EGYPT
DATA PROTECTION FACTSHEET

-
Population: 102,334,403
Capital: Cairo
President: Abdel Fattah el-Sisi
2021 Freedom House Score: 18/100
Data protection law? Yes, but data protection authority not yet appointed
-
Privacy enshrined in Constitution: Yes.
DPA legislation:
Egypt passed the Data Protection Law on 13 July 2020 under Resolution No. 151 of 2020 (available only in Arabic here, and an unofficial English translation here) and it came into force on 16 October 2020. Data controllers and processers must be compliant within one year of the issuance of the executive regulations, which were expected to be released by 16 April 2021 but do not appear yet to have been.
Under the Law, the processing of personal data is prohibited unless the consent of the data subject is obtained, or it is authorised by law. The law provides data subjects with the right to know, inspect, access, correct, and determine the degree of processing of their personal data possessed by any data controller or processor. They also have a right to be informed of any data breach involving his or her personal data.
-
ICCPR: Ratified
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: No
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
-
Personal data is defined as any data relating to an identifiable natural person. It also includes data relating to a natural person which may be, directly or indirectly, identifiable, by reference to any other data such as a name, voice, picture, an identification number, an online identifier or to one or more factors specific to the physical, mental, economic, cultural or social identity of that natural person.
Sensitive personal data is data that reveals the mental health, physical health, genetic health, biometric data, financial data, religious beliefs, political opinions, or security status of a natural person. The personal data relating to children is also considered sensitive personal data.
-
In order to collect and process personal data, the data must be:
- used for legitimate, specific, and public purposes;
- correct and accurate; and
- held only for the period of time required to fulfil its specified purpose.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: Yes
Exceptions exist to breach notifications: No
Requires a data processing register: No
Register is publicly available: NA
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Unclear
-
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: No
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: No
Number of members in DPA: 10
Maximum term length for members of the DPA (years): Repeatedly renewable
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: No
Defines the requirements for consent: No
DPA is mandated to participate in policy formulation: Yes
-
Transferring or sharing personal data abroad requires a permit from the Centre, provided that the recipient country of the transfer has equal or greater data protection regulations. The processor or controller may allow another controller or processer to access personal data provided the objectives are similar or support a legitimate benefit to the controller, processor, or data subject.
Given explicit consent from the data subject, personal data can be transferred to a country without adequate protection to:
- protect the life of the data subject and to provide medical care;
- prove, claim, or defend a right before the judiciary;
- fulfil a contract for the benefit of the data subject;
- make a monetary transfer; or
- to fulfil a treaty of which Egypt is a member.
-
Provides a right not to be subject to automated decision-making: No
Page last updated: 24 May 2022