Egypt’s PDPL: Executive regulations issued – one year compliance countdown begins
Egypt has taken a significant step toward full implementation of its Personal Data Protection Law (Law No. 151/2020) (“PDPL”) with the issuance of the long‑awaited Executive Regulations under Ministerial Decision No. 816/2025. The issuance of the Regulations starts the one‑year compliance grace period, meaning that organisations operating in or targeting Egypt should plan to achieve full compliance within one year of issuance (the exact end date is discussed under “Timeline for compliance” below).
Alongside the Regulations, the Personal Data Protection Centre (“PDPC”) has released a set of operational guidelines, offering practical direction on topics such as lawful bases, consent, privacy notices, licensing, electronic direct marketing, Records of Processing Activities (“ROPA”), and Data Protection Officers (“DPOs”).
For many organisations, this combined package of Regulations and guidelines represents the clearest picture to date of what PDPL compliance will require in practice and the operational steps that will need to be embedded over the coming months.
Key requirements and what businesses need to know
1. A licensing and permit framework
The Regulations introduce a structured licensing system covering controllers, processors, and certain high‑risk activities. This framework is built around several key components:
- General licences for controllers, processors or combined roles, usually valid for three years.
- Supplementary permits for activities such as cross‑border data transfers, electronic direct marketing, and visual surveillance.
- A 90‑working‑day review period once applications are complete, with associated fees set according to activity type and data volumes.
This licensing regime is more formal than what many multinational organisations encounter elsewhere. While European regimes (e.g., the GDPR) rely heavily on accountability and self‑assessment, Egypt has opted for prior authorisation, particularly for cross‑border transfers and electronic marketing.
2. Core processing standards and accountability
The Regulations and guidelines reinforce foundational data protection principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability. Organisations must, among other things:
- establish clear retention periods, aligned with purpose and sector regulation;
- maintain a secure electronic register covering consent records, data categories, retention schedules, security measures, and (for processors) details of DPAs and cross‑border transfers; and
- provide full access to PDPC inspectors, who may review electronic records and systems.
This is broadly aligned with GDPR‑style accountability expectations, though the PDPC’s inspection powers are notably detailed and formalised.
3. Detailed ROPA requirements
The PDPC’s ROPA guideline sets out detailed documentation requirements for controllers and processors, requiring organisations to record key elements of their processing activities, including the purposes for processing, the categories of data subjects and personal data involved (with specific indicators for sensitive and children’s data), the lawful bases relied upon, applicable retention periods, intended recipients, hosting environments and data locations, as well as the mechanisms used for any cross‑border transfers. The ROPA must also reference supporting internal assessments such as Data Protection Impact Assessments (“DPIAs”), Legitimate Interest Assessments (“LIAs”) and Transfer Impact Assessments (“TIAs”). To support implementation, the PDPC has published two dedicated ROPA templates: one designed for controllers (including those that also act as processors) and a separate version for processors.
Compared with international practice, Egypt’s ROPA content requirements are similar to GDPR but more prescriptive in terms of linking to internal assessments and disposal measures.
4. Privacy notices and consent
The PDPC places strong emphasis on clear and accessible privacy information, requiring notices to be:
- concise, intelligible, visible, and in Arabic;
- tailored to different audience segments where relevant; and
- inclusive of controller/DPO details, purposes, lawful bases, retention, rights, and transfer information.
Valid consent under the PDPL must be explicit, informed, specific and freely given. It must be obtained through granular consent requests presented via prominent, affirmative‑action interfaces, supported by frictionless withdrawal mechanisms and robust record‑keeping that evidences how and when consent was obtained. The guidelines emphasise that consent is only one of six lawful bases available under the PDPL and should be selected only where it is genuinely appropriate for the intended processing activity. In line with EU guidance, the PDPC makes clear that consent is not suitable where a real choice cannot be exercised, such as in situations involving a power imbalance, where processing will take place regardless of whether consent is withheld or withdrawn, or where access to a service is made conditional on providing consent.
Additional written‑form and parental consent requirements apply to sensitive and children’s data. These standards are broadly consistent with GDPR expectations, but with more formal procedural requirements, including Arabic‑language consent and heightened record‑keeping.
5. Electronic direct marketing
Electronic direct marketing is subject to both strict substantive rules and licensing requirements:
- Marketing requires prior consent.
- Messages must identify the sender and include free, simple opt‑out mechanisms.
- A specific licence is required, with fees based on whether marketing is for an organisation’s own benefit or on behalf of others.
