Data Protection & Startups (GDPR & Egyptian Law)

The issuance of the General Data Protection Regulations (“GDPR”) and Egyptian Data Protection Law No. 151 of 2020 (“EDPL”) means that startups must adhere to a new set of legal requirements concerning their data, or they will be subject to severe penalties. Here are the main issues under both the GDPR and the EDPL that matter the most to startups operating in Egypt and the wider MENA Region.

When do Startups clash with data protection laws?

Data protection laws are applied to personal data that could, directly or indirectly, identify a natural person (a “Data Subject”) when they are electronically processed by service providers. These data include name, voice, IP addresses, photos, or any indicators of a Data Subject’s social, cultural, or psychological identity (all together referred to below as “Personal Data”).

The most common example of Personal Data that is subject to data protection laws is the data remitted by Data Subjects to acquire services via mobile applications such as food delivery services, online purchases, online reservations, and similar services. A service provider becomes bound by data-protection laws when it undertakes one of the following three (3) roles:

1. Processing Personal Data; or
2. Controlling Personal Data; or
3. Being a holder of Personal Data.

What is the difference between processing, controlling, and holding Personal Data? Is there a material difference between the three (3) roles from the perspectives of both the EDPL and the GDPR?

As stated above, the EDPL was largely built upon the GDPR, rendering very few non-material differences between the two legislations, if any at all. However, it should be noted that the executive regulations of the EDPL, which is expected to detail many aspects regarding the EDPL’s application, are still to be issued. Accordingly, the three (3) core operations relevant under both the GDPR and the EDPL are defined as follows:

Processor:

Any natural or juristic person (i.e., company) who, by virtue of the nature of his activities, processes Personal Data for his benefit or for the benefit of a data controller (as defined below).

Controller:

Any natural or juristic person (i.e., company) who, by virtue of the nature of his activities, has the right to obtain Personal Data and to specify the method and criteria of retaining, processing, or controlling such data in line with the purpose of their activities.

Holder:

Any natural or juristic person (i.e., company) who is legally or factually holding and retaining Personal Data in any manner, or by any means of storage, regardless of whether that person have initially held the data or it was transferred to them.

For example, if a Data Subject submits his/her information to a food delivery mobile application, then the mobile application operator will be considered as a Controller, thus required to set the parameters of how the data is transmitted and kept. This means that if the data is electronically processed by the startup to record the type of food and to instruct the competent driver to deliver the food, then the startup will be considered as a Processor as well. In all cases, a startup will always be considered as a Data Holder for as long as the data is stored within its own database.

What are the core obligations of the startup under both the EDPL and the GDPR?

As stated above, the EDPL was largely built upon the GDPR. With that being said, the most important obligations imposed by both instruments are related to the due diligence required for undertaking any of the three roles, as follows:

1. Written Consent: The first obligation is obtaining the Data Subject’s written consent. Almost all transactions that require data processing and controlling require that a Data Subject agrees to them under the EDPL and the GDPR. Moreover, this consent must extend to any cross-border processing of Personal Data.
2. Data Security & Right to be Forgotten: The second obligation is to exert the best efforts to maintain the security of data and keep the Data Subject in full control over their data. Meaning that the Data Subjects must be able to retrieve, alter or delete their data from a service provider’s database at any given time. This is usually known as the right to be forgotten. Moreover, the processor and data controllers are bound to destroy the data once it is no longer required for processing. It must be noted that both the EDPL and the GDPR require such obligations.
3. Having a Processing Agreement in Place: The third obligation is that a processor who processes data on behalf of a Controller must have a binding instrument (i.e., contract) with the Controller that states the following conditions:
   • The processing will only happen upon documented instructions from the Controller;
   • The Processor will ensure that the persons authorized to process the Personal Data will maintain the confidentiality of such data;
   • The Processor is offering a minimum security level as defined by the Controller;
   • The Processor must assist in ensuring compliance with the law (i.e., GDPR and/or EDPL).
   • When it comes to the Controller-Processor relationship, the Controller must have a legal instrument (i.e., contract) that details the instructions by which the processor undertakes to process its data; and
   • The instrument must detail the guarantees that the Processor will provide to ensure the Controller’s desired level of security and control over the data in question.
4. Appointing a Data Protection Officer: The last obligation is the appointment of a Data Protection Officer (“DPO”) by the Processor. The DPO, under both the EDPL and the GDPR, is responsible for maintaining regular checks on data security, notifying the competent authorities with data breaches, handling all claims and incidents of a data breach inside its respective service provider’s organization, and notifying the authorities of any breach within 72 hours of its occurrence.
5. Licensing under the EDPL: It must be noted that the EDPL imposes an obligation upon the service provider to obtain a license, authorization, or permit to perform its activities. The EDPL is not clear on which document the service provider must obtain as this is left to its executive regulations which are yet to be issued at the time of this publication.

When does the startup become required to comply with the GDPR?

As a service provider in Egypt, if your data processing and controlling involve the data of EU citizens and/or EU businesses whether inside or outside the EU territory, through the offering of goods/services or monitoring the behavior of individuals in the EU territory, then your startup must then comply with the provisions of the GDPR. Advice on the GDPR extra obligations must be sought from a licensed EU lawyer specialized in such an area of exertise.