Version 20220117

Disclaimer and data privacy statement for companies using the AskREACH system to comply with their SVHC information duties

This disclaimer and data privacy statement concerns

  1. All enterprises who want to answer consumer SVHC requests by e-mail via the AskREACH system (without registering with the AskREACH database).
  2. All enterprises who want to register with the AskREACH database in order to upload information on SVHCs in their articles to the database.

The AskREACH IT tools include the business logic, the European smartphone app and web app, the European database and the supplier frontend. They were developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738). The database and the supplier frontend are addressed to suppliers of consumer articles in accordance with the REACH article definition. The German Environment Agency (UBA, Wörlitzer Platz 1, D-06844 Dessau-Rosslau, Germany) is the provider of the database and the respective supplier frontend. UBA is the global administrator of the AskREACH IT tools; the Luxembourg Institute of Science and Technology (LIST) is the technical administrator. The AskREACH project partners and replicators in the various countries where the app developed in AskREACH is available are the regional administrators. Replicators are organisations which are not direct partners in the LIFE AskREACH project, but nevertheless promote the app in their countries.

In addition, the smartphone app “ToxFox” of the AskREACH project partner Friends of the Earth Germany (Bund für Umwelt und Naturschutz e.V., BUND) is connected to the AskREACH business logic. ToxFox uses the AskREACH system for retrieving SVHC information in the AskREACH database, sending REACH consumer requests to companies and getting information about the status of the consumer requests.

1. Contents of the AskREACH IT tools

UBA accepts no responsibility for the accuracy, completeness, quality or actuality of the contents of the AskREACH IT tools. Any liability claims against UBA for material or immaterial damages that arise from the use or non-use of information available via the IT tools or the use of erroneous or incomplete information available via the IT tools shall be excluded insofar as no culpable act of gross negligence has been committed by UBA. Our services are non-binding and subject to change at any time without notification. UBA shall be entitled to modify any aspect of the IT tools and/or their contents in any way it sees fit, in whole or in part, without prior notification.

2. References and links

UBA and the AskREACH partners and replicators shall not be liable for links used in the AskREACH IT tools that are beyond UBA’s control unless we have knowledge of the relevant contents and it would have been reasonable and technically possible to forestall the use of any such contents that may be illicit. UBA and the AskREACH partners and replicators thus hereby expressly state that at the time any such link was created we had no knowledge that it was associated with any illicit Web contents. Inasmuch as we have no control over the current or future design, contents or copyright of any linked Web page, we hereby expressly repudiate any contents of any linked page that was altered after the link in question was created. This applies to all links and references used in the IT tools, as well as any third party entry. In the event of illicit, erroneous or incomplete contents, and in particular in connection with damages arising from the use or non-use of such information, the Web site owner to which the link in question directed shall assume liability, and not the tool owner that provided links to such contents. Third party Web sites that can be accessed via external links may possibly not be barrier-free. Note that any linking to the AskREACH IT tools does not constitute grounds for reciprocity.

3. Copyright and trademark rights

In all AskREACH IT tools, UBA and the AskREACH consortium have made every effort (a) to respect copyright restrictions for all graphics, audio, video and text; (b) to use graphics, audio, video and text created by UBA or AskREACH itself; and (c) to use licence-free graphics, audio, video and text. All protected marks and trademarks used are protected by the applicable copyright laws pursuant to the intellectual property rights of their duly registered owners. The fact that registered trademarks are mentioned should not be taken to mean that such trademarks are not protected by third party rights.

The copyright for published objects created by UBA or AskREACH itself remains solely with UBA or AskREACH and the staff working on the IT tools. Unless otherwise indicated, objects, graphics, sound documents, video sequences and texts created by UBA or AskREACH itself are under a creative commons 4.0 international licence (no commercial use, no editing, https://creativecommons.org/licenses/by-nc-nd/4.0/).

4. Legal validity of this disclaimer

This disclaimer constitutes an element of the AskREACH IT tools. Insofar as any provision of the present disclaimer is or becomes legally invalid or unenforceable, the remaining provisions shall remain fully enforceable.

