ARAB REPUBLIC OF EGYPT

E.L. Ref. No.: 5008447

Decision of the Minister of Communications and Information Technology

No. 816 of 2025

Published on 01/11/2025 in the Official Gazette, Issue No. 244 (Supplement “A”)

Effective as of 02/11/2025

Regarding the Issuance of the Executive Regulations of the Personal Data Protection Law promulgated by Law No. 151 of 2020

Dr. Amr Sami Talaat – Minister of Communications and Information Technology

PREAMBLE

The Minister of Communications and Information Technology,

Having reviewed the Constitution; the Penal Code; the Civil Code; the Code of Criminal Procedure; the Decree-Law No. 96 of 1952 on the Organization of Expert Testimony before Judicial Bodies; the Code of Civil and Commercial Procedure promulgated by Law No. 13 of 1968; the Law of Evidence in Civil and Commercial Matters promulgated by Law No. 25 of 1968; Law No. 34 of 1976 on the Commercial Register; the Law on Joint-Stock Companies, Limited Partnerships by Shares, Limited Liability Companies, and Single-Person Companies promulgated by Law No. 159 of 1981; the Child Law promulgated by Law No. 12 of 1996; the Commercial Law promulgated by Law No. 17 of 1999; the Intellectual Property Rights Protection Law promulgated by Law No. 82 of 2002; the Telecommunications Regulatory Law promulgated by Law No. 10 of 2003; Law No. 15 of 2004 on the Organization of Electronic Signatures and the Establishment of the Information Technology Industry Development Authority; the Competition Protection and Prevention of Monopolistic Practices Law promulgated by Law No. 3 of 2005; the Law Regulating Passenger Land Transport Services Using Information Technology promulgated by Law No. 87 of 2018; Law No. 175 of 2018 on Combating Information Technology Crimes; the Consumer Protection Law promulgated by Law No. 181 of 2018; and the Central Bank and Banking Sector Law promulgated by Law No. 194 of 2020;

And based on the opinion of the State Council;

Has decided:

ISSUANCE ARTICLES

Article 1 – Issuance

The provisions of the accompanying Executive Regulations of the Personal Data Protection Law referred to herein shall be applied.

Article 2 – Issuance

This Decision shall be published in the Official Gazette and shall enter into force on the day following the date of its publication.

EXECUTIVE REGULATIONS

Article 1

For the purposes of applying the provisions of these Regulations, the definitions set forth in the Personal Data Protection Law referred to herein shall have the same meanings ascribed thereto. For the purposes of these Regulations, “the Law” means: the Personal Data Protection Law promulgated by Law No. 151 of 2020.

Executive Regulations: Policies, Procedures, Standards, and Controls for the Collection, Processing, Storage, and Security of Personal Data

Article 2

The collection, processing, storage, and security of personal data shall be conducted in accordance with the following controls, standards, procedures, and policies:

First – Controls and Standards:

  1. The party collecting personal data must hold a license or permit as a controller or processor, without prejudice to the obligations imposed by the competent authorities for the practice of the relevant activity.
  2. Personal data shall not be collected except after obtaining the consent of the data subject and notifying them of the purpose of collection in a clear manner. The submission of personal data by a natural person in order to receive services or engage in lawful transactions shall be deemed consent to the collection and processing of that data for such purpose. Such data may not be used for other purposes without prior consent.
  3. Obtain the approval of the Center for the mechanisms used to collect personal data, and the mechanism for obtaining the consent of the data subject or their guardian in the case of children’s data.
  4. Determine the time period necessary for retaining the collected personal data in accordance with the purpose of collection.
  5. Those responsible for collecting personal data are obligated to maintain its confidentiality and not to use, circulate, or disclose it in any form except for legally prescribed reasons and in accordance with the license or permit issued in this regard.

Second – Procedures and Policies:

  1. Inform the data subject of their rights pursuant to Article (2) of the Law.
  2. Take the security procedures and programs issued by the Center that must be followed regarding the security of personal data, including devices and media used.
  3. Adopt in work policies the preparation of a secure electronic register containing the following records:
     • The consent of the data subject, the date such consent was issued, the form in which it was issued, and a description of the categories of personal data collected and the scope of their use.
     • The time period necessary for retaining each category of personal data separately, and its relationship to the purpose of collection.
     • The organizational and technical procedures followed to secure the data, enabling the Center to conduct periodic inspections and verify the compliance of the licensee or permit holder therewith.

Executive Regulations: Policies, Procedures, Technical Standards, and Controls for the Obligations of the Personal Data Controller

Article 3

The obligations of the personal data controller shall be in accordance with the following technical controls, standards, procedures, and policies:

First – Technical Controls and Standards:

  1. Obtain a license or permit from the Center in accordance with the categories, conditions, and procedures specified in these Regulations, without prejudice to the obligations imposed by the competent authorities for the practice of the relevant activity.
  2. Not to violate the purpose for which the license or permit was issued for the use of personal data being collected and processed.
  3. Verify that the personal data being collected is accurate by reviewing the source from which it was obtained, whether from the controller’s employees or the data subject themselves, and the extent to which such data corresponds to the purpose of its collection and processing in accordance with the conditions set out in the license or permit issued to the controller by the Center.
  4. Erase personal data immediately upon the expiration of the purpose for which it is retained, and notify the data subject of such erasure. Such data may not remain in a form that allows identification of the data subject if retained for any legitimate reason after the purpose has ended.
  5. Establish a mechanism approved by the Center enabling the data subject to submit a request to know their personal data and view it, to withdraw prior consent to its retention, to correct and modify their data, to restrict its processing to a specific scope, or to object to any processing thereof.
  6. A controller located outside the Arab Republic of Egypt and without a branch or representative office within the country is obligated to appoint a representative inside Egypt through a company branch, office acting on their behalf, or representative, as the case may be, to be accredited by the Center as a representative of the controller for the duration of the license or permit. If the controller is a natural person, they must appoint an agent within the Arab Republic of Egypt.
  7. Enable Center inspectors, in their capacity as judicial police officers, to access electronic records and verify the application of the standards and technical procedures for data security and protection, and any executive decisions issued by the Center in this regard.
  8. Adhere to the volume and type of personal data that the law governing the controller’s activity permits to be collected, with the rules and controls prescribed by the Law applying to any additional personal data requested, including storage, security, and transfer rules, if the law governing the activity lacks such rules and controls.
  9. Take the necessary measures and procedures to oblige those responsible for collecting personal data to maintain its confidentiality and not use, circulate, or disclose it in any form except for legally prescribed reasons.

