Population: 45,741,000

Capital: Kampala

President: Yoweri Museveni

2021 Freedom House Score: 34/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the right to privacy is enshrined in Article 27 of the Constitution.

DPA legislation: The Data Protection and Privacy Act, 2019 (the Act) was passed on 3 March 2019, and is intended to support privacy protections already guaranteed to Ugandans under the Constitution and complement sectoral laws for regulated activities that had previously incorporated data protection provisions.  Further, the Data Protection and Privacy Regulations, 2021 (the Regulations) were passed in May 2021.  The Regulations create the Data Protection office within the National Information Technology Authority, Uganda. 

Under the Act, data subjects have the right to:

• access all personal data concerning them;
• prevent processing of personal data concerning them where it would cause undue damage or distress;
• prevent processing of personal data for purposes of direct marketing; and
• rectify, update, block, erase, or destroy personal data when it is inaccurate.

ICCPR: Acceded

Council of Europe Convention 108: No

Council of Europe Convention 185: No

Malabo Convention: No

ECOWAS Supplementary Act on Personal Data Protection: No

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: No

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: No

Excludes foreign entities that only transit personal data through the country: No

Personal data means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to:

• the nationality, age, or marital status of the person;
• the educational level, or occupation of the person;
• an identification number, symbol or other particulars assigned to a person;
• identity data; or
• other information in the possession of, or likely to come into the possession of the data controller and includes an expression of opinion about the individual.

Unless an exception applies, special personal data may not be processed, which is personal data relating to:

• religious or philosophical beliefs;
• political opinion;
• sexual life;
• financial information; or
• health status or medical records.

A data collector, data processor, or data controller or any person who collects, processes, holds, or uses personal data shall:

• be accountable to the data subject for data collected, processed held or used;
• collect and process data fairly and lawfully;
• collect, process, use or hold adequate, relevant, and not excessive or unnecessary personal data;
• retain personal data for the period authorised by law or for which the data is required;
• ensure quality of information collected, processed, used, or held;
• ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
• observe security safeguards in respect of the data.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: No

Timeframe for notification is specified: No

Exceptions exist to breach notifications: Yes

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: Yes

DPA report is made public: Yes

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: No

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Unclear

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: Unclear

Maximum term length for members of the DPA (years): 10

Right of data subject to access a copy of their personal data: Partial

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: Yes

DPA is mandated to participate in policy formulation: Yes

Processing or storage of personal data outside Uganda may occur if adequate data protection measures exist in the country where the data is processed or stored, or with data subject consent.  A data controller wishing to transfer data is required to demonstrate to the Office that the country where it will be transferred provides adequate protection or that the data subject has consented.  The Office will specify which countries are deemed to provide adequate protection, otherwise the data controller may attempt to prove that the country has adequate measures in place.

Provides a right not to be subject to automated decision-making: Partial