Basic obligations for companies to follow in protecting the personal data of citizens
In today's interconnected world, technological advancements have turned the globe into a small village. Smartphone users, connected to the internet, involuntarily share their personal data with known or unknown entities. While sharing personal data has its benefits, it can also lead to harm, such as data exploitation for extortion.
To address this, robust protection of personal data is crucial. The Personal Data Protection Law No. 151 of 2020, issued by the Presidency of the Arab Republic of Egypt, is a significant legislative step in safeguarding citizens' personal data. This is particularly vital due to the absence of existing regulations providing a legal framework for protecting electronically processed personal data during collection, storage, or processing.
The law imposes fundamental obligations on companies that may possess personal data of users, whether the data is held for reasons related to their business nature or for any other reason. In the case where the company is a controller under Article (4), it must adhere to necessary obligations, taking into consideration the provisions of Article No. (12). The controller is obligated to:
1. Obtain personal data or receive it from the holder or relevant authorities after the consent of the data subject, or under circumstances authorized by law.
2. Verify the accuracy, agreement, and sufficiency of the personal data for the specified purpose of collection.
3. Establish methods, procedures, and processing standards in accordance with the specified purpose unless delegated by the processor under the contract.
4. Ensure that the specified purpose of collecting personal data aligns with the purposes of processing.
5. Undertake or refrain from actions that would facilitate the availability of personal data, except in cases authorized by law.
6. Implement all technical and organizational measures and apply necessary standard criteria to protect and secure personal data, ensuring confidentiality and preventing unauthorized access, destruction, alteration, or tampering before any unlawful action.
7. Erase personal data as soon as the specified purpose is fulfilled. In cases of retaining data for any legitimate reason after the purpose is fulfilled, it should not remain in a form that allows the identification of the data subject.
8. Correct any errors in personal data promptly upon notification or awareness.
9. Maintain a record of the data, including a description of the categories of personal data held, identification of those who may access or disclose the data, its supporting documentation, the duration, restrictions, scope, mechanisms for erasing or modifying personal data, and any other data related to the transfer of such personal data across borders. Additionally, describe the technical and organizational measures related to data security.
10. Obtain a license or permit from the authority to deal with personal data.
11. The controller outside the Arab Republic of Egypt is obligated to appoint a representative in the Arab Republic of Egypt, as specified by the executive regulations.
12. Provide the necessary capabilities to prove compliance with the provisions of this law and enable the authority to inspect and supervise to ensure compliance. In the case of multiple controllers, each must comply with all obligations stated in this law, and the data subject has the right to exercise their rights against each controller individually.
The executive regulations of this law define the policies, procedures, controls, and technical standards for these provisions.
The CEO of the Personal Data Protection Authority enforces administrative penalties for any violation of the provisions of this law. The violator will be warned to cease the violation and remove its causes or effects within a specified period. If the specified period elapses without compliance with the warning, the authority's board may issue a decision imposing one of the following:
- Warning to suspend the license, permit, or accreditation partially or completely for a specified period.
- Complete or partial suspension of the license, permit, or accreditation.
- Withdrawal or partial cancellation of the license, permit, or accreditation.
- Publication of a statement of the proven violations in one or more widely circulated media at the violator's expense.