Registration and Compliance for NGOs under the Data Protection and Privacy Act, 2019

Background

Following the passing of the Data Protection and Privacy Act in 2019 and the Data Protection and Privacy Regulations in 2021, the Personal Data Protection Office (PDPO) was established under the National Information Technology Authority (NITA) with the legal mandate of regulating the collection and processing of personal data in Uganda.

Section 29 of the Data Protection and Privacy Act, 2019 and regulation 15(1) of the Data Protection and Privacy Regulations, 2021 require registration of all persons, institutions, and public bodies collecting and processing personal data with the Personal Data Protection Office (PDPO).

In 2021, the PDPO gave entities that collect and process personal data a grace period that lapsed on December 31, 2021 to register in accordance with the Data Protection and Privacy Act, 2019 and the Regulations. The grace period was extended on multiple occasions since 2021 with the latest being a circular dated October 31, 2022 issued by the National Bureau for Non-Governmental Organisations (NGOs) in Uganda. In that circular, the NGO Bureau, in conjunction with the PDPO, gave a final extension for NGOs in Uganda to register with the PDPO by November 30, 2022.  Thus, effective December 1, 2022, enforcement measures shall be commenced against organizations or persons that have not registered.

The Legal Regime for Data Protection and Privacy in Uganda

The Data Protection and Privacy Act and Regulations operationalize Article 27(2) of the Constitution of Uganda on the protection of citizens’ rights to privacy and seek to: (a) protect the privacy of the individual and of personal data by regulating the collection and processing of personal information; (b) to provide for the rights of the persons whose data is collected and the obligations of data collectors, data processers and data controllers; (c) to regulate the use or disclosure of personal information; and for related matters

The Act applies to any person, institution or public body collecting, processing, holding or using personal data within Uganda and outside Uganda, in as far as it relates to Ugandan citizens. Personal data is defined under section 2 of the Act to mean information about a person from which the person can be identified, that is recorded in any form. It includes nationality, age and date of birth, educational level and occupation, identification number, addresses, email addresses, photographs, telephone numbers, salary details and bank account information, next of kin details, etc.

The regulations under Regulation 15 mandate every data collector, data processor or data controller to register with the National Data Protection Office. Failure to register before the stated deadline shall attract a fine of UGX 120,000/= or imprisonment for a period not more than three (3) months or both.

Although the November 30, 2022 deadline applies only to NGOs operating in Uganda, all persons, institutions, and public bodies collecting and processing personal data ought to register with the PDPO.

How to Register with the PDPO

To register with the PDPO, the following guidance should be followed.

  • Individual or corporate applicants should visit the PDPO website using the link: https://www.pdpo.go.ug/register, create an account and fill in an Application for Registration form which requests for the applicant’s name, nature, category of personal data being processed or to be processed, and purpose for collecting or processing the personal data among others. This form is a replica of Form 2 in Schedule 1 to the Data Protection and Privacy Regulations.
  • The Application for Registration should be accompanied by a written undertaking (Form 3 in Schedule 1 to the Data Protection and Privacy Regulations) by the applicant not to process or store personal data in another country unless that country has adequate measures which are at least equivalent to the protection provided for by the Act. Form 3 should be signed and commissioned by a Commissioner for Oaths as an attestation to the submitted application for registration.
  • An assessment of UGX 100,000 on the Uganda Revenue Authority (URA) website (ura.go.ug) should be made, payment effected against the assessment, and proof of payment attached at the point of submitting the Application for Registration on the PDPO website.

If the application is successful, a Certificate of Registration valid for 12 months from the date of registration shall be issued by the PDPO. The Certificate is renewed upon application and should be done at least three months before the expiry of the current registration by filing a Renewal of Registration form.

Conclusion

In conclusion, ALP Advocates offers advice to all NGOs to register with the PDPO ahead of the November 30, 2022 deadline in compliance with the regulatory processes and standards under the Data Protection and Privacy Act and Regulations. Noteworthy, the NGO Bureau and the PDPO have also committed to conduct weekly virtual sessions on Wednesdays at 10:00 a.m. to support NGOs in undertaking the registration process.

All other persons and entities collecting and processing personal data are similarly informed of their regulatory compliance obligation to register with the PDPO to avoid any legal penalties or interruption of their work by the PDPO.

Download this Legal Alert as a PDF file here

Disclaimer

No information contained in this alert should be construed as legal advice from ALP East Africa or ALP Advocates or the individual authors, nor is it intended to be a substitute for legal counsel on any subject matter.

For additional information in relation to this alert, please contact the following:

  • Fiona Latigi Lamaro
    Associate, Regulatory & Compliance Department
    flatigi@alp-ea.com

 

  • Judith Maryanne Aboto
    Associate, Infrastructure Business Department
    jaboto@alp-ea.com

Related Posts

Book Appointment

Email us for legal service

Mediation Services

The ALP Conflict Resolution Hub Mediation Service provides the most advanced global rules intended to assist parties and mediators to take maximum advantage of the flexible procedures available in mediation for the resolution of disputes quickly and economically.
The Mediation Service guides parties that opt for Dispute Management Clauses in their project contracts wherein the parties to the contract can jointly appoint a mediator to work together, in a more collaborative and mutually beneficial environment and oversee that their contracts proceed smoothly.

Arbitration Services

The ALP Conflict Resolution Hub Arbitration Service is based on the most efficient Arbitration Rules which help the parties and arbitrator to use the best available global practice for the resolution of domestic and international disputes quickly and economically by way of administered arbitration on global standards.
Additionally, the Arbitration Service provides for the appointment of emergency arbitrators, which allows the parties in need of emergency interim reliefs to make such applications even before the constitution of the regular arbitral tribunal.

Conciliation Services

The ALP Conflict Resolution Hub Conciliation Service provides an impartial, fast and effective conciliation operating to a uniformly high standard in both the public and private sector.
Participation in the Conciliation Service processes is voluntary, and so are the outcomes.Solutions are reached only by consensus whether by negotiation and agreements facilitated between the parties themselves or by the parties agreeing to settlement terms proposed by the Hub Conciliation Officer who treats as confidential all information received during the course of conciliation and the service is informal and non-legalistic in practice.

Ombudsman Services

The ALP Conflict Resolution Hub Ombudsman Service is a confidential, impartial and informal service that facilitates the resolution of disputes. A Hub Ombudsman helps parties analyze problems and assists in identifying options and can, only if requested, become involved in trying to resolve issues.
What’s more, the Hub Ombudsman Service alert managements to systemic trends and issues and makes recommendations for necessary changes in their fields.