The First Counsel

Legal Notice

Client and Third Party Privacy Notice

How the firm handles personal information in the practice of law — for clients, opposing parties, witnesses, counterparties, and everyone a matter touches.

Last revised 12 July 2026 · Effective on publication

The Privacy Policy on this website covers the website. This notice covers the practice — the receipt, analysis, and deployment of information about people that is a law firm's daily work. If your name is in one of the firm's files, this notice is addressed to you.

1. Who this notice is for

1.1 This notice explains how The First Counsel (the "firm", "we", "us") handles personal information in the practice of law. The firm's office is at 8th Floor, Askari Corporate Towers, Lahore, Punjab, Pakistan; its email address is [email protected]. The notice takes effect on [EFFECTIVE DATE — ON PUBLICATION] and speaks as at that date.

1.2 It is addressed to every category of person whose information passes through the firm because of what the firm does:

(a) clients — individuals who engage the firm, and the directors, officers, employees, shareholders, and beneficial owners of the organisations that do;

(b) prospective clients — persons whose enquiries or intake discussions do not ripen into an engagement;

(c) adverse and opposing parties — persons on the other side of a dispute, investigation, or negotiation in which the firm acts;

(d) witnesses — of fact and expert, whether called by the firm's side or the other;

(e) counterparties and their people — parties to transactions on which the firm advises, and their officers, employees, and advisers;

(f) court, tribunal, and regulator personnel — judges, registrars, officials, and opposing counsel, whose names and acts appear in matter records as public record;

(g) persons surfaced by due diligence — beneficial owners, directors, guarantors, and others identified in verification, diligence, and compliance exercises;

(h) anyone else who appears in a matter file — because disputes and transactions reach whomever they reach.

1.3 Most of the people in that list never handed the firm anything. That is the nature of legal practice, and this notice says so plainly. Section 5 addresses the position of people who are in the firm's files but are not its clients.

1.4 What this notice does not cover. The website is covered by the Privacy Policy; recruitment applications by section 14 of that policy; the firm's own personnel by internal policies. The principles behind all of these documents are stated in the firm's Data Privacy Standards.

1.5 The legal setting, briefly. As at the effective date, Pakistan has no comprehensive personal-data-protection statute in force. The firm's handling of matter information is governed by the terms of engagement, by the confidentiality obligations of advocates under the Legal Practitioners and Bar Councils Act, 1973 and the canons framed under it, by the privilege recognised in Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984, and by the practices this notice states. When comprehensive legislation comes into force, the firm will conform this notice to it.

2. What we collect and where it comes from

2.1 Categories. Depending on the matter, the firm collects and holds:

(a) identity and contact information — names, addresses, identification numbers, and the identification documents that compliance requires (section 11);

(b) the facts of the matter — anything a dispute or transaction touches: financial affairs, business dealings, employment, property, family circumstances, and, where a claim puts them in issue, subjects as sensitive as health or belief;

(c) documents and evidence — contracts, correspondence, accounts, pleadings, witness statements, and every other species of record a matter generates or requires;

(d) engagement and billing information — instructions, scope, time records, invoices, and payment details;

(e) correspondence — everything written between the firm and clients, counterparties, counsel, courts, and authorities in the matter.

2.2 Sources. Information reaches the firm from:

(a) clients, and those who instruct on their behalf;

(b) the matter itself — disclosure and inspection, service of pleadings, evidence exchanged, and hearings;

(c) public registers and records — company filings, land records, court records, gazettes, and other sources open to any diligent inquirer;

(d) courts, tribunals, and authorities;

(e) counterparties, opposing counsel, and other professionals involved in the matter;

(f) due diligence and verification exercises conducted for transactions and for the compliance purposes in section 11;

(g) experts, translators, and investigators lawfully instructed in the matter.

2.3 The firm obtains information by lawful means only: no purchases from data brokers, no scraping, and no instructing others to obtain by pretext what the firm could not properly obtain itself.

2.4 Sensitive information. Some matters put sensitive subjects in issue — a family case, an employment claim, an allegation of medical negligence. The firm collects such information because, and only because, the matter requires it; staffs it narrowly; and applies the heightened care described in section 9.