Second – Procedures and Policies:

  1. Conduct periodic testing and evaluation operations to ensure the accuracy and integrity of the collected personal data, in accordance with the periodic assessment and inspection mechanisms issued by the Center.
  2. Take the necessary measures and procedures to render the data subject’s data unreadable, and to ensure that such data does not remain in a form that allows identification of the data subject if the controller retains it for legal reasons or national security considerations, provided that such data is erased upon the expiration of the legal reason or purpose.
  3. Take the necessary technical procedures to maintain the confidentiality of data and prevent unauthorized access.
  4. Take the technical and organizational measures that ensure the ability to restore and access personal data in a timely manner, and to contain it in the event of any physical or technical incident.
  5. Without prejudice to the obligation to prepare electronic records referred to in Article (2) of these Regulations, the controller is obligated in its work policy to prepare secure electronic records containing the following:
     • Requests by the data subject for the addition or modification of their personal data, including a record of the data to be modified and confirmation of whether the modification was completed and the reason therefor.
     • Requests by the data subject for the erasure of their data and withdrawal of prior consent, and confirmation of whether the erasure was completed, and the mechanism for notifying the data subject thereof.
     • Personal data retained for legal reasons or national security considerations, enabling Center inspectors to verify the application of the standards and technical procedures for the security and protection of such data, without allowing third parties to identify the data subject.

Executive Regulations: Policies, Procedures, Standards, Controls, Instructions, and Technical Standards for the Obligations of the Personal Data Processor

Article 4

The processing of personal data shall be conducted in accordance with the following controls, standards, procedures, and policies:

First – Controls and Standards:

  1. Obtain a license or permit from the Center in accordance with the categories, conditions, and procedures specified in these Regulations, without prejudice to the obligations imposed by the competent authorities for the practice of the relevant activity.
  2. Establish a mechanism approved by the Center specifying the volume and purpose of the processing, enabling the recording of the data subject’s consent thereto and notifying the controller, the data subject, and all relevant parties of the period required for processing.
  3. Those engaged with personal data among the processor’s employees are obligated to maintain its confidentiality and not to use, circulate, or disclose it in any form except for legally prescribed reasons.
  4. Enable Center inspectors, in their capacity as judicial police officers, to access electronic records and verify the application of the standards and technical procedures for data security and protection, as well as any executive decisions issued by the Center in this regard, and the compatibility of processing purposes with the nature of the licensed activity.
  5. A processor located outside the Arab Republic of Egypt and without a branch or representative office within the country is obligated to appoint a representative inside Egypt through a company branch, office acting on their behalf, or representative, as the case may be, to be accredited by the Center as a representative of the processor for the duration of the license or permit. If the processor is a natural person, they must appoint an agent within the Arab Republic of Egypt.
  6. Prohibit the processing of any personal data for a purpose other than the controller’s purpose or activity, unless for statistical, educational, or non-profit purposes, subject to the following conditions: (a) Obtaining the consent of the data subject; (b) The subject of the study must be related to the personal data being processed; (c) When circulating personal data in any form, it must be coded so that the data subject cannot be identified therefrom.
  7. The processor is obligated, when handling personal data in its processing and use for artificial intelligence training operations and emerging and innovative technologies, to comply with the principles recognized locally, regionally, and internationally, in a manner that ensures the use of such technologies does not cause any harm to the data subject.
  8. Adhere to the volume and type of personal data that the law governing the processor’s activity permits to be obtained, with the rules and controls prescribed by the Law applying to any additional personal data requested, including storage, security, and transfer rules, if the law governing the activity lacks such rules and controls.

Second – Procedures and Policies:

  1. Take the necessary security measures and procedures to secure and protect personal data during processing, including devices and media used, and to store personal data in an unreadable form to ensure its confidentiality and to prevent linking it to the data subject by unauthorized parties.
  2. Take the technical and organizational measures that ensure the ability to restore and access personal data in a timely manner, and to contain it in the event of any physical or technical incident.
  3. Adopt in work policies the preparation of a secure electronic register containing the following:
     • A record and description of the processing operations carried out, and the categories of personal data used and the scope of their use. The register must include the processor’s data, a copy of the processing contract concluded with the controller, the data of the controller’s data protection officer, the data of the controller’s legal representative, the processing standards, and in the case of cross-border data transfers, a specification of the countries to which data is transferred, the security systems applicable thereto, the data flow, and a general description of the technical standards used to protect the data.
     • The time periods required for processing each category of personal data separately.
     • The organizational and technical procedures followed to secure the data and processing operations, enabling the Center to conduct periodic inspections and verify the processor’s compliance therewith.
     • A record of the date and time of data erasure after the completion of processing, or confirmation of its delivery to the controller in accordance with legally prescribed circumstances.

