Privacy Policy (Pakistan)
Privacy Policy
PRIVACY POLICY
[Company Name] ("we", "us", "our"), with registered office at [Company Address], operates [Website URL] (the "Platform"). This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the Prevention of Electronic Crimes Act 2016 (PECA) and the Electronic Transactions Ordinance 2002.
Effective Date: [Effective Date]
Privacy Contact: [Privacy Email]
1. Personal Data We Collect
We collect the following categories of personal data: [Data Types Collected] Some data is collected automatically when you use the Platform (e.g. IP address, device identifiers, browser type) via cookies and similar technologies. Other data is collected directly from you when you register, place an order, or contact us.
2. Purposes of Processing
We process your personal data for the following purposes: [Purposes Of Processing] We process personal data only for the purposes stated above and will not use it for incompatible purposes without your prior consent or a lawful basis under applicable Pakistani law.
3. Data Sharing
We may share your personal data with: [Third Party Sharing] We do not sell your personal data to third parties. We share data with government authorities (FIA, PTA, FBR, SBP) only where required by applicable law, including the Prevention of Electronic Crimes Act 2016 and the Pakistan Telecommunication (Re-organisation) Act 1996.
4. Data Retention
We retain your personal data for [Retention Period], after which it is securely deleted or anonymised. Financial records may be retained for six years in compliance with Section 174 of the Income Tax Ordinance 2001 and SBP AML/CFT Regulations.
5. Your Rights
You have the right to:
a) Access your personal data held by us;
b) Request correction of inaccurate data;
c) Request deletion of your data where we have no lawful basis to retain it;
d) Withdraw consent to data processing at any time (without affecting the lawfulness of prior processing);
e) Lodge a complaint with the Pakistan Telecommunication Authority (PTA) or the Federal Investigation Agency (FIA) Cyber Crime Wing.
To exercise any of these rights, contact us at [Privacy Email]. We will respond within 30 days.
6. Cookies
We use [Cookie Types] on the Platform. Essential cookies are necessary for the Platform to function and cannot be disabled. You may disable non-essential cookies through your browser settings, though this may affect your experience. We obtain your consent for non-essential cookies through a cookie consent banner on your first visit.
7. Security
We implement technical and organisational security measures — including SSL/TLS encryption, access controls, and regular security assessments — to protect your personal data against unauthorised access, loss, or misuse, consistent with our obligations under the Prevention of Electronic Crimes Act 2016 and SBP's Cyber Security Framework (for financial services providers).
8. Data Breach Notification
In the event of a personal data breach affecting your rights and freedoms, we will notify affected users and the relevant regulatory authority (PTA, SBP, or SECP as applicable) without undue delay and in any event within 72 hours of becoming aware of the breach.
9. Policy Updates
We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email and by prominent notice on the Platform at least 14 days before the change takes effect. Continued use of the Platform after notification constitutes acceptance of the updated Privacy Policy.
10. Governing Law
This Privacy Policy is governed by the laws of Pakistan, including the Prevention of Electronic Crimes Act 2016 and the Electronic Transactions Ordinance 2002. Disputes shall be subject to the jurisdiction of the courts of [Governing City].
Authorised Representative
________________
Signature
What Is a Privacy Policy (Pakistan)?
A Privacy Policy in Pakistan sets out the rules the organisation expects to be followed and the standards against which conduct will be judged.
Section 3 of the Prevention of Electronic Crimes Act 2016 criminalises unauthorised access to information systems, and Section 5 prohibits unauthorised copying or transmission of critical data. Section 10 of PECA addresses data privacy violations involving electronic communication — making it an offence to obtain, transmit, or use electronic data without authorisation. Businesses that collect personal data of Pakistani citizens through websites, mobile applications, or digital platforms are directly subject to PECA's data protection obligations, making a thorough Privacy Policy both a legal requirement and a trust signal for users.
The Personal Data Protection Bill (PDPB) — which Pakistan has been working to enact since 2018 and which mirrors principles of the European Union's General Data Protection Regulation (GDPR) — is expected to introduce thorough data protection obligations including mandatory data collection consent, data subject rights (access, correction, deletion), data breach notification requirements, and the appointment of a Data Protection Officer (DPO). Although the PDPB has not yet been enacted as at 2025, businesses in Pakistan preparing Privacy Policies compliant with PECA are advised to adopt PDPB-aligned practices in anticipation of enactment.
