Data Protection
Overview of the Executive Regulations of the Egyptian Personal Data Protection Law
I. Purpose, Scope, and Analytical Framework
Law No. 151 of 2020 established Egypt’s first comprehensive statutory framework for the protection of personal data. From the outset, however, the Law was intentionally principles-based and explicitly dependent on its Executive Regulations to define the mechanics of implementation, supervision, and enforcement. For several years following the Law’s issuance, this absence created a structural gap between legislative intent and practical enforceability.
During this interim period, controllers, processors, and regulators alike operated in a state of legal incompleteness. Core obligations existed in theory, but the absence of binding technical standards, licensing structures, procedural timelines, and documentation requirements rendered full compliance difficult to define and enforcement inherently uncertain. In practice, the delayed issuance of the Executive Regulations limited the Law’s operational impact and constrained the development of a predictable compliance environment.
Executive Regulations No. 816 of 2025 therefore represent not merely the final step in implementing Law No. 151 of 2020, but a necessary regulatory inflection point. The Regulations transform the Law from a framework of general principles into a functioning regulatory system by introducing enforceable operational standards, graduated licensing regimes, inspection mechanisms, and detailed procedural obligations.
II. General Principles Governing the Collection and Processing of Personal Data (as Developed by the Executive Regulations)
While Law No. 151 of 2020 establishes the core legality conditions for the collection and processing of personal data, the Executive Regulations No. 816 of 2025 materially develop those conditions by converting high-level statutory principles into binding technical, procedural, and documentation requirements. The Executive Regulations therefore function not merely as interpretive guidance, but as the primary instrument defining how compliance is practically achieved.
A. Licensing, Purpose Specification, and Regulatory Control of Lawfulness
The Executive Regulations reinforce the licensing requirement contained in the Law by making it an operational precondition for any data collection, processing, retention, or securing activity, regardless of whether the entity is otherwise authorized under sector-specific legislation. In practice, this elevates licensing from a formal requirement into a continuous compliance condition.
A key regulatory development introduced by the Executive Regulations is the tight coupling of purpose specification to licensing scope. Collection and processing must not only be lawful and declared, but must remain strictly within the purpose expressly approved by the competent authority. Any functional expansion, even if commercially logical or technically incidental, requires renewed consent and regulatory alignment.
The Executive Regulations further introduce an express recognition of implied consent in narrowly defined circumstances. A natural person is deemed to have implicitly consented where processing is strictly necessary to deliver a lawful service or transaction expressly requested by the data subject. This represents a material clarification not expressly articulated in the Law. However, the Regulations simultaneously restrict this concept by expressly prohibiting any secondary or unrelated use of data obtained on the basis of implied consent, thereby preventing functional creep.
B. Consent Formalization, Transparency, and Enforceable Awareness
Although consent remains the principal legal basis under the Law, the Executive Regulations significantly raise the evidentiary and procedural threshold for valid consent. Consent is no longer assessed solely as a legal condition, but as a documented, auditable process.
Entities are now required to implement consent mechanisms capable of demonstrating, at any time, the form, timing, scope, and validity of consent, including guardian consent for children. This requirement transforms consent from a transactional act into a compliance asset subject to inspection.
The Executive Regulations also operationalize transparency obligations by requiring that data subject rights be communicated at the point of collection, not merely through general privacy notices. This embeds transparency directly into data collection workflows and exposes entities to regulatory risk where rights are technically available but practically obscured.
C. Data Minimization, Retention Mapping, and Purpose-Linked Time Limits
The Executive Regulations materially strengthen the data minimization and retention principles by imposing a forward-looking planning obligation. Entities must now determine, in advance, retention periods for each category of personal data and formally link those periods to the stated purpose of collection.
This represents a shift from outcome-based compliance to design-based compliance. Retention is no longer assessed only after the fact, but at the architectural stage of data systems and processes. Retention beyond the purpose period is expressly prohibited unless supported by an independent legal justification.
D. Security Measures and Mandatory Documentation
While the Law imposes a general duty to protect personal data, the Executive Regulations introduce enforceable technical and organizational compliance expectations by requiring adherence to security measures issued by the competent authority. These measures apply comprehensively to all devices, systems, platforms, and storage media used in any stage of data handling.
