There is no electronic marketing regulation in Uganda.
Uganda recently enacted the Data Protection and Privacy Act, 2019 (Act) to supplement constitutional privacy protections under Article 27 of the Constitution of the Republic of Uganda. The Act regulates personal data collection, processing, use and disclosure, and applies to any person, entity or public body within or outside of Uganda who collects, processes, holds, or uses personal data. The Act will go into effect pending publication in the Uganda Gazette.
Sector specific laws further incorporate data protection provisions applicable to regulated activities, including:
- The Access to Information Act, 2005
- The Regulation of Interception of Communications Act, 2010
- The Computer Misuse Act, 2011
- The Registration of Persons Act, 2015
Definition of Personal Data
Section 2 of the Act defines personal data as information about a person from which the person can be identified, such as information relating to nationality, age, marital status, education level, occupation and identity data.
This information is considered personal data regardless of the form in which the information is recorded.
Definition of Sensitive Personal Data
Section 9 of the Act defines “special personal data” as data relating to the religious or philosophical beliefs, political opinions, sexual life, financial information, health status or medical records of an individual.
Section 4 of the Act establishes the National Information Technology Authority-Uganda as Uganda’s personal data protection office. The office is not yet operational for data protection purposes.
Under Section 29 of the Act, the National Information Technology Authority-Uganda is authorized to maintain a data protection register of every person, institution or public body that collects or processes personal data, including the purpose of data collection or processing.
Registration requirements are not yet in effect, and are pending implementation regulations to be enacted by the Minister of Information and Communications Technology.
Under Section 6 of the Act, covered entities are required to appoint a data protection officer responsible for ensuring compliance with the Data Protection and Privacy Act. The Act does not provide specific criteria for the appointment of data protection officers.
Restrictions on the collection or processing of the personal data
The Data Protection and Privacy Act restricts personal data collection and processing by:
- Requiring entities to obtain informed consent prior to personal data collection or processing
- Prohibiting the collection or processing of children’s personal data unless: (i) done with the prior consent of a parent / guardian; (ii) necessary for compliance with the law; or (iii) for research or statistical purposes
- Prohibiting the collection or processing of special personal data unless specifically permitted by law
- Requiring that personal data be collected directly from the data subject, and only for a lawful or specific purpose related to the functions or activities of the data collector or controller
- Requiring data collectors, processors, and controllers to ensure that personal data is complete, accurate, up-to-date and not misleading
- Requiring that further processing of personal data be for a specific purpose related to the purpose for which personal data was collected
- Prohibiting personal data retention for a period longer than necessary to achieve the purpose for which data was collected and processed, unless specifically authorized by the Act, and
- Requiring destruction or de-identification of personal data records at the end of the retention period to prevent reconstruction of personal data in an intelligible form.
Section 19 of the Data Protection and Privacy Act permits processing or storage of personal data outside Uganda if:
- Adequate measures are in place in the country in which the data is processed or stored, at least equivalent to protections under the Act, or
- With data subject consent.
Under Section 20 of the Act, data controllers, collectors and processors must secure the integrity of personal data in their control or possession by adopting appropriate measures to prevent loss and unauthorized destruction, processing or access to personal data.
Data controllers are specifically required to use measures that:
- Identify reasonable risks to personal data in their possession or control
- Establish and maintain appropriate precautions against the risks identified
- Regularly verify the effective implementation of the precautions, and
- Ensure that the safeguards are continually updated.
In instances where personal data is processed by third parties, entities must ensure that data processors apply security safeguards provided under the Act.
Section 23 of the Data Protection and Privacy Act imposes a duty on data processors, collectors and controllers to immediately notify the National Information Technology Authority-Uganda of any reasonable belief that personal data has been accessed or acquired by an unauthorized person.
The Act empowers the National Information Technology Authority-Uganda to enforce violations of the Act by issuing remedial orders and requiring compliance with data subject requests. Enforcement is generally triggered by complaints lodged with the Authority by aggrieved individuals or by data subjects seeking to enforce rights under the Act.
Ugandan courts may award compensatory damages to persons harmed by data collector, controller or processor violations of the Act.
- Fines – Entities that violate the Act are subject to a fine of up to 245 currency points (UGX4.9 million). If an entity is a corporation, Ugandan courts may enforce violations of the Act by ordering a penalty of up to 2 percent of the corporation’s annual gross turnover.
- Imprisonment – Ugandan courts may punish offenses under the Act with an imprisonment term of up to ten years. In addition to imprisonment, courts may order convicted offenders to pay a monetary fine.
There is no electronic marketing regulation in Uganda.
There is no specific online privacy regulation.