Pakistani companies need to comply with GDPR if they:
- Offer goods or services to individuals in the European Union (EU), regardless of whether the company is located in the EU or not.
- Monitor the behavior of individuals in the EU, regardless of whether the company is located in the EU or not.
- Process personal data of EU citizens, regardless of whether the company is located in the EU or not.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It does this by replacing the data protection directive (Directive 95/46/EC) of 1995. The regulation has been in effect since May 25, 2018.
The GDPR applies to all companies that process the personal data of EU citizens, regardless of whether the company is located in the EU or not. This means that Pakistani companies that offer goods or services to individuals in the EU, monitor the behavior of individuals in the EU, or process personal data of EU citizens, need to comply with the GDPR.
The GDPR sets out a number of requirements for companies that process personal data, including:
- Obtaining consent from individuals before processing their personal data.
- Providing individuals with access to their personal data.
- Deleting personal data upon request from individuals.
- Reporting data breaches to data protection authorities.
Companies that fail to comply with the GDPR can face a number of penalties, including fines of up to 4% of global annual turnover or €20 million, whichever is higher.
Pakistani companies that are unsure whether they need to comply with the GDPR should consult with a data protection lawyer. Our law firm welcomes queries from startups and established businesses in Pakistan dealing with the possible impact of GDPR on their operations in Pakistan.