Egypt


Egypt introduced the Law on the Protection of Personal Data (the Data Protection Law), issued under Resolution No. 151 of 2020, on July 13, 2020. Egypt's Data Protection Law aims to establish standards and rules that safeguard the rights of individuals in Egypt regarding their personal data.

Prior to the introduction of the Data Protection Law, data protection in Egypt was governed only through various pieces of legislation, such as the Constitution of the Arab Republic of Egypt (the Constitution), the Penal Code No. 58 of 1937 (the Penal Code), and the Law No. 175 of 2018 on Anti-Cyber and Information Technology Crimes (the Cybersecurity Law; only available in Arabic). The issuance of the Data Protection Law therefore consolidates the rules and regulations regarding data protection and privacy in Egypt.

Scope and Applicability

Territorial scope

Article 2 of the Resolution states that the Data Protection Law applies to anyone who violates it, including:  

1. Egyptian nationals, whether in Egypt or abroad; 

2. Non-Egyptians residing in Egypt;  

3. Non-Egyptians outside Egypt if the act is punishable where it occurred and affects an Egyptian national or a non-Egyptian living in Egypt. 

 

Material scope

Article 1 of the Resolution states that the Data Protection Law applies to any personal data that undergoes electronic processing, either partially or entirely. 

Legal bases 

1. Consent

2. Contract with the data subject

3. Legal obligation

4. Interest of the data subject

5. Public interest

6. Legitimate interests of the data controller

 

Principles 

Article 3 of the Data Protection Law outlines principles for processing and storing personal data: 

1. Data Minimization: Collect personal data only for legitimate, specific, and transparent purposes known to the data subject. 

2. Accuracy and Security: Ensure personal data is accurate, valid, and secure. 

3. Lawfulness: Treat personal data lawfully and appropriately for its intended purposes. 

4. Storage Limitation: Retain personal data only as long as necessary to fulfill its purpose. 

 

Controller and Processor Obligations

Data processing notification 

According to Article 12 of the Data Protection Law, both data controllers and processors, whether individuals or organizations, must obtain a license from the Data Protection Committee (DPC) before processing sensitive personal data. This requirement is subject to conditions and measures outlined in the Regulation.

Data transfers 

Article 14 of the Data Protection Law prohibits the transfer, storage, or sharing of personal data with foreign states unless two conditions are met:  

1. The foreign entity provides protection at least equal to that of the Data Protection Law. 

2. A license or authorization is obtained from the DPC. 

Data processing records 

According to Article 4 of the Data Protection Law, controllers of personal data shall maintain a special record of data. The record must include a description of the categories of personal data the controller retains; who disclosed or made the data available to the controller; its documentation, time period, restrictions, and scope; the mechanisms for erasing or modifying personal data; any other data related to the transfer of such personal data across borders; and a description of the technical and organizational procedures for data security.

Data protection impact assessment 

Article 9 of the Data Protection Law mandates that the Data Protection Officer (DPO) conduct regular evaluations and assessments of personal data protection systems. The DPO must document the results and provide recommendations to enhance data security and prevent breaches. 

Data Protection Officer appointment 

According to Article 8 of the Data Protection Law, controllers and processors are required to appoint a competent employee to be responsible for the protection of personal data as the DPO, who must be registered with the DPC.

Data breach notification

Article 7 of the Data Protection Law requires data controllers and processors to report any personal data breach or violation to the DPC within 72 hours. In cases related to national security, this must be done immediately. Additionally, they must notify the affected data subjects within three days of reporting the breach to the DPC. 

Data Retention 

Article 1 of the Data Protection Law states that licenses issued by the DPC for data controllers or processors are valid for three years and can be renewed. 

Children's data 

Article 12 of the Data Protection Law classifies children's data as sensitive and stipulates that its transfer, collection, storage, or processing requires the consent of a guardian. Additionally, Article 2 of Child Law No. 12 of 1996 defines a child as anyone under 18 years of age. 

 

Special categories of personal data 

Not applicable.  

Controller and processor contracts

Article 4 of the Data Protection Law requires data controllers to implement measures and procedures for processing personal data in line with its intended purpose. If the controller decides to authorize a processor to handle the data, this must be done through a written contract. 

 

Data Subject Rights 

  1. Right to be informed 

  2. Right to access 

  3. Right to rectification 

  4. Right to erasure 

  5. Right to object/opt out 

     

Penalties 

Penalties under the Data Protection Law include:

  1. Fines:

  • A fine of EGP 100,000 to EGP 1 million (approx. $2,066 to $20,662) for unauthorized collection, processing, or disclosure of personal data. 

  • If the violation involves financial gain or endangers the data subject, penalties increase to imprisonment for at least six months and fines of EGP 200,000 to EGP 2 million (approx. $4,132 to $41,327).