
Navigating Consent: What Egyptian Businesses Need to Know About Data Subject Consent Under the PDPL 

Article by Tsaaro

7 min read

Introduction

PDPL refers to Egypt's Personal Data Protection Law (Law No. 151 of 2020, Arabic text), which establishes the standards governing the collection, use, disclosure and care of personal data while recognising the rights of individuals. The PDPL makes consent the primary legal basis for processing personal data in the country. The provision that establishes the express-consent requirement is Article 2, which flatly forbids the collection, processing and disclosure of personal data "except with the explicit consent of the Data Subject or where otherwise permitted by law". In day-to-day terms, Egyptian controllers and processors must obtain a clear affirmative opt-in from individuals before using their personal data, and must fall back on another legal ground, or stop processing, once consent is withdrawn or unavailable.

The PDPL does not enumerate the elements of valid consent the way the European Union's General Data Protection Regulation (GDPR) does, but it insists on explicit consent and sets out the obligations of the Controller and the Processor. Article 6 of the PDPL specifies a range of rules that controllers must follow, covering lawful processing, data minimisation, purpose limitation, storage limitation and processor obligations. These align closely with international standards such as Articles 5 and 28 of the EU GDPR, and the PDPL adds further compliance rules relating to registration and licensing requirements for controllers and processors.

The PDPL establishes the requirement to obtain consent but does not spell out a formal procedure for, or the effects of, withdrawal. In practice controllers treat a withdrawal as immediately stopping further processing, subject to any other legal basis, such as contract performance or a legal mandate, that may permit continued processing. These provisions mirror global norms: the EU GDPR also requires consent to be freely given and unambiguous and grants the right to withdraw at any time, while India's DPDP Act requires consent to be free, specific, informed, given by a clear affirmative action and revocable at any time.

Valid Consent under PDPL

The individual must take an intentional, active step to give consent, for example ticking an unchecked box or signing a form to show agreement. Implied or passive consent, such as pre-checked boxes, is not valid under the PDPL. For online processing, a consent notice should clearly list every intended processing purpose (marketing, analytics, and so on) so that the consent is specific and informed. If consent is bundled with a contract or another declaration, it should be clearly distinguishable and written in plain language, so that the individual does not unknowingly consent to data use.

In many cases, businesses will also need a mechanism for recording consent. For example, if consent is given over the phone or in person, controllers should either secure a written acknowledgement or log the verbal consent with the individual's name, the date and the context. In sectors with digital transactions, many businesses use consent management platforms or CRM systems to tag which customers have consented and to what. Firms should also provide easy opt-out options, such as unsubscribe links, wherever the data is used. In practice, systems should be designed so that a withdrawal request flows immediately to every relevant system (databases, marketing lists, data lakes) to disable processing, and so that any deletion or erasure requests are honoured as appropriate.

Withdrawing Consent and Its Limits

The PDPL explicitly recognises the right to withdraw consent; the principle is directly aligned with the EU GDPR and reflects data subject autonomy. Article 2(2) lists the right to "withdraw prior consent concerning the retention or processing" as a data subject right. This is broadly like the GDPR right to withdraw at any time and India's right to withdraw with the same ease with which consent was given. In practice, withdrawal means that the controller must stop using the individual's data going forward. Critically, as under the GDPR, withdrawing consent does not retroactively invalidate processing carried out while the consent was in force. So if a company lawfully used data under the now-withdrawn consent, it need not unwind completed transactions. However, the individual can insist that no new processing takes place and can exercise other rights, such as the rights to erasure or correction, going forward.

PDPL Article 6 explicitly provides alternative bases for processing. When consent is withdrawn, processing may continue only under one of those other conditions. For example, if a consumer withdraws consent for personal data used under a contract of sale, the seller may still lawfully keep the data to meet legal obligations such as warranties or payments under Article 6, but it may no longer use that data for unrelated purposes such as marketing or profiling. In short, once consent is withdrawn, the controller must assess whether any other legitimate justification remains; lacking one, it must delete or anonymise the data as permitted. We advise communicating this clearly to users, since withdrawing consent may affect services that rely on the data; for example, a customer might be unenrolled from a loyalty programme on revoking consent for tracking.

Sensitive Personal Data: Heightened Consent Rules

The PDPL draws a sharp line for sensitive personal data, which the law defines to include information on health, genetics, sexual life and biometrics, as well as financial data and political or religious beliefs. Article 12 requires controllers and processors to obtain a licence from the Data Protection Centre before handling any sensitive data. Beyond licensing, the PDPL demands that the data subject give explicit written consent before sensitive data can be collected or processed. In other words, verbal or implied consent is insufficient: the consent must be documented in writing, which may include a digital signature or another compliant e-signature method. An organisation that needs biometric or other sensitive data must likewise obtain explicit signed approval.

The PDPL classifies all children's data as sensitive, so any processing of a minor's data requires the consent of a parent or legal guardian. This mirrors the EU approach: the GDPR sets the default age of digital consent at 16 while allowing Member States to lower it to as low as 13, and India's DPDP Act explicitly treats anyone under 18 as a child requiring guardian consent. In practice, businesses should build an age check into their signup or data-intake forms: if the data subject is under 18, the system must route the consent request to the parent or guardian and record their approval before any processing happens.

In practice, organisations that handle sensitive personal data should:

  • Segregate such data in their systems 
  • Obtain explicit written consent for the sensitive processing purpose 
  • Apply additional safeguards 
  • Ensure a valid licence is held.

Failing to meet these conditions can be costly: Article 28 imposes imprisonment (6 months to 2 years) and heavy fines (EGP 200,000 to 2,000,000) for mishandling sensitive personal data.

Sector Considerations: Telecom and IoT

Certain industries in Egypt have special considerations under the PDPL's consent rules. Telecom operators are already bound by the Telecommunication Regulation Law No. 10 of 2003 to keep customer communications confidential. Under the PDPL, telecom companies must also secure consent for any use of customer data beyond the core service. Direct marketing is the prominent example: PDPL Article 17 forbids unsolicited electronic marketing (calls, SMS, e-mails) unless the individual has approved it and can opt out. The law lists conditions for lawful marketing: the sender must identify itself and include a valid contact address, each message must clearly state that it is marketing, and a simple opt-out must be provided. In effect, telecoms may send promotional messages only to customers who have signed up, and must record that consent. Article 18 goes further, requiring an electronic registry of marketing consents and objections to be maintained for at least three years. Practically, a telecom firm should hold a database flag for customers who opted in to marketing, a log that shows the consent timestamp, and a process that honours every unsubscribe request immediately.
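The recording, age-routing, withdrawal-propagation and registry requirements described above (for consent capture, for minors, and for the telecom marketing registry) come down to one piece of engineering: an append-only consent ledger. The sketch below is an added illustration, not code from the article or from any PDPL tooling, and it is not legal advice. The 18-year threshold, the three-year registry retention and the "written consent for sensitive purposes" rule are taken from the article; the purpose labels, channel names, sink callbacks and data shapes are assumptions made for the example.

```python
"""Consent ledger sketch: affirmative opt-in per purpose, guardian routing for
minors, written-consent check for sensitive purposes, withdrawal fan-out to
downstream systems, and an append-only registry kept for the retention period.

Added illustration only; purpose/channel labels and sink names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

AGE_OF_CONSENT = 18                              # minors route to a guardian (from the article)
REGISTRY_RETENTION = timedelta(days=3 * 365)     # Article 18: registry kept at least three years
SENSITIVE_PURPOSES = {"health", "biometrics", "financial"}   # assumed purpose labels
WRITTEN_CHANNELS = {"web_form", "signed_form", "esignature"}  # assumed channels counted as "written"


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    channel: str                     # how consent was captured (evidence)
    granted_at: datetime
    granted_by: str                  # the subject, or the guardian for a minor
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """Consent covers `when` if it was granted by then and not yet withdrawn.
        Processing done before withdrawal therefore stays covered."""
        return self.granted_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


class ConsentLedger:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._now = now                                   # injectable clock for testing
        self._records: list[ConsentRecord] = []           # append-only evidence trail
        self._sinks: list[Callable[[str, str], None]] = []  # systems notified on withdrawal

    def register_sink(self, callback: Callable[[str, str], None]) -> None:
        """Register a downstream system (marketing list, data lake...) to be told of withdrawals."""
        self._sinks.append(callback)

    def record_consent(self, subject_id: str, purpose: str, channel: str, age: int,
                       guardian_id: Optional[str] = None, opted_in: bool = True) -> ConsentRecord:
        if not opted_in:
            # A pre-checked box or silence is not consent; only an affirmative act is recorded.
            raise ValueError("consent must be an affirmative opt-in")
        if age < AGE_OF_CONSENT and guardian_id is None:
            raise PermissionError("minor: consent must be given by a parent or guardian")
        if purpose in SENSITIVE_PURPOSES and channel not in WRITTEN_CHANNELS:
            raise ValueError(f"{purpose!r} requires explicit written consent, got {channel!r}")
        rec = ConsentRecord(subject_id, purpose, channel, self._now(), guardian_id or subject_id)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str) -> bool:
        """Close every active consent for (subject, purpose) and fan the event out to all sinks.
        Returns False when there was nothing active to withdraw."""
        now = self._now()
        hit = False
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now      # record is kept, not deleted: it is the evidence
                hit = True
        if hit:
            for sink in self._sinks:
                sink(subject_id, purpose)
        return hit

    def may_process(self, subject_id: str, purpose: str, when: Optional[datetime] = None) -> bool:
        """Gate for any processing step; `when` lets an audit ask about a past date."""
        when = when or self._now()
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active_at(when)
                   for r in self._records)

    def registry(self) -> list[tuple]:
        """The electronic registry of consents and objections, oldest first."""
        return [(r.subject_id, r.purpose, r.channel, r.granted_by, r.granted_at, r.withdrawn_at)
                for r in self._records]

    def purge_expired(self) -> int:
        """Drop only withdrawn records whose withdrawal is older than the retention period;
        active consents are never purged because they still justify processing."""
        cutoff = self._now() - REGISTRY_RETENTION
        before = len(self._records)
        self._records = [r for r in self._records if r.withdrawn_at is None or r.withdrawn_at > cutoff]
        return before - len(self._records)
```

The ledger never deletes a record on withdrawal; it timestamps it, which is what lets an audit show both that processing on a past date was covered and that nothing was sent after the opt-out. The injectable clock exists so the retention logic can be exercised without waiting three years.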

Conclusion 

Egypt’s Personal Data Protection Law (PDPL) establishes explicit, informed consent as a basis for lawful data processing, aligning closely with global standards like the EU’s GDPR and India’s DPDP Act. Businesses must secure active, documented consent before collecting or using personal data, especially sensitive categories such as health, financial, or children’s data, which require written consent and special licensing. Consent must be purpose-specific, easy to withdraw, and properly recorded. Withdrawal halts processing unless another legal basis applies, underscoring the importance of clearly identifying all processing purposes upfront.

Implementing these rules poses challenges. Egyptian companies face regulatory uncertainty, complex licensing requirements, and the need to overhaul legacy systems to manage consent. Yet, failure to comply can bring steep fines and reputational risk. Violations can result in fines ranging from EGP 100,000 to EGP 1,000,000, with potential criminal penalties including imprisonment for serious breaches such as unlawful data processing or cross-border transfers without authorization. Organisations must invest in clear consent procedures, training, and system upgrades to meet their obligations under PDPL. Sector-specific actors, like telecom and IoT providers, must additionally navigate overlapping regulatory frameworks. Ultimately, robust consent management under PDPL is not just a legal necessity, but a trust-building measure in a data-driven economy. Companies that embed transparency and accountability into their data practices will be better positioned to serve customers, minimise risk, and adapt to Egypt’s evolving data governance landscape.
