The following law(s) specifically govern personal data / information:
Data Protection Law no 151 of year 2020.
Cybercrime Law no 175 of year 2018.
Consumer Protection Law no 181 of year 2018.
The key data protection principles in this jurisdiction are:
- Personal data can be collected and processed only for specific, legitimate purposes known to the Data Subject.
- Must be processed in an accurate, correct, and secure manner.
- Shall not be retained once the purpose of its collection and processing has been achieved.
- Shall be processed for a lawful purpose, and in a manner suitable for its intended purpose.
The supervisory authority / regulator in charge of data protection is:
National Telecommunication Regulatory Authority “NTRA” / Personal Data Protection Center “Center”.
Is there a requirement to register with a supervisory authority / regulator?
Data Controllers and Processors are required to obtain licenses and permits to process Personal Data. The Center shall set out the types of licenses and permits, and establish the conditions of application and issuance, in accordance with the provisions of the executive regulation that is expected to be established in April 2021.
The fee payable for obtaining a license is up to two million Egyptian Pounds; for obtaining a permit it is up to five hundred thousand Egyptian Pounds.
Is there a requirement to notify the supervisory authority / regulator?
As long as the data controller or processor obtained the required licenses and permits to process data, there is no need to notify the supervisory authorities.
Is it possible to register with / notify the supervisory authority / regulator online?
No, online registration is not available in Egypt.
The key data subject rights under the data protection laws of this jurisdiction are:
- To have their consent obtained before their personal data is processed, collected or disclosed by any means.
- To be acknowledged and to review, have access to and obtain their Personal Data that is held by any Holder, Controller or Processor.
- To reverse the prior consent concerning the retention or processing of their personal data.
- To edit, erase, modify, add or update their Personal Data.
- To limit the processing to a specific scope.
- To be aware of any Personal Data breach in relation to their Personal Data; and
- To object to any processing or its results of Personal Data as long as there is a violation which concerns the Data Subject.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, the Data Protection Officer (DPO) is a competent employee responsible for the protection of Personal Data.
The legal representative of the juristic person, whether a Data Controller or Processor, shall appoint a DPO who shall be responsible for the enforcement of the provisions of the Law, its executive regulations, and the decisions issued by the Center. Moreover, the DPO shall undertake responsibilities such as:
- Conducting regular inspections
- Notifying the Center in case of the occurrence of any Personal Data breach
- Organizing training programs
- Monitoring and updating the registration of the Personal Data record held by the Data Controller or the Processor.
Egypt does not have specific circumstances for appointing a DPO as it is obligatory to appoint one in all cases.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
Data Controllers and Processors are obliged to report a breach/violation to the Center within 72 hours, or immediately in case the breach or violation is related to a national security matter.
In all cases, both Data Controllers and Processors shall notify the Data Subject within three days after the date on which the relevant breach was reported to the Center.
The following restrictions apply to the international transfer of personal data / information:
The Law prohibits the sharing, transfer and storage of any Personal Data which was collected or prepared for processing to any foreign country unless two main conditions are satisfied:
- The protection level for this data is not less than the one being adopted by the Data Protection Law.
- An authorized license from the Data Protection Center is obtained.
International transfer of Personal Data may only be made after obtaining approval from the Data Subject in the following cases:
- To save the Data Subject’s life, or provide health care or treatment.
- To implement obligations to execute or defend any right of the Data Subject before any court outside Egypt.
- To enter into a contract or implement a contract that was already concluded between the Data Processor and a third party for the benefit of the Data Subject.
- To implement a procedure related to international judicial cooperation.
- To make cash transfers to another country in accordance with its specific and valid legislation.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The Cybercrime Law states that it shall apply to every non-Egyptian who commits an offence set forth in this law outside Egypt whenever the crime is criminalized, under any description, in the country in which the offence was committed, in any of the following cases:
- If the offence was committed using any means of transportation by land, sea or air registered in Egypt or carrying its flag.
- If one or all of the victims were Egyptians.
- If the offence was prepared, planned, directed, managed or financed in Egypt.
- If the offence was committed by an organized criminal group, which practices its criminal activities in more than one country including Egypt.
- If the offence is likely to cause detriment to any Egyptian citizen or resident, or to endanger the country’s security or any interest whether locally or abroad.
- If the perpetrator is found in Egypt after committing the crime and has not yet been extradited.
The following rules specifically deal with marketing:
The Law prohibits any kind of electronic communication for the purpose of direct marketing to the Data Subject unless the following conditions are fulfilled:
- Obtaining the consent of the Data Subject
- The communication shall determine the identity of its creator and sender
- The sender shall have a valid address in order to be reached
- Setting clear and uncomplicated mechanisms to allow the Data Subject to refuse the communication or withdraw his or her consent
- The sender of any electronic communication for the purpose of direct marketing shall maintain electronic records evidencing the acceptance or non-objection received from the Data Subjects for a period of three years from the date of the last sent communication
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
According to the Cybercrime Law, it is punishable to send emails or texts to a certain person without obtaining their consent, to provide personal data to an e-system or website for promoting commodities or services without getting the approval thereof, or to publish, by any means of information technology, information, news or images which infringe the privacy of any person without their consent, whether the published information is true or false.
According to the Consumer Protection Law, an advertisement made through WhatsApp shall cause WhatsApp to be deemed an advertising means; hence it shall be liable, together with the advertising person and supplier, not to commit any fraudulent behaviour which may cause the consumer to have inaccurate information.
The following rules specifically deal with cookies:
There are no specific rules dealing with cookies in this jurisdiction.
The consequences of non-compliance with data protection laws (including marketing laws) are:
Fines of up to ten million Egyptian Pounds and imprisonment of up to two years in case of non-compliance.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
- Obtain licenses and permits in order to process Personal Data.
- Obtain the Data Subject's consent.
- Appoint a representative in Egypt as it is obligatory.
Multinational organisations should be aware of the following upcoming data protection developments:
Data Protection Law Executive Regulation.