Egypt Data Privacy Laws: PDPL Law 151/2020 and the 2025 Executive Regulations

Egypt's data privacy framework is governed by Law No. 151 of 2020 on the Protection of Personal Data, the country's first comprehensive data protection statute. Ministerial Decree No. 816 of 2025 activated the law's full requirements on 1 November 2025, with enforcement beginning 31 October 2026.
Quick Answer
Egypt's data protection regime is built on Law No. 151 of 2020 on the Protection of Personal Data (the PDPL), the country's first dedicated personal data protection statute. The law passed in October 2020 but sat largely dormant for five years, because the executive regulations needed to operationalize key provisions were never issued.
That changed on 1 November 2025, when the Minister of Communications and Information Technology issued Ministerial Decree No. 816 of 2025, promulgating the PDPL's Executive Regulations. The Regulations were published in the Official Gazette and took effect the day after publication. They introduced a mandatory licensing regime, detailed data subject rights mechanisms, cross-border transfer procedures, breach notification timelines, and Data Protection Officer requirements.
Organizations have a one-year grace period, with full enforcement expected on 31 October 2026. The PDPC's online application portal for licences and permits is expected to open around mid-June 2026.
Constitutional Basis for Privacy
Egypt's 2014 Constitution establishes privacy as a fundamental right. Article 57 states that private life is inviolable, safeguarded, and may not be infringed upon. The provision protects individuals from unauthorized surveillance, searches, and interference with personal communications.
Critically for data protection, Article 57 also declares that all forms of communication (including postal correspondence, electronic messages, phone calls, and telegraph communications) are inviolable and their confidentiality is guaranteed. Interception or monitoring may only occur by judicial order for a limited period under circumstances defined by law.
These constitutional protections provided the normative foundation for Law No. 151 of 2020. The PDPL translates the constitutional right to privacy into specific statutory obligations binding on both public and private sector entities.
Law No. 151 of 2020: Core Framework
Scope and Territorial Reach
The PDPL applies to the processing of personal data of natural persons residing in Egypt. Its territorial scope is broad: the law applies to any natural or legal person, whether inside or outside Egypt, who processes the personal data of Egyptian residents through any means, including electronic, digital, and traditional non-automated methods.
This extraterritorial reach brings foreign companies operating digital platforms and services into scope if they collect or process data belonging to Egyptian residents.
Personal data is defined as any information relating to an identified or identifiable natural person. The law separately recognizes a category of sensitive personal data, which receives heightened protection. Sensitive categories include:
- Mental, psychological, physical, or genetic health data
- Financial data and banking details
- Religious and ideological beliefs
- Political opinions
- Criminal records and judicial history
- Biometric data used for identification
Legal Bases for Processing
The PDPL recognizes several lawful bases that justify the processing of personal data:
Consent is the primary basis and is subject to strict requirements. Consent must be explicit, specific to the stated purpose, freely given, informed, and documented. Controllers must inform data subjects of the purpose of collection, the categories of data being processed, the identity of the controller, and the rights available to them. Consent may be withdrawn at any time. Once withdrawn, the controller must cease processing.
The Executive Regulations draw a distinction between explicit consent (required for most processing, sensitive data, and direct marketing) and a narrow category of implied consent, which applies only where processing is strictly necessary to deliver a lawful service or transaction expressly requested by the data subject.
Additional lawful bases include:
- Performance of a contract to which the data subject is a party
- Compliance with a legal obligation imposed on the controller
- Protection of vital interests where the data subject cannot consent
- Performance of a task carried out in the public interest
- Legitimate interests of the controller, provided these do not override the data subject's fundamental rights
Secondary use of data collected for one purpose for a different purpose requires renewed consent.
Sensitive Data Processing
Processing of sensitive personal data faces stricter requirements than ordinary personal data. It may only take place with the explicit consent of the data subject, or under narrowly defined statutory exemptions:
- Compliance with employment law obligations
- Protection of vital interests where the data subject is physically or legally unable to consent
- Public health purposes, including epidemic management
- Legal proceedings or the defense of legal rights
Sensitive data processing under any exemption must still comply with the data minimization, purpose limitation, and security requirements of the PDPL.
