Legal Notice
Website Privacy Policy
How this website — and the firm behind it — collects, uses, protects, and declines to exploit information.
Last revised 12 July 2026 · Effective on publication
1. Introduction and who we are
1.1 This policy explains how The First Counsel (the "firm", "we", "us") handles information in connection with the website at thefirstcounsel.com (the "website"). It is written to be read, not skimmed. Where the honest answer is "we do not collect that", the policy says so.
1.2 The firm is a law firm practising in Pakistan. Its office is at 8th Floor, Askari Corporate Towers, Lahore, Punjab, Pakistan. Its email address is [email protected]. For the purposes of this policy, the firm is the party that determines why and how the limited personal information described below is handled — the role that data-protection instruments elsewhere call a "controller".
1.3 Effective date. This policy takes effect on [EFFECTIVE DATE — ON PUBLICATION] and speaks as at that date. Statements about the website's design, about Pakistani law, and about the firm's practices are accurate as at the effective date and will be revised if they cease to be accurate (see section 15).
1.4 Scope. This policy covers: (a) the website itself; (b) correspondence you initiate through or because of the website; (c) recruitment applications sent to the firm; and (d) registrations for firm events, if and when the firm takes registrations online. It does not cover information the firm handles for clients in the course of legal engagements. That information is governed by the terms of engagement, by the professional obligations of advocates, and by legal professional privilege — not by this document (see sections 3.5 and 6).
1.5 The legal setting, stated plainly. As at the effective date, Pakistan has no comprehensive personal-data-protection statute in force. Successive drafts of a Personal Data Protection Bill have been circulated by the federal government since 2018; none had been enacted when this policy was published. The statutes that do bear on this subject include the Prevention of Electronic Crimes Act, 2016 ("PECA"), which criminalises unauthorised access to information systems and data, and Article 14(1) of the Constitution of the Islamic Republic of Pakistan, which protects the dignity of man and, subject to law, the privacy of home, and from which the superior courts have drawn a broader privacy interest. The firm applies the standards set out in this policy — which draw on the draft Pakistani legislation and on internationally recognised data-protection principles — as a matter of professional practice, not because a statute presently compels it. When comprehensive Pakistani data-protection legislation comes into force, the firm will conform to it and will amend this policy accordingly.
1.6 Nothing on this website, and nothing in any message you send through it, creates an advocate–client relationship with the firm. That relationship arises only when the firm confirms an engagement in writing after completing its conflicts and intake procedures.
2. Definitions
2.1 In this policy:
"personal information" means information relating to an identified or identifiable natural person, including a name, an email address, an online identifier such as an IP address, or any combination of data that singles a person out.
"processing" means anything done with information — collection, recording, storage, use, disclosure, transfer, erasure — whether or not by automated means.
"technical data" means the data generated automatically when a device requests a page from a web server: IP address, browser and operating-system identifiers (the "user agent" string), the date and time of the request, the pages requested, the referring page if the browser transmits one, and related connection metadata.
"correspondence data" means the content of messages you send to the firm by email, together with the names, addresses, and other details those messages contain.
"recruitment data" means information submitted in connection with an application to work at the firm: a CV, a cover letter, academic records, references, and similar material.
"client matter data" means information the firm receives or generates in the course of, or in contemplation of, a legal engagement. Client matter data is expressly outside the scope of this policy (see section 3.5).
"service provider" means a third party that processes information on the firm's behalf and on its instructions, such as a hosting provider or an email provider.
"CDN" means a content delivery network — infrastructure that serves copies of a website from servers distributed around the world so that pages load from a location near the visitor.
"PECA" means the Prevention of Electronic Crimes Act, 2016, as amended from time to time.
"the anticipated legislation" means comprehensive Pakistani personal-data-protection legislation of the kind foreshadowed by the draft Personal Data Protection Bill, once enacted and in force.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council, and references to it include, where the context requires, the equivalent retained law of the United Kingdom.
2.2 Headings are for convenience. Examples introduced by "including" or "such as" do not limit the words that precede them.
3. The information we collect
The starting point matters: this website is a statically generated, informational site. It has no user accounts, no login, no shopping facility, no comment sections, and no database of visitors. The catalogue of information below is short because the website is built to make it short.