Executive Regulations: Obligations of the Controller and Processor in Cases of Personal Data Breach or Violation

Article 5

The controller and processor, as the case may be, upon the occurrence of a breach or violation, are obligated to notify the Center through the electronic portal or the hotline designated for this purpose by the Center, within seventy-two hours of their becoming aware of the breach or violation. This notification must be recorded in a secure electronic register prepared for this purpose, containing the following:

  1. The hour and date of becoming aware of the breach or violation and the time of notification.
  2. A description of the nature of the breach or violation and the time of its occurrence, enabling the Center to estimate the approximate number of breached data records.
  3. The potential consequences of the breach or violation, and the extent of the expected harm therefrom.
  4. The urgent measures and corrective actions taken in response to the breach or violation.
  5. The data of the data protection officer.
  6. Any additional documents, data, or information requested by the Center.

If the breach or violation is related to national security protection considerations or the authorities responsible therefor, notification to the Center shall be immediate and shall include, in addition to the conditions mentioned in the preceding paragraph, the following: (a) The relationship of the breach or violation to national security protection considerations; (b) The volume of data affected by the breach or violation and an estimate of the resulting harm.

In all cases, the controller and processor, as the case may be, are obligated to notify the data subject within three business days of notifying the Center of the breach or violation, and of the security measures taken, through the communication method agreed upon (text message, email, phone call), which the data subject would have specified upon consent to the collection of their data.

Executive Regulations: Obligations of the Center in Cases of Personal Data Breach or Violation

Article 6

The Center shall make available the means and methods of communication for reporting breaches or violations of personal data, taking into account the adoption of a special communication method for receiving reports related to national security considerations.

The Center is also obligated to coordinate with national security authorities to determine the mechanisms for notifying them upon receiving reports related to a breach or violation of personal data.

The Center shall work to periodically train and raise awareness among personal data protection officers regarding standards for classifying the nature of the breach or violation.

Executive Regulations: Requirements for Registering Personal Data Protection Officers

Article 7

The following conditions must be met for the registration of personal data protection officers:

  1. The applicant must hold academic qualifications or professional certificates along with practical experience in the relevant fields, in accordance with the standards adopted by the Center’s Board of Directors for the purpose of protecting personal data.
  2. Pass the tests approved by the Center in accordance with the nature and volume of the personal data activity subject to the registration application.
  3. Not have been previously convicted of any offenses involving dishonesty or breach of trust.

Executive Regulations: Documents Required for Registration in the Registry of Personal Data Protection Officers

Article 8

The application for registration in the registry of personal data protection officers shall be submitted along with the following documents:

  1. A copy of the identity document of the applicant (National ID for Egyptians, passport for foreigners).
  2. A recent personal photograph.
  3. Academic qualifications obtained.
  4. Duration of practical experience in the relevant fields.
  5. Criminal record certificate for Egyptians, and for foreigners, authenticated by the relevant authorities.
  6. Proof of passing the tests prescribed by the Center for registration.
  7. The personal data protection officer’s code, if previously registered in the registry of personal data protection officers at the Center for a controller or another processor, or if registered as a natural person and wishing to be registered with a controller or processor.

The Center shall study the application and notify the applicant of the acceptance or rejection of their registration within thirty business days from the date of application. The Center may request the submission of any additional documents necessary to decide on the application within a specified period, provided that the applicant is notified of the acceptance or rejection of their registration within fifteen days of submitting the required documents.

The legal representative of any entity shall take the necessary steps to register personal data protection officers, enabling them to carry out their duties in accordance with the provisions of the Law.

Executive Regulations: Registration of Personal Data Protection Officers

Article 9

The Center shall establish an electronic register designated for the registration of personal data protection officers. Each protection officer shall have a unique identification number referred to as the “Personal Data Protection Officer Code,” associated with the nature and volume of data they are permitted to handle, as determined by the results of their passing the test, and through which all their data can be retrieved.

Registration shall be carried out through the electronic portal on the register designated for the registration of personal data protection officers at the Center, through the dedicated links, by any of the following:

  1. An application submitted by the legal representative of the controller or processor for the registration of an employee in the registry of personal data protection officers, including proof of meeting the required conditions for registration and specifying the volume and nature of data the officer is permitted to handle.
  2. An application submitted by a natural person including proof of meeting the required conditions for registration and specifying the volume and nature of data they are permitted to handle.

The personal data protection officer’s code shall be determined based on their fulfillment of the registration conditions.

Executive Regulations: Termination of the Contractual Relationship or Replacement of Personal Data Protection Officers

Article 10

The legal representative of any controller or processor, wishing to terminate the relationship with a personal data protection officer, shall notify the Center thereof no less than fifteen days before the end of that relationship, provided that they have submitted an application to register or assign another data protection officer, whether from their organizational structure or contracted, consistent with the nature and volume of the data previously handled within that period, specifying the code of the replacement data protection officer and the period assigned for carrying out these duties if appointed temporarily, through the Center’s electronic portal or any other communication means approved by the Center.

The Center may suspend a registered personal data protection officer and request their replacement if they violate any of the registration conditions. In this case, the legal representative must register a temporary replacement data protection officer from those registered with the Center, whether from their organizational structure or contracted, for the same volume and nature of data, pending the appointment of a permanent officer within a period determined by the Center. The legal representative must also provide the contact information of the replacement data protection officer and notify the Center thereof.

Executive Regulations: Jurisdictional Limits of Personal Data Protection Officers

Article 11

A personal data protection officer registered with the Center may carry out their duties in one or more organizational structures, provided the following two conditions are met:

  1. The entities with which the personal data protection officer is registered consent to the performance of their duties for other entities or legal persons, without resulting in a conflict of interest, provided this is within the limits of the volume and nature of data the officer is authorized to handle.
  2. The Center approves the registration of the personal data protection officer with more than one entity, in accordance with the nature and volume of activity of those entities, and after verifying the absence of any conflict or impairment of their duties as a result.

