Data protection & privacy laws in Uganda (2026)

The Data Protection and Privacy Act No. 9 of 2019 (in force 3 May 2019) is Uganda's overarching data protection statute, regulating collection, processing, storage, use, and disclosure of personal data by data collectors, processors, and controllers in both the public and private sectors.

The Data Protection and Privacy Regulations, 2021 (SI No. 21 of 2021, effective 12 March 2021) detail operational requirements including PDPO management procedures, data controller and processor registration, cross-border transfer safeguards, and enforcement procedures.

The Personal Data Protection Office (PDPO), headquartered at NITA-U, is the independent national supervisory authority. It registers data controllers and processors, investigates complaints, and issues binding enforcement decisions. The PDPO has shown active enforcement since 2025, including a ruling against Google LLC in July 2025 for operating without registration.

All data collectors, processors, and controllers — whether domestic or foreign — must register with the PDPO and renew annually (fee: UGX 100,000 ≈ USD 30). Failure to register is punishable by fine or up to three months' imprisonment. In August 2025 the PDPO formally clarified that this obligation extends to offshore entities handling Ugandan citizens' data.

Individuals hold rights to access, rectification, erasure, and objection to processing of their personal data. Data subjects may also request the identity of third parties who have accessed their data and the legal basis for its collection and processing.

Transfers of personal data outside Uganda require the destination country to provide equivalent protection, or data subject consent. Entities must maintain records of the legal basis for transfers but do not need advance PDPO approval per transfer. Penalties for serious violations reach UGX 4.8 million (≈ USD 1,300), up to 10 years' imprisonment, or fines of up to 2% of annual gross turnover.