Data Consent Form (Pakistan)

DATA CONSENT FORM

Governed by the Prevention of Electronic Crimes Act 2016 (PECA 2016) | Personal Data Protection Bill Framework

1. PARTIES

Data Controller: [Controller Name], NTN/Registration No.: [Controller NTN], Address: [Controller Address], Privacy Officer: [Privacy Officer Name] ([Privacy Officer Email]).

Data Subject: [Subject Name], CNIC/NICOP No.: [Subject CNIC], Address: [Subject Address], Relationship: [Subject Relationship].

2. CATEGORIES OF PERSONAL DATA

The Data Controller will collect and process the following categories of personal data: [Data Categories]

3. PURPOSE OF PROCESSING

The personal data listed above will be processed exclusively for the following purposes: [Processing Purpose]

Processing for any purpose not stated above is prohibited without fresh written consent from the Data Subject.

4. RETENTION AND THIRD-PARTY SHARING

Retention Period: The personal data will be retained for [Retention Period], after which it will be deleted or anonymised in a manner that prevents re-identification.

Third-Party Sharing: The personal data may be shared with the following third parties for the stated purposes only: [Third Party Sharing]. No sharing with any other party will occur without fresh consent, except where required by law.

5. DATA SUBJECT RIGHTS

The Data Subject has the following rights under PECA 2016 and the Personal Data Protection Bill framework:

  • Right to access personal data held by the Data Controller
  • Right to correct inaccurate or incomplete personal data
  • Right to withdraw consent at any time (see withdrawal procedure below)
  • Right to complain to the relevant regulator (PTA, SBP, SECP, or PMDC depending on sector)
  • Right to be informed of any data breach affecting their personal data

Withdrawal Procedure: [Withdrawal Procedure]

Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. Where processing is required by law (e.g., SBP Anti-Money Laundering Act 2010 obligations), processing may continue on that legal basis after withdrawal.

6. CONSENT DECLARATION

I, [Subject Name] (CNIC/NICOP: [Subject CNIC]), having read and understood this Data Consent Form, hereby freely, specifically, and unambiguously consent to the collection, processing, storage, and sharing of my personal data by [Controller Name] as described above.

I understand that I may withdraw this consent at any time by following the withdrawal procedure stated above, and that making a false declaration constitutes an offence under Section 14 of the Prevention of Electronic Crimes Act 2016 (PECA 2016).

Signed at [City] on [Consent Date].

Data Subject

________________

Signature

Authorised Representative (Data Controller)

________________

Signature

Witness

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Consent Form (Pakistan)?

A Data Consent Form in Pakistan evidences that consent has been freely given, identifying exactly what has been agreed to and by whom.

The Prevention of Electronic Crimes Act 2016 (Act No. XL of 2016) is the foundational statute governing cybercrime and electronic data in Pakistan. Section 14 of PECA 2016 creates the offence of unauthorised issuance of SIM cards and misuse of identity information. Section 16 of PECA 2016 criminalises unauthorised interception of data. Section 17 of PECA 2016 prohibits glorification of offences and hate speech through information systems. More broadly, PECA 2016 creates a framework within which data controllers must obtain demonstrable consent before processing personal data — particularly sensitive personal data such as financial information, health records, biometric data including fingerprints and facial recognition, religious affiliation, and political opinions.

The Personal Data Protection Bill, which has been reviewed by the Standing Committee on Information Technology and Telecommunication and is expected to be enacted, will introduce formal definitions of 'personal data,' 'sensitive personal data,' 'data controller,' 'data processor,' and 'data subject' analogous to the definitions in the GDPR. Once enacted, the PDPB will require data controllers operating in Pakistan to maintain a written consent record for each data subject whose sensitive personal data is processed, establishing the Data Consent Form as a mandatory compliance document.

Beyond the digital domain, the State Bank of Pakistan (SBP) imposes data consent and Know Your Customer (KYC) requirements on all banks and microfinance institutions regulated under the Banking Companies Ordinance 1962. The SBP's Prudential Regulations require banks to obtain written consent from customers for the use of their personal data in credit bureau reporting to the Credit Information Bureau (CIB) operated by the SBP, as well as for data sharing with the Pakistan Revenue Automation Limited (PRAL) for Federal Board of Revenue (FBR) tax compliance purposes.

The Securities and Exchange Commission of Pakistan (SECP) likewise requires data consent in connection with the processing of personal information of beneficial owners under the Companies Act 2017 and the Anti-Money Laundering Act 2010. The SECP's Know Your Customer regulations for brokers, asset management companies, and insurance companies all require written authorisation from clients before their personal data can be shared with third-party service providers or government agencies.

