Version 2025
This disclaimer and data privacy statement concerns
1. all enterprises who want to answer consumer SVHC requests via the AskREACH system
2. all enterprises who want to register with the AskREACH database in order to upload information on SVHCs in their articles to the database.
The AskREACH IT tools include the business logic, the European smartphone app and web app, the European database and the supplier frontend. They were developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738). The database and the supplier frontend are addressed to suppliers of consumer articles in accordance with the REACH article definition. The German Environment Agency (UBA, Wörlitzer Platz 1, D-06844 Dessau-Rosslau, Germany) is the provider of the database and the respective supplier frontend. UBA is the global administrator of the AskREACH IT tools, company adesso SE is the technical administrator. The AskREACH project partners and replicators in the various countries where the app developed in AskREACH is available are the regional administrators.
The UBA accepts no responsibility for the accuracy, completeness, quality or actuality of the contents of the AskREACH IT tools. Any liability claims against the UBA for material or immaterial damages that arise from the use or non-use of information available via the IT tools or the use of erroneous or incomplete information available via the IT tools shall be excluded insofar as no culpable act of gross negligence has been committed by the UBA. Our services are non-binding and subject to change at any time without notification. The UBA shall be entitled to modify any aspect of the IT tools and/or their contents in any way it sees fit, in whole or in part, without prior notification.
The UBA and the AskREACH partners and replicators shall not be liable for links used in the AskREACH IT tools that are beyond the UBA’s control unless they have knowledge of the relevant contents and it would have been reasonable and technically possible for us to forestall the use of any such contents that may be illicit. The UBA and the AskREACH partners and replicators thus hereby expressly state that at the time any such link was created we had no knowledge that it was associated with any illicit Web contents. Inasmuch as we have no control over the current or future design, contents or copyright of any linked Web page, we hereby expressly repudiate any contents of any linked page that was altered after the link in question was created. This applies to all links and references used in the IT tools, as well as any third party entry. In the event of illicit, erroneous or incomplete contents, and in particular in connection with damages arising from the use or non-use of such information, the Web site owner to which the link in question directed shall assume liability, and not the tool owner that provided links to such contents. Third party Web sites that can be accessed via external links may possibly not be barrier-free. Note that any linking to the AskREACH IT tools does not constitute grounds for reciprocity.
In all AskREACH IT tools, the UBA and the AskREACH consortium have made every effort (a) to respect copyright restrictions for all graphics, audio, video and text; (b) to use graphics, audio, video and text created by the UBA or AskREACH itself; and (c) to use licence-free graphics, audio, video and text. All protected marks and trademarks used are protected by the applicable copyright laws pursuant to the intellectual property rights of their duly registered owners. The fact that registered trademarks are mentioned should not be taken to mean that such trademarks are not protected by third party rights.
The copyright for published objects created by the UBA or AskREACH itself remains solely with the UBA or AskREACH and the staff working on the IT tools. Unless otherwise indicated, objects, graphics, sound documents, video sequences and texts created by the UBA or AskREACH itself are under a creative commons 4.0 international licence (no commercial use, no editing, https://creativecommons.org/licenses/by-nc-nd/4.0/).
This disclaimer constitutes an element of the AskREACH IT tools. Insofar as any provision of the present disclaimer is or becomes legally invalid or unenforceable, the remaining provisions shall remain fully enforceable.
The German Environment Agency, represented by its President, is responsible within the meaning of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other data protection regulations:
German Environment Agency
Präsidialbereich / Presse- und Öffentlichkeitsarbeit, Internet
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
Phone: +49-340-2103-2416
E-mail: buergerservice@uba.de
The German Environment Agency's data privacy officer is available to answer your questions and provide you with information on the subject of data protection, and is also the contact person for the enforcement of your rights as a concerned party. However, requests made in other languages than German and English have to be directed to the regional administrators (see https://www.askreach.eu/app-database/) for translation. After translation they will be directed by the regional administrators to the data privacy officer and the global administrator UBA:
Mr Udo Langhoff
German Environment Agency
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
Phone: +49-30-8903-5141
e-mail: udo.langhoff@uba.de
The following explanations refer to the European AskREACH database including the supplier frontend, which were both developed in the LIFE project AskREACH. The database is linked to the European smartphone app developed in AskREACH and the corresponding web app.
