Privacy Policy for the ADAC emergency data pass ("Wallet Pass")

1. Scope and Definitions

This privacy notice applies to the use of the Emergency Data Pass ("Wallet Pass") and the services and offerings of ADAC e.V. contained therein.

In addition to this privacy notice, the privacy notice for online platforms also applies. If you are an ADAC member, the privacy notice for members also applies. If you have an insurance with ADAC, the privacy notice for policyholders of ADAC Versicherung AG also applies. Furthermore, our apps (e.g., for smartphones) have their own privacy notices. If the terms of this privacy notice conflict with the privacy notice for online platforms, the terms of this notice take precedence. In the event of a conflict with other specific privacy notices, especially those for members or policyholders, those specific notices take precedence.
When "we" or "us" is used in this privacy notice, it refers to the data controller as defined in section 2.

2. Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:

ADAC e.V.
(see Legal Notice)

You can contact us using the details in the legal notice or via:
Phone: +49 89 76 76 0
Email: adac(at)adac.de

3. Address of the Data Protection Officer

You can reach the Data Protection Officer as follows:

ADAC e.V.
Data Protection Officer (DPO)
Hansastraße 19
80686 Munich, Germany
Email: dsb-mail(at)adac.de

The contact details of the Data Protection Officer of your respective ADAC regional club can be found on that club’s online platform.

4. Creation and Use of the Emergency Pass

Both ADAC members and non-members can create an Emergency Data Pass via the website adac.de by registering for an “ADAC Online Account” with ADAC Login, Mein ADAC, and ADAC Mailbox. This pass can be downloaded in digital form to your mobile phone (or another mobile device) to provide emergency responders with important personal and medical information (e.g., medications, pre-existing conditions or allergies) in a structured format - if you choose to do so.

The Emergency Data Pass is a so-called Wallet Pass, which is stored either in the pre-installed Apple Wallet on your iOS device or, if you use an Android device, in Google Wallet (which may also be pre-installed) or in the “YourWallet” app by the third-party provider YOUR PASS, s.r.o. (connected to the “Passcreator” service by our service provider Fobi AI Germany GmbH).

A Wallet Pass is a small file that contains all the information needed to display the pass, such as text or images. The creation and use of the Emergency Data Pass involves the following steps:

Creating and managing the Emergency Data Pass via “Mein ADAC”

You create the Emergency Data Pass through your ADAC Online Account in your personal area “Mein ADAC.” You can modify your data - add or delete information - at any time. Access to your health data is secured by two-factor authentication. This means that to enter, update, or delete your data, you must provide your phone number, to which we send an authentication code via SMS or call, or use it to verify your identity by phone.

Legal basis for processing your phone number:

• Art. 6(1)(b) GDPR (necessary for service delivery), and/or 
• Art. 6(1)(f) GDPR (legitimate interest in ensuring data integrity and confidentiality, especially preventing unauthorized access).
  
  

Secure storage of health data on ADAC servers
Your health data is stored separately from other data on individual server instances of ADAC in a Microsoft Azure database, encrypted using current security standards (asynchronous AES-256 encryption), and located within the European Union. When accessed, the data is decrypted and then re-encrypted.

Integration of encrypted health data into a QR Code
When creating your Emergency Data Pass, your health data is encrypted (asynchronous AES-256) and embedded in a QR code, which is part of the downloadable Wallet Pass. If you later update your health data via “Mein ADAC,” the QR code is automatically updated to reflect the latest information.

Downloading the Emergency Data Pass to your Wallet App
You can download and store your Emergency Data Pass in your preferred Wallet app. You can delete the pass from your Wallet app at any time. This does not affect the health data stored in your “Mein ADAC” account, which can be deleted separately.

Accessing health data by paramedics and other medical services
In an emergency, you can decide whether to allow rescue personnel access to the emergency data stored in your emergency pass. If you choose to do so, open your wallet app (either via quick access from the lock screen or by selecting the wallet app) and select the emergency data pass.

On the front of the emergency data pass, your name, the date of the last update, and a QR code are displayed. This QR code contains your health data in encrypted form. On the back of the pass, a link is shown through which you can access your health data - after entering your login credentials - in your personal area under “My ADAC.”

To read the health data from the QR code (which does not require an internet connection—meaning the emergency pass can also be used offline), paramedics and other medical services scan the QR code using special devices (such as a NidaPAD). These devices decrypt the health data contained in the QR code and display it to the paramedics.

Without the devices used by paramedics - and the software installed on them - decryption and thus reading of the health data is not possible.

Updating your Emergency Data Pass in the Wallet App

As soon as the Emergency Data Pass is saved in your Wallet app, your mobile device automatically sends a message to the so-called Push Notification Service of your device’s operating system provider (Apple/Google). This service then generates a random ID (called a Device Library Identifier), which is sent to our service provider Fobi AI Germany GmbH/Passcreator (see below). This ID is used to update your Wallet Pass but does not allow any conclusions to be drawn about your identity. Once you delete the Emergency Data Pass from your Wallet app, Fobi AI Germany GmbH/Passcreator is notified by the respective Push Notification Service, and no further updates to your Emergency Pass will occur. To enable regular updates, you may - if you wish - receive periodic messages prompting you to review and, if necessary, update your health data.

