1. Purpose
This Addendum applies where a supplier, consultant, partner, bank, investor, adviser or other third party receives access to data, documents or files from or in connection with RBC Real Estate Ltd.
2. Protected Data
Protected Data means all information received, accessed, stored or generated in connection with RBC Real Estate Ltd, its clients, projects or mandates, including personal data, project files, financial documents, bank documents, KYC/AML data, beneficial ownership information, contracts, term sheets, mandates, financial models, permits, studies, access data, logs, metadata and copies.
3. Main Prohibition
No third party may access, use, store, copy, analyse, transmit, disclose, publish, modify, combine, delete, archive or process Protected Data without the prior written approval of RBC Real Estate Ltd.
4. Conditions for Authorisation
RBC Real Estate Ltd may authorise a third party only if:
- there is a clear, documented and legitimate purpose;
- access is necessary;
- the third party is identified and assessed;
- an NDA, DPA or equivalent contract is signed;
- written RBC instructions are followed;
- appropriate security measures exist;
- data is not used for the third party's own purposes; and
- no onward transfer or sub-processing occurs without written approval.
5. Mandatory Security
- Role-based access control and strong authentication.
- Encryption in transit and, where possible, at rest.
- Access logs and traceability.
- Separation of clients and projects.
- Contractual confidentiality for personnel.
- Secure backup and incident-response procedure.
- Deletion or return at the end of the mandate.
- No AI training, scoring, marketing, resale or profiling without separate written approval.
6. Processor Obligations
Where a third party acts as a processor under GDPR, it may process personal data only on documented instructions from RBC Real Estate Ltd, only for the approved purpose and duration, under confidentiality obligations, with appropriate technical and organisational measures, and with assistance for data-subject rights, breach response, audits and compliance documentation.
7. Sub-Processors
A processor may not engage another processor without prior written, specific or general authorisation from RBC Real Estate Ltd. Any approved sub-processor must be subject to the same data-protection obligations, and the initial processor remains liable for the sub-processor's acts and omissions.
8. International Transfers
Protected Data may not be transferred outside the European Economic Area or to an international organisation without the written approval of RBC Real Estate Ltd. Personal data transfers must comply with GDPR Chapter V and may require an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, transfer impact assessment, supplementary safeguards or a lawful derogation.
9. Incident Notice
Any third party that suspects or discovers unauthorised access, loss, disclosure, alteration, unavailability or security breach must notify RBC Real Estate Ltd without undue delay and preferably within 24 hours. The notice should include the nature of the incident, affected data, affected persons or projects, period, measures taken, estimated risk and contact person.
10. Return and Deletion
At the request of RBC Real Estate Ltd or upon termination of the mandate, the third party must return or delete all Protected Data, including copies, backups and extracts, unless retention is required by law. Written deletion confirmation may be required.
11. Recommended Contract Clause
"The Third Party confirms that it shall not access, use, store, copy, disclose, transfer, combine, analyse or process, directly or indirectly, any data, information or document received from or in connection with RBC Real Estate Ltd without the prior written approval of RBC Real Estate Ltd. Any approved processing shall be carried out strictly in accordance with the written instructions of RBC Real Estate Ltd, under confidentiality, security, traceability, no-own-use and no-unauthorised-sub-processing obligations. In the case of personal data, the Third Party shall comply with GDPR, Romanian Law 190/2018 and all applicable international rules, including international-transfer rules."