Privacy

1. Overview and scope of application

This data protection information contains the information required in accordance with Art. 13 and Art. 14 of the General Data Protection Regulation 2017/679/EU ("GDPR") and explains how your personal data is processed. 

The following data protection information applies to use of the ADAC Versicherung AG whistleblower system, which comprises the "Tell-Me-VES” whistleblower portal, as well as the details for filing a report by email, post and in person. Our whistleblower system provides the opportunity to report potential violations of laws or guidelines on relevant compliance topics. These include, for example, reports on potential white-collar crimes such as corruption, fraud and embezzlement, as well as reports on possible violations of human rights and environmental law.

Kindly use the ADAC Versicherung AG whistleblower system responsibly, as raising suspicions and allegations against a person may have serious consequences. 

All content addresses and applies to all genders (f/m/o). Where grammatically masculine, feminine or neutral personal designations are used, this serves solely to improve readability.

2. Name and contact details the Controller 

The Controller within the meaning of the GDPR is:

• ADAC Versicherung AG (Legal information ADAC Versicherungen)
• and the companies affiliated with ADAC Versicherung AG (Legal information for majority-owned subsidiaries).

The companies specified to act as Controllers within the meaning of the GDPR are referred to in the following as "ADAC Versicherung AG".

3. Name and contact details of the Data Protection Officer

You may contact the Data Protection Officer of ADAC Versicherung AG and its majority-owned subsidiaries at 

ADAC Versicherung AG

Data Protection Officer

Hansastrasse 19

80686 Munich
Email: dsb-mail(at)adac.de

4. Processing of your personal data (data categories, data source, purposes, legal bases, storage period) 

Use of the ADAC Versicherung AG whistleblower system is voluntary and anonymous. We process personal data that whistleblowers provide to us as part of their report or subsequent communication. Where these reports fall under the Whistleblower Protection Act (HinSchG), the reports shall be subject to statutory confidentiality protection. Rest assured that we also treat confidentially reports that do not fall within the scope of the Whistleblower Protection Act. Notwithstanding, confidentiality protection does not apply ifreports contain incorrect information and this is due to intentional or grossly negligent actions on the part of the person providing the information. 

File attachments can be transmitted when submitting reports and in further communication. It is important to note that these file attachments might also contain personal data, which may have to be redacted. Reports that are submitted by email should be encrypted.

a. Data categories

The report in each case determines the categories of data we process.

When a report is submitted – provided it is not anonymous – we collect the following personal data and information from the whistleblower, the person(s) reported or the person(s) affected by the report, as well as other persons (insofar as they are included in the report, e.g. witnesses and/or third parties such as customers, suppliers, colleagues or business partners):

• contact details (if provided by you); 
• other personal data mentioned in the report such as name, membership number, business relationships, ADAC affiliation, documents (e.g. contracts, invoices), communication data;
• potential categories of data may also include particularly sensitive data within the meaning of Art. 9 GDPR.Special categories of personal data include, for example, health data or data that indicates political views and religious or ideological beliefs.  

b. Data source

We receive data that is either transmitted to us as part of a report or collected by us during awareness-raising measures. 

c. Purposes

The provision of confidential reporting channels for customers, business partners, suppliers or other third parties with a connection to ADAC Versicherung AG helps ADAC Versicherung AG to uncover and stop possible misconduct at an early stage and to avert damage of any kind to ADAC Versicherung AG.  

ADAC Versicherung AG therefore processes the personal data for the purpose of investigating the reports and does so in order to prevent or detect violations of applicable law or internal policies/guidelines and/or to take downstream measures (such as measures to verify the validity of the allegations made in the report and, if necessary, to take action against the reported violation, including through internal inquiries, investigations, prosecutions and measures to recover or seize moneys or to close the proceedings). 

ADAC Versicherung AG operates a digital complaints procedure for compliance with its legal obligations under the German Supply Chain Due Diligence Act (LkSG). This complaints procedure is part of the risk management enshrined in the LkSG and provides whistleblowers with a safe and confidential channel to report human rights and environmental risks as well as violations of human rights and environmental obligations (Section 8 LkSG). The objective is to ensure the detection and prevention of material risks and violations along the supply chain.

d. Legal bases 

Processing of reports within the scope of the Whistleblower Protection Act (HinSchG) is carried out in accordance with Art. 6(1)(c) and (3) sentence 1 GDPR in conjunction with Section 10 HinSchG (in accordance with Art. 9(2)(g) GDPR in conjunction with Section 10 sentence 2, sentence 3 HinSchG and Section 22(2) sentence 2 Federal Data Protection Act (BDSG) for special categories of personal data).  