A central regulatory innovation introduced by the Executive Regulations is the mandatory maintenance of secure electronic records. These records must document, at a minimum, consent, data categories, retention periods, and applied security measures, and must be structured in a manner that enables direct regulatory inspection. Compliance is therefore no longer assessed solely through outcomes, but through demonstrable internal governance.
III. Controller and Processor Obligations (Expanded and Operationalized by the Executive Regulations)
The Executive Regulations significantly recalibrate the obligations of data controllers and processors by transforming the general duties set out in Law No. 151 of 2020 into detailed operational, organizational, and record-keeping requirements. In doing so, the Regulations materially increase both compliance complexity and regulatory exposure.
A. Obligations of the Data Controller
Licensing Scope and Purpose Discipline
The Executive Regulations elevate licensing from a formal authorization into a substantive constraint on operational behavior. Controllers are prohibited not only from unlicensed processing, but from any use of personal data that exceeds the licensed purpose, even where such use would otherwise appear compatible with the controller’s business model.
Controllers are further required to align the volume and categories of collected data with what is expressly permitted under the laws governing their activity. Where such laws are silent on retention, security, or transfer, the Personal Data Protection framework applies by default, closing regulatory gaps that previously existed.
Accuracy Verification, Retention Termination, and Anonymization Duties
The Executive Regulations introduce a positive obligation on controllers to actively verify the accuracy and currency of personal data, including through review of its source. This shifts responsibility away from passive reliance on initial collection.
Upon expiry of the collection purpose, controllers must not only delete data, but must notify data subjects and ensure that any legally retained data is rendered non-identifiable. Where retention is justified by legal or national security considerations, the Regulations impose a clear obligation to anonymize or render data unreadable and to permanently delete it once justification ceases.
Authority-Approved Mechanisms for Data Subject Rights
A major regulatory development is the requirement that controllers establish authority-approved mechanisms enabling data subjects to exercise their rights. Rights are no longer assessed in abstraction; controllers must demonstrate that mechanisms are functional, documented, and verifiable. This creates direct exposure where rights exist legally but are operationally ineffective.
Confidentiality, Internal Controls, and Inspection Readiness
The Executive Regulations expressly require controllers to bind all personnel involved in data handling to confidentiality obligations and to implement organizational controls capable of withstanding regulatory inspection. Cooperation with inspectors is framed not as a procedural courtesy, but as a substantive obligation.
Foreign controllers without a local presence are required to appoint an approved local representative or agent, reinforcing regulatory reach beyond territorial boundaries.
Mandatory Electronic Registers
Controllers must maintain detailed electronic registers documenting data subject requests, retention decisions, and legally retained data. These registers must be structured to allow inspection without enabling third-party identification, reflecting a balance between oversight and data protection.
B. Obligations of the Data Processor
The Executive Regulations materially expand the compliance footprint of processors, who are no longer treated as operational extensions of controllers but as independently regulated actors.
Processors must operate within a licensed scope, implement authority-approved processing mechanisms, and document data categories, purposes, durations, and consent where applicable. Processing outside the controller’s licensed purpose is prohibited, subject only to narrowly defined and heavily conditioned exceptions.
The explicit regulation of artificial intelligence and emerging technologies constitutes a notable regulatory development. Processors must ensure that data use in such contexts complies with recognized principles and does not result in harm, introducing a risk-based and ethical compliance dimension not previously articulated in the Law.
Processors are also subject to robust security, incident preparedness, register-keeping, and foreign representation requirements equivalent in substance to those imposed on controllers.
IV. Obligations in the Event of a Personal Data Breach (Procedural Intensification under the Executive Regulations)
While the Law establishes the obligation to report personal data breaches, the Executive Regulations significantly intensify this obligation by prescribing the reporting channel, content, documentation standards, and timelines.
Controllers and processors must report breaches through a designated electronic register within seventy-two hours of knowledge, with immediate notification required where national security considerations arise. The Regulations impose detailed content requirements and introduce a parallel obligation to notify affected data subjects within a defined timeframe using pre-agreed communication methods.
