Egypt Data Protection Law: Compliance Guide for Executive Decree 816

Egypt’s Personal Data Protection Law has moved from a dormant statute to an enforceable compliance regime. Law No. 151 of 2020 remained inactive for five years due to the absence of implementing rules. That position changed on November 10, 2025, when the Ministry of Communications and Information Technology issued Executive Decree No. 816 of 2025, published in the Official Gazette. With this decree, compliance obligations are no longer theoretical; they are immediate, clear, and enforceable. 

The Personal Data Protection Centre (PDPC) now operates as the primary regulator and enforcement authority, making adherence to the law a pressing requirement for all organizations handling personal data in Egypt.

Legal Status of Egypt’s Personal Data Protection Law

These implementing regulations translate the law’s principles into binding operational duties. Controllers and processors must comply with licensing requirements, breach reporting deadlines, consent standards, and penalty provisions. There is no transition or grace period: obligations apply from the date of enforcement, and non‑compliance exposes organizations to regulatory sanctions.

The regulations establish a fully enforceable regime, positioning data protection as a central pillar of Egypt’s digital governance.

Scope of Egypt’s Personal Data Protection Law

The law applies to any organization that handles the personal data of Egyptian residents. This includes:

  • Local Egyptian companies
  • Multinational corporations with operations in Egypt
  • Foreign digital platforms that serve Egyptian users or track their behavior

Physical presence in Egypt is not required for the law to apply. If you process the personal data of Egyptian residents, you must comply. 

The decree covers all activities in the data lifecycle, including collection, storage, processing, sharing, and deletion. Its 42 articles set out clear operational duties for data controllers and processors.

Data Subject Rights under Egypt PDPL

Individuals now have rights they can enforce over their personal data. A data subject has:

  1. Right to know whether their personal data is being processed
  2. Right to access a copy of their personal data
  3. Right to correct inaccurate information
  4. Right to request erasure in specific circumstances
  5. Right to object to processing
  6. Right to withdraw consent at any time without penalty or cost

Organizations must provide clear, working systems that allow individuals to exercise these rights and must respond to requests within set time limits.

Consent must be explicit, informed, and documented. It cannot be bundled or forced unless processing is essential to the service. Consent records must be retained and available for inspection.

Mandatory Licensing Requirements for Data Controllers and Processors

A key feature of Egypt’s framework is the mandatory licensing requirement. Data controllers and processors must obtain a license from the Personal Data Protection Centre.

  • Licensing is mandatory, and fees follow a tiered structure determined by database size.
  • For individuals, fees start at 200 EGP annually for databases containing 1 to 100,000 records and go up to 1,000 EGP annually for databases exceeding 901,000 records.
  • For organizations, fees begin at 5,000 EGP annually for databases holding 1 to 25,000 records and scale upward as database size increases. The maximum annual fee for organizations with the largest databases is capped at 2,000,000 EGP per year for the first three years of implementation.

Specialized licenses are required for direct electronic marketing and surveillance equipment. Cross-border transfer licenses cost 50 percent of the main licensing fee.

Licensing fees are separate from penalties. Violations of licensing and permit requirements can attract fines of up to 5 million EGP.

Strict Breach Notification Rules

Data controllers must report any personal data breach to the Personal Data Protection Centre within 72 hours of discovery. There are no exceptions or extensions to this deadline.

The notification must include details such as:

  • The type of data affected
  • The number of people impacted
  • The contact information for the data protection officer, and
  • The likely results of the breach, and the steps taken or planned to fix it.

 

If a breach creates a high risk to the rights and freedoms of individuals, then the data subjects must be informed within three (3) business days from the date of notifying the Personal Data Protection Centre.

  • This communication must be in clear, simple language. 
  • Failure to comply with breach‑related obligations, including timely notification and required content, can result in administrative fines of up to 3 million EGP.

Protecting Children's and Sensitive Data

Personal data of children under 15 requires explicit written consent from a parent or legal guardian before collection or processing. Organizations must verify the child’s age and maintain documented proof of parental consent.

