Policies & Legal

The following policies govern your use of the BUE Service Desk. They are designed to comply with the laws of the Arab Republic of Egypt (including Personal Data Protection Law No. 151 of 2020) and the United Kingdom (UK GDPR and the Data Protection Act 2018), reflecting the dual regulatory context of The British University in Egypt.

Data Protection Policy

Effective date: 11/05/2026

This policy explains how BUE complies with its data protection obligations across two regulatory frameworks: Egypt’s Personal Data Protection Law No. 151 of 2020 (PDPL) and its executive regulations, and the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Principles

BUE processes personal data in line with the following principles, common to both regimes:

  • Lawfulness, fairness and transparency.
  • Purpose limitation — collected for specified, explicit and legitimate purposes.
  • Data minimisation — adequate, relevant and limited to what is necessary.
  • Accuracy — kept up to date; inaccurate data corrected without delay.
  • Storage limitation — kept for no longer than necessary.
  • Integrity and confidentiality — appropriate security at all times.
  • Accountability — we can demonstrate compliance.

2. Lawful bases

We process personal data on one or more of the following lawful bases: performance of a contract, compliance with a legal obligation, legitimate interests, public interest, vital interests, or the data subject’s consent. Sensitive categories require an additional condition and, under the PDPL, a licence from the Personal Data Protection Centre.

3. Roles & responsibilities

  • Controller: The British University in Egypt.
  • Data Protection Officer (DPO): appointed under Article 8 PDPL and Article 37 UK GDPR — dpo@bue.edu.eg.
  • Processors: engaged under written contracts that mirror Article 28 UK GDPR and Articles 4–6 PDPL Executive Regulations.

4. Data subject rights

Both regimes guarantee the rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. Requests are handled by the DPO within 30 days (UK GDPR) and within the periods set by the PDPL.

5. International transfers

Cross-border transfers from Egypt are conducted in accordance with Articles 14–16 PDPL (adequate level of protection or a licence from the Centre, plus, where applicable, the explicit consent of the data subject). Transfers from the UK rely on UK adequacy regulations, the UK IDTA or the UK Addendum to the EU SCCs.

6. Records of processing & impact assessments

We maintain a Record of Processing Activities (ROPA) and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing in line with Article 35 UK GDPR.

7. Personal data breach

Breaches are managed under our incident response procedure. We notify the Egyptian Personal Data Protection Centre within 72 hours where required by the PDPL, and the UK ICO within 72 hours under UK GDPR. Affected data subjects are informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

8. Complaints

  • Egypt — Personal Data Protection Centre (Ministry of Communications & IT).
  • UK — Information Commissioner’s Office, ico.org.uk.