PDPL playbook for Egyptian marketing, CRM and growth agencies handling client data. Processor obligations, DPAs with brands, pixel ownership, audience uploads.
Usually a processor on behalf of the brand for campaign and CRM data; sometimes a joint controller if you're co-deciding the purpose. Often controller for your own agency CRM, leads and prospects.
Yes, with the brand's instruction in writing, valid consent from the underlying customers for the channel, and the platform's own data-processing terms accepted at account level.
Scraped data is still personal data under PDPL. Cold outreach without a clear lawful basis (and a frictionless opt-out) is a complaint magnet. Run lead-gen through opt-in inputs instead.
Most agencies fall under the controller/processor licensing regime in Decree 816/2025. Plan to register before enforcement starts in November 2026.
Maintain a current sub-processor list with regions. Be ready to point to encryption, access controls, and retention policies. A short trust page beats sending a different deck per RFP.