Information on data processing for the ToxFox smartphone app and exclusion of liability

This information on data processing and exclusion of liability is in regard to the ToxFox app for smartphones. The app is made available by Bund für Umwelt und Naturschutz Deutschland e.V. (BUND) and was further developed as part of the EU LIFE Project AskREACH (LIFE16 GIE/DE/000738). In Germany the app is intended for users aged 16 and over.

I. Information on data processing

1. Contact details of the data protection officer

Controller for the purposes of the General Data Protection Regulation (GDPR) is Bund für Umwelt und Naturschutz Deutschland e.V. (BUND).

Kaiserin-Augusta-Allee 5, D – 10553 Berlin
Phone: +49 (0) 30 275 86-40, Fax: +49 (0) 30 275 86-440

For questions concerning processing of your personal data by BUND, data protection in general and assertion of your data subject rights (e.g., requests for information), please contact the above address or send an email to datenschutz(at)bund.net. For all other queries about data protection law you can contact our external data protection officer directly by sending an email to datenschutzbeauftragter(at)bund.net.

2. General information

With the ToxFox app you can obtain information about substances of very high concern (SVHCs) in consumer products or send SVHC inquiries ("poison-related questions") to the appropriate product vendor. The ToxFox app is connected to the ToxFox database for this purpose (hereinafter referred to as "ToxFox system"). For technical operation of the ToxFox system BUND relies on a service provider operating in accordance with Art. 28 of the GDPR.

The ToxFox system is also connected to a database called AskREACH, which, among other things, makes information on SVHCs and contact details of product vendors available. Submission of poison-related questions to product vendors is also performed as a service via AskREACH. The central AskREACH system consists of the database plus services. The German Environment Agency (Umweltbundesamt – UBA) is responsible for the central AskREACH system (https://www.umweltbundesamt.de/sites/default/files/medien/421/dokumente/20200719_privacy_policy_scan4chem_uba.pdf).

Scope of processing of personal data

BUND processes personal data of users of the ToxFox app basically only to the extent necessary for making available content and services (such as providing information on substances of very high concern ("SVHCs") supplied via consumer product vendors). The processing of personal data of users is only carried out on a regular basis with their consent. An exception applies in those cases where prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

Unless otherwise stated in this data privacy declaration in specific cases, your data will not be passed on to third parties. Your data will not be processed or used for consulting, advertising or market research purposes. As part of their help desk activities, the administrators of the ToxFox system and of the AskREACH system may view the stored data.

All information is transmitted via an encrypted Secure Sockets Layer (SSL) connection. Your personal data cannot be read by unauthorized persons while being transmitted via the Internet.

The legal basis for processing personal data

The legal basis for the processing of personal data is the consent of the data subject pursuant to Art. 6 (1) (a) of the EU GDPR. All processing of personal data is subject to your having given your consent in the app.

Data erasure and storage period

The ToxFox system stores email addresses in connection with poison-related questions in a certified data center. For security reasons a weekly backup is created on a further storage location at the same data center. The personal data is deleted or blocked as soon as the purpose of storage ceases to apply. In addition, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the person responsible is subject. The data is also blocked or deleted if a storage period prescribed by the aforementioned standards expires.

3. Provision of the app

The ToxFox app can be downloaded from the Google and Apple app stores.

If users download the app from the app stores, they are subject to the data protection regulations of iTunes and GooglePlay. BUND has no influence over the conditions of use or the owners of the app stores. BUND assumes no liability for actions carried out by the owner of an app store or by third parties. BUND hereby expressly advises you that app store owners archive data and use it for commercial purposes. BUND has no knowledge of the scope of this data or how long it is archived. However, you are legally entitled to request the owner of an app store to inform you about which personal data about you is being processed and you can assert all rights to which you are entitled under the GDPR.

4. Use of the app

Scope of data processing

Each time your smartphone accesses the ToxFox and AskREACH systems, data and information, including the user’s IP address or the device identification number, are automatically collected.

The data is stored in the access statistics (logfiles) of both systems. IP addresses and device IDs can be identified for the purpose of preventing attacks and for geographic access statistics. IP addresses/device IDs are also used to limit access to the app/database if necessary and to prevent denial of service attacks and other threats.

If you wish to send a poison-related question to a product provider, you can enter your name and email address yourself. This data is stored in the ToxFox and AskREACH systems for as long as is necessary to process the app operations you have requested. Your name, your country of residence and your email address are also saved on your smartphone.

Legal basis for data processing

The statutory basis for the temporary storage of data and log files is Art. 6 (1) (a) of the GDPR.

Purpose of data processing

The log file data is stored to ensure the functionality of the ToxFox and AskREACH systems. In addition, the data is used to optimize the ToxFox and AskREACH systems and to ensure our information technology systems are secure. The data is statistically evaluated in anonymized form in order to document the success of the ToxFox system and the AskREACH system.

