GDPR v. Uganda


Comparing privacy laws: GDPR v. Data Protection and Privacy Act
About the authors

OneTrust DataGuidance™ provides a suite of privacy solutions designed to help organisations monitor regulatory developments, mitigate risk and achieve global compliance.

The OneTrust DataGuidance™ platform includes focused guidance around core topics (i.e. GDPR, data transfers, breach notification, among others), Cross-Border Charts which allow you to compare regulations across multiple jurisdictions at a glance, a daily customised news service and expert analysis.

These tools, along with our in-house analyst service to help with your specific research questions, provide a cost-effective and efficient solution to design and support your privacy programme.

Image production credits:
Cover/p.5/p.51: 221A / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com
Scale key p.6-49: enisaksoy / Signature collection / istockphoto.com
Icon p.33-40: AlexeyBlogoodf / Essentials collection / istockphoto.com
Icon p.47-51: cnythzl / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com

Table of contents

Introduction 5

1. Scope
1.1. Personal scope 7
1.2. Territorial scope 9
1.3. Material scope 10

2. Key definitions
2.1. Personal data 13
2.2. Pseudonymisation 15
2.3. Controller and processors 16
2.4. Children 18
2.5. Research 19

3. Legal basis 21

4. Controller and processor obligations
4.1. Data transfers 23
4.2. Data processing records 26
4.3. Data protection impact assessment 29
4.4. Data protection officer appointment 33
4.5. Data security and data breaches 35
4.6. Accountability 39

5. Individuals' rights
5.1. Right to erasure 40
5.2. Right to be informed 44
5.3. Right to object 48
5.4. Right of access 52
5.5. Right not to be subject to discrimination 56
5.6. Right to data portability 57

6. Enforcement
6.1. Monetary penalties 59
6.2. Supervisory authority 62
6.3. Civil remedies for individuals 68

Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into effect on 25 May 2018, and governs the
protection of personal data in EU and EEA Member States. The Data Protection and Privacy Act 2019 ('the Act'), which came into force
in May 2019, is the primary piece of data protection legislation in Uganda and has been supplemented with the Data Protection and
Privacy Regulations, 2021 ('the Regulations'), which were introduced on 12 March 2021.

The Act and Regulations share several similarities with the GDPR in terms of overarching principles and the general regulation of
data controllers, processors, and data subject rights. Furthermore, similar to the requirement under the GDPR to provide for a data
protection authority responsible for monitoring the application of the GDPR, the Regulations provide for the establishment of the
Personal Data Protection Office ('PDPO') within the National Information Technology Authority - Uganda ('NITA-U'), with the PDPO
responsible for the overall implementation of the Act and the Regulations.

However, there are also significant differences between the frameworks, particularly in relation to the obligations of organisations.
Notably, the Regulations have introduced additional provisions, particularly in relation to data processing records, Data Protection
Impact Assessments ('DPIA'), data protection officer ('DPO') appointment, and data transfers. However, in general terms, the provisions
within the Act and its Regulations are slightly less detailed than those found within the GDPR.

This overview organises provisions from the GDPR, the Act, and the Regulations into key topics and sets them alongside each other
to enable analysis and comparison. Each section begins with a detailing of principal information and a general introduction, as well as
a consistency rating.

Introduction (cont'd)

Structure and overview of the Guide

This Guide provides a comparison of the two legislative frameworks on the following key provisions:
1. Scope
2. Key definitions
3. Legal basis
4. Controller and processor obligations
5. Individuals' rights
6. Enforcement

Each topic includes relevant provisions from the two legislative frameworks, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the Act.

Key for giving the consistency rate

Consistent: The GDPR and the Act bear a high degree of similarity in the rationale, core, scope, and the application of the provision considered.

Fairly consistent: The GDPR and the Act bear a high degree of similarity in the rationale, core, and the scope of the provision considered; however, the details governing its application differ.

Fairly inconsistent: The GDPR and the Act bear several differences with regard to the scope and application of the provision considered; however, its rationale and core present some similarities.

Inconsistent: The GDPR and the Act bear a high degree of difference with regard to the rationale, core, scope, and application of the provision considered.

Usage of the Guide

This Guide is general and informational in nature, and is not intended to provide, and should not be relied on as a source of, legal advice. The information and materials provided in the Guide may not be applicable in all (or any) situations and should not be acted upon without specific legal advice based on particular circumstances.

1. Scope

1.1. Personal scope
Consistency rating: Fairly consistent

The Act employs similar core concepts as the GDPR and refers to data controllers, data processors, and data subjects. The GDPR and the Act differ, however, in that the latter does not explicitly exclude deceased persons' data. In addition, unlike the GDPR, the Act includes a definition for data collectors.

Data controller
GDPR: Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The Act: Section 2: 'data controller' means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

Data processor
GDPR: Article 4(8): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Act: Section 2: 'data processor' means a person other than an employee of the data controller who processes the data on behalf of the data controller.

Data subject
GDPR: Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Act: Section 2: 'data subject' means an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored.

Public bodies
GDPR: Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body.
The Act: Section 2: 'public body' includes the Government, a department, service or undertaking of the Government, Cabinet, Parliament, a court, local Government administration or a local council and any committee or commission thereof, an urban authority, a municipal council and any committee of any such council, any corporation, committee, board, commission or similar body whether corporate or incorporate established by an Act of Parliament relating to undertakings of public services or such purpose for the benefit of the public or any section of the public to administer funds or property belonging to or granted by the Government or money raised by public subscription, rates, taxes, cess or charges in pursuance of any written law and any council, board, committee or society established by an Act of Parliament for the benefit, regulation and control of any profession.

Deceased individuals
GDPR: Recital 27: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
The Act: Section 2: The Act's definition of 'personal data' does not distinguish between information about a living or deceased person.

1.2. Territorial scope
Consistency rating: Fairly inconsistent

Like the GDPR, the Act applies extraterritorially. However, the Act does not explicitly regulate goods and services or monitoring from abroad.

Establishment in jurisdiction
GDPR: Article 3: This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Recital 22: Establishment implies the effective and real exercise of activity through stable arrangements.
The Act: Section 1: The Act applies to a person, institution or public body collecting, processing, holding or using personal data within Uganda; and outside Uganda who collects, processes, holds, or uses personal data relating to Ugandan citizens. Section 30 of the Regulations addresses the requirements for processing personal data outside of Uganda.

Nationality of data subject
GDPR: Recital 14: The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
The Act: Section 1: The Act applies to a person, institution or public body collecting, processing, holding or using personal data within Uganda; and outside Uganda who collects, processes, holds, or uses personal data relating to Ugandan citizens.

