The Personal Data Protection Law in the Arab Republic of Egypt

Over the past decade, the global digital ecosystem has undergone structural transformation. Personal data has evolved into a strategic economic asset of substantial commercial value, while simultaneously constituting a legally sensitive element intrinsically linked to constitutional guarantees — most notably, the right to privacy.
In response to these developments, Egypt enacted Law No. 151 of 2020 on Personal Data Protection (the “PDPL” or the “Law”), thereby introducing, for the first time, a comprehensive statutory framework governing the collection, processing, storage, retention, and cross-border transfer of personal data. The Law establishes a supervisory and enforcement regime designed to reconcile digital economic growth with the protection of fundamental individual rights.
Firstly: Constitutional and Legislative Foundations
The PDPL derives its legitimacy from the constitutional protection afforded to private life and the confidentiality of communications under the Egyptian Constitution. The Law represents the legislative implementation of those constitutional guarantees within the digital domain.
The regulatory architecture adopted by the Egyptian legislator is structured upon four foundational pillars:
- Protection of data subjects;
- Allocation of compliance obligations to controllers and processors;
- Establishment of a specialized supervisory authority — the Personal Data Protection Center; and
- Introduction of a dual enforcement mechanism combining criminal sanctions and administrative penalties.
This structure reflects a rights-based regulatory model reinforced by institutional oversight and enforceable accountability mechanisms.
Secondly: Definitions and Conceptual Framework
Article (1) of the PDPL sets forth an extensive definitional framework designed to ensure interpretative clarity. Among the principal concepts are the following:
- Personal Data: Any information relating to an identified natural person or a natural person identifiable directly or indirectly by reference to identifiers such as name, voice, image, identification number, online identifier, or data relating to psychological, health, economic, cultural, or social identity.
- Processing: Any electronic or technical operation performed on personal data, including collection, recording, storage, preservation, modification, retrieval, analysis, transmission, disclosure, erasure, or destruction, whether wholly or partially.
- Controller: Any natural or legal person who determines the purposes and means of processing personal data by virtue of law or the nature of its activity.
- Processor: Any natural or legal person who processes personal data on behalf of the controller pursuant to an agreement and in accordance with the controller’s documented instructions.
- Data Security: Technical and organizational measures designed to safeguard confidentiality, integrity, availability, and consistency of personal data.
- Data Breach: Any unauthorized access, unlawful acquisition, disclosure, alteration, destruction, or misuse of personal data during storage, transmission, or processing.
The definitional precision adopted by the Law reflects alignment with comparative international data protection standards, while maintaining a domestically tailored regulatory structure.
Thirdly: Scope of Application and Governing Principles
The PDPL applies to any entity that collects, processes, or retains personal data by electronic means, whether wholly or partially.
Article (3) establishes fundamental processing principles, requiring that personal data:
- Be collected for specific, legitimate, and declared purposes;
- Be accurate, valid, and securely maintained;
- Be processed lawfully and proportionately; and
- Not be retained beyond the period necessary to fulfill its stated purpose.
The Executive Regulations supplement the Law by prescribing operational controls, licensing requirements, security standards, consent mechanisms, retention policies, and documentation obligations.
1- Controls and Standard Criteria:
- The entity collecting personal data must obtain a license or permit as a controller or processor.
- Personal data shall not be collected without the prior consent of the data subject, after clearly informing such subject of the purpose of collection.
- The Center’s approval must be obtained regarding data collection mechanisms and consent procedures (including parental consent for children).
- The retention period must be determined according to the purpose of collection.
- Confidentiality must be maintained, and disclosure shall only occur as permitted by law and in accordance with the issued license or permit.
2- Policies and Procedures:
- Informing the data subject of their rights under Article (2) of the Law;
- Implementing security measures and programs issued by the Center;
- Maintaining a secure electronic register documenting:
  - The data subject's consent and its date;
  - Categories of collected data and scope of use;
  - Retention periods for each data category;
  - Organizational and technical security measures, so as to enable inspection by the Center.
Fourthly: Obligations of the Controller and Processor
1. Controller
Article (4) imposes several obligations upon the controller, including:
- To obtain or receive personal data after obtaining the consent of the data subject, or in cases permitted by law.
- To ensure the accuracy, consistency, and adequacy of the personal data in relation to the specified purpose for which it was collected.
- To establish the method, manner, and standards of processing in accordance with the specified purpose, unless it delegates this to the processor under a written contract.
- To ensure that the purposes for which personal data is processed fall within the specified purpose for which it was collected.
- To refrain from any act that would result in making personal data available, except in cases permitted by law.
