Data Processing Agreement (Pakistan)

DATA PROCESSING AGREEMENT

Governed by the Prevention of Electronic Crimes Act 2016 | Personal Data Protection Bill Framework | Anti-Money Laundering Act 2010

THIS DATA PROCESSING AGREEMENT ("Agreement") is made at [Agreement City] on [Agreement Date].

BETWEEN:

[Controller Name], SECP/NTN: [Controller SECP], registered at [Controller Address], represented by [Controller Representative] ("Data Controller");

AND

[Processor Name], SECP/NTN: [Processor SECP], registered at [Processor Address], represented by [Processor Representative] ("Data Processor").

1. SCOPE AND PURPOSE OF PROCESSING

1.1 Categories of Personal Data: [Data Categories]

1.2 Purpose of Processing: The Data Processor shall process the above personal data exclusively for the following purposes on the Data Controller's instructions: [Processing Purpose]

1.3 Duration: [Processing Duration]

1.4 Sub-Processors: [Sub Processors]

2. DATA PROCESSOR OBLIGATIONS

The Data Processor shall:

  • Process personal data only on documented instructions from the Data Controller
  • Implement appropriate technical and organisational security measures to protect personal data from unauthorised access, loss, or destruction — including encryption, access controls, and audit logging
  • Not transfer personal data outside Pakistan without prior written consent of the Data Controller and compliance with SBP data localisation requirements
  • Notify the Data Controller within 48 hours of becoming aware of any personal data breach
  • Assist the Data Controller in responding to data subject rights requests (access, correction, deletion)
  • Delete or return all personal data to the Data Controller upon termination of this Agreement
  • Make available all information necessary to demonstrate compliance and permit audits by the Data Controller or designated auditor
  • Ensure all personnel with access to personal data are bound by confidentiality obligations

3. SECURITY AND DATA BREACH

3.1 The Data Processor shall implement security measures meeting the standards prescribed under the Prevention of Electronic Crimes Act 2016 (PECA 2016), the SBP's Cyber Security Framework for Banks and MFBs (where applicable), and the SECP's technology security guidelines.

3.2 In the event of a personal data breach, the Processor shall notify the Controller within 48 hours and cooperate fully with any investigation by the Federal Investigation Agency (FIA) Cybercrime Wing or other competent authority.

4. LIABILITY AND GOVERNING LAW

4.1 The Data Processor shall indemnify the Data Controller against all losses, claims, fines, and penalties arising from the Processor's breach of this Agreement or the applicable data protection laws of Pakistan.

4.2 This Agreement is governed by the laws of Pakistan. Disputes shall be resolved by arbitration under the Arbitration Act 1940 in [Agreement City], or by the competent courts at [Agreement City].

IN WITNESS WHEREOF the parties have executed this Agreement on [Agreement Date] at [Agreement City].

Data Controller — Authorised Signatory

________________

Signature

Data Processor — Authorised Signatory

________________

Signature

Witness

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Processing Agreement (Pakistan)?

A Data Processing Agreement in Pakistan governs the arrangement between a data controller and the data processor that handles personal data on its behalf, and sets the conditions under which that processing may take place.

The Prevention of Electronic Crimes Act 2016 (PECA 2016, Act No. XL of 2016) is the foundational statute governing data security and cybercrime in Pakistan, administered by the Federal Investigation Agency (FIA) Cybercrime Wing and the Pakistan Telecommunication Authority (PTA). Section 16 of PECA 2016 criminalises unauthorised interception of data. Section 17 of PECA 2016 prohibits unlawful data interference. Section 18 of PECA 2016 creates the offence of misuse of electronic systems. These provisions apply to data processors who handle personal data on a controller's behalf — a processor who misuses or inadequately protects the data entrusted to them faces criminal liability under PECA 2016 in addition to contractual liability under the Data Processing Agreement.

The Personal Data Protection Bill (PDPB), which Pakistan has been developing in alignment with the European Union's General Data Protection Regulation (GDPR) and the OECD Privacy Guidelines, is expected to introduce mandatory Data Processing Agreements for all controller-processor relationships involving personal data of Pakistani data subjects. The PDPB's draft provisions require that every arrangement under which a processor processes data on behalf of a controller be governed by a written contract binding the processor to process data only on the controller's instructions, to implement appropriate security measures, to assist with data subject rights requests, to notify the controller of data breaches, and to delete or return data at the end of the contract. Until the PDPB is enacted, Data Processing Agreements derive their legal force from the Contract Act 1872 and the applicable sector-specific regulations.

The State Bank of Pakistan (SBP) imposes specific requirements on banks and financial institutions regarding third-party arrangements involving data processing. The SBP's Outsourcing Policy for Financial Institutions and the SBP's Cyber Security Framework for Banks and Microfinance Banks (MFBs) require financial institutions to execute written agreements with all service providers that process customer financial data — including cloud computing providers, data analytics firms, payment processors, and credit bureau reporting services. These agreements must address data localisation (SBP requires that financial data of Pakistani customers be stored on servers located within Pakistan), data security standards, incident response, and audit rights. The SBP's supervisory reviews include assessment of banks' third-party data processing agreements.