Sensitive personal data receives heightened protection. This includes information on race, political opinions, health, and biometric identifiers. Processing sensitive data requires explicit written consent from the data subject.

  • Organizations must demonstrate that processing is necessary and that no less intrusive method exists.
  • The legal basis of “legitimate interest” cannot be used for processing sensitive data.

Cross-Border Data Transfer Approval

Personal data cannot be transferred outside Egypt without prior approval from the Personal Data Protection Centre. Applications must specify:

  • Destination country
  • Purpose of the transfer
  • Categories of data involved
  • Security measures in place

 

Transfers are approved only if the destination country provides adequate data protection. Where adequacy is absent, transfers are generally prohibited unless:

  • A narrow legal exception applies, and
  • The data subject provides explicit informed consent.

 

The Personal Data Protection Centre has 90 working days to decide on transfer applications. If no decision is issued, the application is automatically deemed rejected.

Foreign controllers without an establishment in Egypt must appoint an authorized local representative to manage compliance and regulatory communication.

Mandatory Data Protection Officer

Controllers and processors must appoint a qualified Data Protection Officer (DPO). The DPO must have relevant professional experience or credentials in law, compliance, or information security, and must pass an examination administered by the Personal Data Protection Centre.

The DPO must be registered and issued a unique identification number. The core responsibilities include:

  • Monitoring compliance with the law and regulations
  • Handling data subject requests
  • Submitting annual compliance reports to the Personal Data Protection Centre

Termination or replacement of a DPO must be notified in advance. Failure to maintain a registered DPO can result in fines of up to 2 million EGP.

Data Retention and Record Keeping Obligations

Organizations must define data retention periods in advance and link them to the original purpose of collection. Once the purpose is fulfilled, data must be deleted or rendered non‑identifiable.

  • Retention rules must be documented and applied consistently.
  • Electronic records must be maintained showing:
    • Data categories
    • Purposes of processing
    • Access controls
    • Security measures
    • Consent records
    • Data subject requests
    • Breach incidents
  • Records must be available for inspection without exposing personal identities.

Enforcement Powers and Penalties

The Personal Data Protection Centre has authority to inspect, demand documentation, issue corrective orders, and impose administrative fines.

  • Penalties scale with severity:
    • Unauthorized disclosure or blocking data subject rights – fines up to 1 million EGP.
    • Licensing violations, unlawful sensitive data processing, and illegal cross‑border transfers – fines up to 5 million EGP.
    • Intentional violations for personal gain – criminal liability, including imprisonment.
  • Senior management and board members may be held personally accountable where violations occur due to knowledge or failure to act.

Immediate Steps for Compliance

There is no grace period for this law. Organizations handling Egyptian resident data must act now.

  1. Data Inventory: Identify all personal data held, where it is stored, and the volume of records. This step determines the required licensing tier.
  2. Licensing Application: Register with the Personal Data Protection Centre and submit the licensing application with the appropriate fee based on database size.
  3. DPO Appointment: Appoint a qualified DPO who can pass the required examination and register them with the Personal Data Protection Centre.
  4. Consent Review: Update all consent processes to ensure explicit, documented consent is obtained, especially for children’s and sensitive data.
  5. Breach Protocol: Create a system to ensure the 72-hour notification deadline to the Personal Data Protection Centre can be met upon discovery of a breach.
  6. Retention Schedules: Define and document how long each category of data will be kept and establish clear deletion procedures.

Conclusion

Executive Decree 816 of 2025 makes Egypt’s data protection law fully operational. Licensing, breach reporting, consent, cross‑border transfers, DPO appointment, and record keeping are now enforceable obligations. The Personal Data Protection Centre has clear authority to supervise and penalize, with no grace period for compliance. Egypt’s permission‑based model embeds data protection into corporate governance and senior management accountability. The law is active, the regulator is functioning, and the risk of inaction is immediate and personal.

At PrivacyPulse, we provide data protection, compliance, and regulatory advisory services. For PDPL Egypt compliance and regulatory support, contact us.
