What is the Data Protection and Privacy Act about?
It is a law enacted to protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; to provide for the rights of the persons whose data is collected and obligations of data collectors, data processors and data controllers and to regulate the use or disclosure of personal information.
Who is a Data Processor?
In relation to personal data, a data processor means a person, other than an employee of the data controller, who processes the data on behalf of the data controller.
What are the provisions for collecting or processing personal data?
Collecting or processing personal data as per the Data Protection and Privacy Act can be carried out under any of the following provisions:
What are the penalties for non-compliance?
Where an offence relates to infringement of a data subject’s rights or is in violation of this Act, or is established following investigations by the Authority, and such an offence is committed by a corporation, the court may, in addition to the punishment, order the corporation to pay a fine not exceeding two (2) per cent of the corporation’s annual gross turnover.
Whom does the Data Protection and Privacy Act apply to?
The Data Protection and Privacy Act, 2019 applies to a person, institution or public body –
What are the individual’s rights under this Act?
  1. Right to access personal data.
  2. Right to rectification, blocking, erasure and destruction of personal data.
  3. Right to prevent processing of personal data for direct marketing.
  4. Rights in relation to automated decision-taking.
  5. The right to be informed.
  6. Right to file a complaint against breach and non-compliance.
Do I need to appoint a Data Protection Officer?
The Act requires persons, institutions and public bodies to designate a data protection officer in the following circumstances where the core activities of the person, institution or public body consist of:
Who is a Data Controller?
A data controller means a person who, alone, jointly with other persons, in common with other persons or as a statutory duty, determines the purposes for which and the manner in which personal data is processed or is to be processed.
What classifies data as personal?
Personal data means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to –
What is a ‘data subject’?
This is the technical term for an individual from whom, or in respect of whom, personal data has been requested, collected, collated, processed or stored.
What are the obligations of a data controller?
  1. Establish a privacy governance structure, including designation of a data protection officer, as guided by the Regulations.
  2. Ensure personal data is processed lawfully and fairly.
  3. When intending to further process personal data, data controllers must first verify whether such intended processing is compatible with the purpose for which the personal data was originally collected.
  4. Data controllers should only use a data processor that provides a guarantee to implement appropriate technical and organisational measures to protect the integrity of the personal data.
  5. Embed data protection principles into the data controller’s operations.
  6. Develop and implement policies and procedures to enable data subjects to exercise their data protection rights.
  7. A data controller shall notify the Personal Data Protection Office of any data security breach immediately after becoming aware of it.
  8. Any transfer of personal data outside Uganda shall take place only under certain conditions as stipulated by the Act and the Regulations thereunder.
Are there any consequences for violation or non-compliance with the Act and the Regulations thereunder?
Breach or violation of the Act and Regulations thereunder can lead to significant costs and risks for those involved. The possible consequences include: