The Issuance of the Executive Regulations of the Data Protection Law and the establishment of the Data Protection Centre
1- Introduction
The Executive Regulations of the Egyptian Personal Data Protection Law No. 151 of 2020 (the “PDPL”) have been issued pursuant to Minister of Communications and Information Technology Decree No. 816 of 2025 (the “Executive Regulations”). Notably, the Executive Regulations have only now been made publicly available. Their issuance translates the PDPL’s general principles into detailed, operational, and enforceable rules that data users (controllers and/or processors) must now implement in practice.
In this regard, it is worth noting that the official website of the Personal Data Protection Center (“PDPC”) has now been launched. The website includes the published text of the Executive Regulations, in addition to a set of regulatory guidelines covering the following areas:
- Data Subject Consent: This guideline provides detailed instructions on obtaining valid consent from data subjects, including the design of consent requests, management of consent, withdrawal procedures, and record-keeping requirements.
- Lawful Basis: This guideline explains the different lawful bases for processing personal data, ensuring that all processing activities are justified and compliant. It also covers consent, contractual obligations, legal obligations, legitimate interests, claiming or defending legal rights, and compliance with court or regulatory orders.
- Electronic Direct Marketing: This guideline outlines the requirements and best practices for electronic direct marketing, covering both creators and senders of marketing communications. It emphasizes that all electronic direct marketing messages must be targeted, based on personal data, and include clear information on the sender, purpose, and an effective opt-out mechanism. Key obligations include obtaining valid consent or permits, honoring opt-out requests promptly, maintaining accurate records, and ensuring transparency and lawful use of third-party data, cookies, and tracking technologies. The guideline also highlights the importance of avoiding misleading interfaces or communications that compromise consent validity.
- Data Protection Officer: This guideline explains the role, responsibilities, registration, and appointment of DPOs under the PDPL. The DPO oversees the data user’s compliance with data protection obligations, acts as the main point of contact for both data subjects and the PDPC, and supports the implementation of data protection measures. It covers DPO registration criteria, the application process, and PDPC assessment, as well as appointment procedures, including multiple appointments and termination rules. Data users must ensure the DPO can operate independently, with adequate support and involvement in decision-making, while maintaining neutrality and effective communication channels.
- Data Protection Officer Categories: This guideline classifies DPOs into three categories to ensure effective data oversight: Category A (Lead DPO) for large organizations, requiring 3–5 years of experience or recognized certifications and passing an exam; Category B (Advanced DPO) for medium organizations, requiring 2–3 years of experience or one relevant certification and passing an exam; and Category C (Entry-Level DPO) for small organizations, requiring 0–1 year of experience and passing an exam. Shared DPOs are allowed via formal agreements with PDPC approval. All DPOs undergo reassessment every three years, and voluntary category changes are possible based on demonstrated experience, training, or certifications, with final approval by the PDPC.
- Data Users: This guideline defines controllers, processors, and controller/processors, explaining their roles, responsibilities, and legal obligations under the PDPL. It covers how to determine each role, manage relationships between data users, and comply with key requirements, including data protection principles, data subjects’ rights, licenses and permits, DPO appointment, Records of Processing Activities, impact assessments, breach notifications, sensitive data handling, electronic marketing, cross-border transfers, cooperation with the PDPC, and contractual data protection clauses.
- Data Protection Principles: This guideline explains the fundamental principles governing personal data processing under the PDPL. It covers lawfulness, fairness, transparency, purpose limitation, data minimization, data accuracy, storage limitation, data security, and accountability. The guideline provides practical instructions to ensure compliance, including how to determine lawful bases for processing, assess fairness, communicate transparently with data subjects, limit collection to necessary data, maintain accuracy, define retention periods, implement security measures, and demonstrate accountability through documentation, records, impact assessments, and internal policies.
