Compliance Deadline
The enactment of the Executive Regulations marked the commencement of the one-year reconciliation period set forth under PDPL. From 31 October 2026, individuals and entities captured by PDPL and its Executive Regulations shall ensure full compliance with the substantive obligations and regulatory requirements set forth thereunder.
The Personal Data Protection Center (PDPC) referred to under Article (19) of PDPL has been already established and is chaired by the Minister of Telecommunication and Information Technology. PDPC is currently entrusted with raising awareness of personal data protection in Egypt, setting out the regulatory framework pertaining thereto and ensuring compliance with the pertinent laws and implementing rules, as well as issuing licenses and undertaking registrations pursuant to PDPL.
Licensing and registration requests will be submitted electronically on the PDPC portal. The portal is scheduled to go live by May 2026.
Any person that controls or processes personal data shall procure the relevant licenses described under PDPL. The key licensing/registration requirements are summarized as follows:
The appointment of a DPO reflects one of the key requirements under PDPL. In fact, the appointment of a DPO is a prerequisite for obtaining any license or undertaking any registration from PDPC.
The DPO must be registered with PDPC, having met the requirements and passed the PDPC examination. There are currently three categories of DPO registrations: A, B and C, where category A pertains to highly experienced DPOs with advanced expertise in data protection. The requisite DPO category for applicants will depend on the nature and size of the data in relation to which they are appointed. Once registered, registration will be valid for a renewable 2-year period.
In making its assessment, PDPC will take into account any appropriate certifications held by the relevant individual, to assess the category under which they fit.
PDPC has introduced a unified licensing regime applicable to both personal data controllers and data processors, under a single overarching licence referred to as the “Controller/Processor Licence.” This licence represents the primary and mandatory authorisation for any person (whether an individual or a legal entity) intending to process personal data.
The applicable licensing fees are determined by reference to the volume of personal data records processed, with each data subject counted as one record.
In addition, where a data controller or processor processes personal data relating to individuals located in Egypt, but is not established in Egypt and does not maintain a branch or representative office in the country, it will be required to appoint a local representative. Such appointment is subject to the approval of PDPC.
In addition to the general controller/processor license, where a person wishes to undertake direct electronic marketing, whether by themselves or through a third party, they must obtain a direct electronic marketing license.
The receipt of this license is conditional on, amongst other things, (a) setting out a mechanism to obtain the data subject’s consent to receive direct marketing communication, as well as reject it and withdraw consent thereto, and (b) the applicant must hold an electronic register to record said consent and any changes thereto or withdrawal thereof.
The applicable fee for a direct electronic marketing license obtained for the applicant’s own use would be 10% of their controller/processor license fee while the fee for a direct electronic marketing license to allow a third-party service provider to market their products or services is 25% of the controller/processor fee.
Sensitive personal data pertains to psychological, mental, physical, genetic health, biometric, financial data, any data that reveals religious beliefs, as well as data pertinent to the political views or the security situation of the data subject. Any data relating to children is automatically deemed to be sensitive personal data.
Where sensitive personal data is involved, the relevant controller/processor must additionally obtain a sensitive personal data license. This license would be typically issued for a short term, not exceeding one year. This license fee also depends on the volume of data records being processed.
Where the controller/processor wishes to transfer personal data outside of Egypt, they must ensure, amongst other things, that the level of protection in the receiving country is not less than the standards applied in Egypt and carry out a transfer impact assessment covering the underlying risks that could affect data subjects and adequacy safeguards. In addition, they must obtain the approval of the data subject to transfer the data overseas, as well as the prior approval of the PDPC which is granted in view of the level of protection/security applied in the other jurisdiction.
Once obtained, the license will identify the category of the data being transferred, transfer routes, recipient(s), and destination(s) abroad. The fee for obtaining a license to process and transfer personal data overseas will be 50% of the license fees to process the same kind and type of data locally.
The PDPC is preparing a whitelist of countries that provide a sufficient level of protection to personal data. This whitelist of countries will help in identifying countries to which data may be transferred without the need for additional safeguards.
The PDPC will be also entrusted to issue licenses for the use of visual surveillance systems (“VSS”), such as CCTV equipment, in public areas, where such systems involve presenting or recording photos or videos of data subjects. Private households are exempt from this licensing requirement. Where VSS are used, a sign must be displayed at the relevant place informing present persons of its operation.
The applicable fees are EGP 1,000 for a three-year license to use VSS in public areas, and EGP 500 for an annual permit.
Entities wishing to provide consultancy or advisory services in relation to the PDPL (including law firms and IT service providers) are required to obtain a licence from the PDPC.
The applicable licence fee is currently EGP 50,000 for legal entities (juridical persons), and EGP 5,000 for natural persons. In both cases, the licence is valid for a period of three years.
Organisations processing personal data relating to individuals in Egypt should assess whether they fall within the scope of the licensing regime and, if so, ensure that the appropriate licence is obtained. Businesses should also evaluate their data volumes to anticipate potential licensing costs and confirm whether a local representative must be appointed. Early engagement with these requirements will be key to ensuring compliance and avoiding potential regulatory exposure.
If you would like more information about this topic then please contact us.
-
SENIOR ASSOCIATE