3. Why we process it

3.1 The firm processes the information described above for these purposes and no others:

(a) providing legal services — advising, drafting, negotiating, and conducting proceedings: the purpose for which everything else exists;

(b) conflicts checking — testing the parties and subject matter of every prospective engagement against the firm's records of existing and former clients — a professional duty that requires names and brief matter descriptions to be recorded and kept (section 8);

(c) engagement administration — intake, scoping, communication, file management, and supervision;

(d) compliance — the customer due diligence, verification, and record-keeping required of legal professionals in specified circumstances under the Anti-Money Laundering Act, 2010 framework (section 11), and compliance with the firm's professional obligations generally;

(e) billing and recovery — invoicing, accounting, and, where necessary, recovering fees;

(f) defending the firm — responding to complaints, claims, bar council processes, and audits, and dealing with the firm's professional indemnity insurers;

(g) compelled purposes — complying with laws in force in Pakistan and with lawful orders of courts and competent authorities.

3.2 The firm does not use matter information for marketing, does not sell or rent it, and does not use it to profile anyone or make automated decisions about anyone.

4. The special position of privilege

4.1 Everything in this notice sits under a regime older and stricter than any data-protection instrument: the advocate's duty of confidence, and the privilege that protects communications made to an advocate in the course of and for the purpose of professional engagement — recognised in Pakistan by Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984 and enforced through the professional obligations of advocates under the Legal Practitioners and Bar Councils Act, 1973.

4.2 Processing inside the privilege. Most of what the firm does with information is itself privileged or confidential activity — reading, analysing, advising, drafting. The consequence: the records of the firm's work on a matter cannot be opened to outsiders without breaching the very protection the law gives the client. This notice must be read with that in mind.

4.3 The paramount rule. The client's confidence prevails over everything else in this notice. No purpose in section 3, no disclosure in section 6, and no right in section 10 operates so as to breach privilege or the duty of confidence. Where this notice and the client's confidence could be read to conflict, the confidence wins, always.

4.4 Privilege belongs to the client, not to the firm. The firm asserts it wherever it applies — against opposing parties, against authorities, and against access requests — and does not waive it except on the client's informed instruction.

5. Third parties whose data we hold but who are not our clients

5.1 If you are in a matter file but are not the firm's client, the honest starting point is this: the firm holds information about you that you did not give it, it did not need your consent to obtain it, and it may be using that information against your interests — because its client's instructions and the law allow that. Legal practice could not function otherwise, and no privacy notice should pretend otherwise.

5.2 What you can expect from the firm. Within that reality: your information is obtained by lawful means only (clause 2.3); it is used for the matter and the ancillary purposes in section 3, and for nothing else; it is never used to market to you and never sold; it is held under the security described in section 9; and it is not disclosed beyond what the matter and the law require.

5.3 What you cannot expect. Equally candidly:

(a) you cannot see the file — it is the client's, and it is privileged;

(b) you cannot have documents "corrected" — a document in a matter file is evidence, and the place to challenge it is the proceedings, not a privacy request to your opponent's counsel;

(c) you cannot require deletion while the matter, its appeals, or the limitation periods that follow it remain live; and

(d) you cannot instruct the firm — it acts on its client's instructions, and your dealings with it should run through your own counsel.

5.4 The rights in section 10 are afforded to third parties as well as to clients, subject to the limits stated there — which for third parties will often be substantial.

6. Sharing

6.1 Matter information is disclosed only through the channels the practice of law requires:

(a) courts and tribunals — pleadings, evidence, and submissions are filed and served as proceedings require, and become part of the record of the court, public to the extent the law and the court's practice provide;

(b) opposing parties and their counsel — through service, disclosure, inspection, and correspondence, as procedure requires;

(c) experts, arbitrators, mediators, and translators — engaged in the matter, under obligations of confidence;

(d) correspondent and foreign counsel — where a matter needs advice or representation elsewhere, on the terms described in section 7;

(e) service providers — the firm's IT, document, and support providers, selected and bound as the Data Privacy Standards describe;

(f) regulators and authorities, under compulsion — where a law in force, a court order, or a lawful demand requires disclosure, the firm assesses the demand, asserts privilege and confidentiality wherever they apply, discloses no more than is lawfully compelled, and, where the law permits, informs the client;

(g) the firm's insurers, auditors, and advisers — under confidence, where a claim, complaint, or audit requires it;

(h) a successor practice — if the firm merges or reorganises, on terms no less protective than this notice, with notice to clients.

