You Have No Office in Egypt. The Data Protection Law Still Requires a Local Representative There (Art. 4)

By Karim El Sayed

The cleanest assumption an international company can make about Egypt is also the most expensive one to get wrong: we have no entity there, so Egyptian law does not reach us.

It is not true of the Personal Data Protection Law. If your company processes the personal data of people located in Egypt — your customers, the staff of a local distributor, the users of your platform — the law reaches you whether or not you have ever set foot in the country. And if you have no branch or representative office here, it goes one step further: it requires you to appoint a representative inside Egypt, approved by the regulator, who becomes your accountable presence for as long as you operate. This article explains who is caught, what that representative actually is, and why “we are not established in Egypt” is not the shield it looks like.

The law follows the data subject, not your address

Egypt’s PDPL (Law No. 151 of 2020) applies by reference to whose data is processed, not where the company sits. Article 2 extends the law to any natural or legal person processing the personal data of individuals located in Egypt — whether the processing happens inside the country or outside it.

That is the part most foreign companies miss. A German manufacturer with a single distributor in Cairo; a UK software vendor whose platform is used by Egyptian customers; a regional parent holding the HR records of staff at an Egyptian affiliate — none has a “presence” in the ordinary commercial sense, and all sit inside the PDPL’s scope. The reach is deliberate: it places foreign employers, service providers, and parent companies directly inside the Egyptian compliance framework.

The obligation: an accredited representative, if you have no branch

Once you are in scope, the next question is whether you have a foothold in Egypt — and the PDPL draws a sharp line. Under Article 4 of Law 151/2020 and the Executive Regulations (Decree 816/2025), a controller located outside Egypt and without a branch or representative office in the country is obligated to appoint a representative inside Egypt, accredited by the Personal Data Protection Centre, to act on its behalf for the duration of its licence or permit.

The exemption is narrow on purpose. Only an actual branch or representative office takes you outside the requirement. A group affiliate that is its own separate legal entity does not automatically cover the foreign controller. And where the controller is a natural person rather than a company, the obligation becomes appointing an agent in Egypt.

A representative is not a mailbox

It is tempting to treat this as a formality — a name and an address to satisfy a form. It is not.

The representative is accredited by the Centre specifically as your representative, and the appointment runs for the full life of your licence. They are your accountable interface with the regulator: the channel through which the Centre reaches you, inspects, and enforces. Choosing the wrong representative — one who does not understand the obligations they are now standing behind — transfers your regulatory risk onto someone unequipped to carry it, while the exposure stays with you.

This is also distinct from your Data Protection Officer, and the two are routinely conflated. A DPO is your internal compliance function and may, under the Regulations, sit outside Egypt. The local representative must be inside Egypt and accredited as your stand-in before the Centre. Having one does not satisfy the requirement for the other. A company can need both.

It applies to processors, too

The requirement is not limited to controllers. A processor located outside Egypt without a branch or representative office here carries the identical obligation: appoint an accredited representative in Egypt for the duration of its licence or permit.

For the technology and services companies in this position — a SaaS provider, a cloud-based HR platform, an outsourced payroll or analytics vendor handling Egyptian data — this is the obligation most likely to be missed entirely, because such companies rarely think of Egypt as a jurisdiction they “operate in” at all.

What skipping it actually costs

There is no version of compliance that routes around the representative. The appointment is a precondition: the Centre accredits the representative for the duration of the licence or permit, which means the licences you are required to hold — controller or processor registration, a cross-border transfer licence, a sensitive-data licence — cannot be properly obtained and maintained without one in place.

So the consequence of not appointing a representative is not a tidy standalone fine you can budget around. It is structural. Without the representative, you cannot complete the licensing the law requires, which leaves you processing Egyptian data unlicensed — and that is where the PDPL’s administrative and criminal penalties bite hardest.

Where this stands

The obligation is in force. The grace period to come into compliance closes around the end of October 2026.

The accreditation channel, like the rest of the PDPL’s machinery, is still coming online: the Centre’s portal was slated to open around mid-2026, the approval process for foreign-company representatives is being built out, and the regulator has signalled a gradual, compliance-first posture rather than immediate enforcement. That is a reason to move early, not to wait. Appointing and accrediting a representative takes time, and the companies ready when the window is fully open are the ones that avoid the year-end bottleneck.

What to do now

If your company processes the personal data of people in Egypt and has no branch or representative office here, three steps follow.

Confirm scope. Establish whether you are processing the personal data of individuals located in Egypt — directly, through a distributor, or through an Egyptian affiliate’s workforce. If you are, you are within the law’s reach.

Confirm structure. Check whether anything you hold in Egypt actually qualifies as a branch or representative office that exempts you. A separate group company usually does not cover the foreign controller.

Appoint and accredit. Identify a representative capable of carrying the role — one who understands the obligations they will stand behind — and prepare the accreditation so it is in place alongside the licences you will need to hold.

The point

“We have no entity in Egypt” feels like the end of the analysis. Under the PDPL it is the beginning of one. The law reaches the data of people in Egypt wherever the company sits, and where there is no local establishment it insists on a real, accredited, accountable presence in the country.

At Consortio, we act as — and arrange — the accredited local representative for foreign controllers and processors, and we build the appointment into the wider licensing programme rather than leaving it as a loose end. The objective is simple: a company fully in scope, fully represented, and fully licensed before the deadline makes the question of its Egyptian presence a settled one.

Consortio Law Firm advises upper-mid international companies entering and operating in Egypt. For a review of whether the PDPL applies to your operations and what a local representative appointment requires, contact info@consortiolawfirm.com.