- To take all technical and organizational measures, and to apply the necessary standard criteria, to protect and secure personal data so as to preserve its confidentiality and prevent any unlawful breach, destruction, alteration, or tampering.
- To erase the personal data in its possession immediately upon the expiration of the specified purpose. If the data is retained for any lawful reason after the purpose has expired, it must not be kept in a form that allows the data subject to be identified.
- To correct any error in the personal data immediately upon being notified thereof or becoming aware of it.
- To maintain a special register of data, including:
  - A description of the categories of personal data in its possession;
  - The parties to whom such data will be disclosed or made available, and the legal basis for doing so;
  - The retention periods, together with their restrictions and scope;
  - The mechanisms for erasing or amending the personal data in its possession;
  - Any data relating to the cross-border transfer of such personal data; and
  - A description of the technical and organizational procedures relating to data security.
- To obtain a license or permit from the Center to deal with personal data.
- A controller outside the Arab Republic of Egypt shall appoint a representative in the Arab Republic of Egypt in accordance with the provisions set out in the Executive Regulations.
- To provide the necessary means to prove its compliance with the provisions of this Law and to enable the Center to conduct inspection and supervision to verify such compliance.
Where multiple controllers exist, each shall bear full statutory responsibility.
2. Processor
Article (5) of the Law obliges the processor to process personal data in accordance with the controller’s instructions, to secure such data, and to maintain a record of processing activities.
This shows that responsibility does not rest solely with the controller but extends to the processor, reinforcing the concept of a "chain of compliance." The processor's obligations are as follows:
- To carry out and implement processing in accordance with the rules governing such processing under this Law and its Executive Regulations, in lawful and legitimate cases, and based on written instructions received from the Center, the controller, or any competent authority, as the case may be, particularly with respect to the scope, subject matter, nature of processing, type of personal data, and its consistency and adequacy with the specified purpose.
- The purposes and practice of processing must be lawful and must not violate public order or public morals.
- Not to exceed the specified purpose and duration of processing, and to notify the controller, the data subject, or any competent party, as the case may be, of the period required for processing.
- To erase the personal data upon the expiration of the processing period or deliver it to the controller.
- To refrain from any act that would result in making personal data, or the results of processing, available, except in cases permitted by law.
- Not to carry out any processing of personal data that conflicts with the controller’s purpose or activity, unless such processing is for statistical or educational purposes, is non-profit in nature, and without prejudice to the sanctity of private life.
- To protect and secure the processing operations and the electronic media and devices used therein, including the personal data stored thereon.
- Not to cause any harm to the data subject, whether directly or indirectly.
- To prepare and maintain a special record of processing activities, including:
  - The categories of processing carried out on behalf of each controller;
  - The controller's contact details and the Data Protection Officer's details;
  - Processing periods, together with their limitations and scope;
  - Mechanisms for erasing or amending personal data; and
  - A description of the technical and organizational procedures relating to data security and processing operations.
- To provide the necessary means to demonstrate compliance with the provisions of this Law upon request of the controller and to enable the Center to conduct inspection and supervision to verify such compliance.
- To obtain a license or permit from the Center to deal with personal data.
- A processor outside the Arab Republic of Egypt shall appoint a representative in the Arab Republic of Egypt in accordance with the provisions set out in the Executive Regulations.
In the event that there is more than one processor, each shall be bound by all the obligations stipulated in this Law in the absence of a contract clearly defining their respective obligations and responsibilities.
The Executive Regulations shall determine the policies, procedures, controls, conditions, instructions, and standard criteria governing such obligations.
Fifthly: Data Breach Notification
The controller or the processor, as the case may be, shall notify the Center within seventy-two (72) hours of becoming aware of a personal data breach or violation.
Where the breach relates to considerations of national security, notification shall be immediate. In all cases, the Center shall immediately inform the national security authorities of the incident.
Within the same seventy-two (72) hours of becoming aware of the breach, the controller or processor shall also provide the Center with the following:
- A description of the nature of the breach or violation, its form, causes, and the approximate number of personal data records affected.
- The contact details of the Data Protection Officer.
- The potential consequences of the breach or violation incident.
- A description of the measures taken and proposed to address the breach or violation and mitigate its adverse effects.
- Documentation of any breach or violation of personal data and the corrective actions taken to address it.
- Any documents, information, or data requested by the Center.
In all cases, the controller or the processor, as applicable, must notify the data subject within three working days of notifying the Center, and must inform the data subject of the measures taken.
In conclusion, Law No. 151 of 2020 provides a modern framework for personal data protection in Egypt, built on safeguarding individuals' rights and regulating the obligations of the entities that process their data. With its implementation underway, compliance has become a legal and institutional necessity for a secure and balanced digital environment.