Hospitals, clinics, and laboratories operating under the Pakistan Medical and Dental Council (PMDC) regulations are expected to obtain patient consent for the processing of health data. The PMDC Code of Ethics and the Health Data Management Policy issued by the Ministry of National Health Services, Regulations and Coordination both reflect the requirement that healthcare providers collect, use, and share patient information only with the patient's informed written consent. Health data constitutes sensitive personal data under the PDPB framework and attracts the highest level of protection.

The Telecom Act (Telecommunications (Re-organization) Act 1996) and the PTA Framework for Lawful Access further regulate the collection and processing of subscriber data by telecom operators — Mobilink/Jazz, Telenor Pakistan, Zong (China Mobile Pakistan), Ufone, and Warid (now merged with Jazz) — who are required to maintain subscriber records under their network licences and cannot share those records without subscriber consent except in response to lawful interception orders under PECA 2016. The intersection between telecom subscriber data and personal data protection means that mobile-based identity verification systems — such as JazzCash, Easypaisa, and bank mobile applications — must comply with both PTA regulations and the PDPB framework when processing user personal data. The Data Consent Form in Pakistan is therefore not merely a bureaucratic formality but a substantive legal instrument that defines the boundaries of lawful data processing in an increasingly digitised economy where personal data flows across banking, health, education, telecom, and government systems in real time.

When Do You Need a Data Consent Form (Pakistan)?

A Data Consent Form in Pakistan is required whenever an organisation — whether a company registered with SECP, a government department, a healthcare provider, or a financial institution — intends to collect, process, store, or share an individual's personal information, and that individual's free, informed, and specific consent is a prerequisite for the processing to be lawful.

A Data Consent Form is needed when a Pakistani bank regulated by the State Bank of Pakistan (SBP) wishes to share a customer's personal data with the Credit Information Bureau (CIB), with other financial institutions for fraud prevention purposes, or with the Federal Board of Revenue (FBR) under the Income Tax Ordinance 2001 automatic exchange of information requirements. SBP Prudential Regulations R-7 and R-8 require banks to disclose to customers the purposes for which their data will be used and to obtain their written consent.

A Data Consent Form is required when a healthcare organisation — a hospital, clinic, pathology laboratory, or pharmaceutical company — collects patient health records, medical history, diagnostic results, or genomic data. The Ministry of National Health Services policy on health data management requires patient consent before health data is shared with insurance companies, research institutions, or data analytics firms. The Pakistan Medical and Dental Council (PMDC) Code of Ethics reinforces the principle of informed consent in all patient-data interactions.

A Data Consent Form is needed when a technology company, mobile application developer, or e-commerce platform operating in Pakistan collects personal data from users — including name, address, mobile number, email address, device identifiers, location data, or browsing behaviour — particularly in light of Section 30 of the Telecom Reorganisation Act and PTA's directives on data localisation and user privacy.

A Data Consent Form is required when an employer seeks to process employee biometric data — fingerprints, facial recognition, or retinal scans — for attendance management or access control purposes. Biometric data is treated as sensitive personal data under the PDPB framework and NADRA's biometric verification guidelines, and its processing requires explicit written consent from each employee.

A Data Consent Form is needed when educational institutions registered with the Higher Education Commission (HEC) or provincial education departments process students' personal data — academic records, financial information, disciplinary history — particularly when sharing such records with prospective employers, foreign universities, or scholarship bodies.

A Data Consent Form is required when a property developer or real estate agent registered under the relevant provincial authority collects personal data from prospective buyers — CNIC numbers, financial information, contact details — for the purposes of anti-money laundering checks under the AML Act 2010. Real estate agents and developers are reporting entities under the AML Act 2010 and must verify and retain customer identity information with the data subject's consent.

A Data Consent Form is needed when a university or school registered with the Higher Education Commission (HEC) or provincial education board processes student data including academic records, financial information, health records, and disciplinary history for administrative, scholarship, or placement purposes. The HEC's data governance framework requires educational institutions to maintain data consent records for students whose information is shared with third parties.

What to Include in Your Data Consent Form (Pakistan)

A valid Data Consent Form in Pakistan under the Prevention of Electronic Crimes Act 2016 and the Personal Data Protection Bill framework must contain the following essential elements to provide effective legal authorisation for data processing.

Identity of Data Controller: Full legal name, registration number (SECP company number or National Tax Number (NTN) issued by FBR), registered address, and contact details of the organisation collecting and processing the data. Where the data controller is a company registered under the Companies Act 2017, the registered company number from the SECP company registry must be stated. This identifies the responsible party and enables the data subject to exercise their rights.

Identity of Data Subject: Full name, NADRA CNIC number (13-digit format: XXXXX-XXXXXXX-X), contact details, and relationship to the data controller (customer, patient, employee, user) of the individual whose data is being collected. The CNIC number is the primary identifier for natural persons in Pakistan and anchors the consent to a specific individual.