The Pakistan Telecommunication Authority (PTA), operating under the Pakistan Telecommunication (Re-organisation) Act 1996, regulates the collection and use of personal data by telecom operators, internet service providers (ISPs), and digital platforms. The PTA's Removal and Blocking of Unlawful Online Content (Procedure, Oversight and Safeguards) Rules 2021 require digital platforms operating in Pakistan to establish a local representative and comply with PTA data-sharing directions. Social media platforms, e-commerce operators, and fintech companies regulated by the State Bank of Pakistan (SBP) under the Electronic Money Institutions Regulations 2019 must maintain Privacy Policies disclosing their data practices.
The Electronic Transactions Ordinance 2002 (ETO) provides the legal framework for electronic contracts and digital signatures in Pakistan and implicitly recognises the validity of electronically published Privacy Policies accepted by users via website click-through agreements. Section 2(f) of the Electronic Transactions Ordinance 2002 defines an electronic document to include any information generated, communicated, received, or stored in electronic form, and a Privacy Policy published on a website satisfies this definition.
For financial institutions — including commercial banks, microfinance banks, and electronic money institutions regulated by the State Bank of Pakistan (SBP) — the SBP's Consumer Protection Framework 2022 and Prudential Regulations require clear disclosure of data collection and sharing practices in consumer-facing documents, including Privacy Policies. The Securities and Exchange Commission of Pakistan (SECP), which regulates insurance companies, non-banking financial companies (NBFCs), and capital market intermediaries, similarly requires data protection disclosures in customer-facing documents.
A Privacy Policy for Pakistan that is drafted in compliance with PECA 2016 and the Electronic Transactions Ordinance 2002, and in anticipation of the PDPB, provides Pakistani businesses with a defensible position before the FIA Cyber Crime Wing, the PTA, the SBP, and the SECP in the event of a data privacy complaint or regulatory investigation. Forms-legal.com users in Pakistan should publish this Privacy Policy in their website's footer and link to it from all data collection forms.
When Do You Need a Privacy Policy (Pakistan)?
A Privacy Policy is required for every business, website, and mobile application in Pakistan that collects, processes, or stores personal data of users, customers, or employees, in compliance with the Prevention of Electronic Crimes Act 2016 and the Electronic Transactions Ordinance 2002.
A Privacy Policy is needed for e-commerce platforms — whether registered as companies with SECP under the Companies Act 2017 or as sole proprietorships — that collect customers' names, addresses, CNIC numbers, payment card information, and purchase history through their websites or mobile applications.
A Privacy Policy is required for fintech companies and electronic money institutions (EMIs) regulated by the State Bank of Pakistan (SBP) under the EMI Regulations 2019, mobile banking applications operated by commercial banks under SBP licensing, and digital lending platforms regulated by SECP under the NBFC (Non-Banking Finance Companies) Regulations.
A Privacy Policy is needed for social media platforms, content creators, and digital marketing agencies that collect user data for targeted advertising, analytics, and customer profiling in Pakistan, given the PTA's authority under the Removal and Blocking of Unlawful Online Content Rules 2021.
A Privacy Policy is required for healthcare providers, telemedicine platforms, and health-tech companies that collect patients' medical records, health data, and CNIC information — categories of sensitive personal data requiring heightened protection under PECA 2016 and in anticipation of the Personal Data Protection Bill.
A Privacy Policy is needed for educational institutions, ed-tech platforms, and online learning providers that collect students' personal data, academic records, and parental information — particularly data of minors (under 18 years) — where additional consent requirements apply under Pakistani law.
A Privacy Policy is required for employers and HR departments that collect and process employees' personal data — including CNIC, biometric data for attendance systems, salary details, and medical records — in compliance with PECA 2016 and the SBP's cybersecurity framework for financial institutions.
A Privacy Policy is needed for any Pakistani business that transfers personal data outside Pakistan's borders — to cloud servers, offshore service providers, or foreign parent companies — as cross-border data transfers attract regulatory scrutiny under the PTA's data localisation guidelines.
Parties in Pakistan should publish the Privacy Policy prominently on their website and application before launching data collection activities, and update it whenever there is a material change in data processing practices.