3.1 Technical and log data
3.1.1 When your browser requests a page, the servers that deliver the website record technical data: your IP address, your user agent string, the date and time of the request, the URL requested, and, where your browser transmits it, the referring page. This is a property of how the web works, not a choice peculiar to this website.
3.1.2 The website is served from global CDN infrastructure operated by a third-party hosting provider (currently [HOSTING/CDN PROVIDER, e.g. Cloudflare, Inc. — TO BE CONFIRMED BY THE FIRM]). The technical data described above is generated and held on that provider's systems, under that provider's published terms and retention practices. The firm does not run its own web servers for this site, does not export these logs into its own systems, and does not attempt to link technical data to named individuals.
3.1.3 The firm may consult aggregated or security-related views of this data that the hosting provider makes available — for example, counts of requests, indications of automated abuse, or the origin of an attack — for the purposes in section 5.
3.2 Correspondence you send to us
3.2.1 The contact facility on this website does not transmit anything to a server operated by or for the firm. It assembles a draft message and opens it in your own email application (a "mailto" mechanism). Until you press send in your own mail client, nothing leaves your device by reason of the form, and the firm receives nothing. The website itself stores no form submissions, because there is no server component to store them.
3.2.2 If you do send the message, it travels as ordinary email and is received into the firm's email system, which is operated by the firm's email provider ([EMAIL PROVIDER — TO BE CONFIRMED BY THE FIRM]). At that point the firm holds whatever you chose to include: typically your name, your email address, and the substance of your enquiry.
3.2.3 Conditional provision — hosted form endpoint. The firm may in future replace or supplement the mailto mechanism with a hosted form endpoint, under which submissions would pass through, and be stored for a period by, a form-processing service provider. If that happens: (a) this policy will be amended before the change takes effect to name the provider, the storage location, and the retention period; and (b) the data collected will remain limited to what the form visibly asks for. Until such an amendment appears in this policy, no hosted form endpoint is in use.
3.2.4 Please read section 6 before sending the firm anything confidential. In brief: do not send sensitive details of a legal matter by email before the firm has confirmed, in writing, that it can act for you.
3.3 Recruitment applications
3.3.1 If you apply to work at the firm — whether in response to an advertised position or speculatively — the firm collects the recruitment data you submit and information generated during the process (interview notes, assessments, reference responses). Section 14 is a sub-policy dealing with recruitment data in detail.
3.4 Event registrations (future)
3.4.1 As at the effective date, the firm does not take event registrations through this website. If the firm later hosts seminars, webinars, or similar events and collects registrations online, it will collect only what administration of the event requires — typically name, organisation, professional role, and email address — and section 9 states the retention period that will apply. Any third-party registration or webinar platform used will be identified at the point of registration.
3.5 Client matter data — expressly out of scope
3.5.1 Information that the firm receives from or about clients in the course of an engagement, or in serious contemplation of one, is client matter data. It is handled outside this website, under the firm's terms of engagement, under the confidentiality obligations imposed on advocates by the Legal Practitioners and Bar Councils Act, 1973 and the canons of professional conduct framed under it, and under the privilege recognised by Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984.
3.5.2 Those regimes are stricter than this policy in some respects and different in others — in particular, the rights described in section 11 yield, where they conflict, to privilege and to the firm's professional duties. Nothing in this policy dilutes, waives, or restates the firm's obligations to its clients.
3.6 Analytics — none now; a narrow provision for later
3.6.1 As at the effective date, the website runs no analytics of any kind. No script on the site reports your visit to an analytics service.
3.6.2 Conditional provision. The firm may in future adopt aggregate web analytics, and if it does, only on the following terms: (a) the service will set no cookies and place no identifier of any kind on your device; (b) it will not build profiles of individual visitors and will not retain complete IP addresses; (c) its output will be aggregate counts — pages viewed, countries of origin, referral sources — not records of individuals; and (d) this policy will be amended to name the service before it is deployed. Analytics that fail any of these conditions will not be used.