One personal data protection officer may be registered for entities that are structurally or organizationally linked and whose activities complement each other through data exchange, provided the Center is notified thereof.

Executive Regulations: Obligations of the Personal Data Protection Officer

Article 12

The personal data protection officer is obligated to:

  1. Monitor the application of the security policies issued by the Center regarding the security of the processing, storage, and circulation operations, and submit an annual report to the Center on the state of privacy protection at the controller’s or processor’s premises, or upon request.
  2. The replacement personal data protection officer shall submit a report to the Center within 15 days of assuming their duties, on the state of privacy protection, in the event of a change of the data protection officer pursuant to the cases referred to in Article (10) of these Regulations.
  3. Monitor the process of receiving reports and complaints from the data subject regarding requests for the erasure, modification, or addition of their personal data, and verify their implementation.
  4. Not to have their duties conflict with any other assignments that may harm the protection of personal data.
  5. Establish a separate system in cases where the personal data protection officer handles a group of bodies, institutions, or companies, enabling them to perform their duties and responsibilities, and enabling the Center to review it.

Executive Regulations: Digital Evidence

Article 13

Digital evidence derived from personal data shall have the same probative value as evidence derived from written data and information, if the following technical standards and conditions are met:

  1. The process of collecting or extracting digital evidence related to personal data must be carried out using technologies that ensure the personal data and related information are not altered, updated, erased, or distorted.
  2. The digital evidence must be relevant to the incident and within the scope of what is to be proven or disproven in accordance with the scope of the order of the investigating authority or the competent court.
  3. The evidence must be collected, extracted, and preserved by judicial police officers authorized to handle this type of evidence, or by experts from investigating or judicial bodies, provided that the type, specifications, software, tools, and devices used are stated in the seizure reports or technical reports, and that the integrity of the original is guaranteed.
  4. Digital evidence must be documented in a procedural report by the competent authority before examination and analysis, by printing copies of the files stored thereon or photographing them by any visual or digital means, and authenticated by those involved in the collection, extraction, or analysis of digital evidence, each bearing the date and time of printing and photographing, the person performing it, the data of the devices, equipment, and tools used, and the data and information specific to the content of the seized evidence.

Executive Regulations: Standards and Controls for Handling Sensitive Personal Data

Article 14

Every controller or processor, as the case may be, whether a natural or legal person, when collecting, transferring, storing, retaining, processing, or making available sensitive personal data, must observe the following controls and standards:

  1. Obtain a license or permit from the Center in accordance with the nature of the activity and the license and permit categories specified in these Regulations.
  2. Obtain explicit written consent (on paper or electronically) from the data subject or their guardian in the case of children’s data, except in cases legally authorized.
  3. Such data must be essential and necessary for the purpose specific to the nature of the work of the controller or processor, and its use must not cause harm to the data subject.
  4. Comply with the security standards set by the Center regarding the handling of sensitive personal data.
  5. In cases where a child participates in a game, competition, or any other activity, no more data than is necessary for participation shall be obtained, and such data shall not be used in operations classifying, tracking, or behaviorally monitoring children.
  6. Any other standards adopted by the Center’s Board of Directors aimed at protecting sensitive personal data.
  7. Maintain secure electronic records in accordance with the Center’s requirements regarding: (a) Recording the consent of the data subject regarding sensitive personal data, or the guardian’s consent in the case of children, when handling such data in any of the forms referred to; (b) Recording requests for the deletion, erasure, modification, or suspension of processing of sensitive personal data submitted by the data subject or their child’s guardian, and confirmation of their implementation.

Executive Regulations: Standards and Controls for Handling Children’s Data

Article 15

Holders, controllers, or processors of data of children under 15 years of age must obtain, before collecting their data, explicit written consent (on paper or electronically) from the guardian for the collection and processing of their data for the purpose of providing a service or for a specific purpose, provided the consent includes its temporal scope, without prejudice to the guardian’s right to withdraw or modify their consent. The Center shall accredit the mechanisms and forms through which such consent is issued.

In the case of children between 15 and 18 years of age, the child or their guardian, as the case may be, is obligated to provide the latter’s consent for the collection and processing of the child’s data. The Center shall determine the mechanisms for this for the guardian, ensuring compliance with the legally prescribed requirements in this regard.

Executive Regulations: Policies, Standards, Controls, and Rules for the Transfer, Storage, Sharing, Processing, Making Available, or Protection of Personal Data Across Borders

Article 16

The transfer, storage, sharing, processing, making available, or protection of personal data across borders shall be in accordance with the following controls, rules, policies, and standards:

First – Controls and Rules:

  1. The controller or processor, as the case may be, when transferring personal data collected or prepared for processing to a foreign country for processing, storage, or sharing, must have obtained a license or permit therefor from the Center, based on its assessment of the adequacy of the level of protection in that country.
  2. The controller or processor, as the case may be, when transferring personal data to a foreign country, must obtain the consent of the data subject.
  3. Both the controller and processor must take all measures and procedures that ensure the use of technologies guaranteeing an adequate level of protection for personal data during its transfer, circulation, sharing, or storage, in accordance with what is stipulated in the license or permit issued by the Center, and commensurate with the volume and nature of the data authorized or permitted to be transferred, shared, circulated, stored, or processed across borders.
  4. The controller or processor, as the case may be, must transfer personal data to the foreign country or countries in accordance with what is stated in the license or permit issued by the Center, and must update the license or permit in case of adding additional countries during the license or permit period.

Second – Policies and Standards:

The Center shall determine, in the policies it adopts, the countries that guarantee an adequate level of protection for personal data in accordance with the provisions of the Law, without prejudice to the establishment of a mechanism for periodic review, in accordance with the following criteria:

  1. The existence of legislation or controls related to personal data protection and the extent of their consistency with the provisions of the Law.
  2. The availability of technical and security rules and measures that achieve the protection of personal data.
  3. The availability of legal rules specific to compensation for damages that may be suffered by the data subject in case of misuse of their personal data.

