Skip to Main Content
Main Menu

Egypt Personal Data Protection Law No.151 of 2020

Egypt’s Personal Data Protection Law (PDPL) establishes standards governing the collection, use, disclosure and care of personal data, while recognizing the rights of individuals. It also establishes the Personal Data Protection Center as the regulatory body with oversight of the law.

Are you covered under the Egypt PDPL?

The PDPL does not contain a specific provision disclosing its applicability however it applies to anyone who processes personal information.

Consistent with GDPR it defines controller and processor.

Under PDPL, a controller is defined as “any natural or legal person who, by virtue of the nature of their work, has the right to obtain personal data and to determine the method, method and criteria for retaining it, processing it and controlling it according to the specific purpose or activity.”
A processor is defined as “any natural or legal person who is competent in the nature of their work, to process personal data for their benefit, or for the benefit of the controller, as established in an agreement with them and according to their instructions.”

Key obligations of Egypt’s Law

Obtainment of license

All controllers and processors must apply for and obtain a license and/or permit from the Center for the Protection of Personal Data (“Center”) prior to processing any personal data.

Sensitive data processing

Controllers are prohibited from possessing any sensitive data (e.g. biometric and financial data) without first obtaining a license from the Center. However, except in legally authorized scenarios, sensitive data may be processed where an individual has provided their written and explicit consent. Where children’s data will be processed, consent from their parents must be obtained.

Principles for processing

The processing of personal data must:

  • Only be processed for a legitimate, specific and declared purpose;
  • Be correct, safe, and secure;
  • Be processed in a lawful and appropriate manner for the purposes for which it was collected; and
  • Not be kept for a period longer than necessary to fulfill the purpose of processing.

Breach notification

Upon discovery of a breach incident, controllers and processors shall notify the Center of the occurrence of the incident, and must disclose: a description of the incident (e.g. cause of the incident and the number of personal data affected), the effects of the incident, and remedial actions taken to address the incident.

Controllers and processors must also notify affected individuals of the occurrence of the incident within three working days from the date of the notification, and the measures taken.


Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws

Businesses need to get a whole lot smarter about how they consume data because greed is not good: it’s risky and uneconomical.

Achieve compliance


  • Can I transfer data overseas?

    Yes. Personal data may be transferred outside the jurisdiction of Egypt where there is a level of protection no less than the level stipulated in the Law, and a license or permit has been obtained from the Center.

  • Can I transfer data to controllers and processors located in a jurisdiction outside of Egypt?

    Yes. Such a transfer is permitted when the following conditions are met:

    • There is an established work agreement requiring such transfer to controllers/processors overseas;
    • There is a legitimate interest to engage in such transfer; and
    • Technical and legal safeguards are applied during the data transfer and by controllers/processors receiving the data abroad, which should not be less than the level of protection available in Egypt.
  • Are there exceptions to solicit electronic communications to individuals for direct marketing purposes?

    Yes. This solicitation is permitted where the following conditions are met:

    • Consent has been obtained from the individual;
    • The communication should disclose the identity of the sender and originator;
    • The sender of the communication has a valid and sufficient address to send the communication to the individual;
    • The communication is only sent for direct marketing purposes; and
    • Opt-out mechanisms are made readily available to individuals if they decide to opt-out from receiving such communications.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top