Terms of use






Terms of use for the Scan4Chem smartphone app and web app

These terms of use apply to the app Scan4Chem which is available in the Czech Republic as smartphone app or web app. The app was developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738) and is provided and controlled by the German Environment Agency (Umweltbundesamt; UBA). The German Environment Agency is in the following referred to as the provider, we, our or us. ARNIKA is partner of the AskREACH project and the regional app administrator in the Czech Republic.

Children under the age of 16 are not permitted to use the services or provide any personal information about themselves. Parents or guardians may not agree to these terms or register for the services on behalf of children under 16 years of age.

The terms of use together with our privacy policy form a binding agreement. By using our app, you consent to the terms of use. If any of these provisions are changed you will be informed accordingly. If you choose not to accept the new provisions, you may no longer use the app. If you continue to use the app, this means that you agree to the new provisions.

You can use our app to obtain information about substances of very high concern (SVHCs) in consumer products. Please consult the FAQs in the app about the definition of SVHCs, the consumer right to information concerning these substances and the scope of this right.

The use of Scan4Chem is free of charge. Obtaining the company address and sending the request are done through the Internet and involves a variable amount of data (kB), depending on the number of pictures the user attaches. Note that connection costs may be incurred for online requests. The information about SVHCs can be obtained in different ways:

  • Instantaneously via the European database that is connected to the app (provided the product supplier has entered the information into this database)
  • By sending a request to be passed on to the product supplier and receiving their answer.

 

In both cases you have to consent to these terms of use. If you send a request to be passed on to the product supplier, you have to provide your name, e-mail address and country of residence. Then we send you an e-mail and ask you to confirm your e-mail address. Only your name and your country of residence are forwarded to the product supplier.

If you have questions, comments or reservations about these terms of use or our services, please contact scan4chem@uba.de (German or English) or your regional administrator in the Czech Republic: Scan4chem@arnika.org.

 

What do you have to consider when you upload information to the services?

If a product is not yet in our system database, you may provide product name and brand/company name and upload a photo of the product to the database during the request creation process. This information is then marked as crowdsourced information and shown to other app users so that they can identify the products they have just scanned. You can also submit an e-mail address of a product supplier if there is no e-mail address in our address list yet. The e-mail address is checked and, if correct and not a personalised e-mail address, it is included in our address list so that other app users can use it for their requests. In addition, you can add a personal comment to the request that is sent to the product supplier.

You agree not to enter or upload contents or user contributions that infringe the law, including the rights of others. Contents, contributions or comments shall not be harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene or otherwise objectionable. Photos should show exclusively the consumer product in question, with no persons, vehicle registration numbers, items that suggest the shop in which the photo was made, etc. No copyrighted pictures may be used. Any violation of any of the foregoing will terminate your right to use or access the services.
The provider is entitled to use, edit and exploit the contents at any time and to transfer them to third parties. This includes in particular the right of reproduction, the right of distribution and the right of public reproduction, in particular the right of public accessibility. The user waives any copyright. This provision does not affect the user's right to grant third parties rights to content under certain licencing models.

Finally, you allow the provider to make changes to your user submissions in order to customise and adapt them to the technical requirements of connection networks, devices, services or media when performing the necessary technical steps to provide the services to our users (including you)

We also reserve the right, at our sole discretion and without notice, to remove content from the services at any time and for any reason (including, but not limited to claims by third parties that the content you have contributed violates these terms).

Further obligations of the user

The app user must refrain from any activity that is likely to impair and/or overload the operation of the services or the technical infrastructure behind them.
Should the use of the services or their functionalities be disrupted, the user shall immediately inform the provider or the regional app administrator of this disruption. The same shall apply if the user obtains information about content published by third parties which obviously violates applicable law or the rights of third parties.

Who is responsible for information uploaded/transmitted by the app user or the product supplier?

Any information or contents published or transmitted through the services by product suppliers or app users is the sole responsibility of the person from whom such contents originate. We accept no responsibility for the correctness of information given by product suppliers. Any opinions that might be expressed in the replies of suppliers do not necessarily reflect our own views.

You access all such information and contents at your own risk. We are not liable for any errors or omissions in such information or contents or for any damages or losses you may suffer in connection therewith. We cannot guarantee the identity of all app users and product suppliers with whom you interact in the course of using the services and are not responsible for whoever gains access to the services.

Use of personal data published in our IT tools 

The misuse of data from the imprint or comparable information from contact data published by us such as postal addresses, telephone and fax numbers and e-mail addresses is not permitted. We expressly reserve the right to take legal action against the senders of so-called spam mails in the event of violations of this prohibition.

What happens if I don’t want to use the services anymore?

You can delete the app on your smartphone or other device at any time. Please read our Privacy Policy and the information about the right of using your uploaded data described above to learn more about how we treat the information you have provided to us when you stop using our services. We may also terminate your use of the services (or suspend your access to them) for any reason at our discretion, including your violation of these terms. We have the sole right to determine whether you are in breach of any of the restrictions set forth in these terms.

Liability

The provider makes no guarantees as to the availability, reliability, or functionality of the app, or its suitability for your purposes.

The compensation for breach of essential contractual obligations is limited to the contractually typical, foreseeable damage, unless in cases of intent or gross negligence.

Right of recourse

If your use of the app damages third parties, you release the provider and our employees or representatives from paying damages to the third party. This means that if you as the app user damage a third party and this third party has a claim for damages, the app user must pay the damages to the third party. If in these cases the third party injured by the app user makes a claim for damages against the provider and we and our employees or representatives incur costs, the app user has to reimburse these costs. These costs may also include an appropriate legal defence, if the damage claimed by the third party against the provider can only be averted in this way.

For example: The app user does not use a self-photographed picture in the app in order to use it in the request to a company, but uses a copyrighted picture without any rights of use. If the owner of the copyright for the picture now claims damages for this copyright infringement, the app user must pay damages for the infringement and indemnifies the provider of the app.

Severability Clause

Should one of the above provisions be or become invalid, the remaining provisions shall continue to apply.

 

 



Disclaimer and data privacy declaration for the Scan4Chem smartphone app and web app

This disclaimer and data privacy statement concerns the app Scan4Chem which is available as smartphone app (Android, iOS) and web app. The app was developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738) and is provided by the German Environment Agency (Umweltbundesamt; UBA). The German Environment Agency is in the following referred to as provider, we, our or us. Depending on the national legislation in the Czech Republic the app is addressed to users aged 16 and over (in the following: you, or your).
Definitions:

  • App = smartphone app (Android, iOS) + web app.
  • IT tools = app + database with product information + business logic.
  • Regional administrator = organisation that popularises the app in a certain country and is responsible for support of app users and database users in that country. These organisations are either AskREACH project partners or AskREACH replicators who replicate certain project tasks in their countries.

Content of the IT tools

The provider accepts no responsibility for the accuracy, completeness, quality or actuality of the contents of the AskREACH IT tools. Any liability claims against us for material or immaterial damages that arise from the use or non-use of information available via the IT tools or the use of erroneous or incomplete information available via the IT tools shall be excluded insofar as no culpable act of gross negligence has been committed by us. Our services are non-binding and subject to confirmation. We are entitled to modify any aspect of the IT tools and/or their contents in any way we see fit, in whole or in part, without prior notification.

References and links

We shall be liable for links used in the AskREACH IT tools that are beyond our control only insofar as we have knowledge of the relevant contents and it would have been reasonable and technically possible for us to forestall the use of any such contents that may be illicit. Inasmuch as we have no control over the current or future design, content or copyright of any linked Web page, we hereby expressly repudiate any contents of any linked page that was altered after the link in question was created. This applies to all links and references used in the IT tools, as well as any third party entry. In the event of illicit, erroneous or incomplete contents, and in particular in connection with damages arising from the use or non-use of such information, the website owner to which the link in question led shall assume liability, and not the tool owner that provided links to such contents. Third party websites that can be accessed via external links may not be accessible without barriers. Please also note that any linking to this application does not constitute grounds for reciprocity.