V. Cross-Border Transfer and International Processing of Personal Data (Regulatory Expansion Beyond the Law)
Although Law No. 151 of 2020 establishes the principle of adequacy and prior authorization, the Executive Regulations construct a comprehensive regulatory regime governing cross-border data flows. This regime introduces structured adequacy assessments, country-specific licensing, detailed application requirements, and enforceable safeguards, transforming international data transfer from an exception-based concept into a regulated operational activity.
A. General Prohibition and Licensing Requirement
As a general rule, personal data collected or prepared for processing within Egypt may not be transferred, stored, shared, made available, or processed outside Egypt unless the controller or processor has obtained a license or permit from the competent authority. This requirement applies irrespective of whether the transfer is permanent or temporary and covers all forms of cross-border data handling.
In all cases, the data subject’s consent is required prior to the cross-border transfer of personal data, unless a statutory exception applies. Consent must be informed and specific to the transfer activity.
Controllers and processors remain responsible for ensuring that personal data transferred across borders is protected at a level consistent with the scope, nature, and sensitivity of the data, in accordance with the conditions and safeguards set out in the issued license or permit.
Transfers may only be made to the foreign state or states expressly identified in the relevant license or permit. Any subsequent addition of destination countries during the validity period of the authorization requires prior amendment or renewal of the license or permit.
B. Adequacy of Data Protection in the Recipient Country
The Executive Regulations adopt an adequacy-based approach to international data transfers. The competent authority is responsible for determining whether a foreign state provides a sufficient level of personal data protection, based on approved policies and subject to periodic review.
In assessing adequacy, the authority considers, in particular:
The existence of personal data protection legislation or regulatory frameworks and their consistency with the principles of the Personal Data Protection Law.
The availability of technical and security measures ensuring effective data protection.
The presence of legal mechanisms enabling compensation for damage suffered by data subjects as a result of misuse of their personal data.
Where these criteria are met, the authority may approve the issuance of licenses or permits allowing transfers to such foreign states.
C. Transfers to Countries Lacking Adequate Protection (Statutory Exceptions)
By way of exception, personal data may be transferred to a country that does not provide an adequate level of protection, provided that the explicit consent of the data subject or their legal representative has been obtained and that the transfer falls within one of the statutorily defined cases, including:
Protection of the data subject’s life or provision of medical care or health services.
Establishment, exercise, or defense of legal rights before judicial authorities.
Conclusion or performance of a contract concluded in the interest of the data subject.
Execution of international judicial cooperation procedures.
Fulfilment of a legal obligation or protection of the public interest.
Execution of cross-border monetary transfers in accordance with applicable legislation.
Implementation of an international treaty or agreement to which Egypt is a party.
These exceptions are interpreted restrictively and do not dispense with the requirement to implement appropriate technical and organizational safeguards.
D. Disclosure of Personal Data to a Foreign Controller or Processor
Personal data may be made available to another controller or processor located outside Egypt only pursuant to a license issued by the competent authority and subject to additional substantive conditions.
Such disclosure is permitted where there is compatibility or integration between the activities of the relevant entities, or unity of purpose in obtaining the personal data, and where a legitimate interest exists for the transferring entity, the recipient entity, or the data subject.
In all cases, the level of legal and technical protection applied by the foreign controller or processor must not be lower than the level applicable within Egypt.
E. Conditions for Licensing Cross-Border Transfers
a) Legal Persons
Without prejudice to the general licensing requirements, legal persons seeking authorization to transfer personal data across borders must, at a minimum, provide:
Identification of the destination country or countries.
Information on the nature of the activity of the foreign controller or processor.
Description of the categories and nature of the personal data to be transferred.
Details of security systems, storage locations (temporary and permanent), and protective measures applied during transfer and storage.
Evidence of compliance with applicable cross-border data protection standards.
Specification of the purpose of the transfer.
Adequate information on storage locations in accordance with authority-issued templates.
Description of data categories, volume, and retention periods.
b) Natural Persons
Natural persons applying for authorization must provide:
Description, nature, volume, and purpose of the personal data to be transferred.
Identification of the recipient entity and applicable retention period.
Details of security systems, storage locations, and protection measures.
Evidence of compliance with applicable cross-border data protection standards.
Adequate information on storage locations in accordance with authority-issued templates.
F. Licensing Procedures and Regulatory Review
Applications for licenses or permits to transfer personal data across borders must be submitted electronically through the designated portal, accompanied by all required information and supporting documentation.
