GDPR v. Uganda
GDPR v. Data Protection and Privacy Act
About the authors
OneTrust DataGuidance™ provides a suite of privacy solutions designed to help organisations monitor regulatory developments, mitigate risk and achieve global compliance.
The OneTrust DataGuidance™ platform includes focused guidance around core topics (i.e. GDPR, data transfers, breach notification, among others), Cross-Border Charts which allow you to compare regulations across multiple jurisdictions at a glance, a daily customised news service and expert analysis.
These tools, along with our in-house analyst service to help with your specific research questions, provide a cost-effective and efficient solution to design and support your privacy programme.

Image production credits:
Cover/p.5/p.51: 221A / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com
Scale key p6-49: enisaksoy / Signature collection / istockphoto.com
Icon p.33-40: AlexeyBlogoodf / Essentials collection / istockphoto.com
Icon p.47-51: cnythzl / Signature collection / istockphoto.com | MicroStockHub / Signature collection / istockphoto.com

Table of contents
Introduction 5
1. Scope
1.1. Personal scope 7
1.2. Territorial scope 9
1.3. Material scope 10
2. Key definitions
2.1. Personal data 13
2.2. Pseudonymisation 15
2.3. Controller and processors 16
2.4. Children 18
2.5. Research 19
3. Legal basis 21
4. Controller and processor obligations
4.1. Data transfers 23
4.2. Data processing records 26
4.3. Data protection impact assessment 29
4.4. Data protection officer appointment 33
4.5. Data security and data breaches 35
4.6. Accountability 39
5. Individuals' rights
5.1. Right to erasure 40
5.2. Right to be informed 44
5.3. Right to object 48
5.4. Right of access 52
5.5. Right not to be subject to discrimination 56
5.6. Right to data portability 57
6. Enforcement
6.1. Monetary penalties 59
6.2. Supervisory authority 62
6.3. Civil remedies for individuals 68
Introduction
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into effect on 25 May 2018, and governs the protection of personal data in EU and EEA Member States. The Data Protection and Privacy Act 2019 ('the Act'), which came into force in May 2019, is the primary piece of data protection legislation in Uganda and has been supplemented with the Data Protection and Privacy Regulations, 2021 ('the Regulations'), which were introduced on 12 March 2021.

The Act and Regulations share several similarities with the GDPR in terms of overarching principles and the general regulation of data controllers, processors, and data subject rights. Furthermore, similar to the requirement under the GDPR to provide for a data protection authority responsible for monitoring the application of the GDPR, the Regulations provide for the establishment of the Personal Data Protection Office ('PDPO') within the National Information Technology Authority - Uganda ('NITA-U'), with the PDPO responsible for the overall implementation of the Act and the Regulations.

However, there are also significant differences between the frameworks, particularly in relation to the obligations of organisations. Notably, the Regulations have introduced additional provisions, particularly in relation to data processing records, Data Protection Impact Assessments ('DPIA'), data protection officer ('DPO') appointment, and data transfers. However, in general terms, the provisions within the Act and its Regulations are slightly less detailed than those found within the GDPR.

This overview organises provisions from the GDPR, the Act, and the Regulations into key topics and sets them alongside each other to enable analysis and comparison. Each section begins with a detailing of principal information and a general introduction, as well as a consistency rating.
Introduction (cont'd)
Each topic includes relevant provisions from the two legislative frameworks, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the Act.

Key for giving the consistency rate
Consistent: The GDPR and the Act bear a high degree of similarity in the rationale, core, scope, and the application of the provision considered.
Fairly consistent: The GDPR and the Act bear a high degree of similarity in the rationale, core, and the scope of the provision considered; however, the details governing its application differ.
Fairly inconsistent: The GDPR and the Act bear several differences with regard to the scope and application of the provision considered; however, its rationale and core present some similarities.
Inconsistent: The GDPR and the Act bear a high degree of difference with regard to the rationale, core, scope, and application of the provision considered.

1. Scope

1.1. Personal scope
Fairly consistent

Data controller
GDPR, Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The Act, Section 2: 'data controller' means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

Data processor
GDPR, Article 4(8): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Act, Section 2: 'data processor' means a person other than an employee of the data controller who processes the data on behalf of the data controller.

Data subject
GDPR, Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Act, Section 2: 'data subject' means an individual from whom or in respect of whom personal information has been requested, collected, collated, processed or stored.
Public bodies (cont'd)
The Act (cont'd): … established by an Act of Parliament relating to undertakings of public services or such purpose for the benefit of the public or any section of the public to administer funds or property belonging to or granted by the Government or money raised by public subscription, rates, taxes, cess or charges in pursuance of any written law and any council, board, committee or society established by an Act of Parliament for the benefit, regulation and control of any profession.

Nationality of data subject
GDPR, Recital 14: The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.
The Act, Section 1: The Act applies to a person, institution or public body collecting, processing, holding or using personal data within Uganda; and outside Uganda who collects, processes, holds, or uses personal data relating to Ugandan citizens.

