{"id":4783,"date":"2026-01-12T15:15:46","date_gmt":"2026-01-12T15:15:46","guid":{"rendered":"https:\/\/eldib.com\/?p=4783"},"modified":"2026-01-12T15:15:46","modified_gmt":"2026-01-12T15:15:46","slug":"egypts-pdpl-executive-regulations-beyond-customers-beyond-tech-companies","status":"publish","type":"post","link":"https:\/\/eldib.com\/ar\/egypts-pdpl-executive-regulations-beyond-customers-beyond-tech-companies\/","title":{"rendered":"Egypt\u2019s PDPL Executive Regulations: Beyond Customers, Beyond Tech Companies"},"content":{"rendered":"

\"\"<\/p>\n

 <\/p>\n

 <\/p>\n

\n

The issuance of the Executive Regulations to Egypt\u2019s Personal Data Protection Law (Law No. 151 of 2020) marks a decisive shift from a high-level statutory framework to a fully operational regulatory regime. While much of the early commentary has focused on customer data, digital platforms, and cross-border transfers, the Regulations in fact adopt a much broader and more comprehensive approach, one that brings nearly all operating companies in Egypt within scope,\u00a0including those that believe they \u201cdo not process data\u201d in the conventional sense.<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

This article highlights the less obvious but practically significant implications\u00a0of the Executive Regulations, with particular focus on employee data, workplace surveillance, licensing philosophy, and governance obligations that many organizations may overlook.<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

A Permission-Based Data Protection Regime<\/span><\/strong><\/p>\n

 <\/p>\n<\/div>\n

\n

One of the most distinctive features of the Executive Regulations is their regulatory philosophy. Unlike post-compliance regulatory models\u00a0found in other jurisdictions, the Egyptian framework adopts a prior authorization model, whereby the legality of personal data collection and processing is conditional upon holding a license or permit\u00a0issued by the Personal Data Protection Center (the \u201c<\/span>Center<\/span>\u201d).<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

Article 2 of the Regulations makes this explicit by requiring any entity that collects personal data\u00a0to hold a controller or processor license or permit, irrespective of whether data processing is central or ancillary to its business activities.<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

This approach positions data protection alongside traditionally licensed sectors such as telecommunications and financial services. Compliance is therefore not merely reactive or remedial; it is a\u00a0<\/span>precondition for lawful operation<\/strong>.<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

Companies Without Customer Data: A False Sense of Exemption<\/span><\/strong><\/p>\n

 <\/p>\n<\/div>\n

\n

A particularly important and often misunderstood aspect of the Regulations concerns companies that do not process customer data, but instead only handle:<\/span><\/p>\n<\/div>\n

\n

 <\/p>\n

    \n
  • Employee personal data, and\/or<\/span><\/li>\n
  • Workplace CCTV footage<\/span><\/li>\n<\/ul>\n

     <\/p>\n<\/div>\n

    \n

    Many such companies assume that data protection obligations apply only to consumer-facing or digital businesses. The Executive Regulations decisively reject this assumption.<\/span><\/p>\n

     <\/p>\n<\/div>\n

    \n

    Employee Data as a Trigger for Controller Status<\/span><\/strong><\/p>\n

     <\/p>\n<\/div>\n

    \n

    Any company that retains employee data such as identification documents, payroll records, attendance logs, evaluations, or health-related information\u00a0determines the purpose and means of processing that data. As a matter of law, this renders the company a personal data controller, even if data processing is entirely internal.<\/span><\/p>\n

     <\/p>\n<\/div>\n

    \n

    The Regulations do not provide an employment or HR exemption. On the contrary, employee data is fully subject to licensing, record-keeping, security, retention, and inspection obligations. Accordingly, companies that only process employee data are still required to obtain the relevant controller license or permit,\u00a0even if they never interact with customers\u2019 personal data.<\/span><\/p>\n

     <\/p>\n<\/div>\n

    \n

    Workplace CCTV: Regulated Even Inside Private Premises<\/span><\/strong><\/p>\n

     <\/p>\n<\/div>\n

    \n

    The Executive Regulations expressly regulate visual surveillance in public places under a dedicated licensing regime. However, surveillance conducted inside private company premises such as offices, factories, or warehouses is not exempt from regulation merely because it is not public.<\/span><\/p>\n

     <\/p>\n<\/div>\n

    \n

    While internal CCTV does not trigger the special public-place surveillance license, it nonetheless constitutes the collection and processing of identifiable personal data.\u00a0As such, it falls directly within the general obligations imposed on personal data controllers.<\/span><\/p>\n

     <\/p>\n<\/div>\n

    \n

    Companies operating internal CCTV systems must therefore:<\/span><\/p>\n<\/div>\n

    \n

     <\/p>\n

      \n
    • Have a legitimate and defined purpose (e.g., security or safety);<\/span><\/li>\n
    • Inform employees and visitors of surveillance activities;<\/span><\/li>\n
    • Apply data minimization and access controls;<\/span><\/li>\n
    • Define retention periods and deletion mechanisms; and<\/span><\/li>\n
    • Avoid extensive monitoring or biometric analysis without explicit legal basis or consent.<\/span><\/li>\n<\/ul>\n