- A “soft opt‑in” is recognised during the grace period for existing customers.
This combines elements familiar from the EU ePrivacy Directive with a unique licensing obligation.
6. Cross‑border transfers
The Regulations operationalise the PDPL’s transfer restrictions through:
- a licensing/authorisation regime for transfers to non‑Egyptian locations (including cloud environments);
- a forthcoming adequacy framework to assess third countries; and
- requirements to demonstrate that recipients abroad offer protections not lower than Egypt’s.
Transfer licence applications must include detailed information on the proposed transfer, including the destination country, storage locations, the security measures in place, the categories and volumes of personal data involved and the relevant retention periods. The guidelines also confirm that organisations will be expected to conduct TIAs, where necessary, to evaluate the risks associated with the transfer. A dedicated TIA guideline is expected to be published to support this requirement.
While the Regulations provide for an adequacy framework and recognise the relevance of legal and technical protections in the recipient jurisdiction, the overall regime for international transfers remains fundamentally authorisation‑driven. Unlike jurisdictions that rely primarily on self‑assessed contractual safeguards, Egypt’s model centres on prior regulatory approval, supported by detailed licence applications and ongoing PDPC oversight. As a result, cross‑border transfers are likely to be more procedurally intensive and regulator‑led, with the adequacy process potentially functioning as one component within a broader supervisory framework rather than as a standalone alternative to licensing. Further guidance on cross‑border transfers is expected from the PDPC.
7. DPO requirements and registration
The Regulations establish a comprehensive DPO regime including:
- mandatory DPO appointments for legal entities;
- a PDPC‑maintained DPO registry;
- qualification and exam requirements;
- annual reporting duties; and
- rules around independence, conflicts of interest, and multi‑entity appointments.
Each DPO receives a unique PDPC code aligned to the scale and sensitivity of processing they oversee. Compared with international norms, this is more formal and certification‑driven than many jurisdictions require.
8. Breach notification and governance
Controllers and processors must notify the PDPC within 72 hours of becoming aware of a personal data breach, and notify affected individuals within three days of the PDPC notification (or sooner where national security concerns apply). The Regulations also reinforce expectations around incident registers and inspection readiness.
9. Sensitive Data, Children’s Data and Sector‑Specific Overlays
Enhanced protections apply to sensitive personal data, with written consent requirements and specific rules for children’s data. Organisations must also comply with any sector‑specific limits on data collection and retention, applying PDPL standards where sector frameworks are silent.
Timeline for compliance
Although the Regulations were formally issued on 1 November 2025, thereby triggering the one‑year grace period set out in the PDPL, they were not made publicly available until 25 December 2025. On a strict interpretation of the law, the grace period runs from the date of issuance, meaning organisations should plan for enforcement to begin on 1 November 2026. However, the later public release has created some uncertainty as to whether the PDPC may ultimately treat the grace period as running to the end of 2026 instead. Until further clarification is provided, organisations are advised to work on the basis of the statutory timeline while keeping a close watch for any additional guidance from the regulator. Further guidelines are also expected from the PDPC in the coming period, including on DPIAs, cross‑border transfers and personal data breach management, which should offer additional clarity as organisations progress their compliance programmes.
What businesses should do now
With the one‑year grace period underway, organisations should already be preparing. Key near‑term priorities include:
- Assess your role (controller/processor) and begin preparing the required licence applications.
- Build or update your ROPA, ensuring alignment with PDPC guidance.
- Refresh privacy notices and consent mechanisms, ensuring Arabic‑language compliance.
- Document lawful bases, especially legitimate interests supported by LIAs.
- Map cross‑border transfers and prepare for licensing submissions.
- Obtain supplementary permits for electronic direct marketing and surveillance where applicable.
- Appoint and register a DPO, ensuring adequate independence and resourcing.
- Enhance breach readiness to meet the PDPC’s notification timelines.
- For foreign entities, appoint a local representative.
Looking ahead
The Executive Regulations and accompanying guidelines provide the operational clarity that organisations have been awaiting since 2020, although they also raise important questions around how the licensing and permit regime will operate in practice, particularly given the administrative demands it will place on businesses.
With enforcement currently expected to begin on 1 November 2026, the coming year will be a decisive period for organisations preparing to comply. Businesses should treat this as a firm deadline and begin implementing their compliance programmes now to minimise the risk of licensing bottlenecks and potential exposure once the PDPL becomes fully enforceable.
If you require support or would like to discuss what these developments mean for your organisation, please contact the Data and Cyber team at CMS.