The Impact of Uganda’s Data Protection Law on Businesses

Uganda passed the Data Protection and Privacy Act, 2019 (the Act), and the Data Protection Act and Privacy Regulations, 2021 (the Regulations) were issued in May 2021 to implement it. The Act and the Regulations are intended to support the privacy protections already guaranteed to Ugandans under the Constitution of the Republic of Uganda, 1995 (the Constitution) and to complement sectoral laws for regulated activities that had previously incorporated data protection provisions.

Scope and Applicability. 

Territorial scope 

The Act's applicability to persons or entities outside Uganda is restricted to personal data relating to Ugandan citizens.   

Material scope 

The Act defines processing as any action carried out on collected data, whether through automated means or otherwise, which includes the following (Section 2 of the Act): 

  • Organizing, adapting, or altering data; 

  • Retrieving, consulting, or utilizing data; 

  • Disclosing data through transmission, dissemination, or by making it accessible in any form; and 

  • Aligning, combining, blocking, erasing, or destroying information or data. 

 Legal bases 

  1. Consent 

  2. Contract with the Data Subject 

  3. Legal Obligation 

  4. Public Interest. 

  5. Interest of the Data Subject. 

  6. Legitimate Interests of the Data Controller. 

Principles 

The Act requires data processors to: 

  • Handle and process personal data in a way that respects the privacy of the data subject; 

  • Ensure the data is complete, accurate, and up-to-date; 

  • Retain personal data only for the legally required duration or as long as necessary for its intended purpose; 

  • Process only data that is relevant to the purpose; and 

  • Implement security measures to protect the data. 

 

Controller and Processor Obligation.  

Data processing notification 

Under Section 3 of the Registration Guide (Version 1.3, December 2021), all individuals, institutions, and public bodies collecting or processing personal data must register with NITA-U for inclusion on the public Register. If data is collected or processed for multiple purposes, these must be specified in a single application. The Register is accessible to the public for inspection.  

Data transfers 

The Act permits the processing or storage of personal data outside Uganda if the receiving jurisdiction provides protection measures equivalent to those under the Act or if the data subject consents (Section 19). Consent from the data subject eliminates the requirement to ensure equivalent protection measures.  

Data processing records 

Not Applicable   

Data protection impact assessment 

When the collection or processing of personal data poses a high risk to individuals' rights and freedoms, a Data Protection Impact Assessment (DPIA) must be conducted beforehand. The DPIA should include: 

  • A detailed description of the intended processing and its purposes; 

  • An assessment of risks to personal data and measures to mitigate them; and 

  • Any additional requirements specified by the PDPO. 

The PDPO will publish a list of processing activities requiring a DPIA under Regulations 12(1) and (3).  

Data Protection Officer appointment 

Section 6 of the Act mandates institutions to appoint a Data Protection Officer (DPO) but does not specify the qualifications, duties, or responsibilities of the role.  

Data Breach notification. 

Section 23 of the Act requires that NITA-U be notified of any unauthorized data access or acquisition and of the remedial actions taken. NITA-U decides whether to inform the data subject. The Act emphasizes strong data security and regular updates to address emerging risks.

 Data Retention 

The Act does not specify a general data retention period. Still, it requires that personal data be retained only as long as necessary to fulfill the purpose for which it was collected or processed. 

 Children's data 

Section 8 of the Act and Regulation 11 require data collectors, processors, and controllers to verify the age of individuals and obtain parental or guardian consent before collecting or processing children's data.  

Special categories of personal data 

The Act prohibits the collection of special personal data often used for profiling individuals and running political advertisements. However, data collected by the Uganda Bureau of Statistics is exempt from this restriction. 

Data Subject Rights 

Data subject rights are set out in Sections 24 to 28 of the Act. These rights are:

  1. the right to access personal information; 

  2. the right to know the purpose for which the information is collected; 

  3. the right to prevent the processing of personal data; 

  4. the right to prevent processing of personal data for direct marketing purposes; and 

  5. the right not to be subjected to a decision affecting the data subject which is solely based on processing by automatic means. 

Penalties 

The Act defines several offenses to ensure compliance, including unlawful obtaining, disclosing, destroying, deleting, concealing, altering, or selling personal data. Corporations found guilty may face penalties such as up to 10 years' imprisonment for officers, fines of up to 240 currency points (UGX 4.9 million or approx. $1,330), or 2% of the corporation's gross income.