Privacy Policy

1. Who We Are and Our Data Controller Status

Pride Pakistan operates as a network of LGBTQI+ community members committed to advocacy, capacity building, and support services, run entirely by volunteers.

Given the criminalization faced by the LGBTQI+ community in Pakistan, the organization primarily operates online. For financial and audit oversight, Pride Pakistan utilizes a fiscal host.

As the entity determining the purposes and means of processing personal data, Pride Pakistan is the Data Controller. The mission inherently requires handling data that is considered highly sensitive, specifically data concerning sexual orientation and health. Such information falls under the definition of Special Category Data under GDPR Article 9(1). The appropriate safeguards and legal bases detailed in this policy reflect the necessity to protect fundamental rights and freedoms, recognizing the heightened risk of discrimination or harm if this sensitive data were improperly disclosed.   

2. Personal Data We Collect and Why We Collect It

The data collected is categorized based on its sensitivity and the method of collection.

2.1. Direct Collection (Forms, Membership, and Donations)

Personal data is collected when users actively interact with the website, primarily through forms. This includes contact details such as name and email address, transactional data related to donations, and personal account preferences if a user registers. When users fill out volunteer, donor, or query forms, their email and contact details are saved with their expressed consent.

2.2. Special Category Data (Article 9)

In fulfilling its core mission, Pride Pakistan processes highly sensitive information:

  • Data Concerning Sexual Orientation and Health: This includes self-identified sexual orientation and potentially data concerning health, such as HIV status (implied by the founder’s profile and the nature of community support).   
  • Political or Philosophical Opinions: This category is implicitly processed through the collection of violence reports and membership applications, which relate directly to working for minorities’ rights.   

This Special Category Data is collected for core mission delivery, including providing support, generating advocacy reports, and archiving human rights violations in the public interest.

2.3. Automated and Technical Data

The website, built on a WordPress foundation, and its plugins automatically collect technical data necessary for site operation and security.   

  • Comments and User Agent Strings: When a visitor leaves comments, the system collects the data shown in the comments form, along with the visitor’s IP address and browser user agent string. This information is typically used to aid in spam detection.   
  • Cookies and Analytics: Technical data collected may include information about cookies. Pride Pakistan explicitly collects visitor region and country information. This geographical data is used specifically for strategic advocacy messaging and ensuring the broader geographical reach of content to the target audience.

3. Lawful Basis for Processing (Articles 6 and 9)

Processing personal data, especially highly sensitive data, requires a robust and documented legal basis. Pride Pakistan relies on the following grounds for processing:

3.1. General Data (Article 6)

  • Legitimate Interests: This basis is used for site improvements, security monitoring (e.g., anti-spam checks via IP addresses), aggregated analytics, and non-sensitive direct communications, provided the fundamental rights of the data subjects are not overridden.
  • Legal Obligation: This applies to mandatory processing of financial and organizational data necessary for compliance with external laws, such as financial audit requirements and tax purposes, potentially mandated by the fiscal host.

3.2. Special Category Data (Article 9)

Processing Special Category Data is prohibited unless a specific exception under Article 9(2) applies. Pride Pakistan relies primarily on two key bases:   

  • Explicit Consent (Art 9(2)(a)): When users submit data via volunteer, donor, or especially violence report forms, the organization relies on their explicit consent. This consent must be clearly distinguishable, specific, and freely given, recognizing that “tied consent” (where service access is contingent on providing sensitive data unrelated to that service) is invalid.   
  • Not-for-Profit Activities (Art 9(2)(d)): This basis allows processing of data concerning members, former members, or individuals in regular contact with Pride Pakistan in connection with its philosophical aim, as a not-for-profit body. However, a crucial limitation of this basis is that it does not permit disclosure of personal data to external third parties (such as UN agencies or external consultants) without separate, explicit consent or reliance on another legal basis.   
  • Substantial Public Interest (Art 9(2)(g)) and Public Interest Archiving (Art 9(2)(j)): This basis is essential for using sensitive data (violence reports, health data) for external advocacy, research, and long-term retention. Utilizing this basis allows the organization to fulfil its humanitarian and human rights purpose. This processing must be proportionate and requires appropriate safeguards, which primarily involves anonymization to protect the data subject’s identity when the reports are published or shared externally for research purposes.   

4. Handling of User-Generated Content and Media

When users upload media to the website, they are warned that all uploaded files are usually publicly accessible.

The organization explicitly states that it is not liable for any damage caused by sharing media. Users must only upload and share media if they are certain that public availability will not negatively affect them.

To mitigate the inherent privacy risks associated with user-uploaded images, especially concerning potential location tracking and identification, Pride Pakistan employs a technical safeguard: all Exchangeable Image File Format (EXIF) metadata is systematically stripped from user-uploaded images upon receipt. This proactive measure prevents the retention or exposure of sensitive device or geotagging information, which is particularly important given the high-risk context in which users operate.   

