Skip to main content

In East Africa, Uganda has taken significant steps to protect personal data through the Data Protection and Privacy Act of 2019 and its subsequent regulations. The operationalisation of the Personal Data Protection Office (PDPO) in August 2021, a key player in this regulatory landscape, provides oversight and guidance in data protection matters.

This post explains the registration requirements with the PDPO for organisations collecting or processing personal data in Uganda.

Why register with the PDPO?

The primary purpose of registration with the PDPO is to promote transparency.

Transparency is a core principle of data protection. It ensures that the public is aware of the personal data collected or processed, including the purposes and methods of processing. This transparency builds trust and assures individuals that controllers and processors process their personal data responsibly and lawfully.

Who needs to register?

According to Section 29 (2) of the Data Protection and Privacy Act and Regulation 15 (1) of the Data Protection and Privacy Regulations, every data collector, data processor, or data controller must register with the PDPO. These roles encompass:

  • individuals and organisations that collect or process personal data.
  • public bodies involved in personal data collection or processing.

Currently, the Ugandan legislature and PDPO have not gazetted any exemptions. So, all collectors, controllers and processors must comply with this registration requirement. Non-compliance can lead to legal consequences, making it crucial for all organisations to meet this requirement.

Registration process

  1. Pay the registration fee

    • Pay the registration fee of USH 100,000 (≈ USD 30) at any commercial bank or through mobile money after generating a PRN through the Uganda Revenue Authority (URA) website, as shown in this video.
  2. Application forms

    • Complete the registration application form available on the PDPO website. These PDPO’s designed these forms to capture essential details about the applicant and their data processing activities.
  3. Details required

    • Applicant information: Name, physical address, contact details, and nature of business.
    • Data protection officer (DPO): The DPO’s name, official address, and contact details. If the DPO has additional roles within the organisation, the applicant should specify these roles.
    • Data description: Detailed descriptions of the personal data they collect or process. Common categories include identifiers (e.g., name, nationality), commercial information, sensory data, internet activity, geolocation data, educational information, employment-related information, and special personal data (e.g., health records, biometric data).
    • Processing purpose: Clearly state the purpose of data collection or processing. This could range from legal compliance to human resource management.
    • Data recipients: List third parties or bodies to whom the data may be disclosed and the purpose of such disclosures.
    • Data transfer: Indicate if the applicant will transfer personal data outside Uganda, specifying the purpose and ensuring the recipient country provides adequate data protection measures.
    • Security measures: Outline the security measures to protect personal data.
    • Data retention policy: Specify the duration for which the data will be kept, guided by a tailored data retention policy.
    • Undertaking: A written undertaking not to process or store personal data in countries without adequate data protection measures equivalent to Uganda’s standards.

Renewal and compliance

Registration with the PDPO is valid for one year and organisation must renew it annually. It’s more practical for organisations to apply for renewal at least three months before the expiry date. Along with the renewal application, the organisation should submit an annual compliance report within ninety days after the end of the financial year.

Non-compliance and penalties

Failure to register or renew registration with the PDPO is punishable by a fine or imprisonment of up to three months or both. Organisations and their officers who knowingly authorise such contraventions are liable to these penalties.

Access to the data protection register

The PDPO maintains a register of all registered data collectors, processors, and controllers. This register is publicly accessible and can be inspected free of charge. However, you’ll have to pay a fee of USH 25,000 to obtain a certified copy of an entry from the register.

How ITLawCo can help

Navigating the complexities of data protection compliance can be challenging. ITLawCo offers expert guidance and support to ensure your organisation meets all registration requirements with the PDPO. Our team of experienced lawyers and IT professionals can assist with:

  • Completing and submitting registration applications.
  • Developing data protection policies and procedures.
  • Ensuring ongoing compliance and timely renewals.
  • Addressing any legal or technical issues related to data protection.

Contact us today to learn how we can help you achieve and maintain compliance with Uganda’s data protection laws.