Extraterritorial
GDPR: See Article 3, above.
The Act: See Section 1 of the Act above.

Place of residence
GDPR: See Recital 14, above.
The Act: See Section 1 of the Act above.

Goods & services from abroad
GDPR: Recital 23: In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
The Act: The Act does not refer to goods and services from abroad.

Monitoring from abroad
GDPR: Recital 24: The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.
The Act: The Act does not refer to monitoring from abroad.

1.3. Material scope
Consistency rating: Fairly consistent

The Act and the GDPR provide similar definitions of personal data and data processing, and both include specific requirements for special categories of, or sensitive, data. The two pieces of legislation differ, however, in terms of the general exemptions they stipulate, and in regard to anonymised and pseudonymised data.

Personal data/ personal information
GDPR: Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Act: Section 2: 'personal data' means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to: a) the nationality, age or marital status of the person; b) the educational level, or occupation of the person; c) an identification number, symbol or other particulars assigned to a person; d) identity data; or e) other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual.

Data processing
GDPR: Article 4(2): 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Act: Section 2: 'processing' means any operation which is performed upon collected data by automated means or otherwise including: a) organisation, adaptation or alteration of the information or data; b) retrieval, consultation or use of the information or data; c) disclosure of the information or data by transmission, dissemination or otherwise making available; or d) alignment, combination, blocking, erasure or destruction of the information or data.

Special categories of data
GDPR: Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The Act: Section 9(1): 'Special personal data' is referred to as personal data which relates to the religious or philosophical beliefs, political opinions, sexual life, financial information, health status or medical records of an individual.

Anonymised data
GDPR: Recital 26: The principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
The Act: Section 18(4): A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period. Section 18(5): The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.

Pseudonymised data
GDPR: Article 4(5): 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The Act: See Section 18(4)-(5) of the Act above.

Automated processing
GDPR: Article 2(1): This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The Act: Section 2: 'processing' means any operation which is performed upon collected data by automated means or otherwise.

General exemptions
GDPR: Article 2(2): This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union; or (c) by a natural person in the course of a purely personal or household activity.
The Act: Section 9(2): The collection of and processing of special personal data does not apply to information collected under the Uganda Bureau of Statistics Act 1998.

2. Key definitions

2.1. Personal data
Consistency rating: Fairly consistent

The GDPR and the Act set out similar understandings for the concepts of personal data and special categories of data.

Personal data/ personal information
GDPR: Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Act: Section 2: 'personal data' means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to: a) the nationality, age or marital status of the person; b) the educational level, or occupation of the person; c) an identification number, symbol or other particulars assigned to a person; d) identity data; or e) other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual.

Special categories of data
GDPR: Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The Act: Section 9(1): 'Special personal data' is referred to as personal data which relates to the religious or philosophical beliefs, political opinions, sexual life, financial information, health status or medical records of an individual.

Online identifiers
GDPR: Recital 30: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
The Act: The Act does not specifically refer to online identifiers.

Data collector
GDPR: The GDPR does not provide for a definition of 'data collector'.
The Act: Section 2: 'data collector' means a person who collects personal data.

Recipient
GDPR: Article 4(9): 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
The Act: Section 2: 'recipient' means a person to whom data is disclosed including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment.

Third party
GDPR: Article 4(9): 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
The Act: Section 2: 'third party' in relation to personal data, means a person other than the data subject, the data collector, data controller, or any data processor or other person authorised to process data for the data controller or processor.

2.2. Pseudonymisation
Consistency rating: Fairly inconsistent

Unlike the GDPR, the Act does not directly refer to anonymisation and pseudonymisation; however, it does contain relevant provisions related to the destruction and de-identification of data.

Anonymisation
GDPR: Recital 26: 'anonymous information' is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
The Act: The Act does not specifically define anonymised data. However, it refers to de-identified data. Section 18(4): A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period. Section 18(5): The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.

Pseudonymisation
GDPR: Article 4(5): 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The Act: The Act does not explicitly refer to pseudonymisation.

2.3. Controllers and processors
Consistency rating: Consistent

The Act and the GDPR provide similar definitions for data controllers and data processors, as well as requirements for agreements between these parties and obligations to appoint a DPO. Furthermore, while the Act itself does not specifically address DPIAs, the Regulations outline when a DPIA should be conducted and what it should include, akin to the relevant provisions of the GDPR.

Data controller
GDPR: Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The Act: Section 2: 'data controller' means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

Data processor
GDPR: Article 4(8): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Act: Section 2: 'data processor' means a person other than an employee of the data controller who processes the data on behalf of the data controller.

Controller and processor contracts
GDPR: Article 28(3): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. [Article 28 goes on to stipulate necessary information to be included in such a contract.]
The Act: Section 21(2): A contract between a data controller and a data processor relating to processing of personal data, shall require the data processor to establish and maintain the confidentiality and security measures necessary to protect the integrity of the personal data.

Data Protection Impact Assessment ('DPIA')
GDPR: DPIA is not specifically defined; however, Article 35 sets out requirements for DPIAs (see section 5.3. for further information).
The Act: Section 12 of the Regulations: Where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons, the data collector, data processor or data controller must, prior to the collection or processing, carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data. Every DPIA must include a systematic description of the envisaged processing and the purposes of the processing, an assessment of the risks to personal data and the measures to address the risks, and any other matters the PDPO may require (see section 4.3. for further information).

Data Protection Officer ('DPO')
GDPR: DPO is not specifically defined; however, Article 37 sets out requirements related to DPOs (see section 5.4. for further information).
The Act: DPO is not specifically defined; however, Section 6 mandates the designation of a DPO. Section 47 of the Regulations addresses the specifics of designating a DPO (see section 4.4. for further information).

2.4. Children
Consistency rating: Fairly consistent

Like the GDPR, the Act provides additional requirements for children's data. However, unlike the GDPR, the Act does not contain requirements for the provision of privacy notices to children.

Children's definition
GDPR: The GDPR does not specifically define 'child'. However, Article 8(1) provides: Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The Act: The Act does not specifically define 'child'. However, Section 8 provides: A person shall not collect or process personal data relating to a child unless the collection or processing thereof is: a) carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child; b) necessary to comply with the law; or c) for research or statistical purposes.

Consent for processing children's data
GDPR: Article 8(2): The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
The Act: See Section 8 of the Act above. Section 11 of the Regulations: For the purposes of Section 8 of the Act, every data collector, controller, processor must establish a system to ascertain the age of persons whose personal data is to be collected, processed, or stored, and where the data relates to a child, the manner of obtaining the consent of a parent or legal guardian.

Privacy notice (children)
GDPR: Recital 58: Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
The Act: The Act does not specifically address privacy notices for children.

