PERSONAL DATA PROTECTION OFFICE (PDPO)

PRIVACY NOTICE
Created: April 2021
Version: 1.1
  1. What is in this Privacy Notice?

    This Privacy Notice tells you what personal data we shall collect about you when you interact with us through use of our website, how we shall use that data, and what data of yours we shall share with others.

  2. Who is the data controller for the personal data collected and processed?

    The Personal Data Protection Office is the controller for the personal data we collect and process. To contact us about your personal data rights, or with any other questions or comments about this Privacy Notice, speak to our Data Protection Officer by:

    1. E-mail: dpo@dataprotection.go.ug
    2. Address: Plot 7A, Rotary Avenue, Rotary Avenue
    3. Telephone: +256 417 801 038
  3. What personal data does the Personal Data Protection Office collect about me?

    Here is the type of personal data we collect directly from you:

    1. Basic personal information, such as a data subject’s and a Data Protection Officer’s name and physical address;
    2. Details of other duties a Data Protection Officer has in an institution;
    3. Contact information, such as a data subject’s or a Data Protection Officer’s postal address, e-mail address and phone number(s);
    4. Persons whom applicants for registration may disclose personal data to in the course of their business; and
    5. Any other personal data that is provided to the Personal Data Protection Office during the course of the performance of its functions.

    We also receive personal data indirectly, in the following scenarios:

    1. We have contacted an institution about a complaint you have made and it gives us your personal data in its response.
    2. Your personal data is included in breach notifications made to us by institutions.
    3. A complainant refers to you in their complaint correspondence.
    4. We have seized personal data as part of an investigation.
    5. We receive your personal data from other public authorities, regulators or law enforcement bodies.
    6. Where you have made your contact information available on your institution's website and we use this to contact you and your institution in our role as a regulator.
  4. How we use your personal data that is collected.

    The Office collects and processes personal data for a number of purposes, which arise from its statutory powers, functions and duties under the Data Protection and Privacy Act, 2019 and include the following:

    1. Reviewing applications for registration with the Office from data collectors, data processors or data controllers;
    2. Handling complaints in relation to reported infringements of the Data Protection and Privacy Act;
    3. Conducting inquiries and investigations regarding infringements of the Data Protection and Privacy Act;
    4. Handling personal data breach notifications made to the Office;
    5. Responding to general inquiries; and
    6. Taking enforcement and prosecution action, where necessary.
  5. With whom we share your personal data.

    Personal data collected and processed by the Office is held confidentially and is not shared with any third parties, with the following exceptions:

    1. Where the sharing of the personal data is necessary for the performance by the Office of its functions. This may arise, for example, in the context of complaints handling, where the Office will usually disclose the complainant’s identity and the subject matter of the complaint to the data collector, data controller or data processor against whom the complaint is made. This is required both for practicality (because without disclosing the identity of the complainant in this manner, it will likely be impossible for the Office to investigate the complaint) as well as to ensure procedural fairness.
    2. For the purpose of co-operation with other data protection regulators. In certain circumstances, the Office may cooperate with and assist other data protection regulators in handling complaints and investigations. In such circumstances, in accordance with the law, we may share some or all of the content of the Office’s file with relevant data protection regulators that may have a role to play in the handling of the matter under the mutual cooperation arrangements we have with them.
    3. For the purpose of legal proceedings. In the event that the matter or complaint in question is brought before the Courts, the materials, including any information, documents or submissions provided by an individual, may be made public in open court.
    4. Publication of information.
      Shall we publish details of complaints?
      We gather and publish case studies and statistical information on the number and type of cases we process, but this information does not contain personal data.
      Shall we publish particulars of enforcement actions?
      The Regulations provide that the Office must publish an annual compliance report on its website. This report will have particulars of:
      1. Any conviction of a person for a contravention of the Act;
      2. Any fine imposed by Court;
      3. The suspension of data transfers to a recipient in a third country or to an international organisation; or
      4. An order made by Court for the suspension, restriction or prohibition of processing of personal data or the transfer of personal data to a recipient in a third country or to an international organisation.
  6. How long shall we keep your personal data?

    The retention periods for personal data held by the Office are based on the requirements of the Data Protection and Privacy Act, this Privacy Notice and on the purpose for which the personal data is collected and processed. For example, in the case of complaints, the Office will retain personal data (as contained on its case file) for as long as is necessary for the handling of the complaint and for any subsequent action that is required.

    The retention periods applied by the Office to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period and on the relevant limitation periods for taking legal action.

  7. How do you protect my personal data?

    We are strongly committed to keeping your personal data safe. We regularly monitor the security of this website and maintain updated systems.

  8. What are my rights?

    Remember, you are in control of your personal data. You have the right to:

    1. Request a copy of your personal data
      You have the right to ask us for copies of your personal data.
    2. Ask us to correct personal data that is wrong or to delete it.
      You have the right to ask us to correct or delete personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
    3. Right to complain
      We work to high standards when it comes to processing your personal data. If you have queries or concerns, please contact us at dpo@dataprotection.go.ug and we shall respond. If you remain dissatisfied, you can make a complaint about the way we process your personal data to us as the regulator. Complaints about us are handled in the same way as a complaint about any other institution. Complaints will be responded to as quickly as possible, in any case not later than seven (7) days.
  9. How will I find out about changes to this Privacy Notice?

    We regularly update this Privacy Notice. If we make important changes, like how we use your personal data, we shall let you know by e-mail and/or notice. We also maintain notice version control with a link to the previous policy, if any.

    If you have any comments or queries in relation to this Data Protection Notice, please forward them to our Data Protection Officer at dpo@dataprotection.go.ug.