Egypt - Data Protection Overview

September 2023

1. Governing Texts

Egypt recently introduced the Law on the Protection of Personal Data ('the Data Protection Law') (only available in Arabic here), issued under Resolution No. 151 of 2020 (only available in Arabic here) ('the Resolution') on July 13, 2020.

The Executive Regulations for the Data Protection Law have not been issued yet, even though they should have been issued by the Minister of Communications and Information Technology within six months from the date on which the Data Protection Law entered into force in Egypt. It is worth noting that any entity subject to the Data Protection Law is required to bring itself into compliance with the provisions of the Data Protection Law within one year, starting from the issuance date of its Executive Regulations.

The Data Protection Law reflects the European General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), as it aims to establish various standards and rules that safeguard the rights of individuals in Egypt regarding their personal data. Prior to the introduction of the Data Protection Law, data protection was only governed through various legislations in Egypt such as the Constitution of the Arab Republic of Egypt ('the Constitution'), the Penal Code No. 58 of 1937 ('the Penal Code') and the Law No. 175 of 2018 on Anti-Cyber and Information Technology Crimes (only available in Arabic here) ('the Cybersecurity Law'). Therefore, the issuance of the Data Protection Law consolidates the rules and regulations regarding data protection and privacy in Egypt.

1.1. Key acts, regulations, directives, bills

  • Article 75 of the Constitution stipulates, 'Private life is inviolable, safeguarded, and may not be infringed upon. Postal, telegraph, e-correspondence, telephone calls, and any other means of communication are inviolable, and the confidentiality thereof is guaranteed, which communications may only be confiscated, examined, or monitored by virtue of a judicial order for a limited period of time in the circumstances stipulated by law. The State shall protect the rights of citizens to use all means of public communications, which communications may not be arbitrarily disrupted, ceased, or withheld from citizens, and shall be governed by law.';
  • the Data Protection Law;
  • the Penal Code; and
  • the Cybersecurity Law.

1.2. Guidelines

There are no applicable guidelines as yet. However, the Data Protection Law provides that the Minister of Communications and Information Technology shall issue the Executive Regulations of the Data Protection Law.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

According to Article 1 of the Resolution, the Data Protection Law applies to any natural person in respect of the processing, controlling, or handling of personal data.

2.2. Territorial scope

According to Article 2 of the Resolution, the Data Protection Law applies to any person who breaches the Data Protection Law if they are:

  • an Egyptian national inside or outside Egypt;
  • a non-Egyptian residing within Egypt; or
  • a non-Egyptian outside Egypt if the act is punishable in any form in the country where it occurred and the data subject who is affected by the breach is an Egyptian national or a non-Egyptian residing in Egypt.

2.3. Material scope

According to Article 1 of the Resolution, the Data Protection Law applies to any personal data that is subject to any electronic processing whether partially or entirely.

According to Article 3 of the Resolution, the Data Protection Law shall not apply to any personal data that is:

  • saved by natural persons for third parties and that is processed solely for personal usage;
  • processed for official statistics purposes or in the application of laws and/or regulations in Egypt;
  • exclusively processed for media purposes, provided that said personal data is correct and accurate and not to be used for any other purposes without prejudice to any applicable press and media regulations in Egypt;
  • related to judicial seizure warrants, investigations, and lawsuits;
  • held by national security authorities; and
  • held by the Central Bank of Egypt ('CBE') and the entities subject to its control and supervision, except for money transfer and foreign exchange companies, provided that they take into account the rules established by CBE regulating personal data.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

According to Article 19 of the Data Protection Law, the Data Protection Centre ('DPC') is empowered to oversee and enforce the Data Protection Law including, inter alia, issuance of required licenses and authorization and certification in accordance with the Data Protection Law. Please note, however, that the DPC is not yet operational.

3.2. Main powers, duties and responsibilities

The DPC is authorized to, inter alia:

