Published: Jan 20, 2026

From Policy to Practice: Egypt Issues Executive Regulations of the Personal Data Protection Law

On 1 November 2025, the Minister of Communications and Information Technology issued Ministerial Decree No. 816 of 2025 (the “Executive Regulations”), promulgating the long-awaited Executive Regulations of Egypt’s Personal Data Protection Law No. 151 of 2020; the Decree was published in the Official Gazette and enters into force on the day following its publication. The Regulations detail operational rules for consent, licensing, record-keeping, breach notification, cross-border data transfers, special categories of data, children’s data, and direct electronic marketing.

Key Highlights of the Executive Regulations

  1. Consent, purpose limitation, retention, and records

The Executive Regulations require clear purpose specification, prior informed consent from data subjects, purpose-aligned collection and processing, defined and limited retention periods, and confidentiality by design. Controllers must maintain a secure electronic register covering consent records, categories of personal data, processing scope, retention schedules, and security and organizational measures, so that the Personal Data Protection Center (the “Center”) can carry out inspections. Data subjects must be enabled to access, rectify, erase, restrict, or object, and to withdraw consent, with mechanisms approved by the Center and robust logging of requests and actions.

  2. Controller/processor licensing and compliance

Controllers and processors must obtain licenses or permits from the Center based on specified categories and conditions before collecting or processing personal data and must not process data beyond the purposes authorized under their license. Entities located outside Egypt that target individuals or activities in Egypt are required to appoint and register a local representative accepted by the Center, subject to the same licensing requirements. The Center’s inspectors have the authority to access electronic records to verify compliance and the implementation of security measures, and to issue enforcement decisions as needed.

  3. Breach notification timelines and content

Controllers and processors must notify the Center within 72 hours of becoming aware of a personal data breach or violation, using the Center’s portal or hotline, and must log the incident with all required details. If the breach involves national security or sensitive data, additional information must be provided, and notification must be made immediately. In all cases, data subjects must be informed within three working days of the Center’s notification, through the agreed contact method, including details of safeguards and remedial measures taken. The Center will define the official reporting channels and coordinate with national security authorities for serious incidents.

  4. Special category data

Processing of special category personal data requires a license/permit aligned to the activity type, explicit written consent from the data subject (or the guardian for children), necessity for the legitimate, specific purpose, and Center-approved security controls. Additional controls include a prohibition on processing that harms data subjects and logging of consents and data subject requests in secure electronic systems.

  5. Children’s data

Collection and processing of the data of children under age 15 require explicit written consent from the guardian, with scope and duration clearly defined and withdrawal rights preserved using Center-approved consent methods. For children aged 15 to 18, final consent must be provided by the child or guardian depending on circumstances, under mechanisms set by the Center and applicable legal conditions. The Executive Regulations restrict behavioral profiling, tracking, and monitoring of children in certain contexts beyond what is strictly necessary.

  6. Cross-border data transfers

Transfers, storage, sharing, or processing of personal data outside Egypt require a license/permit and are permitted only to jurisdictions assessed to provide an adequate level of protection, with data subject consent and robust technical and organizational measures proportionate to the data’s nature and volume. Licenses/permits must be updated when adding new destination countries during the license period, with additional authorization as needed. The Center will publish and maintain adequacy and policy criteria, including existence of data protection legislation, security measures, and legal redress for misuse. Controllers/processors may also provide personal data to another controller/processor outside Egypt when there is a legitimate, joint or complementary purpose and safeguards meet at least Egyptian standards.

  7. Direct electronic marketing

Direct electronic marketing requires a specific license/permit, separate from general processing authorizations. Conditions include prior explicit consent from data subjects, clear disclosures at the start of any message, the ability to refuse or withdraw consent via accessible mechanisms, and strict limits on re-use or sharing of personal data for other purposes without new consent. Controllers/processors and intermediaries must maintain electronic logs of consents and deletion/rectification requests, and the Center will provide complaint channels for citizens.

  8. Public CCTV and visual surveillance

Use of visual surveillance in public places requires a license/permit, visible notice, and compliance with legal bases for any transfer outside Egypt; facial recognition and similar techniques are prohibited unless explicitly authorized by law or consent is obtained. Controllers must implement security and organizational measures, ensure confidentiality, and support Center inspections; fees apply for permits and licenses.

  9. Data Protection Officer (DPO) registration and duties

The Center sets qualification criteria to register DPOs, including academic/professional credentials, experience, and passing Center assessments, with integrity prerequisites. Registered DPOs receive a unique “DPO code” tied to permitted data categories, record-keeping duties, and scope of responsibility. DPOs must monitor security policy implementation, submit annual and ad hoc reports, manage data subject requests, and avoid conflicts of interest; the Center may review performance.

  10. Licensing/permit procedures and renewal

The Executive Regulations detail application content, documentation, technical standards, inspection powers, and decision timelines. The Center must decide authorization and registration applications within ninety working days of receiving complete information.

  11. Fees and caps

The Executive Regulations provide detailed schedules for controller/processor licenses based on the number of personal data records processed, with progressive fees and an overall annual cap for very large volumes, as well as reduced fees for entities acting only as controller or only as processor. Dedicated fee structures also apply to associations, syndicates, and clubs handling member data; to cross-border transfer licenses/permits; to direct marketing permits; and to public CCTV licenses/permits.

For more information, please contact Ayman Nour, Head of Cairo Office, A.Nour@tamimi.com and Habiba Massoud, Associate, Corporate Structuring and Digital & Data Department, H.Massoud@tamimi.com