5. Data privacy

5.1. Name and address of the person responsible

The German Environment Agency, represented by its President, is responsible for the AskREACH IT tools within the meaning of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other data protection regulations:

German Environment Agency

Präsidialbereich / Presse- und Öffentlichkeitsarbeit, Internet

Wörlitzer Platz 1

06844 Dessau-Rosslau, Germany

Phone: +49-340-2103-2416

E-mail: buergerservice@uba.de

www.umweltbundesamt.de

5.2. Name and address of the data privacy officer

The German Environment Agency's data privacy officer is available to answer your questions and provide you with information on the subject of data protection, and is also the contact person for the enforcement of your rights as a concerned party. However, requests made in other languages than German and English have to be directed to the regional administrators (see https://www.askreach.eu/app-database/) for translation. After translation they will be directed by the regional administrators to the data privacy officer and the global administrator UBA:

Mr Udo Langhoff

German Environment Agency

Wörlitzer Platz 1

06844 Dessau-Rosslau, Germany

Phone: +49-30-8903-5141

e-mail: udo.langhoff@uba.de

5.3. General information on data processing

The following explanations refer to the European AskREACH database including the supplier frontend, which were both developed in the LIFE project AskREACH. The database is linked to the European smartphone app developed in AskREACH and the corresponding web app as well as to the ToxFox app of BUND.

UBA is the controller of the AskREACH business logic including the database and supplier frontend as well as of the smartphone app and web app developed in the AskREACH project.

Regional administrators in the various countries promote the app and support app and database users. They are authorities or organisations of the AskREACH partner countries and of further countries in which a regional app version is available (“replicator countries“). The AskREACH project partner Luxembourg Institute of Science and Technology (LIST) is responsible for the technical operation of the AskREACH system (database and all frontends). LIST uses IBM cloud for hosting (IBM of Belgium sprl / bvba, https://www.ibm.com/contact/be/en/?lnk=flg-cont-be-en). IBM complies with the German standard cloud computing compliance controls catalogue (C5, see https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html).

BUND is an AskREACH project partner and the controller and provider of the ToxFox app which includes some of the functions of the European app developed in AskREACH. The data privacy declaration of the ToxFox can be found under www.bund.net/toxfox-privacy-policy (in English) or https://www.bund.net/datenschutz/ (in German).

Scope of the processing of personal data

We only process personal data of users of our IT tools if this is necessary to provide functional tools and for our contents and services (such as the provision of SVHC information by suppliers of consumer articles). The processing of our users' personal data takes place as a rule only with their consent.

Unless otherwise provided for in this data protection declaration, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. The stored data can be viewed by the administrators of the German Environment Agency and the Luxembourg Institute of Science and Technology. Data stored in the ToxFox system (company e-mail addresses for SVHC requests, sent SVHC requests) can be viewed by BUND.

Your contact details, GCPs/barcode ranges and information about your answering behaviour will be made available to the regional administrators via the AskREACH system. They may then approach the companies that do not respond to consumer requests in order to find out the reasons. Regional administrators may publish anonymous statistics from the database. Company specific data other than that mentioned above may only be viewed by regional administrators in the framework of their helpdesk activities and with your agreement. Data protection agreements according to GDPR Art. 28 have been concluded between UBA and LIST, UBA and the regional administrators (including BUND) and between LIST and the external host. In addition, BUND has a data protection agreement with their external host.

All information you send when using the AskREACH IT tools is transmitted in encrypted form via a "Secure Socket Layer" (SSL) connection. Your personal data cannot be read by unauthorised persons during transmission on the Internet.

Legal basis for the processing of personal data

The legal basis for the processing of personal data is usually the consent of the data subject pursuant to Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR).

If processing is necessary to safeguard a legitimate interest of our authority or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for processing. 

Data erasure and storage time

The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. 

Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.

5.4. Provision of the AskREACH IT system and creation of log files

Every time you access our AskREACH system, the system automatically collects data and information from the calling computer system. This information (server log files) comprises, for example, information on the browser, the user’s operating system, or the domain of your internet service provider. In addition, the IP address or potentially the device ID of your smartphone is transmitted and used in order to be able to use the desired service. This information is technically necessary for the correct delivery of contents requested by you from our IT tools and is mandatory when using the Internet.

This data is not stored together with other personal data of the user.

According to our data privacy concept, the incoming log file data are stored for two weeks in order for us to be able to recognise and analyse any attacks against our system. The legal basis for data processing is Art. 6 (1) (f) GDPR. If a specific IP address or device identification number has to be blocked, it is permanently stored.

5.5. Business representatives who receive SVHC requests through the system by e-mail and reply by e-mail (without registering in the database)

Description and scope of the data processing

If you, as a company representative, are sent a request for information about substances of very high concern (SVHCs) via the AskREACH smartphone app, web app, or the ToxFox, this request may be received via your (potentially personalised) company e-mail address. This (potentially personalised) e-mail address can originate from the following sources:

  1. System-internal list of e-mail addresses

A system-internal list of company names with associated e-mail addresses is maintained. These e-mail addresses are either researched on the Internet by the regional administrators in the various countries or identified by requesters themselves and checked by the regional administrators. The list will only contain personalised e-mail addresses if companies explicitly request that such addresses be included or if companies only provide such addresses on their website.

