kb-data-privacy-egypt
---
name: kb-data-privacy-egypt
description: Use when a matter involves personal data processing, privacy obligations, or data-breach response in Egypt. Covers Egypt's Personal Data Protection Law (Law 151/2020) and its executive regulations, the role of the Personal Data Protection Centre (PDPC), consent requirements, data subject rights, cross-border transfer restrictions, and penalties. Triggers on questions about Egyptian data privacy compliance, PDPL Egypt, data controller obligations, or sensitive-data handling in Egyptian jurisdiction.
license: MIT
metadata:
  id: kb.data-privacy-Egypt
  category: kb
  practice_area: Data Privacy & Technology Law
  jurisdictions: [EG]
  priority: P2
  intent: [data-privacy, PDPL-Egypt, personal-data, compliance, data-protection]
  related: [kb-data-privacy-gdpr, kb-data-privacy-ksa-pdpl, kb-data-privacy-uae-pdpl, kb-healthcare-regulation-mena]
  source: Louis — HAQQ Legal AI (github.com/sboghossian/mini-claude-for-legal)
  version: "1.0"
---
# Knowledge Pack — Egypt Personal Data Protection Law (Law 151/2020)
## Scope

Egypt's Personal Data Protection Law (Law No. 151 of 2020) and its Executive Regulations (Prime Ministerial Decree 1074/2022) constitute the country's first comprehensive data-protection framework. The law applies to:

- Any entity (natural or legal, public or private) that collects, stores, processes, or transmits personal data of individuals who are:
  - Located in Egypt at the time of processing, or
  - Egyptian nationals (regardless of location)
- Extra-territorial reach: foreign entities processing Egyptian residents' or nationals' data are covered.
- Exempted: purely personal/household use; national security and public order data processed by competent authorities; statistical research using anonymized data.
## Key Definitions

| Term | Egyptian Law Definition |
|---|---|
| Personal data | Any data that identifies or could identify a natural person |
| Sensitive data | Health, genetic, biometric, religious belief, political opinion, criminal records, financial data |
| Controller | Entity that determines purposes and means of processing |
| Processor | Entity that processes data on behalf of a controller |
| Processing | Any operation performed on personal data (collection, storage, use, transfer, erasure, etc.) |
| PDPC | Personal Data Protection Centre — supervisory authority |
## Lawful Bases for Processing

- Express consent — written, explicit, and informed; may be withdrawn at any time.
- Contractual necessity — processing necessary to perform a contract to which the data subject is a party.
- Legal obligation — required by Egyptian law.
- Vital interests — necessary to protect the life or health of the data subject or a third party.
- Public task — processing by a public authority for a task in the public interest.
- Legitimate interests — balance-of-interests test; not available for sensitive data.
Sensitive data requires explicit written consent plus additional safeguards — no legitimate-interests basis.
## Data Subject Rights

| Right | Details |
|---|---|
| Access | Request a copy of personal data held |
| Rectification | Correct inaccurate or incomplete data |
| Erasure | Request deletion when legal basis ceases or consent withdrawn |
| Restriction | Suspend processing while dispute is resolved |
| Objection | Object to processing (especially direct marketing) |
| Portability | Receive data in a machine-readable format |
| Withdraw consent | At any time; withdrawal does not affect prior lawful processing |
- Controllers must respond to requests within 30 days (extendable to 60 days with notice).
## Registration & Notification Obligations

- Controllers and processors that process sensitive data or that process on a large scale must register with the PDPC before commencing processing.
- Registration fee + periodic renewal.
- Prior notification to PDPC required for:
  - High-risk processing activities (DPIA-equivalent assessment required)
  - Automated decision-making affecting individuals
  - Large-scale processing of sensitive categories
## Cross-Border Data Transfers

- Transfer outside Egypt is prohibited unless:
  - The destination country provides adequate protection (PDPC adequacy list — not yet published as of 2025; EU SCCs used as reference practice).
  - Contractual safeguards approved by PDPC (standard contractual clauses or binding corporate rules).
  - Express consent of the data subject for the specific transfer.
  - Transfer is necessary for contract performance, legal claims, vital interests, or public interest.
- Controllers must document the transfer basis and retain records.
## Data Breach Obligations

- Notify PDPC within 72 hours of becoming aware of a breach that is likely to risk data subjects' rights or freedoms.
- Notify affected data subjects without undue delay if the breach is likely to cause high risk.
- Maintain internal breach register.
## Data Protection Officer (DPO)

- Required for:
  - Public authorities
  - Entities whose core activities involve large-scale processing of sensitive data
  - Entities whose core activities involve large-scale systematic monitoring
- DPO must have expertise in data-protection law; may be internal or external.
## Security Requirements

- Implement technical and organizational measures appropriate to the risk level.
- Measures include: encryption, pseudonymization, access controls, regular testing.
- Third-party processors must provide sufficient security guarantees; documented by a Data Processing Agreement (DPA).
## Penalties

| Violation | Penalty |
|---|---|
| Processing without lawful basis or without consent | EGP 100,000 – 1,000,000 |
| Transfer outside Egypt without authorization | EGP 500,000 – 5,000,000 |
| Processing sensitive data without explicit consent | EGP 500,000 – 5,000,000 |
| Failure to notify breach | EGP 50,000 – 500,000 |
| General non-compliance | EGP 10,000 – 1,000,000 |
| Repeated violations | Doubled fines + criminal liability for responsible individuals |
## Supervisory Authority: PDPC

- Personal Data Protection Centre (PDPC) — under the Ministry of Communications.
- Powers: registration, inspection, investigation, issuing guidance, imposing fines.
- Complaint mechanism: data subjects may file complaints with PDPC.
- PDPC may issue binding guidance and codes of practice.
## Practical Compliance Checklist

- Map all personal data flows (data mapping / inventory)
- Identify and document lawful basis for each processing activity
- Update privacy notices / privacy policy (Arabic and English)
- Ensure consent mechanisms meet "explicit, informed, withdrawable" standard
- Register with PDPC if required (sensitive data / large-scale processing)
- Put Data Processing Agreements in place with all processors
- Establish cross-border transfer mechanisms for international data flows
- Implement breach detection and notification procedures
- Appoint DPO if triggered
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk activities
## Comparison with GDPR and Regional PDPLs

| Feature | Egypt 151/2020 | GDPR (EU) | KSA PDPL | UAE PDPL |
|---|---|---|---|---|
| Adequacy mechanism | Yes (PDPC list) | Yes (EC list) | Yes (NDMO list) | Yes (DIFC/ADGM separate) |
| DPO mandatory | Large-scale/sensitive | Public/core activities | Not specified | Certain controllers |
| Max fine | EGP 5M | €20M / 4% global | SAR 5M | AED 20M |
| Breach notification | 72 hours to PDPC | 72 hours to DPA | 72 hours to SDAIA | 72 hours to TDRA |
| Extra-territorial | Yes | Yes | Yes | Yes |
## Caveats & Currency

Egypt's PDPC is newly established and enforcement practice is still developing. Executive Regulations were issued in 2022; implementing guidance continues to be published. Verify current PDPC adequacy lists, registration fees, and specific thresholds before advising. The penalty amounts above reflect the law as enacted; assess any amendments post-2023 with current sources.
## Related Skills

- [[kb-data-privacy-gdpr]]
- [[kb-data-privacy-ksa-pdpl]]
- [[kb-data-privacy-uae-pdpl]]
- [[kb-healthcare-regulation-mena]]
- [[draft-privacy-policy]]
- [[draft-data-processing-agreement]]