In light of the fulfillment of the aforementioned criteria, the Center may approve the issuance of a license or permit to the controller or processor, as the case may be, for the transfer, storage, or sharing of such data to or with any of the other foreign countries that meet the same criteria.

Executive Regulations: Requirements, Procedures, Precautions, Standards, and Rules for Making Personal Data Available to a Controller or Processor Outside the Arab Republic of Egypt

Article 17

The controller or processor, as the case may be, may make personal data available to another controller or processor outside the Arab Republic of Egypt with a license from the Center, subject to the following requirements, precautions, and standards:

  1. The activities of the business group or companies must be compatible in nature as a common or complementary business activity, achieving a legitimate interest for both parties or the data subject.
  2. Taking the necessary precautions that achieve a level of legal and technical protection for personal data at the foreign controller’s or processor’s premises that is no less than what is applicable within the Arab Republic of Egypt.

Executive Regulations: Rules, Conditions, and Controls for Direct Electronic Marketing

Article 18

The sender, whether a controller or processor, of any electronic communication for direct marketing purposes, is obligated to comply with the following rules, conditions, and controls:

First – Rules and Conditions:

  1. Hold a license from the Center to practice direct electronic marketing activities.
  2. Have obtained explicit consent from the data subject to receive marketing communications.
  3. The controller, processor, or marketing intermediary must erase personal data in the following two cases: (a) The data subject withdraws their consent to the use of their data for electronic marketing purposes; (b) The expiration of the specified retention period or the cessation of the marketing purpose, whichever comes first.

Second – Controls:

  1. Not to use personal data collected for electronic marketing activities for any other purpose, or to exchange or process them for other purposes without the explicit consent of the data subject.
  2. The initiation of communication must include an identification of the caller and the marketing purpose, enabling the data subject to exercise their right to refuse the communication or withdraw their prior consent, through any communication means approved by the Center in this regard, whether personal messages (via social media, text messages, or email), phone calls, or any other technical means.
  3. The sender, being a marketing intermediary, must verify that the controller or processor has obtained the data subject’s consent to receive marketing communications according to the declared purposes, and must retain the source from which the personal data of the contacted person was obtained, including their consent to the use of their data, or else must immediately cease the use of such data in electronic marketing activities.
  4. Maintain electronic records to be made available to the Center upon request, containing the following: (a) How and when the data subject’s consent to receive electronic marketing and the specific purpose thereof was obtained; (b) Requests for erasure or modification of such consent and the measures taken thereon; (c) Mechanisms for securing and storing personal data in accordance with the procedures approved by the Center.

In all cases, the Center shall designate a means of communication to receive citizens’ complaints related to direct electronic marketing, whether through its website or abbreviated telephone numbers.

Executive Regulations: Classification and Categories of Licenses for Controllers and/or Processors of Personal Data and Sensitive Personal Data

Article 19

The Center shall issue a combined controller/processor license for legal persons, in accordance with the following tables:

Annual License Fee Schedule for Controller/Processor (by number of individual personal data records):

  • 1 to 100,000 records: Exempt from license fees
  • 101,000 to 200,000: EGP 200
  • 201,000 to 300,000: EGP 300
  • 301,000 to 400,000: EGP 400
  • 401,000 to 500,000: EGP 500
  • 501,000 to 600,000: EGP 600
  • 601,000 to 700,000: EGP 700
  • 701,000 to 800,000: EGP 800
  • 801,000 to 900,000: EGP 900
  • 901,000 to 1,000,000: EGP 1,000

For every 100,000 records above 1 million and up to 2 million, an additional EGP 5,000 shall be charged, up to a maximum of EGP 50,000 for 1,900,001 to 2,000,000 records.

For every 100,000 records above 2 million and up to 3 million, an additional EGP 10,000 shall be charged.

For every 100,000 records above 3 million and up to 4 million, an additional EGP 15,000 shall be charged.

For every 100,000 records above 4 million and up to 5 million, an additional EGP 20,000 shall be charged, up to a maximum of EGP 500,000 for 4,900,001 to 5,000,000 records.

For data volumes exceeding 5 million individual personal data records, the maximum license fee is the legally prescribed cap of EGP 666,666 annually, totaling EGP 2 million over three years.

The fee for a controller-only or processor-only license for legal persons is half the amount specified in the table above, in accordance with the volume of data.

Associations, syndicates, and clubs processing personal data of their members within the scope of their activities shall be subject to the following fee schedule:

  • Associations: EGP 5,000
  • Syndicates: EGP 10,000
  • Clubs (up to 50,000 member data records): EGP 20,000
  • Clubs (over 50,000 member data records): EGP 50,000

Executive Regulations: Classification and Categories of Permits for Controllers and/or Processors of Personal Data and Sensitive Personal Data

Article 20

The Center shall issue a controller and/or processor permit for a specific and temporary purpose for varying periods not exceeding one calendar year. The Center may assess the continuity of such purpose as a condition for obtaining the permit.

Permit fees shall be determined in accordance with the requested duration and the nature and volume of personal data, as follows:

Permit Fee Schedule (by number of individual personal data records and duration):

  • 1 to 25,000 records: Exempt from fees for all durations
  • 25,001 to 250,000: EGP 10,000 (1-3 months) / EGP 15,000 (3-6 months) / EGP 20,000 (6-9 months) / EGP 25,000 (9-12 months)
  • 250,001 to 500,000: EGP 12,500 / EGP 25,000 / EGP 37,500 / EGP 50,000
  • 500,001 to 1,000,000: EGP 25,000 / EGP 50,000 / EGP 75,000 / EGP 100,000
  • 1,000,001 to 2,000,000: EGP 50,000 / EGP 100,000 / EGP 150,000 / EGP 200,000
  • 2,000,001 to 3,000,000: EGP 75,000 / EGP 150,000 / EGP 225,000 / EGP 300,000
  • 3,000,001 to 4,000,000: EGP 100,000 / EGP 200,000 / EGP 300,000 / EGP 400,000
  • 4,000,001 to 5,000,000: EGP 125,000 / EGP 250,000 / EGP 375,000 / EGP 500,000
  • Over 5,000,000: The maximum legally prescribed permit fee applies for any permit period.