Deceased individuals
GDPR, Recital 27: This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.
The Act, Section 2: The Act's definition of 'personal data' does not distinguish between information about a living or deceased person.

1.2. Territorial scope
Like the GDPR, the Act applies extraterritorially. However, the Act does not explicitly regulate goods and services or monitoring from abroad.

Establishment in jurisdiction
GDPR, Article 3: This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Recital 22: Establishment implies the effective and real exercise of activity through stable arrangements.
The Act, Section 1: The Act applies to a person, institution or public body collecting, processing, holding or using personal data within Uganda; and outside Uganda who collects, processes, holds, or uses personal data relating to Ugandan citizens. Section 30 of the Regulations addresses the requirements for processing personal data outside of Uganda.

Extraterritorial
GDPR, Recital 23: In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
The Act: The Act does not refer to goods and services from abroad.
GDPR, Recital 24: The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.
The Act: The Act does not refer to monitoring from abroad.
1.3. Material scope
The Act and the GDPR provide similar definitions of personal data and data processing, and both include specific requirements for special categories of, or sensitive, data. The two pieces of legislation differ, however, in terms of the general exemptions they stipulate, and in regard to anonymised and pseudonymised data.

Personal data
GDPR, Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Act, Section 2: 'personal data' means information about a person from which the person can be identified, that is recorded in any form and includes data that relates to:
a) the nationality, age or marital status of the person;
b) the educational level, or occupation of the person;
c) an identification number, symbol or other particulars assigned to a person;
d) identity data; or
e) other information which is in the possession of, or is likely to come into the possession of the data controller and includes an expression of opinion about the individual.

Data processing
GDPR, Article 4(2): 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The Act, Section 2: 'processing' means any operation which is performed upon collected data by automated means or otherwise including:
a) organisation, adaptation or alteration of the information or data;
b) retrieval, consultation or use of the information or data;

Special categories of data
GDPR, Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The Act, Section 9(1): 'Special personal data' is referred to as personal data which relates to the religious or philosophical beliefs, political opinions, sexual life, financial information, health status or medical records of an individual.

Anonymised data
GDPR, Recital 26: The principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
The Act, Section 18(4): A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period. Section 18(5): The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.

Pseudonymised data
GDPR, Article 4(5): 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
The Act: See Section 18(4)-(5) of the Act above.

Automated processing
GDPR, Article 2(1): This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The Act, Section 2: 'processing' means any operation which is performed upon collected data by automated means or otherwise.
General exemptions
GDPR, Article 2(2): This Regulation does not apply to the processing of personal data: (a) in the course of an activity which falls outside the scope of Union law; …
The Act, Section 9(2): The collection of and processing of special personal data does not apply to information collected under the Uganda Bureau of Statistics Act 1998.

2. Key definitions

2.1. Personal data
Fairly consistent
The GDPR and the Act set out similar understandings for the concepts of personal data and special categories of data.

Special categories of data
GDPR, Article 9(1): Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
The Act, Section 9(1): 'Special personal data' is referred to as personal data which relates to the religious or philosophical beliefs, political opinions, sexual life, financial information, health status or medical records of an individual.

Online identifiers
GDPR, Recital 30: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of …
The Act: The Act does not specifically refer to online identifiers.

Data collector
GDPR: The GDPR does not provide for a definition of 'data collector'.
The Act, Section 2: 'data collector' means a person who collects personal data.

Recipient
GDPR, Article 4(9): 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall …
The Act, Section 2: 'recipient' means a person to whom data is disclosed including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment.

2.2. Pseudonymisation
Unlike the GDPR, the Act does not directly refer to anonymisation and pseudonymisation; however, it does contain relevant provisions related to the destruction and de-identification of data.

Anonymisation
GDPR, Recital 26: 'anonymous information' is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
The Act: The Act does not specifically define anonymised data. However, it refers to de-identified data. Section 18(4): A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period.
2.3. Controllers and processors
Consistent
The Act and the GDPR provide similar definitions for data controllers and data processors, as well as requirements for agreements between these parties as well as obligations to appoint a DPO. Furthermore, while the Act itself does not specifically address DPIAs, the Regulations outline when a DPIA should be conducted and what it should include, akin to the relevant provisions of the GDPR.

Data controller
GDPR, Article 4(7): 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The Act, Section 2: 'data controller' means a person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

Data processor
GDPR, Article 4(8): 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Act, Section 2: 'data processor' means a person other than an employee of the data controller who processes the data on behalf of the data controller.
GDPR, Article 28(3): Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of …
The Act, Section 21(2): A contract between a data controller and a data processor relating to processing of personal data, shall require the data processor to establish and maintain the confidentiality and security measures necessary to protect the integrity of the personal data.

Data Protection Impact Assessment ('DPIA')
GDPR: DPIA is not specifically defined, however Article 35 sets out requirements for DPIAs (see section 5.3. for further information).
The Act, Section 12 of the Regulations: Where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons, the data collector, data processor or data controller must, prior to the collection or processing, carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data. Every DPIA must include a systematic description of the envisaged processing and the purposes of the processing, an assessment of the risks to personal data and the measures to address the risks, and any other matters the PDPO may require (see section 4.3. for further information).