2.5. Research
Consistency rating: Fairly inconsistent

Like the GDPR, the Act provides exemptions for processing for scientific or historical research purposes in certain instances. However, the Act does not establish requirements for appropriate safeguards in the manner of the GDPR, nor does it provide specific data subject rights in the context of scientific or historical research.

Scientific/ historical research definition
GDPR: Recital 159: Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. Recital 160: Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.
The Act: The Act does not define or provide examples of scientific or historical research purposes.

Compatibility with original purpose of collection
GDPR: Article 5(1)(b): Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation').
The Act: Section 17(3)(e): The further processing of data is considered to be compatible with the purpose of collection where the data is used for historical, statistical or research purposes and the person responsible for the processing ensures that: i) the further processing is carried out solely for the purpose for which the data was collected; and ii) that the data is not published in a form likely to reveal the identity of the data subject.

Appropriate safeguards
GDPR: Article 89(1): Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner.
The Act: The Act does not provide for appropriate safeguards. However, Section 18(2)(f) states that retention of personal data provisions do not apply to personal data retained for historical, statistical, or research purposes.

Data subject rights (research)
GDPR: Under Article 17(3), the right to erasure may not apply in cases of scientific or historical research. Article 21(6), however, provides that data subjects may exercise the right to object to data processing for scientific or historical research purposes. In addition, Article 89 provides that Member States may derogate from the GDPR in regard to data subject rights and data processing for research purposes.
The Act: The Act does not refer to data subject rights in the context of scientific or historical research.

3. Legal basis
Consistency rating: Fairly consistent

The Act sets out very similar grounds for the processing of personal data to the GDPR, as well as comparable additional requirements for the processing of special categories of, or sensitive, data. Moreover, the Act has provisions defining conditions for consent; however, it does not address matters such as processing for journalistic/artistic purposes.

Legal grounds
GDPR: Article 6(1): Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Act: Section 7(1): Subject to subsection (2), a person shall not collect or process personal data without the prior consent of the data subject. (2) Personal data may be collected or processed: a) where the collection or processing is authorised or required by law; or b) where it is necessary: i) for the proper performance of a public duty by a public body; ii) for national security; iii) for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law; c) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; d) for medical purposes; or e) for compliance with a legal obligation to which the data controller is subject.

Sensitive data (legal basis)
GDPR: There are specific requirements for processing special categories of data; see Article 9 of the GDPR for further information.
The Act: There are specific requirements for processing special personal data under Section 9 of the Act.

Conditions for consent

GDPR
Article 7(3): The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Article 4(11): 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The Act
Section 7(3): Except for data collected or processed under subsection (2), where a data subject objects to the collection or processing of personal data, the person who is collecting or processing the personal data shall stop the collection or processing of the personal data.

Section 2: 'consent' means any freely given, specific, informed and unambiguous indication of the data subject's wish by which he or she, by a statement or by a clear affirmative action, signifies agreement to the collection or processing of personal data relating to him or her.

Schedule 1 of the Regulations includes a form for notice of objection to the collection/processing of personal data.

Journalism/artistic purposes

GDPR
Article 85(1): Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

The Act
The Act does not refer to journalism or artistic purposes.

4. Controller and processor obligations

4.1. Data transfers
Inconsistent

The Act provides for a notion of adequate protection similar to that of the GDPR. However, the Act only recognises consent as an alternative mechanism for data transfers, whereas the GDPR provides that transfers to a third country or an international organisation may still occur if appropriate safeguards are provided.

Adequate protection

GDPR
Article 45(1): A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

The Act
Section 19: Where a data processor or data controller based in Uganda processes or stores personal data outside Uganda, the data processor or data controller shall ensure that:

a) the country in which the data is processed or stored has adequate measures in place for the protection of personal data at least equivalent to the protection provided for by this Act; or

b) the data subject has consented.

Section 30(1) of the Regulations: A data collector, data processor or data controller shall not process or store personal data outside Uganda unless the data collector, processor, or controller demonstrates to the PDPO that (a) the country outside Uganda where the personal data is to be processed or stored has adequate measures in place for the protection of the personal data at least equivalent to the protection provided for by the Act; or (b) the data subject has consented to the processing.

(5) Where the data collector, processor, or controller wishes to process or store personal data in a country that does not appear on the list of countries deemed adequate by the PDPO, it is the responsibility of the collector, processor, or controller to prove that the country has adequate measures in place for the protection of personal data, at least equivalent to the protection provided by the Act.
Other mechanisms for data transfers

GDPR
Article 46(1): In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

(2) The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules in accordance with Article 47;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

(3) Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Data localisation

GDPR
Not applicable.

The Act
Not applicable.
4.2. Data processing records
Fairly inconsistent

While the GDPR requires both data controllers and data processors to maintain data processing records, the Act does not specify equivalent obligations for either. However, the Act does set out general provisions for registering with the PDPO.

Data controller obligation

GDPR
Article 30(1): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data; and

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The Act
The Act does not provide for a requirement to maintain data processing records. However, Section 29 provides that the PDPO shall keep and maintain a data protection register, and that an application by a data controller or other person to register shall be made in the prescribed manner.

Section 29(1) of the Act: The PDPO shall keep and maintain a data protection register.

(2) The PDPO shall register in the data protection register every person, institution or public body collecting or processing personal data and the purpose for which the personal data is collected or processed.

(3) An application by a data controller or other person to register shall be made in the prescribed manner.

Section 30 of the Act: The PDPO shall make the information contained in the Data Protection Register available for inspection by any person.

Section 14(1) of the Regulations provides that the register shall contain information relating to data collectors, data processors and data controllers, including the purpose for which personal data is collected.

(2) The Register will contain the following information: (a) the name of the person, institution, or body; (b) the address of the person, institution or public body; (c) the nature of the personal data being collected or processed by the person, institution or public body; and (e) the purpose for the collection or processing of personal data.

Data processor obligation

GDPR
Article 30(2): Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; and

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The Act
See Section 29 of the Act above.

Records format

GDPR
Article 30(3): The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

The Act
The Act does not provide for such requirements.

Required to make available

GDPR
Article 30(4): The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

The Act
The Act does not provide for such requirements.
Exemptions

GDPR
Article 30(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

The Act
The Act does not provide for such requirements.

General Data Processing Notification ('DPN')

GDPR
Not applicable.

The Act
Section 15(1) of the Regulations: Subject to subregulation (2), every data collector, data processor or data controller shall register with the PDPO.

(2) The PDPO shall, in consultation with the Board, by notice in the Gazette, exempt certain data collectors, data processors or data controllers from the requirement to register with the PDPO.