6.2 Nothing described in this notice is disclosed for marketing, and nothing is sold or rented, in any circumstance.

7. Cross-border matters

7.1 Matters cross borders in ordinary course — foreign parties, arbitrations seated abroad, evidence in another jurisdiction, foreign counsel. When personal information crosses a border with a matter, the firm applies the safeguards in section 3 of its Data Privacy Standards: transfer only where and so far as the matter requires; confidentiality terms binding foreign counsel and experts no less strictly than the firm itself; secure transmission proportionate to sensitivity; and, before privileged material travels, consideration with the client of how privilege will be maintained at the destination.

7.2 As at the effective date, Pakistani law imposes no general transfer regime on personal data leaving the country. Drafts of the anticipated legislation have proposed localisation duties and transfer conditions; if enacted, the firm will comply and will amend this section.

7.3 If you instruct the firm from outside Pakistan, your information comes to Pakistan and is held there under this notice, the engagement terms, and the professional obligations of advocates. If your own law requires more — a client subject to the GDPR, for example — raise it at engagement; the firm will contract for compatible handling where it properly can (Data Privacy Standards, section 4).

8. Retention

8.1 Matter files are kept after a matter closes, deliberately: limitation periods under the Limitation Act, 1908 may still run; appeals, revivals, enforcement, and related matters may follow; the client may need the file; and the firm must be able to answer for its work.

8.2 As at the effective date, the firm's default periods are:

(a) matter files — [RETENTION PERIOD, e.g. 10 years from the close of the matter — TO BE CONFIRMED BY THE FIRM], measured with the limitation horizon in mind, then reviewed for destruction or return;

(b) clients' original documents — returned at the close of the matter or held under the engagement terms, at the client's choice;

(c) conflicts records — names and brief matter descriptions are kept for as long as the firm practises, because the duty they serve does not expire;

(d) due diligence and AML/CTF records — for the minimum period the Anti-Money Laundering Act, 2010 framework prescribes [PERIOD — TO BE CONFIRMED BY THE FIRM], and longer where another ground in this section applies;

(e) accounting and billing records — for the periods that fiscal and other laws in force require [PERIODS — TO BE CONFIRMED BY THE FIRM].

8.3 A period above yields where litigation or a regulatory process is pending or reasonably anticipated (a hold applies until it concludes), where a law in force requires longer retention, or where the client has agreed longer retention in writing.

8.4 When retention ends, files are disposed of securely — confidential destruction for paper, deletion from active systems for electronic records, with backup copies expiring on the providers' cycles. [FULL RETENTION SCHEDULE — TO BE CONFIRMED BY THE FIRM.]

9. Security

9.1 Matter information is held under the measures the firm's Data Privacy Standards describe: authentication and access controls on firm systems, encryption of devices and of information in transit, physical security and supervision of paper files, and staffing on a need-to-know basis [SPECIFIC MEASURES — TO BE CONFIRMED BY THE FIRM].

9.2 Matters of particular sensitivity are staffed narrowly, and information barriers are erected where professional duty requires them. Material whose exposure would cause serious harm is not sent by ordinary email where a more protected channel can be arranged; clients may ask for one at any time.

9.3 No security programme makes compromise impossible. If an incident affects matter information, the firm follows the incident procedure in section 7 of its Data Privacy Standards: containment, assessment, notification of affected clients without undue delay, and of other affected persons where there is a real risk of harm.

10. Rights and their limits

10.1 As at the effective date, no comprehensive data-protection statute is in force in Pakistan; the rights in this section are afforded as the firm's stated practice. Subject to clause 10.2, any person within section 1.2 may ask the firm: whether it holds personal information about them, and for a copy of what can properly be given (access); to correct inaccurate records about them (correction); to delete information that no retained purpose requires (deletion); or to stop a particular use, stating reasons (objection).

