This disclaimer and data privacy statement concerns the app Tjek Kemien which is available as smartphone app (Android, iOS) and web app. The app was developed in the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738) and is provided by the German Environment Agency (Umweltbundesamt; UBA). UBA is in the following referred to as provider, we, our or us. Depending on the national legislation in Denmark the app is addressed to users aged 13 and over (in the following: you, or your).
The Danish Consumer Council (DCC) and the Danish Environmental Protection Agency (DK EPA) are partners of the AskREACH project and the regional administrators in Denmark.
* App = smartphone app (Android, iOS) + web app.
* IT tools = app + database with product information + business logic.
* Regional administrator = organisation that popularises the app in a certain country and is responsible for support of app users and database users in that country.
1. Content of the IT tools
The provider accepts no responsibility for the accuracy, completeness, quality or actuality of the contents of the AskREACH IT tools. Any liability claims against us for material or immaterial damages that arise from the use or non-use of information available via the IT tools or the use of erroneous or incomplete information available via the IT tools shall be excluded insofar as no culpable act of gross negligence has been committed by us. Our services are non-binding and subject to confirmation. We are entitled to modify any aspect of the IT tools and/or their contents in any way we see fit, in whole or in part, without prior notification.
2. References and links
We shall be liable for links used in the AskREACH IT tools that are beyond our control only insofar as we have knowledge of the relevant contents and it would have been reasonable and technically possible for us to forestall the use of any such contents that may be illicit. Inasmuch as we have no control over the current or future design, content or copyright of any linked Web page, we hereby expressly repudiate any contents of any linked page that was altered after the link in question was created. This applies to all links and references used in the IT tools, as well as any third party entry. In the event of illicit, erroneous or incomplete contents, and in particular in connection with damages arising from the use or non-use of such information, the website owner to which the link in question led shall assume liability, and not the tool owner that provided links to such contents. Third party websites that can be accessed via external links may not be accessible without barriers. Please also note that any linking to this application does not constitute grounds for reciprocity.
3. Copyright and trademark rights
In all AskREACH IT tools, the provider has made every effort to (a) respect copyright restrictions for all graphics, audio, video and text; (b) use graphics, audio, video and text created by the UBA or AskREACH itself; (c) use licence-free graphics, audio, video and text. All protected marks and trademarks used are protected by the applicable copyright laws pursuant to the intellectual property rights of the duly registered owners. If registered trademarks are mentioned in the app this does not mean that such trademarks are not protected by third party rights.
The copyright for published objects created by the provider or AskREACH itself remains solely with the provider or AskREACH and the staff working on the IT tools. Unless otherwise indicated, objects, graphics, sound documents, video sequences and texts created by the provider or AskREACH itself are under a creative commons 4.0 international license (no commercial use, no editing, https://creativecommons.org/licenses/ba-nc-nd/4.0/).
4.Legal validity of this disclaimer
This disclaimer constitutes an element of the AskREACH smartphone app and web app. Insofar as any provision of the present disclaimer is or becomes legally invalid or unenforceable, the remaining provisions shall remain fully enforceable.
5. Data privacy
5.1. Name and address of the person responsible
The German Environment Agency, represented by its President, is responsible within the meaning of the EU General Data Protection Regulation (GDPR) and the relevant law at national level, i.e. in Denmark the Lov nr. 502 af 23. maj 2018 om supplerende bestemmelser til forordning om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger (databeskyttelsesloven).
German Environment Agency
Präsidialbereich / Presse- und Öffentlichkeitsarbeit, Internet
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
5.2. Name and address of the data privacy officer
The German Environment Agency data privacy officer is available to answer your questions and provide you with information on the subject of data protection, and is also the contact person for the enforcement of your rights as a concerned party. However, requests made in languages other than German or English have to be directed to an appropriate regional administrator for translation. After translation they will be redirected by the regional administrators to the data privacy officer:
Mr. Udo Langhoff
German Environment Agency
Wörlitzer Platz 1
06844 Dessau-Rosslau, Germany
The Danish Consumer Council and the Danish Environmental Protection Agency are partners of the AskREACH project and the regional app and database administrators in Denmark. The Danish Consumer Council can be contacted at firstname.lastname@example.org and the Danish Environmental Protection Agency can be contacted at email@example.com.
