Egyptian Data Protection Law Overview

Women In Law Edition 21'

Modern Cases


Alaa El Gohary

As Egypt strives to put itself on the map as a global electronic hub, it has had to set regulations governing the use of personal data in order to prevent breaches of personal privacy.

The Egyptian Data Protection Law came into force on October 16, 2020, with a one-year grace period for companies to comply with it. The privacy law’s executive regulations are expected to be issued by April 2021.

Who does the law apply to?

The new law applies to any natural or legal person who holds, processes, or controls data, excluding the banking sector.

Which data does this law apply to?

This law applies to personal and sensitive data. While the article does not provide a clear definition of what this data includes, it mentions some characteristics.

What is personal data?

According to article 1 of the law, personal data includes a person’s name, voice, pictures, identification number and online identifier. Additionally, it includes identified personal data, such as genetic data, biometric data, financial data, religious beliefs, political opinions, criminal records, children’s data and mental, psychological, or physical health data.

What is holding data?

The article also provides that the data holder is any natural or legal person who legally possesses personal data in any form, whether it is created by the holder or acquired.

What is controlling data?

The data controller is any natural or legal person who has the right to obtain data due to the nature of their work. The controller decides and specifies the methods, aims, and criteria for keeping, processing and controlling it.

What is processing data?

A data processor is any natural or legal person who has the right to process the data on behalf of or for the benefit of the controller through electronic means. This includes writing personal data, collecting, recording, saving, storing, merging, publishing, sending and receiving, circulating, presenting, erasing, amending, and analyzing data, whether totally or partially.

However, data processing does not apply to physical data, such as written documents, letters, photos, etc.

Depending on the scenario at hand, one can act as both a controller and a processor.

What are the legal rights of the data subject?

According to article 2 of the law, the data subject is entitled to several legal rights. These include being informed of all the data processed by the holder, controller or processor, and having the right to retrieve or review it. The subject can also revoke their consent to the holding or processing of their personal data, as well as correct, amend or delete the data. Additionally, they can limit the usage or processing of said data. The subject should be made aware of any breach or violation of their data. Finally, the subject can refuse the processing of their data whenever it conflicts with their personal rights and liberties.

What is the legal basis for controlling data?

According to article 4 of the law, in order to have valid legal grounds to control data, you must meet various conditions. These conditions include having the consent of the data owner, ensuring the accuracy and safety of the data, erasing the data after using it for the purpose for which it was collected, and obtaining a permit or license to work with personal data. Moreover, a file must be kept in order to track the sensitive data at hand, the reasons for processing this data, the means of processing it and a license or permit for controlling the data.

What is the legal basis for processing data?

There are other conditions for having valid legal grounds to process data according to article 4 of the law. These conditions include consent from the data owner