UBA is the controller of the AskREACH business logic including the database and supplier frontend as well as of the smartphone app and web app. Regional administrators in the various countries promote the app and support app and database users. They are authorities or organisations of the AskREACH partner countries and of further countries in which a regional app version is available (“replicator countries“). Company adesso SE (https://www.adesso.de)) is responsible for the technical operation of the AskREACH system (database and all frontends). Company LUMASERV GmbH is responsible for the hosting (https://lumaserv.com).
Scope of the processing of personal data
We only process personal data of users of our IT tools if this is necessary to provide functional tools and for our contents and services (such as the provision of SVHC information by suppliers of consumer articles). The processing of our users' personal data takes place as a rule only with their consent.
Unless otherwise provided for in this data protection declaration, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. The stored data can be viewed by the administrators of the German Environment Agency and company adesso SE.
Your contact details, GCPs/barcode ranges and information about your answering behaviour will be made available to the regional administrators via the AskREACH system. They may then approach the companies that do not respond to consumer requests in order to find out the reasons. Regional administrators may publish anonymous statistics from the database. Company specific data other than that mentioned above may only be viewed by regional administrators in the framework of their helpdesk activities and with your agreement. Data protection agreements according to GDPR Art. 28 have been concluded between UBA and adesso SE, the external host, UBA and the regional administrators .
All information you send when using the AskREACH IT tools is transmitted in encrypted form via a "Secure Socket Layer" (SSL) connection. Your personal data cannot be read by unauthorised persons during transmission on the Internet.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is usually the consent of the data subject pursuant to Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR).
If processing is necessary to safeguard a legitimate interest of our authority or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for processing.
Data erasure and storage time
The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply.
Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.
Every time you access our system, the system automatically collects data and information from the calling computer system. This information (server log files) comprises, for example information on the browser, the user’s operating system, or the domain of your internet service provider. In addition, the IP address or potentially the device ID of your smartphone is transmitted and used in order to be able to use the desired service. This information is technically necessary for the correct delivery of contents requested by you from our IT tools and is mandatory when using the Internet.
This data is not stored together with other personal data of the user.
According to our data privacy concept, the incoming log file data are stored for two weeks in order for us to be able to recognise and analyse any attacks against our system. The legal basis for data processing is Art. 6 (1) (f) GDPR. If a specific IP address or device identification number has to be blocked, it is permanently stored.
Description and scope of the data processing
If you, as a company representative, are sent a request for substances of very high concern (SVHCs) via the AskREACH smartphone app or web app, this request may be received via your (personalised) company e-mail address. This (personalised) e-mail address can originate from the following sources:
1. System-internal list of e-mail addresses
A system-internal list of company names with associated e-mail addresses is maintained. These e-mail addresses are either researched on the Internet by the regional administrators in the various countries or identified by requesters themselves and checked by the regional administrators. The list will only contain personalised e-mail addresses if companies explicitly request that such addresses be included or if companies only provide such addresses on their website.
2. Researched by the requester independently.
If the app cannot offer an e-mail address via the internal address list, the requester can also find out an e-mail address independently and enter it as the recipient of the SVHC request. We recommend that the app user should not use personalised e-mail addresses if possible, but we cannot rule out the possibility that these will nevertheless be used in individual cases.
The e-mail addresses are required in order to be able to send the requests to the companies responsible for SVHC information. The e-mail addresses can be seen by the requesters. If app users choose to send their requests in copy to a retailer, the e-mail address is also shown to the retailer. Companies who want to have the requests directed to a different e-mail address can register with the AskREACH system and give the correct e-mail address there or contact their regional administrator (see https://www.askreach.eu/app-database/).
If you respond to an SVHC request by e-mail, the personal information you provide in your e-mail will be transmitted. The AskREACH server forwards the e-mail to the requesting party and stores it in encrypted form in the system solely for technical purposes.
Audit trail is implemented (who changed what and when). User IDs and user names are stored in the audit trail in pseudonymised form.
