1. Purpose
This Policy is drafted in accordance with Regulation (EU) 2016/679 (GDPR), Romanian Law No. 190/2018, the ePrivacy Directive, OECD international privacy principles and applicable international-transfer rules.
2. Controller
Controller: RBC Real Estate Ltd. Contact: office@rbcrealestate.ro | +40 755 200 917. Registered office, registration number and privacy/DPO contact should be completed in accordance with the company's official corporate records before publication.
3. Categories of Personal Data
RBC Real Estate Ltd may process identification data, contact data, website form data, project-file data, corporate and financial documents, real estate documents, bank documents, KYC/AML data, beneficial-owner information, source-of-funds information, sanctions and PEP screening data, technical logs, correspondence and review notes.
Users should not submit special-category data, medical data, biometric data, criminal-offence data or children's data unless strictly necessary and supported by an appropriate lawful basis.
4. Data Sources
Data may come from the website form, direct communications by email, phone or WhatsApp, uploaded files, client representatives, public registers, commercial databases, banks, investors, consultants, authorised institutions and compliance screening tools, where applicable.
5. Purposes of Processing
- Responding to website and project requests.
- Initial project analysis and eligibility review.
- Preparation of mandates, NDAs, DPAs, term sheets or contracts.
- Business advisory, management consulting, real estate review, project-readiness review and financing documentation.
- KYC/AML, sanctions, beneficial ownership, PEP, source-of-funds and anti-bribery checks.
- Coordination with third parties authorised by RBC Real Estate Ltd.
- Website security, fraud prevention and defence of legal rights.
6. Lawful Bases
Lawful bases may include performance of a contract or pre-contractual steps, legal obligations, legitimate interests, consent where required by law, and establishment, exercise or defence of legal claims. Consent may be withdrawn at any time without affecting prior lawful processing.
7. Third-Party Processing Rule
Data administered by RBC Real Estate Ltd may not be processed by third parties without the prior written approval of RBC Real Estate Ltd.
No third party may access, copy, store, transmit, analyse, use, combine, disclose or process personal data or project documents unless all of the following are in place: written RBC authorisation, a documented purpose, written instructions, confidentiality obligations, a DPA where applicable, appropriate technical and organisational measures, no-own-use restrictions and a prohibition on onward transfer without written approval.
8. Recipients
Data may be disclosed only where necessary and authorised to internal personnel, authorised collaborators, IT/hosting/email/security providers, lawyers, auditors, consultants, accountants, technical experts, banks, investors, funds, public companies, DFI/ECA routes, financial institutions, public authorities and processors approved in writing.
RBC Real Estate Ltd does not sell personal data and does not allow third parties to use it for marketing, AI training, profiling, scoring or their own purposes without a lawful basis and separate written approval.
9. International Transfers
Where data must be transferred outside the European Economic Area, the transfer may occur only with a valid mechanism, such as an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, transfer impact assessment, supplementary security measures and written RBC approval, where required.
10. Retention
Data is retained only as long as necessary. General requests without a mandate may be retained for up to 24 months from the last communication. Active mandates, contractual, tax, KYC/AML and security records may be retained according to contract, law and internal policy. Final periods must be established by RBC Real Estate Ltd with legal and compliance review.
11. Security
RBC Real Estate Ltd should apply appropriate technical and organisational measures, including role-based access, strong passwords, multi-factor authentication where possible, encryption in transit and where possible at rest, project separation, restricted access, secure backup, deletion procedures, confidentiality training, third-party assessment and incident response.
12. Data Subject Rights
Data subjects may have rights of access, rectification, erasure, restriction of processing, data portability, objection, withdrawal of consent and complaint to a supervisory authority under GDPR conditions.
Privacy requests: office@rbcrealestate.ro or a dedicated privacy address to be completed. Romanian authority: National Supervisory Authority for Personal Data Processing - https://www.dataprotection.ro
13. Security Incidents
In the event of a security incident affecting personal data, RBC Real Estate Ltd will assess risk, contain the incident, document the event and notify the authority or data subjects where required by law. Authorised third parties must notify RBC Real Estate Ltd without undue delay and preferably within 24 hours.
14. Changes
This Policy may be updated. The current version should be published on the website and identified by the date of last update.
15. Legal Sources
- Regulation (EU) 2016/679 - GDPR.
- Romanian Law No. 190/2018.
- ePrivacy Directive 2002/58/EC.
- European Commission Standard Contractual Clauses.
- EDPB guidance on international transfers.
- OECD Privacy Principles.