete content, and in particular in connection with damages arising from the use or non-use of such information, the Web site owner to which the link in question pointed shall assume liability, and not the tool owner that provided links to such content. Third party Web sites that can be accessed via external links may not be accessible to the disabled. Please also note that any linking to this application does not constitute grounds for mutual reciprocity.
In all AskREACH IT tools, the provider has made every effort to (a) respect copyright restrictions for all graphics, audio, video and text; or (b) use graphics, audio, video and text created by the UBA or AskREACH itself; or (c) use license-free graphics, audio, video and text. All protected marks and trademarks used are protected by the applicable copyright laws pursuant to the intellectual property rights of their duly registered owners. The fact that registered trademarks are mentioned should not be construed to mean that such trademarks are not protected by third party rights.
The copyright for published objects created by the provider or AskREACH itself remains solely with the provider or AskREACH and the staff working on the IT tools. Unless otherwise indicated, objects, graphics, sound documents, video sequences and texts created by the provider or AskREACH itself are under a creative commons 4.0 international license (no commercial use, no editing, https://creativecommons.org/licenses/by-nc-nd/4.0/).
The disclaimer herein constitutes an element of the AskREACH smartphone apps and web apps. Insofar as any provision of the present disclaimer is or becomes legally invalid or unenforceable, the remaining provisions shall remain fully enforceable.
The UBA, represented by its president, is responsible within the meaning of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and other data protection regulations:
German Environment Agency
Präsidialbereich / Presse- und Öffentlichkeitsarbeit, Internet
Wörlitzer Platz 1
06844 Dessau-Roßlau
Phone: +49-340-2103-2416
E-mail: buergerservice@uba.de
The UBA data privacy officer is available to answer your questions and provide you with information on the subject of data protection. He is also the contact person for the enforcement of your rights as a party concerned. However, requests made in other languages than German and English have to be directed to other regional app providers for translation. After translation they will be directed by the regional app providers to the data privacy officer:
Mr. Udo Langhoff
German Environment Agency
Wörlitzer Platz 1
06844 Dessau-Roßlau
Phone: +49-30-8903-5141
e-mail: udo.langhoff@uba.de]
The following explanations refer to all apps developed in the LIFE project AskREACH. UBA is the controller of the AskREACH database and business logic and of the master app. The regional app providers are the controllers of the regional app versions they offer in their countries. The AskREACH project partner Luxembourg Institute of Science and Technology (LIST, https://www.list.lu) is responsible for the technical operation of the apps. The server is made available by an external host (IBM of Belgium sprl / bvba https://www.ibm.com/contact/be/en/?lnk=flg-cont-be-en).
Scope of the processing of personal data
We only process personal data of users of our IT tools if this is necessary to provide functional tools as well as our contents and services (such as the provision of SVHC information by suppliers of consumer articles). The processing of our users' personal data takes place regularly only with their consent. An exception applies in those cases where prior consent cannot be obtained for real reasons and the processing of the data is permitted by law.
Unless otherwise stated in this data protection declaration in individual cases, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. In the context of their helpdesk activities the global administrators of the German Environment Agency (UBA), the technical administrators of the Luxembourg Institute of Science and Technology (LIST) and the administrators of the regional app providers may view the stored data. The technical administrators may also view them if necessary for attack prevention. Data protection and confidentiality agreements have been concluded between UBA and LIST, UBA and the regional app providers and between LIST and the external host.
All information you transmitted in encrypted form via a "Secure Socket Layer" (SSL) connection. Your personal data cannot be read by unauthorised persons during transmission on the Internet.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is usually the consent of the data subject pursuant to Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR).
If processing is necessary to safeguard a legitimate interest of the provider or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 para. 1 letter f GDPR serves as the legal basis for processing.
Data erasure and storage time
The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply.
Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.
Our smartphone apps can be downloaded from the Google and Apple app stores. The Android app can also be downloaded from our website.
If users download the app from the app stores they are subjected to the data privacy rules of iTunes and GooglePlay. We hereby expressly bring to users’ attention the fact that we have no control either over the terms of use or the owners of the app stores. We cannot be held liable for any action taken by any owner of an app store or by any third party.
