Egypt's PDPL (Law 151/2020): What Businesses Need to Know
Egypt's PDPL (Law 151/2020): What Businesses Need to Know
QUICK ANSWER
Egypt's Personal Data Protection Law (PDPL), Law 151 of 2020, regulates how organizations collect, process, store, and transfer the personal data of individuals in Egypt. It requires a lawful basis for processing, data-subject consent and rights, breach notification, and appropriate security controls, with penalties for non-compliance.
Egypt's Personal Data Protection Law (Law 151 of 2020) sets out how organisations must handle personal data. This guide explains, in plain terms, what it means for your business.
The PDPL is Egypt's dedicated data-protection law. It establishes rules for collecting, processing, storing, and transferring the personal data of individuals — and applies to organisations that handle such data. If your business holds customer, employee, or patient information, it is relevant to you.
Who and What It Covers
The law governs personal data — information relating to an identifiable person — and places obligations on the organisations that control and process that data. It applies broadly across sectors, which is why banks, healthcare providers, telecoms, and general enterprises all need to take it into account.
Key Obligations in Plain Terms
- Lawful basis and consent: personal data should be collected and processed on a proper basis, with consent where required.
- Protection and security: organisations must take appropriate measures to protect personal data against loss, breach, and unauthorised access.
- Purpose and minimisation: data should be used for the purpose it was collected for, and not held without justification.
- Cross-border transfer: transferring personal data outside Egypt is subject to conditions.
- Breach handling: organisations are expected to handle and respond to data breaches appropriately.
Non-compliance carries the risk of penalties, so the PDPL is a genuine business obligation, not just good practice.
How to Prepare: Turning the Law into Controls
Compliance is ultimately about demonstrable controls. The practical measures that support PDPL obligations include:
- Know where your data is: discover and classify the personal data you hold.
- Control access: identity and access management so only the right people reach personal data, with an audit trail.
- Prevent leakage: Data Loss Prevention and encryption to stop personal data leaving the organisation improperly.
- Protect and recover: reliable backup so personal data is not lost, with the ability to recover after an incident.
- Keep evidence: logging and monitoring so you can demonstrate who accessed data and how breaches were handled.
PDPL by Sector
Different sectors feel the PDPL differently. Banks and financial institutions combine it with Central Bank of Egypt requirements; healthcare providers must protect especially sensitive patient data; and telecoms handle it at enormous scale. In every case, the path is the same: translate the law's principles into concrete technical controls you can prove.
Data Controller and Data Processor Responsibilities
Like modern data-protection laws generally, the PDPL recognises a difference between the organisation that decides why and how personal data is processed and the organisation that processes data on its behalf. Both carry responsibilities. In practice this means understanding your role for each set of data you handle — whether you determine its use or handle it for someone else — and ensuring the appropriate protections and agreements are in place. Getting this mapping right is foundational, because it shapes which obligations apply to you.
Respecting Individuals' Rights
A central theme of data-protection law is that individuals have rights over their own personal data. Organisations should be prepared to handle requests relating to the data they hold about a person, and to process personal data in a way that respects those rights. Building simple internal processes to receive and respond to such requests — rather than improvising when one arrives — is part of being genuinely compliant rather than compliant only on paper.
Common Compliance Gaps
When organisations assess themselves against the PDPL, the same gaps appear repeatedly: not knowing where personal data actually lives, granting far more access to it than necessary, having no clear process for handling a breach, and being unable to produce evidence that controls exist and work. Each is addressable with the practical controls above — and closing them not only supports compliance but genuinely reduces the risk of a damaging breach.
Compliance Is a Programme, Not a Project
Treating the PDPL as a one-off, box-ticking exercise rarely holds up. Data changes, systems change, and obligations must be maintained over time. The organisations that manage it best treat data protection as an ongoing programme — reviewing what data they hold, keeping controls current, training staff, and maintaining evidence of compliance as a routine part of operations. Approached this way, meeting the PDPL becomes a steady state rather than a periodic scramble, and a genuine signal of trustworthiness to customers and partners.
How the PDPL Compares to GDPR
Many businesses first encounter data-protection concepts through the EU's GDPR and ask how Egypt's law relates to it. The two share the same core philosophy — protecting individuals' personal data, requiring a proper basis for processing, and holding organisations accountable — so work done for one often supports the other. But they are distinct laws with their own specific requirements, and GDPR does not govern Egyptian organisations simply because they follow good practice. The practical takeaway: if you handle the personal data of people in Egypt, your obligations flow from the Egyptian PDPL; GDPR applies only where you specifically handle data of individuals in the EU. Treating the PDPL as your baseline, rather than assuming a foreign law covers you, is the correct approach.
Cross-Border Data and the Cloud
One area that catches organisations out is moving personal data outside Egypt — which happens routinely, and often invisibly, when using international cloud services. The PDPL places conditions on cross-border transfers of personal data, so it matters to know where your cloud providers actually store and process your data. In practice this may mean choosing services that can keep sensitive data in-country, or ensuring appropriate safeguards are in place for transfers. Mapping your data flows — including through the cloud tools your teams use every day — is a necessary step that many overlook.
A Practical PDPL Readiness Checklist
- Know what personal data you hold and where it lives, including in cloud services.
- Ensure you have a proper basis for collecting and using it.
- Restrict access to personal data to those who genuinely need it.
- Protect it with appropriate security and encryption.
- Have a clear process for handling breaches and individuals' requests.
- Keep records that demonstrate your controls actually work.
This article is general information, not legal advice. For your specific obligations, consult a qualified legal advisor.
Free tool: Try our free Egypt PDPL compliance self-assessment.
Turn PDPL Into Practical Controls
Get help translating Egypt's data-protection requirements into concrete security controls.
Talk to our data protection team