On the 2nd of November 2021 a press release was issued by the Personal Data Protection Office (“PDPO”) of Uganda for the registration of data controllers and data processors by 31st December 2021, as required under the Uganda Data Protection and Privacy Act 2019 (“DPPA”). Following the deadline of 31st December, enforcement measures will commence from January 2022 against organisations or persons who have not registered, and who may be required to do so. Organisations will be liable to a fine of up to USHS. 120,000 or imprisonment or both. Directors and officers of an organisation are also liable to a fine or imprisonment.
This article aims to answer some of the commonly asked questions about registration under the Uganda Data Protection and Privacy Act 2019, which may also be applicable to those organisations in Kenya with concerns in Uganda.
Who is required to register?
Every Data Collector, Data Processor or Data Controller is required to register.
Who is a data collector, data processor or data controller?
The DPPA describes:
– Data Collector as a person who collects personal data.
– Data Controller means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.
– Data Processor in relation to personal data, means a person other than an employee of the data controller who processes the data on behalf of the data controller.
Who does the DPPA apply to?
The DPPA applies to a Data Collector, Data Controller or Data Processor processing personal data. Personal Data, as defined under the DPPA, is information about a person from which that person can be identified.
Is there a list of what constitutes Personal Data?
The Personal Data Protection Office of Uganda, in its guidance notes for application, has set out a non-exhaustive list of all categories of personal data. However, it is up to each applicant to ascertain the personal data it processes when completing the application. As per NITA guidance, the most common personal data identifiers include name, email address and phone numbers. There are some not-so-obvious categories of personal data, which include intelligence, preferences and attitudes.
Do we need to register if we are an organisation based outside Uganda?
Yes, if an organisation or person is processing personal data of Ugandan citizens. For example, a business located in Kenya that has employees who are citizens of Uganda, or has a subsidiary or branch located in Uganda, will fall under the ambit of the Act and will be required to register with the PDPO. Section 1 (Application) of the Uganda Data Protection and Privacy Act 2019 states that it applies to a person, institution or public body:
– collecting, processing, holding or using personal data within Uganda;
– outside Uganda who collects, processes, holds, or uses personal data relating to Ugandan citizens.
Do we need to appoint a Data Protection Officer?
Under section 47(2) of The Data Protection and Privacy Regulations 2021, organisations in certain situations are required to designate a person as the data protection officer responsible for ensuring compliance with the DPPA. As a matter of best practice, it is advisable for all organisations to seek the services of a data protection officer.
A data protection officer can be an internal person such as a Director or Manager. The services can also be outsourced externally to experienced data protection professionals. The officer does not have to be located in Uganda and can be located in Kenya.
What information do we need to submit with Form 2 and Form 3?
Form 2 requires detailed information, for example: basic details of the applicant and data protection officer; a description of the data to be collected or processed; any third parties who will have access to the personal data; the countries to which data will be transferred, with a description of the transfer; the security measures in place to safeguard the data collected; and the duration for which the data will be kept.
Form 3 – a written undertaking not to process or store personal data in a country outside Uganda unless such country has adequate measures in place for the protection of the personal data and the individuals whose data it is consent to the transfer. Organisations and persons processing personal data must ensure that any data sent outside of Uganda is disclosed to the Personal Data Protection Office.
Is there a fee for registration?
Yes. The registration fee is USHS 100,000/- (approximately US$30). The registration must be renewed each year and the renewal fee is USHS 100,000/-. The application for registration is required to be completed online via the Personal Data Protection Office.
- Advocate of the High Court of Kenya
- Solicitor of the Senior Courts of England and Wales (practicing freelance)
- Certified International Privacy Professional-Europe (CIPP/E)
- OneTrust Fellow of Privacy Technology
- Corporate Governance Professional (ICSA – UK)
- Certified Company Secretary (Kenya)
This post is intended to be of general use only and should not be relied upon without seeking expert legal advice.