Ridwan Oloyede and Victoria Adaramola
Introduction
After a period of anticipation following the enactment of the Personal Data Protection Law (PDPL), the Egyptian Ministry of Communications and Information Technology has issued the Executive Regulation. This critical regulatory development operationalises the PDPL, transforming broad statutory principles into enforceable obligations. The Regulation provides the technical details required for compliance, establishing the licensing regimes, fee structures, and procedural safeguards that will govern the processing of personal data in Egypt. The Regulation adopts a distinctly structured, authorisation-heavy approach, similar to that of some other African countries.
The Regulation enters into force on the day following its publication in the Official Gazette. Entities subject to the law are granted a one-year grace period under Article 6 of the PDPL's issuance articles to align their operations with the new regime.
The Regulation reinforces the mandate of the Personal Data Protection Centre (the Centre) as the primary regulator. The scope remains consistent with the Law, covering any processing of personal data performed electronically, with standard exemptions for household use and national security purposes.
The Regulation details the technical and organisational measures required for compliance:
Perhaps the most significant operational obligation introduced by the Regulation is the licensing system, which effectively transforms the processing of personal data into a regulated activity requiring specific authorisation and fee payments based on data volume. It establishes a tiered fee structure for obtaining a "Controller" or "Processor" licence, calculated on the number of personal data records an entity holds. In a move to support the startup ecosystem, entities holding between one and 100,000 records are exempt from these licensing fees. For larger datasets, fees commence at approximately 200 EGP (approximately 4 USD) for holders of 101,000 to 200,000 records and scale incrementally. For entities managing substantial databases exceeding 5 million records, the fee is capped at a legal maximum of roughly 2 million EGP (approximately 41,000 USD) over a three-year period. Additionally, lower flat fees apply to specific sectors, including Associations (5,000 EGP/100 USD), Unions (10,000 EGP/200 USD), and Clubs (up to 50,000 EGP/1,000 USD). For processing activities that are specific, temporary, and do not exceed one year, the Centre issues temporary permits rather than full licences, with fees similarly based on duration and data volume.
A defining feature of the Regulation is the detailed governance of DPOs, marking a shift from countries where appointing a DPO is largely an internal compliance decision based on specific criteria. The Regulation requires DPOs to be registered with the Centre, establishing a formalised professional standard. To qualify for registration, candidates must possess relevant academic qualifications or professional certifications, successfully pass tests approved by the Centre, and maintain a clean criminal record, free of offences involving honour or trust. Upon registration in a dedicated electronic system, each DPO is assigned a unique identification code that specifies the nature and volume of data they are authorised to handle. Furthermore, the Regulation explicitly defines the DPO's professional liability, empowering the Centre to suspend or request the replacement of any officer who violates the registration conditions.
Controllers and Processors must maintain secure electronic logs that record the data categories, processing scope, retention periods, and security measures.
Breach notification is strictly regulated. The Centre must be notified within 72 hours, and the notification must include the timing and nature of the breach, the estimated number of affected records, and the remedial measures taken. Crucially, the data subject must be notified within 3 working days of the breach being reported to the Centre.
Controllers and Processors located outside Egypt must appoint a local representative (branch or agent) to be accredited by the Centre.
Under the Regulation, transferring data outside Egypt requires a specific licence or permit, adding a significant layer of regulatory approval to international operations. Entities wishing to transfer data must obtain a licence, for which the fee is set at 50% of the standard Controller/Processor licence fee. The transfer is strictly contingent on the recipient country providing an adequate level of protection, as defined by the Regulation, which lists specific criteria, including the existence of comprehensive data protection legislation and effective redress mechanisms. Furthermore, applicants must provide detailed documentation specifying the destination, the nature of the data, the purpose of the transfer, and the security measures in place both in transit and at rest.
e. Direct Electronic Marketing
Direct Electronic Marketing is treated as a distinct, licensable activity under the Regulation, meaning it is not automatically covered by a general data processing authorisation. Entities must obtain a specific licence to conduct such marketing, and this requirement is segmented into two categories: one for marketing one's own products or services, which incurs a fee equal to 10% of the standard licence fee, and another for marketing on behalf of others, which costs 25% of the standard licence fee.
In addition to licensing, the Regulation imposes strict operational mandates. Explicit consent from the recipient is required before any marketing communication can be sent, and senders must maintain detailed electronic records of these consents and any opt-out requests. Furthermore, transparency is enforced by requiring that all communications clearly identify both the sender and the marketing purpose, ensuring recipients are fully informed about the message's source and intent. Crucially, every marketing communication must include a clear, accessible mechanism for recipients to opt out or request a "do not contact" preference for future messages.
The Regulation establishes rigorous special regimes for high-risk data categories and surveillance technologies. Processing sensitive data, such as health or biometric information, mandates both a specific licence and explicit written consent. Similarly, strict consent protocols govern children's data: for children under 15, guardian consent is required, and the Centre will define specific consent mechanisms for minors aged 15 to 18. Regarding visual surveillance, operating CCTV in public spaces is now a licensable activity subject to a fee of 1,000 EGP (approximately 20 USD) every three years. Furthermore, the framework explicitly prohibits the use of facial recognition technology without explicit consent or legal authorisation, and bans the transfer of surveillance footage outside Egypt without a valid cause.
The Regulation professionalises the privacy consultancy sector by mandating that entities and individuals offering data protection consultation services obtain official "Accreditation" from the Centre. This accreditation process requires applicants to pass specific tests and demonstrate relevant professional experience, thereby establishing a baseline of market competency. To maintain this status, accredited individuals must pay an annual fee of 5,000 EGP (approximately 100 USD), while corporate entities are charged 50,000 EGP (approximately 1,000 USD) annually. This approach mirrors the Data Protection Compliance Organisation model pioneered in Nigeria, which licenses private firms to audit and assist with compliance, and reflects a growing trend across the continent, as seen in Somalia and Zambia, as well as in proposed amendments to Ghana’s data protection framework.
The Executive Regulation introduces a rigorous compliance framework. The Egyptian regulator has created a system that prioritises formal authorisation alongside operational compliance by tying data processing operations directly to licensing and fee structures. For businesses, particularly multinationals and data-heavy industries, the immediate priorities are clear: conducting a data census to determine licence tiers, appointing and registering a qualified DPO, and preparing for the licensing application process for both domestic processing and cross-border transfers. The exemption for smaller datasets is a welcome relief for the startup ecosystem, but the strict requirements for electronic marketing and cross-border transfers will require significant adjustments to current business practices.