We hereby expressly draw your attention to the fact that app store owners archive data and use it for commercial purposes. We have no knowledge as to the scope of such data or the term of its archiving. However, you are legally entitled to ask any the app store owner to allow you to view your personal data and you can assert all your rights under the EU General Data Protection Regulation (GDPR).
Every time you access our system by using the app, our system automatically collects data and information from the calling smartphone device or computer system. This information (server log files) comprises, e.g. information on the browser, the user’s operating system, the domain of your internet service provider etc. In addition the IP address or potentially the device ID of your smartphone is transmitted and used in order to be able to use the desired service. This information is technically necessary for the correct delivery of content requested by you from our IT tools and is mandatory when using the Internet.
This data is not stored together with other personal data of the user.
According to our data privacy concept the incoming log file data are stored over a period of two weeks in order to recognise and analyse any attacks against our system. The legal basis for data processing is Art. 6 Para. 1 lit. f) GDPR. If a specific IP address or device identification number must be blocked, it is permanently stored.
Scope of the data processing
You get access to the web app via our website. We log the download and collect statistics. The web app then only communicates between the user's browser and the AskREACH server. Each time your computer accesses the AskREACH server, our system automatically collects data and information.
Every time your smartphone accesses the AskREACH server, our system also automatically collects data and information.
The following data is collected:
The data are stored in the log files of our system. IP addresses and device IDs are identifiable in the records for attack prevention purposes and for geographic access statistics. IP addresses/device IDs are also used to limit access rates to the app/database as needed and prevent Denial of Service (DOS) attacks and other threats.
You enter your name and e-mail address yourself. This personal data is not required to retrieve SVHC information from the AskREACH database. You do not have to enter it until you send a request to an article supplier. If you send a request, this data is stored on the server for as long as is necessary to process the app actions you desire. Your name and the country in which you live are visible to the addressee of your request, your e-mail address is not. With the smartphone app, your name, country of residence and e-mail address are stored on your smartphone so you don't have to re-enter them at the next app session where you make a request. In the case of the web app, this information is not stored on your computer, so you must re-enter it in each session you make a request.
Backup copies of the server are divided into different categories for optimal monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups need to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored encrypted.
Legal basis for the processing of personal data
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. a and f GDPR.
Purpose of data processing
The data are stored in the system to ensure the functionality of the system. In addition, the data serves us to optimise our AskREACH IT tools and to ensure the security of our information technology systems. The data are statistically evaluated in anonymous form in order to document the success of AskREACH IT tools. The temporary storage of the IP address by the system is necessary to enable the server information to be delivered to the user's computer/device. For this the IP address of the user must remain stored for the duration of the session. The data are not evaluated for marketing purposes.
Our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f GDPR also lies in these purposes.
This data from the log file is not combined with any other stored data. A direct reference of the IP number from the log file to your person is not possible and is excluded. The IP address is only evaluated in the event of attacks on the AskREACH IT infrastructure, offences against morality and other illegal activities in connection with the use of the IT tools. A conclusion from the IP number to your person is only possible through your dial-in provider through a public prosecutor's investigation.
You enter your name and e-mail address yourself into the app and can change or delete it at any time. The smartphone app stores this information on your phone so you don't have to re-enter it for each request. With the Web app, this data is stored within a session so you don't have to re-enter it for each request. If you close the Web app, the data is deleted.
If you send a request to a company, only the name you entered and your country of residence are visible to the company. Your name should show the company that there is a real person behind the request. The country is indicated so that the company can reply to you in the appropriate language. After sending your request, the following cases may occur:
· Entry of the desired information by the company into the AskREACH database. You will then receive the corresponding information from the system.
· The company sends the information by e-mail to the AskREACH server, which then forwards it to you.
· Some companies do not want to use our system, but want to contact their customers directly. In this case, our system will inform you accordingly and you will be asked to send your request by e-mail again directly to the company, if you wish.