- Record of Processing Activities (“RoPA”): This guideline provides practical tools for data users to maintain a complete and accurate record of all personal data processing activities, as required under the PDPL. It explains how to develop a RoPA, including asset inventory, data classification, stakeholder interviews, and regular updates. The guideline also covers the PDPC RoPA templates for controllers, processors, and controller/processors, detailing mandatory information such as purpose of processing, categories of data and data subjects, retention periods, technical and organizational security measures, data protection agreements, cross-border transfer details, and impact assessments. Data users must ensure the RoPA is up-to-date, accurate, and available to the PDPC upon request.
- Licenses and Permits: This guideline explains the types, application, renewal, and amendment of licenses and permits issued by the PDPC under the PDPL. Further, the guideline covers general licenses/permits and supplementary licenses/permits. It also outlines application procedures via the PDPC electronic portal, required documentation, prescribed fees, and timelines for issuance. The guideline also addresses renewal, amendment due to legal changes, mergers, or PDPL objectives, and enforcement measures, including warnings, suspension, revocation, and transitional one-year compliance provisions.
- Privacy Notice: This guideline explains the requirements for providing a privacy notice under the PDPL. Data users must inform data subjects about the purpose, scope, and lawful basis of personal data processing, the types of data collected, recipients, cross-border transfers, retention periods, data subject rights, security measures, and the right to lodge complaints with the PDPC. The notice must be visible, in Arabic, concise, transparent, in layperson language, easily accessible, and accurate and up-to-date. It can be provided in layers, just-in-time, or via multimedia formats. Privacy notices must be given at the time of data collection, first communication, or prior to the first disclosure to third parties.
While these guidelines do not carry the force of law, they provide important interpretative insight into the PDPC’s regulatory expectations and enforcement approach.
Entry into Force and Compliance Date
The Executive Regulations entered into force on the day following their publication in the Official Gazette on November 2, 2025. Even though the copy made available to law firms in Egypt lists November 1, 2025, as the publication date, that copy was only made available to law firms on December 25, 2025. To date, neither the Official Gazette nor any other authority in Egypt has offered an explanation for this approach, which is not common in Egypt.
In this regard, the Personal Data Protection Law expressly grants all persons subject to its provisions a statutory period of one year from the issuance of the Executive Regulations to legitimize and regularize their data processing activities in accordance with the Data Protection Law and its Executive Regulations. Accordingly, the compliance deadline shall be November 1, 2026. Failure to fulfil the relevant obligations under the Data Protection Law by that date will expose the relevant controller and/or processor (as the case may be) to financial and/or criminal penalties under the Data Protection Law.
Distinction between the Controller and a Processor
The PDPL adopts a clear functional distinction between controllers and processors. A controller is any natural or juridical person who—by virtue of their work or by nature of their activity—has the right to obtain and control personal data, as well as to determine the means, techniques, and criteria governing the retention or processing of such data, in accordance with the specified purpose or their activity. Examples of natural persons include, inter alia, doctors, lawyers, and accountants; examples of juridical persons include, inter alia, government authorities, hospitals, corporations, and NGOs.
On the other hand, a processor is any natural or juridical person who—by nature of their activity—processes personal data for their own interest, or for the interest of the controller in accordance with the terms agreed upon and the instructions provided by the controller. Examples of natural persons include, inter alia, IT consultants, freelance data entry specialists, and independent marketing specialists; examples of juridical persons include, inter alia, cloud service providers, payroll companies, call center service providers, and marketing agencies.
This distinction is particularly relevant when allocating compliance responsibilities, assessing licensing requirements, and structuring contractual arrangements between data users.
It is worth noting that individuals collecting or processing personal data solely for personal purposes are excluded from the scope of the PDPL.
2- Key Regulatory Areas Covered by the Executive Regulations
I. Collection, Processing, Storage, and Security of Personal Data
The Executive Regulations establish unified standards governing the collection and processing of personal data. Personal data may only be collected and processed by licensed or permitted controllers or processors and strictly for declared and lawful purposes. Data collection is conditional upon obtaining the data subject’s consent and clearly informing them of the purpose of collection, while any further use beyond that purpose requires renewed consent.