Backup copies of the server are divided into different categories for optimum monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups need to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form.
Legal basis of the processing of data
The legal basis for the temporary storage of data and log files is Art. 6 (f) GDPR.
Purpose of data processing
For data protection purposes, you receive requests from consumers without the clear e-mail address of the requester. The storage of your e-mail address by the system is necessary in order to send you the SVHC request and forward your reply to the requester. If you would like to send your answer to the requesting party yourself, please reply to the request e-mail and instruct the consumer to contact you directly by e-mail.
If you do not respond to an SVHC request, the system sends a reminder after 30 days. After 45 days, you may receive another request if the requester so wishes.
All personal data stored in the AskREACH server are visible to the following AskREACH technical and global administrators. On request of suppliers, the regional administrators can also see the data so that they can perform their helpdesk activities.
Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
For personal data stored in log files, this is the case after two weeks at the latest. Further storage is possible. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment to the calling client is no longer possible.
In order for the system to be able to contact you, your e-mail address is stored for as long as required for the response to/processing of each SVHC request for your consumer articles.
If you reply to an SVHC request by e-mail, this e-mail is forwarded and cached in the system in encrypted form solely for technical purposes.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
If your e-mail address is stored in the system internal address list, it can be deleted, removed or changed at your request. If your company registers in the AskREACH database, you can enter an e-mail address for the forwarding of SVHC requests for your company. You can revoke your consent to the processing of your personal data at any time by e-mail sent to the regional administrator (see https://www.askreach.eu/app-database/). The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.
Description, scope and purpose of the data processing
Registration in the AskREACH database takes place via the supplier frontend.
Every time you, as company representative, access the AskREACH server, our system also automatically collects data and information.
The following data are collected:
The data are stored in the log files of our system. Online identifiers like IP addresses and unique device IDs are identifiable in the records for attack prevention purposes and for geographic access statistics. IP addresses/device IDs are also used to limit access rates to the app/database as needed and to prevent Denial of Service (DOS) attacks and other threats.
If you register as a company representative in the AskREACH database, you enter your name and personalised e-mail address. With this personal data, together with the company name and postal address, you will be stored by the system as your company's contact person for the AskREACH system and may be contacted for queries. The latter may be the case if consumers ask questions, if there are technical problems, etc. We strongly recommend that you also provide an e-mail address for SVHC requests. If possible, choose a general e-mail address, rather than a personalised one, and make sure that someone checks the corresponding e-mail box regularly. This is the only way to ensure that you comply with your obligations under REACH Art. 33 (2) and that you can react in good time in the event of technical problems. The e-mail address for SVHC requests is visible to the public in the smartphone app and web app.
Audit trail is implemented (who changed what and when). Personal data like names and e-mail addresses are stored in the audit trail in pseudonymised form.
Backup copies of the server are divided into different categories for monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups have to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form.
Legal basis for the processing of personal data
The legal basis for the temporary storage of data and log files is Art. 6 (1) (a) and (f) GDPR.
The processing of personal data you enter in the supplier frontend is tied to your consent given during the registration. Independent of your consent your IP address is stored in a log file before you register. The IP address is stored for 14 days.
Purpose of data processing
The data are stored in log files to ensure the functionality of the system. In addition, the data serves us to optimise our AskREACH IT tools and to ensure the security of our information technology systems. The data are statistically evaluated in anonymous form in order to document the success of the AskREACH IT tools. The temporary storage of the IP address by the system is necessary to enable the server information to be delivered to the user's computer/device. For this, the IP address of the user must be stored for the duration of the session. The data are not evaluated for marketing purposes.
Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
This data from the log file is not combined with any other stored data. A direct reference of the IP number from the log file to your person is not possible and is excluded. The IP address is only evaluated in the event of attacks on the AskREACH IT infrastructure, offences against morality and other illegal activities in connection with the use of the IT tools. A conclusion from the IP number to your person is only possible through your dial-in provider through a public prosecutor's investigation.
The storage of your name and your personal e-mail address by the system is necessary so that the system can communicate with you. You register as a contact person of your company for AskREACH.
