UGANDA
DATA PROTECTION FACTSHEET
-
Population: 45,741,000
Capital: Kampala
President: Yoweri Museveni
2021 Freedom House Score: 34/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, the right to privacy is enshrined in Article 27 of the Constitution.
DPA legislation: The Data Protection and Privacy Act, 2019 (the Act) was passed on 3 March 2019, and is intended to support privacy protections already guaranteed to Ugandans under the Constitution and complement sectoral laws for regulated activities that had previously incorporated data protection provisions. Further, the Data Protection and Privacy Regulations, 2021 (the Regulations) were passed in May 2021. The Regulations create the Data Protection Office within the National Information Technology Authority, Uganda.
Under the Act, data subjects have the right to:
- access all personal data concerning them;
- prevent processing of personal data concerning them where it would cause undue damage or distress;
- prevent processing of personal data for purposes of direct marketing; and
- rectify, update, block, erase, or destroy personal data when it is inaccurate.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: No
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: No
Excludes foreign entities that only transit personal data through the country: No
-
Personal data means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to:
- the nationality, age, or marital status of the person;
- the educational level, or occupation of the person;
- an identification number, symbol or other particulars assigned to a person;
- identity data; or
- other information in the possession of, or likely to come into the possession of the data controller and includes an expression of opinion about the individual.
Special personal data, which may not be processed unless an exception applies, is personal data relating to:
- religious or philosophical beliefs;
- political opinion;
- sexual life;
- financial information; or
- health status or medical records.
-
A data collector, data processor, or data controller or any person who collects, processes, holds, or uses personal data shall:
- be accountable to the data subject for data collected, processed, held or used;
- collect and process data fairly and lawfully;
- collect, process, use or hold adequate, relevant, and not excessive or unnecessary personal data;
- retain personal data for the period authorised by law or for which the data is required;
- ensure quality of information collected, processed, used, or held;
- ensure transparency and participation of the data subject in the collection, processing, use and holding of the personal data; and
- observe security safeguards in respect of the data.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: No
Timeframe for notification is specified: No
Exceptions exist to breach notifications: Yes
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Yes
DPA report is made public: Yes
-
Explicit provision for civil liability: Yes
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: No
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Unclear
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: No
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): 10
-
Right of data subject to access a copy of their personal data: Partial
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
Processing or storage of personal data outside Uganda may occur if adequate data protection measures exist in the country where the data is processed or stored, or with data subject consent. A data controller wishing to transfer data is required to demonstrate to the Office that the country to which it will be transferred provides adequate protection or that the data subject has consented. The Office will specify which countries are deemed to provide adequate protection; otherwise, the data controller may attempt to prove that the country has adequate measures in place.
-
Provides a right not to be subject to automated decision-making: Partial
Page last updated: 24 May 2022