Law No. 151 of 2020 was issued in Egypt on 15 July 2020 to regulate personal data protection (the “Data Protection Law” or the “Law”). The Law is modeled to a large extent on the EU General Data Protection Regulation (GDPR).
Entry into Force
The Law will enter into force three (3) months after the issuance date, i.e., on 16 October 2020, and it provides for a one (1) year grace period for addressees to comply with its rules.
What is personal data?
Personal data is broadly defined as the information relating to an identified or identifiable natural person (or the ‘data subject’). An identifiable natural person is one who can be identified, or is identifiable, directly or indirectly, by reference to an identifier such as a name, a picture, a voice, an identification number, an online identifier or to one or more factors specific to the identity of that natural person.
Note that the Law expressly includes online identifiers such as cookies within this definition.
The following data falls outside the scope of the Data Protection Law:
- Data held by natural persons about others and processed for purely personal use.
- Data processed for official statistics.
- Data processed for media purposes subject to media laws and regulations.
- Data related to judicial reports, investigations and claims.
- Data in possession of the Presidency, the Ministry of Defense, the Ministry of Interior, General Intelligence, and the Administrative Control Authority.
- Data in possession of the Central Bank of Egypt and banks subject to data protection rules under the banking laws and regulations.
Is information about legal entities personal data?
No; however, information about sole traders or partnerships may be considered personal data.
Scope of Application
Who does the Law Apply to?
The Law applies to all personal data ‘controllers’ and ‘processors’.
Who is a controller? A ‘controller’ means the natural or legal person which due to the nature of its work has the right to obtain personal data and determine the means, purposes and criteria of keeping, processing and controlling them.
Who is a processor? A ‘processor’ is any natural or legal person that processes personal data for its own benefit or on behalf of a controller.
The term ‘processing’ is defined broadly under the Law to include anything that is done to, or with, personal data (including simply writing, collecting, recording, storing or deleting those data). This definition is significant because it makes clear that the Law is likely to apply wherever an organisation does anything that involves or affects personal data.
It is likely that all organisations processing personal data (even if only in relation to their own employees) will do so as either a controller or a processor. Therefore, all organisations are advised to start identifying the scenarios in which they act as a controller or a processor, understand the obligations of each role, and deploy a plan to comply with these obligations within the one year grace period provided under the Law.
The Law applies extraterritorially to offences committed by Egyptians and non-Egyptians outside Egypt in respect of personal data relating to Egyptians or to non-Egyptians residing in Egypt.
Systems to which the Law applies
The Law applies only to personal data that are electronically processed in full or in part.
Personal Data Protection Center
The Law provides that a public economic authority will be established to be responsible for personal data protection and for the supervision and enforcement of the Data Protection Law. This authority is named the ‘Personal Data Protection Centre’ (the “Center”).
The Center is affiliated with the Minister of Communications and Information Technology.
Article 19 of the Law gives the Center a comprehensive list of tasks and competencies. Among these are promoting awareness among the public, controllers and processors; encouraging the development of codes of conduct; issuing licences and permits; and advising the government and parliament on proposed relevant laws and international treaties.
Data Protection Principles
All collection and processing of personal data must comply with the following four general data protection principles.
Lawfulness and Transparency
Personal data must be collected for specific, explicit and lawful purposes and in a transparent manner in relation to the data subject.
In order to be lawful, processing of personal data must satisfy at least one of the following conditions:
- be carried out with the consent of the data subject for specific purpose(s);
- be necessary for the performance of a contract with the data subject, or for the initiation of a claim by the data subject;
- be necessary for compliance with a legal or judicial obligation; or
- be necessary for the controller’s or recipient’s legitimate interests, except where overridden by the fundamental rights and freedoms of the data subject.
Data minimisation
Personal data must be adequate, relevant, secured and limited to what is necessary in relation to the purpose for which they are processed.
Storage limitation
Personal data should be kept for no longer than necessary for the purpose for which they are processed.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Consent
Collection, processing or disclosure of personal data is not permitted without first obtaining the consent of the data subject. The Law requires that such consent be explicit.
Data Subject Rights
The Law enshrines a wide range of rights for individuals in respect of their personal data, including the following:
- Right of access: a data subject has the right to know what personal data about them is held by the controller/processor and to obtain copies of it.
- Right to be forgotten: a data subject can ask that their data be erased.
- Right to correct and update data: a data subject has the right to have their data corrected, amended, updated or deleted.
- Right to limit processing: a data subject has the right to request that their personal data be processed only for limited purpose(s).
- Right to be notified: a data subject has the right to be notified of any breach affecting their personal data.
- Right to object: a data subject has the right to object to certain data processing activities where they violate the data subject’s fundamental rights and freedoms.
Sensitive Personal Data
What is sensitive personal data?
Sensitive personal data are special categories of personal data relating to an individual’s mental, psychological, physical, genetic or biometric characteristics. Financial data, data relating to religious beliefs or political opinions, and data relating to security conditions are also considered sensitive personal data. Data relating to children is always considered sensitive.
Additional rules for processing sensitive personal data
Sensitive personal data can be collected, transferred, stored, retained or processed only if both:
- the explicit consent of the data subject is obtained; and
- an authorization from the Center is obtained.