  2. Researched by the requester independently.

If the apps cannot offer an e-mail address via the internal address list, the requester can also find out an e-mail address independently and enter it as the recipient of the SVHC request. We recommend that the app user should not use personalised e-mail addresses if possible, but we cannot rule out the possibility that these will nevertheless be used in individual cases.

The e-mail addresses are required in order to be able to send the requests to the companies responsible for SVHC information. The e-mail addresses can be seen by the requesters. If app users choose to send their requests in copy to a retailer, the e-mail address is also shown to the retailer. Companies who want to have the requests directed to a different e-mail address can register with the AskREACH system and give the correct e-mail address there or contact their regional administrator (see https://www.askreach.eu/app-database/).

If you respond to an SVHC request by e-mail, the personal information you provide in your e-mail will be transmitted. The AskREACH server forwards the e-mail to the requesting party and stores it in encrypted form in the system solely for technical purposes. If you respond to a request from a ToxFox user, the AskREACH server forwards your response e-mail directly to the requester and the ToxFox system is informed that the request was answered.

Backup copies of the AskREACH server are divided into different categories for optimum monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups need to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form.

The ToxFox system caches the e-mail addresses it receives from the AskREACH system. The e-mail addresses are updated once a week in a certified data centre. For security reasons, a mirrored update is also stored once a week on a separate storage location in the data centre. Requests for deletion of personal data are kept in a special inbox in case a backup has to be restored and BUND manually deletes the personal data again from the imported backup. The deletion requests in the inbox are automatically deleted once a week.

Legal basis of the processing of data

The legal basis for the temporary storage of data and log files is Art. 6 (f) GDPR.

Purpose of data processing

For data protection purposes, you receive requests from consumers without the clear e-mail address of the requester. The storage of your e-mail address by the AskREACH and ToxFox systems is necessary in order to send you the SVHC requests and forward your replies to the requesters. If you would like to send your answer to the requesting party yourself, please reply to the request e-mail and instruct the consumer to contact you directly by e-mail.

If you do not respond to an SVHC request, the AskREACH system sends a reminder after 30 days. After 45 days, you may receive another request if the requester so wishes. If the original request was sent via ToxFox, the ToxFox system is informed about the status of the request (reminded, expired, answered) and transfers this information to the requester.

All personal data stored in the AskREACH server are visible to the following AskREACH technical and global administrators. On request of suppliers, the regional administrators can also see the data so that they can perform their helpdesk activities.

Personal data stored in the ToxFox server (company e-mail addresses to which the requests are sent) are visible to BUND.

Duration of storage

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

For personal data stored in log files, this is the case after up to two weeks. In the event of further storage of data, the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment to the calling client is no longer possible.

E-mail addresses in the internal list are permanently stored so that app users can send SVHC requests to these addresses. They are also cached in the ToxFox system.

The e-mail with your response to an SVHC request is forwarded to the requester and cached in the AskREACH system in encrypted form solely for technical purposes.

Possibility of objection and elimination, revocation of consent

The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.

If your e-mail address is stored in the system internal address list, it can be deleted, removed or changed at your request. If your company registers in the AskREACH database, you can enter an e-mail address for the forwarding of SVHC requests for your company. You can revoke your consent to the processing of your personal data at any time by e-mail sent to the regional administrator (see https://www.askreach.eu/app-database/). The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.

5.6. Representatives of companies registering in the database

Description, scope and purpose of the data processing

Registration in the AskREACH database takes place via the supplier frontend.

Every time you, as company representative, access the AskREACH server, our system also automatically collects data and information.

The following data are collected:

  1. The user's operating system
  2. The internet service provider of the device
  3. The IP address of the user
  4. Date and time of access
  5. Websites/web pages accessed by the user's system via our services
  6. Information about your activities on the server
  7. Volume of data transmitted
  8. Notification whether the access was successful

The data are stored in the log files of our system. Online identifiers like IP addresses and unique device IDs are identifiable in the records for attack prevention purposes and for geographic access statistics. IP addresses/device IDs are also used to limit access rates to the app/database as needed and to prevent Denial of Service (DoS) attacks and other threats.

