Egypt’s PDPL Executive Regulations: Beyond Customers, Beyond Tech Companies

 

 

The issuance of the Executive Regulations to Egypt’s Personal Data Protection Law (Law No. 151 of 2020) marks a decisive shift from a high-level statutory framework to a fully operational regulatory regime. While much of the early commentary has focused on customer data, digital platforms, and cross-border transfers, the Regulations in fact adopt a much broader and more comprehensive approach, one that brings nearly all operating companies in Egypt within scope, including those that believe they “do not process data” in the conventional sense.

 

This article highlights the less obvious but practically significant implications of the Executive Regulations, with particular focus on employee data, workplace surveillance, licensing philosophy, and governance obligations that many organizations may overlook.

 

A Permission-Based Data Protection Regime

 

One of the most distinctive features of the Executive Regulations is their regulatory philosophy. Unlike post-compliance regulatory models found in other jurisdictions, the Egyptian framework adopts a prior authorization model, whereby the legality of personal data collection and processing is conditional upon holding a license or permit issued by the Personal Data Protection Center (the “Center”).

 

Article 2 of the Regulations makes this explicit by requiring any entity that collects personal data to hold a controller or processor license or permit, irrespective of whether data processing is central or ancillary to its business activities.

 

This approach positions data protection alongside traditionally licensed sectors such as telecommunications and financial services. Compliance is therefore not merely reactive or remedial; it is a precondition for lawful operation.

 

Companies Without Customer Data: A False Sense of Exemption

 

A particularly important and often misunderstood aspect of the Regulations concerns companies that do not process customer data, but instead only handle:

 

  • Employee personal data, and/or
  • Workplace CCTV footage

 

Many such companies assume that data protection obligations apply only to consumer-facing or digital businesses. The Executive Regulations decisively reject this assumption.

 

Employee Data as a Trigger for Controller Status

 

Any company that retains employee data such as identification documents, payroll records, attendance logs, evaluations, or health-related information determines the purpose and means of processing that data. As a matter of law, this renders the company a personal data controller, even if data processing is entirely internal.

 

The Regulations do not provide an employment or HR exemption. On the contrary, employee data is fully subject to licensing, record-keeping, security, retention, and inspection obligations. Accordingly, companies that only process employee data are still required to obtain the relevant controller license or permit, even if they never interact with customers’ personal data.

 

Workplace CCTV: Regulated Even Inside Private Premises

 

The Executive Regulations expressly regulate visual surveillance in public places under a dedicated licensing regime. However, surveillance conducted inside private company premises such as offices, factories, or warehouses is not exempt from regulation merely because it is not public.

 

While internal CCTV does not trigger the special public-place surveillance license, it nonetheless constitutes the collection and processing of identifiable personal data. As such, it falls directly within the general obligations imposed on personal data controllers.

 

Companies operating internal CCTV systems must therefore:

 

  • Have a legitimate and defined purpose (e.g., security or safety);
  • Inform employees and visitors of surveillance activities;
  • Apply data minimization and access controls;
  • Define retention periods and deletion mechanisms; and
  • Avoid extensive monitoring or biometric analysis without explicit legal basis or consent.

 

Crucially, the presence of internal CCTV further confirms the company’s status as a personal data controller, reinforcing the obligation to obtain a controller license under the Regulations.

 

The Center’s Expansive Supervisory Powers

 

Another under-discussed feature of the Executive Regulations is the institutional role of the Center itself. Inspectors are granted judicial officer status, with authority to access secure electronic records, conduct inspections, and verify technical and organizational safeguards.

 

This elevates data protection compliance from a policy exercise to a matter of regulatory readiness. Companies must be prepared not only to comply, but to demonstrate compliance through inspectable systems and documentation.

 

Digital Evidence and Internal Investigations

 

The Executive Regulations also address the evidentiary status of digital evidence derived from personal data. Such evidence is accorded equal weight to written evidence only if collected, preserved, and documented in accordance with strict technical and procedural standards.

 

This has direct implications for internal investigations, HR disciplinary processes, cybersecurity incidents, and disputes relying on CCTV footage, emails, or system logs. Mishandling personal data during evidence collection may result in dual exposure: inadmissible evidence and PDPL violations.

 

Foreign Controllers and Extraterritorial Reach

 

The Regulations impose clear obligations on foreign controllers and processors that process personal data related to individuals in Egypt. Where no local presence exists, a locally accredited representative must be appointed for the full duration of the license or permit.

 

This reinforces the territorial reach of the PDPL and places foreign employers, service providers, and parent companies directly within the Egyptian compliance framework.

 

Why This Means All Companies Must Reassess Compliance

 

Taken together, the Executive Regulations make one conclusion unavoidable:

 

There is no category of operating company that is “too small,” “too internal,” or “too non-digital” to fall within the scope of Egypt’s data protection regime.

Any company that:

 

  • Employs staff,
  • Maintains personnel files,
  • Operates CCTV systems, or
  • Stores identifiable information about natural persons

 

is engaged in regulated personal data processing and must obtain the appropriate license or permit from the Center.

 

Although the Executive Regulations entered into force on the day following their publication, Article 6 of the Personal Data Protection Law grants existing entities a transitional compliance period of one year from the date of issuance of the Executive Regulations to regularize their status in accordance with the Law. During this period, companies are expected to take the necessary steps to obtain the required licenses and permits, appoint and register data protection officers, and align their internal policies, systems, and practices with the new regulatory framework.

 

With the introduction of the PDPL Executive Regulations and the expansion of licensing, registration, and inspection requirements, ensuring full compliance with Egypt’s personal data protection framework has become a critical operational priority for businesses across all sectors. From employee data and workplace surveillance to internal records management, breach response, and regulatory licensing, the scope of compliance now extends well beyond customer-facing activities.

 

Eldib & Co. is well positioned to assist clients in navigating these obligations, including advising on controller and processor licensing requirements, data protection governance structures, employee data and CCTV compliance, DPO registration and oversight, preparation of required documentation and electronic records, and engagement with the Personal Data Protection Center throughout licensing, inspection, and enforcement processes. We also provide representation and strategic support in the event of investigations, regulatory inquiries, or alleged violations.

 

For more information on how the PDPL Executive Regulations impact your operations, or to discuss compliance strategies tailored to your organization, please feel free to contact us to schedule a consultation.
