Data Protection Guide for Companies

Introduction

In July 2020, the Personal Data Protection Law No. 151 of 2020 was issued, which is the law concerned with the protection of electronically processed personal data. The law regulates the obligations and responsibilities of individuals and entities that may possess the personal data of users. However, some of these obligations and responsibilities can be considered deferred until the issuance of the executive regulations of the law, which were supposed to be issued six months after the date the law came into force, as the articles of the law referred many procedural aspects to the executive regulations, including some legal obligations related to data protection.

It is also worth noting that the delay in issuing the executive regulations of the law has caused the formation of the Data Protection Center to be suspended. The Center is responsible for issuing the necessary licenses for entities that carry out data collection, storage, and processing activities.

This guide seeks to clarify the categories addressed by the Personal Data Protection Law and to explain the obligations that are imposed once the law is issued, and the technical responsibilities associated with the executive regulations of the law that have not yet been issued. The guide also deals with the different types of licenses required to carry out data collection, processing, or storage activities, distinguishing between the different types of personal data that require different degrees of protection, as well as the activities excluded from the Personal Data Protection Law.

What is the difference between the types of licenses required to practice data processing activity? And who is responsible for issuing them?

The Data Protection Center, which has not yet been formed, is solely responsible for issuing all licenses/permits and approvals related to the activities of collecting and processing personal data.

Some activities require collecting and processing data on an ongoing basis, such as electronic marketing activities, which cannot be practiced without obtaining a permit or license to practice the activity. Some other activities require collecting and processing data temporarily or occasionally, as the activity of the company or entity is not based primarily on collecting and processing data, but the company may resort to this for various reasons, including developing the company’s activities and creating a map of those interested in the company’s products and services. The following table shows the difference between the types of licenses and who has the right to obtain them, the authorized activities, and the conditions and documents required to obtain licenses.

Some conditions and controls related to obtaining a data collection and processing license in accordance with Personal Data Protection Law No. 151 of 2020


If the difference between a permit and a license relates to the duration and the nature of the legal entity that is entitled to obtain any of them, what specific licenses/permits should be obtained?

The company or the person who processes the data can obtain a permit if the goal is to carry out a task that does not exceed a year, or a license if the company or the entity carries out data collection and processing activity on an ongoing basis. The Data Protection Center issues different types of licenses and permits, and the requirements for obtaining any of them vary according to conditions and controls to be determined by the executive regulations that have not yet been issued. The types are:

  • The license or permit to carry out data storage, handling, and processing operations in general.
  • Licenses or permits for direct electronic marketing.
  • Licenses or permits related to the processing carried out by associations, trade unions, or clubs of the personal data of the members of these bodies and within the framework of their activities.
  • Licenses or permits for visual surveillance devices in public places.
  • Licenses or permits for the control and processing of sensitive personal data.
  • Permits and accreditations for entities and individuals that allow them to provide consultations on personal data protection procedures and compliance procedures.
  • Licenses and permits for the cross-border transfer of personal data.

What are the reasons that may lead to the revocation of licenses, permits, or accreditations?

The authority issuing the license/permit/accreditation, which is the Data Protection Center, has the right to revoke the license, permit, or accreditation after its issuance in any of the following cases:

  • Violation of the terms of the license, permit or accreditation.
  • Non-payment of license, permit, or accreditation renewal fees.
  • Repeated non-compliance with the decisions of the Data Protection Center.
  • Assignment of the license, permit, or accreditation to others without the approval of the Data Protection Center.
  • Issuance of a verdict declaring the controller or processor bankrupt.

Which entities and companies are bound by the rules and procedures of the Personal Data Protection Law?

The Personal Data Protection Law applies to every person, entity, or organization that collects, processes, or possesses the personal data of natural persons. This entity can be a sole proprietorship, a capital company (company of funds), a partnership (company of persons), a club, an association, an institution, or any other legal form that practices a profession that by its nature collects, processes, or possesses personal data.


What is the nature of the data that, in case of collection, storage, or possession, requires compliance with the provisions of the Personal Data Protection Law?

The Personal Data Protection Law provides a protection umbrella for the personal data of natural persons only. Conversely, this means that the law will not apply to data that is collected, stored, or processed about legal persons, such as data of companies, institutions, civil associations, clubs, and other entities.


What is the law’s date of entry into force? And what is the relationship between the entry into force of the law and the reconciliation (compliance adjustment) period tied to the issuance of the executive regulations?

The Personal Data Protection Law entered into force three months after its promulgation, i.e., on October 13, 2020. This means that the people and entities to whom the law applies can already be held accountable if they commit punishable offenses.

