Egypt PDPL Regulatory Profile

This profile maps Egypt's Personal Data Protection Law (Law No. 151 of 2020) to AEEF controls, enabling organizations deploying AI products affecting Egyptian data subjects to align their AEEF implementation with Egyptian legal obligations.

Regulatory status: The Egypt PDPL was enacted in 2020. Implementing executive regulations are pending full issuance. Organizations should monitor for regulatory updates and adjust controls accordingly.

Assessment date: February 22, 2026

Status Note (Assessment-Based Profile): This document is a framework-maintained implementation profile based on publicly available sources and framework interpretation as of February 24, 2026. It is not legal advice and does not imply regulator endorsement, approval, or recognition.

Applicability

This profile applies when:

  • AI systems process personal data of individuals located in Egypt
  • The organization is established in Egypt or has processing operations in Egypt
  • AI inference services are offered to Egyptian customers or data subjects
  • Cross-border data transfers originate from Egypt

Annex Precedence and Interaction

This profile is a national annex-style overlay on top of AEEF core controls. Sector-specific requirements (for example banking, telecom, healthcare) are additive and may require regulator-specific controls beyond the PDPL mapping described here.

Egypt PDPL Overlay Control Set

| Control ID | PDPL Reference | Control Title | AEEF Mapping | Priority |
| --- | --- | --- | --- | --- |
| EG-01 | Art. 2-3 | Data Classification Alignment | Pillar 2 Data Classification | High |
| EG-02 | Art. 4-7 | Lawful Processing Basis | PRD-STD-014 | High |
| EG-03 | Art. 8-12 | Data Subject Consent | PRD-STD-014 REQ-014-18/19/20 | High |
| EG-04 | Art. 13-14 | Cross-Border Data Transfer | PRD-STD-014 REQ-014-09/10/11 | High |
| EG-05 | Art. 15-18 | Data Subject Rights | PRD-STD-014 REQ-014-15/22 | High |
| EG-06 | Art. 19-21 | Data Protection Officer | Pillar 2 Governance | Medium |
| EG-07 | Art. 22-26 | Data Breach Notification | Pillar 2 Incident Response | High |
| EG-08 | Art. 4, 38 | Automated Decision-Making | PRD-STD-014 REQ-014-22/23 | High |

EG-01: Data Classification Alignment

Egypt PDPL defines personal data broadly and includes "sensitive data" categories: health, financial, genetic, biometric, religious, political, and criminal data.

Organizations MUST map AEEF's 4-level data classification to Egypt PDPL data categories. Sensitive data processed through AI inference MUST be classified as Confidential or Restricted. AI features processing sensitive data categories MUST implement enhanced controls including explicit consent and restricted access.

EG-02: Lawful Processing Basis

Personal data processing requires a lawful basis: consent, contract performance, legal obligation, vital interest, public interest, or legitimate interest (with a balancing test).

Every AI feature processing personal data of Egyptian data subjects MUST document the lawful processing basis. When legitimate interest is relied upon, a balancing test MUST be documented comparing organizational interests against data subject rights.

EG-03: Data Subject Consent

Consent must be informed, specific, freely given, and revocable. Consent for sensitive data processing must be explicit.

AI features relying on consent MUST obtain specific consent for AI processing purposes distinct from general service consent. Consent for AI processing of sensitive data MUST be explicit and separately obtained. Consent withdrawal MUST be technically enforceable per PRD-STD-014 timelines.

EG-04: Cross-Border Data Transfer

Cross-border transfer requires adequate protection in the receiving country or specific safeguards. The Egypt Data Protection Center (when fully operational) will maintain an adequacy list.

AI inference using third-party providers outside Egypt MUST have documented transfer safeguards. Until Egypt's adequacy list is published, organizations MUST apply equivalent protections (contractual clauses, binding corporate rules). The AI data flow inventory MUST include Egypt-origin data specifically.

EG-05: Data Subject Rights

Data subjects have rights to: access, rectification, erasure, portability, restriction, and objection to processing.

AI products MUST be able to fulfill data subject rights requests for Egyptian data subjects. Right to erasure MUST be executable per PRD-STD-014 REQ-014-15/16/17 requirements. Right to access MUST include disclosure of AI processing logic per automated decision-making transparency obligations.

EG-06: Data Protection Officer

Organizations processing personal data above regulatory thresholds or processing sensitive data must appoint a DPO.

Organizations with AI products processing Egyptian personal data at scale SHOULD appoint or designate a DPO with AI governance awareness. The DPO MUST be informed of AI product features involving personal data and MUST review DPIAs for features affecting Egyptian data subjects.

EG-07: Data Breach Notification

Data breaches must be reported to the Data Protection Center within 72 hours and to affected data subjects without undue delay when the breach poses high risk.

AI-related data breaches (model data leakage, cross-tenant data exposure, inference log exposure) MUST follow the 72-hour notification requirement. Incident Response procedures MUST include Egypt-specific notification workflows. AI trust incidents that expose personal data MUST be assessed for PDPL breach notification obligations.

EG-08: Automated Decision-Making

The PDPL addresses automated processing that produces legal or significant effects, requiring transparency and the right to human intervention.

AI features making automated decisions affecting Egyptian data subjects that produce legal or significant effects MUST provide meaningful information about the logic involved. Data subjects MUST have access to human review of automated decisions. This aligns with PRD-STD-014 REQ-014-22/23.

Sectoral Considerations

Banking and Financial Services

AI products serving Egyptian financial institutions must also consider Central Bank of Egypt (CBE) cybersecurity regulations and anti-money laundering requirements.

Telecommunications

AI products processing telecommunications data must comply with National Telecommunications Regulatory Authority (NTRA) data handling requirements.

Healthcare

AI products processing health data of Egyptian data subjects are subject to enhanced sensitive data protections and may require Ministry of Health engagement.

Egypt PDPL Audit Readiness Checklist

  • Data classification mapped to Egypt PDPL categories
  • Lawful processing basis documented for each AI feature
  • Consent mechanisms implemented for AI processing
  • Cross-border transfer safeguards in place
  • Data subject rights fulfillment workflow operational
  • DPO appointed or designated (if required by threshold)
  • Breach notification procedure includes Egypt-specific workflow
  • Automated decision-making transparency and human review available
  • Sensitive data processing has enhanced controls
  • AI data flow inventory includes Egypt-origin data mapping

Coverage Limitations

  • This profile is focused on PDPL alignment and related AI data protection obligations; it does not provide a complete sovereign control annex for all Egyptian sector regulators.
  • Implementing regulation changes may materially affect control interpretation and evidence expectations.
  • Adoption of this profile does not imply cross-border recognition or regulator approval.