Generally speaking, under the Data Protection Law No. 151 of 2020 (the DPL), which does not apply to Central Bank of Egypt (CBE)-regulated entities, both the data controller and data processor can transfer personal data to another controller/processor in safe harbor countries affording the same level of protections (i.e., cross border transfer of personal data), provided a permit is obtained from the Data Commissioner, and (i) both controllers/processors agree on the nature of the services and the purpose of the personal data, or (ii) both controllers/processors have a legitimate interest in the personal data.

The cross-border transfer of personal data may be made to a country that does not afford the same level of protection if (i) the express consent of the data subject is obtained, and (ii) if it is only for limited purposes including seeking medical assistance, conducting legal proceedings, performing an agreement, fulfilling legal obligations or to transfer funds.

With respect to CBE-regulated entities, any outsourcing company hosting the data of customers of such entities must be registered with the CBE. To the best of our knowledge, the CBE does not accept the registration of outsourcing companies located outside of Egypt.