
Personal Data Protection Law No. 151 of 2020 (Egypt PDPL)

Egypt | 2020 | Privacy

What is Egypt's Personal Data Protection Law (PDPL)?

Law No. 151 of 2020 on the Protection of Personal Data — commonly referred to as the Egyptian Personal Data Protection Law (PDPL) — is Egypt's first comprehensive data-protection statute. It was enacted on 13 July 2020 and entered into force on 14 October 2020.

The law establishes a national framework for the collection, processing, storage, transfer, and protection of personal data of identifiable natural persons in Egypt. It introduces the principles of lawful processing now standard across modern data-protection regimes globally — lawfulness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality.

The PDPL aligns Egypt broadly with the structural model of the EU GDPR, the UAE Federal Personal Data Protection Law, and other recent regional frameworks. Practical guidance on operating in this environment is set out in our KYC in Egypt laws and automation guide.

Enforcement sits with the Personal Data Protection Center, established under the Ministry of Communications and Information Technology (MCIT). The Center is empowered to issue guidance, license data controllers and processors where required, receive data-subject complaints, investigate breaches, and impose administrative sanctions.

Operational maturity of the Center and the status of the Executive Regulations that elaborate the law's operating detail have been a recurring topic of compliance discussion since 2020 — practitioners should verify the current status against the Center's published material before relying on specific operating provisions.

Why Egypt's PDPL matters

The PDPL is one of the most consequential regulatory developments in MENA over the past five years. For any business operating in Egypt — domestic or foreign — it imposes comprehensive obligations around how personal data is collected, used, transferred, and secured, with significant administrative and criminal penalties for non-compliance.

The law materially affects:

  • Financial institutions — banks, fintechs, payment providers, and insurers processing customer data through KYC and account-management workflows
  • Telecommunications — telcos, ISPs, and mobile-money operators
  • Healthcare — hospitals, clinics, and digital-health platforms
  • E-commerce and digital platforms — including marketplaces and SaaS providers
  • Marketing and advertising firms — processing personal data for targeting or analytics
  • Employers and government agencies — handling staff and citizen data

For multinational groups, the PDPL adds a new compliance layer alongside the EU GDPR, the UAE PDPL, the Saudi PDPL, and other regional frameworks — requiring careful jurisdictional analysis of which rules apply to which data flows.

Who must comply

The PDPL applies broadly to all entities that collect, process, store, or transfer personal data of individuals in Egypt — irrespective of where the entity itself is based. Foreign entities processing the personal data of Egyptian residents fall within the law's extraterritorial reach.

The law distinguishes between two roles. Data controllers determine the purposes and means of processing; data processors process data on behalf of controllers. Distinct obligations attach to each, and controllers retain primary accountability for the processing operations they direct.

Core obligations under the PDPL

Every controller and processor must operate a compliant data-protection framework anchored in the law's core obligations.

Lawful basis and purpose

Personal data may only be processed with the data subject's explicit consent — the default basis — or on another narrowly defined lawful basis where applicable. Data must be collected for specified, explicit, and legitimate purposes, and not further processed in a way incompatible with those purposes.

Only the data necessary for the stated purpose may be collected. Data must be kept accurate, with reasonable measures to update it, and retained only for as long as necessary.

Data-subject rights

Individuals have the right to:

  • Be informed about processing of their personal data
  • Access the personal data held about them
  • Correct or update inaccurate data
  • Request erasure of their data
  • Object to specific processing activities
  • Withdraw previously given consent

Sensitive personal data

Health, biometric, financial, religious, and certain other categories attract enhanced protections — requiring explicit consent and stronger safeguards on processing, storage, and transfer.

Security obligations

Controllers and processors must implement technical and organisational measures appropriate to the risk of processing — including access controls, encryption where appropriate, and incident detection and response.

Data Protection Officer and operational requirements

Many controllers and processors must appoint a Data Protection Officer (DPO) — particularly those processing sensitive data, processing data at scale, or whose core activities involve regular and systematic monitoring of data subjects.

The DPO advises the organisation on compliance with the PDPL, monitors adherence to the law's operational requirements, trains staff on data-protection obligations, and serves as the contact point for the Personal Data Protection Center.