However, there is a difference between the date of entry into force of the law and the deadlines for reconciliation. The law requires that reconciliation measures be taken within one year from the date of issuance of the executive regulations, which have not been issued as of this writing. This means that accountability is not yet possible for those provisions of the law that are tied to technical controls referred to the executive regulations.

For example, the Personal Data Protection Law imposes a financial penalty of not less than five hundred thousand Egyptian pounds and not more than five million Egyptian pounds if the parties addressed by the law do not abide by the controls for obtaining the necessary licenses or permits related to the activity of collecting and processing personal data. This provision is not applicable at the present time because it is directly related to the issuance of the executive regulations that include the controls and procedures related to obtaining licenses or permits, in addition to the failure to form the entity concerned with issuing these licenses, which is the Data Protection Center.

In other cases, the rules of the law can be applied directly without the need for the issuance of executive regulations, such as a penalty of imprisonment for a period of not less than three months and/or a fine of not less than five hundred thousand Egyptian pounds and not exceeding five million Egyptian pounds, for each possessor, controller, or processor who collected, made available, traded, processed, disclosed, stored, transferred, or saved sensitive personal data without the consent of the data subject or in cases other than those authorized by law.


What are the entities and activities that are excluded from applying the rules and conditions of the Personal Data Protection Law?

Some entities are completely excluded from the application of the rules and provisions of the Personal Data Protection Law, and they are listed exhaustively: the national security authorities and the Central Bank and its affiliates. The activities excluded from the provisions of the law are also listed exhaustively, as follows:

  • Personal data held by natural persons for third parties and processed for personal use. This means that natural persons’ processing of third-party data for non-personal purposes, for example, commercial purposes, does not fall within the data excluded from the application of the provisions of the law.
  • Personal data processed exclusively for informational purposes, provided that such data is true and accurate.
  • Personal data that is processed for the purpose of obtaining official statistical data or in the application of a legal text, which means that if there are some activities whose work is regulated by other laws that require them to process data, then they are exempt from compliance with the terms and conditions of the Personal Data Protection Law.

If an entity or company operates an activity exempted from the Personal Data Protection Law, does this mean that it is completely exempt from the provisions of the law?

This depends on the nature of the activities carried out by these entities. For example, if the company is processing personal data for informational purposes as well as processing other data related to advertising or commercial purposes at the same time, then the company is obliged to obtain a license/permit and comply with all provisions of the law for personal data that is processed for purposes other than the informational ones.


What are the most important rules and conditions that must be adhered to during the process of processing personal data to avoid legal accountability?

The following rules should be adhered to in order to avoid the penalties stipulated in the Personal Data Protection Law:

  • Obtain the explicit consent of individuals when collecting, processing, disclosing, or sharing their personal data.
  • Process data only for a declared and legitimate reason; the processing must be related to the licensed activity and be in accordance with the provisions of the law.
  • Carry out data processing within a specific and clear scope.
  • Notify customers of any breach or violation of their personal data.
  • Do not keep the data for a longer period than is necessary to fulfill its intended purpose.
  • Ensure the validity of the data being processed.
  • Take all necessary technical and organizational measures to protect and secure personal data and maintain its confidentiality.
  • Erase personal data as soon as the specified purpose has expired. If it is kept for any legitimate reason after the end of the purpose, it must not be kept in a form that allows the identification of the person concerned.

What requests can be made by a customer whose data is processed in accordance with the Personal Data Protection Law?

The personal data that is collected, stored, or processed does not belong to the person, company, or entity that does so, and therefore the person whose data is being processed may request the following:

  • The customer has the right to request to know, view, access or obtain their personal data.
  • The customer has the right to withdraw their prior explicit consent to keep or process their personal data.
  • The customer has the right to request the correction, amendment, deletion, addition or update of their personal data.

Can the company or entity to which the provisions of the Personal Data Protection Law apply seek the assistance of specialists to carry out the conditions and controls stipulated in the law?

The Personal Data Protection Law requires the legal representative of any controller or processor that is a juristic person to appoint, within its legal entity and functional structure, a competent officer responsible for the protection of personal data, and to register this Data Protection Officer in a register kept by the Personal Data Protection Center, which has not yet been established.

The position of Data Protection Officer was created by the Personal Data Protection Law. Its exact nature cannot be clearly ascertained in the absence of the executive regulations, but, judging by the tasks assigned to it, it naturally combines technical and administrative responsibilities.

This means that companies, entities, or legal persons are obligated to appoint a person or department concerned with the procedures and rules related to the application of the law and its implications. However, the law did not clarify whether companies could use specialists outside the company to protect data. The executive regulations that have not yet been issued may regulate the outsourcing of specialists or confirm the obligation of each company to appoint a Data Protection Officer.