Further, the Executive Regulations require prior PDPC approval of data collection mechanisms, defined retention periods linked to processing purposes, and strict confidentiality obligations on all personnel involved in data handling. Controllers and processors must maintain secure electronic records documenting, among other matters, consent, data categories, retention periods, and applied security measures.
II. Licensing and Permitting Requirements
The Executive Regulations introduced a mandatory authorization regime under which most personal data processing activities require prior approval from the PDPC.
Controllers and processors are required to obtain prior authorization from the PDPC before engaging in personal data processing activities. As a general principle, ongoing or permanent processing activities are subject to a licensing regime, whereas processing conducted for a specific purpose and for a limited duration may be authorized under a permit. The applicable licensing fees are calculated based on the volume of personal data records processed, in accordance with the tiered fee structure set out under the Regulations, whereby entities processing between 1 and 100,000 personal data records are exempt from licensing fees, while higher volumes trigger escalating annual fees.
In addition to the general licensing framework, the Regulations impose separate and activity-specific licensing or permitting requirements for certain regulated processing operations. In particular, electronic direct marketing activities are subject to a dedicated license or permit which requires, inter alia, obtaining the explicit consent of data subjects and maintaining detailed records evidencing such consent. Furthermore, the use of visual surveillance systems in public places requires a standalone license or permit, subject to compliance with strict conditions relating to transparency, data security, and limitations on processing, including restrictions on facial recognition technologies except where expressly permitted by law.
III. Core Obligations of Controllers and Processors
The Executive Regulations establish a compliance framework for controllers and processors as follows:
- Controllers are required to comply with specific obligations under the Executive Regulations, including, inter alia, ensuring data accuracy, limiting processing to the licensed purpose, erasing personal data upon expiry of its purpose, and enabling data subjects to exercise their statutory rights (access, correction, objection, withdrawal of consent). Controllers must also facilitate PDPC inspections and comply with sector-specific limitations on data volume and categories.
- With respect to processors, the Executive Regulations mirror many controller obligations while emphasizing adherence to the controller’s defined purpose and prohibiting independent or incompatible processing. Furthermore, the Regulations expressly regulate processing for statistical, educational, and non-profit research purposes, subject to consent, relevance, and anonymization requirements. The Regulations also address the use of personal data in artificial intelligence training and emerging technologies, requiring compliance with recognized principles to prevent harm to data subjects.
Data users are also required to cooperate with PDPC inspections and must notify the PDPC of any personal data breach within seventy-two (72) hours of becoming aware of it. They must then inform affected data subjects within three (3) working days of the breach.
IV. Appointing a Representative in Egypt
It is worth noting that the Regulations impose a clear localization requirement on foreign data users. Data users located outside Egypt and without an established presence in the country must appoint a representative in Egypt. This requirement applies to entities acting as controllers and/or processors.
The appointment may be fulfilled through:
(i) A local branch in Egypt;
(ii) An existing legal entity; or
(iii) An authorized representative appointed under a power of attorney (“PoA”).
These examples are indicative and remain subject to the approval of the PDPC.
V. Data Protection Officers (“DPOs”)
The Executive Regulations formalize the role of the DPO, establishing registration, qualification, and reporting requirements. DPOs are responsible for monitoring compliance, handling data subject requests, and submitting periodic reports to the PDPC. Controllers and processors must notify the PDPC at least fifteen (15) days prior to terminating a DPO’s appointment.
VI. Digital Evidence
The Regulations confirm the evidentiary validity of digital evidence derived from personal data, provided that it is collected, extracted, and preserved using technical means that ensure data integrity and prevent any alteration or tampering.