  • issue the required licenses, approvals, and/or authorizations related to personal data collection and/or processing, as well as revoking the same;
  • issue regulations governing the processing of personal data;
  • receive complaints related to personal data protection violations;
  • supervise, monitor, and inspect any individual and entity dealing with personal data;
  • set, develop, and implement policies necessary for personal data protection, and its execution;
  • unify policies and plans for the protection and processing of personal data within Egypt;
  • develop and implement decisions, regulations, measures, procedures, and standards for the protection of personal data;
  • establish a guiding framework for the codes of conduct for the protection of personal data and approve the codes of conduct of different entities;
  • coordinate and cooperate with all Governmental and non-governmental bodies in ensuring procedures for protecting personal data and communicating with all relevant initiatives;
  • support the development of the competence of the personnel working in all governmental and non-governmental bodies for the protection of personal data;
  • issue licenses, permits, approvals, and various measures related to the protection of personal data and the enforcement of the provisions of the Data Protection Law;
  • accredit the entities or individuals and grant them the required permits to provide consultation in relation to personal data protection measures;
  • receive complaints and communications related to the provisions of the Data Protection Law and issue the necessary decisions;
  • advise on draft laws and international agreements that are related to regulating or affecting personal data directly or indirectly;
  • supervise and inspect subjects of the provisions of the Data Protection Law, and take the necessary legal measures;
  • verify the conditions of cross-border personal data transfer and issue the decisions regulating the same;
  • organize conferences, workshops, training and educational courses, and issue publications to raise awareness and to educate individuals and entities about their rights in relation to dealing with personal data;
  • provide all types of expertise and advice related to the protection of personal data, in particular to the investigation and judicial authorities;
  • conclude agreements and memoranda of understanding, and coordinate cooperation and knowledge exchange with international entities that are relevant to the DPC's work;
  • issue circulars that update personal data protection measures, in accordance with the activities of different sectors and with the DPC's recommendations; and
  • prepare and issue an annual report on the status of protection of personal data in Egypt.

The DPC is expected to issue the required licensing framework and requirements that should be met by the data protection officer ('DPO'), whose appointment is mandated under the Data Protection Law.

4. Key Definitions

Article 1 of the Data Protection Law defines the following:

Data controller: Any natural or juristic person who has the right, due to the nature of work, to obtain personal data and to determine the process and the criteria of keeping or processing personal data and control it according to the determined purpose.

Data processor: Any natural or juristic person whose work involves the processing of personal data for their own benefit or the benefit of the data controller, according to an agreement with the data controller and the instructions thereof.

Personal data: Any data relating to a natural person who is identified, or who can be identified directly or indirectly by relating the data to any other data, including, inter alia, name, voice, identification number, and data determining psychological or physical health, economic status, or cultural or social identity.

Sensitive data: Any data that discloses psychological, mental, physical, or genetic health data, biometric data, financial data, religious beliefs, political opinions, or security conditions and, in all cases, children's data, shall be considered as sensitive personal data.

Health data: No specific definition is provided. However, health data is included under the definition of sensitive data.

Biometric data: No specific definition is provided. However, biometric data is included under the definition of sensitive data.

Pseudonymisation: No specific definition is provided.

The person concerned with the data: Any natural person to whom the personal data is legally or actually attributed and which distinguishes that person from others.

Data holder: Any natural or juristic person who legally or actually holds and keeps any kind of personal data, through any means of storage, whether they are the creator of the data, or if it has been transferred to them by any means.

Processing: Any electronic process used to write, collect, record, keep, store, merge, present, send, receive, circulate, publish, delete, change, amend, or retrieve personal data using any electronic means or device, whether partially or totally.

Availability of personal data: Any means that allows third-party access to personal data including, inter alia, perusing, circulating, publishing, transferring, using, presenting, sending, receiving, or disclosing data.

5. Legal Bases

5.1. Consent

According to Article 2 of the Data Protection Law, personal data may not be collected, processed, or disclosed by any means except with the explicit consent of the data subject.

In addition, Article 6 of the Data Protection Law sets consent by the data subject as one of the conditions for the processing of personal data.

5.2. Contract with the data subject

According to Article 6 of the Data Protection Law, the processing of personal data shall be legal if it is necessary for the performance of a contractual obligation, a legal action, the execution of an agreement for the benefit of the data subject, or to undertake any procedure to claim or defend the data subject's legal rights.

5.3. Legal obligations

According to Article 6 of the Data Protection Law, the processing of personal data shall be legal if it is necessary to perform an obligation as regulated by the Data Protection Law, based on a court order or an order issued by regulatory authorities.

5.4. Interests of the data subject

According to Article 6 of the Data Protection Law, the processing of personal data shall be legal if it is necessary for the performance of a contractual obligation, a legal action, the execution of an agreement for the benefit of the data subject, or to undertake any procedure to claim or defend the data subject's legal rights.

5.5. Public interest

This legal basis is not established under the Data Protection Law.

5.6. Legitimate interests of the data controller

According to Article 6 of the Data Protection Law, the processing of personal data shall be legal if it is necessary for fulfilling the legitimate rights of the controller or any relevant person unless it contradicts the basic rights and freedoms of the data subjects.

5.7. Legal bases in other instances

Not applicable.

6. Principles

According to Article 3 of the Data Protection Law, the processing and storage of personal data must be carried out in accordance with the following principles:

  • data minimization – personal data must be collected for legitimate, specific, and transparent purposes known to the data subject;
  • accuracy and security – personal data must be correct, valid, and secure;
  • lawfulness – personal data must be treated in a lawful manner and appropriate for the purposes for which it was collected; and
  • storage limitation – personal data must not be retained for a period longer than is necessary for the fulfillment of the purpose.