If you register as a company representative in the AskREACH database, you enter your name and personalised e-mail address. With this personal data, together with the company name and postal address, you will be stored in the system as your company's contact person for the AskREACH system and may be contacted for queries. The latter may be the case if consumers ask questions, if there are technical problems, etc. We strongly recommend that you also provide an e-mail address for SVHC requests. If possible, choose a general e-mail address, rather than a personalised one, and make sure that someone checks the corresponding e-mail box regularly. This is the only way to ensure that you comply with your obligations under REACH Art. 33 (2) and that you can react in good time in the event of technical problems. The e-mail address for SVHC requests is visible to the public in the smartphone app and web app developed in AskREACH. This e-mail address and the company name are also transferred to the ToxFox system and therefore visible to the public in the ToxFox app.

An audit trail is implemented in the AskREACH supplier frontend (who changed what and when). Personal data such as names and e-mail addresses are stored in the audit trail in pseudonymised form.

Backup copies of the AskREACH server are divided into different categories for monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups have to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form. The ToxFox system caches the e-mail addresses for SVHC requests that it receives from the AskREACH system. The e-mail addresses are updated once a week in a certified data centre. For security reasons, a mirrored update is also stored once a week on a separate storage location in the data centre.

Legal basis for the processing of personal data

The legal basis for the temporary storage of data and log files is Art. 6 (1) (a) and (f) GDPR.

The processing of personal data you enter in the supplier frontend is tied to your consent given during the registration. Independent of your consent your IP address is stored in a log file before you register. The IP address is stored for 14 days.

Purpose of data processing

The data are stored in log files to ensure the functionality of the system. In addition, the data serves us to optimise our AskREACH IT tools (including ToxFox) and to ensure the security of our information technology systems. The data are statistically evaluated in anonymous form in order to document the success of the AskREACH IT tools (including ToxFox). The temporary storage of the IP address by the AskREACH system is necessary to enable the server information to be delivered to the user's computer/device. For this, the IP address of the user must be stored for the duration of the session. The data are not evaluated for marketing purposes. 

Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.

This data from the log file is not combined with any other stored data. A direct reference of the IP number from the log file to your person is not possible and is excluded. The IP address is only evaluated in the event of attacks on the AskREACH IT infrastructure, offences against morality and other illegal activities in connection with the use of the AskREACH IT tools. A conclusion from the IP number to your person is only possible through your dial-in provider through a public prosecutor's investigation.

The storage of your name and your personal e-mail address by the system is necessary so that the system can communicate with you. You register as a contact person of your company for AskREACH.

All personal data stored in the AskREACH server are visible to the AskREACH technical and global administrators. In addition, your contact details will be made available to the regional administrators via the AskREACH system.

Duration of storage

Your name and email address will be stored until you delete them or your account yourself or the data/account is deleted by an administrator.

If you reply to an SVHC request by e-mail, this e-mail will be forwarded and will be stored in encrypted form in the AskREACH system for technical purposes.

If personal data is stored in log files (online identifiers), it will be deleted after two weeks at the latest. Further storage is possible. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment to the calling client is no longer possible. The ToxFox system caches the e-mail addresses for SVHC requests that it receives from the AskREACH system. The e-mail addresses are updated once a week in a certified data centre. For security reasons, a mirrored update is also stored once a week on a separate storage location in the data centre. In case the AskREACH system is ultimately shut down, supplier data in the ToxFox system will be deleted 90 days later.

Possibility of objection and elimination, revocation of consent

The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.

You can change your name and e-mail address yourself via your account or delete the account. You can revoke your consent to the processing of your personal data at any time by sending a corresponding e-mail to the regional administrator (see https://www.askreach.eu/app-database/). The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.

6. Transfer to third countries (outside the EU)

We have a Serbian regional administrator of our app outside the EU. In Serbia, a national law has been adopted that implements provisions equivalent to the GDPR. The Serbian app is also available in Montenegro and Bosnia and Herzegovina. With regard to these countries, no adequacy decision of the EU Commission according to Art. 45 GDPR is available. Data transfer (e.g. of your name or personalised e-mail address) into these countries for which there is neither an adequacy decision nor appropriate guarantees entails risks.

In addition, requests can be sent to any company outside the EU.

7. Agreement to be approached for campaigns and questionnaires

Companies that have registered to the system may be asked to participate in surveys to provide the AskREACH project with data on impacts achieved and user satisfaction. Invitations to participate will be sent via e-mail or will appear on the “landing page” of the supplier frontend, i.e. the first page the user sees after logging on to the system. The project may contact individual suppliers based on their activities as documented by the database (e.g. high proportion of uploaded articles that contain SVHCs). The project may also launch surveys addressing all registered suppliers. Also, in this case companies will see an invitation to participate on their landing page of the supplier frontend (in a survey or interview) or receive it via e-mail. Up to this point, personal data is not involved.