The Securities and Exchange Commission of Pakistan (SECP) similarly requires that companies, insurance companies, and capital market intermediaries regulated under the Companies Act 2017, the Insurance Ordinance 2000, and the Securities Act 2015 execute data processing agreements with technology vendors and outsourcing partners handling client data. The SECP's Technology Risk Management Guidelines and the Insurance Regulatory and Development Authority (IRDA) equivalent guidelines both require documented processor agreements as part of enterprise risk management.

The Anti-Money Laundering Act 2010 (AML Act 2010) and the Counter-Financing of Terrorism (CFT) requirements administered by the Financial Monitoring Unit (FMU) of the Ministry of Finance impose data retention and security obligations on all reporting entities — banks, insurance companies, real estate agents, lawyers, and accountants — and on the service providers to whom they outsource AML/CFT screening and transaction monitoring functions. Data processing agreements with AML screening vendors must address the security, confidentiality, and cross-border transfer restrictions applicable to AML/CFT data under the AML Act 2010 and the FMU's regulations.

The Securities and Exchange Commission of Pakistan (SECP) under the Companies Act 2017 and the Insurance Ordinance 2000 has issued Technology Risk Management (TRM) Guidelines that require SECP-regulated entities to maintain written agreements with all technology vendors who process personal data on their behalf. The SECP's TRM Guidelines align with international standards including ISO 27001 Information Security Management System and the NIST Cybersecurity Framework. The SECP can inspect processor agreements and associated security documentation during its regulatory examinations of licensed entities, and non-compliance can result in regulatory sanctions under the Securities Act 2015.

When Do You Need a Data Processing Agreement (Pakistan)?

A Data Processing Agreement in Pakistan is required whenever a data controller engages a third-party service provider — a vendor, consultant, cloud computing provider, outsourcing partner, or technology company — to process personal data of the controller's customers, employees, or other data subjects on the controller's behalf.

A Data Processing Agreement is needed when a bank regulated by the State Bank of Pakistan (SBP) engages a third-party cloud computing provider — such as a local data centre or an international cloud service provider — to host customer financial data, transaction records, or know-your-customer (KYC) documentation. The SBP's Outsourcing Policy and Cyber Security Framework require a written data processing agreement with all cloud providers before any customer data is transferred to the provider's infrastructure.

A Data Processing Agreement is required when a company registered with the Securities and Exchange Commission of Pakistan (SECP) under the Companies Act 2017 engages a payroll processing firm to manage employee salary calculations, FBR income tax withholding under the Income Tax Ordinance 2001, and EOBI contribution reporting under the EOBI Act 1976. The payroll processor handles sensitive employee personal data — salaries, CNIC numbers, bank account details, NTN numbers — and must be bound by a data processing agreement.

A Data Processing Agreement is needed when a healthcare organisation — a hospital, diagnostic laboratory, or telemedicine platform — engages a health informatics company or electronic medical records (EMR) software provider to process patient health data. Health data is among the most sensitive categories of personal data under the PDPB framework, and the Pakistan Medical and Dental Council (PMDC) Code of Ethics requires healthcare providers to confirm patient data confidentiality through written agreements with all service providers.

A Data Processing Agreement is required when an e-commerce or digital payments company registered in Pakistan engages a payment gateway provider (such as 1Link, PayPak, JazzCash, or Easypaisa infrastructure providers) to process customer payment card data, mobile wallet transactions, or online purchase records. PTA-regulated payment service providers must confirm that sub-processors handling payment data are bound by data processing agreements meeting the applicable security standards.

A Data Processing Agreement is needed when a company outsources its customer service, call centre, or data entry operations to a Business Process Outsourcing (BPO) firm that will have access to the company's customer database — including names, contact details, order histories, and financial information. The BPO firm processes this data on behalf of the company and must be contractually bound to protect it.

A Data Processing Agreement is required when a law firm, accounting firm, or management consulting firm engaged to provide professional services has access to a client's employee or customer personal data as part of the service — the professional firm is a data processor for these purposes and the engagement letter should be supplemented by a data processing agreement.

A Data Processing Agreement is required when a SECP-registered company or fund manager uses a portfolio management software provider or investment analytics platform that processes investor personal data — CNIC numbers, financial profiles, investment holdings — as part of its service delivery under the SECP's Investment Advisers Regulations 2017.

A Data Processing Agreement is needed when a Pakistani insurance company regulated under the Insurance Ordinance 2000 engages a claims processing company, actuarial firm, or fraud detection vendor that will access policyholder personal data — health records, claims history, financial information — as part of the service. The insurance industry's data sensitivity and the SECP's insurance data confidentiality requirements make Data Processing Agreements mandatory for all insurance data processors.

