Download

Data Protection Policy

1. Introduction

This Data Protection Policy outlines Karnival Pvt’s commitment to protecting personal data in accordance with the Personal Data Protection Bill (PDPB) 2020 and the Prevention of Electronic Crimes Act (PECA) 2016. This policy governs how data is collected, processed, stored, and shared through our platform and applies to all Users, third-party service providers, and employees.

2. Key Principles

Karnival Pvt upholds the following data protection principles:

  • Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and with full transparency.
  • Purpose Limitation: Data is collected for specified, legitimate purposes only.
  • Data Minimization: Only the minimum necessary data is collected and processed.
  • Accuracy: Personal data is accurate and regularly updated.
  • Storage Limitation: Data is retained only as long as necessary, aligned with the Income Tax Ordinance 2001.
  • Integrity and Confidentiality: Robust security protocols are in place to protect data.

3. Data Classification

  • Personally Identifiable Information (PII): Name, contact details, CNIC/passport numbers, etc.
  • Sensitive Personal Data (SPD): Health records, financial data, biometric identifiers, etc.

4. Data Processing and Consent

4.1 Consent Mechanisms
Data is processed only with explicit, informed user consent through opt-in features (as per PDPB Section 7).

4.2 Legal Grounds for Processing
Processing is based on:

  • Contractual necessity
  • Legal obligations (e.g., PECA 2016)
  • Legitimate interests, barring any override by user rights

5. Data Subject Rights

Under PDPB 2020, users have the following rights:

  • Right to Access
  • Right to Rectification
  • Right to Erasure (Right to be Forgotten)
  • Right to Data Portability
  • Right to Object
  • Right to Restrict Processing

All requests are addressed within 30 days.

6. Data Security and Breach Management

6.1 Security Measures
We implement encryption (AES-256), secure servers, access control, and regular audits compliant with ISO/IEC 27001.

6.2 Breach Notification
Affected users and the Pakistan Telecommunication Authority (PTA) will be notified within 72 hours per PECA Section 29.

7. Data Retention and Deletion

7.1 Retention Periods

  • Transactional Data: 7 years (Income Tax Ordinance Section 174)
  • User Account Data: Until 2 years of inactivity
  • Payment Data: 90 days max unless required for fraud investigation
  • Support Data: Up to 24 months

7.2 Deletion Procedures

  • Permanent Deletion: Following DoD 5220.22-M standards
  • Anonymization: For legally retained data

8. Data Sharing and Third-Party Access

8.1 Third-Party Providers
Bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) when applicable.

8.2 Disclosure to Authorities
Complies with PECA 2016 and only to the extent required. Users will be notified unless legally restricted.

9. International Data Transfers

9.1 Transfer Mechanisms

  • Adequacy Decisions
  • Binding Corporate Rules (BCRs)
  • SCCs

9.2 User Consent
Explicit consent will be obtained for international transfers, especially when risks are identified.

10. Exercising Data Subject Rights

  • Access, correction, erasure, portability, and objection rights can be exercised via platform settings or by contacting our Data Protection Officer (DPO).
  • Requests will be honored within 30 days.

11. Security of Processing

  • Encryption: AES-256 in transit and at rest
  • Network Security: IDS, firewalls, and vulnerability testing
  • Access Controls: Role-based with monitoring and logging
  • Secure Development: OWASP standards followed

Physical Security: 24/7 surveillance and biometric entry at data centers

12. Data Breach Response

  • Detection & Containment: Immediate isolation and investigation
  • Risk Assessment: Assess type and severity of breached data
  • User & Authority Notification: Within 72 hours (PECA Section 29)
  • Corrective Actions: Patch vulnerabilities and improve protocol

13. Data Protection Impact Assessments (DPIA)

Required for high-risk activities (e.g., new tech deployments, profiling). Conducted in line with PDPB Section 30

14. Third-Party Sharing and Transfers

14.1 Law Enforcement Requests
Only shared under applicable laws (PECA 2016, Anti-Terrorism Act 1997) and minimized to the extent required.

14.2 Transfers to Third Countries
Permitted under:

  • Adequate protection laws
  • BCRs or SCCs
  • User consent

15. Audits and Compliance Monitoring

15.1 Annual Audits
Conducted by independent firms to assess compliance with PDPB 2020, PECA 2016, and GDPR.

15.2 Monitoring
Covers:

  • Legal compliance
  • Security measures
  • Data subject rights handling

16. Amendments

This policy may be updated to reflect legal, technological, or operational changes. Users will be notified at least 30 days before changes take effect via email or platform notifications.

Facebook-f Instagram Tiktok
  • 2025-2026 Karnival, All right reserved