The data contained in other reports that do not fall under the HinSchG are processed in accordance with Art. 6(1)(f) GDPR (in conjunction with Art. 9 (2) (a) GDPR for special categories of personal data). ADAC Versicherung AG has a legitimate interest in ensuring that violations of statutes, the law and internal guidelines are appropriately and swiftly remedied in order to protect ADAC Versicherung AG and its policyholders, customers and third parties from the consequences and ramifications of unlawful or improper conduct.   

Where a report concerns human rights or environmental risks or the violation of human rights or environmental obligations, personal data is processed on the basis of Art. 6(1)(c) GDPR in conjunction with Section 8 LkSG. Insofar as special categories of personal data pursuant to Art. 9 GDPR are affected, their processing is additionally carried out on the basis of Art. 9 (2) (g) GDPR in conjunction with Section 8 LkSG.  

Reports that are mistakenly sent to the whistleblower system – including complaints from members – are forwarded to the competent service unit in accordance with Art. 6(1)(f) GDPR. Our legitimate is to ensure that your request is answered as quickly as possible. Where a report containing special personal data pursuant to Art. 9(1) GDPR is mistakenly sent to the whistleblower system, processing by the competent office at ADAC shall be based on your consent. 

Art. 9(2)(f) GDPR may also provide another legal basis for all reports. ADAC Versicherung AG may process your personal data in individual cases if this is necessary in connection with the establishment, exercise or defence of legal claims by ADAC Versicherung AG.  

5. Storage period

a. Data storage in compliance with statutory retention periods

Personal data is stored inasmuch and for as long as ADAC Versicherung AG is legally obliged to do so. Relevant verification and retention obligations are enshrined in the German Commercial Code (HGB), the German Fiscal Code (AO) and the German Money Laundering Act (GWG), among others. The storage periods are up to ten years in these cases.

b.      Storage in connection with the establishment, exercise and defence of legal claims

The statutory retention obligations apply to storage in these cases.

c.      Reports

The retention period for reports within the scope of HinSchG is, as a rule, three years after conclusion of the proceedings. Documentation may be kept for longer to meet the requirements of HinSchG or other legislation, provided that doing so is necessary and proportionate. 

6. Recipients of your personal data   

ADAC transfers your personal data to the following recipients to fulfil the purposes set out in Clause 4: 

• legal counsel or competent authorities or
• ADAC Compliance Service GmbH

Information on a reported incident is transmitted insofar as this is required for or as part of the processing of reports and follow-up measures.

7. Transfer to third countries

ADAC Versicherung AG does not plan to transfer data to a third country. 

8. Existence of automated decision-making in individual cases (including profiling)

ADAC Versicherung AG does not use exclusively automated decision-making processes in accordance with Art. 22 GDPR.

9. Your data protection rights

• Right to information about your personal data stored by us pursuant to Art. 15 GDPR In particular, you may obtain information about the purposes of processing, the categories of personal data, the categories of recipients, the envisaged storage period and the origin of your data not collected directly from you;
• Right to rectification of incorrect or completion of incomplete data pursuant to Art. 16 GDPR;
• Right to erasure of your data stored by us pursuant to Art. 17 GDPR, insofar as no statutory or contractual retention periods or other statutory obligations or rights to further storage must be complied with;
• Right to restriction of processing of your personal data pursuant to Art. 18 GDPR;
• Right to data portability pursuant to Art. 20 GDPR, that is, the right to receive data that you have provided to us and that we have stored about you in a commonly used, machine-readable format or to obtain its transfer to another controller;
• Right to withdraw your consent pursuant to Art. 7 GDPR; 
• Right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement pursuant to Art. 77 GDPR. The data protection supervisory authority responsible for 
  
  ADAC Versicherung AG is the: Bavarian State Office for Data Protection Supervision (BayLDA).
  
  
• Right to object pursuant to Art. 21 GDPR to the processing of your personal data which is based on Art. 6(1)(f) GDPR or Art. 6(1)(e) GDPR, where there are grounds relating to your particular situation. Where you object, ADAC Versicherung AG will no longer process your personal data unless ADAC Versicherung AG can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is intended for the establishment, exercise or defence of legal claims.

You may submit your data protection request for exercising your rights without adherence to any formal requirements. To simplify implementation for you and us, you may contact us by email at datenschutz.ug(at)adac.de.

[As of March 2026]