
detoate2 63 views 11 slides Jul 06, 2024



Slide Content

Slide 1: General Data Protection Regulation (GDPR)
Mircea Bozga, March 2017
www.pwc.ro

Slide 2: GDPR: basic information you need to know (March 2017)

GDPR applies to:
- each employer in the EU;
- each company offering products and/or services to individuals in the EU and monitoring their behaviour, whether or not the company has its headquarters in the EU;
- all companies that process personal data of EU citizens on behalf of other companies.
New: the focus is on EU citizens rather than on EU companies.

GDPR: when does it start?
We are currently in the transition period, set up so that businesses can fully implement the regulation, which will be fully applicable from 25 May 2018. The transition period is an opportunity to ensure compliance with GDPR in the legal, technology and security areas. GDPR will not apply until 25 May 2018; however, as it contains some onerous obligations, many of which will take time to prepare for, it has an immediate impact.

GDPR: significant fines
New: violating the regulation may result in financial penalties of 20 M euro or 4% of global turnover.

Personal data: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly.
New: location, online identifiers, genetic and biometric data.

Personal data processing refers to: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Specific risk: profiling, processing sensitive personal data, biometric and CCTV monitoring on a large scale.

Slide 3: General Data Protection Regulation (GDPR): why needed (March 2017)

Timeline:
- 1998 - 2018: Directive 95/46/EC; Romania: Law 677/2001
- 2016 - 2018: transition period for ensuring GDPR compliance
- 25.05.2018: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data becomes applicable

- Driven by technology: in 1995 the World Wide Web had 15 M users, versus 50% of the global population today.
- Most lobbied regulation in the history of the European Parliament, with 4,000 amendments.
- Protection of personal data is a fundamental right; citizens do not always feel in control of their personal data.

Slide 4: Personal data is valuable: thus the increasing number of cyberattacks (March 2017)

- Wire scams: break into a sales agent's or client's email, learn about a future transaction and ask for payment to a different bank account.
- Identity theft: steal clients' bank accounts, IDs, etc.
- Use of your systems to access others: the liability risk is exponential, as it is not contained to your information only.
- Last but not least, physical access to sites: physical access remains an issue in Romania.
- Internet of Things: IoT – take ownership of CCTV or even TVs, sprinklers, air conditioning, etc. – some may include personal information such as ownership, images, geolocation, etc.

Slide 5: Do you have a complete view of the data you hold and use? (March 2017)

Areas shown on the slide: Agents, Daily operations, Sales support function, Backoffice.

Data flows and processing activities:
- Acquisition of customer data and the customer's consent to the use of the data
- Usage of omnichannel to build a relationship with the customer (customer profiling)
- The flow of customer data within the organisation to handle current contracts, complaints, debt collection, invoicing and settlements
- The flow of data to external partners (outsourced services such as lawyers, property management related services such as physical security, etc.)
- Data processing in IT systems
- Analysis of customer data for risk assessment and development of new products (Big Data)
- Customer profiling and preparation of dedicated marketing campaigns (Marketing)
- Acquiring new partners / suppliers in the procurement process
- Assessment of operational risk (Risk)
- Ensuring compliance of the organisation with GDPR (Compliance)
- Audit of internal processes
- Security of own employees' and associates' data against leakage (HR and Safety)

Slide 6: GDPR compliance: what it means for business (March 2017)

- Adjusting business processes
- Change of organisational procedures in the company
- Review of IT systems
- Review of agreements
- Adjusting data deletion procedures
- Data transfers
- Retention of data
- Ban on modelling and designing without including GDPR rules
- Necessity of informing clients on how their data will be processed

Timeline (repeated from the earlier slide):
- 1998 - 2018: Directive 95/46/EC; Romania: Law 677/2001
- 2016 - 2018: transition period for ensuring GDPR compliance
- 25.05.2018: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data becomes applicable

Slide 7: Why it's not easy to confirm compliance: 20 + 1 activities you need to consider (March 2017)

The "+1": Project Management

1. Personal data mapping and inventory
2. Records of processing activities
3. Privacy Impact Assessment
4. Privacy by Design
5. Privacy by Default
6. Retention of personal data
7. Profiling
8. Notification and detection of personal data breaches
9. Verification of a data processor
10. Data processing agreements
11. Legal grounds for personal data processing
12. Notification obligation
13. Interaction with data subjects
14. Transfer of personal data to third countries
15. Personal data security
16. Data protection policies
17. Training, organisation, communication
18. Consultation with the supervisory authority
19. Pseudonymisation
20. Post-implementation GDPR improvement

Slide 8: Our view of the top 5 main operational issues in Real Estate (March 2017)

1. Identify data and obtain consent: may prove to be complex tasks. Similar for erasing (right to be forgotten).
2. Prove compliance: document procedures, but also risk assessments, privacy audits, etc.
3. Getting it right from the beginning: collecting, retaining and sharing personal data built into products and processes.
4. Being a supplier: liability arises not only through contract but also through GDPR.
5. Handle failure: breaches must be reported within 72 hours.

Slide 9: Pulse survey in the USA (March 2017)

PwC recently conducted a pulse survey of 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies with more than 500 employees.

Information security enhancement is a top GDPR initiative:
- Among the 23% of survey respondents who haven't started preparing for GDPR, the top priorities are data discovery, information security enhancement, third-party risk management and GDPR gap assessment.
- Among the 71% who have begun GDPR preparation, the most-cited initiatives in flight are information security, privacy policies, GDPR gap assessment and data discovery.
- Among the 6% who have completed GDPR preparations, the most-cited projects are information security, GDPR gap assessment, data discovery and third-party risk management.

54% of the US multinationals say GDPR is at the top of their data protection agenda.
77% plan to spend $1 million or more on GDPR.

Slide 10: How PwC can help

As a multi-disciplinary practice, we are uniquely placed to help our clients adjust to the new environment. Our data protection team includes lawyers, security consultants, auditors, risk specialists, forensics experts and strategists. Our team is global, with on-the-ground expertise in all the major EU economies.

Compliance requirement: professional services skills required
- Accountability and Privacy by Design: trainings, gap assessment, legal and security advice, compliance programme design, controls and assurance
- Privacy Impact Assessments: risk assessment services
- Privacy audit: audit services
- Breach disclosure: incident response and legal services
- Regulatory supervision: legal services and supporting expert professional services

Slide 11: Thank you!

This publication has been prepared for general guidance on matters of interest only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2017 PwC. All rights reserved. Not for further distribution without the permission of PwC. "PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.