Data Subject Rights
The PDPL grants data subjects a comprehensive set of rights. Controllers must establish PDPC-approved mechanisms for data subjects to exercise these rights and must respond within defined timeframes. The rights include:
Right to be informed: Controllers must provide clear, transparent notice at the point of collection, including the identity of the controller, purpose of processing, categories of data collected, retention periods, the rights available, and whether data will be transferred internationally.
Right of access: Data subjects may request confirmation of whether their data is being processed and may obtain a copy.
Right to rectification: Individuals may request correction of inaccurate or incomplete personal data.
Right to erasure: Data subjects may request deletion of their data upon expiry of the processing purpose, withdrawal of consent, or where processing lacks a legal basis.
Right to restrict processing: Individuals may request that processing be suspended pending resolution of an accuracy dispute or a legal rights determination.
Right to object: Data subjects may object to processing not based on consent or contract, and may object to processing for direct marketing purposes at any time.
Right to withdraw consent: Consent may be revoked at any time; controllers must cease processing upon receiving a withdrawal request.
Right to data portability: Individuals may request that their data be provided in a usable, structured format.
Right to lodge a complaint: Data subjects may file complaints with the PDPC, which must resolve them within 30 working days.
Right to compensation: Individuals who suffer material or moral harm from violations of the PDPL may seek civil compensation through the courts.
The Personal Data Protection Centre (PDPC)
Establishment and Authority

The Personal Data Protection Centre (PDPC) was established under Article 19 of the PDPL as an independent public authority affiliated with the Ministry of Communications and Information Technology. The Executive Regulations issued in November 2025 formally operationalized the PDPC and defined its regulatory framework.
The PDPC's powers include:
- Setting national data protection policies and technical standards
- Issuing, suspending, and revoking processing licences and permits
- Receiving and investigating data subject complaints (30 working days to decide)
- Conducting inspections of controller and processor operations
- Imposing administrative fines and referring criminal violations to prosecutors
- Maintaining the registry of licensed Data Protection Officers
- Publishing the Executive Regulations and guidance on its official website
The PDPC website was launched following the issuance of the Executive Regulations and includes the published text of the Regulations along with regulatory guidance. The electronic licensing portal (through which controllers, processors, and DPOs will submit applications) is expected to open around mid-June 2026.
Licensing Regime
One of the most significant and distinctive features of Egypt's data protection framework is its mandatory pre-authorization licensing regime. Unlike the self-assessment or registration approach used in the EU, UK, or United States, Egypt requires most data controllers and data processors to obtain a PDPC licence or permit before commencing processing activities.
The Executive Regulations establish a tiered fee structure based on the volume of personal data records processed:
| Data Volume (Records) | Annual Licence Fee |
|---|---|
| 1 to 100,000 | Exempt |
| 100,001 to 200,000 | EGP 200 |
| 200,001 to 300,000 | EGP 300 |
| 300,001 to 1,000,000 | EGP 400 to EGP 1,000 (tiered) |
| 1,000,001 to 2,000,000 | EGP 5,000 to EGP 50,000 (tiered) |
| 2,000,001 to 5,000,000 | EGP 60,000 to EGP 500,000 (tiered) |
| Above 5,000,000 | Capped at EGP 2,000,000 per year (3-year maximum) |
Controller-only or processor-only licences receive a 50% fee reduction. A controller-processor combined licence is available for entities acting in both capacities.
Separate licences are required for:
- Cross-border data transfers (priced at 50% of the applicable controller/processor licence fee)
- Direct electronic marketing activities (Article 28 licence)
- Visual surveillance systems in public places (Article 31 licence)
The Regulations also distinguish between an ongoing licence (for continuous, permanent processing activities) and a temporary permit (for specific, time-limited processing purposes with fees scaled by both data volume and duration). Licence applications must include detailed information about the data being processed, the security measures in place, retention periods, and the identity of the DPO.