4. What we do not collect and do not do
4.1 It is easier to trust a short list of collections when it sits beside an explicit list of abstentions. The firm states, as at the effective date, that:
(a) we set no cookies. Neither the firm nor any script the firm has placed on this website stores cookies, local-storage entries, or comparable identifiers on your device;
(b) we run no advertising or marketing pixels. There are no ad-network tags, no social-media pixels, no cross-site trackers, and no embedded widgets that report your visit to a third party;
(c) we do not sell, rent, trade, or license personal information to anyone, for any consideration, in any circumstance;
(d) we do not profile visitors and we make no automated decisions about anyone based on website data;
(e) we do not build marketing lists from this website. The firm will not add you to any mailing list unless you have expressly asked to be added, and any such list will carry a working unsubscribe mechanism;
(f) we do not buy contact lists or enrich correspondence data with information purchased from data brokers;
(g) we operate no accounts and take no payments through this website, and therefore hold no passwords and no payment-card data in connection with it.
4.2 These statements are verifiable. A visitor with ordinary browser developer tools can confirm the absence of cookies and third-party trackers on this site, and is welcome to do so.
4.3 If the firm ever proposes to depart from any statement in this section, it will amend this policy before the departure takes effect, in the manner described in section 15. Silence in a later version of this policy is not a departure; departures will be explicit.
5. How we use information
The firm uses the limited information described in section 3 for the purposes set out below. For each purpose we state the ground on which we rely. Because no comprehensive Pakistani statute is yet in force, these grounds are expressed in terms consistent with the draft Pakistani legislation and with international practice (including the GDPR, where it applies to a particular visitor); the firm will map them to the statutory grounds of the anticipated legislation once it is enacted.
5.1 Responding to enquiries
5.1.1 The firm uses correspondence data to read, assess, and answer what you sent. The ground is the firm's legitimate interest in dealing with correspondence addressed to it and, where your enquiry contemplates an engagement, the taking of steps at your request prior to entering into a contract.
5.2 Conflicts checking
5.2.1 Before the firm can act for anyone, professional duty requires it to check that doing so would not conflict with duties owed to existing or former clients. Names and brief matter descriptions drawn from correspondence data may be entered into the firm's conflicts records for that purpose. The ground is compliance with the firm's professional obligations and its legitimate interest in maintaining an effective conflicts procedure. Section 9 explains why conflicts records are retained on a long horizon.
5.3 Recruitment
5.3.1 The firm uses recruitment data to assess applications, conduct interviews, take references, and make hiring decisions. The ground is the taking of steps at the applicant's request with a view to a contract of employment, and the firm's legitimate interest in recruiting on merit. Section 14 contains the detail.
5.4 Security and diagnostics
5.4.1 Technical data held by the hosting provider is used — largely by the provider's own automated systems, and occasionally by the firm reviewing the provider's dashboards — to detect and mitigate denial-of-service attacks, automated scraping, intrusion attempts, and faults. The ground is the legitimate interest of the firm and of visitors in a website that stays up and is not abused, and, where PECA offences are suspected, the documentation of unlawful access.
5.5 Legal obligations and legal claims
5.5.1 The firm may use and preserve any category of information described in this policy where a law in force in Pakistan requires it, where a court or competent authority lawfully orders it, or where the information is reasonably necessary to establish, exercise, or defend the firm's legal rights. The ground is compliance with legal obligation, or legitimate interest in the conduct of claims, as the case may be.
5.6 Event administration and prospective analytics
5.6.1 If event registrations are introduced (section 3.4), registration data will be used to administer the event and to send communications about that event only. If aggregate analytics are introduced (section 3.6), the output will be used to understand, in aggregate, which pages are read — nothing more.
5.7 No secondary use
5.7.1 The firm does not use website-derived information for purposes beyond those stated in this section. In particular, the firm does not combine technical data with correspondence data to identify visitors, and does not use correspondence data for marketing (section 4.1(e)).
6. Confidentiality, privilege, and the line between website data and client matter data
6.1 Advocates in Pakistan owe duties of confidence to their clients under the Legal Practitioners and Bar Councils Act, 1973 and the canons of professional conduct framed under it, and communications made to an advocate in the course of and for the purpose of professional engagement are protected from compelled disclosure by Articles 9 and 12 of the Qanun-e-Shahadat Order, 1984. These protections attach to client matter data. They are the reason client matter data is carved out of this policy: it is governed by a stricter and older regime than any website privacy statement.
