Personal Data Protection Law

Due to the expansion of digital borders in Egypt at an unprecedented rate, mobility in the world of cybersecurity is more important than ever for companies that aim to succeed and prosper. There is a global trend to protect the right to privacy in international constitutions, whether in one of its classic meanings, which is included in the Egyptian Constitution in Article 57, or in its latest meanings, which clearly cover security, digital privacy, and personal data.

The Egyptian government has been rapidly seeking to impose its control over the digital domain and data circulation, which should be done in accordance with international standards and basic rights stipulated in the constitution and other Egyptian legislation, in order to preserve individuals’ right to expression, as well as to guarantee personal rights and freedoms, and so that this data is not used illegally.

Accordingly, the issuance of the Personal Data Protection Law No. 151 of 2020 comes as an important step in this context, to serve as a legislative breakthrough towards securing the personal data of citizens, as the law imposed basic obligations and provisions on companies that may possess users’ personal data, whether the possession of data is for reasons related to the nature of their work or for any other reason.

In the case where the company is a controller under Article (4), it must adhere to necessary obligations, taking into consideration the provisions of Article No. (12). The controller is obligated to the following:

  1. Obtain personal data or receive it from the holder or relevant authorities after the consent of the data subject, or under circumstances authorized by law.
  2. Verify the accuracy, agreement, and sufficiency of the personal data for the specified purpose of collection.
  3. Establish methods, procedures, and processing standards in accordance with the specified purpose unless delegated by the processor under the contract.
  4. Ensure that the specified purpose of collecting personal data aligns with the purposes of processing.
  5. Undertake or refrain from actions that would facilitate the availability of personal data, except in cases authorized by law.
  6. Implement all technical and organizational measures and apply necessary standard criteria to protect and secure personal data, ensuring confidentiality and preventing unauthorized access, destruction, alteration, or tampering before any unlawful action.
  7. Erase personal data as soon as the specified purpose is fulfilled. In cases of retaining data for any legitimate reason after the purpose is fulfilled, it should not remain in a form that allows the identification of the data subject.
  8. Correct any errors in personal data promptly upon notification or awareness.
  9. Maintain a record of the data, including a description of the categories of personal data held, identification of those who may access or disclose the data, its supporting documentation, the duration, restrictions, scope, mechanisms for erasing or modifying personal data, and any other data related to the transfer of such personal data across borders. Additionally, describe the technical and organizational measures related to data security.
  10. Obtain a license or permit from the authority to deal with personal data.
  11. The controller outside the Arab Republic of Egypt is obligated to appoint a representative in the Arab Republic of Egypt, as specified by the executive regulations.
  12. Provide the necessary capabilities to prove compliance with the provisions of this law and enable the authority to inspect and supervise to ensure compliance.

In the case of multiple controllers, each must comply with all obligations stated in this law, and the data subject has the right to exercise their rights against each controller individually.

The executive regulations of this law define the policies, procedures, controls, and technical standards for these provisions.

There are administrative penalties that the CEO of the Personal Data Protection Authority enforces in case of any violation of the provisions of this law. The violator will be warned to cease the violation and remove its causes or effects within a specified period.

If the specified period elapses without compliance with the warning, the authority’s board may issue a decision imposing one of the following:

  • Warning to suspend the license, permit, or accreditation partially or completely for a specified period.
  • Complete or partial suspension of the license, permit, or accreditation.
  • Withdrawal or partial cancellation of the license, permit, or accreditation.
  • Publication of a statement of the proven violations in one or more widely circulated media at the violator’s expense.
  • Subjecting the controller or processor to the technical supervision of the authority to ensure the protection of personal data at their expense, depending on the circumstances.

Because digital life entails many problems, the Personal Data Protection Law has set decisive penalties for any violations of the obligations imposed on controlling companies, which may result in the violation or disruption of the protection of personal data.

These penalties for the specified offenses include the following:

  1. A fine of not less than one hundred thousand Egyptian pounds and not exceeding one million Egyptian pounds for each controller who collects, discloses, provides, or trades electronically processed personal data in ways not authorized by law or without the consent of the data subject.

     The penalty is imprisonment for a period of not less than six months, and a fine of not less than two hundred thousand Egyptian pounds and not exceeding two million Egyptian pounds, or one of these penalties, if committed for the purpose of obtaining material or moral benefit or with the intention of subjecting the data subject to harm.

  2. A fine of not less than one hundred thousand Egyptian pounds and not exceeding one million Egyptian pounds for each controller who refuses without legal justification to enable the data subject to exercise their rights stated in Article (2). A fine of not less than two hundred thousand Egyptian pounds and not exceeding two million Egyptian pounds for each person who collects personal data without meeting the conditions specified in Article (3).
  3. A fine of not less than three hundred thousand Egyptian pounds and not exceeding three million Egyptian pounds for each controller who fails to comply with their duties specified in Articles (4, 5, 7) of this law.
  4. Imprisonment for a period of not less than three months and a fine of not less than five hundred thousand Egyptian pounds and not exceeding five million Egyptian pounds, or either of these penalties, for each controller who collects, provides, trades, or discloses sensitive personal data without the consent of the data subject or in ways not authorized by law.

In all cases, in addition to the prescribed penalties, the court orders the publication of the conviction judgment in two widely circulated newspapers and on open electronic information networks at the expense of the convicted individual.

In case of recurrence, the minimum and maximum limits of the specified penalties are doubled.

Attempts to commit the stipulated crimes are punishable by half of the prescribed penalty.

To learn more about the Personal Data Protection Law, contact “Consortio Law Firm” by phone at 002 01028806061, via WhatsApp, or by email at Info@consortiolawfirm.com.