Egypt regulatory update on data privacy

After years of anticipation, Egypt has finally issued the Executive Regulations to the Personal Data Protection Law No. 151 of 2020 (PDPL) (the “Regulations”). Issued by the Ministry of Communications and Information Technology on 1 November 2025, the Regulations bring Egypt’s data protection regime fully to life.

With a population exceeding 117 million and more than 96 million internet users, the Regulations mark a decisive shift from high-level principles to enforceable, operational compliance for businesses operating in or targeting Egypt.

Why this matters

The Regulations set out, for the first time, clear rules, procedures and approvals governing how personal and sensitive data must be collected, processed, stored, transferred and monitored. They apply to a wide range of activities from routine data processing to electronic marketing, CCTV use and cross-border data transfers.

Businesses now have a one-year grace period to comply.

Effective date: 1 November 2025
Grace period: 12 months
Full enforcement: 31 October 2026

Key developments at a glance

A formal licensing and permits regime

Data controllers and processors must obtain licences or permits from the Personal Data Protection Centre (PDPC). 

Licences are also required for cross-border data transfers, direct electronic marketing activities and the use of visual surveillance systems in public places. Fees vary depending on database size, with smaller databases benefiting from exemptions.

Clear operational compliance obligations

The Regulations introduce detailed requirements around consent, record-keeping, data retention, security measures and breach response. Personal data breaches must be reported to the PDPC within 72 hours, followed by notification to affected individuals within three working days.

Cross-border data transfers under tight control

Transfers outside Egypt require PDPC approval, data-subject consent and strict adherence to approved destination countries. Ongoing obligations apply to ensure equivalent levels of data protection are maintained outside Egypt.

Expanded enforcement and investigation powers

PDPC investigators are now granted judicial authority, including the right to inspect electronic records and assess compliance on the ground.

New rules for DPOs, digital evidence and marketing

The Regulations formalise the appointment and registration of Data Protection Officers, recognise digital evidence subject to technical safeguards, and impose strict consent and record-keeping requirements on electronic marketing activities.

Who should be paying attention?

Any organisation that collects, uses, or processes personal data connected to Egypt should be paying close attention. This includes businesses handling data that can identify individuals such as customer, employee, financial, or health information as well as those engaged in electronic or digital marketing activities.

The scope extends to organisations that transfer data outside Egypt, operate CCTV or other monitoring systems, or provide data-driven, technology, or outsourced services involving personal data. Importantly, foreign companies are also likely to be caught where their operations involve data flows into or out of Egypt, even if they do not have a physical presence in the country.

In broad terms, any business with customers, users, employees, or operational touchpoints in Egypt and any company relying on cross-border data flows—should assess whether and how these requirements apply to their activities.

What’s at stake?

Non-compliance can result in fines ranging from EGP 200,000 to EGP 5 million, potential criminal liability in certain cases, and mandatory public disclosure of violations creating serious regulatory and reputational exposure.

What should businesses do now?

The grace period has started. Businesses should use this time to assess applicability, identify compliance gaps, structure licensing strategies and prepare for enforcement before the deadline arrives.

How can we help?

The Cairo office of Clyde & Co is a full-service, on-the-ground practice with deep local insight and cross-border capability. Our team advises clients across all practice areas on the requirements of Egypt’s Personal Data Protection Law (PDPL), helping them move swiftly and confidently from regulatory uncertainty to compliance. With an experienced data privacy team and strong regional and international reach, we support our clients in Egypt in assessing scope and regulatory exposure, managing PDPC licensing and permit requirements, and designing practical, business-focused data protection frameworks.

For more information please contact Sameh Dahroug, Salma Abdelaziz or Mohamed ElHossamy.