Cross-Border Data Transfers
Prior Authorization Required
The PDPL prohibits the transfer of personal data outside Egypt without prior authorization from the PDPC. This is a hard rule: no self-certification, no standard contractual clauses alone, and no adequacy reliance without formal approval.
Before any international transfer, a controller or processor must:
- Obtain a PDPC cross-border transfer licence (filed separately from the processing licence)
- Demonstrate that the destination country offers an adequate level of data protection
- Specify the destination country, foreign entity, data categories and volumes, security measures, storage locations, and retention periods
Adequacy Assessment
The PDPC assesses the destination country's protection level based on whether it has personal data protection legislation consistent with the principles of the PDPL, adequate technical and security measures, and legal mechanisms enabling compensation for data subjects who suffer harm.
No formal adequacy list had been published by the PDPC as of mid-2026. Organizations seeking transfer authorizations must address these criteria in their applications on a case-by-case basis.
Exceptions
Where a destination country does not meet the adequacy threshold, transfers may still proceed with the explicit consent of the data subject where the transfer falls within a defined statutory category:
- Medical necessity or protection of vital interests
- Performance of a contract at the data subject's request
- Defense of legal rights in judicial proceedings
- Compliance with international treaties to which Egypt is a party
All approved transfers must strictly follow the authorizations issued. Ongoing obligations require controllers to maintain equivalent protection levels throughout the data's lifecycle abroad.
Data Breach Notification
PDPC Notification
Data controllers and processors must notify the PDPC of any personal data breach within 72 hours of becoming aware of it, through a designated electronic register. Where the breach raises national security concerns, immediate notification is required.
The breach notification must include:
- A description of the nature of the breach and the data affected
- The approximate number of records and data subjects involved
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Individual Notification
Where a breach poses a significant risk to data subjects, the controller must also notify affected individuals within three working days of becoming aware of the breach. Notification must be made through pre-agreed communication methods and must describe the breach, its consequences, and the remedial steps being taken.
Data Protection Officer Requirements
Who Must Appoint a DPO
Under the PDPL and Executive Regulations, all legal entities processing personal data must appoint a Data Protection Officer. The DPO must be:
- Formally registered with the PDPC (in the PDPC's DPO registry)
- Publicly announced as the organization's DPO
- Independent from operational decision-making on data processing
Natural persons (sole traders and individual controllers/processors) may appoint a DPO voluntarily but are not required to do so under the same mandatory framework.
The DPO's responsibilities include monitoring compliance with the PDPL and its Regulations, handling data subject requests, advising the organization on data protection matters, acting as the primary point of contact with the PDPC, and reporting compliance issues to senior management.
DPO Qualifications
The Executive Regulations require DPOs to hold professional qualifications, have relevant practical experience, and pass exams approved by the PDPC. The PDPC's DPO examination and accreditation procedures were not fully published as of early 2026.
Foreign controllers without a local presence in Egypt must appoint an approved local representative or agent to serve as their point of contact with the PDPC.
Failure to Appoint
Failure to appoint a registered DPO carries a fine of EGP 200,000 to EGP 2,000,000 under the PDPL's criminal penalty provisions.
Penalties and Enforcement
Criminal Penalties

The PDPL's penalty structure combines criminal sanctions with administrative fines. Criminal penalties are tiered by the type and severity of the violation:
General data processing violations (unauthorized processing causing harm): imprisonment of not less than six months, and/or a fine of EGP 200,000 to EGP 2,000,000.
Sensitive personal data violations (unauthorized collection, disclosure, circulation, or transfer of sensitive data without consent or legal basis): imprisonment of not less than three months, and/or a fine of EGP 500,000 to EGP 5,000,000.
Cross-border transfer violations (transferring personal data outside Egypt without PDPC authorization): imprisonment of not less than three months, and/or a fine of EGP 500,000 to EGP 5,000,000.
