Privacy Policy. Personal data processing policy.

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”).

1. Personal data controller

1.1 YDISTRI, SE, Company ID No: 071 41 998, registered office: Prague 8, Boudníkova 2506/3, Libeň, Postal Code 180 00, registered in the Commercial Register maintained by the Municipal Court in Prague, Section H Insert 2134 (hereinafter the “Controller”) hereby informs you about the processing of your personal data and your rights.

2. Scope of personal data processing

2.1 Personal data are processed to the extent that the relevant data subject has provided the personal data, in particular in connection with the conclusion of a contractual or other legal relationship with the Controller, or which the Controller has otherwise collected and processes in accordance with applicable law or to fulfil the Controller’s legal obligations.

2.2 Personal data is processed to the extent necessary in relation to the purposes set out in section 7 of this Policy.

3. Sources of personal data

3.1 Personal data is collected in the following ways:

  • directly from the data subjects who are employees of the Controller or possibly cooperating persons;
  • directly from the data subjects by phone, email, contact form, website, social media, business cards, etc.;
  • publicly accessible registers, lists and records (commercial register, trade register, land register, public telephone directory, etc.);
  • from other personal data subjects in their capacity as controllers or processors who transfer personal data for direct marketing purposes through the Controller;

4. Categories of processed personal data of the Controller’s employees and job applicants

4.1 The Controller processes the categories of personal data specified below:

  • identification data used to identify the data subject uniquely and unmistakably:
    • name and surname;
    • date of birth, personal ID number;
    • address;
    • telephone number;
    • email address;
    • banking information;
  • other data necessary for the performance of a contract;
  • data provided over and above the applicable laws processed as part of the data subject’s consent for the purpose of personnel management.

5. Categories of processed personal data of contractual partners

5.1 The Controller processes the categories of personal data specified below:

  • identification data used to identify the data subject uniquely and unmistakably:
    • name and surname or trade name;
    • identification number;
    • tax identification number;
    • registered office;
    • telephone number;
    • email address;
  • identification data of the contact person:
    • name and surname;
    • telephone number;
    • email address.

6. Categories of recipients of personal data

6.1 The Controller transfers personal data of data subjects to the following recipients, either on the basis of legal regulations or on the basis of a contractual relationship:

  • financial institutions;
  • public institutions;
  • processor/s;
  • state authorities in the performance of their statutory obligations set out by the relevant legal regulations;
  • other recipients in the event of the transfer of personal data abroad – countries outside/ EU.

7. Purpose of the processing of personal data

7.1 The Controller processes personal data for the purposes set out below:

  • compliance with legal obligations by the Controller;
  • performance of a contract;
  • negotiation on a contractual relationship;
  • the purposes contained in the data subject’s consent;
  • protection of the Controller’s rights;
  • archives maintained on the basis of legal regulations;
  • selection procedures for vacant job positions;
  • direct marketing;
  • arranging a meeting;
  • consulting and advisory services.

8. Method of processing and protection of personal data

8.1 The Controller processes personal data. The processing is carried out at the Controller’s registered office, at its premises, by individual authorised employees of the Controller or by a processor.

8.2 Processing is carried out by means of computer technology, whilst manual processing of personal data in paper form is not excluded, provided that all security principles for the management of personal data are complied with.

8.3 To this end, the Controller has taken technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers, unauthorised processing or other misuse of personal data.

8.4 All subjects to whom personal data may be disclosed shall respect the data subjects’ rights to privacy and shall comply with applicable data protection laws.

9. Period of processing of personal data

9.1 Personal data of data subjects are processed in accordance with the time limits specified in the relevant legal regulations, in the relevant contracts, in the Controller’s filing and shredding regulations, always for the time necessary to ensure the rights and obligations arising from both the relevant legal regulations and the Controller’s contractual relationship.

10. Lawfulness of the processing of personal data

10.1 The Controller processes personal data with the consent of the data subject, except in cases provided for by law where the processing of personal data does not require the consent of the data subject. In accordance with Article 6 (1) of the GDPR, the Controller may process the following data of the data subject:

  • the data subject has given consent for one or more specific purposes;
  • the processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • the processing is necessary for the purposes of the legitimate interests of the relevant controller or third party, except in cases wherein such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular if the data subject is a child.

11. Rights of data subjects

11.1 In accordance with Article 12 of the GDPR and in conjunction with Article 15 of the GDPR, the Controller shall, at the request of the data subject, inform the data subject of the right of access to personal data and to the following information:

  • the purpose of processing,
  • the category of relevant personal data,
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed,
  • the planned period for which the personal data will be stored,
  • all available information on the source of the personal data,
  • unless obtained from the data subject, whether automated decision-making, including profiling, takes place.

11.2 Any data subject who becomes aware of or believes that the Controller or processor is processing his or her personal data contrary to the protection of the private and personal life of the data subject or contrary to law, in particular if the personal data are inaccurate with regard to the purpose of the processing, may:

  • request the Controller to provide an explanation;
  • request the Controller to rectify the situation, which may include blocking, correcting, supplementing or deleting the personal data;
  • if the data subject’s request under paragraph 1 is found to be justified, the Controller shall remedy the defective condition without delay;
  • if the Controller does not comply with the data subject’s request pursuant to paragraph 1, the data subject shall be entitled to directly contact the supervisory authority, i.e., the Office for Personal Data Protection;
  • the procedure referred to in paragraph 1 shall not preclude the data subject from bringing his or her complaint directly to the supervisory authority;

11.3 The data subject shall be entitled to obtain personal data relating to him or her provided by the Controller in a structured, commonly used and machine-readable format, and the right to transfer such data to another controller.

11.4 The Controller shall provide the data subjects with the requested information without undue delay, at the latest within one month of receipt of the request. This time limit may be extended by a further two months, taking into account the complexity and number of requests, and the data subject must be informed thereof.

11.5 The Controller shall provide the data subject with all the requested information in a concise, transparent, comprehensible and easily accessible manner using clear and simple means. The Controller shall do so free of charge.

12. How to exercise your rights

12.1 You can contact the Controller:

  • by e-mail:
  • via the addresses of the Controller referred to in Section 1 of this Policy.