6.2 What privilege does not automatically cover. An unsolicited email to [email protected] from a person the firm has never acted for is not, without more, a privileged communication, and it does not oblige the firm to act or to keep the sender's confidence in the way an engagement would. Until the firm has run its conflicts procedure and confirmed the engagement in writing, you should therefore send only what is needed to identify yourself, the parties involved, and the general nature of the matter. Do not send documents, account numbers, or the detailed narrative of a dispute at first contact. The firm may be unable to act — for example, because it already acts for another party — and information sent prematurely helps no one.
6.3 The practical line. Information you send through or because of this website is correspondence data and is governed by this policy up to the moment an engagement is confirmed. From that moment, the correspondence and everything that follows becomes client matter data, moves onto the firm's matter-management systems, and is governed by the engagement terms and the professional regime described above. Retention, disclosure, and destruction of client matter data follow that regime, not the schedule in section 9.
6.4 Nothing in this policy is, or may be read as, a waiver of privilege or a dilution of any duty the firm owes a client.
7. Sharing and disclosures
The firm does not publish, sell, or broadcast personal information. Disclosure happens only in the narrow channels below.
7.1 Service providers
7.1.1 The firm uses a small number of service providers whose systems necessarily process the information described in this policy:
(a) hosting and CDN. The website is served by [HOSTING/CDN PROVIDER, e.g. Cloudflare, Inc. — TO BE CONFIRMED BY THE FIRM], which processes technical data on its global infrastructure as described in sections 3.1 and 8;
(b) email. The firm's email is operated by [EMAIL PROVIDER — TO BE CONFIRMED BY THE FIRM], on whose servers correspondence data and emailed recruitment data reside;
(c) IT support. Persons who maintain the firm's systems may incidentally access information stored on those systems, under obligations of confidentiality;
(d) prospective providers. If a hosted form endpoint (section 3.2.3), an event-registration platform (section 3.4), an analytics service (section 3.6), or a recruitment platform (section 14) is adopted, the relevant provider will be identified in this policy or at the point of collection before use begins.
7.1.2 Service providers act under their published terms or under contract with the firm. The firm selects providers that publish meaningful security and privacy commitments, and it does not authorise any provider to use information from this website for the provider's own marketing.
7.2 Disclosure under legal compulsion
7.2.1 The firm may disclose information where disclosure is required by a law in force in Pakistan, by an order of a court of competent jurisdiction, or by a lawful demand of a competent authority — including investigative agencies exercising powers under PECA. Before complying, the firm will assess the demand's lawfulness and scope, will disclose no more than the demand lawfully requires, and will assert privilege and professional confidentiality wherever they apply. Where the law permits, the firm will tell the person concerned that a demand has been made.
7.3 Professional and institutional disclosures
7.3.1 The firm may disclose limited information, under obligations of confidence, to: (a) its professional indemnity insurers and their advisers, where a claim or circumstance requires it; (b) its auditors and professional advisers; (c) the Pakistan Bar Council or a Provincial Bar Council, where a regulatory process requires it; and (d) a successor practice, in the event of a merger, acquisition, or reorganisation of the firm — in which case the successor will be bound by this policy or one no less protective, and affected persons will be notified of any change of controller.
7.4 What is never done
7.4.1 For the avoidance of doubt: no information described in this policy is shared with advertisers, ad networks, data brokers, or social-media platforms, and none is sold or rented to anyone (section 4.1(c)).
8. International transfers
8.1 Two features of this website's design mean that some information crosses borders as a matter of course, and this section states that plainly rather than burying it.
8.2 Technical data. Because the website is served from a global CDN, your request is answered by whichever of the provider's edge servers is nearest to you, and the technical data your request generates is processed on that server — which may be in Pakistan, or may be anywhere the provider operates. This is inherent in CDN hosting; it is the mechanism that makes the site fast and resilient.
8.3 Correspondence and email. The firm's email provider may store mail on servers located outside Pakistan. Correspondence data and emailed recruitment data may accordingly be held abroad.
