Data Protection Policy

Karnival's commitment to protecting your personal data in full compliance with the Personal Data Protection Bill (PDPB) 2020 and PECA 2016.

1. Introduction

This Data Protection Policy outlines Karnival Pvt's commitment to protecting personal data in accordance with the Personal Data Protection Bill (PDPB) 2020 and the Prevention of Electronic Crimes Act (PECA) 2016. This policy governs how data is collected, processed, stored, and shared through our platform and applies to all Users, third-party service providers, and employees.

2. Key Principles

  • Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and with full transparency.

  • Purpose Limitation: Data is collected for specified, legitimate purposes only.

  • Data Minimization: Only the minimum necessary data is collected and processed.

  • Accuracy: Personal data is accurate and regularly updated.

  • Storage Limitation: Data is retained only as long as necessary, aligned with the Income Tax Ordinance 2001.

  • Integrity and Confidentiality: Robust security protocols are in place to protect data.

3. Data Classification

  • Personally Identifiable Information (PII): Name, contact details, CNIC/passport numbers, etc.

  • Sensitive Personal Data (SPD): Health records, financial data, biometric identifiers, etc.

4. Data Processing and Consent

4.1 Consent Mechanisms: Data is processed only with explicit, informed user consent through opt-in features, as per PDPB Section 7.

4.2 Legal Grounds for Processing: Processing is based on contractual necessity, legal obligations (e.g., under PECA 2016), and legitimate interests, unless overridden by the rights of the user.

5. Data Subject Rights

Under PDPB 2020, users have the following rights, all addressed within 30 days:

  • Right to Access

  • Right to Rectification

  • Right to Erasure (Right to be Forgotten)

  • Right to Data Portability

  • Right to Object

  • Right to Restrict Processing

6. Data Security and Breach Management

6.1 Security Measures: We implement encryption (AES-256), secure servers, access control, and regular audits compliant with ISO/IEC 27001.

6.2 Breach Notification: Affected users and the Pakistan Telecommunication Authority (PTA) will be notified within 72 hours per PECA Section 29.

7. Data Retention and Deletion

7.1 Retention Periods:

  • Transactional Data: 7 years (Income Tax Ordinance Section 174)

  • User Account Data: Retained until 2 years of account inactivity

  • Payment Data: Maximum 90 days unless required for a fraud investigation

  • Support Data: Up to 24 months

7.2 Deletion Procedures: Permanent deletion follows DoD 5220.22-M standards. Legally retained data is anonymized.

8. Data Sharing and Third-Party Access

8.1 Third-Party Providers: Bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) when applicable.

8.2 Disclosure to Authorities: Complies with PECA 2016 only to the extent required. Users will be notified unless legally restricted.

9. International Data Transfers

Transfers outside Pakistan are made under Adequacy Decisions, Binding Corporate Rules (BCRs), or Standard Contractual Clauses (SCCs). Explicit consent will be obtained when risks are identified.

10. Security of Processing

  • Encryption: AES-256 in transit and at rest

  • Network Security: IDS, firewalls, and vulnerability testing

  • Access Controls: Role-based with monitoring and logging

  • Secure Development: OWASP standards followed

  • Physical Security: 24/7 surveillance and biometric entry at data centers

11. Data Breach Response

  • Detection & Containment: Immediate isolation of affected systems and investigation

  • Risk Assessment: Assessment of the type and severity of the breached data

  • User & Authority Notification: Within 72 hours (PECA Section 29)

  • Corrective Actions: Patching of vulnerabilities and improvement of security protocols

12. Data Protection Impact Assessments (DPIA)

Required for high-risk activities such as new tech deployments and profiling. Conducted in line with PDPB Section 30.

13. Audits and Compliance Monitoring

13.1 Annual Audits: Conducted by independent firms to assess compliance with PDPB 2020, PECA 2016, and GDPR.

13.2 Monitoring: Covers legal compliance, security measures, and data subject rights handling.

14. Amendments

This policy may be updated to reflect legal, technological, or operational changes. Users will be notified at least 30 days before changes take effect via email or platform notifications.