5.3. General information on data processing
The following explanations refer to the app developed in the LIFE project AskREACH. UBA is the controller of the AskREACH database and business logic and of the smartphone app and web app. The AskREACH project partner Luxembourg Institute of Science and Technology (LIST, https://www.list.lu) is responsible for the technical operation of the app. The server is made available by an external host (IBM of Belgium sprl / bvba https://www.ibm.com/contact/be/en/?lnk=flg-cont-be-en).
Scope of the processing of personal data
We only process personal data of users of our IT tools if this is necessary to provide functional tools as well as our contents and services (such as the provision of SVHC information by suppliers of consumer articles). As a rule, the processing of our users' personal data takes place only with their consent. An exception applies in those cases where prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.
Unless otherwise stated in this data privacy declaration in individual cases, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. In the context of their helpdesk activities the global administrators of the German Environment Agency (UBA), the technical administrators of the Luxembourg Institute of Science and Technology (LIST) and the regional administrators may view the stored data. The technical administrators may also view the data as necessary for attack prevention. Data protection agreements in accordance with GDPR Art. 28 have been concluded between UBA and LIST, UBA and the regional administrator and between LIST and the external host.
Legal basis for the processing of personal data
The legal basis for the processing of personal data is the consent of the data subject pursuant to Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR).
All processing of personal data is tied to your consent given in the app.
Data erasure and storage time
The personal data will be deleted or blocked as soon as the purpose of storage ceases to apply.
Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires.
5.4. Provision of the app
Our smartphone app can be downloaded from the Google and Apple app stores.
5.5. Use of the app
Scope of the data processing
You get access to the web app via our website or the websites of the regional administrator. We log the download and collect statistics. The web app then only communicates between the user's browser and the AskREACH server. Each time your computer accesses the AskREACH server, our system automatically collects data and information.
Every time your smartphone accesses the AskREACH server, our system also automatically collects data and information, including IP address of the user or device identification number.
The data are stored in the log files of our system. IP addresses and device IDs are identifiable in the records for attack prevention purposes and for geographic access statistics. IP addresses/device IDs are also used to limit access rates to the app/database as necessary and prevent Denial of Service (DOS) attacks and other threats.
You enter your name and e-mail address yourself when you send a request to an article supplier. This data is stored on the server for as long as is necessary to process the app actions you desire. Your name, country of residence and e-mail address are stored on your smartphone. In the case of the web app, this information is not stored, so you must re-enter it in each session you make a request.
Backup copies of the server are divided into different categories for monitoring and control. If backups contain personal data, they are documented. If they need to be restored, each user of the system is informed. Backups are stored in encrypted form.
Legal basis for the processing of personal data
The legal basis for the temporary storage of data and log files is Art. 6 (1) (a) of the GDPR.
Purpose of data processing
The log file data are stored in the system to ensure the functionality of the system. In addition, the data help us to optimise our AskREACH IT tools and to ensure the security of our information technology systems. The data are statistically evaluated in anonymous form in order to document the success of the AskREACH IT tools. The temporary storage of the IP address by the system is necessary to enable the server information to be delivered to the user's computer/device. For this the IP address of the user must remain stored for the duration of the session. The data are not evaluated for marketing purposes and a direct reference of the IP number from the log file to your person is not possible and is excluded.
You enter your name and e-mail address yourself into the app and can change or delete it at any time
- If you send a request to a company, only the name you entered and your country of residence are visible to the company. Your name should show the company that a real person is behind the request. The country is indicated so that the company can reply to you in the appropriate language.
All personal data stored in the AskREACH server are visible to the AskREACH administrators on consumer or supplier request so they can administer their helpdesk activities.
- Technical administrator: Luxembourg Institute of Science and Technology (LIST)
- Global administrator (operator): German Environment Agency (UBA)
- Regional administrators in Denmark: Danish Consumer Counsel (DCC)and Danish Environmental Protection Agency (DK EPA)
Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. Your name and e-mail address will only be stored in connection with your requests and for a maximum of 60 days (buffer time for potential queries). They will be pseudonymised in the system and only used for anonymous statistics.
