In November 2025, the long-awaited Executive Regulations to Egypt’s Personal Data Protection Law No. 151 of 2020 (the “PDPL”) were issued by Minister of Communications and Information Technology Decision No. 81 of 2025 (the “Regulations”). The Regulations end years of speculation by providing a detailed framework for implementing the PDPL, moving the law from high-level principles to specific, actionable mandates that organizations must now implement.
Licensing and Permits Under the New Regulations
A cornerstone of the Regulations is the mandatory requirement for most controllers and data processors to obtain a formal license or permit from the Personal Data Protection Centre (the “PDPC”). The Regulations distinguish between an ongoing license for regular data processing activities and a shorter-term permit for specific, time-bound purposes. The type and cost of the license depend mainly on the number of personal data records processed. Under Article 19, entities that hold between 1 and 100,000 personal data records are exempt from license fees. Above this threshold, annual fees apply and increase with the number of records. Separate, specific licenses are also required for activities such as direct electronic marketing (Article 28) and the use of visual surveillance equipment in public places (Article 31).
Controllers’ Core Obligations
Under Articles 2 and 3, controllers must, at a minimum:
- Obtain clear, informed consent from data subjects before collecting their personal data.
- Define and document a retention period that is linked to the specific purpose of collection.
- Erase personal data once that purpose has been fulfilled, unless a legal obligation requires further retention.
- Put in place a mechanism, approved by the PDPC, that allows data subjects to access, correct, and object to the processing of their data.
Under Article 5, controllers must notify the PDPC of any personal data breach within 72 hours of becoming aware of it. They must then inform affected data subjects within three working days of the breach. Foreign controllers that do not have a branch in Egypt must appoint an authorized local representative in Egypt, as required by Article 3.
Role, Registration, and Responsibilities of Data Protection Officers (DPOs)
The role of the DPO is formalized under the Regulations. Articles 7 through 12 detail the conditions for registration in the DPO registry, which include professional qualifications, relevant practical experience, and passing exams approved by the Centre. The DPO’s responsibilities include monitoring the application of security policies, handling data subject requests, and providing an annual report on the state of privacy protection to the Centre. The legal representative of the controller or processor must register the DPO and notify the Centre at least 15 days before terminating the relationship with a DPO (Article 10).
Cross-Border Transfers of Personal Data
Cross-border transfers of personal data are not automatic under the Regulations. Controllers must obtain a separate license or permit from the PDPC before transferring personal data outside Egypt (Article 16). The PDPC will assess whether the destination country offers an adequate level of protection. The license application must identify the destination, the purpose of the transfer, the types of data involved, and the security measures applied at the storage locations (Articles 24 and 25). Under Article 27, the fee for a cross-border transfer license is set at 50% of the controller/processor license fee.
Special Categories of Data and Children’s Data
The Regulations also provide heightened protection for sensitive personal data (for example, data about health, biometric identifiers, or religious beliefs) and children’s data.
- Article 14 requires explicit written consent for processing sensitive personal data and imposes stricter security requirements.
- For children under 15, Article 15 requires explicit written consent from the child’s legal guardian before any collection or processing of their data.
Digital Evidence and Enforcement Context
Article 13 confirms that digital evidence derived from personal data is admissible, provided it meets technical conditions ensuring integrity and a documented chain of custody. This underscores the importance of maintaining robust logging and evidence-handling procedures.
What Should Organizations Do Now?
The Regulations create a detailed and demanding compliance regime. Organizations operating in or targeting Egypt should now:
- Map their data processing activities and determine which licenses and permits they require.
- Review and update their consent, retention, and deletion practices to meet the new standards.
- Appoint and register a qualified DPO where required.
- Design incident response procedures that meet the 72-hour PDPC notification and three-day data subject notification deadlines.
- Assess any cross-border data flows and prepare for the PDPC’s licensing and adequacy assessment.
What to Expect?
The Regulations for Egypt’s PDPL establish a rigorous and detailed compliance landscape. By introducing a structured licensing system, clarifying breach notification protocols, formalizing the DPO role, and setting strict rules for cross-border transfers and special categories of data, the Regulations provide the necessary clarity for businesses to operationalize the law. Organizations must now diligently review their data practices, initiate the required licensing procedures, and implement the prescribed technical and organizational measures to ensure full compliance. We assess that the PDPC will also become active very soon, allowing for more regulatory practice and compliance direction to be built.
How Can We Help?
GLA & Company is committed to supporting businesses in navigating the complexities of the developing data privacy landscape of Egypt, ensuring compliance with the PDPL and the upcoming regulatory guidelines. Our team of experts has a strong relationship with the regulator and provides tailored solutions, including compliance audits, in-house educational seminars, risk assessments, and the implementation of robust data protection measures. We assist organizations in evaluating the requirements of data transfers, assessing recipient compliance, and implementing security safeguards to mitigate risks.