Egypt’s Data Protection Law
Simplified
LYNX Business Bulletin
May 2021
INTRODUCTION
The Egyptian Data Protection and Privacy Law (Law # 151/2020) entered into force on October 14, 2020. Prior to its enactment, Egypt lacked a single
comprehensive regulatory framework governing data privacy and protection related issues. Matters of data protection were present in other legal frameworks
such as the Cybercrimes Law, the Consumer Protection Law, as well as the Egyptian Penal and Civil Code. The Government of Egypt (GoE) is currently
drafting the law’s executive regulations, which are expected in 2H2021 and will elaborate on specific clauses outlined in the law.
CONSTITUTIONAL PROVISION
Article 75 of the Egyptian Constitution stipulates that ‘private life is inviolable, safeguarded and may not be infringed upon. Postal, telegraph, e-correspondence, telephone calls and any other means of communications are inviolable, and the confidentiality thereof is guaranteed, which communications may only be confiscated, examined or monitored by virtue of a judicial order for a limited period of time in the circumstances stipulated by law. The State shall protect the rights of citizens to use all means of public communications, which communications may not be arbitrarily disrupted, ceased or withheld from citizens, and shall be governed by law.’

[Diagram: Data Protection Law, surrounded by the topics covered: Jurisdiction; Scope of the Law; Exempted Data; Key definitions; Data Protection Centre (DPC); DPC Licenses; Data Protection Officer (DPO); Data Subject Rights; Cross Border Data Transfer; Electronic Marketing; Penalties and Sanctions]
WHY A DATA PROTECTION LAW?
➢ Protect and regulate the handling of personal data
➢ Compliance with the General Data Protection Regulation (GDPR)
➢ Attract foreign investments, particularly in the technology sector and support Egypt’s technology industries hub ambitions

SCOPE OF THE LAW
The law identified two types of data:
PERSONAL DATA
➢ Related to an identified natural person
➢ Includes: name, voice, ID number, picture
➢ Determines psychological, physical, economic, or cultural identity
SENSITIVE DATA
➢ Includes: religious, political, financial, or health data
➢ Children’s data
➢ Obtained through consent of data subject. The executive regulations will define the means of obtaining consent.
The Law also extends regulation to electronic marketing and introduces mandatory opt-out mechanism in any form of electronic marketing

EXEMPTED DATA FROM THE LAW
➢ Census data and exclusively processed data for media purposes
➢ Held by national security authorities and/or related to judicial seizure warrants, investigations and lawsuits
➢ Held by Central Bank of Egypt and entities falling under its authority or supervision
➢ Saved by natural persons for third parties and is processed solely for personal use.

LAW JURISDICTION
EGYPT
➢ Resident Egyptians
➢ Foreigners resident in Egypt
EXTRATERRITORIAL
➢ Egyptians residing abroad
➢ Foreigners residing abroad if the act is illegal, and the data subject is Egyptian or a foreigner residing in Egypt
KEY DEFINITIONS *
Personal data: Data related to any natural person who can be determined whether directly or indirectly through relating the data with any other data including, inter alia, name, voice, identification number, and data determining psychological or physical health, economic status, or cultural or social identity.

Sensitive data: Any data that discloses psychological, mental, physical, or genetic health data, biometric data, financial data, religious beliefs, political opinions, or security conditions and children’s data.

Processing: Any electronic process used to write, collect, record, keep, store, merge, present, send, receive, circulate, publish, delete, change, amend, retrieve, or analyse the personal data using any electronic means or device, whether partially or totally. The executive regulations will outline the technical standards for data processing.

Data holder: Any natural or juristic person who legally or actually holds any kind of personal data, through any means of storage, whether they are the creator of the data, or if it has been transferred to them by any means.

Data controller: Any natural or juristic person who has the right, due to the nature of his/her work, to obtain personal data and to determine the process and the criteria of keeping or processing personal data and control it according to the determined purpose.

Availability of personal data: Any means that allows third parties to access personal data including, inter alia, pursuing, circulating, publishing, transferring, using, presenting, sending, receiving, or disclosing data.

The lawful processing of data is based on:
➢ Obtaining consent for one or more specific purpose(s);
➢ Data processing is required and necessary for:
   • Implementing a contractual obligation or legal action; or
   • Entering a contract on behalf of the data subject.
➢ Fulfilling an obligation by law or order from a competent authority or court
➢ Permitting data controllers to perform an obligation or a relevant party to carry out a legal right; or
➢ Obtaining the required approval or authorisation from the Personal Data Protection Centre (‘DPC’).

* Source: https://www.dataguidance.com/notes/egypt-data-protection-overview
PERSONAL DATA PROTECTION CENTRE (PDPC)

Board of Directors
➢ Minister of Communications and Information Technology
➢ CEO of the PDPC
➢ Ministry of Defense
➢ Ministry of Interior
➢ General Intelligence Services
➢ Administrative Control Authority
➢ Information Technology Industrial Regulatory Authority
➢ National Telecom Regulatory Authority
➢ 3 experts selected by MCIT

Types of licenses issued by PDPC
✓ Sensitive Data Processing
✓ Data Storage and Processing
✓ Direct Marketing
✓ (Camera) Surveillance
✓ Cross-border Data Transfer
✓ Consulting Services
✓ Direct Commercial Marketing

Mandate
➢ Regulates the personal data development process; monitors cross-border data transfers
➢ Develops strategies to protect personal data; receives complaints and inspects any individual or entity dealing with personal data.
➢ Issues licenses, permits, accredits entities and consulting service providers handling personal data

The law’s executive regulations will outline the technical standards of licenses and authorizations as well as the process of reporting breaches to the PDPC
DATA PROTECTION OFFICER
The legal representative of any juristic person must appoint a dedicated Data Protection Officer (DPO). The DPO should be registered in the Personal Data Protection Centre’s register of officials responsible for the protection of personal data. The law does not outline specific qualifications for the DPO. The law’s executive regulations will lay out the qualifications of the DPO.