The competent authority reviews applications through specialized technical teams and may request additional information where necessary. Applicants are notified of the authority’s decision within a period not exceeding ninety working days from the date of completion of all required documentation. Failure to respond within this period constitutes an implicit rejection of the application.
VI. Direct Digital Marketing (Regulatory Expansion under the Executive Regulations)
While Law No. 151 of 2020 establishes a general prohibition on direct electronic marketing without prior consent, the Executive Regulations No. 816 of 2025 fundamentally restructure this activity by subjecting it to a standalone regulatory and licensing regime. The Regulations move beyond consent as a sufficient compliance condition and treat direct digital marketing as a high-risk processing activity requiring prior authorization, enhanced documentation, and continuous regulatory oversight.
A. Direct Digital Marketing as a Licensed Activity
A central development introduced by the Executive Regulations is the requirement that any entity engaging in direct electronic marketing, whether acting as a controller, processor, or marketing intermediary, must obtain a specific license or permit dedicated to direct electronic marketing activity. This obligation applies independently of any license held by the entity in its capacity as a controller or processor and therefore constitutes an additional layer of regulatory approval.
The Regulations further differentiate between marketing conducted for the entity’s own goods or services and marketing conducted on behalf of third parties. This distinction is not merely descriptive but carries regulatory consequences, including differentiated licensing categories and increased scrutiny for third-party marketing service providers. The structure reflects a clear regulatory assessment that outsourced and intermediary-based marketing presents heightened compliance and abuse risks.
B. Consent as a Condition for Operation, Not Merely Lawfulness
Although prior consent is already required under the Law, the Executive Regulations materially intensify the legal effect of consent in the marketing context. Consent must be explicit, purpose-specific, and demonstrably linked to direct electronic marketing communications.
More importantly, the Regulations impose a mandatory obligation to erase personal data without delay in two situations: (i) where the data subject withdraws consent to marketing, or (ii) where the retention period or marketing purpose expires, whichever occurs first. This requirement departs from more flexible evidentiary retention approaches under the Law and reflects a stricter application of purpose limitation in the marketing context.
C. Absolute Purpose Limitation and Prohibition of Secondary Use
The Executive Regulations expressly prohibit the use of personal data collected for direct electronic marketing for any other purpose, including processing, sharing, or circulation, unless new explicit consent is obtained from the data subject.
This provision closes a practical gap that previously allowed marketing data to be reused for analytics, profiling, or affiliated commercial purposes under broad or bundled consent language. Under the Executive Regulations, marketing data is legally ring-fenced and confined to its declared promotional purpose.
D. Mandatory Content and Functional Requirements for Marketing Communications
The Executive Regulations substantially expand the formal requirements applicable to the structure and content of marketing communications. Every direct electronic marketing message must clearly identify the sender, specify the marketing purpose, and provide the data subject with a continuous and unrestricted ability to refuse or withdraw consent at any time.
Withdrawal and refusal mechanisms must be accessible through any communication channel approved by the competent authority, including digital platforms, messaging services, email, telephone communications, or other technical means. This approach ensures that informal or platform-based outreach falls fully within the regulatory framework and cannot be used to bypass compliance obligations.
E. Regulation of Marketing Intermediaries and Data Provenance
A notable regulatory development introduced by the Executive Regulations is the express regulation of marketing intermediaries. Where marketing is conducted through an intermediary, that intermediary bears an independent obligation to verify that valid consent was originally obtained by the controller or processor and that the marketing activity aligns with the declared purpose.
Intermediaries must also retain evidence of the source of the personal data and the data subject’s consent to receive marketing communications. This eliminates reliance on contractual disclaimers and significantly increases compliance exposure for outsourced marketing providers by imposing direct accountability for consent provenance.
F. Mandatory Electronic Registers and Audit Exposure
The Executive Regulations impose dedicated record-keeping obligations specific to direct electronic marketing. Entities must maintain secure electronic registers documenting the method and timing of consent, the specific marketing purpose, requests for erasure or modification of consent, and the technical and organizational measures used to secure marketing data.
These registers must be made available to the competent authority upon request and operate independently from general processing records. Their purpose is not merely administrative but to enable targeted inspections and enforcement actions in response to complaints or suspected non-compliance.