What to Include in Your Privacy Policy (Pakistan)
A valid Privacy Policy for Pakistan under the Prevention of Electronic Crimes Act 2016 and the Electronic Transactions Ordinance 2002 must contain the following essential elements.
Organisation Identification: Full legal name of the data controller (business or organisation), SECP company registration number (for companies incorporated under the Companies Act 2017), registered office address, and a dedicated privacy contact email address to which users can address data inquiries.
Scope of Personal Data Collected: A clear list of categories of personal data collected — including name, CNIC number, email address, phone number, payment information, device identifiers, IP addresses, location data, and biometric data — specifying which data is collected automatically (via cookies, analytics tools) and which is voluntarily provided by the user.
Purpose of Data Collection: A specific statement of the purposes for which each category of personal data is collected and processed — such as order fulfilment, payment processing, fraud prevention, marketing, regulatory compliance, or customer support — consistent with the principle of purpose limitation anticipated by the Personal Data Protection Bill.
Legal Basis for Processing: The lawful basis for processing personal data — whether user consent (obtained through an opt-in mechanism in accordance with the Electronic Transactions Ordinance 2002), contractual necessity, legal obligation (including compliance with PTA directions, FBR requirements, or SBP regulations), or legitimate business interest.
Data Sharing and Third Parties: Disclosure of all third parties with whom personal data is shared — including payment processors (e.g. 1Link, NIFT, JazzCash, EasyPaisa), cloud service providers, analytics platforms, and government authorities (FIA, PTA, FBR, SBP) — along with the legal basis for each sharing arrangement.
Data Retention: The period for which personal data is retained — linked to the purpose of collection, regulatory requirements (FBR requires financial records for six years under Section 174 of the Income Tax Ordinance 2001; SBP requires KYC records for five years under AML/CFT regulations), and the principle of storage limitation.
User Rights: A statement of users' rights over their personal data — including the right to access, correct, delete, and withdraw consent — and the mechanism for exercising those rights, including a response timeline (30 days is the international standard adopted by PDPB drafts).
Cookies Policy: Disclosure of cookie use — including essential cookies, analytics cookies (Google Analytics, Adobe Analytics), and marketing cookies — with an opt-out mechanism for non-essential cookies, consistent with PTA guidance on digital platforms.
Security Measures: A description of technical and organisational security measures implemented to protect personal data — including SSL/TLS encryption, access controls, regular security audits, and incident response procedures — consistent with PECA 2016 obligations and the SBP's Cyber Security Framework for Banks.
Data Breach Notification: A commitment to notify affected users and the relevant authority (PTA, SBP, or SECP depending on the sector) in the event of a data breach affecting their personal data, including the timeframe for notification (72 hours is the standard anticipated by the PDPB).
Policy Updates: A statement of how and when the Privacy Policy will be updated, with a mechanism to notify users of material changes (email notification or prominent website banner).
Forms-legal.com provides this Privacy Policy (Pakistan) template as a starting point for PECA 2016-compliant data governance. Businesses should consult a technology law specialist and their Data Protection Officer (if appointed) for sector-specific compliance under SBP, SECP, or PTA regulatory frameworks.
Under the Companies Act 2017, the Securities and Exchange Commission of Pakistan (SECP) maintains the register of Pakistani companies. Section 16 of the Companies Act 2017 governs company incorporation. The Contract Act 1872 governs general contractual obligations. The Federal Board of Revenue (FBR) administers corporate tax under the Income Tax Ordinance 2001. The High Courts (Lahore, Sindh, Peshawar, Balochistan, Islamabad) have original and appellate jurisdiction.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Privacy Policy (Pakistan) [Legal document template]. Forms Legal. https://forms-legal.com/pakistan/business/policies/privacy-policy-pakistan
"Privacy Policy (Pakistan)." Forms Legal, 2026, https://forms-legal.com/pakistan/business/policies/privacy-policy-pakistan.