8.4 The safeguards applied. As at the effective date, Pakistani law imposes no general adequacy or transfer-mechanism regime for personal data. The firm nonetheless: (a) uses providers that publish substantial contractual, technical, and organisational security commitments applicable across their infrastructure; (b) transfers nothing beyond the categories this policy describes; and (c) keeps client matter data off this website entirely, so that the transfers described here never include it. Drafts of the anticipated legislation have proposed localisation requirements and conditions on cross-border transfer; if enacted, the firm will comply with them and will amend this section, changing providers or architecture if compliance requires it.
8.5 Visitors in GDPR jurisdictions should understand that information they send to the firm is transferred to Pakistan, a country that has not been the subject of an adequacy decision by the European Commission or the government of the United Kingdom. The protections available are those set out in this policy, the firm's professional obligations, and the contractual commitments of its providers. If that level of protection is not acceptable to you, do not submit personal information through this website; you may contact the firm by other means and ask what alternatives can be arranged.
9. Retention
9.1 The firm keeps information only as long as the purpose for which it was collected requires, and then disposes of it, subject to the overriding grounds in paragraph 9.3.
9.2 Retention schedule. As at the effective date:
| Category | Retention period | Reason |
|---|---|---|
| Technical and log data (held by hosting/CDN provider) | Held under the provider's own published schedule, typically measured in days to weeks [PROVIDER SCHEDULE — TO BE CONFIRMED BY THE FIRM]. The firm does not export or separately retain these logs. | Security, abuse mitigation, diagnostics |
| General enquiry correspondence that does not lead to an engagement | 24 months from the last substantive exchange, then reviewed for deletion | Responding to the enquiry; keeping a record of dealings |
| Conflicts-check records (names and a brief description only) | For as long as the firm operates its conflicts procedures, which may be indefinite | Professional duty to identify conflicts, which does not expire when correspondence ends |
| Correspondence that becomes an engagement | Transferred to the matter file; engagement terms and professional obligations govern from that point | Out of scope of this policy (section 6.3) |
| Recruitment data — unsuccessful applications | 12 months from the decision; up to 24 months where the applicant consents to be considered for future roles | Answering questions about the decision; defending it if challenged |
| Recruitment data — successful applications | Retained as part of the personnel file under the firm's employment records practices | Employment administration |
| Event registration data (if introduced) | 12 months from the event | Administration and follow-up limited to the event |
| Records of privacy requests and complaints (section 11 and section 16) | 36 months from closure | Demonstrating how the request was handled |
9.3 Overriding grounds. A period in the table yields where: (a) a law in force requires longer retention; (b) litigation or a regulatory process involving the information is pending or reasonably anticipated, in which case the information is placed under hold until the matter concludes, bearing in mind the limitation periods prescribed by the Limitation Act, 1908; or (c) you have asked the firm to keep something longer, in writing.
9.4 Disposal. When a retention period ends, the firm deletes the information from its active systems. Copies may persist for a further limited period in routine backups maintained by the firm's providers; such copies are not restored to active use except in a disaster-recovery event, and they expire on the providers' backup cycles.
10. Security measures
10.1 The most effective security measure in this policy has already been described: the website's architecture. A statically generated site with no database, no accounts, no stored form submissions, and no server-side code of the firm's own holds almost nothing that can be breached. The firm regards data it never collects as data it cannot lose.
10.2 For what is collected, the measures as at the effective date include:
(a) transport encryption. The website is served over HTTPS/TLS on every page; the hosting provider's infrastructure provides denial-of-service mitigation and related network protections;
(b) email system controls. Access to the firm's email is limited to authorised personnel and protected by authentication controls, including multi-factor authentication [CONFIGURATION — TO BE CONFIRMED BY THE FIRM];
(c) access on a need basis. Correspondence and recruitment data are accessible only to the personnel who need them for the purposes in section 5;
(d) device and account hygiene. Firm devices that access email are required to use screen locks and storage encryption [CONFIGURATION — TO BE CONFIRMED BY THE FIRM];
(e) provider selection. The firm's providers publish their own security programmes, on which the firm relies for the infrastructure layers it does not control.
