K&K Advocates

 

What law(s) specifically govern personal data / information?

Principal legislation

  • The Data Protection and Privacy Act, Cap.97 of the Laws of Uganda
  • The Data Protection and Privacy Regulations, SI 21 of 2021.

Sector-specific legislation

  • Access to Information Act, Cap.95 of the Laws of Uganda.
  • The Computer Misuse Act, Cap.96 of the Laws of Uganda.
  • The Electronic Transactions Act, Cap.99 of the Laws of Uganda.
  • The National Information Technology Authority, Uganda Act, Cap.200 of the Laws of Uganda.
  • The National Information Technology Authority, Uganda (National Data Bank) Regulations, SI 109 of 2019.

 

What are the key data protection principles in this jurisdiction?

All data collectors, data processors or data controllers who collect, hold or use personal data are bound by the following key data protection principles:

  • Accountability to the data subject for data collected, processed, held, or used.
  • Collecting and processing data fairly and lawfully.
  • Collecting, processing, using or holding adequate, relevant and not excessive or unnecessary personal data.
  • Retaining personal data for the period authorised by law or for which the data is required.
  • Ensuring the quality of information collected, processed, used or held.
  • Ensuring transparency and participation of the data subject in the collection, processing, use and holding of the personal data.
  • Observing security safeguards in respect of the data.

See Section 3(1) of the Data Protection and Privacy Act, Cap.97 for further details.

 

What is the supervisory authority / regulator in charge of data protection?

The Personal Data Protection Office in the National Information Technology Authority – Uganda (NITA-U).

See Section 4(1) of the Data Protection and Privacy Act, Cap.97 and Regulations 3 & 4 of the Data Protection and Privacy Regulations, 2021 for further details.

 

Is there a requirement to register with a supervisory authority / regulator?

The Personal Data Protection Office in the National Information Technology Authority – Uganda (NITA-U).

See Section 4(1) of the Data Protection and Privacy Act, Cap.97 and Regulations 3 & 4 of the Data Protection and Privacy Regulations, 2021 for further details.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes. A data collector, data processor or data controller has an obligation to notify the Authority where they believe that the personal data of a data subject has been accessed or acquired by an unauthorised person.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, it is possible to register online with the Data Protection and Privacy Office.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

  • Right to privacy.
  • Right to consent to collection or processing of personal data.
  • Right of a child not to have their personal data collected or processed without parental or guardian consent.
  • Right to have data collected personally from the data subject.
  • Right to information on use of personal data.
  • Right to access personal information.
  • Right to prevent processing of personal data.
  • Right to appeal a decision to continue processing personal data.
  • Right to prevent processing of personal data for direct marketing.
  • Rights in relation to automated decision-making.
  • Right to rectification, blocking, erasure and destruction of personal data.
  • Right to rectification of errors.
  • Right to withdraw consent.
  • Right to complain to the Data Protection and Privacy Office where the data subject or any person believes that a data collector, data processor or data controller is infringing on their rights or is in violation of the Act.
  • Right to complain to the relevant data protection authority(ies).

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes. The law mandates that the head of every institution in the country shall designate a person as the data protection officer. This data protection officer is responsible for compliance with the Act as set out in Section 6 of the Data Protection and Privacy Act, Cap.97.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes. This is a mandatory security measure for data controllers, requiring them to identify reasonably foreseeable internal and external risks to personal data under their possession or control. See Section 20(2)(a) of the Data Protection and Privacy Act, Cap.97 and Regulation 12(1) of the Data Protection and Privacy Act, Cap.97 for further details.

 

Does this jurisdiction have any specific data breach notification requirements?

Yes. Notification of a data security breach must be made to the data subject by registered mail to their last known residential or postal address, by electronic mail to their last known email address, by posting in a prominent position on the responsible party's website, or through publication in the mass media. See Section 23(3) of the Data Protection and Privacy Act, Cap.97 and Regulation 33(3) of the Data Protection and Privacy Regulations, 2021 for further details.

 

What restrictions apply to the international transfer of personal data / information?

Organisations based in Uganda that process or store personal data outside Uganda must ensure that there are adequate measures in place for the protection of personal data at least equivalent to the protection provided for by the Act, as specified in Section 19(a) of the Data Protection and Privacy Act, Cap.97.

The law also applies extra-territorially, extending to organisations that collect, hold or process data relating to Ugandan citizens. See Section 1 of the Data Protection and Privacy Act, Cap.97 for further information. These organisations must observe generally accepted information security practices and procedures, and specific industry or professional rules and regulations, as set out in Section 20(3) of the Data Protection and Privacy Act, Cap.97.

Furthermore, personal data processed outside Uganda cannot be further transferred to, or processed in, a third country without the express consent of the data subject. See Regulation 30(2) of the Data Protection and Privacy Regulations, 2021.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Yes. The data protection laws in Uganda have “extra-territorial effect” and apply to organisations outside the jurisdiction which are collecting, processing, holding or using personal data relating to Ugandan citizens. See Section 1(f) of the Data Protection and Privacy Act, Cap.97 for further details.