Section 16(1) of the Regulations: An application for registration shall be in Form 2 in Schedule 1 and shall be accompanied by the fee specified in Schedule 2.

Furthermore, Section 16(2) of the Regulations outlines what should be included within the application.

(3) Every application shall be accompanied by a written undertaking by the applicant not to process or store personal data in a country outside Uganda unless such country has adequate measures in place, at least equivalent to the protection provided for by the Act for the protection of the personal data, and the data subject consents to the transfer.

4.3. Data protection impact assessment
Fairly consistent

Although the Act itself does not provide requirements on DPIAs, the Regulations, along with the GDPR, do provide for a requirement to carry out a DPIA prior to the processing of personal data, and outline the required contents of a DPIA.

When is a DPIA required

GDPR
Article 35(1): Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

[…] (3) A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

The Act
Section 12(1) of the Regulations: Where the collection or processing of personal data poses a high risk, data collectors, processors, and controllers must, prior to the collection or processing, carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data.

DPIA content requirements

GDPR
Article 35(7): The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

The Act
Section 12(2) of the Regulations: Every data protection impact assessment must include:

- a systematic description of the envisaged processing and the purposes of the processing;
- an assessment of the risks to personal data and the measures to address the risks; and
- any other matter the PDPO may require.
DPIA content requirements (cont'd)

GDPR
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Consultation with authority

GDPR
Article 36(1): The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. [Article 36 goes on to detail requirements related to such prior consultation.]

The Act
The Act does not provide for requirements for DPIA consultation.

Section 12(3) of the Regulations: The PDPO shall establish and make a list of the processing operations which are subject to the requirement for a DPIA.

4.4. Data protection officer appointment
Fairly consistent

The Act provides for the requirement to appoint a DPO, while the Regulations provide further details and requirements regarding DPO tasks and relevant qualifications.

DPO tasks

GDPR
Article 39(1): The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority; and

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

The Act
Section 47(3) of the Regulations provides that the responsibilities of a data protection officer are: (a) to conduct regular assessments and audits to ensure compliance with the Act; (b) to serve as the point of contact between the person, institution or public body and the PDPO; (c) to maintain records of all data processing activities conducted by the person, institution or public body; (d) to respond to data subjects and inform them about how their personal data is being used and what measures the person, institution or public body has put in place to protect the data; and (e) to ensure that data subjects' requests to see copies of their personal data or have their personal data erased are fulfilled or responded to, as necessary.

When is a DPO required

GDPR
Article 37(1): The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

The Act
Section 6: For purposes of this Act, and in so far as it applies to an institution, the head of the institution shall designate a person as the data protection officer responsible for ensuring compliance with this Act.
When is a DPO required (cont'd)

GDPR
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The Act
Section 47(2) of the Regulations provides that every person, institution or public body that processes or controls personal data shall designate a data protection officer where (a) the activities of the person, institution or public body consist of processing operations which by virtue of their nature, scope or purpose require regular and systematic monitoring of data subjects on a large scale; or (b) the core activities of the person, institution or public body consist of processing of special personal data in accordance with the Act.

Group appointments

GDPR
Article 37(2): A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

The Act
The Act does not provide for requirements in relation to group appointments.

Notification of DPO

GDPR
Article 37(7): The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

The Act
The Act does not provide for notification requirements.

Qualifications

GDPR
Article 37(5): The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

The Act
Section 47(4) of the Regulations provides that every person, institution or public body that designates a data protection officer shall provide such data protection officer with the relevant training to enable them to perform the duties of a data protection officer.

4.5. Data security and data breaches
Fairly consistent

The GDPR, the Act, and the Regulations establish similar general data security provisions and require that authorities be notified of data breaches within a specific timeframe. However, unlike the GDPR, the Act does not provide for specific exceptions to data breach notification. Furthermore, the Act provides the PDPO with the power to require that data subjects are notified of breaches, including through public announcements.

Security measures defined

GDPR
Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Act
Section 20(1): A data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organisational measures to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of the personal data.

(2) For the purposes of subsection (1), the data controller shall take measures to-

(a) identify reasonably foreseeable internal and external risks to personal data under that person's possession or control;

(b) establish and maintain appropriate safeguards against the identified risks;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies.

(3) A data controller shall observe generally accepted information security practices and procedures, and specific industry or professional rules and regulations.

Section 21(1): A data controller shall not permit a data processor to process personal data for the data controller, unless the data processor establishes and complies with the security measures specified under this Act.

(2) A contract between a data controller and a data processor relating to processing of personal data shall require the data processor to establish and maintain the confidentiality and security measures necessary to protect the integrity of the personal data.

Section 31(1) of the Regulations: For the purposes of Section 20(3) of the Act, the Office shall publish, in the Gazette, the generally accepted information security practices and procedures and specific industry professional rules and regulations applicable to the security of personal data.

(2) Information security practices and procedures and specific industry professional rules and regulations applicable to the security of personal data referred to in subregulation (1) include:

- administrative measures, that is to say, measures aimed at creating efficient guidelines and security standards for dealing with personal data; and
- technical measures, that is to say, measures aimed at preventing overlap and restricting access to systems and personal data.

Section 32(1) of the Regulations: For the purposes of Section 21 of the Act, a data controller shall ensure that any data processor that processes personal data for the data controller develops and implements appropriate security measures to safeguard the personal data.

Data breach notification to authority

GDPR
Article 33(1): In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The Act
Section 23(1): Where a data collector, data processor or data controller believes that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data collector, data processor or data controller shall immediately notify the PDPO in the prescribed manner of the unauthorised access or acquisition and the remedial action taken.

Section 33(1) of the Regulations: The notification required under Section 23(1) [of the Act] shall be made immediately after the occurrence of the data breach.

Section 33(3) of the Regulations provides that the notification shall include (a) the nature of the personal data breach; (b) the personal data which is the subject of the data breach; (c) the categories and approximate number of data subjects affected by the personal data breach; (d) the likely consequences of the personal data breach; (e) the appropriate remedial measures taken or proposed to address the personal data breach; and (f) the name and contact details of the data protection officer or other point of contact.

Timeframe for breach notification

GDPR
See Article 33(1) above.

The Act
See Section 23(1) of the Act and Section 33(1) of the Regulations above.

Notifying data subjects of data breach

GDPR
Article 34(1): When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The Act
Section 23(2): The PDPO shall determine and notify the data controller, data collector or data processor whether the data controller, data collector or data processor should notify the data subject of the breach.

(3) Where the PDPO determines that the data collector, data processor or data controller should notify the data subject, the notification shall be made by-

(a) registered mail to the data subject's last known residential or postal address;

(b) electronic mail to the data subject's last known electronic mail address;

(c) placement in a prominent position on the website of the responsible party; or

(d) publication in the mass media.