Types of personal data processed, purposes of processing and legal bases

In the context of the Emergency Data Pass, we only process personal data that is related to your membership and that you provide to us. This includes the following categories of data:

• Personal data (e.g., name, date of birth, membership number, gender, and other personal details you voluntarily provide for the Emergency Data Pass, such as emergency contacts, dependents, etc.)
• Medical data (e.g., medications, pre-existing conditions, allergies, pregnancy status, pacemaker information)
• Declarations of intent (e.g., existence of a living will or organ donor card)

If you provide us with contact details of third parties (e.g., name and phone number) to be listed as emergency contacts or dependents, you will be asked to confirm that these individuals have consented to the disclosure and processing of their data by us.

Please note that in the context of the Emergency Data Pass, we also process special categories of personal data within the meaning of Article 9 GDPR, namely health data, which require special protection.

The purpose of processing personal data in connection with the creation and use of the Emergency Data Pass is to organize and provide the “Emergency Data Pass” service and any related downstream services (see above). The legal bases for processing are:

• Article 6(1)(a) and Article 9(2)(a) GDPR (consent), and/or
• Article 6(1)(b) GDPR (processing necessary for the performance of a service).

Use of data processors

To fulfill the purposes described in section 4, we share your data with the following recipients:

• Fobi AI Germany GmbH, Walter-Gropius-Str. 15, 80807 Munich, as the provider of the “Passcreator” service, processes your personal data on behalf of ADAC in accordance with Article 28 GDPR.
• Service providers (e.g., call centers, IT companies, mobility partners, companies under the “ADAC” brand, and regional clubs not responsible for your membership). These process your personal data on behalf of ADAC as data processors under Article 28 GDPR.
• Authorities (e.g., law enforcement), lawyers, auditors, courts, experts.

Use of Wallet Apps from Apple/Google or Third Parties

When using a Wallet app, it is possible that the app provider and/or Apple (if you use an iOS device) or Google (if you use an Android device) may also process your personal data. We have no influence over this data processing and are not responsible for it. Please refer to the privacy policies of the respective app provider or the privacy statements of Apple (https://www.apple.com/privacy) and Google (https://policies.google.com/privacy).

5. Duration of data storage

Your personal data will be deleted as soon as it is no longer required for the stated purposes or if you withdraw your consent to its processing. Regardless of this, you can delete both your emergency data in your personal area under “Mein ADAC” and the Emergency Pass from your Wallet app at any time.

Please note: Deleting the Emergency Data Pass from the Wallet app does not affect the health data stored in your “Mein ADAC” account - this data must be deleted separately.

In some cases, personal data may be retained for the period during which claims can be made against ADAC. Additionally, personal data will be stored as long as ADAC is legally obligated to do so. Relevant retention and documentation obligations arise, for example, from the German Commercial Code (HGB), the Fiscal Code (AO), and the Money Laundering Act (GwG). These retention periods can be up to ten years.

6. Categories of recipients

Beyond the third parties explicitly mentioned in section 4, we only transfer your personal data to other third parties if:

• you have given your explicit prior consent,
• it is necessary for the preparation or fulfillment of a contract between you and the third party or us, or
• we are legally obligated to do so.

7. Transfers to Third Countries

If we transfer personal data to service providers outside the EU or the European Economic Area (EEA), such processing will only occur based on the EU Commission’s Standard Contractual Clauses, provided that appropriate safeguards ensure an adequate level of data protection (e.g., an adequacy decision by the EU Commission or appropriate safeguards under Art. 44 et seq. GDPR). If data is processed in the United States, this may also be based on the EU-U.S. Data Privacy Framework.

8. Your Rights under the GDPR

If the legal requirements are met, you have the following rights regarding the processing of your personal data:

• Right of access (Art. 15 GDPR): You may request information about the purposes of processing, categories of data, recipients, storage duration, and the origin of data not collected directly from you.
• Right to rectification (Art. 16 GDPR): You may request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17 GDPR): You may request deletion of your data unless legal or contractual retention obligations or other legal rights prevent this.
• Right to restriction of processing (Art. 18 GDPR).
• Right to data portability (Art. 20 GDPR): You may request your data in a common, machine-readable format or its transfer to another controller.
• Right to withdraw consent (Art. 7 GDPR): You may withdraw your consent at any time with future effect. If consent was given via privacy settings, you can withdraw it there.
• Right to object (Art. 21 GDPR): You may object to the processing of your personal data.

You can submit your data protection request informally—ideally including your customer or membership number—by email to: gesundheit(at)adac.de

You also have the right to lodge a complaint with a supervisory authority under Art. 77 GDPR, particularly in the member state of your residence, workplace, or the place of the alleged violation.

The supervisory authority responsible for ADAC e.V. is:
Bavarian Data Protection Authority (BayLDA)
Promenade 18, 91522 Ansbach

Phone: +49 981 1800930
Fax: +49 981 180093800

Stand: Juli 2025