Personal Data Protection Law in Egypt

Written By - Amr Hareedy, Associate, Levari

On 15 July 2020, Law No. 151 of 2020 concerning Personal Data Protection was finally issued.

The Law sets out the obligations of businesses regarding the personal data of individuals and their privacy. The Law also addresses different types of data, such as personal data and sensitive personal data, including children's data, as well as the cross-border transfer of personal data.

The Law defines personal data as any data relating to an identified natural person, or one who is identifiable, directly or indirectly, by reference to such data and other data. The Law defines Sensitive Data as data which discloses psychiatric, psychological, physiological, or genetic health, biometric or financial data, religious beliefs, political opinions, or criminal/security standing. In all cases, data relating to children is considered to be sensitive data.

Furthermore, the Law excludes from its scope of protection (a) personal data held by natural persons for personal purposes; (b) data processed for official statistics; (c) data processed for media purposes, provided that such data is accurate and valid; (d) data obtained for the purpose of investigations and lawsuits; (e) personal data held by national security authorities; and (f) data held by the Central Bank of Egypt and the entities subject to its supervision and control. Money transfer and exchange companies are not, however, excluded from the application of the law.

The Law grants the person concerned with the personal data certain rights to protect and ensure their privacy, including but not limited to knowing, reviewing, accessing and obtaining the personal data belonging to them which is held by any holder, controller or processor of such data.

Moreover, the Law sets out certain obligations which the controller and the processor of such data, whether a natural or juristic person, shall undertake. These include, but are not limited to, the following: a license or permit to handle personal data shall be obtained for the controller and the possessor from the Personal Data Protection Center (the “Center”); appropriate systems and controls shall be maintained for the protection of personal data privacy; and the controller and processor shall appoint a data protection officer to ensure that the provisions of this Law are applied.

In case of a breach of any personal data, the controller and processor shall, within seventy-two hours from their knowledge of the breach, in all cases inform the Concerned Person and the Center. If such breach relates to national security, the notification shall be made promptly.

The cross-border transfer, sharing, or storage of Personal Data to a foreign country is prohibited unless such country guarantees a level of protection of Personal Data such as that stated herein.

If you are interested to know more about the Personal Data Protection New Law, please send us on