What to Include in Your Data Processing Agreement (Pakistan)

A valid Data Processing Agreement in Pakistan under the Prevention of Electronic Crimes Act 2016 and the Personal Data Protection Bill framework must contain the following essential elements to effectively bind the data processor and protect the data controller's legal position.

Party Identification: Full legal names, SECP company registration numbers, National Tax Numbers (NTN) issued by FBR, and registered addresses of both the data controller and the data processor. For international processors — cloud providers or BPO firms with operations outside Pakistan — the registered address in Pakistan and the address of the entity providing the services must both be stated. The authorised representatives of each party who are executing the agreement must be identified with their designations and authority (board resolution under Section 176 of the Companies Act 2017 for company signatories).

Scope of Processing: A precise description of (i) the categories of personal data to be processed — names, CNIC numbers, financial data, health data, biometric data; (ii) the categories of data subjects whose data will be processed — customers, employees, patients, users; (iii) the nature of the processing operations — collection, storage, analysis, transmission, deletion; (iv) the specific purpose(s) for which the data is processed — payroll processing, credit scoring, customer analytics; and (v) the duration of the processing relationship. Specificity in scope prevents scope creep and limits the processor's authority.

Processor Obligation to Follow Instructions: The central obligation — the processor shall process personal data only on the documented instructions of the controller and shall not process the data for any purpose other than those specified. Any processing beyond the controller's instructions requires prior written authorisation from the controller, except where Pakistani law requires the processor to process the data (in which case the processor must inform the controller before processing unless the law prohibits notification).

Data Security Measures: The processor's obligation to implement appropriate technical and organisational security measures to protect personal data against unauthorised access, accidental loss, destruction, or alteration. The agreement should specify minimum security standards — encryption of data at rest and in transit, access controls and authentication, audit logging, vulnerability assessment, and penetration testing — calibrated to the sensitivity of the data and consistent with the SBP's Cyber Security Framework, SECP's Technology Risk Management Guidelines, and PECA 2016 Section 18 requirements.

Data Localisation: For processors handling financial data of Pakistani customers on behalf of bank or NBFC controllers, the agreement must confirm that all data will be stored and processed on servers physically located in Pakistan, in compliance with the SBP's data localisation requirements. Cross-border data transfers are prohibited without SBP approval and the controller's written consent.

Sub-Processing Restrictions: The processor must not engage sub-processors to handle the personal data without the controller's prior written approval. Where sub-processors are pre-approved, they must be listed by name and be bound by data protection obligations equivalent to those in the main Data Processing Agreement. The processor remains liable to the controller for sub-processor breaches.

Data Breach Notification: The processor's obligation to notify the controller within a specified timeframe — 24 to 48 hours is the PDPB draft standard — upon becoming aware of a personal data breach. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. The processor must cooperate with the controller in notifying the FIA Cybercrime Wing under PECA 2016 Section 43 and any sector regulator (SBP, SECP, or PMDC) as required.

Data Subject Rights Assistance: The processor's obligation to assist the controller in responding to data subject rights requests — particularly rights of access, correction, and withdrawal of consent — within the timeframes specified by the PDPB framework. The processor must not respond directly to data subject requests without the controller's authorisation.

Audit Rights: The controller's right to audit the processor's data processing activities, security measures, and compliance with the agreement — either through the controller's own personnel or through a designated independent auditor. Audit rights must include access to the processor's premises, systems, and records related to the processing. The processor must cooperate fully with audits and provide all information necessary to demonstrate compliance.

Data Return or Deletion: Upon termination of the agreement or the controller's instruction, the processor must promptly return all personal data to the controller in a usable format and delete all copies — or, if return is technically impossible, certify their deletion. The processor must not retain personal data beyond what is necessary for the stated purpose, subject to any mandatory retention periods imposed by Pakistani law (for example, the five-year minimum under the AML Act 2010 for financial transaction data).

Forms-legal.com provides this Data Processing Agreement (Pakistan) template as a practical starting point for organisations implementing data governance frameworks. The template reflects the requirements of the Prevention of Electronic Crimes Act 2016, the Personal Data Protection Bill framework, the SBP's Outsourcing Policy and Cyber Security Framework, and the SECP's Technology Risk Management Guidelines. Legal advice from a qualified Advocate specialising in technology and data law, enrolled at the Islamabad, Lahore, Sindh, or Peshawar Bar Council, is recommended for agreements involving sensitive data categories or international data transfers.

Under the Companies Act 2017, the Securities and Exchange Commission of Pakistan (SECP) maintains the register of Pakistani companies. Section 16 of the Companies Act 2017 governs company incorporation. The Contract Act 1872 governs general contractual obligations. The Federal Board of Revenue (FBR) administers corporate tax under the Income Tax Ordinance 2001. The High Courts (Lahore, Sindh, Peshawar, Balochistan, Islamabad) have original and appellate jurisdiction.


Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.