· It can also happen that a company does not react at all. In this case, the system sends a reminder to the company after 30 days. After 45 days, the system will ask you if you want to send another request. Generally, the regional app providers try to find out why companies do not respond.
To allow the system to respond and contact you appropriately, your name and e-mail address will be stored in the system for as long as the response/processing of your request requires. After a maximum of 60 days (buffer time for potential queries), your name and e-mail address will be pseudonymised in the system and only used for anonymous statistics.
All personal data stored in the AskREACH server are visible to the AskREACH administrators on consumer or supplier request so they can perform their helpdesk activities.
· Technical administrator: Luxembourg Institute of Science and Technology (LIST)
· Global administrator (operator): German Environment Agency UBA
· Regional administrator: regional app provider
Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. Your name and e-mail address will only be stored in connection with your requests and for a maximum of 60 days.
If personal data (online identifiers like IP-addresses and unique device IDs) are stored in log files, they will be deleted after two weeks at the latest. Further storage is possible in case of malicious behaviour and if future access is to be prevented. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment of the calling client is no longer possible.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
Your name and e-mail address are only temporarily stored in the system. Both can be deleted or removed at your request.
You can revoke your consent to the processing of your personal data at any time. The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this. After revocation of your consent you can no longer use the app.
App users may enter article name, description, brand/company name and photo, if this information is missing in the AskREACH database. This information is marked as “crowdsourcing information”. In addition app users may enter generic e-mail addresses of companies in order to send their requests there. These e-mail addresses may be included in the internal address list of the system and then used for sending future requests of other app users to the same company. Before inclusion in the internal list they will be checked by the regional administrator. Before entering any data the app user has to consent to the conditions of use and is informed that this information should only concern, show or reflect the article in question, no persons or other personal or confidential data or illegal content. Wrong or illegal contents will be deleted as soon as they are notified (by other app users or suppliers) to the administrators. If repeated misuse is noted, users will be blocked.
We have a Serbian regional provider of our app outside the EU. In Serbia a new law has been adopted that implements provisions equivalent to the GDPR.
In addition requests can be sent to any company outside the EU. However, if the system has access to company contact details indicating that the company is located in a country where REACH does not apply, the app user will be asked to submit his request to the retailer within the EU.
With the consent of an app user geolocation may be used by the smartphone app to find out the contact information of a retailer where the app user is standing. The geolocation data are deleted directly after they served this purpose. They are not stored in the AskREACH system.
If a smartphone app user agrees to get push notifications from the AskREACH system, their device ID is stored in the business logic and they are subjected to the data privacy rules of the Apple Push Notification service or Google Firebase service.
In April 2020, February 2021 and February 2022 all active users of the smartphone app at that point in time will receive via the app a request to participate in a survey which shall provide the project with data on impacts achieved and user satisfaction. The release of this request will be integrated into the app’s programming from the start, i.e. not sent via external notification (“push message”). Personal data is not involved.
Consumers who agree to participate in the survey are forwarded to a questionnaire created in the web tool Survey Monkey, which is hosted at an external website by the AskREACH project partner sofia (University of Applied Sciences Darmstadt, Society for Institutional Analysis). The data privacy conditions of Survey Monkey apply. Survey Monkey confirms to be fully compliant with GDPR (https://cdn.smassets.net/assets/cms/cc/uploads/SurveyMonkey-GDPR-Whitepaper-v4.pdf).
In the questionnaires, consumers interested in providing more thorough feedback are asked to leave their e-mail addresses. Using these e-mail addresses, UBA may inquire consumers individually to participate in interviews. Your e-mail address will be deleted after the interview is completed. All surveys are evaluated anonymously.
Description and scope of data processing
If you click in our app that you would like to receive our free newsletter, you will be redirected to our website where you can subscribe to the newsletter. Please refer to the privacy policy of our website for information on subscription-related data privacy (https://www.umweltbundesamt.de/en/disclaimer-privacy-policy).
Description and scope of data processing
You can send us questions about the app or received supplier answers by e-mail. In this case, your personal data transmitted with the e-mail will be stored by us.