10.2 The limits, stated in advance rather than discovered on refusal:

(a) privilege and confidence prevail. An access request does not open a matter file. What a requester receives, at most, is the information about them that the firm can separate from privileged and confidential material — and for a third party to a matter, that will often be little. The firm will say what it has withheld in principle, and why, so far as it can do so without itself breaching a confidence;

(b) evidence is not edited. Correction operates on the firm's own records — contact details, an attribution error. A document held as evidence will not be altered because a person it mentions disputes it; the rules of evidence, not a privacy request, are the remedy for a false document;

(c) deletion yields to retention grounds. Information held under the horizons in section 8 — limitation periods, legal holds, AML/CTF minimums, conflicts records — will not be deleted while the ground endures;

(d) the firm is not a discovery channel. A request that is in substance an attempt to obtain an opponent's case will be declined. Disclosure between parties to a dispute belongs to the procedural law of the court or tribunal seized of it, with its own tests and its own judge.

10.3 Procedure. Write to [email protected] with the subject line "Privacy request — practice", stating who you are, the matter concerned so far as you know it, and what you ask. The firm may verify identity before acting. It will acknowledge within 7 days, respond substantively within 30 days of verification, and may extend once, by no more than 30 further days, for complex requests. Reasons for any refusal are given in writing.

10.4 When the anticipated legislation takes effect, this section will be conformed to the rights and exemptions it enacts.

11. AML/CTF processing note

11.1 The Anti-Money Laundering Act, 2010 framework imposes obligations on legal professionals in specified circumstances — broadly, when carrying out certain categories of transactions for clients, such as dealings in real estate or the formation and management of companies [PRECISE SCOPE AS APPLIED TO THE FIRM — TO BE CONFIRMED BY THE FIRM]. Where those obligations apply, the firm must conduct customer due diligence before acting: identifying the client, verifying identity against reliable documents, identifying the beneficial owners of corporate clients, and understanding the purpose of the transaction.

11.2 This processing is not optional on either side. The firm cannot dispense with it, and a prospective client who declines to provide what the framework requires cannot be acted for in the matters to which it applies. Identification and verification records collected for this purpose are kept for the period stated in clause 8.2(d).

11.3 Where the framework requires the firm to report a suspicious transaction to the Financial Monitoring Unit, the firm will comply to the extent the law requires — and the law may forbid it from telling the person concerned that a report has been made. These duties interact with privilege, and the interaction is assessed matter by matter: information protected by privilege is not stripped of that protection by the reporting framework. [POSITION ON PRIVILEGE AND REPORTING OBLIGATIONS — TO BE KEPT UNDER REVIEW BY THE FIRM.]

12. Changes

12.1 The firm will amend this notice when its practices change and when Pakistani law changes — above all, when comprehensive data-protection legislation comes into force. Amendments take effect on publication at thefirstcounsel.com with a new effective date; material changes will be flagged at the top of the notice; earlier versions are retained and provided on request.

12.2 This notice is a statement of the firm's practices. It does not vary any engagement letter, does not create contractual rights beyond those the general law confers, and neither enlarges nor diminishes the firm's professional obligations to its clients. It is governed by the laws of the Islamic Republic of Pakistan.

13. Contact

13.1 Questions, requests, and complaints under this notice should be addressed to:

The First Counsel Attention: [PARTNER RESPONSIBLE FOR DATA PROTECTION — TO BE CONFIRMED BY THE FIRM] 8th Floor, Askari Corporate Towers, Lahore, Punjab, Pakistan Email: [email protected] (subject line "Privacy — practice") Telephone: [TELEPHONE — TO BE CONFIRMED BY THE FIRM]

13.2 The firm will acknowledge a complaint within 7 days and respond substantively in writing within 30 days. A person dissatisfied with the response may ask for it to be reviewed by a partner not involved in it. Clients may also raise any concern with the partner responsible for their matter, at any time.

13.3 As at the effective date, Pakistan has no data-protection authority; the statute that would create one has not been enacted. If such an authority is constituted with jurisdiction over the firm, this section will be updated with its name and contact details. Until then, the remedies are those the general law of Pakistan provides.

Questions about this document may be addressed to [email protected]. Where this document is translated, the English text prevails.

Every matter begins with a first conversation.

Contact the Firm