The temporary storage of the IP address is necessary in order to enable the server information to be delivered to the user's computer/device. To do this, the user’s IP address must continue to be stored for the duration of the session. The data is not evaluated for marketing purposes. This data from the logfile is not combined with any other stored data.

A direct reference of the IP number from the logfile to your person is not possible and is ruled out. The IP address is only made use of in the event of attacks on the ToxFox and the AskREACH infrastructure, violations of moral standards, or other illegal actions associated with its use. A link from the IP address to you personally is only possible via your dial-up provider as part of a criminal investigation.

You can decide for yourself whether to disclose your name and email address by entering them in the app. If you choose to do so, you can change or delete them at any time. If you send a poison-related question to a product vendor, only the name you entered and your country of residence are visible to the company; your email address will not be passed on (more detailed information follows below). Your name should show the product vendor that there is a real person behind the request. The country is indicated so that the product vendor can respond to your question in the appropriate language. After you submit your request, the following situations may arise:

  • The product vendor enters the requested information in the central AskREACH database. You will then receive the relevant information from the ToxFox system – the company did not receive your email address.
  • The product vendor sends the information by email to the AskREACH system, which forwards it to you via the ToxFox system. In this case, too, the company will not receive your contact details.
  • Some companies do not want to use the AskREACH system, preferring to contact their customers directly. In this case, the ToxFox system will inform you accordingly and you will be asked to email your request directly to the company. This means that you can decide for yourself whether to disclose your contact details or to waive the request.

Duration of storage

All personal data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected. Your name and email address will only be stored in connection with your inquiries and for a maximum of 60 days (buffer time for potential inquiries). They are given a code name in the system and used for anonymous statistics only.

Personal data stored in logfiles (online identifiers such as IP addresses and unique device IDs) are deleted after two weeks at the latest. Longer storage is possible in cases of malicious behavior or to prevent future access. In this case, the IP addresses of users are deleted or coded (as far as possible for the particular purpose) so that it is no longer possible to identify the client who has called.

Objection and removal option, revocation of consent

The collection of data for the purposes of the ToxFox app and the storage of the data in logfiles is essential for the operation of the app. Your name and email address are stored in the system only temporarily. Both can be deleted if you wish.

You can revoke your authorization of the use of your personal data at any time. The legality of data processing carried out with your consent up to the revocation remains unaffected. Once you have withdrawn your consent, you can no longer use the app.

5. Data transfer to third countries (outside the EU)

No decision on adequacy according to Art. 45 GDPR has been made by the EU Commission for most countries outside the EU. Consequently, data processing is only possible with the consent of the data subjects. Risks are involved with such data transfers without an adequacy decision and appropriate guarantees. Inquiries that you send to product vendors in such countries contain your name and country of residence, but no other personal data. Most countries outside the EU do not have any legislation that is similar to EU Regulation (EC) No. 1907/2006 (EU Chemicals Regulation) in the currently applicable version. Companies from these countries are therefore not obliged to respond to consumer inquiries.

6. Push notifications

You can activate and deactivate push notifications in the app. If push notifications are activated, your IP address and the selected topics will be sent to the Google server (Google LLC, Google Ireland Limited, Google Asia Pacific Pte. Ltd.), which runs the "Firebase Cloud Messaging" push service integrated within Android, and with iOS to servers of the Apple company that operates "Apple Push Notification Services." The statutory basis for this is your consent in accordance with Article 6 (1) (a) GDPR. In these cases, data can be transmitted without suitable guarantees within the meaning of Art. 46 GDPR to all Google or Apple data centers (including those in non-EU countries – in particular the US). In its decision of July 16, 2020, file number: C-311/18 ("Schrems II") the European Court of Justice ruled that no adequate level of data protection can be guaranteed in the US. On the one hand, there is a risk there that US security authorities may gain access to transferred data without any possibility of effective legal remedies. On the other hand, data subjects have no enforceable rights. Consequently, transmission only occurs with your consent in accordance with Art. 6 (1) (a) of the GDPR, in the case of activation of push notifications on the basis of Art. 49 (1) (a) of the GDPR. You can find further information on data protection of the Google company at: https://firebase.google.com/support/privacy

7. Crash reports

BUND is interested in continuously improving the services and features of the ToxFox app. For this reason, the ToxFox system uses the Sentry service of Functional Software Inc., 132 Hawthorne Street, San Francisco, California 94107, to improve the technical stability of our service through the monitoring of system stability and identification of code errors.

To react to crashes, the operating system ID, the operating system/browser, and crash information are collected and later deleted again.