In this context, the data will not be passed on to third parties without your separate consent. We will use the data exclusively for processing the conversation and then delete or anonymise it.
Legal basis for the processing of personal data
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR.
Purpose of data processing
The processing of the personal data serves the answer of your inquiry.
Duration of storage
The storage of your inquiries and answers in electronic files of the regional app provider can take up to 60 days.
Possibility of objection and elimination
You have the possibility to revoke your consent to the processing of your personal data sent with your e-mail at any time. To this end, please contact our data protection officer. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us will be deleted.
Further information on communication by e-mail
Communication by e-mail can have security gaps. E-mails sent to us can be stopped and read by experienced Internet users. If we receive an e-mail from you, it is assumed that we are also entitled to reply by e-mail to this e-mail address. Otherwise we ask you to consider another way of communication (e.g. by post).
Caution with questionable e-mails: Fraudsters repeatedly try to install malware (e.g. viruses and Trojan horses) on foreign PCs via attachments or links in e-mails - by fomenting fears with content such as unpaid invoices or attracting attention with dramatic messages. Mistrust e-mails with lurid subject lines, dubious content or questionable origin and delete them immediately. Never open attachments or links in such emails. As a general rule, the German Environment Agency and the regional app providers never send files with the suffix".exe″ or".com″ attached. Please do not open such files and inform us best by telephone about such an e-mail. The German Environment Agency or the regional app providers will never ask you to send us sensitive data such as bank details or passwords by e-mail or telephone.
If your personal data are processed, you are affected within the meaning of the basic EU General Data Protection Regulation (GDPR) and you are entitled to the following rights vis-à-vis the person responsible. Please contact us (see above).
Right to information
You can ask the person in charge to confirm whether personal data concerning you will be processed by us.
If such processing has taken place, you can request the following information from the person responsible:
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
This right to information may be limited to the extent that it is likely to make it impossible or seriously impair the realisation of research or statistical purposes and the limitation is necessary for the fulfilment of research or statistical purposes.
Right to correction
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.
Your right to correction may be limited to the extent that it is likely to render impossible or seriously prejudicial the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to limitation of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the Union or a Member State.
If the processing restriction has been limited according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
Your right to limitation of processing may be limited to the extent that it is likely to render impossible or seriously prejudicial the achievement of research or statistical purposes and the restriction is necessary for the fulfilment of research or statistical purposes.
Right to cancellation
a) Duty to delete
You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:
b) Information to third parties
If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
c) Exceptions
The right to cancellation does not exist insofar as the processing is necessary
Right to information
If you have exercised your right to have the data controller correct, delete or limit the processing, he/she is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
The person responsible shall inform you about those recipients if you request it.
Right to data transferability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was provided, provided that
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to transferability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Right of objection
You have the right to object at any time for reasons arising from your particular situation to the processing of your personal data in accordance with Art. 6 para. 1 lit. f GDPR.
The data controller no longer processes the personal data concerning you, unless he can prove compelling reasons worthy of protection for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
You have the possibility to exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR for reasons arising from your particular situation.
Your right of objection may be limited to the extent that it is likely to make it impossible or seriously impair the realisation of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or suspect of infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
In the case of the German Environment Agency, the responsible supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).
The misuse of data from the imprint or comparable information from contact data published by us such as postal addresses, telephone and fax numbers and e-mail addresses is not permitted. We expressly reserve the right to take legal action against the senders of so-called spam mails in the event of violations of this prohibition.
The apps can be shared via social networks. We invite you to recommend our apps in this way. That said, we hereby expressly bring to users’ attention the fact that we have no control either over the terms of use of such services or the owners of such services. While we will diligently handle any personal data on such platforms, we cannot be held liable for any action taken by any owner of any social network site or by any third party.
We hereby expressly draw your attention to the fact that social-network owners archive data and use it for commercial purposes. We have no knowledge as to the scope of such data or the term of its archiving. However, you are legally entitled to ask any such owner to allow you to view your personal data, to be informed on request which of your personal data is processed and to assert your rights under the GDPR.