The Personal Data Protection Law No. 151 of 2020 (the DPL) sets out obligations on the data controller and the data processor (i.e., the cloud service provider) that will need to be reflected in the Cloud Services contract. The DPL however is not yet in force pending the making of implementing regulations. Please also note, that the DPL does not apply to entities supervised and regulated by the Central Bank of Egypt (CBE) provided the CBE's own rules are followed. Data privacy and data security regulations applicable to CBE-regulated entities are provided under Banking Law No. 194 of 2020 and relevant CBE regulations issued to date. 

Under the DPL, the contract with the cloud service provider should include provisions reflecting the following:

• An undertaking from the cloud service provider to maintain the secrecy and confidentiality of all personal data and information received in relation to customers or data subjects in the context of the services provided to the financial institution.
• An undertaking from the cloud service provider to appoint a representative in Egypt (if based outside the jurisdiction).
• Confirmation from the cloud service provider of its ability to comply with the provisions of the DPL and to allow the Data Commissioner to inspect to ensure compliance.
• An undertaking from the cloud service provider to correct any errors in data when notified.
• An undertaking by the cloud service provider to prepare a special data register which records the different types of "processing" carried out on behalf of the data controller, their contact details and those of the person in charge of protecting the data, the timeframe needed for processing, the process for deleting the data it holds and an explanation of the technical procedures available regarding maintaining the secrecy of the data.