Categories of Personal Data: A clear and specific description of each type of personal data to be collected — for example, contact information (name, address, mobile number, email), financial data (bank account number, salary, tax identification number), health data (medical history, diagnoses, prescriptions), biometric data (fingerprints, facial geometry, voice prints), or behavioural data (browsing history, purchase patterns, location data). Vague or blanket descriptions do not satisfy the specificity requirement.

Purpose of Processing: An explicit statement of each specific purpose for which the data will be processed. Purposes must be concrete — 'for credit scoring and loan application processing,' 'for provision of health insurance coverage,' 'for payroll and tax filing purposes' — not general or unlimited. Processing for purposes not stated in the consent form is unlawful under PECA 2016 and the PDPB framework.

Data Retention Period: The period for which the personal data will be retained, after which it must be deleted, anonymised, or returned to the data subject. The SBP's Anti-Money Laundering Act 2010 requirements impose a minimum five-year retention period for financial transaction data. The Companies Act 2017 requires SECP-registered companies to maintain statutory records for a minimum ten-year period.

Third-Party Data Sharing: Identification of any third parties — affiliates, subsidiaries, service providers, government agencies including FBR, NADRA, SBP — with whom the data will be shared, and the purpose of such sharing. Blanket authorisation to share with 'partners' or 'affiliates' without naming them does not satisfy the transparency requirement.

Data Subject Rights: A clear statement of the data subject's rights — the right to access their data, the right to correct inaccurate data, the right to withdraw consent (with a description of the procedure and consequences of withdrawal), and the right to complain to the relevant regulator (PTA, SBP, SECP, or PMDC, depending on the sector). The right to withdraw consent must be exercisable without detriment to the data subject.

Security Measures: A description of the technical and organisational measures implemented by the data controller to protect the personal data — encryption standards, access controls, data breach notification procedures consistent with PECA 2016 Section 43 requirements.

Forms-legal.com provides this Data Consent Form (Pakistan) template as a practical starting point for organisations seeking to implement PECA 2016-compliant data governance. The template reflects the Prevention of Electronic Crimes Act 2016, the Personal Data Protection Bill framework, and sector-specific requirements of the SBP, SECP, and PMDC. Legal advice from a qualified Advocate enrolled at the Islamabad, Lahore, Sindh, Peshawar, or Quetta Bar Council should be obtained for data processing involving sensitive categories of data or international data transfers.

Security Measures Declaration: A clear statement that the Data Controller has implemented appropriate technical and organisational security measures to protect the personal data — including encryption, access controls consistent with ISO 27001 standards, regular security audits, and a data breach response plan compliant with PECA 2016 Section 43 and the applicable SBP, SECP, or PTA security guidelines. The data subject is entitled to know that their data will be protected by documented security measures before giving consent.

Cross-Border Transfer Notice: Where the Data Controller intends to transfer the personal data outside Pakistan — to a parent company, international cloud provider, or foreign regulatory authority — this must be explicitly disclosed in the consent form. The data subject must be informed of the destination country, the purpose of the transfer, and the protections in place. Until the PDPB enacts adequacy rules for cross-border transfers, international transfers require explicit consent and should be disclosed in this section. SBP-regulated entities must obtain SBP approval for any cross-border transfer of financial customer data.

Data Retention Schedule: The Data Consent Form must specify the maximum period for which the personal data will be retained after the purpose of collection has been fulfilled. The State Bank of Pakistan (SBP) Anti-Money Laundering Act 2010 minimum retention period is five years for financial transaction data. Healthcare data under PMDC guidelines is retained for a minimum of ten years. After the retention period expires, the data controller is obligated to securely delete or anonymise the personal data so that it can no longer be attributed to the identified data subject. The data subject must be informed of the retention period at the time of consent.

Under Pakistani law, the Muslim Family Laws Ordinance 1961 governs Muslim marriage (nikah), divorce (talaq), maintenance, and dower (mehr). The Family Courts Act 1964 establishes Family Courts with jurisdiction over matrimonial disputes. The National Database and Registration Authority (NADRA) issues CNIC, NICOP, and birth/death certificates. The Guardian and Wards Act 1890 governs child custody. The Federal Shariat Court reviews laws for Islamic compliance.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Consent Form (Pakistan) (Pakistan) [Legal document template]. Forms Legal. https://forms-legal.com/pakistan/personal/consent/data-consent-form-pakistan

MLA

"Data Consent Form (Pakistan) (Pakistan)." Forms Legal, 2026, https://forms-legal.com/pakistan/personal/consent/data-consent-form-pakistan.

BibTeX
@misc{formslegal-data-consent-form-pakistan,
  author       = {{Forms Legal}},
  title        = {Data Consent Form (Pakistan) (Pakistan)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/pakistan/personal/consent/data-consent-form-pakistan}},
  note         = {Free legal document template}
}

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.