The fee for a controller-only or processor-only permit for natural or legal persons is half the amount specified in the table above, in accordance with the volume of data.

Executive Regulations: Conditions for the License/Permit of the Controller and Processor from Legal Persons for Personal Data and Sensitive Personal Data

Article 21

The following conditions must be met to obtain a license/permit for controllers and processors from legal persons:

  1. Describe the mechanism used to obtain the data subject’s consent for the collection, retention, and processing of their data, as well as the mechanisms for exercising the data subject’s legally prescribed rights.
  2. Submit proof of maintaining the electronic records related to the obligations of the controller and processor.
  3. Specify the mechanisms and procedures used to secure and protect personal data, consistent with the security standards issued by the Center.
  4. Submit proof of the licensee’s or permit holder’s commitment to apply the provisions of the Law and the conditions of the license or permit, enabling the Center to conduct inspections and oversight.
  5. Submit the contractual relationship document with the personal data protection officer, explicitly including their acceptance of the responsibilities of the personal data protection officer, and proof of the controller’s or processor’s commitment to grant the data protection officer the independence necessary to perform their duties.
  6. A declaration of commitment to the financial penalties set by the Center in case of violation of the license or permit conditions.
  7. Submit proof of compliance with the controls and standards for handling sensitive personal data and children’s data.

Executive Regulations: Conditions for the Permit of the Controller and Processor from Natural Persons for Personal Data and Sensitive Personal Data

Article 22

The following conditions must be met to obtain a permit for controllers and processors from natural persons:

  1. Describe the mechanism used to obtain the data subject’s consent for the collection, retention, and processing of their data, as well as the mechanisms for exercising the data subject’s legally prescribed rights.
  2. Specify the mechanisms and procedures used to secure and protect personal data, consistent with the security standards issued by the Center.
  3. Submit proof of the permit holder’s commitment to apply the provisions of the Law and the conditions of the permit, enabling the Center to conduct inspections and oversight.
  4. Submit proof of compliance with the controls and standards for handling sensitive personal data and children’s data.

Executive Regulations: License or Permit for Cross-Border Personal Data Transfer for Legal Persons

Article 23

A license or permit is granted to the controller or processor to transfer personal data collected or prepared for processing from within the geographic territory of the Arab Republic of Egypt to outside it, in accordance with the controls and standards specific to the rules for handling personal data across borders contained in these Regulations.

Executive Regulations: Conditions for Obtaining a License/Permit for Cross-Border Personal Data Transfer for Legal Persons

Article 24

Without prejudice to the general conditions for obtaining a license/permit, the following conditions must be met to obtain a license/permit for cross-border personal data transfer for legal persons:

  1. Specify the destination to which the data is to be transferred.
  2. Submit proof of the nature of the controller’s or processor’s activity to which the personal data is to be transferred.
  3. Specify the nature of the personal data being handled.
  4. Describe the security systems, temporary and final storage locations, and the measures taken to protect data during its transfer to the final destination.
  5. Submit proof of compliance with the standards, controls, and rules necessary for the transfer, storage, sharing, processing, or making available of data across borders.
  6. Specify the purpose of cross-border data transfer.
  7. Provide sufficient data on temporary and final storage locations in accordance with the forms issued by the Center.
  8. A description of the categories of personal data transferred, their volume, and the retention period.

Executive Regulations: Conditions for Obtaining a Permit for Cross-Border Personal Data Transfer for Natural Persons

Article 25

Without prejudice to the general conditions for obtaining a permit, the following conditions must be met to obtain a permit for cross-border personal data transfer for natural persons:

  1. The nature and description of the personal data to be transferred across borders, its volume, and the purpose of the transfer.
  2. Specify the destination to which the data is to be transferred and the retention period.
  3. Describe the security systems, temporary and final storage locations, and the measures taken to protect data during its transfer to the final destination.
  4. Submit proof of compliance with the standards, controls, and rules necessary for the transfer, storage, or sharing of data across borders.
  5. Provide sufficient data on temporary and final storage locations in accordance with the forms issued by the Center.

Executive Regulations: Procedures for Obtaining a License or Permit for Cross-Border Personal Data Transfer for Legal and Natural Persons

Article 26

The representative of the legal or natural person shall submit an application to the Center for a license or permit, as the case may be, for cross-border personal data transfer through the dedicated electronic portal, provided the application includes all data and documents referred to in Articles (24) and (25) of these Regulations.

The Center shall study the application through specialized task forces, in accordance with the applicable procedures and rules, and may contact the applicant if there is a need to clarify any points or submit any documents necessary to decide on the application.

The Center shall notify the applicant of the outcome of the study, whether approval or rejection, within a period not exceeding 90 business days from the date of submission of all required information and documents. Failure to respond shall be deemed a rejection of the application.

Executive Regulations: Fees for Obtaining a License or Permit for Cross-Border Personal Data Transfer

Article 27

The fees for obtaining a license or permit for cross-border personal data transfer shall be 50% of the fees applicable for the controller and/or processor license/permit, as the case may be, and in accordance with the nature and volume of personal data.

Executive Regulations: License or Permit for Direct Electronic Marketing

Article 28

The Center shall issue a license or permit to the controller or processor, as the case may be, among those providing electronic marketing services.