Copyright and trademark rights

In all AskREACH IT tools, the provider has made every effort to (a) respect copyright restrictions for all graphics, audio, video and text; (b) use graphics, audio, video and text created by the UBA or AskREACH itself; (c) use licence-free graphics, audio, video and text. All protected marks and trademarks used are protected by the applicable copyright laws pursuant to the intellectual property rights of the duly registered owners. If registered trademarks are mentioned in the app this does not mean that such trademarks are not protected by third party rights.
The copyright for published objects created by the provider or AskREACH itself remains solely with the provider or AskREACH and the staff working on the IT tools. Unless otherwise indicated, objects, graphics, sound documents, video sequences and texts created by the provider or AskREACH itself are under a creative commons 4.0 international license (no commercial use, no editing, https://creativecommons.org/licenses/ba-nc-nd/4.0/).  

Legal validity of this disclaimer

This disclaimer constitutes an element of the AskREACH smartphone app and web app. Insofar as any provision of the present disclaimer is or becomes legally invalid or unenforceable, the remaining provisions shall remain fully enforceable.

Data privacy

5.1. Name and address of the person responsible

The German Environment Agency, represented by its President, is responsible within the meaning of the EU General Data Protection Regulation (GDPR) and the relevant law at national level, i.e. in the Czech Republic law n.110/2019.
German Environment Agency
Präsidialbereich / Presse- und Öffentlichkeitsarbeit, Internet
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
Phone: +49-340-2103-2416
E-mail: buergerservice@uba.de
www.umweltbundesamt.de

5.2. Name and address of the data privacy officer

The German Environment Agency data privacy officer is available to answer your questions and provide you with information on the subject of data protection, and is also the contact person for the enforcement of your rights as a concerned party. However, requests made in languages other than German or English have to be directed to an appropriate regional administrator for translation. After translation they will be redirected by the regional administrators to the data privacy officer:
Mr. Udo Langhoff
German Environment Agency
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
Phone: +49-30-8903-5141
E-mail: udo.langhoff@uba.de
In your country the regional administrator is ARNIKA and can be contacted via Scan4chem@arnika.org.

5.3. General information on data processing

The following explanations refer to the app developed in the LIFE project AskREACH. UBA is the controller of the AskREACH database and business logic and of the smartphone app and web app. The AskREACH project partner Luxembourg Institute of Science and Technology (LIST, https://www.list.lu) is responsible for the technical operation of the app. The server is made available by an external host (IBM of Belgium sprl / bvba https://www.ibm.com/contact/be/en/?lnk=flg-cont-be-en).
Scope of the processing of personal data
We only process personal data of users of our IT tools if this is necessary to provide functional tools as well as our contents and services (such as the provision of SVHC information by suppliers of consumer articles). As a rule, the processing of our users' personal data takes place only with their consent. An exception applies in those cases where prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.
Unless otherwise stated in this data protection declaration in individual cases, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. In the context of their helpdesk activities the global administrators of the German Environment Agency (UBA), the technical administrators of the Luxembourg Institute of Science and Technology (LIST) and the regional administrators may view the stored data. The technical administrators may also view the data as necessary for attack prevention. Data protection agreements in accordance with GDPR Art. 28 have been concluded between UBA and LIST, UBA and the regional administrator and between LIST and the external host.
All information you transmit is in an encrypted form via a "Secure Socket Layer" (SSL) connection. Your personal data cannot be read by unauthorised persons during transmission on the Internet.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is the consent of the data subject pursuant to Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR).
All processing of personal data is tied to your consent given in the app.
Data erasure and storage time
The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. 
Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.

5.4. Provision of the app and creation of log files

Our smartphone app can be downloaded from the Google and Apple app stores.
If users download the app from the app stores they are subjected to the data privacy rules of iTunes or GooglePlay. We hereby expressly bring to users’ attention the fact that we have no control either over the terms of use or the owners of the app stores. We cannot be held liable for any action taken by any owner of an app store or by any third party.
We hereby expressly draw your attention to the fact that app store owners archive data and use it for commercial purposes. We have no knowledge as to the scope of such data or the term of its archiving. However, you are legally entitled to ask the app store owner to allow you to view your personal data and you can assert all your rights under the EU General Data Protection Regulation (GDPR).  
Every time you access our system by using the app, our system automatically collects data and information from the calling smartphone device or computer system. This information (server log files) includes information on the browser, the operating system, the domain of your internet service provider, etc. In addition, the IP address or the device ID of your smartphone is transmitted and used in order to be able to use the desired service. This information is technically necessary for the correct delivery of content requested by you from our IT tools and is mandatory when using the Internet.
This data is not stored together with other personal data of the user.
In accordance with our data privacy concept, the incoming log file data are stored for two weeks in order to recognise and analyse any attacks against our system. If a specific IP address or device identification number must be blocked, it is permanently stored.

5.5. Use of the app

Scope of the data processing
You get access to the web app via our website or the websites of the regional administrator. We log the download and collect statistics. The web app then only communicates between the user's browser and the AskREACH server. Each time your computer accesses the AskREACH server, our system automatically collects data and information.
Every time your smartphone accesses the AskREACH server, our system also automatically collects data and information.
The following data are collected:

  1. The user's operating system
  2. The IP address of the user
  3. The device identification number, if applicable
  4. Date and time of access
  5. Websites accessed by the user's system via our services
  6. Information about your activities on the server
  7. Volume of data transmitted
  8. Notification whether the access was successful

The data are stored in the log files of our system. IP addresses and device IDs are identifiable in the records for attack prevention purposes and for geographic access statistics. IP addresses/device IDs are also used to limit access rates to the app/database as necessary and prevent Denial of Service (DOS) attacks and other threats.
You enter your name and e-mail address yourself. This personal data is not required to retrieve SVHC information from the AskREACH database. You do not have to make such an entry until you send a request to an article supplier. If you send a request, this data is stored on the server for as long as is necessary to process the app actions you desire. Your name and country of residence are visible to the addressee of your request, but your e-mail address is not. With the smartphone app, your name, country of residence and e-mail address are stored on your smartphone so you don't have to re-enter them at the next app session if you make a request. In the case of the web app, this information is not stored on your computer, so you must re-enter it in each session you make a request.
Backup copies of the server are divided into different categories for monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups need to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form.
Legal basis for the processing of personal data
The legal basis for the temporary storage of data and log files is Art. 6 (1) (a) of the GDPR.
Purpose of data processing
The data are stored in the system to ensure the functionality of the system. In addition, the data help us to optimise our AskREACH IT tools and to ensure the security of our information technology systems. The data are statistically evaluated in anonymous form in order to document the success of AskREACH IT tools. The temporary storage of the IP address by the system is necessary to enable the server information to be delivered to the user's computer/device. For this the IP address of the user must remain stored for the duration of the session. The data are not evaluated for marketing purposes. 
This data from the log file is not combined with any other stored data. A direct reference of the IP number from the log file to your person is not possible and is excluded. The IP address is only evaluated in the event of attacks on the AskREACH IT infrastructure, offences against morality, or other illegal activities in connection with the use of the IT tools. A conclusion from the IP number to your person is only possible through your dial-in provider through a public prosecutor's investigation.
You enter your name and e-mail address yourself into the app and can change or delete it at any time. The smartphone app stores this information on your phone so you don't have to re-enter it for each request. With the Web app, this data is stored during a session so you don't have to re-enter it for each request. When you close the Web app, the data is deleted.
If you send a request to a company, only the name you entered and your country of residence are visible to the company. Your name should show the company that a real person is behind the request. The country is indicated so that the company can reply to you in the appropriate language. Sending a request may lead to the following outcomes:

  • Entry of the desired information by the company into the AskREACH database. You will then receive the corresponding information from the system.
  • The company sends the information by e-mail to the AskREACH server, which then forwards it to you.
  • Some companies do not want to use our system, but want to contact their customers directly. In this case, our system will inform you accordingly and you will be asked to send your request by e-mail again directly to the company, if you wish.
  • Or, a company may not react at all. In this case, the system sends a reminder to the company after 30 days. After 45 days, the system will ask you if you want to send another request. Generally, the regional administrators try to find out why companies do not respond.

