Privacy Policy related to the use of our website 

Following information is to be provided pursuant to Art. 13 et seq. GDPR where personal data are collected from the data subject on our website.

In the following sections of this privacy policy, ZAST would like to inform you, among other things, about the extent to which and for what purposes information about you is processed when you visit our website.

 

1. Name and contact details of the controller

Zentrale Abrechnungsstelle für den Rettungsdienst Bayern GmbH (ZAST GmbH)
Elsenheimer Str. 41
80687 München
Tel.: +49 89 244433 444
E-Mail: info@zast.de 

(hereinafter referred to as “ZAST”).

 

2. Contact details of the data protection officer:

Benjamin Link
Zentrale Abrechnungsstelle für den Rettungsdienst Bayern (ZAST GmbH) 
Elsenheimer Str. 41 
80687 München 
E-Mail: datenschutz@zast.de

 

3. Purposes for which the personal data will be processed, as well as the legal basis for the processing

3.1. Processing of access data

For technical reasons, we process a limited amount of data (so-called connection data / server log files) each time this website is accessed. This data is technically necessary to establish and maintain a connection between your device and our servers. This data is processed in the web server’s main memory for the duration of the connection:

The following data or data categories are collected:

• Name of the virtual host (domain accessed)
• IP address of the requesting client
• Client identifier (RFC1413, usually empty “-”)
• Authenticated username (if HTTP authentication is used)
• Date and time of the request
• HTTP request line (method, requested URL, HTTP version)
• HTTP status code of the response
• Size of the response in bytes
• Referrer URL
• User Agent

This data is automatically logged when you visit our website to ensure the functionality and security of our websites. Furthermore, the logs are used to optimize the website. This data is not combined with other data sources. Therefore, we are unable to create user profiles containing personal references using this data.

The storage of information in the end user's terminal equipment or access to information is carried out in accordance with § 25 (2) no. 2 TDDDG (German Telecommunications-Digital Services-Data Protection Act). The processing of personal data is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interest´s assessment was carried out and came to the conclusion that the processing is necessary to safeguard our legitimate interests and that these outweigh your interests, fundamental rights and freedoms which require protection of personal data. We have a legitimate interest in making this website and the services offered on it available to users.

3.2 Cookies and related technologies

3.2.1 General

This website partly uses so-called cookies and related technologies (e.g. scripts). Cookies do not cause any damage to your computer and do not contain viruses. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are stored on your terminal device and saved by your browser, for example to "remember" information about you, such as your language settings or login information. These cookies are sometimes set by us and are referred to as first-party cookies. We also use third-party cookies, which come from a different domain than the one of the websites you are visiting.

By selecting the appropriate technical settings in your Internet browser, you can be notified before cookies are set and decide whether to accept them individually and prevent the storage of cookies and transmission of the data they contain. Cookies that have already been saved can be deleted at any time. However, we would like to point out that you may then not be able to use all the functions of our website to their full extent.

You can find out how to manage (including deactivating) cookies in the most important browsers by clicking on the links below:

• Chrome Browser: https://support.google.com/accounts/answer/61416?hl=de
• Mozilla Firefox:  https://support.mozilla.org/de/kb/cookies-erlauben-und-ablehnen
• Safari: https://support.apple.com/de-de/guide/safari/manage-cookies-and-website-data-sfri11471/mac

3.2.2. Technically necessary cookies and related technologies

Most of the cookies we use are so-called “session cookies”. They are automatically deleted after the end of your visit. Such cookies are mandatory and technically necessary for the operation of the website and to provide the service requested by the user and can therefore not be disabled.

The storage of information in the end user's terminal equipment or access to information is carried out in accordance with § 25 (2) no. 2 TDDDG. The processing of personal data is based on our legitimate interest in ensuring the optimal functionality of the website as well as a user-friendly and effective design of our offer pursuant to Art. 6 (1) lit. f GDPR. A legitimate interest´s assessment was carried out and came to the conclusion that the processing is necessary to safeguard our legitimate interests and that these outweigh your interests, fundamental rights and freedoms which require protection of personal data. 

3.2.3 Cookies requiring consent, such as analytics and tracking cookies and related technologies (e.g. Tracking Scripts)

No advertising, marketing, or analytics tools, nor any other third-party services, are integrated into our website.

 

3.3 Data processing in connection with the request for a Duplicate Invoice or Transport Prescription

On this website, you have the option to request a Duplicate Invoice or a Transport Prescription. The information you provide is generally stored solely for the purpose of responding to your request and serves to uniquely identify you.

The following data or categories of data are collected and processed:

• Invoice number
• First and last name
• Date of birth
• Email address 
• Phone number 

The email address and phone number are optional fields so that we can contact you if we have any questions. 

The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interest’s assessment was carried out and came to the conclusion that the processing is necessary to safeguard our legitimate interests, and that these interests outweigh your interests, fundamental rights, and freedoms that require the protection of personal data. We have a legitimate interest in responding to your request for a duplicate invoice or a transport prescription, for which the processing of the data and data categories mentioned here is necessary.

