Uganda DPPA 2019

The Data Protection and Privacy Act, 2019

Key Facts

Effective Date: March 1, 2019
Enacted: March 1, 2019
Enforcing Authority: Personal Data Protection Office (PDPO) under the National Information Technology Authority - Uganda (NITA-U)
Consent Model: Opt-in
Applies To: All data controllers and processors operating within Uganda

Overview

Uganda's Data Protection and Privacy Act (DPPA) 2019 is the country's comprehensive privacy legislation enforced by the Personal Data Protection Office (PDPO) under NITA-U. The law prohibits processing personal data without prior consent and establishes strict accountability principles. Criminal penalties of up to 10 years imprisonment place it among the most stringent enforcement regimes in East Africa, and the PDPO has begun active enforcement with its first fine.

What This Means for Your Website

If your website serves users in Uganda and collects personal data, you must obtain prior consent before any processing. You need to implement data minimization and purpose limitation practices, maintain transparency about your data processing activities, and ensure adequate security measures protect user data. Processing records must be maintained for accountability.

Key Requirements

The DPPA requires prior consent before any personal data collection or processing. Organizations must follow lawful and fair collection principles, minimize data collection to what is necessary, and limit processing to stated purposes. Transparency obligations include informing data subjects about processing activities. Security measures must be adequate, and processing records must demonstrate compliance.

How ConsentStack Handles This

ConsentStack enables compliant consent collection that meets Uganda's DPPA prior consent requirement. The platform provides a customizable consent banner, records all consent decisions with timestamps, and maintains audit trails for accountability. ConsentStack's preference management supports data subject rights including access and objection requests.

Penalties

Fines up to UGX 4,800,000 or 2% of annual gross turnover in severe cases; 3-10 years imprisonment

Maximum Fine: UGX 4,800,000 per violation
Revenue-based: 2% of annual revenue

Key Requirements

  • Prior consent required before collecting or processing personal data
  • Accountability and lawful, fair collection principles
  • Data minimization and purpose limitation
  • Transparency and adequate security measures
  • Data subjects have rights to access, rectification, and objection
  • Processing records must be maintained

Notable Provisions

  • Criminal penalties of up to 10 years imprisonment, among the most severe in East Africa
  • First fine imposed by PDPO signals increasing enforcement activity
  • PDPO operates as an independent office under NITA-U

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

What does Uganda's DPPA require for consent?

The DPPA requires prior consent before collecting or processing any personal data. Consent must be informed and freely given by the data subject.

What are the penalties under Uganda's DPPA?

Penalties include fines up to UGX 4.8 million or 2% of annual gross turnover for severe cases, plus criminal penalties of 3-10 years imprisonment.

Who enforces Uganda's DPPA?

The Personal Data Protection Office (PDPO), operating as an independent office under the National Information Technology Authority - Uganda (NITA-U), enforces the law.

Does Uganda's DPPA apply to foreign companies?

The DPPA applies to all data controllers and processors operating within Uganda, which can include foreign companies processing data of Ugandan individuals.