Accountability, Security and Breach Notification
The Data Protection Law imposes a general accountability obligation under which organisations must be able to demonstrate their compliance with the Law. Organisations are required to implement a wide range of measures to reduce the risk of breaching the Law and to prove that they take data governance seriously. Among these measures are the following:
Appoint Data Protection Officer (DPO)
• Who must appoint a data protection officer?
Any organization that controls or processes personal data must appoint a data protection officer (“DPO”). This data protection officer shall be registered in a special register to be established at the Center.
• What are the duties of the data protection officer?
A DPO must be involved in all data protection issues in the organisation and is mainly responsible for:
- monitoring the organisation’s compliance with the Law;
- conducting regular inspections;
- receiving and responding to requests from individuals and assisting data subjects in exercising their rights;
- acting as the point of contact with the Center on issues relating to compliance;
- organising training programmes;
- notifying the Center of any personal data breach; and
- taking corrective action to remedy personal data breaches.
Appoint Local Representative
A controller or a processor outside Egypt is required to appoint a local representative in Egypt, as a point of contact for Egyptian data subjects.
Record of processing activities
Organisations are required to keep a record of their processing activities, covering the type of data processed, the purposes for which it is used, the responsible DPO, the duration of the processing, its scope and limits, the mechanism for updating or deleting the data, and a description of the technical and organisational security measures in place.
Personal Data Breach notification
Controllers and processors are required to notify the Center of any personal data breach within 72 hours of the breach. Notification must be immediate where the breach relates to public security.
Data subjects must also be informed of the breach within 3 working days of notifying the Center.
Cross-Border Data Transfer
Transfer of personal data that has been collected or processed to a third country is prohibited unless both of the following conditions are met:
- The third country provides an adequate level of data protection.
- A permit is obtained from the Center.
This provision will affect all organisations engaged in cross-border data transfers, such as those using online IT services, cloud-based services, remote access services or global HR databases. These organisations will need to put lawful data transfer mechanisms in place.
Personal data may nevertheless be transferred to a third country that does not provide an adequate level of data protection if the following conditions are satisfied:
- The explicit consent of the data subject is obtained; and
- The transfer is necessary for one of the following purposes:
  - Protecting the life of the data subject.
  - Claiming or defending rights before the judiciary.
  - Concluding or implementing a contract for the benefit of the data subject.
  - Implementing a procedure necessary for international judicial cooperation.
  - Making monetary transfers.
  - Implementing an international treaty to which Egypt is a party.
Direct Marketing
Direct marketing by electronic means (mainly e-mail and SMS) is not allowed unless all of the following conditions are met:
- The consent of the recipient is obtained.
- The identity of the sender is revealed.
- The valid and complete address of the sender is provided.
- The message indicates that it is sent for marketing purposes.
- An opt-out address is provided.
Senders are required to keep records evidencing the acceptance or non-objection of the recipients for three years.
Enforcement and Sanctions
Failure to comply with the Law exposes the organisation to criminal liability, in addition to administrative penalties such as a warning and the suspension or withdrawal of its licence. Criminal penalties include the following:
- Unlawfully disclosing personal data that is electronically processed:
  - A fine of not less than EGP 100,000 and not more than EGP 1,000,000.
  - If the unlawful disclosure was made in exchange for a benefit or for the purpose of harming the data subject, the penalty is imprisonment for a minimum of 6 months and double the fine.
  - If the violation relates to sensitive personal data, the penalty is imprisonment for not less than 3 months and/or a fine of not less than EGP 500,000 and not more than EGP 5,000,000.
- Unlawfully preventing the data subject from exercising any of its rights under the Law:
  - A fine of not less than EGP 200,000 and not more than EGP 2,000,000.
- Violation by a controller or processor of any of its obligations under the Law:
  - A fine of not less than EGP 300,000 and not more than EGP 3,000,000.
- Failure to appoint a DPO:
  - A fine of not less than EGP 200,000 and not more than EGP 2,000,000.
- Failure by the DPO to carry out its duties as specified under the Law:
  - A fine of not less than EGP 200,000 and not more than EGP 2,000,000.
- Violation of the cross-border data transfer rules:
  - Imprisonment for not less than 3 months and/or a fine of not less than EGP 500,000 and not more than EGP 5,000,000.
- Violation of the electronic marketing rules:
  - A fine of not less than EGP 200,000 and not more than EGP 2,000,000.
How we can help
Under the new Data Protection Law, companies processing the personal data of Egyptian citizens (or of any person residing in Egypt at the time the data is processed) will need to comply with the Law wherever the data is processed and collected.
The Riad & Riad team is ready to help prepare your organisation to comply with these new requirements before the Law comes into effect. The Law imposes heavy fines and penalties for non-compliance, and our goal is to enable you to conduct your business with confidence, clarity and compliance.
We support clients in a variety of industries and sectors including retail, banking and healthcare. Whether you are a start-up or an established multinational, we will tailor our services to your particular needs and provide you with practical business solutions.
Our services include:
- Audits and regulatory compliance.
- Contract review with business associates and vendors to ensure third-party compliance.
- End-user policies review, including Information Technology Policies, Privacy Policies, Terms of Service/Use, data sharing, transfer and disclosure policies, and workforce data security matters.