Dr Afra Sajjad Consultants SMC-PVT Ltd Privacy Notice

Introduction

Dr Afra Sajjad Consultants SMC-Pvt Ltd (“we”, “our”, “us”) is providing this notice to explain how we collect, use, disclose, and safeguard your personal data. While the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) does not apply in Pakistan directly, we endeavour to uphold its values. 

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

Data Controller and Processor

For most of our purposes we are a data processor. This means that we are under contract to collect, process, use, look after and then delete data where we are being hired to do so. 

For some purposes, we are a data controller (which means we determine the means of processing data) – but this is mostly for our own contractual purposes and our HR.

Where we collect data from a member of the public, it is likely that we are a data processor. We will always provide information to you about what our client intends to do with your data.

Who we are

Dr Afra Sajjad Consultants SMC-Pvt Ltd
SECP Number: Corporate Unique Identification No. 0207469
Data Protection Officer Email: bilal@drafrasajjad.com

If you have any questions about this notice or how we handle your personal data, please contact us using the above details.

What Personal Data We Collect

As a data controller, we only collect:

  • Details of clients and potential clients
    • Names, designations and contact details
  • Staff
    • CVs and work history
    • References
    • ID documents (this is temporary while we verify identities)
    • Staff management information, such as training, complaints, bank details, next of kin, health in relation to adjustments or sick leave

As a Data Processor, we collect:

Information depends on the contract and the data processing we have been asked to undertake. However, we usually provide a proximate privacy notice to help you understand what we are processing. As guidance, the sorts of processing we do may include:

  • Company or Institutions:
    • Names, designation, contact details
    • Exceptionally, we will collect travel details and dietary requirements, if this is sent to us
    • Specialist areas of interest
  • Members of the public:
    • Names, contact details
    • Any other information that enables us to provide a service to you

We may also collect special category data only where strictly necessary and with appropriate safeguards.

Legal Basis for Processing

We process your personal data under the following legal bases:

  • Your consent (Article 6(1)(a) GDPR)
  • Performance of a contract (Article 6(1)(b))
  • Legal obligation (Article 6(1)(c))
  • Legitimate interests (Article 6(1)(f)), provided these are not overridden by your rights and freedoms

How We Use Your Personal Data

We may use your personal data to:

  • Provide our products and services
  • Manage our relationship with you
  • Administer our website
  • Send marketing communications (only with your consent or where permitted by law)
  • Comply with legal obligations
  • Improve our services and user experience

Sharing Your Data

We may share your data with:

  • Service providers acting as our data processors. These are limited to:
    • Google Workspace
    • Zoom
    • WhatsApp
  • Professional services:
    • Tahir & Associates Accountants
    • Meezan Bank
  • Regulatory and government authorities if required by law

All third parties are required to respect the security of your personal data and to treat it in accordance with the law.

International Transfers

Where possible, we have signed up to Standard Contractual Clauses with our subprocessors. For most services in Pakistan it is not possible to segregate our data, and it is likely held in data centres globally.

Data Security

  • All devices have strong password policies and admin accounts have MFA
  • Staff only process data in Google Workspace environments or run events in Zoom. We have a strict policy that no downloads of data are permitted.
  • Workspace is controlled by a lead member of staff, who grants role-based access (RBAC) to files.
  • Mobile device management is switched on.
  • All laptops and phones are issued by the consultancy, including to freelancers such as call centre staff. Phones are wiped after data has been exported to Google Sheets and the phones stored until the next call centre project. 
  • All staff and freelancers being given access to personal data are given a 30 minute training session on data management and embedding security in practices. This includes identifying and reporting data breaches or concerns.
  • There is a basic breach management process, with the DPO on standby to manage any instances. 
  • We similarly have a basic DSAR process, but there is no data protection law in Pakistan, so this is limited to cooperating with any data controllers, providing them with our data in a timely manner so that they can discharge their obligations.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Your Data Protection Rights

Under the GDPR, you have rights including:

  • Access – to obtain a copy of your personal data
  • Rectification – to request correction of your data
  • Erasure – to request deletion of your data
  • Restriction – to request restriction of processing
  • Data portability – to receive data in a structured format
  • Objection – to object to processing based on legitimate interests
  • Withdraw consent – where processing is based on consent

While the GDPR does not apply in Pakistan, where we are a data processor for an organisation to which a data protection law does apply, we will promptly cooperate with that organisation to help uphold your rights.

Cookies

Name                      Type
wpEmojiSettingsSupports   Session storage

Complaints

If you have any concerns about our use of your personal data, you can write to our DPO at bilal@drafrasajjad.com. While data protection law does not apply to us directly, we take your privacy seriously and will endeavour to resolve your concerns.