To allow the system to respond and contact you appropriately, your name and e-mail address will be stored in the system for as long as the response/processing of your request requires. After a maximum of 60 days (buffer time for potential queries), your name and e-mail address will be pseudonymised in the system and only used for anonymous statistics.

All personal data stored in the AskREACH server are visible to the AskREACH administrators on consumer or supplier request so they can administer their helpdesk activities.

  • Technical administrator: Luxembourg Institute of Science and Technology (LIST)
  • Global administrator (operator): German Environment Agency (UBA)
  • Regional administrator in the Czech Republic: ARNIKA

Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. Your name and e-mail address will only be stored in connection with your requests and for a maximum of 60 days. 
If personal data (online identifiers such as IP-addresses and unique device IDs) are stored in log files, they will be deleted after two weeks at the latest. Further storage is possible in the event of malicious behaviour and if future access is to be prevented. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment of the calling client is no longer possible.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
Your name and e-mail address are only stored temporarily in the system. Both can be deleted or removed at your request.
You can revoke your consent to the processing of your personal data at any time. The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this. After revocation of your consent you can no longer use the app.

Data entered to the AskREACH database by consumers

App users may provide article name, description, brand/company name and photo during the request creation process, if this information is missing in the AskREACH database. This information is marked as “crowdsourcing information”. Malicious, illegal or inappropriate content can be reported by other app users and will subsequently be removed. In addition, app users may enter generic e-mail addresses of companies in order to send their requests there. These e-mail addresses may be included in the internal address list of the system and then used for sending future requests of other app users to the same company. Before inclusion in the internal list they will be checked by the regional administrator. Before entering any data, the app user has to consent to the conditions of use and is informed that this information should only concern, show or reflect the article in question, but no persons or other personal or confidential data or illegal content. Wrong or illegal contents will be deleted as soon as they are notified to the administrators (by other app users or suppliers). If repeated misuse by a user is noted, the user will be blocked.

Data transfer to third countries (outside the EU)

Requests can be sent to any company outside the EU.  With regard to most countries outside the EU, no adequacy decision of the EU Commission according to Art. 45 GDPR is available. Therefore, data processing is possible only with consent of the persons concerned. Such data transfers without adequacy decision and appropriate guarantees entail risks. Requests that you send to suppliers in such countries contain your name and your country of residence, but no other personal data. Most countries outside the EU do not have legislation similar to the EU Chemicals Regulation. Companies from these countries are therefore not obliged to respond to consumer requests.

Push notifications (smartphone app only)

If a smartphone app user agrees to receive push notifications from the AskREACH system, their device ID is stored in the business logic and they are subject to the data privacy rules of the Apple Push Notification service or Google Firebase service.

Consumer surveys

Once annually in 2020, 2021 and 2022, all active users of the smartphone app at that time will receive via the app a request to participate in a survey intended to provide the project with data on impacts achieved and user satisfaction. The release of this request will be integrated into the app’s programming from the start, i.e. not sent via external notification (“push message”). Personal data are not involved.

Consumers who agree to participate in the survey are directed to a questionnaire created in the web tool LimeSurvey which is hosted at an external website by the AskREACH project partner sofia (University of Applied Sciences Darmstadt, Society for Institutional Analysis). The data privacy conditions of LimeSurvey apply (https://www.limesurvey.org/policies/privacy-policy).

In the questionnaires, consumers interested in providing more detailed feedback are asked to leave their e-mail address. Using these e-mail addresses, regional administrators may ask individual consumers to participate in interviews. All surveys are evaluated anonymously. The regional administrators handle the e-mail addresses and further personal data received during this activity as explained under Section 11.

Newsletter

Description and scope of data processing
If you click in our app that you would like to receive the free newsletter of UBA or your regional administrator organisation, you will be redirected to our website or the website of your regional administrator organisation where you can subscribe to the newsletter. Please refer to the privacy policy of the respective website for information on subscription-related data privacy.

E-mail contact

Description and scope of data processing
You can send questions about the app or supplier responses by e-mail to UBA (in German or English) or your regional administrator. Your personal data transmitted with the e-mail will be stored by us or by the regional administrator.
In this context, the data will not be passed on to third parties (excluding global, technical and regional administrators) without your separate consent. Your consent will be stored as described in Section 5.3. We and the technical and regional administrators will use the data exclusively for processing the exchange and then delete or anonymise it.
Legal basis for the processing of personal data
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR.
Purpose of data processing
The processing of the personal data serves in answering your enquiry.
Duration of storage
Your enquiries and answers in electronic files of the regional administrator are stored according to the stipulations of the GDPR: personal data should not be retained longer than necessary, in relation to the purpose for which such data is processed. So, the storage duration is decided by the regional administrator on a case by case basis, taking into account the purpose of the processing.
Possibility of objection and elimination
You have the possibility to object to the processing of your personal data sent with your e-mail at any time. To this end, please contact our data protection officer (in German or English) or the regional administrator. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us or the regional administrator will be deleted.
Further information on communication by e-mail
Communication by e-mail can have security gaps. E-mails sent can be stopped and read by experienced Internet users. If we or the regional administrators receive an e-mail from you, it is assumed that we or the regional administrators are also entitled to reply by e-mail to this e-mail address. Otherwise we ask you to consider another form of communication (e.g. by post).
Be careful with questionable e-mails: Fraudsters repeatedly try to install malware (e.g. viruses and Trojans) on foreign PCs via attachments or links in e-mails - by raising fears with claims about unpaid invoices or dramatic messages. You should not trust e-mails with lurid subject lines, dubious contents, or questionable origin – delete them immediately. Never open attachments or links in such e-mails. As a rule, the German Environment Agency and the regional administrators never send files with attachments using the suffixes ".exe″ or ".com″. Please do not open such files and inform us (in German or English) or the regional administrators about such an e-mail. The German Environment Agency or the regional administrators will never ask you to send us sensitive data such as bank details or passwords by e-mail or telephone.

