Data Protection in Egypt: PDPL Law and Cybersecurity Rules
With the rapid advancement of digital technologies, data protection in Egypt has become a critical issue, as personal data is now one of the most valuable assets in today’s economy. Governments worldwide are implementing stringent regulations to protect individuals’ personal information from unauthorized collection, misuse, and security breaches. Egypt has followed this trend by enacting Law No. 151 of 2020 on Personal Data Protection (PDPL), which establishes comprehensive legal standards for handling personal data.
The PDPL aims to regulate the collection, processing, storage, and transfer of personal data within Egypt. It applies to businesses, government agencies, and foreign entities that process data related to Egyptian citizens. The law introduces several obligations for businesses, grants new rights to individuals, and imposes strict penalties for non-compliance.
Key Features of Egypt’s Personal Data Protection Law (PDPL)
1.1 Scope and Applicability:
The PDPL applies to all entities that process personal data of Egyptian citizens, regardless of whether the data controller or processor is located inside or outside Egypt. This extraterritorial reach ensures that any organization dealing with Egyptian personal data is subject to the law’s requirements.
The law applies broadly across industries, covering sectors such as finance, healthcare, telecommunications, e-commerce, and government services. Any business that collects, processes, or stores personal data in Egypt must comply with its provisions.
However, there are specific exemptions under the law. Data processing related to national security, judicial investigations, and law enforcement activities is excluded from the PDPL’s requirements. Additionally, personal data processed for purely personal or household activities does not fall under its jurisdiction.
A key feature of the PDPL is its categorization of data. It distinguishes between personal data and sensitive data, with the latter requiring stricter handling and additional protective measures. Sensitive data includes information related to an individual’s health, finances, religious beliefs, and biometric identifiers.
1.2 Key Definitions Under PDPL:
| Term | Definition |
|---|---|
| Personal Data | Any data related to an identifiable person, whether directly or indirectly. |
| Sensitive Data | Includes financial data, health information, religious beliefs, biometric data, and political opinions. |
| Data Controller | The entity or individual that determines the purpose and means of processing personal data. |
| Data Processor | A third party or service provider that processes personal data on behalf of the Data Controller. |
| Data Subject | The individual whose personal data is being processed. |
2. Rights of Individuals Under PDPL:
The PDPL grants Egyptian citizens several rights to ensure they have control over how their personal data is used. One of the fundamental rights is the right to access, which allows individuals to request a copy of their personal data held by an organization. This ensures transparency and gives individuals insight into how their data is being handled.
Another significant right is the right to correction, which allows individuals to request changes to inaccurate or incomplete personal information. This is particularly important in sectors such as finance and healthcare, where incorrect data can have serious consequences.
The law also introduces the right to deletion, or the “right to be forgotten.” If an individual’s data is no longer needed for its original purpose or if they withdraw their consent, they can request its removal from the organization’s records. However, there are exceptions, particularly in cases where data retention is required for legal or regulatory purposes.
The right to object to processing is another key provision. Individuals can refuse the processing of their data for specific purposes, such as direct marketing or automated decision-making processes. This right ensures that businesses do not use personal data for targeted advertising without explicit consent.
A final major right under the PDPL is the right to data portability, which enables individuals to transfer their personal data from one service provider to another. This is particularly relevant in sectors like banking and telecommunications, where customers may want to switch providers without losing access to their historical data.
3. Obligations for Businesses and Data Handlers:
Businesses and organizations that collect, process, or store personal data in Egypt must adhere to strict compliance measures to protect individual privacy. One of the most fundamental obligations is obtaining consent before processing personal data. Organizations must ensure that individuals explicitly agree to the collection and use of their personal information. Consent must be clear, informed, and freely given, and individuals must be able to withdraw it at any time.
Beyond consent, organizations must ensure that data is processed lawfully, fairly, and transparently. Businesses must clearly inform individuals about why their data is being collected, how it will be used, and whether it will be shared with third parties. This requirement helps build consumer trust and ensures accountability in data processing practices.
Data security is another major requirement under the PDPL. Organizations must implement appropriate security measures to prevent unauthorized access, data breaches, and misuse of personal information. This includes adopting encryption, access control systems, and regular security audits to detect vulnerabilities. In the event of a data breach, organizations must notify the Egyptian Data Protection Center (EDPC) and affected individuals within a specified timeframe.
For organizations that process large volumes of data or handle sensitive personal data, the law requires the appointment of a Data Protection Officer (DPO). The DPO is responsible for overseeing data protection policies, ensuring compliance with the law, and acting as a liaison between the company and regulatory authorities. Companies failing to appoint a DPO when required may face fines and other regulatory consequences.
Another critical aspect of the PDPL is its regulation of cross-border data transfers. Personal data cannot be transferred outside Egypt unless the receiving country has adequate data protection laws in place. In some cases, organizations must seek explicit approval from the EDPC before transferring data abroad. This restriction aims to ensure that Egyptian citizens’ personal data remains protected even when processed outside national borders.
4. Penalties for Non-Compliance:
The Egyptian Data Protection Center (EDPC) is the main regulatory authority responsible for enforcing the PDPL. Organizations that fail to comply with the law face severe penalties.
| Violation | Penalty |
|---|---|
| Processing personal data without consent | EGP 100,000 – EGP 1,000,000 fine |
| Unauthorized transfer of data abroad | EGP 300,000 – EGP 5,000,000 fine |
| Security breaches resulting in data leaks | Criminal liability and fines |
| Non-compliance with DPO requirements | Fines and potential business restrictions |
In cases of major violations, such as deliberate misuse of personal data for fraud or unauthorized surveillance, criminal penalties may also apply, including potential imprisonment.
Conclusion
Egypt’s Personal Data Protection Law (PDPL) marks a significant step toward enhancing digital security and privacy. The law introduces strict obligations for businesses handling personal data while granting new rights to individuals. Compliance with the PDPL is crucial for companies operating in Egypt, as failure to adhere to the regulations can result in severe financial and legal consequences.