7. Controller and Processor Obligations

7.1. Data processing notification

According to Article 4 of the Data Protection Law, the controller of personal data is obligated to obtain a license from the DPC. Similarly, according to Article 5 of the Data Protection Law, the processor of personal data is obligated to obtain a license from the DPC.

In addition, Article 26 of the Data Protection Law provides further detail on the issuance of licenses by the DPC.

Furthermore, Article 12 of the Data Protection Law prohibits the processing, controlling, or handling of personal data without first obtaining a license from the DPC, regardless of whether the controller or processor is a natural or juristic person.

Notably, controllers and processors of personal data, whether they are natural or legal persons, are required to obtain a license from the DPC prior to processing sensitive personal data (Article 12 of the Data Protection Law). The Data Protection Law further provides that this requirement is subject to the conditions and measures set out by the Regulation (Article 12 of the Data Protection Law).

7.2. Data transfers

Article 14 of the Data Protection Law prohibits, inter alia, any act of transfer, storage, and/or sharing of personal data, which was collected or prepared for processing, to any foreign state unless the following two main conditions are satisfied:

  • the application of a level of protection that is not less than that provided by the Data Protection Law; and
  • a license or authorization by the DPC is obtained.

However, according to Article 15 of the Data Protection Law, international transfers of personal data may only be made after obtaining the explicit approval of the data subject in the following cases:

  • to save the life of the said data subject, provide medical care or treatment, or manage health services thereof;
  • to implement obligations to evidence, execute, or defend any right of the data subject before any competent court outside Egypt;
  • to enter into a contract, or implement a contract that has been or will be concluded, between the data processor and third parties for the benefit of the data subject;
  • to implement a procedure related to international judicial cooperation;
  • where a legal necessity or an obligation to protect the public interest exists;
  • cash transfers to another country in accordance with its specific and valid legislation; or
  • in cases where the transfer or circulation is carried out in the implementation of an international bilateral or multilateral agreement that Egypt is a party to.

According to Article 16 of the Data Protection Law, the controller or processor may disclose personal data to another controller or processor abroad with a license from the DPC whenever the following conditions are met:

  • there is conformity in the nature of the work of each of the controllers or processors or the purpose for which they obtain the personal data;
  • there is a legitimate interest for each of the controllers or processors of personal data or the data subject; and
  • the level of legal and technical protection of personal data abroad is not less than the level of protection in Egypt.

7.3. Data processing records

According to Article 4 of the Data Protection Law, controllers of personal data shall maintain a special record of data provided that it includes a description of the categories of personal data it retains, specifying who disclosed or made the data available to the controller, its documentation, time period, restrictions, scope, mechanisms for erasing or modifying personal data, and any other data related to the transfer of such personal data across borders and a description of technical and organizational procedures of data security.

According to Article 5 of the Data Protection Law, processors of personal data shall prepare a record of processing operations including the categories of processing the processor performs on behalf of any controllers and its contact details and its DPO, processing times, restrictions, scope, mechanisms for erasing and modifying personal data, and a description of the technical and organizational procedures for data security and processing.

7.4. Data protection impact assessment

According to Article 9 of the Data Protection Law, the DPO is obligated to conduct periodic evaluations and examinations of the personal data protection systems in order to prevent their penetration, to document the evaluation results, and to issue the necessary recommendations for their protection.

7.5. Data protection officer appointment

According to Article 8 of the Data Protection Law, controllers and processors are required to appoint a competent employee to be responsible for the protection of personal data as the DPO, who must be registered with the DPC.

The DPO is responsible for the protection of personal data and the implementation of the provisions of the Data Protection Law, its Regulations, and the decisions of the DPC, as well as supervision of the measures implemented within his/her organization and dealing with requests in relation to personal data under this law. Particularly, the DPO should (Article 9 of the Data Protection Law):

  • conduct periodic assessments and evaluations of data protection systems and measures, document the results of such evaluations, and issue recommendations in response to them;
  • be the point of contact with the DPC and give effect to its decisions;
  • facilitate data subject rights pursuant to the Data Protection Law;
  • notify the DPC in the event of a breach of personal data;
  • respond to data subject requests, and respond to the DPC in relation to any complaints it receives under this law;
  • consistently monitor and update personal data records of the controller, or data processing records of the processor, to guarantee the accuracy of the data and information attached to it;
  • eliminate any violations of personal data within their organization, and take the necessary procedures to correct it; and
  • organize the necessary employee training programs to ensure that employees are competent to give effect to the provisions of the law.

The Executive Regulations shall specify further obligations, commitments, and roles of the DPO.

The DPO must be registered in the record established by the DPC and their appointment must be announced. The Data Protection Law highlights that this record shall be a log of the persons responsible for data protection within organizations, i.e., DPOs. Notably, this record has not yet been established (Article 8 of the Data Protection Law).

