Executive Regulations Issued for Egypt’s Personal Data Protection Law: Business Impact and Compliance Considerations

January 8, 2026
  1. Introduction

Egypt’s primary data privacy framework was established with the issuance of the personal data protection law no. 151 of 2020 (the “PDP Law”), marking a significant legislative step towards regulating personal data practices in Egypt. While the PDP Law set out the core principles governing the protection and processing of personal data, including obligations for controllers and processors, the rights of data subjects, and regulating cross-border transfers, its application remained suspended pending the issuance of the Executive Regulations (the “ER”), which were required to bring the law into force.

Following a prolonged period of regulatory inactivity and uncertainty for stakeholders already engaged in the processing of personal data, the ER were finally issued pursuant to Ministerial Decision No. 81 of 2025, thereby activating the PDP Law and rendering its provisions operational. The ER were published in the Official Gazette on 1 November 2025 and were subsequently made publicly available on 25 December 2025.

  2. Key Features

Personal Data Protection Centre

The PDP Law previously introduced the Personal Data Protection Centre (the “PDPC”) as the competent authority responsible for implementing the PDP Law by regulating and supervising personal data processing activities in Egypt. Under the PDP Law, the PDPC is tasked with overseeing compliance, issuing licences and permits, developing regulatory policies and standards, and exercising enforcement powers. As the primary data protection regulator, the PDPC plays a central role in implementing the PDP Law, a role that has now been operationalised through the ER.

The PDPC continues to hold significant supervisory responsibilities, including ensuring that parties obtain the required licences and permits, with the duration and costs now specified under the ER. Additionally, parties must implement PDPC-approved mechanisms that enable data subjects to exercise their statutory rights.

The PDPC has also issued a series of preliminary guidelines on various topics, including consent, legal bases for processing, records of processing activities, and Data Protection Officers (“DPO”) and their categories. It has further published guidelines concerning privacy notices. These resources are intended to assist stakeholders in understanding and complying with the PDP Law and the ER.

Licensing

The PDP Law briefly stated that entities collecting personal data should be duly licensed by the PDPC. Building on the PDP Law, the ER provide detailed guidance on the classification and categories of licences and permits, as well as the conditions applicable to controllers and processors of Sensitive Personal Data. This includes setting out licensing procedures and fees for cross-border data transfers, direct electronic marketing, and the use of visual surveillance means in public places, alongside rules for renewal of such licences and permits. Furthermore, the ER introduce a formal accreditation scheme for natural or juristic persons, enabling them to qualify to provide consultations in the field of personal data management and protection. This scheme sets out eligibility criteria, conditions, and procedures for obtaining accreditation.

A clear distinction is drawn between licences and permits. Licences are granted on an ongoing basis to authorise continuous processing of personal data. Permits, on the other hand, are issued to controllers and processors for specific and temporary purposes, for varying periods not exceeding one (1) year.

Limited exceptions are also introduced regarding fees, including a key exemption from licensing fees for controllers and processors handling one (1) to one-hundred thousand (100,000) records, and an exemption from permit fees for personal data records ranging between one (1) to twenty-five thousand (25,000) records.

Consent

The ER set out detailed requirements governing consent as a lawful basis for processing personal data. In this regard, valid consent must be personal (provided directly by the data subject or by their authorised legal representative), explicit, informed, freely given, and limited to specific, clearly defined processing purposes.

At a minimum, consent obtained from the data subject must clearly cover the following information:

  • the data subject’s identity; 
  • the purpose(s) of processing; 
  • the categories of personal data that will be processed; and 
  • the right to withdraw consent at any time.

Further, the ER mandates that consent must be stored in a secure electronic register, including the date of such consent and the form in which it was provided.

The provision of personal data by a data subject for the purpose of receiving legitimate services or transactions shall be deemed to constitute valid consent to obtain and process the data for that purpose. Such data may not be used for other purposes without prior consent.

It is important to note that the processing of Sensitive Personal Data is subject to stricter requirements, whereby consent in such cases must be in writing, either on paper or electronically.

Electronic Records

There is an additional mandate to maintain electronic logs (records of processing activities) documenting all actions performed on personal data. The PDPC reserves the right to inspect all data-handling entities through its inspectors, acting in their capacity as judicial officers to review these electronic logs and verify compliance with standard benchmarks and technical procedures for data security and protection.

