30th of May, 2018
How the European Union’s New Data Protection Regulation affects your business in Egypt
By: Basma Seif
Here’s how the European General Data Protection Regulation (GDPR) affects companies in Egypt, starting from tomorrow when it goes into effect. It set out the rules for collecting personal information from individuals. The GDPR applies to all companies outside the EU, as long as they collect personal data in the context of offering goods or services to people located in the EU, or if the collected data is about the behavior of individuals located in the EU. We note that the GDPR refers to persons “in” the EU, regardless of their nationality or the place where they usually live.
This means that any personal information you may have collected for future marketing purposes may be subject to the GDPR if the marketing happens when that person was located in the EU. Likewise, if your company has a website with cookies (files that allow you to collect personal information relating to the users of your website), then you must watch out as you never know where the user may be based.
In brief, what the GDPR regulates is mainly the collection, storage, transfer, and usage of any information relating to natural persons. This includes the name, location data, online identifier or cultural traits of that natural person, as long as such information may lead to identifying the concerned person.
Fines are massive and can find their way to Egypt. In certain cases, fines can reach up to EUR 20 million or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher. Administrative fines are imposed by the competent European supervisory authority. Claims for compensation may be also lodged before EU courts. The GDPR additionally requires all EU States to enforce their international cooperation mechanism to ensure cross-border enforcement where necessary — these mechanisms are already in place between Egypt and a number of EU countries.
But you’re not in the crosshairs — not yet, at least. The EU might not apply the extra-territorial effect of the GDPR aggressively on small and medium-sized non-EU companies, at least at the early stages. Instead, we expect it to start by targeting large global companies, such as Facebook and Google. It might also focus on substantial leakages of personal data that result in actual damages. So if this is the first time you hear about the GDPR, don’t panic — but don’t ignore it, either. You still need to comply.
What you can do now? If your company collects personal information about people outside Egypt, make sure that the concerned persons know who you are, the type of information that you are collecting, and why. For instance:
- If your company sends out newsletters, send an email to your list of addressees to seek their consent, with a link directing them to more details on your privacy policy. Remove from your list those who do not agree to receive the newsletters;
- If your website uses cookies, install a pop-up on your website that notifies the user that these cookies exist;
- If someone requests to correct or delete their data, make sure you comply;
- If you do not have a privacy policy, set up one that is clear and easy to understand;
- If you outsource service providers who collect personal data on your behalf, discuss GDPR compliance with them;
- Also, depending on the nature and amount of personal data that you collect, you may need to designate a representative in the EU.
For your background, Egypt does not have a generic data protection law, although various regulations include privacy and secrecy regulations that apply in specific situations. The Egyptian Constitution of 2014 sanctifies private life. It also provides for the secrecy of emails, phone calls, and other means of communication and prohibits their monitoring and confiscation without a prior court order and for a limited period. However, it remains to be seen how and whether Egypt will be taking effective steps towards further protection of data protection, especially in light of the new draft law against crimes using technical means, which is currently being drafted.
Want more? Visit these links (here and here, both pdfs) for more practical insights on the GDPR.
This means that any personal information you may have collected for future marketing purposes may be subject to the GDPR if the marketing happens when that person was located in the EU. Likewise, if your company has a website with cookies (files that allow you to collect personal information relating to the users of your website), then you must watch out as you never know where the user may be based.
In brief, what the GDPR regulates is mainly the collection, storage, transfer, and usage of any information relating to natural persons. This includes the name, location data, online identifier or cultural traits of that natural person, as long as such information may lead to identifying the concerned person.
Fines are massive and can find their way to Egypt. In certain cases, fines can reach up to EUR 20 million or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher. Administrative fines are imposed by the competent European supervisory authority. Claims for compensation may be also lodged before EU courts. The GDPR additionally requires all EU States to enforce their international cooperation mechanism to ensure cross-border enforcement where necessary — these mechanisms are already in place between Egypt and a number of EU countries.
But you’re not in the crosshairs — not yet, at least. The EU might not apply the extra-territorial effect of the GDPR aggressively on small and medium-sized non-EU companies, at least at the early stages. Instead, we expect it to start by targeting large global companies, such as Facebook and Google. It might also focus on substantial leakages of personal data that result in actual damages. So if this is the first time you hear about the GDPR, don’t panic — but don’t ignore it, either. You still need to comply.