They also apply to organisations based in Uganda that process or store personal data outside Uganda as set out in Section 19 of the Data Protection and Privacy Act, Cap.97.

 

What rules specifically deal with marketing?

The law provides that a data subject can enter into an agreement with a data controller for use of their personal data for pecuniary benefit through direct marketing, as set out in Section 26(3) of the Data Protection and Privacy Act, Cap.97.

However, a data subject has the right to give notice to a data controller, requiring the latter to stop processing his or her data for purposes of direct marketing. See Section 26(1) of the Data Protection and Privacy Act, Cap.97.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

The law provides that a data subject can enter into an agreement with a data controller for use of their personal data for pecuniary benefit through direct marketing, as set out in Section 26(3) of the Data Protection and Privacy Act, Cap.97.

However, a data subject has the right to give notice to a data controller, requiring the latter to stop processing his or her data for purposes of direct marketing. See Section 26(1) of the Data Protection and Privacy Act, Cap.97.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

The law provides rules for business-to-consumer marketing in online transactions. These rules provide that the following information should be provided to the consumer:

  • the full name and legal status of the person.
  • the physical address and telephone number of the person.
  • the web site address or e-mail address of the person.
  • membership of any self-regulatory or accreditation bodies to which the person belongs or subscribes and the contact details of that body.
  • any code of conduct to which that person subscribes and how the consumer may access that code of conduct electronically.
  • in the case of a legal person, the registration number, names of directors and place of registration.
  • the physical address where the person may be served with documents.
  • a description of the main characteristics of the goods or services offered by the person which is sufficient to enable a consumer to make an informed decision on the proposed electronic transaction.
  • the full price of the goods or services, including transport costs, taxes and any other fees or costs.
  • the manner of payment.
  • any terms or conditions of agreement, including any guarantees, that will apply to the transaction and how those terms may be accessed, stored and reproduced electronically by customers.
  • the time within which the goods will be dispatched or delivered or within which the services will be rendered.
  • the manner and period within which consumers may access and maintain a full record of the transaction.
  • the return, exchange and refund policy of the person.
  • any alternative dispute resolution code to which the person subscribes and how the code may be accessed electronically by the consumer.
  • the security procedures and privacy policy of the person in respect of payment, payment information and personal information.
  • where appropriate, the minimum duration of the agreement in the case of agreements for the sale, hire, exchange or supply of products or services to be performed on an ongoing basis or recurrently.

See Section 24(1) of the Electronic Transactions Act, Cap.99 for further details.

The business also has to give the consumer an opportunity to review the entire electronic transaction, correct any mistakes and withdraw from the transaction before placing an order, as set out in Section 24(2) of the Electronic Transactions Act, Cap.99.

 

What rules specifically deal with cookies?

There are no rules that specifically deal with cookies. However, the law makes it mandatory for consent of the data subject to be given before any data can be collected or processed. See Section 7 of the Data Protection and Privacy Act, Cap.97.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Non-compliance with data protection laws, in the form of unlawfully obtaining, disclosing or procuring the disclosure to another person of personal data held or processed by a data collector, data controller or data processor, is an offence with a punishment of ten years’ imprisonment, or a fine, or both. See Section 35(1) and 35(2) of the Data Protection and Privacy Act, Cap.97. Also see Section 17(1) and 17(2) of the Computer Misuse Act, Cap.96.

Non-compliance with the laws governing the processing of personal data outside Uganda is an offence that can lead to a fine for each day the person is in default, or imprisonment not exceeding three months, or both.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction, without being located there?

Multinational organisations not based in Uganda should be aware that Uganda’s data protection laws still apply to them for so long as they process personal data/information of Ugandan citizens.

 

What upcoming data protection developments should multinational organisations be aware of?

The Personal Data Protection Office, which is responsible for overseeing the implementation and enforcement of the Data Protection and Privacy Act, has indicated that all organisations registered with it as data controllers, data collectors and data processors are required to submit an Annual Data Protection and Privacy Compliance Report within ninety (90) days after the end of every financial year.

The Report is expected to provide a summary of all complaints received and the status of each complaint, including whether it was resolved or is still pending. Further, the Report must disclose all data breaches and the action taken to address them.

The Personal Data Protection Office has developed a template of the Report for reference by all organisations required to prepare and submit this report.

The Report is meant to enable the Personal Data Protection Office to audit the compliance of organisations with the Data Protection and Privacy Act and regulations and policies made under the Act.

 

Need more information?
Contact a member firm:
Peter Kauma
K&K Advocates
Uganda


Tendo Lubwama
K&K Advocates
Uganda


Benson Mayanja
K&K Advocates
Uganda


Paul Katuramu
K&K Advocates
Uganda