Aggravated violations (violations committed for material or moral benefit, or intended to harm the data subject): imprisonment of not less than six months, and/or a fine of EGP 200,000 to EGP 2,000,000.
Denial of data subject rights (refusing to honor data subject rights without lawful justification): a fine of EGP 100,000 to EGP 1,000,000.
DPO negligence (violation attributable to the DPO's negligence): a fine of EGP 50,000 to EGP 500,000.
Data security violations (inadequate security measures leading to a breach): fines of EGP 300,000 to EGP 3,000,000.
Marketing violations (unauthorized direct electronic marketing): fines of EGP 200,000 to EGP 2,000,000.
In all cases, courts are empowered to order publication of the sentence in two widely circulated newspapers and on the internet, at the convicted party's expense. Attempts to commit violations are punishable at half the prescribed penalty level.
Civil Liability
Data subjects who suffer material or moral harm as a result of a PDPL violation may pursue civil claims for compensation. The PDPL provides for both financial damages and non-financial harm, including reputational injury and distress. A 2024 court case (No. 19754) addressed privacy violations involving unauthorized dissemination of personal information, signaling that Egyptian courts were prepared to engage with data protection claims even before the formal enforcement framework was fully activated.
Administrative Fines
The PDPC has independent authority to impose administrative fines for violations of the law and its Regulations, ranging from EGP 200,000 to EGP 5,000,000 depending on the nature and severity of the violation.
No formal public enforcement actions had been issued by the PDPC as of mid-2026. The 31 October 2026 deadline marks the end of the one-year transitional grace period and the start of active enforcement.
Intersecting Laws
Anti-Cybercrime Law No. 175 of 2018
Egypt's Law No. 175 of 2018 on Anti-Cyber and Information Technology Crimes provides a complementary layer of criminal protection for personal data, operating alongside the PDPL rather than in place of it.
Article 25 of the Cybercrime Law criminalizes the unlawful disclosure or use of personal data and any conduct violating individuals' privacy without consent. Article 26 imposes enhanced penalties for using information technology to process personal data in a way that harms a person's reputation or dignity.
Service providers under the Cybercrime Law must retain system and communication logs for 180 days and cooperate with national security authorities in investigations. This intersects with the PDPL's data retention principles, requiring organizations to balance security-law retention mandates against data minimization obligations.
Telecommunications Law
Egypt's Telecommunications Law regulates the confidentiality of communications infrastructure and intersects with the PDPL where telecom service providers process subscriber personal data, including call records, location data, and billing information. Telecom sector obligations on data security, retention, and disclosure to authorities operate alongside PDPL requirements.
Children's Data
The PDPL and its Executive Regulations establish age-differentiated consent requirements for processing children's personal data:
Under 15 years old: Explicit written consent from the child's legal guardian is required before any personal data collection or processing. The participation of a child in a game, competition, or any other activity may not be made conditional on the submission of personal data beyond what is strictly necessary for that participation.
Ages 15 to 18: Consent must be provided by the child or the guardian depending on circumstances, under mechanisms established by the PDPC and applicable legal conditions.
The Executive Regulations restrict behavioral profiling, tracking, and monitoring of children beyond what is strictly necessary for the stated purpose. Organizations developing apps, platforms, or services directed at or used by children in Egypt should implement age-verification mechanisms and build guardian-consent workflows before the October 2026 enforcement date.
Direct Electronic Marketing
Separate Licence Required
Direct electronic marketing (including promotional emails, SMS, push notifications, and similar communications) requires a separate PDPC licence distinct from the standard controller/processor processing licence. The fee for this licence is set at 50% of the applicable controller/processor licence amount.
The licensing application must demonstrate that explicit, purpose-specific consent was obtained for marketing communications and that such consent is demonstrably linked to direct electronic marketing rather than bundled with other consents.
Consent and Purpose Limitation
The Executive Regulations impose strict purpose limitation on marketing data: personal data collected for direct electronic marketing purposes may not be used for any other purpose unless new, explicit consent is obtained for that secondary use.