10.3 An honest caveat about email. Ordinary email is encrypted in transit between well-configured servers but is not end-to-end encrypted, and no security programme makes interception or compromise impossible. Do not send the firm information whose exposure would seriously harm you before asking whether a more protected channel can be arranged; the firm will arrange one where the sensitivity of a prospective matter warrants it.
10.4 Incidents. If the firm learns of an incident affecting information covered by this policy, it will assess the incident, contain it, and — where the incident creates a real risk of harm to identifiable persons — inform those persons without undue delay, together with any authority that a law in force requires it to notify. When the anticipated legislation prescribes breach-notification duties, the firm will follow them.
11. Your rights
Because no comprehensive data-protection statute is yet in force in Pakistan, the rights in this section are afforded by the firm as a matter of stated practice. The firm intends them to track the rights proposed in the draft Pakistani legislation and recognised internationally, and it will conform this section to the anticipated legislation when it takes effect.
11.1 The rights afforded
11.1.1 Subject to paragraph 11.3, you may ask the firm:
(a) access — whether it holds personal information about you within the scope of this policy, and for a copy of it;
(b) correction — to correct information that is inaccurate or incomplete;
(c) deletion — to delete information the firm holds about you, where no purpose in section 5 and no overriding ground in section 9.3 requires its retention;
(d) objection and restriction — to stop, or confine, a particular use of your information, stating your reasons;
(e) withdrawal of consent — where a use rests on your consent (for example, a talent-pool retention under section 14, or membership of any future mailing list), to withdraw that consent, with effect for the future.
11.2 How to exercise them
11.2.1 Write to [email protected] with the subject line "Privacy request", stating what you ask and, so far as you can, which correspondence or application it concerns. The firm may ask you to verify your identity before acting — a proportionate step, since releasing one person's information to another would itself be the kind of failure this policy exists to prevent.
11.2.2 The firm will acknowledge a request within 7 days and respond substantively within 30 days of verifying identity. If the request is complex, the firm may extend that period once, by no more than 30 further days, and will say so within the first period. No fee is charged for a first request; the firm reserves the right to decline requests that are manifestly repetitive or vexatious, with reasons.
11.3 Limits
11.3.1 Some requests cannot be honoured in full, and the firm will say so rather than comply partially in silence. In particular: (a) conflicts-check records are retained on the long horizon stated in section 9 because the professional duty they serve does not expire; (b) information protected by another person's privilege or confidence will not be disclosed; and (c) information under a legal hold (section 9.3(b)) will not be deleted while the hold lasts. Where a request is refused in whole or part, the firm will give its reasons in writing.
11.4 Visitors in GDPR jurisdictions
11.4.1 This website is an informational site about a Pakistani legal practice. The firm does not direct offers of services to persons in the European Union or the United Kingdom in the manner contemplated by Article 3(2) GDPR, does not monitor the behaviour of persons there, and has not appointed a representative under Article 27 GDPR [POSITION — TO BE CONFIRMED BY THE FIRM].
11.4.2 Nonetheless, if you write to the firm from a GDPR jurisdiction, the firm will as a matter of practice afford you the rights of access, rectification, erasure, restriction, objection, and — where technically feasible for the small volumes involved — portability, on the procedure in section 11.2 and subject to the limits in section 11.3. Nothing in this policy limits any right you hold under your local law against parties that are subject to that law, including any right to complain to your local supervisory authority.
12. Children
12.1 This website provides information about a law firm and is not directed at children. The firm does not knowingly collect personal information from anyone under 18 through this website, and its recruitment processes are addressed to adults.
12.2 If you believe a child has sent personal information to the firm through or because of this website, write to [email protected] and the firm will delete it, subject only to the overriding grounds in section 9.3.
13. Third-party links
13.1 The website links to external resources — courts, regulators, legislation databases, and similar public sources. Following such a link takes you off this website and onto systems governed by their own privacy practices, over which the firm has no control and for which it accepts no responsibility. A link is a reference, not an endorsement of the destination's data practices.
13.2 When you follow an outbound link, your browser may transmit the address of the page you came from to the destination site, depending on your browser's settings and the referrer policy in force. The firm passes no other information about you to linked sites, because it holds none to pass.