This license or permit shall allow the use of personal data in the fields and activities of direct electronic marketing for oneself or for others, subject to the legally prescribed conditions and controls.

Executive Regulations: Categories of Licenses and Permits for Direct Electronic Marketing

Article 29

The categories of licenses/permits for direct electronic marketing shall be determined as follows:

Category One: License/Permit for Direct Electronic Marketing for Others:

This license shall be issued to the controller and/or processor among providers of direct electronic marketing services for others, for the purpose of promoting goods, services, or activities of third parties.

Category Two: License/Permit for Direct Electronic Marketing for Oneself:

This license shall be issued to the licensed controller and/or processor for the purpose of promoting their own goods or services.

Fee Schedule for Electronic Marketing Licenses/Permits:

  • Self-marketing license/permit: 10% of the controller/processor license/permit fee
  • Marketing for others license/permit: 25% of the controller/processor license/permit fee

Executive Regulations: Controls for Obtaining a License/Permit for Direct Electronic Marketing

Article 30

The obtaining of a license/permit for electronic marketing in its various categories shall be subject to the following controls:

  1. Submit proof of obtaining the approval of the competent authority to practice the activity.
  2. Obtain a controller/processor license/permit.
  3. Describe the mechanisms for obtaining the data subject’s consent to receive direct electronic communications regarding the product or service being marketed.
  4. Specify the mechanisms enabling the data subject to refuse electronic communications or withdraw prior consent to receive such communications.
  5. Maintain electronic records specifically for recording the data subject’s consents and any erasure or modification requests pertaining thereto.

Executive Regulations: License/Permit for the Use of Visual Surveillance Means in Public Places

Article 31

The Center shall issue a license/permit for the use of visual surveillance means in public places, which would enable the display or recording and possession of images or videos of natural persons from which they can be identified, subject to the following conditions:

  1. Obtain the necessary licenses, permits, and approvals from the competent authorities for the use of visual surveillance means in public places.
  2. Post notices in visible locations about the presence of visual surveillance means.
  3. Not to transfer, make available, record, or process what has been monitored through such means to outside the geographic territory of the Arab Republic of Egypt, except for legally prescribed reasons.
  4. Not to perform any processing that would allow access to personal data through personal photographs or videos using technologies such as Face Recognition or other similar technologies, except in legally prescribed cases or with the explicit consent of the data subject.
  5. Take the measures necessary to obligate those working with visual surveillance systems in public places to maintain the confidentiality of such data and not to use, circulate, or disclose it in any form, except for legally prescribed reasons.
  6. Follow the measures and procedures issued by the Center that ensure the security and protection of recordings collected through visual surveillance means from unauthorized access.
  7. Enable the Center to take the necessary oversight and inspection measures on visual surveillance systems in public places to achieve its legally prescribed objectives and competencies.

Private visual surveillance means at individuals’ residential premises are excluded, provided they do not exceed their spatial limits.

The license fee for the use of visual surveillance means in public places is EGP 1,000 every three years. The permit fee for the use of visual surveillance means in public places is EGP 500 annually.

Executive Regulations: Conditions for Obtaining an Accreditation Certificate to Provide Consultations on Personal Data Protection Procedures for Natural Persons

Article 32

The following conditions must be met to obtain an accreditation certificate to provide consultations on personal data protection procedures for natural persons:

  1. The applicant must hold academic qualifications or professional certificates along with practical experience in the relevant fields.
  2. Pass the tests approved by the Center in accordance with the nature and volume of the personal data activity subject to the registration application.
  3. Not have been previously convicted of any offenses involving dishonesty or breach of trust.

Executive Regulations: Conditions for Obtaining an Accreditation Certificate to Provide Consultations on Personal Data Protection Procedures for Legal Persons

Article 33

The following conditions must be met to obtain an accreditation certificate to provide consultations on personal data protection procedures for legal persons:

  1. Submit proof of the nature of the legal person’s activity and its legal basis.
  2. Have practical experience in the relevant fields.
  3. Submit proof that employees engaged in the field of consultations on personal data protection procedures hold an accreditation certificate from the Center and a valid permit to practice in the field of consultations.

Executive Regulations: Fees for Obtaining an Accreditation Certificate to Provide Consultations in the Field of Personal Data Protection for Natural and Legal Persons

Article 34

The fees for obtaining an accreditation certificate to provide consultations shall be as follows:

  • For natural persons: EGP 5,000 annually.
  • For legal persons: EGP 50,000 annually.

The validity period of the accreditation certificate is three years from the date of its issuance, and shall be renewed for similar periods at the same fees mentioned.

Executive Regulations: Data and Documents Required for Obtaining a License/Permit for Legal Persons

Article 35

The following data and documents are required to obtain a license/permit for legal persons:

  1. A copy of the commercial register of the legal person, their address, legal representative, organizational structure, nature of their activity, and contact information (phone, email).
  2. Specify the category of license/permit being applied for.
  3. The nature and volume of personal data, and identification of sensitive data therein.
  4. The retention period for personal data.
  5. Specify the security procedures for the transfer of personal data.
  6. Describe the mechanism for erasing and modifying data in accordance with the data subject’s wishes or for legally prescribed reasons.
  7. Specify the method of data storage.
  8. Identify the data protection officer.
  9. Describe the mechanism for obtaining the data subject’s consent.
  10. Provide all technical data on the infrastructure used, including (data center classification, types of devices used, current technical certificates and accreditations from various bodies), and the extent to which they comply with the technical and operational requirements specified by the Center.
  11. Submit the technical certificates and accreditations obtained by the license/permit applicant regarding the security of personal data retention and processing, specifying the issuing bodies, the date of obtainment, and their validity period.