G. Complaint-Driven Enforcement Mechanism
As an additional regulatory measure, the Executive Regulations require the competent authority to designate specific communication channels for receiving complaints related to direct electronic marketing practices. This introduces a direct enforcement pathway driven by data subjects rather than solely by regulatory audits, increasing the likelihood of investigation based on consumer-level grievances.
VII. Licensing and Permitting Regime under the Executive Regulations
One of the most significant regulatory shifts introduced by the Executive Regulations No. 816 of 2025 is the establishment of a comprehensive, graduated licensing and permitting regime governing all personal data processing activities. While Law No. 151 of 2020 requires controllers and processors to obtain authorization from the competent authority, the Executive Regulations fundamentally restructure this requirement by introducing differentiated license types, time-limited permits, quantitative fee scaling based on data volume, and detailed procedural and documentary thresholds.
A. Consolidated Controller/Processor License for Legal Persons
The Executive Regulations introduce a consolidated “Controller/Processor” license for legal persons, replacing the previously ambiguous distinction between controller-only and processor-only authorizations. This consolidated license recognizes the operational reality that many entities perform both roles concurrently.
Licensing fees under this regime are directly linked to the volume of personal data records processed, measured by the number of individual data subject records held by the applicant. The Regulations establish a progressive fee structure that scales with data volume, introducing predictability while simultaneously discouraging excessive or unjustified data accumulation.
Annual Licensing Fees for Controller/Processor (Up to One Million Records):
Number of Personal Data Records
Annual Licensing Fee (EGP)
From 1 to 10,000
Exempt
From 10,001 to 200,000
200
From 200,001 to 300,000
300
From 300,001 to 400,000
400
From 400,001 to 500,000
500
From 500,001 to 600,000
600
From 600,001 to 700,000
700
From 700,001 to 800,000
800
From 800,001 to 900,000
900
From 900,001 to 1,000,000
1,000
Annual Licensing Fees for Controller/Processor License (Above One Million up to Two Million Records):
Number of Personal Data Records
Annual Licensing Fee (EGP)
From 1,000,001 to 1,100,000
5,000
From 1,100,001 to 1,200,000
10,000
From 1,200,001 to 1,300,000
15,000
From 1,300,001 to 1,400,000
20,000
From 1,400,001 to 1,500,000
25,000
From 1,500,001 to 1,600,000
30,000
From 1,600,001 to 1,700,000
35,000
From 1,700,001 to 1,800,000
40,000
From 1,800,001 to 1,900,000
45,000
From 1,900,001 to 2,000,000
50,000
Annual Licensing Fees for Controller/Processor License (Above Two Million up to Three Million Records):
Number of Personal Data Records
Annual Licensing Fee (EGP)
From 2,000,001 to 2,100,000
60,000
From 2,100,001 to 2,200,000
70,000
From 2,200,001 to 2,300,000
80,000
From 2,300,001 to 2,400,000
90,000
From 2,400,001 to 2,500,000
100,000
From 2,500,001 to 2,600,000
110,000
From 2,600,001 to 2,700,000
120,000
From 2,700,001 to 2,800,000
130,000
From 2,800,001 to 2,900,000
140,000
From 2,900,001 to 3,000,000
150,000
Annual Licensing Fees for Controller/Processor License (Above Three Million up to Four Million Records):
Number of Personal Data Records
Annual Licensing Fee (EGP)
From 3,000,001 to 3,100,000
165,000
From 3,100,001 to 3,200,000
180,000
From 3,200,001 to 3,300,000
195,000
From 3,300,001 to 3,400,000
210,000
From 3,400,001 to 3,500,000
225,000
From 3,500,001 to 3,600,000
240,000
From 3,600,001 to 3,700,000
255,000
From 3,700,001 to 3,800,000
270,000
From 3,800,001 to 3,900,000
285,000
From 3,900,001 to 4,000,000
300,000
Annual Licensing Fees for Controller/Processor License (Above Four Million up to Five Million Records):
Number of Personal Data Records
Annual Licensing Fee (EGP)
From 4,000,001 to 4,100,000
320,000
From 4,100,001 to 4,200,000
340,000
From 4,200,001 to 4,300,000
360,000
From 4,300,001 to 4,400,000
380,000
From 4,400,001 to 4,500,000
400,000
From 4,500,001 to 4,600,000
420,000
From 4,600,001 to 4,700,000
440,000
From 4,700,001 to 4,800,000
460,000
From 4,800,001 to 4,900,000
480,000
From 4,900,001 to 5,000,000
500,000
For data volumes exceeding five million personal data records, the Executive Regulations impose a statutory maximum annual licensing fee, capped at EGP 2,000,000, payable annually for a total of three years.
