Data Processing Agreement (PBC Data Ownership & UAE PDPL Alignment)

Effective Date: 07 January 2026

This Data Processing Agreement (“Agreement” or “DPA”) is effective as of 07 January 2026. This Agreement establishes the mandatory data protection, privacy, and security requirements governing the processing of Personal Data owned by Pakistan Business Council (PBC) in connection with PBC’s digital platforms, applications, systems, and operations.

1. Data Ownership & Authority

  • 1.1 Pakistan Business Council (PBC) is the sole Data Owner and Data Controller of all Personal Data processed under this Agreement.
  • 1.2 All Processing activities are performed exclusively under PBC’s authority, instructions, and control.
  • 1.3 No party processing PBC data shall:
    • Claim ownership or intellectual property rights over the data
    • Determine independent purposes or means of processing
    • Use PBC data for analytics, profiling, benchmarking, training, or secondary purposes
  • 1.4 This DPA prevails over any conflicting privacy, security, or data-related terms.

2. Legal Basis & Definitions

This Agreement is aligned with:

  • UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law – PDPL)
  • Executive Regulations and applicable UAE data protection guidance

Capitalized terms such as Personal Data, Sensitive Personal Data, Processing, Controller, Data Subject, and Personal Data Breach shall have the meanings assigned under PDPL.

3. Scope of Processing

Nature of Processing: Collection, recording, storage, hosting, access, use, transmission, analysis, support, maintenance, backup, archival, and deletion — strictly for PBC-authorized purposes.

Purpose of Processing: Operation, management, delivery, support, and improvement of PBC-controlled platforms, applications, services, and internal systems.

Duration: Processing shall continue only for the period authorized by PBC, or as required by applicable law.

4. Categories of Data

Data Subjects:
  • PBC members
  • Application users
  • Employees and contractors
  • Stakeholders and authorized users
Types of Personal Data:
  • Identifiers (name, email, phone number)
  • Organizational affiliation and role
  • Device, usage, and log data
  • Support, communication, and interaction data

5. Processing Obligations

All Processing of PBC data shall:

  • Be performed only on documented instructions issued by PBC
  • Be limited to the minimum data necessary
  • Maintain strict confidentiality
  • Prevent unauthorized access, disclosure, alteration, or loss
  • Support PBC’s compliance with PDPL and applicable regulations
  • Immediately escalate any data protection or security risks to PBC

6. Security Measures (PDPL Article 20)

Appropriate technical and organizational measures shall be implemented, including:

  • Role-based and least-privilege access controls
  • Strong authentication mechanisms
  • Data encryption in transit and at rest (where applicable)
  • Secure infrastructure and hosting environments
  • Logging, monitoring, and anomaly detection
  • Regular vulnerability management and patching

Security measures shall be proportionate to data sensitivity and risk.

7. Sub-Processing & Delegation

No Personal Data may be further delegated, accessed, or processed by any other entity without explicit written authorization from PBC.

PBC retains full control over approval, oversight, scope, and termination of any delegated processing activities.

8. Cross-Border Data Transfers

Where Personal Data is accessed or transferred outside the UAE:

  • Such transfer shall occur only with written authorization from PBC
  • Adequate protection measures under PDPL must be ensured
  • Contractual, technical, and organizational safeguards must be applied
  • PBC data sovereignty requirements shall prevail

9. Data Subject Rights

Assistance shall be provided to PBC to enable compliance with Data Subject rights, including:

  • Access and data portability
  • Rectification or erasure
  • Restriction or objection to processing
  • Withdrawal of consent

All actions must align with PDPL timelines and instructions.

10. Personal Data Breach Management

In the event of a Personal Data Breach:

  • PBC shall be notified immediately and no later than 24 hours
  • Full details shall be provided, including nature, cause, impact, and remediation
  • Full cooperation with investigations and regulatory requirements is mandatory

11. Audit & Compliance

PBC reserves the right to request compliance evidence, conduct audits or assessments, and require corrective actions. Audit rights may be exercised directly or through appointed representatives.

12. Data Retention, Return & Deletion

Upon completion, termination, or instruction from PBC:

  • All Personal Data shall be securely deleted or returned
  • No copies, backups, or derivatives shall be retained
  • Written confirmation of deletion shall be provided

Retention is permitted only where legally required.

13. Confidentiality

All Personal Data and related information constitute confidential assets of PBC and shall not be disclosed except as authorized by PBC or where legally required.

14. Liability & Indemnification

Any unauthorized, unlawful, or negligent processing resulting in harm, regulatory action, or loss shall give rise to full liability and indemnification obligations in favor of PBC.

15. Governing Law & Jurisdiction

This Agreement shall be governed by the laws of the United Arab Emirates. UAE courts shall have exclusive jurisdiction.

16. Term

This DPA remains effective until all PBC Personal Data has been permanently deleted or returned in accordance with this Agreement.

17. Order of Precedence

In the event of conflict:

  1. This DPA
  2. Any underlying agreement
  3. Any other documentation

18. Contact

Pakistan Business Council

📧 Email: info@pbcdubai.ae

🌐 Website: https://pbcdubai.ae/

📍 Address: Cambridge Business Center Silicon Oasis, Dubai, United Arab Emirates.