(4) A notification referred to in subsection (3) shall provide sufficient information relating to the breach to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data.

(5) Where the PDPO has grounds to believe that publicity would protect a data subject who is affected by the unauthorised access or acquisition of data, the PDPO shall direct the responsible party to publicise, in the specified manner, the fact of the compromise to the integrity or confidentiality of the personal data.

Section 33(4) of the Regulations: The PDPO shall, immediately after receiving a notification referred to in subregulation (1), provide the concerned data collector, data processor or data controller with appropriate guidance on how to deal with the data breach.

(5) The guidance referred to in subregulation (4) shall include:

(b) the manner of notification of the data subject affected by the data breach, including requiring the data collector, data processor or data controller to provide the data subject with sufficient information relating to the data breach in order to allow the data subject to take protective measures against the consequences of the data breach; and
Notifying data subjects of data breach (cont'd)

The Act
(c) any measures to alert the general public on the nature of the data breach.

Data processor notification of data breach

GDPR
Article 33(2): The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The Act
See Section 23(1) of the Act above.

Exceptions

GDPR
Article 34(3): The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

The Act
The Act does not explicitly provide relevant exceptions.

4.6. Accountability
Fairly inconsistent

Both the GDPR and the Act provide for a principle of accountability; however, they do so in different forms, with the Act emphasising the capacity for data subjects to hold persons to account. Furthermore, the Act does not establish a distinction like the GDPR's between processor and controller liabilities.

Principle of accountability

GDPR
Article 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). [Paragraph 1 details the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality.]

The Act
Section 3(1): A data collector, data processor or data controller or any person who collects, processes, holds or uses personal data shall-

(a) be accountable to the data subject for data collected, processed, held or used.

Liability of data controllers and data processors

GDPR
Article 82(2): Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

The Act
In general terms, the Act does not differentiate liabilities between data controllers, collectors, or processors. 'Persons' may be held liable for offences under the Act.
5. Rights

5.1. Right to erasure
Fairly inconsistent

Unlike the GDPR, the Act only provides data subjects with the capacity to request the erasure of data in the context of correcting or deleting inaccurate data or information that is unlawfully obtained or held.

Grounds for erasure

GDPR: Article 17(1): The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

The Act: Section 16(1): A data subject may request a data controller to-
(a) correct or delete personal data about the data subject held by or under the control of the data controller that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
(b) destroy or delete a record of personal data about the data subject held by the data controller which the data controller no longer has the authority to retain.

Section 28(1): Where the PDPO is satisfied on a complaint of a data subject that personal data on that data subject is inaccurate, the PDPO may order the data controller to rectify, update, block, erase, or destroy the data.
(2) Subsection (1) applies whether the data is an accurate record of information received or obtained by the data controller from the data subject or a third party.

Schedule 1 Form 9 of the Regulations can be used when requesting erasure.

Inform data subject of right

GDPR: Article 12(1): The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The Act: Section 13(1): A person collecting personal data shall inform the data subject about- […] (h) the existence of the right of access to and the right to request rectification of the data collected before the collection.

Fees

GDPR: Article 12(5): Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

The Act: The Act does not explicitly refer to this topic.

Response timeframe

GDPR: Article 12(3): The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

The Act: Section 16(2): On receipt of the request, a data controller shall comply with the request.

Section 39(2) of the Regulations: Where the data controller does not comply with a request within 30 days of receipt of the request, the data subject may make a complaint to the PDPO.
Format of response

GDPR: Article 12(1): The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The Act: Section 16(3): Where the data controller is not able to comply with the request under subsection (1), the data controller shall inform the data subject of the rejection, and the reasons for the rejection in writing. […] (5) The data controller shall notify the data subject of the action taken as a result of the request.

Publicly available data

GDPR: Article 17(2): Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The Act: Section 28(4): Where the data complained of has been rectified, blocked, updated, erased or destroyed, the data controller is required to notify third parties to whom the data has been previously disclosed of the rectification, blocking, updated, erasure or destruction.

Exceptions

GDPR: Article 17(3): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

Article 12(5): Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

The Act: The Act does not provide specific exceptions to a right to erasure. However, Section 29(4) of the Regulations provides that where a data controller cannot comply with the request for erasure of personal data, the data controller shall, in writing, inform the data subject of the rejection, and any action taken as a result of the request.
5.2. Right to be informed
Fairly inconsistent

The GDPR and the Act provide generally similar requirements for providing specific information to a data subject when collecting data. However, the Act is less explicit in terms of format and intelligibility requirements.

Informed prior to/ at collection

GDPR: Article 13(1): Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

(2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Act: Section 13 provides that information is to be given to the data subject before collection of data.

What information is to be provided

GDPR: See Article 13(1) and (2) above.

The Act: Section 13(1): A person collecting personal data shall inform the data subject about:
(a) the nature and category of data being collected;
(b) the name and address of the person responsible for the collection of data;
(c) the purpose for which the data is required;
(d) whether or not the supply of the data by the data subject is discretionary or mandatory;
(e) the consequences of failure to provide the data;
(f) the authorised requirement for the collection of the information or the requirement by law for its collection;
(g) the recipients of the data;
(h) the existence of the right of access to and the right to request rectification of the data collected before the collection; and
(i) the period for which the data will be retained to achieve the purpose for which it is collected.
When data is from third party

GDPR: In addition to the information required under Article 13, Article 14(2) replaces the requirement that data subjects are provided with information on the legitimate interests pursued by the controller or by a third party, with an obligation to inform data subjects of the categories of personal data. Furthermore, paragraph (e) of Article 13(2) is replaced with a requirement to inform data subjects of the source from which the personal data originate, and if applicable, whether it came from publicly accessible sources.

The Act: Section 13(2): Where the data is collected from a third party, the data subject shall be given the information specified in subsection (1) before the collection of the data or as soon as practicable after the collection of the data.

(3) Subsection (2), shall not apply-
(a) where it is necessary to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;
(b) information relating to national security;
(c) to information relating to the enforcement of a law which imposes a pecuniary penalty;
(d) to information relating to the enforcement of legislation which concerns public revenue collection;
(e) to information relating to the preparation or conduct of proceedings before a court or tribunal.

Intelligibility requirements

GDPR: Article 12(1): The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The Act: The Act does not explicitly refer to intelligibility requirements.

Format

GDPR: See Article 12(1) above.

The Act: The Act does not explicitly refer to format requirements.

Exceptions

GDPR: The requirements of Article 13 do not apply where the data subject already has the information.