Mandatory erasure of marketing data is required upon consent withdrawal or upon expiry of the stated purpose. Withdrawal mechanisms must be accessible through any communication channel approved by the PDPC.
Marketing intermediaries (agencies and third-party platforms used to deliver marketing communications) bear independent obligations to verify that the original controller obtained valid, documented consent before the data was shared.
Data Security Requirements

Controllers and processors must implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental destruction, loss, alteration, or unlawful disclosure. The measures must be proportionate to the sensitivity of the data, the risks associated with the processing, and the state of the art in available security technologies.
The Executive Regulations require that security measures address:
- Encryption and pseudonymization where appropriate
- System access controls and authentication procedures
- Logging and audit trail capabilities
- Business continuity and disaster recovery procedures
- Regular testing and evaluation of security systems
Privacy notices must be provided in Arabic, be transparent, and be delivered at the time of collection or before any third-party disclosure.
AI and Emerging Technologies
Egypt's Second National AI Strategy (2025-2030), launched by President El-Sisi in January 2025, integrates data protection as a foundational requirement for responsible AI development. The strategy is built on six pillars (Governance, Technology, Data, Infrastructure, Ecosystem, and Talent) and operates alongside the PDPL's data governance framework.
The Executive Regulations include specific references to artificial intelligence and emerging technologies, requiring that AI-driven processing comply with recognized principles and that such processing not result in harm to data subjects. Controllers using AI for automated decision-making must be prepared to demonstrate that PDPC-approved mechanisms exist for data subjects to exercise their rights.
The strategy also envisions a dedicated Centre for Responsible AI as a specialized oversight body, which will likely interact with the PDPC on AI-specific data governance questions as the framework matures.
Recent Developments (2024-2026)
November 2025: Executive Regulations issued. Ministerial Decree No. 816 of 2025, issued on 1 November 2025, brought the PDPL's operational framework into force after a five-year delay. The Regulations were published in the Official Gazette and entered into force the following day.
December 2025: Regulations publicly released. The full text of the Executive Regulations was published on the PDPC's website in December 2025, along with initial regulatory guidance documents.
January 2025: National AI Strategy 2025-2030 launched. President El-Sisi launched Egypt's second National AI Strategy, emphasizing PDPL-aligned data governance as a prerequisite for responsible AI deployment across sectors.
Mid-2026: PDPC licensing portal expected. The PDPC's electronic application portal for processing licences, cross-border transfer licences, DPO registration, and permit applications is expected to open around mid-June 2026.
31 October 2026: Enforcement deadline. The one-year grace period expires on 31 October 2026. From that date, organizations without valid PDPC licences face full exposure to the PDPL's administrative, criminal, and civil penalties.
2024 court case (No. 19754). An Egyptian court addressed a privacy violation involving the unauthorized dissemination of personal information online, demonstrating judicial engagement with data protection rights in advance of formal regulatory enforcement.
Business Compliance Checklist
Organizations processing personal data of Egyptian residents should work through the following steps ahead of the October 2026 deadline:
Data mapping: complete before the portal opens
- Identify all personal data collected, stored, or shared
- Classify data by category (ordinary personal data vs. sensitive personal data)
- Document processing purposes, retention periods, and data flows
- Identify all international transfers involving Egyptian resident data
Licensing preparation
- Determine which licence categories apply (controller, processor, cross-border transfer, marketing, surveillance)
- Calculate applicable fee tiers based on record volumes
- Prepare application documentation including security measures, retention schedules, and DPO details
- Submit applications through the PDPC portal once it opens (expected mid-June 2026)
DPO appointment
- Identify and appoint a qualified DPO meeting PDPC qualification requirements
- Complete PDPC DPO registration
- Foreign controllers without local presence must appoint an approved local representative
Privacy notices and consent
- Update privacy notices to comply with PDPL requirements, in Arabic where required
- Audit consent mechanisms to ensure consent is explicit, documented, and purpose-specific
- Build separate consent workflows for sensitive data, children's data, and direct marketing
- Implement consent withdrawal mechanisms
Breach response
- Establish a documented breach response procedure
- Ensure the 72-hour PDPC notification window can be met operationally
- Test individual notification workflows for high-risk breaches
Supplier management
- Map third-party data processors and review data processing agreements
- Confirm that marketing intermediaries hold valid consent records before sharing data
International transfers
- Identify all cross-border data flows involving Egyptian resident data
- Obtain separate PDPC cross-border transfer licences for each transfer
- Address destination country adequacy on a case-by-case basis in licence applications
Frequently Asked Questions
What is Egypt's main data protection law?