@misc{formslegal-privacy-policy-pakistan,
  author = {{Forms Legal}},
  title = {Privacy Policy (Pakistan)},
  year = {2026},
  howpublished = {\url{https://forms-legal.com/pakistan/business/policies/privacy-policy-pakistan}},
  note = {Free legal document template}
}
Frequently Asked Questions
While Pakistan does not yet have a standalone data protection law equivalent to the GDPR, the Prevention of Electronic Crimes Act 2016 (PECA) imposes legal obligations on electronic data processors that make a Privacy Policy effectively mandatory for websites and digital platforms. Section 10 of PECA makes it an offence to obtain, transmit, or use electronic data (including personal data) without authorisation, and businesses that process user data without a clear legal basis and disclosure are at risk of FIA Cyber Crime Wing investigation. Additionally, the Pakistan Telecommunication Authority (PTA) under the Removal and Blocking of Unlawful Online Content Rules 2021 requires digital platforms to establish transparent data handling practices. The anticipated Personal Data Protection Bill (PDPB) will make Privacy Policies explicitly mandatory. Businesses operating with foreign users (EU, UK, US) must also comply with GDPR, UK GDPR, or CCPA as applicable, all of which require a Privacy Policy.
In 2025, Pakistani businesses are subject to data protection obligations under several instruments. The Prevention of Electronic Crimes Act 2016 (PECA) — administered by the FIA Cyber Crime Wing and the PTA — provides the primary data privacy framework for electronic data. The Electronic Transactions Ordinance 2002 governs electronic contracts including online consent to Privacy Policies. The SBP's Consumer Protection Framework 2022, AML/CFT Regulations, and Cyber Security Framework impose specific data obligations on banks and financial institutions. The SECP's Fit and Proper Criteria and disclosure requirements apply to regulated entities. The Personal Data Protection Bill (PDPB), when enacted, will introduce a comprehensive regime including mandatory Privacy Policies, data subject rights, data breach notification (within 72 hours), and the appointment of a Data Protection Officer (DPO). Businesses should implement PDPB-aligned practices now to avoid a compliance gap upon enactment.
Cross-border data transfers from Pakistan are regulated by the PTA's guidelines and the anticipated Personal Data Protection Bill (PDPB). Under the current PTA framework, digital platforms are encouraged to store data locally within Pakistan (data localisation) in line with national security and privacy interests. The PDPB drafts circulated by the Ministry of IT and Telecommunication propose that personal data may be transferred outside Pakistan only to countries with an adequate level of data protection (as determined by the PDPB authority) or subject to appropriate contractual safeguards (standard contractual clauses). For banks regulated by the SBP, offshore data storage is subject to the SBP's Cyber Security Framework requirements. Pakistani businesses using cloud services hosted abroad (AWS, Google Cloud, Microsoft Azure) should conduct a data transfer impact assessment and put appropriate data processing agreements in place with their cloud providers.
Under the Prevention of Electronic Crimes Act 2016, violations of data privacy provisions attract significant penalties. Section 3 (unauthorised access to information system) carries imprisonment up to three months and/or a fine of PKR 50,000. Section 5 (unauthorised copying or transmission of critical data) carries imprisonment up to six months and/or a fine of PKR 100,000. Section 10 (data privacy violations involving electronic communication) carries imprisonment up to three months and/or a fine of PKR 100,000. For repeat offences, penalties are doubled. The Federal Investigation Agency (FIA) Cyber Crime Wing (established under Section 29 of PECA 2016) investigates and prosecutes PECA offences. For financial sector businesses, SBP can impose regulatory fines and suspend banking licences for data security failures. SECP has similar enforcement powers over regulated entities. The PDPB, when enacted, is expected to introduce administrative fines up to PKR 25 million for serious violations.
A Privacy Policy for a Pakistani business should be published prominently so that users can access it before providing personal data. Best practice — consistent with PTA guidelines and anticipated PDPB requirements — includes: publishing the Privacy Policy as a dedicated page on the business website with a direct URL (e.g. example.com/privacy-policy); linking to the Privacy Policy in the website footer on every page; providing a link to the Privacy Policy at every data collection point (registration forms, checkout pages, contact forms); including the Privacy Policy link in user account creation emails and terms of service; and requiring active opt-in consent (checkbox) before collecting non-essential personal data. The Privacy Policy should be written in plain Urdu and/or English accessible to the target audience, consistent with the Electronic Transactions Ordinance 2002's recognition of electronic communications. Material changes to the Privacy Policy must be notified to existing users by email or prominent website notice.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.