Support Centre



Law: Data Protection and Privacy Act 2019 ('the Act') and the Data Protection and Privacy Regulations, 2021 ('the Regulations')

Regulator: The Personal Data Protection Office ('PDPO') within the National Information Technology Authority - Uganda ('NITA - U')

Summary: The Act takes a relatively comprehensive approach to data protection, and in particular provides for a data protection and privacy register, notable powers for the NITA-U, and processes for the investigation of complaints relating to the infringement of data subject rights under the Act. In addition, the Act establishes consent as a central principle, specifies conditions for consent relating to minors as well as other special categories, and, notably, has extraterritorial scope and may apply to entities outside Uganda. The Regulations, which were published in the Official Gazette on 12 March 2021, provide for the establishment of the Personal Data Protection Office within NITA-U, and establish, among other things, a registration obligation for data collectors, controllers, and processors. Another key law in Uganda is the Computer Misuse Act 2011 which, among other things, criminalises any unauthorised disclosure of personal data and confidential information.


In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Data Protection and Privacy Act 2019 (the Act).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the Act with the  GDPR.

You can access the latest version of the report here.