Your rights

If your personal data are processed, you are affected within the meaning of the EU General Data Protection Regulation (GDPR) and you have the following rights vis-à-vis the person responsible. Please contact us (in German or English) or the regional administrator (see above).
Right to information
You can ask the person responsible to confirm whether personal data concerning you are being processed by us. 
You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
This right to information may be limited to the extent that it is likely to make impossible or seriously impair the achievement of research or statistical purposes and the limitation is necessary for the fulfilment of research or statistical purposes.
Right to rectification  
You have a right to rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.
Your right to rectification may be limited to the extent that it is likely to render impossible or is seriously prejudicial to the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to limitation of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:

  1. If you dispute the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of the personal data;
  2. The processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
  3. The data controller no longer needs the personal data for the purposes of the processing, but you do need them to assert, exercise or defend legal claims, or
  4. If you have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the European Union or a Member State.
If the processing restriction has been limited according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
Your right to limitation of processing may be limited to the extent that it is likely to render impossible or is seriously prejudicial to the achievement of research or statistical purposes and the restriction is necessary for the fulfilment of research or statistical purposes.
Right to erasure
a) Duty to delete
You may call on the data controller to erase the personal data relating to you and the controller is obliged to erase this data without delay if one of the following reasons applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke the consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9(2) (a) GDPR, and there is no other legal basis for the processing.
  3. You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR. 
  4. The personal data concerning you have been processed unlawfully. 
  5. The deletion of personal data relating to you is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject. 
  6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

b) Information to third parties
If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 (1) GDPR, then the data controller shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you, as the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data. 
c) Exceptions
The right to cancellation does not exist insofar as the processing is necessary:

  1. To exercise freedom of expression and information;
  2. For the performance of a legal obligation required for processing under the law of the European Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
  3. For reasons of public interest in the field of public health pursuant to Art. 9 (2) (h and i) and Art. 9 (3) GDPR;
  4. For archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law referred to in section a) above is likely to make it impossible or would seriously impair the attainment of the objectives of such processing, or
  5. To assert, exercise or defend legal claims.

Right to inform
If you have exercised your right to have your data rectified, erased, or to restrict processing, the data controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or the restriction of processing, unless this proves impossible or involves disproportionate effort.
The person responsible shall inform you about those recipients if you request it.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was provided, provided that

  1. Processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
  2. Processing is carried out by automated methods.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of others must not be affected by this.
The right to portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Right to object
You have the right to object, on grounds relating to your particular situation, to the processing of your personal data in accordance with Art. 6 (1) (f) GDPR. 
The data controller shall no longer process the personal data concerning you, unless compelling legitimate grounds can be demonstrated for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
Notwithstanding Directive 2002/58/EC, you have the right to object in the context of the use of Information Society services by automated means using technical specifications.
You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR for reasons arising from your particular situation.
Your right to object may be limited to the extent that it is likely to make it impossible or would seriously impair the realisation of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent prior to revocation.
Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State in which you reside, work or suspect an infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR. 
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
In the case of the German Environment Agency, the responsible supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).  

Sharing of the app in social networks

The apps can be shared via social networks. We invite you to recommend our app in this way. However, we hereby expressly bring to users’ attention the fact that we have no control either over the terms of use of such services or the owners of such services. While we will handle with care any personal data on such platforms, we cannot be held liable for the actions of the owner of such a social network site or of any third party.

We draw your attention to the fact that social-network owners archive data and use it for commercial purposes. We have no knowledge of the scope of such data or the duration of its archiving. However, you are legally entitled to ask any such owner to allow you to view your personal data, to be informed on request which personal data is processed, and to assert your rights under the GDPR.


Terms of Use AskREACH Database incl. Supplier Frontend


These terms of use apply to the supplier frontend and database provided by the German Environment Agency (Umweltbundesamt, Wörlitzer Platz 1, D-06844 Dessau-Rosslau, Germany), in the following called provider, we, our, or us. The supplier frontend together with the database and the necessary business logic is in the following called services. They have been developed in the LIFE AskREACH project (LIFE 16 GIE/DE/000738).

Only commercial suppliers of consumer articles from the EU, EU candidate countries, “potential EU candidate countries”, EEA and EFTA, in the following called article supplier, database user, you, or your, are permitted to use the services and provide information about substances of very high concern (SVHCs) in the articles they supply. In addition, a consultant can register who represents such companies.

These services are provided free of charge.

The terms of use are a binding agreement. You must read and agree to these terms prior to your access and use of the services. The terms of use consist of the provisions that follow below as well as those of the data privacy declaration. If any of these provisions are changed, you will be informed accordingly. If you want to continue to use the services after the provisions have been changed, you must agree to the new provisions. If you choose not to accept the new provisions, you will no longer be able to use the services.

The provider makes every effort to ensure the smooth operation of the services over which the provider has an influence. The provider is at liberty to restrict access to the services in whole or in part, temporarily or permanently, due to maintenance work, capacity requirements, and other events beyond the provider's control.
If you have questions, comments or reservations with regard to these terms of use or our services, please contact the regional administrator in your country (see https://www.askreach.eu/app-database/).

Note that the provider and the regional administrator are independent of the article suppliers.

Main functions of the services

You can use our services to provide information about SVHCs in the consumer articles you supply. Please consult the FAQs in the supplier frontend about the definition of SVHCs, the consumer right to information on these substances and the scope of this right.

If you receive consumer requests from our app, you have three ways to respond to the requests:

  • Upload SVHC information to the AskREACH database

 

If you enter the information about SVHCs in your articles (including packaging) in the database, consumers can access the information directly there. You will no longer receive SVHC requests through our app as long as you keep the data up-to-date according to the latest REACH candidate list (https://echa.europa.eu/candidate-list-table).

  • Reply by e-mail

 

If you respond to an SVHC request by e-mail, the information you provide in your e-mail will be transmitted. The AskREACH server forwards the e-mail to the requesting party and caches it in encrypted form in the system for technical purposes, only.

  • Direct contact

 

If you prefer to send your response to the requester, you can submit a request e-mail asking the consumer to contact you directly. The system will then pass this on to the consumer.

If you do not respond to an SVHC request, the system will send you a reminder after 30 days. After 45 days, you may receive another request, if the requester so wishes.

In the framework of the services we send you electronic mails. Consumer requests will be sent to the e-mail address you specify for that purpose. This e-mail address is visible in the smartphone app and web app. Other e-mails are sent to you as the contact person of your company (e.g. reminders for updating your data after REACH candidate list updates).

Consent and registration

If you respond via our system or upload information to our database you must consent to the conditions of use and the data privacy declaration. If you want to upload information to the database you have to register with your company name, postal address and a generic e-mail address (for receiving SVHC requests) as well as the name and e-mail address of the contact person. Our regional administrators will then verify these data and you have to authenticate your e-mail address. Independent of registering with the system, you can always specify to the regional administrators the (preferably generic) e-mail address in your company to which consumer requests shall be sent. When you register with the system you have to choose a user name and a password.

You guarantee to provide us with accurate, complete and updated registration information about yourself. You may not choose a name for your ID which you are not entitled to use, or the name of another person with the intent to imitate that person.

You assure and warrant that you are of legal age.

You will use the services only for the benefit of your company or – if you are a consultant – on behalf of your client, and not on behalf of or for the benefit of any other third party, and only in a manner consistent with all laws applicable to you. If your use of the services is prohibited by law, you may not use the services. We do not and will not assume any responsibility for your use of the services in violation of the law.

You will not share your account or password with anyone, and you must protect the security of your account and password. You are responsible for all activities associated with your account.

Verification/validation procedures

 

After you have registered with the system as an article supplier, verification will be carried out by the regional administrator in your country. Companies must confirm their wish to register by e-mail or postal letter. The verification is documented for future reference.

When article suppliers claim their GCPs and/or GTIN barcode ranges, these are validated by comparison with data in the GS1 GEPIR database. This is done automatically as far as possible.  Other cases will be considered by the regional administrator.

In addition, the regional administrator verifies company e-mail addresses that are proposed by app users or article suppliers to be included in the system’s internal list of e-mail addresses. Personalised e-mail addresses are not included in this list as far as possible.

What do you have to consider when you upload information to the services?

We usually use the GTIN barcode as an identifier for consumer articles. However, proprietary barcodes can also be included. If you want to include your proprietary barcode system, please contact the regional administrator in your country.

When you register with our services you have to specify if you are a barcode owner, a retailer, both, or neither. As a barcode owner, you have to specify your GCPs and/or barcode ranges, otherwise the system does not accept you as a barcode owner. If you are a wholesaler or distributor, choose neither barcode owner nor retailer.

