Egypt PDPL

Personal Data Protection Law No. 151 of 2020

Flag of EG
EgyptOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
October 15, 2020
Enacted
July 13, 2020
Enforcing Authority
Personal Data Protection Center (PDPC)
Consent Model
Opt-in
Applies To
All data controllers/processors handling personal data in Egypt, including foreign entities using means in Egyptian territory

Overview

Egypt's PDPL is the country's first comprehensive data protection law. Executive Regulations were delayed five years before operationalization in November 2025 (Decree 816/2025). The law requires PDPC licensing for certain processing activities and cross-border transfers — among the most restrictive approaches in the region.

What This Means for Your Website

  • Explicit consent is required before processing personal data of Egyptian visitors
  • Data controllers and processors may need PDPC licenses or permits
  • Cross-border data transfers require PDPC licensing — one of the most restrictive regimes
  • Breach notification to PDPC is required within 72 hours
  • Direct electronic marketing requires prior authorization
  • Criminal penalties including imprisonment apply

Key Requirements

The PDPC enforces the law with penalties ranging from EGP 100K for unauthorized processing to EGP 5M plus imprisonment for sensitive data violations. The PDPC licensing requirement for cross-border transfers creates significant operational obligations. The 5-year delay in Executive Regulations means enforcement is still maturing.

How ConsentStack Handles This

ConsentStack applies explicit consent for Egyptian visitors, supporting compliance with the newly operationalized regulatory framework.

Penalties

EGP 100K-1M (unauthorized processing). EGP 200K-2M plus 6 months imprisonment (no consent). EGP 500K-5M plus 3 months (sensitive data).

Maximum Fine
EGP5,000,000 per violation

Key Requirements

  • Explicit consent required before processing personal data
  • Data controllers/processors must obtain PDPC licenses or permits
  • 72-hour breach notification to PDPC, then 3 working days to data subjects
  • Licenses required for cross-border data transfers
  • Direct electronic marketing requires prior authorization
  • Visual surveillance in public places requires licensing

Notable Provisions

  • Executive Regulations delayed 5 years before November 2025 operationalization
  • Criminal penalties including imprisonment
  • PDPC licensing for cross-border transfers — among most restrictive
  • Direct marketing requires prior authorization

Other Middle East & North Africa Regulations

UAE PDPLUnited Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.
KSA PDPLKingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.
Israel PPL Amendment 13State of Israel
A sweeping reform of Israel's privacy law introducing GDPR-level enforcement capabilities, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly included as personal data. The PPA's expected binding cookie guidance makes consent banners essential for Israeli users.
Bahrain PDPLKingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.
Algeria Law 18-07Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.
Morocco Loi 09-08Morocco
Among the first data protection laws in Africa, modeled after the French Data Protection Act. The CNDP is an autonomous supervisory authority. All processing activities must be declared to the CNDP prior to implementation. The CNDP takes a graduated enforcement approach with warnings before fines or criminal referrals.

Frequently Asked Questions

When did Egypt's data protection law become fully operational?

November 2025, when Executive Regulations (Decree 816/2025) were operationalized — five years after the law was enacted in 2020.

Does Egypt require licensing for cross-border transfers?

Yes. Cross-border data transfers require PDPC licensing, making Egypt one of the most restrictive jurisdictions for international data flows.

What are Egypt's penalties?

EGP 100K-5M in fines plus criminal penalties including up to 6 months imprisonment for processing without consent.

Stay compliant with Egypt PDPL

ConsentStack helps you implement Opt-in consent for Egypt automatically.

Get started