What you can do now? If your company collects personal information about people outside Egypt, make sure that the concerned persons know who you are, the type of information that you are collecting, and why. For instance:
- If your company sends out newsletters, send an email to your list of addressees to seek their consent, with a link directing them to more details on your privacy policy. Remove from your list those who do not agree to receive the newsletters;
- If your website uses cookies, install a pop-up on your website that notifies the user that these cookies exist;
- If someone requests to correct or delete their data, make sure you comply;
- If you do not have a privacy policy, set up one that is clear and easy to understand;
- If you outsource service providers who collect personal data on your behalf, discuss GDPR compliance with them;
- Also, depending on the nature and amount of personal data that you collect, you may need to designate a representative in the EU.
For your background, Egypt does not have a generic data protection law, although various regulations include privacy and secrecy regulations that apply in specific situations. The Egyptian Constitution of 2014 sanctifies private life. It also provides for the secrecy of emails, phone calls, and other means of communication and prohibits their monitoring and confiscation without a prior court order and for a limited period. However, it remains to be seen how and whether Egypt will be taking effective steps towards further protection of data protection, especially in light of the new draft law against crimes using technical means, which is currently being drafted.
Want more? Visit these links (here and here, both pdfs) for more practical insights on the GDPR.
How the European Union’s New Data Protection Regulation affects your business in Egypt
30th May, 2018
By: Basma Seif
Here’s how the European General Data Protection Regulation (GDPR) affects companies in Egypt, starting from tomorrow when it goes into effect. It set out the rules for collecting personal information from individuals. The GDPR applies to all companies outside the EU, as long as they collect personal data in the context of offering goods or services to people located in the EU, or if the collected data is about the behavior of individuals located in the EU. We note that the GDPR refers to persons “in” the EU, regardless of their nationality or the place where they usually live.
This means that any personal information you may have collected for future marketing purposes may be subject to the GDPR if the marketing happens when that person was located in the EU. Likewise, if your company has a website with cookies (files that allow you to collect personal information relating to the users of your website), then you must watch out as you never know where the user may be based.
In brief, what the GDPR regulates is mainly the collection, storage, transfer, and usage of any information relating to natural persons. This includes the name, location data, online identifier or cultural traits of that natural person, as long as such information may lead to identifying the concerned person.
Fines are massive and can find their way to Egypt. In certain cases, fines can reach up to EUR 20 million or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher. Administrative fines are imposed by the competent European supervisory authority. Claims for compensation may be also lodged before EU courts. The GDPR additionally requires all EU States to enforce their international cooperation mechanism to ensure cross-border enforcement where necessary — these mechanisms are already in place between Egypt and a number of EU countries.
But you’re not in the crosshairs — not yet, at least. The EU might not apply the extra-territorial effect of the GDPR aggressively on small and medium-sized non-EU companies, at least at the early stages. Instead, we expect it to start by targeting large global companies, such as Facebook and Google. It might also focus on substantial leakages of personal data that result in actual damages. So if this is the first time you hear about the GDPR, don’t panic — but don’t ignore it, either. You still need to comply.
What you can do now? If your company collects personal information about people outside Egypt, make sure that the concerned persons know who you are, the type of information that you are collecting, and why. For instance:
- If your company sends out newsletters, send an email to your list of addressees to seek their consent, with a link directing them to more details on your privacy policy. Remove from your list those who do not agree to receive the newsletters;
- If your website uses cookies, install a pop-up on your website that notifies the user that these cookies exist;
- If someone requests to correct or delete their data, make sure you comply;
- If you do not have a privacy policy, set up one that is clear and easy to understand;
- If you outsource service providers who collect personal data on your behalf, discuss GDPR compliance with them;
- Also, depending on the nature and amount of personal data that you collect, you may need to designate a representative in the EU.
For your background, Egypt does not have a generic data protection law, although various regulations include privacy and secrecy regulations that apply in specific situations. The Egyptian Constitution of 2014 sanctifies private life. It also provides for the secrecy of emails, phone calls, and other means of communication and prohibits their monitoring and confiscation without a prior court order and for a limited period. However, it remains to be seen how and whether Egypt will be taking effective steps towards further protection of data protection, especially in light of the new draft law against crimes using technical means, which is currently being drafted.