Other operational requirements include maintaining processing records, conducting data-protection impact assessments for high-risk processing, notifying breaches to the supervisory authority within defined timeframes, and implementing privacy-by-design and privacy-by-default principles in new products and services.

Cross-border data transfers

The PDPL imposes meaningful restrictions on cross-border transfers of personal data out of Egypt. Transfers are permitted only where the receiving country provides an adequate level of protection equivalent to Egyptian standards, where the data subject has given specific consent to the transfer, where the transfer is necessary for the performance of a contract, or where other narrowly defined safeguards apply.

Adequacy assessments are made by the Personal Data Protection Center, and approved mechanisms may include binding corporate rules, standard contractual clauses, or specific licensing.

For financial institutions running cloud-hosted KYC, eKYC, and customer-data platforms operating outside Egypt, cross-border transfer compliance is one of the most operationally consequential aspects of the law.

Penalties and enforcement

The PDPL carries both administrative and criminal penalties:

  • Administrative fines. Range / nature: several million Egyptian pounds per breach; higher for serious or repeated violations. Typical triggers: inadequate consent, missing DPO, weak security, retention failures.
  • Criminal offences. Range / nature: imprisonment and significant fines. Typical triggers: unauthorised processing, unauthorised cross-border transfer, refusal to respond to data-subject requests, obstruction of the Center.
  • Senior-manager liability. Range / nature: personal liability in defined circumstances. Typical triggers: where management failure causes or enables the breach.
  • Licence and contract restrictions. Range / nature: licence limits; exclusion from public contracts. Typical triggers: severe or systemic non-compliance.

The deterrent effect of these penalties is one of the most cited motivators for active compliance investment by Egyptian and foreign-headquartered businesses operating in the market.

Compliance implications for financial services

For banks, fintechs, payment providers, and other financial institutions, the PDPL has several specific operational consequences. Customer onboarding flows must capture explicit consent, surface clear privacy notices, and minimise data collection, even as AML screening and recordkeeping obligations continue to apply in parallel. KYC and AML data must be retained only for as long as necessary — balanced against the AML recordkeeping obligations under Egyptian financial-services law.

Secondary uses of personal data — marketing and analytics — require fresh, specific consent. Cross-border data flows to global parent companies, cloud providers, or vendors require an appropriate transfer mechanism. Vendor management must include data-processing agreements that bind processors to PDPL standards. Incident response must integrate breach-notification timelines into the institution's existing operational-risk and fraud workflows.

Many institutions deploy unified KYC platforms with PDPL-aligned consent capture, audit logging, and data-residency controls built in.

Key Obligations

1. Lawful basis for processing — collect and process personal data only with explicit consent or another narrowly defined lawful basis.

2. Purpose limitation and minimisation — collect data for specified, explicit, and legitimate purposes, and only what is necessary for those purposes.

3. Data-subject rights — enable access, correction, erasure, objection, withdrawal of consent, and the right to be informed about processing.

4. Sensitive personal data safeguards — apply enhanced protections to health, biometric, financial, religious, and other sensitive categories.

5. Cross-border transfer controls — restrict transfers unless the receiving country provides adequate protection or another approved safeguard applies.

6. Security measures — implement technical and organisational measures appropriate to the risk of processing.

7. Appoint a Data Protection Officer — where required, with responsibility for advising on compliance, monitoring adherence, and engaging the Personal Data Protection Center.

8. Breach notification and DPIAs — notify the supervisory authority of breaches within defined timeframes; conduct data-protection impact assessments for high-risk processing.

Manual Details

Issued by: Arab Republic of Egypt
Citation: Law No. 151 of 2020 on the Protection of Personal Data
Enacted: 13 July 2020
Effective: 14 October 2020
Implementing regulations: Executive Regulations — issued by the Council of Ministers; status remains a recurring compliance question (verify against current Personal Data Protection Center publications)
Supervisory authority: Personal Data Protection Center, under the Ministry of Communications and Information Technology (MCIT)
Jurisdiction: Arab Republic of Egypt
Category: Data privacy and protection
