Walk into almost any office in Egypt and you pass the same device on the way in: a small scanner on the wall that reads a fingerprint, or a face, to log who arrived and when. It is so ordinary that no one thinks of it as a legal matter at all.
Under the Personal Data Protection Law, it is one of the sharpest. A fingerprint and a facial scan are biometric data; biometric data is sensitive personal data; and processing sensitive personal data in Egypt requires two things most companies have neither of — a separate license from the regulator, and the explicit written consent of every person scanned. Getting it wrong is not an administrative slip. It is a criminal offence. This article explains what Egyptian law treats as sensitive, why the attendance scanner is the most common breach of it, and what a company actually has to put in place.
What Egyptian law counts as “sensitive”
Article 1 of Law No. 151 of 2020 defines sensitive personal data as data revealing a person’s psychological, mental, physical, or genetic health; their biometric or financial data; their religious beliefs, political views, or criminal record. Children’s data is sensitive in every case, without exception.
Two of those categories catch international companies off guard, because they are broader than what they are used to under the European GDPR. Biometric data — fingerprints, facial geometry, iris scans — is sensitive, which pulls the ordinary office attendance system squarely into the regime. And financial data is sensitive under Egyptian law in a way it is not under the GDPR, which means payroll records, salary figures, and employee bank details are sensitive too. A company that mapped its sensitive data using a European checklist will have missed both.
The attendance scanner is the most common breach
Tracking attendance is not itself the problem. An employer is entitled to record who is present and who is absent, and that ordinary record can rest on a straightforward legal basis — contractual necessity, or the employer’s legitimate interest in managing working hours.
The moment the method becomes biometric, that changes. A fingerprint or facial scan used to clock in is the processing of sensitive personal data, and the ordinary legal basis (contractual necessity or legitimate interest) no longer carries it. Two stricter requirements take its place: explicit written consent, and a license. The convenience device on the wall has quietly moved the company into the most heavily regulated category of data the law recognizes, usually without anyone in HR, IT, or legal having registered the shift.
The two things you must have
A separate sensitive-data license. Sensitive personal data carries its own license requirement, additional to your general controller license — the sensitive-data regime sits in Article 12 of the Law, with the operational detail in the Executive Regulations. It is typically issued for a short term, not exceeding one year, and its fee scales with the volume of records you hold. Short-term means it is a renewal obligation, not a one-time filing.
Explicit written consent. Sensitive data may generally be processed only with the explicit written consent of the data subject, or under one of the law’s narrow statutory exemptions. This is a higher bar than ordinary personal data, where consent can in many cases be implied from the act of handing data over to receive a service. For sensitive data, implication is not enough. A line buried in an employment contract is unlikely to satisfy “explicit written consent” for a fingerprint; the consent has to be specific, informed, and separately given.
Why this lands hardest on international companies
For an upper-mid international company, the exposure is not a single scanner. It runs through the whole HR function.
Centralized HR systems hold exactly the categories Egyptian law treats as sensitive: biometric attendance data, payroll and salary figures, employee bank details, medical and insurance records. Each of those is sensitive personal data under Article 1. Each requires the license and the consent. And because these systems are usually group-standard — designed in Germany or the Netherlands or the UK, configured to a European understanding of what counts as sensitive — the financial and biometric exposure is precisely what the group template does not flag.
The result is a company that believes its HR data is well governed because it is GDPR-compliant, sitting on a body of data that is sensitive by the Egyptian definition, unlicensed, and processed without the required consent.
The penalty
Collecting, processing, disclosing, transferring, or storing sensitive personal data without the data subject’s consent, or outside the cases the law permits, is a criminal offence under the PDPL. It carries imprisonment of not less than three months and/or a fine of EGP 500,000 to EGP 5,000,000. Repeat offences are doubled.
That is the same penalty tier the law reserves for unlicensed cross-border transfer — its most serious category. The fingerprint scanner sits in it.
Where this stands
The obligation is in force, and the grace period to comply closes around the end of October 2026.
The licensing machinery is still coming online. The portal of the Personal Data Protection Centre (the regulator, referred to here as the Centre) was slated to open around mid-2026, and the regulator has signaled a gradual, compliance-first approach rather than immediate enforcement. As with every other PDPL obligation, that is a reason to start now, not later: classifying your sensitive data, fixing your consent mechanism, and preparing the license application all take time, and the work cannot begin until you know which of your systems hold sensitive data in the first place.
What to do now
Three steps, in order.
Classify. Identify every category of sensitive personal data you hold against the Egyptian definition, not a European one — and look specifically for biometric attendance data and employee financial data, the two most commonly missed.
Fix consent. Replace any reliance on implied or contract-bundled consent for sensitive data with explicit, written, specific consent — and decide, for biometric attendance, whether consent is even the right route or whether the system itself should change.
License. Prepare the separate sensitive-data license application, sized to your record volume, and diarise its renewal from the day it issues, since it runs short-term.
The point
The most heavily regulated data in your Egyptian operation is not in a vault. It is the scanner by the front door and the salary column in your HR system — ordinary things the law treats as sensitive, and that almost no one licenses or consents for correctly.
At Consortio, we classify sensitive data against the Egyptian definition, rebuild the consent mechanism so it holds, and carry the licensing — so that the device on the wall and the records behind it are, for once, on the right side of the law before the deadline.
Consortio Law Firm advises upper-mid international companies entering and operating in Egypt. For a review of your sensitive-data exposure under Law 151/2020 — including biometric attendance and employee financial data — contact info@consortiolawfirm.com.