The requirements of Article 14 do not apply where:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

The Act: The Act does not explicitly refer to particular exceptions where information is collected directly from data subjects.

In relation to data collected from third parties, Section 13(3) stipulates: Subsection (2), shall not apply-
(a) where it is necessary to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;
(b) information relating to national security;
(c) to information relating to the enforcement of a law which imposes a pecuniary penalty;
(d) to information relating to the enforcement of legislation which concerns public revenue collection;
(e) to information relating to the preparation or conduct of proceedings before a court or tribunal.
5.3. Right to object
Fairly inconsistent

While both the GDPR and the Act provide for the right to object or to prevent processing, there are significant variations in when and how these rights apply. In particular, the Act limits the right to object to instances where 'unwarranted substantial damage or distress' is or is likely to be caused.

Grounds for right to object/ opt out

GDPR: Article 21(1): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The Act: Section 7(3): Except for data collected or processed under subsection (2), where a data subject objects to the collection or processing of personal data, the person who is collecting or processing the personal data shall stop the collection or processing of the personal data.

Section 25(1): A data subject shall at any time by notice in writing to a data controller or data processor, require the data controller or data processor to stop processing personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject.

Section 10(1) of the Regulations: Subject to subregulation (2), a data subject who objects to the collection or processing of his or her personal data, shall notify the data collector, data processor or data controller of the objection.

Section 36(1) of the Regulations: A data subject may require the data controller to cease the processing of personal data where the processing is not compatible with the purpose for which the personal data was collected.

Withdraw consent

GDPR: Article 7(3): The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

The Act: While the Act does not specifically refer to consent withdrawal, Section 7 provides that consent is required unless exceptions apply. See Section 7(3) of the Act above.

Restrict processing

GDPR: Article 18(1): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

The Act: The Act does not explicitly refer to a similar requirement to restrict processing.

Object to direct marketing

GDPR: Article 21(3): Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

The Act: Section 26(1): A data subject may by notice in writing to a data controller, require the data controller to stop processing his or her personal data for purposes of direct marketing.
(2) A data controller shall within fourteen days after receipt of the notice inform the data subject in writing that the data controller has complied or intends to comply with the notice of the data subject, or of the reasons for non-compliance.
(3) Subject to sub-section (1) a data subject may enter into agreement with a data controller for purposes of using or processing his or her personal data for pecuniary benefits.
(4) Where the data controller gives reasons for non-compliance, a copy of the notice required by subsection (2) shall be given to the PDPO within the time specified in that subsection.
(5) Where the PDPO is satisfied that the notice in subsection (1) is justified, the PDPO may direct the data controller to comply.
(6) In this section 'direct marketing' includes the communication by whatever means of any advertising or marketing material which is directed at an individual.
Inform data subject of right

GDPR: See Article 12(1) in section 5.1. above. In addition, Article 21(4) provides: At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

The Act: The Act does not explicitly refer to a requirement to inform data subjects of their right to prevent processing.

Fees

GDPR: See Article 12(5) in section 5.1. above.

The Act: Article 16(2): The personal data subject shall have the right to object at any time and free of charge.

Response timeframe

GDPR: See Article 12(3) in section 5.1. above.

The Act: Section 25(2): A data controller shall within fourteen days after receipt of a notice inform the data subject in writing that the data controller has complied or intends to comply with the notice of the data subject, or of the reasons for non-compliance.
(3) Where the data controller gives reasons for non-compliance, a copy of the notice required by subsection (2) shall be given to the PDPO within fourteen days.
(4) Where the PDPO is satisfied that the data subject is justified, the PDPO shall direct the data controller to comply within seven days.

Section 36(3) of the Regulations: Where the data controller does not comply with the notice, the data controller shall state the reasons for non-compliance.
(4) Where a data controller gives reasons for non-compliance, a copy of the notice provided by the data subject, shall be given to the PDPO.
(5) Where the PDPO does not agree with the reasons for non-compliance, the PDPO shall direct the data controller or data processor to comply with the notice of the data subject, within seven days.

Section 37(1) of the Regulations: Where a data processor or data controller notifies the data subject of his or her intention to continue processing personal data for the purpose of direct marketing, the data subject may within 14 days of receiving the notice request the PDPO in writing to review the decision of the data controller or data processor.
(2) The PDPO shall review the decision of the data controller or data processor within 14 days after receiving the request of the data subject.

Format of response

GDPR: See Article 12(1) in section 5.1. above.

The Act: Schedule 1, Form 1, of the Regulations outlines a notice of objection to the collection/processing of personal data.

Exceptions

GDPR: See Article 12(5) in section 5.1. above.

The Act: Section 25(5): This Section does not apply to data collected or processed in accordance with section 4(2). [Section 4(2) refers to the establishment of the data protection office]

Under Section 10(2) of the Regulations, the right to object does not apply to personal data provided under Section 7(2) of the Act, and to personal data which is the subject to the legitimate interest of a data collector, processor, or controller.
(3) For the purposes of subregulation (2)(b), 'legitimate interest' is the processing of personal data in a manner that the data subject would reasonably expect or where there is a compelling justification for the processing and includes the processing of data to prevent fraud, maintain network and information security, prevent of crime or threats to public security, internal administrative purposes.
(4) The burden to establish a legitimate interest lies with the data collector, data processor or data controller.
5.4. Right of access
Fairly consistent

Like the GDPR, the Act establishes a right of access; however, the provisions regulating the specific information to be accessed are more detailed in the GDPR. Both pieces of legislation require that data subjects are informed of the right to access.

Grounds for right of access

GDPR: Article 15(1): The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

The Act: Section 24(1): A data subject who provides proof of identity may request a data controller to-
(a) confirm whether or not the data controller holds personal data about that data subject;
(b) give a description of the personal data which is held by the data controller;
(c) provide the identity of a third party or a category of a third party who has or has had access to information.

Information to be accessed

GDPR: Article 15(1): The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source; and
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Act: Section 24(1): A data subject who provides proof of identity may request a data controller to-
(a) confirm whether or not the data controller holds personal data about that data subject;
(b) give a description of the personal data which is held by the data controller;
(c) provide the identity of a third party or a category of a third party who has or has had access to information.

Inform data subject of right

GDPR: See Article 12(1) in section 5.1.

The Act: Section 13(1): A person collecting personal data shall inform the data subject about- […] (h) the existence of the right of access to and the right to request rectification of the data collected before the collection.

Fees

GDPR: See Article 12(5) in section 5.1. above.

The Act: The Act does not explicitly refer to fees or charges in relation to this right.

Verify data subject request

GDPR: Recital 64: The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

The Act: Section 13(3): A data controller shall not comply with a request under this section unless the data controller is given information that the data controller may reasonably require to identify the person making the request and to locate the data requested by that person.

