GDPR, personal data protection, Pakistan Compliance

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on 25 May 2018, replacing the Data Protection Directive 95/46/EC. While primarily aimed at protecting the privacy of individuals within the European Union (EU), its reach extends far beyond European borders. Pakistani companies, regardless of their location, might find themselves subject to GDPR compliance under specific circumstances. This article aims to elucidate when and how Pakistani companies are required to adhere to GDPR regulations.

Scope of GDPR Applicability

GDPR applies to the processing of personal data of individuals who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:

  1. Offering of goods or services to such data subjects in the EU, irrespective of whether a payment is required.
  2. Monitoring of their behaviour as far as their behaviour takes place within the EU.

Given these criteria, Pakistani companies must consider GDPR compliance in the following scenarios:

1. Offering Goods or Services to EU Residents

If a Pakistani company offers goods or services to EU residents, it falls under the purview of GDPR. This is true even if the services are offered for free. Indicators that a company is targeting EU customers include:

  • The use of EU languages and currencies.
  • The availability of international shipping to the EU.
  • Online advertising aimed at EU customers.
  • Mention of EU customers or users on the company’s website.

For instance, an e-commerce platform in Pakistan that allows European customers to purchase products online and provides an option for delivery to the EU must comply with GDPR.

2. Monitoring Behaviour of EU Residents

GDPR applies to Pakistani companies that monitor the behaviour of individuals within the EU. Behaviour monitoring can include tracking online activities through cookies, profiling for targeted advertising, or any other form of data analytics. Examples include:

  • Websites that use cookies to track the browsing habits of EU visitors.
  • Applications that collect usage data from EU residents for analysis.
  • Services that profile EU users to personalise content or ads.

For example, a Pakistani-based app that tracks user behaviour to tailor advertisements or content based on the user’s location and preferences in the EU is required to comply with GDPR.

Responsibilities Under GDPR

If a Pakistani company falls under the scope of GDPR, it must adhere to the following key principles and obligations:

  1. Lawfulness, Fairness, and Transparency: Data processing must be lawful, fair, and transparent to the data subject.
  2. Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data Minimisation: Data collected must be adequate, relevant, and limited to what is necessary for the intended purposes.
  4. Accuracy: Data must be accurate and kept up to date.
  5. Storage Limitation: Data must be kept in a form that permits identification of data subjects for no longer than is necessary.
  6. Integrity and Confidentiality: Data must be processed in a manner that ensures appropriate security.

Additionally, Pakistani companies must ensure the following:

  • Data Subject Rights: Respect and facilitate data subject rights, including access, rectification, erasure, restriction of processing, data portability, and the right to object.
  • Data Protection Officer (DPO): Appoint a DPO if required, particularly if the core activities involve regular and systematic monitoring of data subjects on a large scale.
  • Data Protection Impact Assessments (DPIAs): Conduct DPIAs for high-risk processing activities.
  • Cross-Border Data Transfers: Ensure appropriate safeguards are in place for transferring personal data outside the EU, including standard contractual clauses or binding corporate rules.

Enforcement and Penalties

Non-compliance with GDPR can result in substantial penalties, with fines up to €20 million or 4% of the company’s global annual turnover, whichever is higher. Therefore, it is crucial for Pakistani companies to assess their data processing activities and ensure compliance to avoid such punitive measures.


Pakistani companies must be vigilant about their obligations under GDPR, especially when dealing with EU residents’ data. By understanding the circumstances under which GDPR applies and implementing the necessary compliance measures, Pakistani companies can avoid legal repercussions and build trust with their European clients and partners.

For further assistance or detailed guidance on GDPR compliance, it is advisable to consult with legal experts specialised in data protection laws.

Legal Action Against a Pakistani Company for GDPR Violations

When a Pakistani company violates the General Data Protection Regulation (GDPR), it can face significant legal repercussions, including enforcement actions and penalties from European Union (EU) regulatory authorities. This article explores how legal action can be taken against a Pakistani company for GDPR violations and the cross-border legal issues that may arise in such situations.

Mechanisms for Legal Action

  1. Regulatory Enforcement by Data Protection Authorities (DPAs)

    The primary mechanism for enforcing GDPR compliance is through Data Protection Authorities (DPAs) in the EU. These regulatory bodies have the authority to investigate and penalise companies that violate GDPR. If a Pakistani company is found to be in breach of GDPR, the relevant DPA can take several steps:

    • Investigations and Audits: DPAs can conduct investigations and audits to assess compliance. They may request documentation, access to systems, and other information to determine whether the company adheres to GDPR requirements.
    • Corrective Powers: DPAs can issue warnings, reprimands, and orders to bring processing activities into compliance. They can also order the company to fulfil data subjects’ rights.
    • Fines and Penalties: Significant fines can be imposed for non-compliance, up to €20 million or 4% of the company’s annual global turnover, whichever is higher.
    • Publicity of Sanctions: DPAs can publicise sanctions to ensure that other organisations are aware of the consequences of non-compliance.

