Clients Alert – H.E. President Abdel Fattah El Sisi Ratified The Personal Data Protection Law
On 15 July 2020, H.E. President Abdel Fattah El Sisi approved the long-awaited Personal Data Protection Law No. 151 of 2020 (the “Law”) to regulate the personal data collection, its processing, and Electronic Marketing. In addition, it imposes obligations on companies towards these data and their role to protect such data from any misuse in violation of the Law’s provisions.
The Law will enter into force after 3 months following its publication in the Official Gazette, and it requires from companies, currently operating and conducting the data collection and processing activities, to reconcile to its new regulations within one year from the issuance date of the executive regulations, which should be issued within 6 months following the law entering into force (i.e after the lapse of 9 months from the publication date).
The Personal Data Protection Center (The “Center”) will be the regulator that will supervise, license, and apply sanctions towards anyone who will violate the Law and its executive regulations, which falls under the supervision of the Ministry of Communications and Information Technology.
The Law is issued to protect any personal data relating to an identified natural person, or one who is identifiable, directly or indirectly, by reference to data such as a name, a voice, a photograph, an identification number, an online identity identifier, or any data referring to the person’s psychological, medical, economic, cultural or social identity. In addition to any sensitive data such as which discloses the psychiatric, psychological, physiological, or genetic health, biometric or financial data, religious beliefs, political opinions, or the criminal/security standing, and, in all cases, data relating to children is considered to be sensitive data.
The Law applies to all personal data controllers and/or processors who are natural or legal persons, which due to their nature of work, have the right to obtain personal data and determine the means, purposes and criteria of keeping, processing and controlling them, and/or process personal data for its own benefit or on behalf of a controller.
For companies who are willing to communicate with their customers by any electronic means (Electronic Marketing), they should have the customer’s written consent and keep it for a reasonable period, reveal their identity, and mention the purpose of the communication.
Companies that control or process personal data must appoint a data protection officer (“DPO”). This data protection officer shall be registered in a special register to be established at the Center.
Controllers and processors must notify the Center of any breach to the personal data protection within 72 hours of such breach. In case the breach relates to public security, notification shall be made immediately to the Center. Also, the concerned individuals, whose data were breached, should be notified within 3 business days.
The Law imposes imprisonment sanctions and/or severe monetary fines on individuals and/or entities that violate its provisions.
Riad, Saleh & Partners respective team(s) is working ahead and assisting their clients in updating all their policies, forms, and systems to cope with the new Law and to comply with its provisions. We have a competent audit and compliance team who are capable of identifying risks and recommend controls in order to make sure that the companies’ business needs are legally realized.
For any inquiries, do not hesitate to contact us: