Registration and Compliance for NGOs under the Data Protection and Privacy Act, 2019
With effect from December 1, 2022, the Personal Data Protection Office (PDPO) will commence enforcement against organisations and persons involved in the collection and processing of personal data without registration in accordance with the Data Protection and Privacy Act, 2019.
Following the passing of the Data Protection and Privacy Act in 2019 and the Data Protection and Privacy Regulations in 2021, the Personal Data Protection Office (PDPO) was established under the National Information Technology Authority (NITA) with the legal mandate of regulating the collection and processing of personal data in Uganda.
Section 29 of the Data Protection and Privacy Act, 2019 and regulation 15(1) of the Data Protection and Privacy Regulations, 2021 require registration of all persons, institutions, and public bodies collecting and processing personal data with the Personal Data Protection Office (PDPO).
In 2021, the PDPO gave entities that collect and process personal data a grace period that lapsed on December 31, 2021 to register in accordance with the Data Protection and Privacy Act, 2019 and the Regulations. The grace period was extended on multiple occasions since 2021 with the latest being a circular dated October 31, 2022 issued by the National Bureau for Non-Governmental Organisations (NGOs) in Uganda. In that circular, the NGO Bureau, in conjunction with the PDPO, gave a final extension for NGOs in Uganda to register with the PDPO by November 30, 2022. Thus, effective December 1, 2022, enforcement measures shall be commenced against organizations or persons that have not registered.
The Legal Regime for Data Protection and Privacy in Uganda
The Data Protection and Privacy Act and Regulations operationalize Article 27(2) of the Constitution of Uganda on the protection of citizens’ rights to privacy and seek to: (a) protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; (b) to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processers and data controllers; (c) to regulate the use or disclosure of personal information; and for related matters
The Act applies to any person, institution or public body collecting, processing, holding or using personal data within Uganda and outside Uganda, in as far as it relates to Ugandan citizens. Personal data is defined under section 2 of the Act to mean information about a person from which the person can be identified, that is recorded in any form. It includes nationality, age and date of birth, educational level and occupation, identification number, addresses, email addresses, photographs, telephone numbers, salary details and bank account information, next of kin details, etc.
The regulations under Regulation 15 mandate every data collector, data processor or data controller to register with the National Data Protection Office. Failure to register before the stated deadline shall attract a fine of UGX 120,000/= or imprisonment for a period not more than three (3) months or both.
Although the November 30, 2022 deadline applies only to NGOs operating in Uganda, all persons, institutions, and public bodies collecting and processing personal data ought to register with the PDPO.
How to Register with the PDPO
To register with the PDPO, the following guidance should be followed.
– Individual or corporate applicants should visit the PDPO website using the link: https://www.pdpo.go.ug/register, create an account and fill in an Application for Registration form which requests for the applicant’s name, nature, category of personal data being processed or to be processed, and purpose for collecting or processing the personal data among others. This form is a replica of Form 2 in Schedule 1 to the Data Protection and Privacy Regulations.
– The Application for Registration should be accompanied by a written undertaking (Form 3 in Schedule 1 to the Data Protection and Privacy Regulations) by the applicant not to process or store personal data in another country unless that country has adequate measures which are at least equivalent to the protection provided for by the Act. Form 3 should be signed and commissioned by a Commissioner for Oaths as an attestation to the submitted application for registration.
– An assessment of UGX 100,000 on the Uganda Revenue Authority (URA) website (ura.go.ug) should be made, payment effected against the assessment, and proof of payment attached at the point of submitting the Application for Registration on the PDPO website.
If the application is successful, a Certificate of Registration valid for 12 months from the date of registration shall be issued by the PDPO. The Certificate is renewed upon application and should be done at least three months before the expiry of the current registration by filing a Renewal of Registration form.
In conclusion, ALP Advocates offers advice to all NGOs to register with the PDPO ahead of the November 30, 2022 deadline in compliance with the regulatory processes and standards under the Data Protection and Privacy Act and Regulations. Noteworthy, the NGO Bureau and the PDPO have also committed to conduct weekly virtual sessions on Wednesdays at 10:00 a.m. to support NGOs in undertaking the registration process.
All other persons and entities collecting and processing personal data are similarly informed of their regulatory compliance obligation to register with the PDPO to avoid any legal penalties or interruption of their work by the PDPO.
Download this Compliance Memo as a PDF file here
No information contained in this alert should be construed as legal advice from ALP East Africa or ALP Advocates or the individual authors, nor is it intended to be a substitute for legal counsel on any subject matter.
For additional information in relation to this alert, please contact the following:
– Fiona V. Lamaro Latigi
Associate, Regulatory and Compliance Department
– Judith Maryanne Aboto
Associate, Infrastructure Business Department