We allow consumers to upload certain article information (article name, brand/company and a photo of the article). This information is marked as crowdsourced and is replaced as soon as an article supplier uploads their own information for the same barcode. We are not liable for any errors or omissions in crowdsourced information or contents, or for any damages or losses you may suffer in connection with this.
The SVHC information you upload to the system is shown to all app users who request this information via the system. It is always clearly recognisable that the information originates from your company and that your company is solely responsible for its correctness. Company specific SVHC information can be seen by the technical administrator (Luxembourg Institute of Science and Technology LIST, rue du Brill 41, L-4422 Belvaux Luxembourg) and the global administrator (German Environment Agency UBA, Wörlitzer Platz 1, D-06844 Dessau-Rosslau, Germany).
Information about the presence of SVHCs in a given article may be uploaded by several retailers, wholesalers or distributors. It is therefore possible that conflicting information is contained in the database.

Your contact details, GCPs/barcode ranges and information about your response behaviour will be made available to the regional administrators via the AskREACH system. They may then approach the companies which did not respond in order to find out why not. Regional administrators (including LIST and UBA) may publish anonymous statistics from the database. Company specific data other than that mentioned above may only be viewed by regional administrators in the framework of their helpdesk activities, and with your agreement. Data protection agreements according to GDPR Art. 28 have been concluded between UBA and LIST, UBA and the organisations of the regional administrators, and between LIST and the external host.

You receive a reminder to update your data every time the REACH candidate list is updated. If you do not update your SVHC data in the database after a new candidate list has been published, a corresponding remark is added to your SVHC data. The data are still shown to app users together with this remark. App users may then again send you consumer requests until you update your data.

You ensure, guarantee and agree not to enter or upload contents or contributions that are against the law, or infringe on the rights of others. Contents/contributions must not be harmful, fraudulent, deceptive, threatening, harassing, defamatory, obscene or otherwise objectionable. Article suppliers who upload article photos to the database are reminded that these photos should show exclusively the consumer article in question, but not persons, vehicle registration plates, items that suggest in which shop the photo was taken, etc.
The article supplier grants the provider a spatially and temporally unlimited, irrevocable, non-exclusive, royalty-free right, transferable to third parties, to use the contents uploaded to the services. The provider is entitled to use the contents at any time. This includes in particular the right of public accessibility via the European app. This provision does not affect the article supplier's right to grant third parties the rights to content under certain licensing models.

For all your submissions, you hereby grant a licence to translate, modify (for technical purposes), reproduce, and otherwise act on your submissions to enable us to operate the services in any event. This is only a licence - your ownership of the submissions is not affected. This licence is granted free of charge on any material and intangible medium, in Europe.

Finally, you acknowledge and agree that we may need to make changes to your submissions in order to customise and adapt them to the technical requirements of connection networks, devices, services or media when performing the necessary technical steps to provide the services to our app users, and the aforementioned licences include the right to do so.

We also reserve the right, at our sole discretion, to remove content from the services at any time if someone claims that the content you have contributed violates these terms. In this case you would be notified accordingly.

When creating own contents, the article supplier undertakes to comply with applicable legislation (e.g. criminal law, competition law, and youth protection law) and not to infringe on the rights of third parties (e.g. name, trademark, copyright and data protection rights).
In the event that the contents contain hyperlinks to pages of third parties, the article supplier warrants that they have the right to use the hyperlink and gives assurance that the website to which reference is made ("landing page") complies with the law and the rights of third parties.

The provider is entitled to block access to individual contents at any time, e.g. if it is suspected that these violate applicable law or the rights of third parties. The article supplier has no claim to the maintenance of individual functionalities of the services.

What happens if an article is no longer marketed?

You can mark as inactive an article that is no longer marketed. Nevertheless, the SVHC information should stay in the database, because consumers might still request this information.

Barcode clashes

It is possible to store SVHC information about different articles which have the same barcode number or different versions of the same article with identical barcode.

Language issues

You receive a consumer request in the language of the consumer and in English. You will also be informed about the country of origin of the consumer so that you can respond to them by e-mail in the appropriate language, if you so wish. However, if you upload your article information to our database, there will be an automatic translation of the standardised data. Non-formalised data are at present not translated, e.g. information on safe use, PDFs, links etc.

Retailers – barcode owners

Consumers will send SVHC requests via our app to barcode owners and retailers. The addressee is responsible for the response to the request. A request addressed to a barcode owner may be sent in copy to the retailer. In such cases, the retailer is also informed if an SVHC request has not been answered by the barcode owner of the article within 30 days (reminder) and again after 45 days. The retailer may choose to answer the request on their own.

Further obligations of the database users

The database user must refrain from any activity that is likely to impair and/or overload the operation of the portal or the technical infrastructure behind it. Any violation of this will terminate your right to use or access the services.
Should the use of the services or their functionalities be disrupted, the database user shall immediately inform the provider or the regional administrator. The same shall apply if the database user obtains information about content published by third parties which obviously violates applicable law or the rights of third parties.

Who is responsible for information uploaded/transmitted by database or app users?

Any information or contents published or transmitted through the services by database or app users is the sole responsibility of the person from whom such contents originate. We accept no responsibility for the correctness of information given by article suppliers or consumers. Opinions that might be expressed by database or app users do not necessarily reflect our own views.

Article suppliers and app users access all such information and contents at their own risk and we are not liable for any errors or omissions in such information or contents or for any damages or losses anyone may suffer in connection therewith. We cannot control and are under no obligation to take any action concerning how database and app users interpret and use the contents or what actions they take after they have been exposed to the contents. You hereby release us from any liability for your receipt or non-acceptance of contents through the services. We cannot guarantee the identity of all app users with whom you interact in the course of using the services and are not responsible for who gains access to the app.

Where can I get help?

 

Please consult the user guide on the AskREACH website or the website of your regional administrator (see https://www.askreach.eu/app-database ). You can always review the audit log information of data manipulation in your account and in doing so trace back data modifications to the individual author/editor. Finally, you can always approach your regional administrator for help (see https://www.askreach.eu/app-database).

What happens if I don’t want to use the services anymore?

If you want to delete your account in our system, send an e-mail to your regional administrator. Please read our Privacy Policy and the licences listed above to learn more about how we treat the information you have provided to us when you stop using our services. Information about your articles will stay in the database, but is marked as inactive. We may also terminate your use of or suspend access to the services for any reason at our discretion, including your violation of these terms. We have the sole right to determine whether you are in breach of any of the restrictions set forth in these terms.

Copyright and trademark law

The materials displayed, performed or made available on or through the services, including but not limited to text, graphics, data, articles, photographs, images, illustrations, or user submissions (all of the foregoing being referred to as "contents") are protected by copyright and/or other intellectual property laws. You agree to comply with all copyright notices, trademark rules, information and restrictions of any contents you access. You agree to refrain from using, copying, reproducing, modifying, translating, publishing, transmitting, distributing, performing, uploading, displaying, licensing, selling or otherwise exploiting any contents not owned by you for any purpose

  • without the prior consent of the owner of the contents, or
  • in a manner that violates any other rights (including the rights of UBA/ the regional administrator).

Liability

The provider and the regional administrator make no guarantees as to the availability, reliability, or functionality of the supplier frontend and the database, or their suitability for your purposes.

Liability is expressly excluded unless it concerns intent, gross negligence, injury to life, body or health, the assumption of a quality guarantee, or fraudulent concealment of a defect, or where the breach of essential contractual obligations or liability is based on Product Liability Law. Significant contractual obligations are those obligations the fulfillment of which enables the proper execution of a contract in the first place and on the compliance of which the contracting parties may regularly rely. Liability for breach of essential contractual obligations is limited to contractually typical, foreseeable damage, unless in cases of intent or gross negligence.