Where an entity applies for a controller-only or processor-only license, the applicable fee is reduced to 50% of the corresponding amount indicated in the tables, reflecting reduced functional scope.
B. Temporary and Purpose-Specific Processing Permits
In addition to permanent licenses, the Executive Regulations introduce time-limited processing permits for specific and temporary purposes, valid for a period not exceeding one calendar year. The competent authority is granted discretion to assess the continuing necessity of the permitted purpose as a condition for renewal or continuation.
Unlike licenses, permits automatically lapse once the authorized purpose expires, without the need for formal revocation.
Permit fees are calculated based on both data volume and permit duration, introducing a granular fee matrix that did not exist under the Law.
Permit Fees Based on Data Volume and Duration:
Number of Records
> 3 months to 1 year
> 1 month to 3 months
> 1 week to 1 month
< 1 week
1 to 25,000
Exempt
Exempt
Exempt
Exempt
25,001 to 250,000
50,000
37,500
25,000
12,500
250,001 to 1,000,000
100,000
75,000
50,000
25,000
1,000,001 to 2,000,000
200,000
150,000
100,000
50,000
2,000,001 to 3,000,000
300,000
225,000
150,000
75,000
3,000,001 to 4,000,000
400,000
300,000
200,000
100,000
4,000,001 to 5,000,000
500,000
375,000
250,000
125,000
Above 5,000,000
Statutory maximum applies
Statutory maximum applies
Statutory maximum applies
Statutory maximum applies
Where the data volume exceeds the statutory threshold, the maximum permit fee prescribed by law applies regardless of duration.
As with licenses, permits issued to controller-only or processor-only applicants are subject to a 50% fee reduction relative to the consolidated rate.
C. Conditions Applicable to Natural Persons
For natural persons, the Executive Regulations introduce a tailored but still rigorous permitting framework. Applicants must demonstrate lawful purpose, technical capacity, and compliance readiness proportionate to the scale of processing, including consent mechanisms, security measures, and compliance with inspection and oversight requirements.
D. Cross-Border Data Transfer Licensing as an Extension of the Core Regime
The Executive Regulations expressly link cross-border data transfer authorization to the underlying controller/processor licensing regime. Any license or permit for international data transfer is priced at 50% of the applicable controller/processor licensing fee, reflecting the heightened risk profile of cross-border processing.
E. Application Procedures and Regulatory Review
A key procedural innovation introduced by the Executive Regulations is the mandatory use of a centralized electronic licensing portal for all license and permit applications.
Applications are reviewed by specialized technical teams, and the authority may request supplementary information as needed. The Regulations impose a definitive review timeline of 90 working days from completion of documentation, with silence constituting an implicit rejection, thereby eliminating regulatory uncertainty through inaction.
F. Expanded Documentation Requirements
The Executive Regulations substantially increase the documentary burden on applicants, particularly legal persons. Required submissions now extend beyond corporate identification to include detailed technical, operational, and security documentation relating to data infrastructure, hosting environments, certifications, and compliance controls.
An applicant that is a legal person must submit the following data and documents in order to obtain a license or permit:
A copy of the commercial register of the legal person, together with its address, details of its legal representative, organizational structure, nature of activity, and contact information, including telephone number and email address.
A clear specification of the category of license or permit requested.
A description of the nature and volume of personal data processed, including identification of any sensitive personal data.
The retention period applicable to the personal data.
A description of the security measures applied to the transfer of personal data.
An explanation of the mechanisms for erasure or modification of personal data in accordance with the data subject’s request or as required by law.
A description of the method used to store personal data.
Identification of the appointed Data Protection Officer.
A description of the mechanism used to obtain the data subject’s consent.