Companies that agree to participate may be directed to a questionnaire created with the web tool LimeSurvey, which is hosted on an external website by the AskREACH partner sofia. The data privacy conditions of LimeSurvey apply (https://www.limesurvey.org/privacy-policy).

Companies that agree to participate may be asked to provide contact data that can be used for individual interviews. All surveys are evaluated anonymously.

8. E-mail contact

Description and scope of data processing and storage of data

You can send questions about the supplier frontend or database by e-mail to UBA (in German or English) or to your regional administrator. In this case, your personal data transmitted with the e-mail will be stored by us or by the regional administrator.

In this context, the data will not be passed on to third parties (excluding global, technical and regional administrators) without your separate consent.

We and the technical and regional administrators will use the data for processing the conversation and store them as long as necessary for further reference in the context of your use of our IT tools. The administrators who store correspondence for a longer period because of their national administrative law become controllers for these data.

The following e-mails are permanently stored:

Legal basis for the processing of personal data

The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR.

Purpose of data processing

The processing of the personal data serves for answering your enquiry.

Possibility of objection and elimination

You have the possibility to object to the processing of your personal data sent with your e-mail at any time. To this end, please contact our data protection officer (in German, English) or the regional administrator. In such a case, the exchange cannot be continued. All personal data stored in the course of contacting us or the regional administrator will be deleted.

9. Your rights

If your personal data are processed, you are a data subject within the meaning of the EU General Data Protection Regulation (GDPR) and you are entitled to the following rights vis-à-vis the person responsible. Please contact your regional administrator (see https://www.askreach.eu/app-database/) or (in German or English) the German Environment Agency's Data Protection Officer (see above).

Right to information

You can ask the person in charge to confirm whether personal data concerning you will be processed by us. 

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.

This right to information may be limited to the extent that it is likely to make impossible or seriously impair the realisation of research or statistical purposes and the limitation is necessary for the fulfilment of research or statistical purposes.

Right to rectification 

You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.

Your right to rectification may be limited to the extent that it is likely to render impossible or be seriously prejudicial to the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.

Right to restriction of processing

Under the following conditions, you may request that the processing of personal data concerning you be restricted:

  1. if you dispute the accuracy of the personal data concerning you, during a period that enables the data controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;
  3. the data controller no longer needs the personal data for the purposes of the processing, but you do need them to establish, exercise or defend legal claims, or
  4. if you have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the person responsible override your grounds.

If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the European Union or a Member State.

If the processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.

Your right to limitation of processing may be limited to the extent that it is likely to render impossible or seriously prejudice the achievement of research or statistical purposes and the restriction is necessary for the fulfilment of research or statistical purposes.

Right to be forgotten

a) Duty to delete

You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke your consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.
  3. You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR. 
  4. The personal data concerning you have been processed unlawfully. 
  5. The deletion of personal data relating to you is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject. 
  6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

b) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 (1) GDPR, the data controller shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.

c) Exceptions

The right to deletion does not exist insofar as the processing is necessary

  1. to exercise freedom of expression and information;
  2. for the performance of a legal obligation required for processing under the law of the EU or of the Member State to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
  3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the right referred to under point a) is likely to make it impossible or would seriously impair the attainment of the objectives of such processing, or
  5. to assert, exercise or defend legal claims.

Right to information

If you have exercised your right to have the data controller correct, delete or limit the processing of data, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.

The person responsible shall inform you about those recipients if you request it.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to the data controller in a structured, commonly used and machine-readable format. In addition, you have the right to pass this data on to another data controller without obstruction by the data controller to whom the personal data was made available, provided that

  1. processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
  2. processing is carried out by automated methods.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.

The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

Right to object

You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data in accordance with Art. 6 (1) (f) GDPR. 

The controller shall then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defence of legal claims.

You may exercise your right of objection in connection with the use of information society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.

You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR for reasons arising from your particular situation.

Your right to object may be limited to the extent that it is likely to render impossible or seriously impair the realisation of the research or statistical measures and the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to revoke the data protection declaration of consent

You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.

Right of appeal to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State of your place of residence, your place of work or the place of the suspected infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

In the case of the German Environment Agency, the responsible supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).

10. Use of personal data published in our IT tools 

The misuse of contact data or comparable information published by us such as postal addresses, telephone and fax numbers and e-mail addresses is not permitted. We expressly reserve the right to take legal action against the senders of so-called spam mails in the event of violations of this prohibition.