The information from the database is made available as produced or received without any express or tacit guarantee. The absence of defects or possible errors is not guaranteed by the provider and the regional administrator.

Any guarantee as to the identity of all other database or app users or the information transmitted by them and with whom an interaction is carried out during the use of the services is also excluded as well as any recourse or action for liability or compensation.

The database user is solely responsible for the use of the services and in particular for the data and information provided or exchanged, including in the event of any direct or indirect damage caused to third parties. Database users are in particular solely responsible for the interpretation and use they make of the information obtained.

In addition, the use by the database user must not mislead third parties, in particular with regard to the content of the information obtained, its source, and date of updates.

Right of recourse

The database user indemnifies the provider, the regional administrator and their employees or agents against all claims by third parties in the event of claims based on alleged or actual infringement of rights and/or infringement of the rights of third parties by actions undertaken by the database user in connection with the use of the services. In addition, the database user undertakes to reimburse all costs incurred by the provider and the regional administrator as a result of claims made by third parties. Reimbursable costs also include the costs of reasonable legal defence.

Jurisdiction

 

These terms of use shall be governed by German law and subject to the exclusive jurisdiction of the court of Dessau-Rosslau (Germany). For disputes between the database user and the regional administrator, the respective national laws apply and the courts in the country of the regional administrator are responsible.

Severability clause

Should one of the above provisions be or become invalid, the remaining provisions shall continue to apply.


Disclaimer and data privacy statement for companies using the AskREACH system to comply with their SVHC information duties

This disclaimer and data privacy statement concerns
1. all enterprises who want to answer consumer SVHC requests via the AskREACH system
2. all enterprises who want to register with the AskREACH database in order to upload information on SVHCs in their articles to the database.
The AskREACH IT tools include the business logic, the European smartphone app and web app, the European database and the supplier frontend. They were developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738). The database and the supplier frontend are addressed to suppliers of consumer articles in accordance with the REACH article definition. The German Environment Agency (UBA, Wörlitzer Platz 1, D-06844 Dessau-Rosslau, Germany) is the provider of the database and the respective supplier frontend. UBA is the global administrator of the AskREACH IT tools, the Luxembourg Institute of Science and Technology (LIST) is the technical administrator. The AskREACH project partners and replicators in the various countries where the app developed in AskREACH is available are the regional administrators.

Contents of the IT tools

The UBA accepts no responsibility for the accuracy, completeness, quality or actuality of the contents of the AskREACH IT tools. Any liability claims against the UBA for material or immaterial damages that arise from the use or non-use of information available via the IT tools or the use of erroneous or incomplete information available via the IT tools shall be excluded insofar as no culpable act of gross negligence has been committed by the UBA. Our services are non-binding and subject to change at any time without notification. The UBA shall be entitled to modify any aspect of the IT tools and/or their contents in any way it sees fit, in whole or in part, without prior notification.

2. References and links

The UBA and the AskREACH partners and replicators shall not be liable for links used in the AskREACH IT tools that are beyond the UBA’s control unless they have knowledge of the relevant contents and it would have been reasonable and technically possible for us to forestall the use of any such contents that may be illicit. The UBA and the AskREACH partners and replicators thus hereby expressly state that at the time any such link was created we had no knowledge that it was associated with any illicit Web contents. Inasmuch as we have no control over the current or future design, contents or copyright of any linked Web page, we hereby expressly repudiate any contents of any linked page that was altered after the link in question was created. This applies to all links and references used in the IT tools, as well as any third party entry. In the event of illicit, erroneous or incomplete contents, and in particular in connection with damages arising from the use or non-use of such information, the Web site owner to which the link in question directed shall assume liability, and not the tool owner that provided links to such contents. Third party Web sites that can be accessed via external links may possibly not be barrier-free. Note that any linking to the AskREACH IT tools does not constitute grounds for reciprocity.

3. Copyright and trademark rights

In all AskREACH IT tools, the UBA and the AskREACH consortium have made every effort (a) to respect copyright restrictions for all graphics, audio, video and text; (b) to use graphics, audio, video and text created by the UBA or AskREACH itself; and (c) to use licence-free graphics, audio, video and text. All protected marks and trademarks used are protected by the applicable copyright laws pursuant to the intellectual property rights of their duly registered owners. The fact that registered trademarks are mentioned should not be taken to mean that such trademarks are not protected by third party rights.
The copyright for published objects created by the UBA or AskREACH itself remains solely with the UBA or AskREACH and the staff working on the IT tools. Unless otherwise indicated, objects, graphics, sound documents, video sequences and texts created by the UBA or AskREACH itself are under a creative commons 4.0 international licence (no commercial use, no editing, https://creativecommons.org/licenses/by-nc-nd/4.0/).   

4. Legal validity of this disclaimer

This disclaimer constitutes an element of the AskREACH IT tools. Insofar as any provision of the present disclaimer is or becomes legally invalid or unenforceable, the remaining provisions shall remain fully enforceable.

5. Data privacy

5.1. Name and address of the person responsible

The German Environment Agency, represented by its President, is responsible within the meaning of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other data protection regulations:
German Environment Agency
Präsidialbereich / Presse- und Öffentlichkeitsarbeit, Internet
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
Phone: +49-340-2103-2416
E-mail: buergerservice@uba.de
www.umweltbundesamt.de

5.2. Name and address of the data privacy officer

The German Environment Agency's data privacy officer is available to answer your questions and provide you with information on the subject of data protection, and is also the contact person for the enforcement of your rights as a concerned party. However, requests made in other languages than German and English have to be directed to the regional administrators (see https://www.askreach.eu/app-database/) for translation. After translation they will be directed by the regional administrators to the data privacy officer and the global administrator UBA:
Mr Udo Langhoff
German Environment Agency
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
Phone: +49-30-8903-5141
e-mail: udo.langhoff@uba.de

5.3. General information on data processing

The following explanations refer to the European AskREACH database including the supplier frontend, which were both developed in the LIFE project AskREACH. The database is linked to the European smartphone app developed in AskREACH and the corresponding web app.
UBA is the controller of the AskREACH business logic including the database and supplier frontend as well as of the smartphone app and web app. Regional administrators in the various countries promote the app and support app and database users. They are authorities or organisations of the AskREACH partner countries and of further countries in which a regional app version is available (“replicator countries“). The AskREACH project partner Luxembourg Institute of Science and Technology (LIST) is responsible for the technical operation of the AskREACH system (database and all frontends). LIST uses IBM cloud for hosting (IBM of Belgium sprl / bvba, https://www.ibm.com/contact/be/en/?lnk=flg-cont-be-en). IBM complies with the German standard cloud computing compliance controls catalogue (C5, see https://www.bsi.bund.de/EN/Topics/CloudComputing/Compliance_Controls_Catalogue/Compliance_Controls_Catalogue_node.html).

Scope of the processing of personal data
We only process personal data of users of our IT tools if this is necessary to provide functional tools and for our contents and services (such as the provision of SVHC information by suppliers of consumer articles). The processing of our users' personal data takes place as a rule only with their consent.
Unless otherwise provided for in this data protection declaration, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. The stored data can be viewed by the administrators of the German Environment Agency and the Luxembourg Institute of Science and Technology.
Your contact details, GCPs/barcode ranges and information about your answering behaviour will be made available to the regional administrators via the AskREACH system. They may then approach the companies that do not respond to consumer requests in order to find out the reasons. Regional administrators may publish anonymous statistics from the database. Company specific data other than that mentioned above may only be viewed by regional administrators in the framework of their helpdesk activities and with your agreement. Data protection agreements according to GDPR Art. 28 have been concluded between UBA and LIST, UBA and the regional administrators and between LIST and the external host.
All information you send when using the AskREACH IT tools is transmitted in encrypted form via a "Secure Socket Layer" (SSL) connection. Your personal data cannot be read by unauthorised persons during transmission on the Internet.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is usually the consent of the data subject pursuant to Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR).
If processing is necessary to safeguard a legitimate interest of our authority or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Art. 6 (1) (f) GDPR serves as the legal basis for processing. 
Data erasure and storage time
The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply. 
Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.