Full technical details of the infrastructure used, including the classification of data centers or the types of servers used, any technical certifications or accreditations obtained, and confirmation that the infrastructure complies with the technical and operational requirements prescribed by the Centre.
Copies of the technical certifications and accreditations obtained in relation to the security of personal data storage and processing, specifying the issuing authority, date of issuance, and validity period.
An applicant that is a natural person must submit the following data and documents in order to obtain a permit:
A copy of the national identification card, a criminal record certificate, academic qualifications, and a description of the professional activity carried out by the applicant.
A specification of the type and category of permit requested.
A statement of the purpose for which the permit is requested.
A description of the nature and volume of personal data processed, including identification of any sensitive personal data.
The retention period applicable to the personal data.
An explanation of the mechanisms for erasure or modification of personal data in accordance with the data subject’s request or as required by law.
A description of the method used to store personal data.
A description of the mechanism used to obtain and record the data subject’s consent.
Full technical details of the infrastructure used, including the types of devices used and any technical certifications or accreditations obtained, together with confirmation that the infrastructure complies with the technical and operational requirements prescribed by the Centre.
Copies of the technical certifications and accreditations obtained in relation to the security of personal data storage and processing, specifying the issuing authority, date of issuance, and validity period.
Conclusion
The issuance of Executive Regulations No. 816 of 2025 marks the effective activation of Egypt’s personal data protection regime. While Law No. 151 of 2020 articulated foundational rights and duties, its practical relevance was necessarily limited in the absence of implementing regulations capable of translating those duties into operational reality.
The prolonged delay in issuing the Executive Regulations underscored the extent to which modern data protection frameworks depend on technical and procedural detail rather than statutory principle alone. Without defined licensing categories, measurable security standards, structured consent mechanisms, and enforceable documentation requirements, compliance remained largely theoretical and enforcement necessarily restrained.
The Executive Regulations close this gap. They convert the Law’s abstract obligations into concrete systems of compliance and oversight. Licensing becomes a structural condition of legality. Consent becomes an auditable process. Retention and minimization are embedded at the design level. Controllers and processors are treated as independently accountable regulatory subjects. Cross-border data transfers are governed through structured adequacy assessments and country-specific authorizations. Direct digital marketing is elevated to a regulated activity in its own right.
Collectively, these developments signal a clear regulatory transition. The Personal Data Protection framework is no longer aspirational or transitional. It is operational.
For regulated entities, this shift carries both risk and clarity. Regulatory exposure increases, but so does predictability. The Executive Regulations provide the long-awaited reference point against which compliance can be assessed, systems can be designed, and enforcement expectations can be anticipated.
In practical terms, Executive Regulations No. 816 of 2025 now constitute the core compliance instrument under Egypt’s personal data protection regime. Any assessment of legal risk, operational readiness, or regulatory strategy must therefore begin with the Regulations themselves. Their issuance not only completes the legislative architecture initiated in 2020, but finally enables the Personal Data Protection Law to function as a living regulatory system rather than a deferred legal promise.
Annex - Executive Regulations Compliance Checklist
A. Governance & Registration
☐ Determine whether you act as controller, processor, or both
☐ Register with the Personal Data Protection Center
☐ Obtain required licenses or permits before processing
☐ Appoint internal data protection responsibility (DPO-like role)
B. Data Mapping & Legal Basis
☐ Map all personal and sensitive data processed
☐ Identify lawful basis for each processing activity
☐ Ensure explicit consent mechanisms are documented
☐ Separate treatment for sensitive and biometric data
C. Policies & Documentation
☐ Privacy notices aligned with Regulation requirements
☐ Records of processing activities
☐ Processor agreements with confidentiality and security clauses
☐ Data retention and deletion schedules
D.Security & Risk Management
☐ Implement technical and organizational safeguards
☐ Conduct risk assessments for high-risk processing
☐ Restrict internal access to personal data
☐ Maintain breach-response protocols
E.Data Breach Response
☐ Notify PDPC within required timelines
☐ Notify affected data subjects where risk exists
☐ Document breach causes and remedial actions
F. Cross-Border Transfers
☐ Assess destination country’s protection level
☐ Obtain prior PDPC approval
☐ Secure explicit data-subject consent where required
☐ Maintain transfer documentation
12 January 2026