  2. Judicial Remedies for Data Subjects

    Data subjects in the EU have the right to seek judicial remedies for GDPR violations. They can lodge complaints with their national DPA or directly seek compensation from the company for material or non-material damages resulting from the violation. If a Pakistani company violates GDPR, affected individuals can:

    • File Complaints with DPAs: Data subjects can file complaints with their respective DPAs, triggering investigations and potential enforcement actions against the Pakistani company.
    • Pursue Legal Action in National Courts: Data subjects can also pursue legal action in their national courts to claim compensation for damages caused by the GDPR breach.

Cross-Border Legal Issues

  1. Jurisdictional Challenges

    One of the primary cross-border legal issues involves determining the jurisdiction for legal action. While GDPR has extraterritorial reach, applying EU laws to a non-EU company like one based in Pakistan can pose challenges. Key considerations include:

    • Establishing Jurisdiction: EU courts must establish jurisdiction over the Pakistani company. This typically hinges on the company’s activities targeting EU residents, such as offering goods or services or monitoring their behaviour.
    • Recognition and Enforcement of Judgments: Enforcing EU judgments in Pakistan requires recognition of the foreign court’s authority. This can be complex due to differences in legal systems and potential resistance to foreign enforcement.

  2. International Cooperation

    Effective enforcement of GDPR against Pakistani companies necessitates international cooperation between EU DPAs and Pakistani authorities. This cooperation can involve:

    • Mutual Legal Assistance Treaties (MLATs): MLATs facilitate the exchange of information and enforcement of legal requests between countries. They can be instrumental in obtaining evidence and executing enforcement actions.
    • Cross-Border Investigations: Joint investigations by EU DPAs and Pakistani regulators can enhance enforcement efforts. Collaboration can include sharing expertise, resources, and information.

  3. Data Transfer and Privacy Shield

    When a Pakistani company processes EU residents’ data, it must ensure that cross-border data transfers comply with GDPR requirements. Key issues include:

    • Adequacy Decisions: The European Commission can recognise non-EU countries as providing adequate data protection. If Pakistan is not recognised as such, companies must implement alternative safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
    • International Data Transfers: Companies must ensure that data transfers to Pakistan comply with GDPR. This involves implementing appropriate safeguards and maintaining transparency with data subjects.


Legal action against Pakistani companies for GDPR violations involves navigating complex cross-border legal issues, including jurisdictional challenges, international cooperation, and compliance with data transfer regulations. By understanding these mechanisms and issues, Pakistani companies can better prepare for GDPR compliance and mitigate potential legal risks.

For a comprehensive analysis of specific cases or tailored legal advice, consulting with legal experts specialising in data protection and international law is advisable.


Pakistani companies need to comply with GDPR if they:

  • Offer goods or services to individuals in the European Union (EU), regardless of whether the company is located in the EU or not.
  • Monitor the behaviour of individuals in the EU, regardless of whether the company is located in the EU or not.
  • Process personal data of EU citizens, regardless of whether the company is located in the EU or not.

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018.

The GDPR applies to all companies that process the personal data of EU citizens, regardless of whether the company is located in the EU or not. This means that Pakistani companies that offer goods or services to individuals in the EU, monitor the behaviour of individuals in the EU, or process personal data of EU citizens, need to comply with the GDPR.

The GDPR sets out a number of requirements for companies that process personal data, including:

  • Obtaining consent from individuals before processing their personal data.
  • Providing individuals with access to their personal data.
  • Deleting personal data upon request from individuals.
  • Reporting data breaches to data protection authorities.

Companies that fail to comply with the GDPR can face a number of penalties, including fines of up to 4% of global annual turnover or €20 million, whichever is higher.

Pakistani companies that are unsure whether they need to comply with the GDPR should consult with a data protection lawyer. Our law firm welcomes queries from startups and established businesses in Pakistan dealing with the possible impact of GDPR on their operations in Pakistan.

By The Josh and Mak Team

Josh and Mak International is a distinguished law firm with a rich legacy that sets us apart in the legal profession. With years of experience and expertise, we have earned a reputation as a trusted and reputable name in the field. Our firm is built on the pillars of professionalism, integrity, and an unwavering commitment to providing excellent legal services. We have a profound understanding of the law and its complexities, enabling us to deliver tailored legal solutions to meet the unique needs of each client. As a virtual law firm, we offer affordable, high-quality legal advice delivered with the same dedication and work ethic as traditional firms. Choose Josh and Mak International as your legal partner and gain an unfair strategic advantage over your competitors.