14. Recruitment privacy
This section is a sub-policy for applicants. Where it is silent, the rest of this policy applies to recruitment data.
14.1 What is collected, and from whom
14.1.1 The firm collects: (a) what you submit — CV, cover letter, academic records, writing samples, and the contents of your covering email; (b) what the process generates — interview notes and assessments; (c) what referees provide, where you have named them and the firm has told you it is approaching them; and (d) public professional records, such as bar enrolment status, where relevant to the role.
14.2 What you should not send
14.2.1 Do not include in an application information about your health, religion, or other sensitive matters unless the firm has asked for it for a lawful and stated reason (for example, adjustments to the interview process, which you are welcome to request). Unsolicited sensitive information will be disregarded in the assessment and deleted where practicable.
14.3 Confidentiality of applications
14.3.1 Applications are confidential. They are seen only by the personnel involved in the recruitment decision and are not disclosed outside the firm, except to referees you have named (to the extent needed to take the reference), to service providers under section 7.1, and under the compulsion grounds in section 7.2. The firm does not contact your current employer without your prior agreement.
14.4 Retention and outcomes
14.4.1 Unsuccessful applications are retained for 12 months from the decision and then deleted, unless you consent to a longer talent-pool retention of up to 24 months so that the firm may contact you about future roles. Successful applications become part of the personnel file and are governed by the firm's employment records practices. The rights in section 11 apply to recruitment data, though interview notes that record the assessments of others may be summarised rather than reproduced verbatim where reproduction would disclose another person's information.
14.5 Unsolicited applications
14.5.1 A speculative application sent to [email protected] is treated as recruitment data under this section from the moment of receipt, on the same retention terms as an unsuccessful application unless a process begins.
15. Changes to this policy
15.1 The firm will amend this policy when its practices change, when the website's architecture changes in a way this policy describes conditionally (sections 3.2.3, 3.4, and 3.6), and when Pakistani law changes — above all, when the anticipated legislation comes into force.
15.2 Amendments take effect when the revised policy is published on this website with a new effective date. For material changes — a new category of collection, a new class of disclosure, or the activation of any conditional provision — the firm will state prominently at the top of the policy what changed and when. The firm will not apply a material change retroactively to information collected under an earlier version without a lawful basis for doing so.
15.3 Earlier versions are retained by the firm and will be provided on request to [email protected].
16. Complaints and contact
16.1 Questions, requests, and complaints about this policy or about the firm's handling of information within its scope should be addressed to:
The First Counsel Attention: [PARTNER RESPONSIBLE FOR DATA PROTECTION — TO BE CONFIRMED BY THE FIRM] 8th Floor, Askari Corporate Towers, Lahore, Punjab, Pakistan Email: [email protected] (subject line "Privacy") Telephone: [TELEPHONE — TO BE CONFIRMED BY THE FIRM]
16.2 The firm will acknowledge a complaint within 7 days and give a substantive written response within 30 days. If you remain dissatisfied, you may ask for the complaint to be reviewed by a partner not involved in the original response.
16.3 Regulator. As at the effective date, Pakistan has no data-protection authority, because the statute that would create one has not been enacted. The draft Personal Data Protection Bill proposes a national commission for personal data protection. If and when such a commission — or any other statutory authority with jurisdiction over the firm's handling of personal information — is constituted, complaints may lie to it, and this section will be updated with its name and contact details. Until then, the remedies available are those the general law of Pakistan provides, including proceedings before the courts and, where conduct amounts to an offence, complaint to the authorities designated under PECA.
17. Governing law
17.1 This policy, and any dispute or claim arising out of or in connection with it or with the firm's handling of information within its scope, is governed by the laws of the Islamic Republic of Pakistan.
17.2 The courts at Lahore have exclusive jurisdiction over any such dispute or claim, and each person dealing with the firm through this website is taken to submit to that jurisdiction.
17.3 This policy is a statement of the firm's practices. It does not create contractual rights beyond those the general law confers, and it does not enlarge or diminish the firm's professional obligations to its clients. If any provision of this policy is held invalid or unenforceable, the remainder continues in effect.