All personal data stored in the AskREACH server are visible to the AskREACH technical and global administrators. In addition, your contact details will be made available to the regional administrators via the AskREACH system.
Duration of storage
Your name and email address will be stored until you delete them or your account yourself or the data/account is deleted by an administrator.
If you reply to an SVHC request by e-mail, this e-mail will be forwarded and will be stored in encrypted form in the system for technical purposes.
If personal data is stored in log files (online identifiers), it will be deleted after two weeks at the latest. Further storage is possible. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment to the calling client is no longer possible.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
You can change your name and e-mail address yourself via your account or delete the account. You can revoke your consent to the processing of your personal data at any time by sending a corresponding e-mail to the regional administrator (see https://www.askreach.eu/app-database/). The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.
We have a Serbian regional administrator of our app outside the EU. In Serbia, a national law has been adopted that implements provisions equivalent to the GDPR. The Serbian app is also available in Montenegro and Bosnia Hercegovina. With regard to these countries no adequacy decision of the EU Commission according to Art. 45 GDPR is available. Data transfer (e.g. of your name or personalised e-mail address) into these countries for which there is neither an adequacy decision nor appropriate guarantees entails risks.
In addition, requests can be sent to any company outside the EU.
Description and scope of data processing and storage of data
You can send questions about the supplier frontend or database by e-mail to UBA (in German or English) or to your regional administrator. In this case, your personal data transmitted with the e-mail will be stored by us or by the regional administrator.
In this context, the data will not be passed on to third parties (excluding global, technical and regional administrators) without your separate consent.
We and the technical and regional administrators will use the data for processing the conversation and store them as long as necessary for further reference in the context of your use of our IT tools. The administrators who store correspondence for a longer period because of their national administrative law become controllers for these data.
The following e-mails are permanently stored:
Legal basis for the processing of personal data
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR.
Purpose of data processing
The processing of the personal data serves for answering your enquiry.
Possibility of objection and elimination
You have the possibility to object to the processing of your personal data sent with your e-mail at any time. To this end, please contact our data protection officer (in German, English) or the regional administrator. In such a case, the exchange cannot be continued. All personal data stored in the course of contacting us or the regional administrator will be deleted.
If your personal data are processed, you are affected within the meaning of the basic EU General Data Protection Regulation (GDPR) and you are entitled to the following rights vis-à-vis the person responsible. Please contact your regional administrator (see https://www.askreach.eu/app-database/) or (in German or English) the German Environment Agency's Data Protection Officer (see above).
Right to information
You can ask the person in charge to confirm whether personal data concerning you will be processed by us.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
This right to information may be limited to the extent that it is likely to make impossible or seriously impair the realisation of research or statistical purposes and the limitation is necessary for the fulfilment of research or statistical purposes.
Right to rectification
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.
Your right to rectification may be limited to the extent that it is likely to render impossible or be seriously prejudicial to the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to restriction of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the European Union or a Member State.
If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
Your right to limitation of processing may be limited to the extent that it is likely to render impossible or seriously prejudice the achievement of research or statistical purposes and the restriction is necessary for the fulfilment of research or statistical purposes.
Right to be forgotten
a) Duty to delete
You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:
b) Information to third parties
Having made the personal data concerning you public and being obliged to delete it pursuant to Art. 17 para. 1 GDPR, the data controller shall take appropriate measures, including technical measures taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data.
c) Exceptions
The right to cancellation does not exist insofar as the processing is necessary
Right to information
If you have exercised your right to have the data controller correct, delete or limit the processing of data, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
The person responsible shall inform you about those recipients if you request it.
Right to data transferability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was made available, provided that
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data in accordance with Art. 6 (1) (f) GDPR.
The controller shall then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
You may exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR for reasons arising from your particular situation.
Your right to object may be limited to the extent that it is likely to render impossible or seriously impair the realisation of the research or statistical measures and the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or suspect of infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
In the case of the German Environment Agency, the responsible supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).
The misuse of contact data or comparable information published by us such as postal addresses, telephone and fax numbers and e-mail addresses is not permitted. We expressly reserve the right to take legal action against the senders of so-called spam mails in the event of violations of this prohibition.