Privacy Policy of ZAST GmbH

The following information provides an overview of which personal data we process and what your corresponding rights are under the data protection legislation.


Information pursuant to Art. 13 and 14 GDPR (General Data Protection Regulation)


1. Who is responsible for data processing?

The responsible party is:

Zentrale Abrechnungsstelle für den Rettungsdienst Bayern GmbH (ZAST GmbH)
Elsenheimerstr. 41
80687 Munich

Telephone: +49 89 24 44 33 444
Fax: +49 89 24 44 33 75 99
Email: info(at)

Should you have any questions about this Privacy Policy or about data protection at ZAST GmbH, please contact our external data protection officer:

Martin Holzhofer
Holzhofer Consulting GmbH
Lochhamer Str. 31
82152 Muenchen-Planegg

E-Mail: dsb-zast(at)


2. Which sources and personal data does ZAST GmbH use?

As the central billing agent assigned under BayRDG (Bavarian law on emergency rescue services), ZAST GmbH is responsible for the billing of public patient transport, emergency responses (including by emergency doctors), air rescue missions, mountain and water rescue missions, and the transportation of intensive care patients and new-born babies within Bavaria. The information about each incident response is provided to us for billing by the corresponding emergency services. During this process, certain personal data of the patient, as well as details of the response, are shared with us.

The following personal data is recorded and provided to us by the emergency personnel: surname, first name, address, date of birth, health insurance provider, policyholder's number. 

The response data includes information about the type of response, the route, the duration, the deployed emergency personnel, and the vehicle that was used.

If it becomes necessary to search for the correct personal data because the original data is incorrect or incomplete, we will use other sources in addition to the publicly available ones (Internet, telephone or address search). These additional sources may include institutions involved in the response (e.g. emergency services, hospital) or other companies (e.g. credit agency, health insurance provider), should this be necessary to complete our assignment. 

As part of our debt collection practices, we may process additional personal data under certain circumstances, such as telephone numbers, email addresses and payment details.

3. For which purposes is personal data processed, and on what legal basis?

As the central billing agent assigned under BayRDG (Bavarian law on emergency rescue services), ZAST GmbH is responsible for the billing of public patient transport and emergency responses (including by emergency doctors) within Bavaria. Art. 34 para. 9 BayRDG, Art. 47 para. 1 and 2 BayRDG as well as Art. 34 AVBayRDG constitute the main legal basis upon which data is processed.

ZAST processes the data for the purpose of billing all emergency service responses for the deployed support organisations of the Bavarian emergency services. The billing includes invoicing the paying parties (e.g. social insurance agencies, hospitals) or private individuals on behalf of the support organisations. It also includes collecting the corresponding payments, as well as debt collection and complaints management.

Your data will not be processed for sales or marketing purposes.

4. Who receives the data?

Your data will only be provided to those parties within ZAST GmbH that need it to fulfil our contractual and legal obligations.

As part of our debt collection practices, we may share your data with social security agencies, billing centres, hospitals, social welfare offices, prisons, statutory accident insurance institutions and embassies.

Service providers that we use may receive your data if they agree to keep it confidential in accordance with GDPR. Service providers are companies in the following categories: printing, IT, financial services, logistics, debt collection, telecommunications.

We may be legally obliged to share personal data with the following recipients in particular: public authorities, regulatory bodies, law enforcement authorities, auditors and solicitors.

Your data will not be shared for sales or marketing purposes.

5. Is data sent to non-EU countries?

Personal data may be sent to a country outside of the European Union if the person concerned resides in that country or if their representative (e.g. a foreign health insurer) is based there. In such case, personal data will be sent to this non-EU country as part of the debt collection process. In addition to the person concerned, this may also include the service providers listed under item 4. 

6. How long is data stored for?

Your personal data will be stored for as long as is necessary for us to fulfil our contractual and legal obligations. If the personal data is no longer needed to fulfil contractual and legal obligations, it will be deleted, unless it needs to be retained for longer for the following purposes:

- To meet record-keeping requirements under commercial and fiscal law (e.g. HGB – German Commercial Code). The retention and documentation periods range from two to ten years.

- To preserve evidence within the scope of the statutory limitation periods of between 3 and 30 years. (Art. 195 et seq. BGB – German Code of Obligations)

7. Is automated decision-making pursuant to Art. 22 GDPR carried out?

No automated decision-making pursuant to Art. 22 GDPR takes place when we process personal data.

8. Does profiling take place?

We do not perform any profiling when processing personal data.