PDPL compliance playbook for Egyptian fintech and payment apps. Cross-border KYC, biometric onboarding, fraud screening, CBE × Law 151/2020 alignment.
Yes. PDPL applies based on where the data subject is, not where the data sits. Egyptian customers' data falls under Law 151/2020 even if your processing happens on AWS Frankfurt or GCP Belgium.
They are additive. CBE governs financial conduct and record retention; PDPL governs personal data. Where they conflict, the stricter rule generally applies — and PDPL's data minimisation can usually be reconciled with CBE retention by documenting the longer retention as a legal obligation.
Yes, with a documented legal basis (Article 14), a PDPL-aligned DPA, a record of the transfer in your ROPA, and — for sensitive data like biometrics — explicit, separate consent or PDPC authorisation.
Enforcement begins November 1, 2026, under Executive Regulations Decree 816/2025. Penalties range from EGP 100,000 to EGP 5,000,000 per violation, with criminal liability for severe breaches.
Most fintechs do. Article 8 of the Executive Regulations triggers a mandatory DPO when you process sensitive data at scale or do systematic monitoring — both of which describe a typical fintech.