Egypt: Minister of Communications and Information Technology adopted Executive Regulations of the Personal Data Protection Law (Decision No. 816 of 2025) including operational license requirement

On 1 November 2025, the Minister of Communications and Information Technology adopted the Executive Regulations of the Personal Data Protection Law issued by Law No. 151 of 2020 through Ministerial Decision No. 816 of 2025. The Executive Regulations establish a framework for the classification, authorisation, licensing, registration, and accreditation of data controllers, personal data processors, platforms, and related activities under the supervision of the Personal Data Protection Center (PDPC). They require prior permission or authorisation for controller and processor activities and prohibit deviation from the authorised purpose. They set detailed annual licence fee schedules based on the number of managed personal data records, exempting activities involving 1 to 100 thousand records and applying graduated fees above this threshold, with increasing tiers for data volumes up to 5 million records and a maximum statutory fee of EGP 666’666 for data volumes exceeding that level. Reduced fees apply where licensing covers only controller or processor functions. Separate fixed annual licence fees apply to Associations, Unions, and Clubs. The Executive Regulations also establish time-limited permits of up to three years with permit fees linked to data volume and permit duration, including exemptions for small-scale processing. They define conditions, documentation, and electronic procedures for authorisation and licensing of voluntary persons and natural persons, including requirements on data retention periods, security measures, electronic records, and appointment of a personal data protection official. They regulate authorisation and licensing for cross-border data transfers, including purpose specification, data categories, retention periods, safeguards, and PDPC review within 90 days, with fees set at 50% of the applicable controller or processor authorisation fee. They establish authorisation regimes and percentage-based fees for direct electronic marketing, authorisation and fixed fees for the use of surveillance means in public places, and accreditation requirements and fees for providing personal data protection consultancy services.