Data Privacy Notice
on the duties of disclosure upon the collection and processing of personal data for customers subject to General Data Protection Regulations (GDPR) rights

The following information is intended to provide you with an overview of how your data is processed by Habib
Metropolitan Financial Services Limited (HMFS) and your rights extended to customers subject to GDPR. The
details of what data will be processed and which method will be used depend significantly on the services
applied for or agreed upon. We therefore ask you to familiarize yourself with this Data Privacy Notice.

1. Who is responsible for data processing and how can I contact them?
The legal entity responsible is:
Habib Metropolitan Financial Services Limited - HMFS
First Floor, GPC – 2, Block – 5,
Khekashan, Clifton,
Karachi, Pakistan
Our privacy officer can be reached at:
Email: compliance@hmfs.com.pk

2. What data is used by Habib Metropolitan Financial Services – HMFS?
HMFS processes data that it receives from its clients and that it generates as part of the business relationship
with its clients. In order to facilitate, enable and / or maintain our business relationship, HMFS collects and
otherwise processes personal data relating to clients and any other person(s) involved in the business
relationship, as the case may be, such as authorized representative(s), person(s) holding a power of attorney
and beneficial owners, if different from the client (collectively, an ‘Authorized Person’).
Personal data is the personal information of a client or an Authorized Person, identification data and
authentication data. Furthermore, this can also be order data, data from the fulfilment of our contractual
obligations, information about a client’s or Authorized Person’s financial situation, marketing data, sales data
and / or documentation data.
In addition to data that HMFS receives directly from its clients, it also obtains and processes data on its clients
that is available in the public domain or from other entities within the Habib Bank Group of companies (the
‘Habib Bank Group’).
In summary, personal data processed by Habib Metropolitan Financial Services may include the following:
• personal details (e.g. name, address and other contact data, date and place of birth, as well as nationality)
• identification data (e.g. identification documentation data)
• authentication data (e.g. specimen signature)
• order data (e.g. purchase or sale of ready or futures securities)
• data arising from the fulfilment of obligations (e.g. data required for payment transactions)
• information regarding a client’s financial situation (e.g. credit reports, scoring / rating data, origin of assets)
• record-keeping data (e.g. minutes of consultation)
• data available from the public domain (e.g., internet, social media, debtor directories, land register, trade
association registers, media, etc.)
• other comparable data in line with the criteria outlined above.

3. For what purpose and on what legal basis does Habib Metropolitan Financial Services use your data?

3.1 For the fulfilment of contractual obligations
The processing of your data allows HMFS to provide you with the contractually agreed services or to carry out
pre-contractual measures that occur as part of a request from an interested party. The purposes of data
processing are primarily in compliance with specific banking products (e.g. accounts, loans, securities,
deposits, brokerage services). Your data will be used, among other purposes, for the analysis of any potential
needs, the provision of advice, wealth management, and to support the execution of transactions.

Further details can be found in your contract documents or in the General Terms & Conditions.

3.2 For the safeguarding of HMFS and third party interests

Where required, we process your data beyond the actual fulfilment of the contract for the purposes of the
legitimate interests pursued by us or a third party. For example:
• Consulting with credit rating agencies to investigate creditworthiness and credit risks;
• Reviewing and optimizing procedures for needs assessment for the purpose of direct client discussions.
• Obtaining personal data from publicly available sources for client acquisition purposes.
• Testing and optimization of processes for requirement analysis or client contact.
• Measures for business management and further development of services and products.
• Risk control at Habib Metropolitan Financial Services and Habib Bank Group.
• Asserting legal claims and a defense in legal disputes.
• Guarantee of HMFS and Habib Bank Group’s IT security and IT operations.
• Prevention and investigation of crimes.
• Video surveillance and measures to protect the rights of an owner of premises to keep out trespassers
and to provide security (e.g., access controls).

3.3 On the basis of your consent
As long as you have granted us consent to process your personal data for certain purposes (e.g. analysis of
trading activities for marketing purposes), this processing is legal on the basis of your consent. Consent can
be withdrawn at any time.
Withdrawal of consent does not affect the legality of data processed prior to withdrawal.

3.4 On the basis of statutory requirements or in the public interest
We are subject to various legal obligations, meaning statutory requirements (e.g. Securities Act 2015,
Securities Brokers (Licensing and Operations) Regulations, 2016, Anti-Money Laundering Act 2010, Securities
and Exchange Commission of Pakistan (Anti Money Laundering and Countering Financing of Terrorism)
Regulations, 2020 and, Income Tax Ordinance, 2001 as amended from time to time etc.), and HMFS has to
fulfil requirements outlined by SECP’s specific regulations. The processing of data is used, among others, for
the verification of identity and age, the prevention of fraud and money laundering, the fulfilment of tax-related
monitoring and reporting obligations as well as the assessment and management of risks of HMFS, and the
Habib Bank Group.

4. Who can access your data?

4.1 Habib Bank Group
We may share your data with other entities in the Habib Bank Group where required to fulfil our contractual
and legal obligations. We may transfer your personal data to other members of the Habib Bank Group for risk
control purposes in connection with statutory / regulatory obligations. We may also share information with
other members of the Habib Bank Group in connection with services that we believe may be of interest to you.

4.2 External recipients of data
We will transfer personal data about you in the course of conducting our usual business or if legal, regulatory
or market practice requirements demand it to the following external recipients, or if you have given consent
(e.g. to process a financial transaction you have ordered us to fulfil) for the following purposes:
• to public entities and institutions (e.g. financial authorities, SECP, Law Enforcement Authorities)
• to other financial services institutions or similar institutions to which HMFS transfers personal data within
the context of its business relationship with you (e.g. correspondent banks, custodian banks, brokers,
stock exchanges, information agencies)
• to third parties (for example correspondent banks, brokers, exchanges, trade repositories, processing
units and third party custodians issuers, authorities and their representatives) for the purpose of ensuring
that we can meet the requirements of applicable law, contractual provisions, market practices and
compliance standards in connection with transactions you enter into and the services that we provide you with, or
• to a natural or legal person, public authority, agency or body for which you have given us your consent to
transfer personal data to or for which you have released us from banking confidentiality.

4.3 Service providers and agents
We will transfer your personal data to service providers and agents appointed by us for the purposes given,
subject to maintaining broker confidentiality. These are companies in the categories of banking services, IT
services, logistics, printing services, telecommunications, collection, advice and consulting and sales and
marketing.
HMFS will implement appropriate organizational and technical safeguards to protect the personal data for
which it acts as data controller at all times.

5. Does Habib Metropolitan Financial Services transfer data across borders?
Data transfer to legal entities in countries outside of Pakistan takes place so long as:
• it is necessary for the purpose of carrying out your orders (e.g. payment and securities orders)
• it is required by law (e.g. reporting obligations under financial regulation), or
• if you have given your consent.
These data transfers are secured through corresponding guarantees of the recipients to ensure an appropriate
level of data protection.
6. How long will your data be stored?
We will process and store your information as long as it is necessary in order to fulfil our contractual, regulatory
and statutory obligations. It should be noted here that our business relationship is a long-term obligation, which
is set up on the basis of periods of years.


We will assess and respond to requests to delete data. We will delete data provided that the data is no longer
required in order to fulfil contractual, regulatory or statutory obligations, or the fulfilment of any obligations to
preserve records according to commercial and tax law.
We will normally retain your records for a minimum of ten years after closure of the account to comply with
regulatory and contractual requirements unless there is a particular reason to hold records for longer, including
legal hold requirements, which require us to keep records for an undefined period of time.