Moreover, the Data Protection Law notes that the Regulations will determine the conditions upon which DPOs should be registered as well as the procedures and mechanisms attached (Article 8 of the Data Protection Law).

7.6. Data breach notification

According to Article 7 of the Data Protection Law, data controllers and data processors are required in cases where they become aware of any breach or violation of personal data to report such breach/violation to the DPC within 72 hours or immediately in cases where such breach or violation is related to national security. In all cases, both data controllers and data processors shall notify the data subject within three days, as of the date on which the relevant breach was reported to the DPC.

7.7. Data retention

According to Article 1 of the Data Protection Law, licenses issued by the DPC for controllers or processors are valid for three years, which can be renewed.

In addition, the Cybersecurity Law and its Executive Regulations apply to any person providing, directly or indirectly, users with any information technology or telecom service, including, inter alia, processing or data storage. Such providers are required to retain and store users' data continuously for at least 180 days, including identification data, the content of the services' system, communication traffic, terminals, and any other data required by the National Telecommunication Regulatory Authority.

7.8. Children's data

Article 12 of the Data Protection Law categorizes children's data as sensitive data and provides that the transfer, collection, storage, or processing of such data shall not be made except with the consent of a guardian. According to Article 2 of the Child Law No. 12 of 1996, any individual under 18 years of age is considered a child in the eyes of the law.

7.9. Special categories of personal data

Not applicable.

7.10. Controller and processor contracts

According to Article 4 of the Data Protection Law, the controller must implement measures, methods, and procedures for processing of personal data in accordance with the specified purpose, unless it is decided that the controller shall authorize a processor to do so by virtue of a written contract.

8. Data Subject Rights

8.1. Right to be informed

Article 2 of the Data Protection Law states that the data subject has the right to be provided with knowledge of the type of personal data that is being held by the data controller, holder, or processor. Furthermore, the data subject has the right to be informed of any breach or violation of their data protection rights.

8.2. Right to access

Article 2 of the Data Protection Law also secures the data subject's right to access or obtain personal data held by the data processor, holder, or controller.

8.3. Right to rectification

Article 2 of the Data Protection Law provides the data subject with the right to amend their personal data.

8.4. Right to erasure

Article 2 of the Data Protection Law gives the data subject the right to erase their personal data.

8.5. Right to object/opt-out

Article 2 of the Data Protection Law gives the data subject the right to object to the processing of personal data or its results whenever it conflicts with the fundamental rights and freedoms of the data subject and to revoke any consent that was granted for storing or processing personal data.

In addition, Article 17 of the Data Protection Law gives the data subject the right to refuse electronic communication or withdraw consent to electronic marketing.

8.6. Right to data portability

The Data Protection Law does not specifically provide for this right.

8.7. Right not to be subject to automated decision-making

The Data Protection Law does not specifically provide for this right.

8.8. Other rights

Article 2 of the Data Protection Law gives the data subject the right to limit the purpose of processing personal data to a specific scope.

9. Penalties

The Data Protection Law includes various penalties for violating its provisions such as the following key examples:

  • a fine of not less than EGP 100,000 (approx. $3,236) and not more than EGP 1 million (approx. $32,361) shall be imposed on any data holder, data controller, or data processor who collects, processes, discloses, makes available, or circulates personal data by any means other than in the cases authorized by law or without the consent of the data subject; the penalty is increased to imprisonment for a period of not less than six months and a fine of not less than EGP 200,000 (approx. $6,472) and not more than EGP 2 million (approx. $64,724) where the act was committed in exchange for a financial or moral benefit or with the intent of endangering the data subject;
  • a fine of not less than EGP 200,000 (approx. $6,472) and not more than EGP 2 million (approx. $64,724) shall be imposed on any legal representative of a juristic person who did not appoint a dedicated DPO within that juristic person;
  • a penalty of not less than three months' imprisonment and/or a fine of not less than EGP 50,000 (approx. $1,618) and not more than EGP 5 million (approx. $161,798) shall be imposed on any data controller, holder, or processor who collects, makes available, circulates, processes, discloses, stores, transfers, or keeps sensitive personal data in violation of the Data Protection Law;
  • a penalty of imprisonment of not less than three months and/or a fine of not less than EGP 500,000 (approx. $16,180) and not more than EGP 5 million (approx. $161,798) shall be imposed on any person who transfers personal data to any country that does not have any data protection laws, or to a country with a data protection law whose protection level is lower than that of the Data Protection Law; and
  • a fine of not less than EGP 500,000 (approx. $16,180) and not more than EGP 5 million (approx. $161,798) shall be imposed on anyone who violates the licensing or authorization requirements.

9.1. Enforcement decisions

Not applicable.