5.4. Provision of the AskREACH IT system and creation of log files

Every time you access our system, the system automatically collects data and information from the calling computer system. This information (server log files) comprises, for example information on the browser, the user’s operating system, or the domain of your internet service provider. In addition, the IP address or potentially the device ID of your smartphone is transmitted and used in order to be able to use the desired service. This information is technically necessary for the correct delivery of contents requested by you from our IT tools and is mandatory when using the Internet.
This data is not stored together with other personal data of the user.
According to our data privacy concept, the incoming log file data are stored for two weeks in order for us to be able to recognise and analyse any attacks against our system. The legal basis for data processing is Art. 6 (1) (f) GDPR. If a specific IP address or device identification number has to be blocked, it is permanently stored.

5.5. Business representatives who receive SVHC requests through the system (and reply by e-mail)

Description and scope of the data processing
If you, as a company representative, are sent a request for substances of very high concern (SVHCs) via the AskREACH smartphone app or web app, this request may be received via your (personalised) company e-mail address. This (personalised) e-mail address can originate from the following sources:

 

1. System-internal list of e-mail addresses

A system-internal list of company names with associated e-mail addresses is maintained. These e-mail addresses are either researched on the Internet by the regional administrators in the various countries or identified by requesters themselves and checked by the regional administrators. The list will only contain personalised e-mail addresses if companies explicitly request that such addresses be included or if companies only provide such addresses on their website.

2. Researched by the requester independently.

If the app cannot offer an e-mail address via the internal address list, the requester can also find out an e-mail address independently and enter it as the recipient of the SVHC request. We recommend that the app user should not use personalised e-mail addresses if possible, but we cannot rule out the possibility that these will nevertheless be used in individual cases.

The e-mail addresses are required in order to be able to send the requests to the companies responsible for SVHC information. The e-mail addresses can be seen by the requesters. If app users choose to send their requests in copy to a retailer, the e-mail address is also shown to the retailer. Companies who want to have the requests directed to a different e-mail address can register with the AskREACH system and give the correct e-mail address there or contact their regional administrator (see https://www.askreach.eu/app-database/).

If you respond to an SVHC request by e-mail, the personal information you provide in your e-mail will be transmitted. The AskREACH server forwards the e-mail to the requesting party and stores it in encrypted form in the system solely for technical purposes.
Audit trail is implemented (who changed what and when). User IDs and user names are stored in the audit trail in pseudonymised form.
Backup copies of the server are divided into different categories for optimum monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups need to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form.
Legal basis of the processing of data
The legal basis for the temporary storage of data and log files is Art. 6 (f) GDPR.

Purpose of data processing
For data protection purposes, you receive requests from consumers without the clear e-mail address of the requester. The storage of your e-mail address by the system is necessary in order to send you the SVHC request and forward your reply to the requester. If you would like to send your answer to the requesting party yourself, please reply to the request e-mail and instruct the consumer to contact you directly by e-mail.  
If you do not respond to an SVHC request, the system sends a reminder after 30 days. After 45 days, you may receive another request if the requester so wishes.
All personal data stored in the AskREACH server are visible to the following AskREACH technical and global administrators. On request of suppliers, the regional administrators can also see the data so that they can perform their helpdesk activities.

  • Technical administrator: Luxembourg Institute of Science and Technology (LIST)
  • Global administrator (controller): German Environment Agency UBA
  • Regional administrators: see https://www.askreach.eu/app-database

Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.
For personal data stored in log files, this is the case after two weeks at the latest. Further storage is possible. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment to the calling client is no longer possible.
In order for the system to be able to contact you, your e-mail address is stored for as long as required for the response to/processing of each SVHC request for your consumer articles.
If you reply to an SVHC request by e-mail, this e-mail is forwarded and cached in the system in encrypted form solely for technical purposes.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
If your e-mail address is stored in the system internal address list, it can be deleted, removed or changed at your request. If your company registers in the AskREACH database, you can enter an e-mail address for the forwarding of SVHC requests for your company. You can revoke your consent to the processing of your personal data at any time by e-mail sent to the regional administrator (see https://www.askreach.eu/app-database/ ). The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.

5.6. Representatives of companies registering in the database

Description, scope and purpose of the data processing
Registration in the AskREACH database takes place via the supplier frontend.
Every time you, as company representative, access the AskREACH server, our system also automatically collects data and information.
The following data are collected:

  1. The user's operating system
  2. The internet service provider of the device
  3. The IP address of the user
  4. Date and time of access
  5. Websites/web pages accessed by the user's system via our services
  6. Information about your activities on the server
  7. Volume of data transmitted
  8. Notification whether the access was successful

The data are stored in the log files of our system. Online identifiers like IP addresses and unique device IDs are identifiable in the records for attack prevention purposes and for geographic access statistics. IP addresses/device IDs are also used to limit access rates to the app/database as needed and to prevent Denial of Service (DOS) attacks and other threats.
If you register as a company representative in the AskREACH database, you enter your name and personalised e-mail address. With this personal data, together with the company name and postal address, you will be stored by the system as your company's contact person for the AskREACH system and may be contacted for queries. The latter may be the case if consumers ask questions, if there are technical problems, etc. We strongly recommend that you also provide an e-mail address for SVHC requests. If possible, choose a general e-mail address, rather than a personalised one, and make sure that someone checks the corresponding e-mail box regularly. This is the only way to ensure that you comply with your obligations under REACH Art. 33 (2) and that you can react in good time in the event of technical problems. The e-mail address for SVHC requests is visible to the public in the smartphone app and web app.
Audit trail is implemented (who changed what and when). Personal data like names and e-mail addresses are stored in the audit trail in pseudonymised form.
Backup copies of the server are divided into different categories for monitoring and control, e.g. consumers, suppliers, article information, requests, etc. If backups contain personal data, they are documented. If backups have to be restored, e.g. after a system failure, each user of the system is informed of this fact and the date of the backup. Backups are stored in encrypted form.
Legal basis for the processing of personal data
The legal basis for the temporary storage of data and log files is Art. 6 (1) (a) and (f) GDPR.
The processing of personal data you enter in the supplier frontend is tied to your consent given during the registration. Independent of your consent your IP address is stored in a log file before you register. The IP address is stored for 14 days.

Purpose of data processing
The data are stored in log files to ensure the functionality of the system. In addition, the data serves us to optimise our AskREACH IT tools and to ensure the security of our information technology systems. The data are statistically evaluated in anonymous form in order to document the success of the AskREACH IT tools. The temporary storage of the IP address by the system is necessary to enable the server information to be delivered to the user's computer/device. For this, the IP address of the user must be stored for the duration of the session. The data are not evaluated for marketing purposes. 
Our legitimate interest in data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.
This data from the log file is not combined with any other stored data. A direct reference of the IP number from the log file to your person is not possible and is excluded. The IP address is only evaluated in the event of attacks on the AskREACH IT infrastructure, offences against morality and other illegal activities in connection with the use of the IT tools. A conclusion from the IP number to your person is only possible through your dial-in provider through a public prosecutor's investigation.
The storage of your name and your personal e-mail address by the system is necessary so that the system can communicate with you. You register as a contact person of your company for AskREACH.
All personal data stored in the AskREACH server are visible to the AskREACH technical and global administrators. In addition, your contact details will be made available to the regional administrators via the AskREACH system.