In the event that the data processing activity is carried out by a natural person, then the natural person is responsible for applying the rules and procedures of the law by themselves without the need for the assistance of the Data Protection Officer.


What are the duties and responsibilities of the Data Protection Officer?

The Personal Data Protection Law requires the company or entity that processes the data to maintain a special data record. Following up on and updating this record is one of the duties of the Data Protection Officer, among others. The data record includes the following:

  • A description of the categories of personal data.
  • To whom the data will be disclosed or made available.
  • The basis, duration, restrictions, and scope of the processing.
  • Mechanisms for erasing or modifying personal data.
  • Any other data related to the cross-border transfer of such personal data.
  • A description of the technical and organizational measures for data security.

The Data Protection Officer is responsible for implementing the provisions of the law, its executive regulations, and the decisions of the Data Protection Center, monitoring and supervising the procedures in place, and receiving requests related to personal data within the framework of the company or entity. The law also stipulates specific tasks for the Data Protection Officer, namely:

  • Carrying out periodic evaluation and inspection procedures for personal data protection systems to prevent their infringement, documenting evaluation results, and issuing the necessary recommendations for their protection.
  • Serving as a direct point of contact with the Data Protection Center and implementing its decisions.
  • Enabling the data subject to exercise their rights stipulated in the Personal Data Protection Law.
  • Notifying the Data Protection Center in the event of any breach or violation of personal data.
  • Responding to requests submitted by the data subject or any relevant person, and responding to the Data Protection Center regarding grievances submitted to it.
  • Following up on the registration and updating of the controller’s personal data record or the processor’s processing operations record, to ensure the accuracy of the data and information entered therein.
  • Eliminating any violations related to personal data within the company or entity and taking corrective actions regarding them.
  • Organizing the necessary training programs for the employees of the company or entity.

What is sensitive data? And what are its types?

Sensitive personal data is a type of data of a private nature. The Personal Data Protection Law seeks to impose additional forms of protection for this type of data during the process of collecting, storing, and processing it, because its disclosure may cause serious harm to the user. The law specified the types of sensitive data exclusively, namely:

  • Data that discloses psychological, mental, physical, or genetic health.
  • Biometric data.
  • Financial data.
  • Data of religious beliefs, political opinions, or security status.
  • All data related to children.

What are the additional responsibilities related to the collection and processing of sensitive data?

There are several additional responsibilities that must be considered while collecting, storing or processing sensitive data, especially for companies and entities that provide financial, medical or child-related services in general. These responsibilities can be clarified in specific points:

  • A special license/permit must be obtained from the Data Protection Center to collect, transfer, store, save, process or make sensitive personal data available, whether the controller or processor is a natural or legal person.
  • If there is no legal provision obligating the collection or processing of data, written and explicit consent is required from the person concerned, indicating the nature of the data to be collected or processed.
  • Where children’s data is collected or processed, parental consent is required. In all cases, the child’s participation in a game, competition, or any other activity must not be conditional on providing personal data in excess of what is necessary to participate in that activity.
  • Adhere to security standards and procedures to prevent sensitive personal data from being breached or violated.

Violating the controls related to the collection, transfer, storage, retention, processing, or disclosure of sensitive personal data may result in a penalty of imprisonment for a period of no less than three months and up to three years, and/or a fine of no less than five hundred thousand Egyptian pounds and no more than five million Egyptian pounds.


How did the law define the electronic marketing activity? What are the controls for practicing this activity?

The Personal Data Protection Law defines the term electronic marketing as “sending any message, statement, or advertisement or marketing content, by any technological means, whatever its nature or form, aimed directly or indirectly at promoting goods or services, or commercial, political, social, or charitable petitions or requests directed to specific persons”. Practicing this activity requires obtaining a special license/permit, in accordance with the criteria that will be determined by the executive regulations.

The Personal Data Protection Law defines some basic controls related to the practice of electronic marketing activity, the violation of which entails legal liability, namely:

  • Obtaining consent from the data subject.
  • The communication must include the identity of its originator and sender.
  • The sender must have a correct and valid address at which they can be reached.
  • A clear indication that the purpose of the communication is direct marketing.
  • Developing clear and easy mechanisms that enable the data subject to refuse electronic communication or revoke their consent to receive it.
  • Specifying a defined marketing purpose.
  • Maintaining electronic records evidencing the data subject’s consent to receive electronic marketing communication and its amendments, or their non-objection to its continuation, for a period of three years from the date of the last communication.

Violating the terms and conditions related to electronic marketing activity may result in a fine of not less than two hundred thousand Egyptian pounds and not exceeding two million Egyptian pounds.