Enhanced Regulatory Oversight for Sensitive Personal Data and Children’s Data 

The ER provides detailed regulatory controls for processing Sensitive Personal Data. Further, children’s data is expressly treated as a heightened category of Sensitive Personal Data, subject to age-based consent requirements and specific restrictions on use.

New Breach Notification Requirements

The ER specifies strict timelines for notifying the PDPC in the event of data breaches: a seventy-two (72)-hour notification in general cases, and immediate notification where national security is implicated. The controller/processor then notifies the affected Data Subject of the breach three (3) business days after notifying the PDPC. The ER further introduces requirements for corrective and preventive measures, thereby emphasising the importance of incident response documentation.

DPO Extensive Framework

Beyond the PDP Law’s requirement to appoint a DPO, the ER introduces an exhaustive regulatory framework governing DPO appointment, registration, and replacement procedure. The DPO must hold academic qualifications or professional certifications and possess practical experience in relevant fields in accordance with the standards approved by the PDPC. In addition, the DPO must pass tests approved by the PDPC in accordance with the nature and volume of personal data activities.

The PDPC will also maintain an electronic registry in which DPOs must be recorded. Guidelines relating to DPOs have been published by the PDPC to assist stakeholders in meeting these requirements.

Cross-Border Transfer of Personal Data

The ER set out mechanisms for governing cross-border data transfers, requiring prior authorisation from the PDPC and compliance with conditions relating to the destination, purpose, type of data, security measures, and storage.

A licence or permit must be obtained from the PDPC for any cross-border transfers. Transfers are only permitted to countries specified in the licence or permit, which must be updated if additional countries are included. The ER also introduces an adequacy assessment for cross-border transfers. Such adequacy is evaluated on a case-by-case basis and will be included in the licensing decision, not presumed by law. 

Personal Data Representative

Controllers based outside Egypt must appoint a representative or agent within the country, via a branch, office, or other authorised means, who will be accredited by the PDPC for the duration of the licence or permit.

Direct Electronic Marketing

While the PDP Law recognised direct electronic marketing as a lawful processing activity, it did not previously provide any guidance or details on how such activities should be conducted. Accordingly, prior to the issuance of the ER, entities faced uncertainty regarding how to carry out marketing practices in compliance with the PDP Law.

The ER clarify that direct electronic marketing includes social media, emails, SMS, mobile calls, or any other technical means, and may only be carried out with a licence or permit from the PDPC. The ER also set out rules requiring that all marketing communications be conducted only with the prior, explicit, and informed consent of the data subject, with clear identification of the sender and the marketing purpose. The ER further require that controllers, processors, and marketing intermediaries maintain full electronic records of consent, respect withdrawal requests, and ensure personal data is only used for the declared marketing purpose.

In addition, a separate regulatory framework is introduced for granting access to personal data to foreign controllers or processors, also requiring prior licensing by the PDPC and confirmation that equivalent data protection standards apply.

  3. Compliance

Concerned Entities

The ER apply broadly to any natural or juristic person involved in the collection, processing, storage, or transfer of personal data in Egypt. This includes controllers, processors, marketing intermediaries, consultants, and any stakeholders engaged in activities covered under the PDP Law and ER, such as direct electronic marketing, surveillance in public spaces, or cross-border data transfers. Foreign entities processing or accessing Egyptian personal data are also subject to the regulatory framework and must comply with any licensing requirements imposed by the PDPC.

Sanctions

Non-compliance may expose entities to administrative sanctions, financial penalties, or enforcement actions by the PDPC. Stakeholders are, therefore, encouraged to review the full scope of the ER and implement measures to integrate these obligations into their operations within the grace period.

Grace Period for Compliance

The PDP Law provides for a one (1) year grace period commencing from the issuance of the ER, during which entities are expected to align their operations with the new requirements. On a strict reading, this transitional period would expire on 31 October 2026 based on the Official Gazette publication date. However, it remains unclear whether the competent authorities will calculate the grace period from the formal publication date or from the date on which the ER were made publicly accessible, and further clarification on this point is expected.

The contributors to this article are Darah Zakaria, Counsel and Head of TMT; Hana Koptan, Associate; and Junior Associates Habiba Tarek and Marwan Awny.