7. What are your rights?
Your data protection rights include the following:
• Right of access: requesting that information on your personal data that HMFS holds on record be shared
with you.
• Right to rectification: demanding that the information be rectified should it be incorrect.
• Right to erasure: asking that your data be deleted if HMFS is not permitted or is not legally obliged to
retain your data.
• Right to restrict processing: demanding that the processing of your data be restricted if:
• you have disputed the accuracy of your data stored by HMFS and it has not yet completed its
assessment
• you object to the deletion of your data although HMFS is obligated to delete it, or
• you have objected to the processing of your data, but it has not yet been established whether this
outweighs HMFS’s reasons for processing your data.
• Right to object: objecting to the processing of your data by HMFS if it processes your data on the basis
of its legitimate interest (it will cease this processing unless it is outweighed by compelling and legitimate
grounds).
• Right to data portability: demanding that your personal data that you have provided to HMFS be
transferred in a generally useable, machine-readable and standardized format.
You also have the right of appeal (as far as this affects you) to your respective Data Protection Supervisory
Authority.

8. What data are you asked to supply?
In the context of your relationship with HMFS, you must provide all personal data that
• is required for accepting and carrying out a business relationship and fulfilling the accompanying
contractual obligations, and
• HMFS is legally required to collect.
Without this data, HMFS will most likely be unable to enter into a contractual relationship with you.
Under the regulations on combatting money laundering and the financing of terrorism, HMFS is obligated to
verify your identity on the basis of your identification documents and, in this context, to collect and store your
address, nationality, name, date and place of birth, tax residency and tax identification number, and
identification data prior to the commencement of a business relationship. In order for HMFS to comply with
these regulations, you are required to supply it with the necessary information. If this information changes
during the course of the business relationship, you are obliged to notify HMFS without delay. If you do not
provide HMFS with the necessary information, it will not be able to commence or continue a business
relationship with you.

1. A legal hold period is a process that an organization uses to preserve all forms of relevant information when
litigation is reasonably anticipated.

9. Is the decision-making automated?
No. HMFS does not use automated decision-making.

10. Will cookies be collected?
Yes. HMFS does collect cookies.

10.1 What are cookies?
Cookies are information packages sent by a web server (in this case this website) to your internet browser,
saved on your computer and checked by the server on each subsequent visit to the site. To gain full benefit
from this website, we recommend that you configure your browsers to accept cookies.

10.2 Why do we use them?
Cookies are used to facilitate navigation within the website and correct use. They also serve a statistical
purpose, making it possible to establish which areas of the site have been visited, and to improve and update
user procedures.

10.3 Type of cookies used
For further information about the types of cookies used please refer to our “Cookies Notice” on our website.

10.4 How should I manage my settings with respect to cookies?
To optimize your use of our website, we recommend that you accept the cookies. Most internet browsers are
initially set to accept cookies. You can at any time set your browser to accept all cookies, just some cookies
or no cookies. In the latter case, you would disable use of part of the sites. Additionally, you can set your
preferences in the browser so that you will be notified whenever a cookie is saved on your device. Please note
that if you disable the cookies, you may not have optimum use of the site.

11. Will your data be automatically processed?
We process some of your data automatically, with the goal of assessing certain personal aspects (profiling).
For example we may use profiling in the following ways:
• In order to combat money laundering, the financing of terrorism, and criminal acts, HMFS also conducts
data assessments (among others in payment transactions). The aim of these measures is to protect you.
• HMFS uses assessment tools to provide clients with relevant and appropriate information on its products
and services. These allow communications and marketing to be tailored, as needed, including market and
opinion research.
• HMFS uses assessment tools in order to be able to specifically notify you and advise you regarding
products. These allow communications and marketing to be tailored as needed, including market and
opinion research.

12. Will biometric data be used?
Yes. HMFS verifies a customer’s biometric data at account opening/dormant account reactivation as per
regulatory requirements.

13. Where can you find the current privacy notice?
This Data Privacy Notice can be adapted at any time in accordance with corresponding regulations. You can
find the applicable version at https://hmfs.com.pk/download/Privacy_Data_Notice.pdf

14. How can you contact Habib Metropolitan Financial Services?
Should you have any questions about the treatment of your data, please contact our privacy officer, who will
be happy to assist you.