       <\/p>\n<\/div>\n

      \n

      Crucially, the presence of internal CCTV further confirms the company\u2019s status as a personal data controller, reinforcing the obligation to obtain a controller license under the Regulations.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      The Center\u2019s Expansive Supervisory Powers<\/span><\/strong><\/p>\n

       <\/p>\n<\/div>\n

      \n

      Another under-discussed feature of the Executive Regulations is the institutional role of the Center itself. Inspectors are granted judicial officer status,\u00a0with authority to access secure electronic records, conduct inspections, and verify technical and organizational safeguards.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      This elevates data protection compliance from a policy exercise to a matter of regulatory readiness. Companies must be prepared not only to comply, but to demonstrate compliance through inspectable systems and documentation.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      Digital Evidence and Internal Investigations<\/span><\/strong><\/p>\n

       <\/p>\n<\/div>\n

      \n

      The Executive Regulations also address the evidentiary status of digital evidence derived from personal data. Such evidence is accorded equal weight to written evidence only if collected, preserved, and documented in accordance with strict technical and procedural standards.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      This has direct implications for internal investigations, HR disciplinary processes, cybersecurity incidents, and disputes relying on CCTV footage, emails, or system logs. Mishandling personal data during evidence collection may result in dual exposure: inadmissible evidence and PDPL violations.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      Foreign Controllers and Extraterritorial Reach<\/span><\/strong><\/p>\n

       <\/p>\n<\/div>\n

      \n

      The Regulations impose clear obligations on foreign controllers and processors that process personal data related to individuals in Egypt. Where no local presence exists, a\u00a0<\/strong><\/span>locally accredited representative<\/span><\/strong>\u00a0must be appointed for the full duration of the license or permit.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      This reinforces the territorial reach of the PDPL and places foreign employers, service providers, and parent companies directly within the Egyptian compliance framework.<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      Why This Means\u00a0<\/span>All<\/span>\u00a0Companies Must Reassess Compliance<\/span><\/strong><\/p>\n

       <\/p>\n<\/div>\n

      \n

      Taken together, the Executive Regulations make one conclusion unavoidable:<\/span><\/p>\n

       <\/p>\n<\/div>\n

      \n

      There is no category of operating company that is \u201ctoo small,\u201d \u201ctoo internal,\u201d or \u201ctoo non-digital\u201d to fall outside the scope of Egypt\u2019s data protection regime.<\/span><\/strong><\/p><\/blockquote>\n<\/div>\n

      \n

      Any company that:<\/span><\/p>\n<\/div>\n

      \n

       <\/p>\n

        \n
      • Employs staff,<\/span><\/li>\n
      • Maintains personnel files,<\/span><\/li>\n
      • Operates CCTV systems, or<\/span><\/li>\n
      • Stores identifiable information about natural persons<\/span><\/li>\n<\/ul>\n

         <\/p>\n<\/div>\n

        \n

        is engaged in regulated personal data processing and must obtain the appropriate license or permit from the Center.<\/span><\/p>\n

         <\/p>\n<\/div>\n

        \n

        Although the Executive Regulations entered into force on the day following their publication, Article 6 of the Personal Data Protection Law grants existing entities a transitional compliance period of one year from the date of issuance of the Executive Regulations to regularize their status in accordance with the Law. During this period, companies are expected to take the necessary steps to obtain the required licenses and permits, appoint and register data protection officers, and align their internal policies, systems, and practices with the new regulatory framework.<\/span><\/p>\n

         <\/p>\n<\/div>\n

        \n

        With the introduction of the PDPL Executive Regulations and the expansion of licensing, registration, and inspection requirements, ensuring full compliance with Egypt\u2019s personal data protection framework has become a critical operational priority for businesses across all sectors. From employee data and workplace surveillance to internal records management, breach response, and regulatory licensing, the scope of compliance now extends well beyond customer-facing activities.<\/span><\/p>\n

         <\/p>\n<\/div>\n

        \n

        Eldib & Co.\u00a0is well positioned to assist clients in navigating these obligations, including advising on controller and processor licensing requirements, data protection governance structures, employee data and CCTV compliance, DPO registration and oversight, preparation of required documentation and electronic records, and engagement with the Personal Data Protection Center throughout licensing, inspection, and enforcement processes. We also provide representation and strategic support in the event of investigations, regulatory inquiries, or alleged violations.<\/span><\/p>\n

         <\/p>\n<\/div>\n

        \n

        For more information on how the PDPL Executive Regulations impact your operations, or to discuss compliance strategies tailored to your organization, please feel free to contact us to schedule a consultation.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":3430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4783","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"_links":{"self":[{"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/posts\/4783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/comments?post=4783"}],"version-history":[{"count":1,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/posts\/4783\/revisions"}],"predecessor-version":[{"id":4791,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/posts\/4783\/revisions\/4791"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/media\/3430"}],"wp:attachment":[{"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/media?parent=4783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/categories?post=4783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eldib.com\/ar\/wp-json\/wp\/v2\/tags?post=4783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}