  • Technical administrator: Luxembourg Institute of Science and Technology (LIST)
  • Global administrator (controller): German Environment Agency UBA
  • Regional administrators: see https://www.askreach.eu/app-database/  

Duration of storage
Your name and email address will be stored until you delete them or your account yourself or the data/account is deleted by an administrator.
If you reply to an SVHC request by e-mail, this e-mail will be forwarded and will be stored in encrypted form in the system for technical purposes.
If personal data is stored in log files (online identifiers), it will be deleted after two weeks at the latest. Further storage is possible. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment to the calling client is no longer possible.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
You can change your name and e-mail address yourself via your account or delete the account. You can revoke your consent to the processing of your personal data at any time by sending a corresponding e-mail to the regional administrator (see https://www.askreach.eu/app-database/). The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this.

6. Transfer to third countries (outside the EU)

We have a Serbian regional administrator of our app outside the EU. In Serbia, a national law has been adopted that implements provisions equivalent to the GDPR. The Serbian app is also available in Montenegro and Bosnia Hercegovina. With regard to these countries no adequacy decision of the EU Commission according to Art. 45 GDPR is available. Data transfer (e.g. of your name or personalised e-mail address) into these countries for which there is neither an adequacy decision nor appropriate guarantees entails risks.

In addition, requests can be sent to any company outside the EU.

7. Agreement to be approached for campaigns and questionnaires

Companies that have registered to the system may be asked to participate in surveys to provide the project with data on impacts achieved and user satisfaction. Invitations to participate will be sent via e-mail or will appear on the “landing page” of the supplier frontend, i.e. the first page the user sees after logging on to the system. The project may contact individual suppliers based on their activities as documented by the database (e.g. high proportion of uploaded articles that contain SVHCs). The project may also launch surveys addressing all registered suppliers. Also, in this case companies will see an invitation to participate on their landing page of the supplier frontend (in a survey or interview) or receive it via e-mail. Up to this point, personal data is not involved.

Companies that agree to participate may be directed to a questionnaire created with the web tool LimeSurvey, which is hosted on an external website by the AskREACH partner sofia. The data privacy conditions of LimeSurvey apply (https://www.limesurvey.org/policies/privacy-policy).

Companies that agree to participate may be asked to provide contact data that can be used for individual interviews. All surveys are evaluated anonymously.

8. E-mail contact

Description and scope of data processing and storage of data
You can send questions about the supplier frontend or database by e-mail to UBA (in German or English) or to your regional administrator. In this case, your personal data transmitted with the e-mail will be stored by us or by the regional administrator.
In this context, the data will not be passed on to third parties (excluding global, technical and regional administrators) without your separate consent.
We and the technical and regional administrators will use the data for processing the conversation and store them as long as necessary for further reference in the context of your use of our IT tools. The administrators who store correspondence for a longer period because of their national administrative law become controllers for these data.
The following e-mails are permanently stored:

  • e-mails in which companies confirm that one of their employees has registered their company with the database,
  • e-mails in which companies ask us to include a certain contact e-mail address for their company in our internal list,
  • e-mails in which consent is given to our forwarding your e-mail requests to third parties.

Legal basis for the processing of personal data
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR.
Purpose of data processing
The processing of the personal data serves for answering your enquiry.

Possibility of objection and elimination
You have the possibility to object to the processing of your personal data sent with your e-mail at any time. To this end, please contact our data protection officer (in German, English) or the regional administrator.  In such a case, the exchange cannot be continued. All personal data stored in the course of contacting us or the regional administrator will be deleted.

9. Your rights

If your personal data are processed, you are affected within the meaning of the basic EU General Data Protection Regulation (GDPR) and you are entitled to the following rights vis-à-vis the person responsible. Please contact your regional administrator (see https://www.askreach.eu/app-database/) or (in German or English) the German Environment Agency's Data Protection Officer (see above).
Right to information
You can ask the person in charge to confirm whether personal data concerning you will be processed by us. 
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
This right to information may be limited to the extent that it is likely to make impossible or seriously impair the realisation of research or statistical purposes and the limitation is necessary for the fulfilment of research or statistical purposes.
Right to rectification 
You have a right of rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.
Your right to rectification may be limited to the extent that it is likely to render impossible or be seriously prejudicial to the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to restriction of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:

  1. if you dispute the accuracy of the personal data concerning you, during a period that enables the data controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;
  3. the data controller no longer needs the personal data for the purposes of the processing, but you do need them to establish, exercise or defend legal claims, or
  4. if you have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the person responsible override your grounds.

If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or on grounds of an important public interest of the European Union or a Member State.
If the processing restriction has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
Your right to limitation of processing may be limited to the extent that it is likely to render impossible or seriously prejudice the achievement of research or statistical purposes and the restriction is necessary for the fulfilment of research or statistical purposes.
Right to be forgotten
a) Duty to delete
You may request the data controller to delete the personal data relating to you without delay and the controller is obliged to delete this data without delay if one of the following reasons applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke your consent, on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9 (2) (a) GDPR, and there is no other legal basis for the processing.
  3. You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR. 
  4. The personal data concerning you have been processed unlawfully. 
  5. The deletion of personal data relating to you is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject. 
  6. The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

b) Information to third parties
Having made the personal data concerning you public and being obliged to delete it pursuant to Art. 17 para. 1 GDPR, the data controller shall take appropriate measures, including technical measures taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you as the data subject have requested the deletion of all links to this personal data or of copies or replications of this personal data. 

c) Exceptions
The right to cancellation does not exist insofar as the processing is necessary

  1. to exercise freedom of expression and information;
  2. for the performance of a legal obligation required for processing under the law of the EU or of the Member State to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
  3. for reasons of public interest in the field of public health pursuant to Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law referred to under point (a) is likely to make it impossible or would seriously impair the attainment of the objectives of such processing, or
  5. to assert, exercise or defend legal claims.

Right to information
If you have exercised your right to have the data controller correct, delete or limit the processing of data, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction on processing, unless this proves impossible or involves a disproportionate effort.
The person responsible shall inform you about those recipients if you request it.
Right to data transferability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was made available, provided that

  1. processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
  2. processing is carried out by automated methods.

In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of other persons must not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.

 

Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of your personal data in accordance with Art. 6 (1) (f) GDPR. 
The controller shall then no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
You may exercise your right of objection in connection with the use of Information Society services by means of automated procedures using technical specifications, notwithstanding Directive 2002/58/EC.
You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR for reasons arising from your particular situation.
Your right to object may be limited to the extent that it is likely to render impossible or seriously impair the realisation of the research or statistical measures and the processing is necessary for the performance of a task carried out for reasons of public interest.
Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent until revocation.
Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State where you reside, work or suspect of infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR. 
The supervisory authority with which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
In the case of the German Environment Agency, the responsible supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).  

10. Use of personal data published in our IT tools 

The misuse of contact data or comparable information published by us such as postal addresses, telephone and fax numbers and e-mail addresses is not permitted. We expressly reserve the right to take legal action against the senders of so-called spam mails in the event of violations of this prohibition. 

Kontaktujte nás

Arnika, Dělnická 13,
170 00 Praha 7
scan4chem@arnika.org
tel. 774 406 825
Chcete vědět víc? Přidejte se ke kampani Česko bez jedů nebo se přihlaste k odběru našeho newslettru.
Arnika je česká nezisková organizace, která spojuje lidi usilující o lepší životní prostředí. Chráníme přírodu a zdravé prostředí pro budoucí generace doma i ve světě. Dlouhodobě prosazujeme méně odpadů a nebezpečných látek, živé řeky a pestrou přírodu a právo občanů rozhodovat o životním prostředí.