Section 35(2) of the Regulations: A data subject satisfies the proof of identity where the data subject provides, a national identification card or alien's identification card, a passport or any travel document, or a driver's license.
Response timeframe

GDPR: See Article 12(3) in section 5.1. above.

The Act: Section 13(9): Subject to subsection (4), a data controller shall comply with a request under this Section promptly and in any event within thirty days from the date of receipt of the request.

Section 35(3) of the Regulations provides that a data controller must inform data subjects of its decision within seven days of receipt of the request.

Format of response

GDPR: See Article 12(1) in section 5.1. above.

The Act: The Act does not explicitly refer to the format of response beyond the information in Section 24 (see above).

Exceptions

GDPR: See Article 12(5) and Article 12(3) in section 5.1. above.

The Act: Section 13(4): Where a data controller is unable to comply with the request without disclosing data related to another individual who may be identified from the information, the data controller shall not comply with the request unless-
(a) the other individual consents to the disclosure of the data to the person who makes the request;
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual; or
(c) compelled by a court order.

(5) For the purposes of subsection (4)-
(a) a reference to data related to another individual includes a reference to data which identifies that individual as the source of the data requested; and
(b) another individual may be identified from the data disclosed if that individual can be identified from that data, or any other data which in the reasonable belief of the data controller are likely to be in, or come into the possession of the data subject who made the request.

(6) A data controller shall not use subsection (4) as an excuse for failing to communicate so much of the information sought that may be communicated without the disclosure of the identity of the individual concerned.

(7) The data controller may make the communication under subsection (6) by omitting or deleting the name or other identifying particulars of the other individual.

(8) For the purposes of subsection (4), to determine whether it is reasonable to comply with the request without the consent of the other individual concerned, the data controller shall take into account-
(a) any duty of confidentiality owed to the other individual;
(b) any steps taken by the data controller to seek the consent of that other individual;
(c) whether the other individual is capable of giving consent; and
(d) any express refusal of consent by the other individual.
5.5. Right not to be subject to discrimination
Consistent

Neither the GDPR nor the Act explicitly provides a definition for a general right to non-discrimination for the exercise of rights. Both pieces of legislation, however, establish rights for data subjects not to be subject to decisions made solely through automated processing.

Definition of right

GDPR: The GDPR only implies this right and does not provide an explicit definition for it.

The Act: The Act only implies this right and does not provide an explicit definition for it.

Automated processing

GDPR: Article 22(1): The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. [Article 22 goes on to detail this right, including exceptions]

The Act: Section 27(1): A data subject may by notice in writing to a data controller require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects that data subject is not based solely on the processing by automatic means of personal data in respect of that data subject. [Section 27 of the Act goes on to detail this right, including exceptions, whereas Section 38 of the Regulations outlines format and response times]

5.6. Right to data portability
Inconsistent

Unlike the GDPR, the Act does not explicitly refer to a right to data portability.

Grounds for portability

GDPR: Article 20(1): The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

The Act: The Act does not explicitly refer to a right to data portability.

Inform data subject of right

GDPR: See Article 12(1) in section 5.1.

The Act: The Act does not explicitly refer to a right to data portability.

Fees

GDPR: See Article 12(5) in section 5.1. above.

The Act: The Act does not explicitly refer to a right to data portability.

Response timeframe

GDPR: See Article 12(3) in section 5.1. above.

The Act: The Act does not explicitly refer to a right to data portability.

Format

GDPR: See Article 20(1) above.

The Act: The Act does not explicitly refer to a right to data portability.

Controller to controller

GDPR: Article 20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The Act: The Act does not explicitly refer to a right to data portability.

Technically feasible

GDPR: See Article 20(2) above.

The Act: The Act does not explicitly refer to a right to data portability.

Exceptions

GDPR: See Article 12(5) in section 5.1. above.

The Act: The Act does not explicitly refer to a right to data portability.

6. Enforcement

6.1. Monetary penalties
Fairly inconsistent

There are several similarities between the GDPR and the Act, including that they both establish the potential for significant monetary penalties equivalent to millions of euros or percentages of global annual turnover. A key difference between the pieces of legislation, however, is that the Act provides for potential prison terms and that individuals may be held liable for offences.

Provides for monetary penalties

GDPR: The GDPR provides for monetary penalties.

The Act: The Act provides for monetary penalties.

Issued by

GDPR: Article 58(2): Each supervisory authority shall have all of the following corrective powers: […] (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.

The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the personal data protection office shall- (a) oversee the implementation of and be responsible for the enforcement of this Act.

Fine maximum

GDPR: Article 83(5): infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the data subjects' rights pursuant to Articles 12 to 22;

(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d) any obligations pursuant to Member State law adopted under Chapter IX;

(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

The Act: The maximum stated monetary penalty under the Act is equivalent to 245 currency points (Section 37(2) of the Act), which is UGX 4.9 million (approx. €1,240).
Fine maximum (cont'd)

GDPR: (6) Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Percentage of turnover

GDPR: Under Article 83(4), (5), and (6), fines may be issued that equate to 2% or 4% of the total worldwide annual turnover of the preceding financial year.

The Act: Section 38(1): Where an offence under Sections 31 and 32 is committed by a corporation, the corporation and every officer of the corporation who knowingly and willfully authorises or permits the contravention is liable to the offence.

(2) A court which convicts a person under subsection (1) may, in addition to the punishment order the corporation, pay a fine not exceeding two percent of the corporation's annual gross turnover.

Mitigating factors

GDPR: Article 83(2): When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

The Act: Section 38(3): A court shall take into consideration the gravity of the offence under subsection (1) and its impact in determining the fine to impose under subsection (2).

Imprisonment

GDPR: Not applicable.

The Act: Part VII of the Act establishes that penalties may include a prison term not exceeding 10 years.

DPO liability

GDPR: Not applicable.

The Act: Section 38(1): Where an offence under Sections 31 and 32 is committed by a corporation, the corporation and every officer of the corporation who knowingly and willfully authorises or permits the contravention is liable to the offence.

6.2. Supervisory authority
Fairly consistent

The scope, general powers, and tasks assigned to data protection authorities under the GDPR and under the Act and Regulations are largely similar. There is, however, a significant difference in the level of detail provided to describe and regulate these powers, with the Act leaving more room for interpretation.

Provides for data protection authority

GDPR: Article 51(1): Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union ('supervisory authority').

The Act: Section 4(1): There is established a PDPO responsible for personal data protection under NITA-U which shall report directly to the Board.

Section 5(3): The office in performing its functions under this Act shall not be under the direction or control of any person or Authority.