Want more? Visit these links (here and here, both pdfs) for more practical insights on the GDPR.
This means that any personal information you may have collected for future marketing purposes may be subject to the GDPR if the marketing happens when that person was located in the EU. Likewise, if your company has a website with cookies (files that allow you to collect personal information relating to the users of your website), then you must watch out as you never know where the user may be based.
In brief, what the GDPR regulates is mainly the collection, storage, transfer, and usage of any information relating to natural persons. This includes the name, location data, online identifier or cultural traits of that natural person, as long as such information may lead to identifying the concerned person.
Fines are massive and can find their way to Egypt. In certain cases, fines can reach up to EUR 20 million or 4% of the company’s total worldwide annual turnover of the preceding financial year, whichever is higher. Administrative fines are imposed by the competent European supervisory authority. Claims for compensation may be also lodged before EU courts. The GDPR additionally requires all EU States to enforce their international cooperation mechanism to ensure cross-border enforcement where necessary — these mechanisms are already in place between Egypt and a number of EU countries.
But you’re not in the crosshairs — not yet, at least. The EU might not apply the extra-territorial effect of the GDPR aggressively on small and medium-sized non-EU companies, at least at the early stages. Instead, we expect it to start by targeting large global companies, such as Facebook and Google. It might also focus on substantial leakages of personal data that result in actual damages. So if this is the first time you hear about the GDPR, don’t panic — but don’t ignore it, either. You still need to comply.
What you can do now? If your company collects personal information about people outside Egypt, make sure that the concerned persons know who you are, the type of information that you are collecting, and why. For instance:
- If your company sends out newsletters, send an email to your list of addressees to seek their consent, with a link directing them to more details on your privacy policy. Remove from your list those who do not agree to receive the newsletters;
- If your website uses cookies, install a pop-up on your website that notifies the user that these cookies exist;
- If someone requests to correct or delete their data, make sure you comply;
- If you do not have a privacy policy, set up one that is clear and easy to understand;
- If you outsource service providers who collect personal data on your behalf, discuss GDPR compliance with them;
- Also, depending on the nature and amount of personal data that you collect, you may need to designate a representative in the EU.
For your background, Egypt does not have a generic data protection law, although various regulations include privacy and secrecy regulations that apply in specific situations. The Egyptian Constitution of 2014 sanctifies private life. It also provides for the secrecy of emails, phone calls, and other means of communication and prohibits their monitoring and confiscation without a prior court order and for a limited period. However, it remains to be seen how and whether Egypt will be taking effective steps towards further protection of data protection, especially in light of the new draft law against crimes using technical means, which is currently being drafted.
Want more? Visit these links (here and here, both pdfs) for more practical insights on the GDPR.
Insights
Sharkawy & Sarhan IFLR1000 Middle East Rankings 2024
Sharkawy & Sarhan 2024 Promotions!
Sharkawy & Sarhan is shortlisted by Chambers & Partners for two Awards
Disclaimer
The information included in this publication/client alert is not legal advice or any other advice. Publications and client alerts on this site are current as of their date of publication and do not necessarily reflect the present law or regulations. Please feel free to contact us should you need any legal advice related to the publication/client alert. Sharkawy & Sarhan (the “Firm”) will not be held liable for any compensatory, special, direct, incidental, indirect, or consequential damages, exemplary damages or any damages whatsoever arising out of or in connection with the use of the data, information or material included in this publication/client alert. This publication/client alert may contain links to third-party websites that are not controlled by the Firm. These third-party links are made available to you as a convenience and you agree to use these links at your own risk. Please be aware that the Firm is not responsible for the content or services offered by and of third-party websites, links as included in the Newsletter nor are we responsible for the privacy policy or practices of third-party websites links included therein.
Authorization of Use
The data, information, and material included in this publication/client alert are solely owned by the Firm. All rights related are reserved under the laws of the Arab Republic of Egypt. No part of this publication/client alert can be redistributed, copied, or reproduced without the prior written consent of the Firm.