5. Data Sharing, Disclosure, and International Transfers

5.1. Sharing with Third-Party Providers and Partners

Pride Pakistan shares user data with third-party providers (e.g., cloud-based services, payment processors) based on the specific service a user avails. Additionally, submitted violence reports, membership forms, and donor transactions are utilized by auditors, consultants, UN agencies, and partners for regulatory compliance, report generation, and advocacy.

Sharing sensitive violence reports with external consultants and UN agencies requires heightened documentation and legal rigor. To ensure compliance, all routine international data exchanges and sharing with partners must be governed by legally binding Data Sharing Agreements (DSAs). These agreements stipulate the parameters for data access, handling, security measures, retention, and re-use, ensuring that external recipients maintain the same level of protection applied by Pride Pakistan.   

5.2. International Data Transfers (Chapter V Compliance)

The organization’s data is typically stored on cloud platforms located in the European Union and the USA. While data stored within the EU is generally covered by adequacy decisions, transfers outside the EU, particularly to the US and other non-adequate third countries, require specific legal safeguards.   

  • Transfers to the USA: Transfers to US-based cloud providers and service providers must rely on the US recipient’s adherence to the EU-US Data Privacy Framework (DPF) adequacy decision (if certified) or utilize Standard Contractual Clauses (SCCs) as appropriate safeguards, ensuring data protection standards equivalent to those in the EU are met.   
  • Transfers for Legal Obligation: In cases where data must be transferred outside the EU or adequate jurisdictions to auditors or legal authorities (including those outside Pakistan) to fulfill a mandatory legal obligation, and in the absence of an adequacy decision or SCCs, the transfer is conducted under a Derogation for Specific Situations (Art. 49). Such transfers are strictly limited to the necessary data categories required for the specific legal purpose and must be fully documented.   

6. Data Retention and Storage Limitation

Pride Pakistan adheres to the principle that personal data shall not be retained indefinitely. Retention periods are determined by the original purpose of collection and legal necessity, documented through a formal Retention Schedule.

6.1. General Retention Periods

The records are stored only for the period necessary to fulfill the intended purpose. For instance, data required for audit and legal compliance (such as donor transactions) may be retained for specific periods as mandated by financial regulations (e.g., 7 years).   

6.2. Archiving for Public Interest

The organization’s core mission involves historical recording and statistical analysis of human rights violations. Therefore, data vital for advocacy and historical research purposes may be retained for longer periods, potentially indefinitely, under the exception provided for archiving purposes in the public interest (Article 89(1)). This applies exclusively to data that has been fully and irreversibly anonymized and aggregated, ensuring the data subject can no longer be identified. Identifiable operational data is subject to mandatory deletion or anonymization after its operational utility period (e.g., case management) ends.   

7. Your Data Protection Rights and Limitations

Users possess clear rights over their data, and Pride Pakistan provides mechanisms to exercise these rights.

  • Right to Access and Rectification: Users have the right to request access to the personal data the organization holds about them and to request corrections if the data is inaccurate.
  • Right to Erasure (Deletion): Users may ask for their data to be removed and deleted from the organization’s storage, forms, and archives.

Limitations on Rights

Pride Pakistan may restrict the exercise of certain rights depending on the situation, particularly the Right to Erasure. This restriction is invoked if retaining the data is necessary for compliance with a legal obligation (such as audit requirements imposed by the fiscal host) or if the data has already been fully anonymized, published, and utilized for legally sanctioned public interest archiving and research purposes. Once data is irreversibly anonymized for reporting purposes, it no longer constitutes personal data, and the right to erasure no longer strictly applies to that archived information. Furthermore, the organization is not liable for a data breach that occurs after data has been deleted from its systems.

8. Security, Confidentiality, and Breach Notification

Security Commitment

Pride Pakistan commits to implementing appropriate technical and organizational measures to ensure data protection. Measures include adopting user security best practices (e.g., recommending two-factor authentication), ensuring staff are regularly trained in data protection protocols, and implementing organizational controls such as managing access rights and using encryption for safe data transfer.   

The organization acknowledges its legal accountability under GDPR Article 82. The processing of Special Category Data implies that the potential damages resulting from a breach are severe, potentially including discrimination, identity theft, and significant social disadvantage. Therefore, the security measures implemented are proportionate to this high risk.   

Breach Protocol

In the event of a personal data breach, Pride Pakistan is legally obligated to act swiftly. The organization will publicly announce the breach and inform members and users via social media platforms. Where feasible, the Supervisory Authority will be notified within 72 hours of becoming aware of the breach, and affected individuals will be informed without undue delay if the breach poses a high risk to their rights and freedoms. Users and members are expected to adopt their own mitigation activities once informed.