Executive Regulations: Procedures for Obtaining Licenses/Permits for Legal Persons

Article 36

The Center shall issue licenses/permits for legal persons through an electronic portal established for the purpose of receiving applications for the issuance of licenses/permits for legal persons, in accordance with the following procedures:

  1. An application for any of the licenses/permits specified in these Regulations shall be submitted to the Center through the dedicated electronic portal, provided the application includes all data and documents indicated in these Regulations for each category of license, along with fulfillment of any other requirements specified by the Center.
  2. The Center shall study the application through specialized task forces, in accordance with the applicable procedures and rules, and may contact the applicant if there is a need to clarify any points or submit any documents necessary to decide on the application.
  3. The Center shall notify the applicant of the outcome of the study, whether approval or rejection, within a period not exceeding 90 business days from the date of submission of all required data and documents. Failure to respond shall be deemed a rejection of the application.

Executive Regulations: Data and Documents Required for Obtaining a Permit for Natural Persons

Article 37

The following data and documents are required to obtain a permit for natural persons:

  1. A copy of the identity document, criminal record certificate, academic qualifications, and the nature of work performed.
  2. The nature of the permit being applied for and its category.
  3. The purpose of obtaining the permit.
  4. The nature and volume of personal data being handled, and identification of sensitive data therein.
  5. Specify the retention period for personal data.
  6. Describe the mechanism for erasing and modifying personal data in accordance with the data subject’s wishes or for legally prescribed reasons.
  7. Specify the method of storing personal data.
  8. Describe the mechanism for obtaining and recording the data subject’s consent.
  9. Provide all technical data on the infrastructure used, including (types of devices used, current technical certificates and accreditations), and the extent to which they comply with the technical and operational requirements specified by the Center.
  10. Submit the technical certificates and accreditations obtained by the permit applicant regarding the security of personal data retention and processing, specifying the issuing bodies, the date of obtainment, and their validity period.

Executive Regulations: Procedures for Obtaining Permits for Natural Persons

Article 38

The Center shall issue permits for natural persons through an electronic portal established for the purpose of receiving applications for the issuance of permits for natural persons, in accordance with the following procedures:

  1. An application for any of the permit categories specified in these Regulations shall be submitted to the Center through the dedicated electronic portal, provided the application includes all data and documents indicated in these Regulations for each permit category, along with fulfillment of any other requirements specified by the Center.
  2. The Center shall study the application through specialized task forces, in accordance with the applicable procedures and rules, and may contact the applicant if there is a need to clarify any points or submit any documents necessary to decide on the application.
  3. The Center shall notify the applicant of the outcome of the study, whether approval or rejection, within a period not exceeding 90 days from the date of submission of all required data and documents. Failure to respond shall be deemed a rejection of the application.

In case of the Center’s acceptance of the application, the permit for the natural person shall be for a period not exceeding one year, and they shall be responsible for applying the provisions of the Law and for carrying out the duties of the data protection officer.

Executive Regulations: General Provisions and Requirements for Licenses/Permits for Legal and Natural Persons

Article 39

Associations, syndicates, and clubs handling personal data of their members within the scope of their activities are obligated to obtain the necessary licenses/permits in accordance with the controls and conditions set out in the Law and these Regulations.

In the event of an increase in the number of personal data records beyond what was specified in the license or permit, natural and legal persons must apply to the Center to amend the license/permit in accordance with the nature, volume, and categories of data.

Legal persons wishing to obtain licenses or permits in accordance with the provisions of the Law and these Regulations are obligated to obtain the necessary approvals to practice their activity.

Executive Regulations: Renewal of Licenses/Permits

Article 40

First – Renewal of Licenses:

A license expires upon the end of its validity period and may be renewed for additional periods by means of an application submitted by the licensee to the Center in accordance with the mechanisms it specifies, no less than three months before the expiration of the license period.

Renewal shall be in accordance with the controls and conditions, and upon payment of the prescribed fees for license issuance.

Second – Renewal of Permits:

A permit expires upon the end of its validity period and may be renewed for more than one period by means of an application submitted by the permit holder to the Center in accordance with the mechanisms it specifies, no less than one month before the expiration of the permit period.

Renewal shall be in accordance with the controls and conditions, and upon payment of the prescribed fees for permit issuance.

Article 41

The forms for applying for licenses/permits/accreditations shall be in electronic form submitted through an interactive platform via the Center’s electronic portal.

The type of form, conditions, controls, and procedures necessary for obtaining licenses/permits/accreditations shall be determined based on the nature of the applicant’s activity and the data selected from the content registered on the platform, which includes all segments, categories, and levels specific to the volume and nature of personal data, storage methods, security mechanisms, purposes, and other standards, controls, and measures that the Center’s Board of Directors deems appropriate to adopt for the protection of personal data.

The form shall be issued electronically after reviewing the requirements, documents, and data necessary for its issuance, including the following:

  1. A statement of the type of personal data and the purpose of its retention or processing.
  2. A statement of the time periods for retaining personal data, and the licensee’s or permit holder’s commitment to erasing such data immediately upon the expiration of the specified purpose.
  3. Proof of maintaining a special register for personal data including its categories, identification of those to whom such data will be disclosed or made available and the basis therefor, erasure or modification mechanisms, and any other data related to cross-border personal data transfer.
  4. A description of the mechanism for obtaining the data subject’s consent.
  5. A declaration of commitment to personal data security obligations.
  6. A declaration of providing the necessary capabilities enabling the Center to conduct inspections and oversight.
  7. A declaration by those dealing with the licensee guaranteeing the confidentiality of personal data.
  8. A declaration of commitment to paying the financial penalties and compensation set by the Center.

Official Translation – Ministerial Decision No. 816 of 2025 | Executive Regulations of Law No. 151 of 2020 on Personal Data Protection