Egypt's Personal Data Protection Law (PDPL)
The Trust Challenge

Key obligations and consequences

Applicability

  • Article 1 states that the Law applies solely to personal data that has been electronically processed, whether partially or entirely; data held exclusively in physical form is therefore not regulated.
  • Article 3 outlines a number of important exceptions to the Law, such as data processed by a natural person for personal use; data used for informational purposes, provided it is true and accurate and used only for that purpose; and personal data held by the Central Bank of Egypt or any of the entities subject to its purview.

Data Controller Obligations
Under Article 4

  • Collect Personal Data with the Data Subject’s consent or legal basis.
  • Ensure data is accurate, sufficient, and relevant to its purpose.
  • Define processing methods unless delegated in writing to a Processor.
  • Ensure data is collected only for a specific, valid purpose.
  • Do not disclose data unless legally allowed.
  • Apply technical and legal safeguards to protect data and ensure confidentiality.
  • Delete data after its purpose is fulfilled, or anonymize if retained legally.
  • Correct data errors immediately when known.
  • Keep records of data categories, disclosures, retention, deletion, and security measures.
  • Obtain a license/permit from the Data Protection Center.
  • Appoint a local representative if based outside Egypt.
  • Demonstrate compliance and allow inspections by the Center.

Each Controller is individually responsible, and Data Subjects may exercise their rights with any Controller.

Data Processor Obligations
Under Article 5

  • Process data in accordance with the law, based on written instructions from the Center, the Controller, or other relevant parties.
  • Ensure the purpose is lawful and does not violate public order or morals.
  • Limit Processing to the intended purpose and duration; notify relevant parties of the timeframe.
  • Delete or return data after Processing ends.
  • Do not disclose data or results unless legally permitted.
  • Avoid Processing that conflicts with the Controller's purpose, unless for non-profit statistical/educational use.
  • Secure Processing activities, systems, and data.
  • Avoid harming Data Subjects.
  • Maintain a Processing record detailing scope, contact info, duration, security measures, and more.
  • Demonstrate compliance when requested and allow inspections by the Center.
  • Obtain a license/permit from the Center.
  • Appoint a local representative if based outside Egypt.

Each Processor must comply with these obligations unless roles and responsibilities are clearly defined by agreement.

Obligation to Notify and Inform
Under Article 7

Each of the Controller and the Processor, as the case may be, shall notify the Center of any Personal Data Infringement within seventy-two (72) hours of such infringement. Where the infringement relates to national security concerns, the notification shall be immediate. In all events, the Center shall immediately notify the National Security Authorities of the infringement and provide them, within seventy-two (72) hours of becoming aware of the infringement, with the following:

  • a description of the nature of the infringement, its form and causes, and the approximate number of Personal Data records affected;
  • the contact details of the Data Protection Officer;
  • the potential consequences of the infringement;
  • a description of the procedures already followed and of those proposed in order to minimize the negative impacts of the infringement;
  • evidence that the Personal Data Infringement has been documented and of the corrective actions taken to remedy it; and
  • any documents, information or data requested by the Center.

In all events, the Controller or Processor, as the case may be, shall notify the Data Subject of the infringement and of the procedures adopted in response within three (3) days from the date of notifying the Center.

Key Challenges in brief

Data Subject Rights
The Data Subjects shall have the following rights:

1) to know, review and access/obtain his/her own Personal Data, which is in the possession of any Holder, Controller or Processor;

2) to withdraw the prior consent concerning the retention or Processing of his/her Personal Data;

3) to correct, edit, delete, add or update his/her Personal Data;

4) to limit the Processing to a specified purpose;

5) to be notified of any infringement of his/her Personal Data; and

6) to object to the Processing of Personal Data or its results whenever the same contradicts the Data Subject’s fundamental rights and freedom.

Cross-Border Personal Data Transfer
Under Article 14

The transfer of Personal Data collected or prepared for Processing to a foreign country, or its storage or sharing there, may only be undertaken if the level of data protection or security in the foreign country meets (or exceeds) the requirements stipulated under this Law, and subject to obtaining the relevant License or Permit from the Center.

Data Protection Officer Appointment
Under Article 8

1) The Center shall establish a register of Data Protection Officers. The Executive Regulations shall determine the conditions, procedures and mechanisms of registration.

2) The legal representative of the juristic person, for any Controller or Processor, shall appoint a competent employee from within its legal entity and personnel structure to be responsible for the protection of Personal Data. That employee shall be entered in the register of Data Protection Officers at the Center, and the appointment shall be announced.

3) A Controller or Processor who is a natural person shall be the one in charge of applying the provisions of this Law.

Consent Management

Under Article 2
Personal Data may not be collected, Processed, disclosed, or revealed by any means except with the explicit consent of the Data Subject or where otherwise permitted by law.

Under Article 4
After obtaining the Data Subject's consent, or where otherwise permitted by law, Personal Data may be obtained or received from the Holder or from the competent entities providing such data, as applicable.

Under Article 6
The consent of the Data Subject is required for electronic processing to be considered legitimate and lawful, provided it was given for achieving a specific purpose.

Under Article 12
Except in the cases authorized by law, the Controller or Processor must obtain the explicit written consent of the Data Subject.

Under Article 17
Clear and uncomplicated mechanisms shall be set up to allow the Data Subject to opt out or withdraw his/her consent.

Data Breach Notification

1) Notify the Center: within 72 hours, by the Controller/Processor; immediately if national security is involved.

2) Notify the Data Subject: within 3 days after notifying the Center, including details of the breach and the actions taken.

3) Automate breach detection and response processes.

4) Notify the national security authorities immediately if the breach has national security implications.

Data Collection and Processing
Under Article 3

1) Personal Data shall be collected for purposes that are legitimate, specific, and transparent to the Data Subject.

2) Personal Data shall be correct, valid, and secured.

3) Personal Data shall be processed in a legitimate manner and in compliance with the purposes for which it was collected.

4) Personal Data shall not be retained for longer than is necessary to fulfil the purpose for which it was collected.

Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs) aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire "data footprint", enabling them to protect what matters most.

Third-party Privacy Intelligence (monitors third-party sharing): Often there are silos between entities, or between business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your data sharing, so that you can act on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using Machine Learning to find excess data, including personal data. This eliminates operational inefficiencies and saves cost by removing unwanted data, along with the legal cost of holding it with respect to regulatory compliance.

Right to Erasure with Assured Deletion: TurtleShield (Right to Erasure) gives businesses the capabilities to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enable Data Subject rights with cost savings and compliance in totality: Search capability across large datasets fulfills data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using Machine Learning and AI, we crawl across data sources and predict where PII can exist.

Consent Management: TurtleShield CM (Consent Management) is the solution designed to help enable consent compliance within your organization. Enabling consent compliance involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. TurtleShield CM also enables consent management in 22 regional languages.

Data Breach Management: TurtleShield DBM (Data Breach Management) helps organizations efficiently verify, assess, contain, manage and respond to data breaches, including notifying affected individuals and regulatory bodies as required by law. TurtleShield DBM streamlines the data breach management process, handles stakeholder management and accelerates breach response, enabling organizations to notify regulators and stakeholders within the required timeframe.