The provision of the personal data designated as mandatory is necessary for requesting a duplicate invoice or a transport prescription. If you do not provide us with this information, we cannot send you a duplicate invoice or a transport prescription.

 

3.4 Data processing in connection with the use of our contact form or when contacting us by telephone or e-mail

When you contact us via the contact form on our website, the information you provide is generally stored solely for the purpose of processing and responding to your inquiry, as well as for any follow-up inquiries and, if necessary, for further consultation.

The following data or categories of data are collected and processed:

• First and last name
• Email address
• Phone number
• Personal message (inquiry)

The email address and phone number are optional fields so that we can contact you if we have any questions. 

The legal basis for processing your data is our legitimate interest pursuant to Art. 6 (1) lit. f GDPR. A legitimate interest’s assessment was carried out and came to the conclusion that the interests of the data subject do not outweigh our interests in processing. We have a legitimate interest in answering your inquiry and, if applicable, in conducting pre-contractual, for which the processing of the data and data categories mentioned here is necessary.

The provision of the personal data designated as mandatory is necessary for us to contact you. If you do not provide us with this information, we will not be able to contact you.

 

4. Obligation to provide data

In general, the provision of the personal data mentioned in section 3 is neither legally nor contractually required. You are not obliged to provide the data. Failure to provide it therefore has no consequences. This only applies if no other information is provided for the respective processing operations.

 

5. Automated decision-making, including profiling

Automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR do not take place on the part of ZAST GmbH.

 

6. Transfer of personal data to a third country

Data transfers to countries outside the EU and the European Economic Area ("Third Countries") arise in the context of the administration, development and operation of IT systems. The transfer takes place only on the basis: 

• of an adequacy decision of the European Commission according to Art. 45 GDPR.
• of an approved certification mechanism pursuant to Art. 42 GDPR together with legally binding and enforceable obligations of the controller or processor in the third country.
• of standard data protection clauses adopted by the Commission pursuant to the examination procedure referred to in Art. 93 Sec. 2 GDPR.

Currently, no transfer of personal data to third countries takes place when using this website. 

 

7. Categories of recipients of the personal data

For the processing of personal data for the purposes mentioned here, we use the following categories of recipients as processors pursuant to Art. 28 GDPR:

• Provider of servers for hosting our websites.
• IT service provider for the maintenance of our IT infrastructure
• Other processors within the meaning of Art. 28 GDPR in the course of order processing

These service providers process information about you on our behalf and on the basis of our instructions and are contractually obliged to comply with the applicable data protection laws in accordance with Art. 28 GDPR.

Your data will also be passed on if we are legally obliged to do so.

 

8. Period for which the personal data will be stored or criteria used to determine that period

Personal data will generally only be stored as long as necessary to fulfill the purposes mentioned here or as required by the retention periods specified by law. After the respective purpose is fulfilled or after the retention periods have expired, the data will be deleted in accordance with the statutory requirements.

If you contact us to request a duplicate invoice, a transport prescription, or for any other matter, we generally store the collected data for the duration of the response to your inquiry. Statutory retention periods remain unaffected.

All connection data (access logs) in the storage of the web server are deleted automatically after 3 months. In the event that parts of the access logs are required for the preservation of evidence, these are excluded from deletion until final clarification of the respective incident.

 

9. Your rights as a data subject

ZAST GmbH is responsible for processing your data, unless otherwise stated.

You have the right to request from us access to personal data (Art. 15 GDPR) and the rectification of inaccurate personal data (Art. 16 GDPR). Furthermore, you have the right to obtain the erasure of personal data (Art. 17 GDPR) concerning your person, the right to restriction of processing (Art. 18 GDPR) and the right to receive (Art. 20 GDPR) the personal data provided to us by you, in a structured, commonly used and machine-readable format.

In addition, you have the right to object at any time to the use of your data based on public or legitimate interests (Art. 21 GDPR).

Where the processing is based on your given consent you can withdraw the consent (Art. 7 Sec. 3 GDPR) at any time. Upon receipt of your withdrawal of consent, we will no longer use or process the data concerned for purposes mentioned in your consent.

If you wish to exercise your data subject rights, please send your request by email to datenschutz@zast.de or by mail to the address listed in Section 1.

 

10. Your right to lodge a complaint with a supervisory authority

In addition, pursuant to Art. 77 (1) GDPR, you may lodge a complaint with a supervisory authority at any time. The competent authority for us is:

Der Bayerische Landesbeauftragte für den Datenschutz (BayLfD)
Postfach 22 12 19
80502 München
poststelle@datenschutz-bayern.de

Alternatively, you may contact the supervisory authority with local jurisdiction over you. 

 

11. SSL or TLS Encryption

For security reasons and to protect the transmission of confidential content, such as inquiries you send to us as the website operator, this site uses SSL or TLS encryption (TLS 1.2 and 1.3). You can recognize an encrypted connection by the fact that the address bar of the browser changes from “http://” to “https://” and by the lock icon in your browser bar.

When SSL or TLS encryption is enabled, the data you transmit to us cannot be read by third parties.

 

Version April 2026

This privacy policy is subject to ongoing review, and ZAST GmbH reserves the right to make changes at any time. Such changes will be published accordingly on this website.