If personal data (online identifiers such as IP-addresses and unique device IDs) are stored in log files, they will be deleted after two weeks at the latest. Further storage is possible in the event of malicious behaviour and if future access is to be prevented. In this case the IP addresses of the users (as far as possible for the purpose) are deleted or alienated, so that an assignment of the calling client is no longer possible.
Possibility of objection and elimination, revocation of consent
The collection of data for the provision of the IT tools and the storage of data in log files is absolutely necessary for the operation of the IT tools.
Your name and e-mail address are only stored temporarily in the system. Both can be deleted or removed at your request.
You can revoke your consent to the processing of your personal data at any time. The legality of the processing carried out on the basis of the consent up to the revocation remains unaffected by this. After revocation of your consent you can no longer use the app.
6.Data transfer to third countries (outside the EU)
Requests can be sent to any company outside the EU. With regard to most countries outside the EU, no adequacy decision of the EU Commission according to Art. 45 GDPR is available. Therefore, data processing is possible only with consent of the persons concerned. Such data transfers without adequacy decision and appropriate guarantees entail risks. Requests that you send to suppliers in such countries contain your name and your country of residence, but no other personal data. Most countries outside the EU do not have legislation similar to the EU Chemicals Regulation. Companies from these countries are therefore not obliged to respond to consumer requests.
7.Push notifications (smartphone app only)
If a smartphone app user agrees to receive push notifications from the AskREACH system, their device ID is stored in the business logic and they are subject to the data privacy rules of the Apple Push Notification service or Google Firebase service.
Once annually in 2020, 2021 and 2022, all active users of the smartphone app at that time will receive via the app a request to participate in a survey. Personal data are not involved.
Consumers who agree to participate in the survey are directed to a questionnaire created in the web tool LimeSurvey which is hosted at an external website by the AskREACH project partner sofia (University of Applied Sciences Darmstadt, Society for Institutional Analysis). The data privacy conditions of LimeSurvey apply (https://www.limesurvey.org/policies/privacy-policy).
In the questionnaires, consumers may leave their e-mail address so that regional administrators can ask them to participate in additional interviews. All surveys are evaluated anonymously. The regional administrators handle the personal data received during this activity as explained under Section 10.
Description and scope of data processing
Description and scope of data processing
You can send questions about the app or supplier responses by e-mail to UBA (in German or English) or your regional administrator. Your personal data transmitted with the e-mail will be stored by us or by the regional administrator.
In this context, the data will not be passed on to third parties (excluding global, technical and regional administrators) without your separate consent. Your consent will be stored as described in Section 5.3. We and the technical and regional administrators will use the data exclusively for processing the exchange and then delete or anonymise it. However, if any administrators are bound by national administrative law to store correspondence for a longer period, they become controller for these data.
Legal basis for the processing of personal data
The legal basis for the processing of data transmitted in the course of sending an e-mail is Art. 6 (1) (f) GDPR.
Purpose of data processing
The processing of the personal data serves in answering your enquiry.
Duration of storage
Your enquiries and answers in electronic files of the regional administrator are stored according to the stipulations of the GDPR: personal data should not be retained longer than necessary, in relation to the purpose for which such data is processed. However, the storage duration is decided by the regional administrator on a case by case basis, taking into account the purpose of the processing and additional national legislation. DK EPA is bound by national administrative law to store correspondence for a longer period. Therefore, they become controller for these data.
Possibility of objection and elimination
You have the possibility to object to the processing of your personal data sent with your e-mail at any time. To this end, please contact our data protection officer (in German or English) or the regional administrator. In such a case, the conversation cannot be continued. All personal data stored in the course of contacting us or the regional administrator will be deleted.
Further information on communication by e-mail
E-mails can be stopped and read by experienced Internet users. If we or the regional administrators receive an e-mail from you, it is assumed that we or the regional administrators are entitled to reply by e-mail.
Be careful with questionable e-mails: Fraudsters repeatedly try to install malware on foreign PCs via attachments or links in e-mails. Don’t trust e-mails with lurid subject lines, dubious contents, or questionable origin – delete them immediately. As a rule, we and the regional administrators never send files with attachments using the suffixes ".exe″ or ".com″. Please do not open such files and inform us (in German or English) or the regional administrators about such an e-mail. We or the regional administrators will never ask you to send us sensitive data by e-mail or telephone.