The evidence must be relevant to the matter under investigation and collected by authorized judicial officers or qualified experts. In addition, the Regulations require proper documentation of the collection and preservation process, including identification of the tools used, timestamps, and a clear chain of custody, to ensure the reliability and admissibility of digital evidence.
VII. Cross-Border Transfers of Personal Data
Cross-border data transfers represent one of the most sensitive and high-impact areas under the Executive Regulations. Personal data may not be transferred, stored, shared, processed, or accessed outside Egypt except after obtaining a license or permit from the PDPC, following an assessment of the adequacy of the data protection level in the destination country, and after securing the explicit consent of the data subject.
Such transfers must comply with established policies, standards, and safeguards to ensure that the data is adequately protected throughout its lifecycle, including during transfer, storage, processing, or sharing. An application for a cross-border transfer license or permit must include, inter alia: (i) the destination country, the purpose of the transfer, and the categories, nature, and volume of data; (ii) details of the security measures and the temporary/final storage locations; (iii) a demonstration of compliance with the applicable policies, standards, and regulatory controls; (iv) the retention periods; and (v) for legal persons, information on the nature of the controller’s or processor’s activities. Transfers must strictly follow the approved authorization, and any addition of new destination countries requires updating the authorization accordingly.
The fee for obtaining a cross-border transfer license or permit is set at 50% of the applicable license fee for the controller or processor, depending on the type, volume, and nature of the personal data involved.
VIII. Sensitive Personal Data and Children’s Data
Pursuant to the Executive Regulations, controllers and processors, whether natural or legal persons, shall comply with enhanced safeguards when handling sensitive personal data or children’s data. For sensitive personal data, this includes, inter alia, obtaining a license or permit from the PDPC, securing explicit written consent from the data subject (or the legal guardian for children, where applicable), ensuring the data is necessary for the intended purpose and does not cause harm, complying with PDPC security standards, limiting data collection to what is strictly necessary, avoiding profiling or behavioral tracking of children, and maintaining secure records of consents and of requests for deletion, correction, or suspension of processing.
Regarding children’s data, explicit written consent must be obtained from the legal guardian for children under 15 years, specifying its duration and allowing withdrawal or modification, while for children aged 15 to 18, consent must be provided by the child or their guardian as applicable, following mechanisms approved by the PDPC to ensure legal compliance.
IX. Electronic Direct Marketing
The Executive Regulations subject electronic direct marketing activities to a standalone regulatory regime, requiring prior licensing by the PDPC. In this regard, controllers and/or processors engaging in electronic direct marketing, whether for their own products or services or on behalf of third parties, must obtain a specific license or permit, with the applicable fees varying depending on the category of marketing activity.
Furthermore, the Regulations condition the legality of electronic direct marketing on obtaining the data subject’s explicit prior consent to receive marketing communications. Data subjects must be clearly informed of the identity of the sender and the marketing purpose at the outset of any communication and must be provided with an effective mechanism to refuse or withdraw their consent at any time. Upon withdrawal of consent or expiry of the data retention period, controllers and processors are required to immediately erase the relevant personal data.
In addition, entities conducting electronic direct marketing are required to maintain secure electronic records documenting the manner and date of obtaining consent, as well as any subsequent requests for withdrawal or erasure. Where marketing activities are carried out through intermediaries, such intermediaries must verify the existence of valid consent and retain evidence thereof, failing which they are required to immediately cease using the relevant personal data.
3- Conclusion
The Executive Regulations, together with the launch of the PDPC website and the publication of sector-wide guidelines, represent a shift toward a structured and enforcement-driven data protection regime in Egypt. By translating the PDPL’s general principles into detailed operational obligations, the Executive Regulations provide data users with a clearer compliance roadmap while significantly raising regulatory expectations for controllers and processors operating in or targeting Egypt.
It is therefore advisable to comply early with the aforementioned requirements and to obtain the necessary licenses and/or permits, including, inter alia, for cross-border data transfers, and to obtain proper consent from data subjects, in order to reduce regulatory and operational risks.