The statutory basis for this is your consent in accordance with Article 6 (1) (a) GDPR. In these cases, data can be transmitted without suitable guarantees within the meaning of Art. 46 GDPR to all Google or Apple data centers (including those in non-EU countries – in particular the US). In its decision of July 16, 2020, file number: C-311/18 ("Schrems II") the European Court of Justice ruled that no adequate level of data protection can be guaranteed in the US. On the one hand, there is a risk there that US security authorities may gain access to transferred data without any possibility of effective legal remedies. On the other hand, data subjects have no enforceable rights. Consequently, transmission only occurs with your consent in accordance with Art. 6 (1) (a) of the GDPR, in the case of download in the app on the basis of Art. 49 (1) (a) of the GDPR.

Additional information on the way user data is handled is available in the data protection declaration of Sentry: https://sentry.io/privacy/.

8. Newsletter

If you click in the ToxFox app indicating you wish to receive the BUND newsletter at no cost, you will be transferred to the BUND website where you can subscribe to the newsletter. Information on data protection in connection with the subscription can be found in the data protection declaration on the BUND website (www.bund.net/datenschutz).

9. Email contact

Description and scope of data processing

You can email BUND questions about the app or about the answers received from companies. In this case, the personal data transmitted with the email will be saved by BUND.

The data will not be passed on to third parties without your separate consent (exception: technical administrators and regional administrators). Your consent will be saved as described in section 2. BUND and the technical administrators will use the data exclusively for processing the communication and then delete or anonymize it.

Statutory basis for data processing

The statutory basis for processing data that is transmitted in the course of sending an email is Article 6 (1) (f) GDPR.

Purpose of data processing

The processing of personal data serves to answer your questions to us.

Duration of storage

The storage of your questions and answers in electronic files by the regional app administrator can last up to 60 days.

10. Additional data protection rights

Provided that there are no contractual or legal obligations to the contrary, as a data subject you have the following further rights in principle:

  • A right to information (Art. 15 GDPR) with the restrictions specified in §§ 34, 35 BDSG new version
  • A right to rectification of incorrect data (Art. 16 GDPR)
  • A right to erasure (Art. 17 GDPR) with the restrictions specified in §§ 34, 35 BDSG new version
  • A right to restriction of processing of personal data (Art. 18 GDPR)
  • A right to data portability (Art. 20 GDPR)
  • A right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR)
  • A right to object on a case-by-case basis (Art. 21 (1) GDPR) for reasons that arise from your particular situation and related to data processing in accordance with Art. 6 (1) (e) and Art. 6 (1) (f) GDPR

II. Exclusion of liability

1. Content of the ToxFox and AskREACH system

BUND does not guarantee the currentness, correctness, completeness or quality of the content of the ToxFox and AskREACH systems. Liability claims against BUND, which relate to material or non-material damage caused by the use or non-use of the information provided via the ToxFox and AskREACH systems or through the use of incorrect or incomplete information provided via the ToxFox and AskREACH systems are excluded, unless BUND can be shown to have acted with willful intent or gross negligence.

All offers are without obligation and are non-binding. BUND expressly reserves the right to change any aspect of the ToxFox and AskREACH system and/or its content in whole or in part at its own discretion without prior notice, or to temporarily or permanently discontinue the offer.

2. Links to other sites

In the case of direct or indirect references to external websites ("hyperlinks") that are used in the ToxFox app or the AskREACH system and are outside the area of responsibility of BUND, a liability obligation would only come into force if BUND had knowledge of the content and it would be technically possible and reasonable for BUND to prevent its use in the event that the content is illegal. BUND expressly states that, at the time the link was set, no illegal content was recognizable on the linked pages. BUND has no influence at all on the current and future design, contents or copyright of linked pages. For this reason, we expressly distance ourselves from all contents of linked pages which were changed after the links were set. This applies to all links and references made available in the IT tools, as well as for all material from third parties. Only the publisher of the page to which the link leads shall be liable for illegal, incorrect or incomplete content and in particular for damages resulting from the use or non-use of such information, not the person who merely referred to a particular publication via links. Internet pages of third parties reached via external links may not be barrier free. Please bear in mind that links to such applications do not offer any right to mutual links.

3. Copyright

In the ToxFox app BUND undertakes to observe copyrights for graphics, audio files, video sequences and texts, to use its own graphics, audio files, video sequences and text or those created by AskREACH, or to make use of open-access graphics, audio files, video sequences and texts. All brands and trademarks referred to in the ToxFox app or the AskREACH system, or claimed by third parties, are subject without limitation to the provisions of the relevant trademark law and the property rights of the particular rights owner. Use of the trademark on the site is in itself not sufficient grounds for concluding that the trademark is not protected by third-party rights. The copyright for objects created by BUND or AskREACH themselves is exclusively retained by BUND and the relevant employees of the AskREACH system.

4. Legal validity of this exclusion from liability

This exclusion from liability is to be regarded as part of the ToxFox app. To the extent that parts of this text or individual formulations do not or no longer or do not completely adhere to the currently applicable legal situation, the remaining parts of the document shall remain unaffected in their contents and validity.

As of: September 2021