Egypt's primary data protection statute is Law No. 151 of 2020 on the Protection of Personal Data (PDPL). It was enacted in October 2020 and entered into force in January 2021, but full implementation was delayed until Ministerial Decree No. 816 of 2025 issued the Executive Regulations on 1 November 2025. The law covers personal data processing by automated and non-automated means across public and private sectors.
What are the Executive Regulations and when did they come into effect?
The Executive Regulations are the implementing rules issued under the PDPL that specify the operational details of the law, including the licensing regime, DPO requirements, breach notification timelines, cross-border transfer procedures, and fee structures. They were issued by the Minister of Communications and Information Technology under Ministerial Decree No. 816 of 2025 on 1 November 2025 and entered into force the following day, ending a five-year implementation delay.
Do organizations need a licence to process personal data in Egypt?
Yes. The Executive Regulations require most data controllers and data processors to obtain a PDPC licence or permit before processing personal data. Entities processing 100,000 records or fewer are exempt from licence fees but may still need to register. Separate licences are required for cross-border data transfers, direct electronic marketing, and visual surveillance in public places. The PDPC licensing portal is expected to open around mid-June 2026.
What is the compliance deadline for Egypt's PDPL?
The Executive Regulations provide a one-year transitional grace period, meaning the full enforcement deadline is 31 October 2026. From that date, organizations without valid PDPC licences and without compliant data protection programs are exposed to administrative fines, criminal penalties, and civil liability under the PDPL.
What are the penalties for violating Egypt's PDPL?
Penalties depend on the type of violation. Unauthorized processing of sensitive personal data or unlicensed cross-border transfers carry imprisonment of at least three months and fines of EGP 500,000 to EGP 5,000,000. Denial of data subject rights carries fines of EGP 100,000 to EGP 1,000,000. Failure to appoint a registered DPO carries fines of EGP 200,000 to EGP 2,000,000. Courts may also order public disclosure of the conviction in newspapers and online.
Can personal data be transferred outside Egypt?
Yes, but transfers require a separate PDPC cross-border transfer licence in addition to the standard processing licence. The PDPC evaluates whether the destination country provides adequate data protection. Where adequacy cannot be demonstrated, transfers are only permitted with the explicit consent of the data subject for specific statutory purposes such as medical necessity, contract performance, or legal proceedings.
Who must appoint a Data Protection Officer under Egypt's PDPL?
All legal entities (companies, organizations, and public bodies) processing personal data must appoint a PDPC-registered Data Protection Officer. The DPO must meet qualification requirements set by the PDPC, pass PDPC-approved exams, and be publicly announced. Foreign organizations without a local presence in Egypt must appoint an approved local representative to fulfill the DPO function.
What is the breach notification requirement under Egypt's PDPL?
Data controllers must notify the PDPC of a personal data breach within 72 hours of becoming aware of it. Where national security considerations arise, immediate notification is required. If the breach poses a significant risk to data subjects, affected individuals must also be notified within three working days. Notifications must describe the breach, the data and individuals affected, likely consequences, and the remedial steps taken.
How does Egypt's PDPL treat children's data?
Children under 15 require explicit written consent from a legal guardian before any personal data collection or processing. For children aged 15 to 18, consent procedures are determined by the PDPC in line with applicable legal conditions. Processing for games, competitions, or other activities may not be conditioned on collecting more data than is strictly necessary. Behavioral profiling of children is restricted under the Executive Regulations.