If your personal data are processed, you are affected within the meaning of the EU General Data Protection Regulation (GDPR) and you have the following rights vis-à-vis the person responsible. Please contact us (in German or English) or the regional administrator (see above).
Right to information
You can ask the person responsible to confirm whether personal data concerning you are being processed by us.
You have the right to request information about whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transmission.
This right to information may be limited to the extent that it is likely to make impossible or seriously impair the achievement of research or statistical purposes and the limitation is necessary for the fulfilment of research or statistical purposes.
Right to rectification
You have a right to rectification and/or completion vis-à-vis the data controller if the personal data processed concerning you are incorrect or incomplete. The person responsible shall make the correction without delay.
Your right to rectification may be limited to the extent that it is likely to render impossible or is seriously prejudicial to the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to limitation of processing
Under the following conditions, you may request that the processing of personal data concerning you be restricted:
- If you dispute the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of the personal data;
- The processing is unlawful and you refuse to delete the personal data and instead request that the use of the personal data be restricted;
- The data controller no longer needs the personal data for the purposes of the processing, but you do need them to assert, exercise or defend legal claims, or
- If you have filed an objection to the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data may only be processed - apart from being stored - with your consent or for the purpose of asserting, exercising or defending rights or protecting the rights of another natural or legal person or on grounds of an important public interest of the European Union or a Member State.
If the processing restriction has been limited according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
Your right to limitation of processing may be limited to the extent that it is likely to render impossible or is seriously prejudicial to the achievement of research or statistical purposes and the restriction is necessary for the fulfilment of research or statistical purposes.
Right to erasure
a) Duty to delete
You may call on the data controller to erase the personal data relating to you and the controller is obliged to erase this data without delay if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke the consent on which the processing was based pursuant to Art. 6 (1) (a) or Art. 9(2) (a) GDPR, and there is no other legal basis for the processing.
- You file an objection against the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21 (2) GDPR.
- The personal data concerning you have been processed unlawfully.
- The deletion of personal data relating to you is necessary to fulfil a legal obligation under EU law or the law of the Member States to which the data controller is subject.
- The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.
b) Information to third parties
If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 (1) GDPR, then the data controller shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data processors who process the personal data that you, as the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.
The right to cancellation does not exist insofar as the processing is necessary:
- To exercise freedom of expression and information;
- For the performance of a legal obligation required for processing under the law of the European Union or of the Member States to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority conferred on the controller;
- For reasons of public interest in the field of public health pursuant to Art. 9 (2) (h and i) and Art. 9 (3) GDPR;
- For archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 (1) GDPR, insofar as the law referred to in section a) above is likely to make it impossible or would seriously impair the attainment of the objectives of such processing, or
- To assert, exercise or defend legal claims.
Right to inform
If you have exercised your right to have your data rectified, erased, or to restrict processing, the data controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or the restriction of processing, unless this proves impossible or involves disproportionate effort.
The person responsible shall inform you about those recipients if you request it.
Right to data portability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to pass this data on to another person in charge without obstruction by the person in charge to whom the personal data was provided, provided that
- Processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and
- Processing is carried out by automated methods.
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedoms and rights of others must not be affected by this.
The right to portability shall not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority conferred on the controller.
Right to object
You have the right to object, on grounds relating to your particular situation, to the processing of your personal data in accordance with Art. 6 (1) (f) GDPR.
The data controller shall no longer process the personal data concerning you, unless compelling legitimate grounds can be demonstrated for the processing, which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
Notwithstanding Directive 2002/58/EC, you have the right to object in the context of the use of Information Society services by automated means using technical specifications.
You also have the right to object to the processing of personal data concerning you for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) GDPR for reasons arising from your particular situation.
Your right to object may be limited to the extent that it is likely to make it impossible or would seriously impair the realisation of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
Right to revoke the data protection declaration of consent
You have the right to revoke your data protection declaration of consent at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of the consent prior to revocation.
Right of appeal to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right of appeal to a supervisory authority, in particular in the Member State in which you reside, work or suspect an infringement, if you believe that the processing of personal data concerning you is contrary to the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
In the case of the German Environment Agency, the responsible supervisory authority is the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information).
The responsible supervisory authority in Denmark in relation to GDPR is the Danish Data Protection Agency (https://www.datatilsynet.dk/).
12.Sharing of the app in social networks