Personal Data Protection Law
Successive developments in information and communication technology, especially the emergence of the Internet, artificial intelligence and other technologies, have created new challenges for personal data protection. The scope and volume of electronic collection, exchange and processing of this data have increased in an unprecedented manner, allowing companies and private and public institutions to use individuals' personal data on a large scale, since electronic activities based on collecting, analyzing, deriving and storing that data help companies and institutions to benefit economically and commercially from this increasingly digital data.
Due to the Egyptian state's current interest in encouraging investment in the giant data center industry, the need has increased for a legal representative appointed at the Personal Data Protection Center as an "employee responsible for protecting personal data", by registering him in the register of personal data protection officials at the Personal Data Protection Center. The executive regulations of the Personal Data Protection Law No. 151 of 2020 specify the conditions for registration, its procedures and registration mechanisms.
Personal Data Protection Officer Duties
Articles (9) and (13) of the Personal Data Protection Law establish important obligations that define the necessary duties of the Personal Data Protection Officer, which must be observed and followed in order to provide accurate control over the protection of individuals' personal data.
These obligations are as follows:
- Implement the provisions of the Law, its Executive Bylaws and the Center's decisions, monitor and supervise the procedures in force within its entity, and receive requests related to personal data in accordance with the provisions of this Law.
- Conduct periodic evaluation and examination of personal data protection and intrusion prevention systems, document the results of the evaluation and issue the necessary recommendations for their protection.
- Act as a direct point of contact with the Center and implement its decisions regarding the application of the provisions of this Law.
- Enable the data subject to exercise his rights provided for in this Law.
- Notify the Center in the event of any breach or violation of its personal data.
- Respond to requests submitted by the data subject or any person in a capacity, and respond to the Center in grievances submitted to it by any of them in accordance with the provisions of this Law.
- Follow up the entry and updating of the personal data record with the controller or the record of processing operations with the processor, in order to ensure the accuracy of the data and information recorded therein.
- Remove any irregularities related to personal data within its entity, and take corrective action in this regard.
- Organize the necessary training programs for the employees of his entity to qualify them in accordance with the requirements of this Law.
- The personal data protection officer and his subordinates with the controller or processor are obliged to follow and fulfill the necessary security policies and procedures so as not to breach or violate sensitive personal data.
- The Executive Regulations of this Law specify the obligations, procedures and other tasks that the Personal Data Protection Officer must perform.
- All transfers to any foreign country of data that has been collected, prepared, stored or shared for processing are prohibited unless a level of protection no less than that stipulated by law is available, and with the license or permission of the Center.
As an exception, with the express consent of the data subject or his representative, personal data may be transferred to, shared with, circulated or processed in a country where the aforementioned level of protection is not available, in the following cases:
- Preserving the life of the data subject and providing medical care, treatment or administration of health services.
- Implementing obligations to ensure that a right is proved, exercised before the justice authorities or defended.
- Conclusion of a contract or performance of a contract already concluded or to be concluded between the controller of processing and third parties, for the benefit of the data subject.
- Implementation of a procedure for international judicial cooperation.
- The existence of a legal necessity or obligation to protect the public interest.
- Making cash transfers to another country in accordance with its specific and applicable legislation.
- If the transfer or circulation is carried out in implementation of an international bilateral or multilateral agreement to which the Arab Republic of Egypt is a party.
- The controller or processor may provide the personal data to another controller or processor outside the Arab Republic of Egypt with a license from the Center when the following conditions are met:
  - Agreement on the nature of the work of each controller or processor or the unity of purpose under which they obtain the personal data.
  - The legitimate interest of both the controllers or processors of the personal data.
  - The level of legal and technical protection of the personal data of the controller or processor located abroad shall not be less than the level available in the Arab Republic of Egypt.
- It is prohibited to make any electronic communication for the purpose of direct marketing to the data subject unless the following conditions are met:
  - Obtain the consent of the data subject.
  - The communication must include the identity of its originator and sender.
  - The sender must have a valid and sufficiently accessible address.
  - Indicate that the electronic communication is sent for direct marketing purposes.
  - Establish clear and accessible mechanisms to enable the data subject to refuse the electronic communication or withdraw his consent to send it.
- The sender of any electronic communication for the purpose of direct marketing shall comply with the following obligations:
  - Specific marketing purpose.
  - Non-disclosure of contact details to the data subject.
  - Keeping electronic records proving the consent of the data subject and its amendments, or not objecting to his continued receipt of marketing electronic communication for a period of three years from the date of the last transmission.
Penalties for the violating personal data protection officer
In order to ensure general control and comprehensive protection of citizens, the Personal Data Protection Law has set firm penalties that apply to every personal data protection officer when he violates any of the obligations set, which may cause a violation or breach of the protection of individuals’ personal data.
These penalties cover the following crimes:
- Any personal data protection officer who fails to comply with the requirements of his job stipulated in Article (9) shall be punished by a fine of not less than two hundred thousand pounds and not exceeding two million pounds.
- The penalty shall be a fine of not less than fifty thousand pounds and not exceeding five hundred thousand pounds if the crime is committed as a result of the negligence of the personal data protection officer.
- Whoever violates the provisions of the cross-border movement of personal data stipulated in Articles (14, 15, 16) shall be punished by imprisonment for a period of not less than three months and a fine of not less than five hundred thousand pounds and not exceeding five million pounds, or by either of these two penalties.
- Whoever violates the provisions of e-marketing stipulated in Articles (17 and 18) shall be punished by a fine of not less than two hundred thousand pounds and not exceeding two million pounds.
- Any member of the Board of Directors or any of the Center’s employees who violates the obligations stipulated in Article (24) shall be punished by a fine of not less than three hundred pounds and not exceeding three million pounds.
- Whoever prevents one of the center’s employees who enjoys the status of judicial seizure from performing his work shall be punished by imprisonment for a period of not less than six months and a fine of not less than two hundred thousand pounds and not exceeding two million pounds, or by either of these two penalties.
- The person responsible for the actual management of the violating legal person shall be punished by the same penalties prescribed for acts committed in violation of the provisions of this Law if it is proven that he was aware of them and that his breach of the duties imposed on him by such management contributed to the commission of the crime.
In all cases, in addition to the prescribed penalties, the court orders the publication of the conviction judgment in two widely circulated newspapers and on open electronic information networks at the expense of the convicted individual.
In case of recurrence, the maximum and minimum limits of the specified penalties are doubled.
Attempts to commit the stipulated crimes are punishable by half of the prescribed penalty.
For more knowledge about the provisions of the Personal Data Protection Law, contact “Consortio Law Firm” now through the phone number 002 01028806061 or via WhatsApp or email Info@consortiolawfirm.com.