DPO Duties and Responsibilities
➢ Monitors his/her entity’s compliance with the applicable laws and regulations governing privacy and personal data protection
➢ Acts as the coordinator between the Controller/Processor and the PDPC
➢ Ensures that the data user is afforded his/her rights under the law and applicable regulations
➢ Notifies the PDPC of any data security breaches
➢ Attends to inquiries from the PDPC, as well as to complaints and requests from data users
➢ Rectifies any breach to personal data and ensures compliance with the applicable regulations
➢ Organizes training and workshops for employees on data protection.

DATA SUBJECT PRIVILEGES

Data Processor/Controller Obligations
➢ Appointing a DPO dedicated to supervise the application of the Law.
➢ Receive personal data after obtaining the consent of the data subject (within the limits allowed under the Law)
➢ Verify personal data and ensure that it is accurate and in line with the purpose for which it was collected
➢ Refrain from disclosing personal data as stipulated under the Law
➢ Remove personal data as soon as the purpose for which it was collected is achieved
➢ Maintain a special register of personal data
➢ Notifying the personal data authority of any breach relating to personal data
➢ Maintaining the appropriate systems and controls for the protection of personal data privacy
➢ Obtain a licence or permit from the DPC to undertake data “controller” or “processing” activities
➢ Complying with certain conditions for electronic marketing.
➢ Obtaining a license and appointing local representatives by foreign businesses that control or process data for individuals residing in Egypt
➢ The law’s executive regulations will outline the processes for data handling and processing.

Data Subject Rights
➢ Provided with knowledge of the type of personal data that is being held by the data controller, holder, or processor
➢ Ensure his/her right to check, access, or obtain such data
➢ Revoke any consent granted for saving or processing his/her personal data
➢ Amend and delete previously granted personal data
➢ Limit the scope of processing personal data
➢ Informed of any breach of personal data
➢ Object to the processing of his/her personal data once a violation of rights occurs.
ELECTRONIC MARKETING

Definition under the Law
Sending any message, statement, advertisement, or marketing content, by any technological means, which directly or indirectly aims to promote goods, services or commercial, political, social, or charitable requests, aimed at specific persons. The executive regulations will define the technical rules and standards for electronic marketing.

General Guidelines
Any electronic communication for the purpose of direct marketing to the data subject must fulfil the following requirements:
➢ Obtain the consent of the data subject
➢ Communication shall include the identity of its creator and sender
➢ Sender shall have a valid address to be reached when necessary
➢ Communication must indicate that its purpose is electronic marketing
➢ Maintain electronic records evidencing the consent of the data subject to receive electronic marketing communication and any amendments thereof, or their non-objection to its continuity for a duration of three years from the date the last communication has been sent.
➢ Setting clear and simple mechanisms to allow the Data Subject to refuse electronic communication or to withdraw his/her consent to receiving such communication.
➢ The law’s executive regulations will define the role and liability of consulting services.

CROSS-BORDER MOVEMENT OF DATA

Conditions
International transfer of personal data is permitted after obtaining the approval of the data subject to:
➢ Save the life of the data subject, provide medical care or treatment, or manage health services
➢ Implement obligations to execute or defend data subject rights before foreign competent court
➢ Complete a bank transfer
➢ Implement a contract between the data processor and third parties for the data subject’s benefit
➢ Implement an international bilateral or multilateral agreement to which Egypt is a party.
➢ Implement a procedure related to international judicial cooperation
➢ Legal necessity or obligation to protect the public interest
➢ Cash transfers to another country
➢ The law’s executive regulations will define the roles in cases of multiple data processors.

PENALTIES

Sanctions

ACTION: Collects, discloses, makes available or circulates personal data by means other than those authorized by the Law or without the consent of the data subject by any data holder, data controller, or data processor
PENALTY:
➢ USD 6400 – USD 64,000
➢ Penalty shall incur imprisonment for a minimal period of six months and a fine ranging between USD 12800 and USD 128,000 if the act was committed in exchange for a financial or moral benefit or with the intent of endangering the data subject

ACTION: Collects, holds, processes, makes available, stores, transfers, circulates, or keeps sensitive personal data in violation of the law by any data holder, data controller, or data processor
PENALTY:
➢ USD 3200 – USD 320,000
➢ Penalty may incur imprisonment for a minimal period of three months

ACTION: A dedicated data protection officer is not appointed by company’s legal representative
PENALTY:
➢ USD 12,800 – USD 128,000

ACTION: Transfer personal data to a country that lacks data protection laws or to a country with a data protection law that has a protection level that is less than the protection level of Egypt’s law
PENALTY:
➢ USD 32,000 – USD 320,000
➢ Penalty may incur imprisonment for a minimal period of three months

ACTION: Violate the licensing or authorization requirements by the Personal Data Protection Centre
PENALTY:
➢ USD 32,000 – USD 320,000

➢ “De facto manager” may be held personally liable for any breaches of the provisions of the law
➢ The Economic Court will determine the de facto manager, who will most likely be the DPO
➢ In cases of criminal actions, the criminal liability falls on the natural person
www.lynxegypt.com | info@lynxegypt.com | 4 Latin America Street, Garden City, Cairo | +2 02 27944331
© LYNX Strategic Business Advisors 2021