Section 3(1) of the Regulations provides for the establishment of a PDPO in the NITA-U. (2) The PDPO shall be under the general supervision of the Board of Directors of the NITA-U.

Investigatory powers

GDPR: Article 58(1): Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

(b) to carry out investigations in the form of data protection audits;

(c) to carry out a review on certifications issued pursuant to Article 42(7);

(d) to notify the controller or the processor of an alleged infringement of this Regulation;

(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall- […] (c) monitor, investigate and report on the observance of the right to privacy and of personal data; […] (e) receive and investigate complaints relating to infringement of the rights of the data subject under this Act; […] (2) The office shall have all powers necessary for the performance of its functions under this Act.

Section 4 of the Regulations provides that, in addition to those functions specified in Section 5 of the Act, the PDPO shall […] (e) conduct audits to ensure compliance by data collectors, processors, controllers and data subjects with the Act and the Regulations and address potential issues proactively.

Corrective powers

GDPR: Article 58(2): Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation including a ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall- (a) oversee the implementation of and be responsible for the enforcement of this Act; […] (e) receive and investigate complaints relating to infringement of the rights of the data subject under this Act; […] (g) perform such other functions as may be prescribed by any other law or as the office considers necessary for the promotion, implementation and enforcement of this Act; (2) The office shall have all powers necessary for the performance of its functions under this Act.

Section 4 of the Regulations provides that the PDPO shall: […] (b) coordinate, supervise and monitor data collectors, data processors, data controllers and data subjects on all matters relating to the Act; and […] (d) set, monitor and regulate standards for personal data protection and privacy.
Corrective powers (cont'd)

GDPR: (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

Authorisation/ advisory powers

GDPR: Article 58(3): Each supervisory authority shall have all of the following authorisation and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

(e) to accredit certification bodies pursuant to Article 43;

(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h) to authorise contractual clauses referred to in point (a) of Article 46(3);

(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);

(j) to approve binding corporate rules pursuant to Article 47.

The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall- […] (b) promote the protection and observance of the right to the privacy of a person and of personal data; […] (d) formulate, implement and oversee programmes intended to raise public awareness about this Act; […] (f) establish and maintain a data protection and privacy register; […] (2) The office shall have all powers necessary for the performance of its functions under this Act.

Section 4 of the Regulations provides that the PDPO shall: […] (a) provide guidance to data collectors, processors, data controllers, and data subjects about their data protection and privacy rights, obligations and responsibilities under the Act; […] (f) provide guidance to Government on matters of data protection and privacy; […] (h) issue recommendations to institutions about the interpretation or application of data protection and privacy rules.

Tasks of authority

GDPR: Article 57(1): Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular

The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall-

(a) oversee the implementation of and be responsible for the enforcement of this Act;

(b) promote the protection and observance of the right to the privacy of a person and of personal data;

(c) monitor, investigate and report on the observance of the right to privacy and of personal data;

(d) formulate, implement and oversee programmes intended to raise public awareness about this Act;

(e) receive and investigate complaints relating to infringement of the rights of the data subject under this Act;

(f) establish and maintain a data protection and privacy register;

(g) perform such other functions as may be prescribed by any other law or as the PDPO considers necessary for the promotion, implementation and enforcement of this Act;

(2) The office shall have all powers necessary for the performance of its functions under this Act.

Section 4 of the Regulations: In addition to the functions specified in Section 5 of the Act, the PDPO shall:

- provide guidance to data collectors, data processors, data controllers, and data subjects about their data protection and privacy rights, obligations and responsibilities under the Act;

- coordinate, supervise and monitor data collectors, data processors, data controllers and data subjects on all matters relating to the Act;

- build capacity of management of the PDPO and staff on compliance requirements under the Act and these regulations;

- set, monitor and regulate standards for personal data protection and privacy;

Tasks of authority (cont'd)

GDPR: the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorise contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfil any other tasks related to the protection of personal data.

The Act:
- conduct audits to ensure compliance by data collectors, data processors, data controllers and data subjects with the Act and these regulations and address potential issues proactively;

- provide guidance to Government on matters of data protection and privacy;

- undertake or commission research as may be necessary to promote the objects of the Act; and

- issue recommendations to institutions about the interpretation or application of data protection and privacy rules.

Section 5 of the Regulations: The PDPO may (a) establish a mechanism for collaboration and promotion of partnerships between various categories of players in data protection and privacy; and (b) charge fees for services provided by the PDPO.

Section 6 of the Regulations: The PDPO shall cooperate with other government ministries, departments and agencies in the implementation of the Act and regulations.

Section 13(1) of the Regulations: The PDPO must keep and maintain the data protection and privacy register, provided under Section 29 of the Act, in electronic or manual form. (2) The PDPO must keep the Register up to date.

Section 42(1) of the Regulations provides that, where a complaint is made to the PDPO under Sections 39 and 40 of the Regulations, the PDPO must investigate the complaint within 21 days of receipt of the complaint.

Annual report

GDPR: Article 59: Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.

The Act: The Act does not explicitly refer to annual reports, although it does establish that the PDPO should report to NITA-U under Section 5.

6.3. Civil remedies for individuals
Fairly consistent

Both the GDPR and the Act provide for data subjects to seek compensation or judicial remedy if they have suffered material or non-material damage. Similarly, both legislative frameworks establish that data processors may be held liable under certain circumstances and do not specify an amount for damages. The GDPR and the Act differ, though, in relation to the capacity to mandate another body to act as representative for the data subject.

Provides for claims/ cause of action

GDPR: Article 79: Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

The Act: Section 33(1): Where a data subject suffers damage or distress through the contravention by a data controller, data processor or data collector of the requirements of this Act, that data subject is entitled to apply to a Court of competent jurisdiction for compensation from the data collector, data processor or data controller for the damage or distress.

Section 34 of the Act further establishes a process for appeals against decisions made by the PDPO.

Material and non-material damage

GDPR: Article 82(1): Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

The Act: See Section 33(1) of the Act above, which refers to 'damage or distress'.

Mandate for representation

GDPR: Article 80(1): The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

The Act: The Act does not explicitly refer to mandates for representation.

Specifies amount for damages

GDPR: Not applicable.

The Act: The Act does not explicitly refer to an amount for damages.

Processor liability

GDPR: Article 82(2): Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

The Act: In general terms, the Act does not differentiate liabilities between data controllers, collectors, or processors. 'Persons' may be held liable for offences under the Act.

Exceptions

GDPR: Article 82(3): A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

The Act: Section 33(2): In proceedings against a person under this section, it is a defence to prove that the person took reasonable care in all the circumstances to comply with the requirements of this Act.