Data Protection Officer ('DPO')
GDPR: DPO is not specifically defined, however Article 37 sets out requirements related to DPOs (see section 5.4. for further information).
The Act: DPO is not specifically defined, however Section 6 mandates the designation of a DPO. Section 47 of the Regulations addresses the specifics of designating a DPO (see section 4.4. for further information).
2.4. Children
Fairly consistent
Like the GDPR, the Act provides additional requirements for children's data. However, unlike the GDPR, the Act does not contain requirements for the provision of privacy notices to children.

Definition of child
GDPR: The GDPR does not specifically define 'child'. However, Article 8(1) provides: Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
The Act: The Act does not specifically define 'child'. However, Section 8 provides: A person shall not collect or process personal data relating to a child unless the collection or processing thereof is:
a) carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child;
b) necessary to comply with the law; or
c) for research or statistical purposes.

Consent for processing children's data
GDPR, Article 8(2): The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
The Act: See Section 8 of the Act above. Section 11 of the Regulations: For the purposes of Section 8 of the Act, every data collector, controller, processor must establish a system to ascertain the age of persons whose personal data is to be collected, processed, or stored, and where the data relates to a child, the manner of obtaining the consent of a parent or legal guardian.

Privacy notices for children
GDPR, Recital 58: Given that children merit specific protection, any information and communication, where processing …
The Act: The Act does not specifically address privacy notices for children.

2.5. Research
Fairly inconsistent
Like the GDPR, the Act provides exemptions for processing for scientific or historical research purposes in certain instances. However, the Act does not establish requirements for appropriate safeguards in the manner of the GDPR, nor does it provide specific data subject rights in the context of scientific or historical research.

Scientific and historical research purposes
GDPR, Recital 159: Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. Recital 160: Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.
The Act: The Act does not define or provide examples of scientific or historical research purposes.

Compatibility with original purpose of collection
GDPR, Article 5(1)(b): Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation').
The Act, Section 17(3)(e): The further processing of data is considered to be compatible with the purpose of collection where the further data is used for historical, statistical or research purposes and the person responsible for the processing ensures that:
i) the further processing is carried out solely for the purpose for which the data was collected; and
ii) … to reveal the identity of the data subject.
Appropriate safeguards (cont'd)
GDPR (cont'd): … order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner.

Data subject rights
GDPR: Under Article 17(3), the right to erasure may not apply in cases of scientific or historical research. Article 21(6), however, provides that data subjects may exercise the right to object to data processing for scientific or historical research purposes. In addition, Article 89 provides that Member States may derogate from the GDPR in regard to data subject rights and data processing for research purposes.
The Act: The Act does not refer to data subject rights in the context of scientific or historical research.

3. Legal basis
Fairly consistent
The Act sets out very similar grounds for the processing of personal data to the GDPR, as well as comparable additional requirements for the processing of special categories of, or sensitive, data. Moreover, the Act has provisions defining conditions for consent, however it does not address matters such as processing for journalistic/artistic purposes.

Legal bases for processing
GDPR, Article 6(1): Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
There are specific requirements for processing special categories of data, see Article 9 of the GDPR for further information.
The Act, Section 7(1): Subject to subsection (2), a person shall not collect or process personal data without the prior consent of the data subject.
(2) Personal data may be collected or processed:
a) where the collection or processing is authorised or required by law; or
b) where it is necessary:
i) for the proper performance of a public duty by a public body;
ii) for national security;
iii) for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law.
c) for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
d) for medical purposes; or
e) for compliance with a legal obligation to which the data controller is subject.
There are specific requirements for processing special personal data under Section 9 of the Act.
Conditions for consent
GDPR, Article 7(3): The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
GDPR, Article 4(11): 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
The Act, Section 7(3): Except for data collected or processed under subsection (2), where a data subject objects to the collection or processing of personal data, the person who is collecting or processing the personal data shall stop the collection or processing of the personal data.
The Act, Section 2: 'consent' means any freely given, specific, informed and unambiguous indication of the data subject's wish which he or she, by a statement or by a clear affirmative action, signifies agreement to the collection or processing of personal data relating to him or her.
Schedule 1 of the Regulations includes a form for notice of objection to the collection/processing of personal data.

Journalism/artistic purposes
GDPR, Article 85(1): Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
The Act: The Act does not refer to journalism or artistic purposes.

4. Controller and processor obligations

4.1. Data transfers
Inconsistent
The Act provides for a similar notion of adequate protection as the GDPR. However, the Act only recognises consent as an alternative mechanism for data transfers, whereas the GDPR provides that transfers to a third country or an international organisation may still occur if appropriate safeguards are provided.

Adequate protection
GDPR, Article 45(1): A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
The Act, Section 19: Where a data processor or data controller based in Uganda processes or stores personal data outside Uganda, the data processor or data controller shall ensure that:
a) the country in which the data is processed or stored has adequate measures in place for the protection of personal data at least equivalent to the protection provided for by this Act; or
b) the data subject has consented.
Section 30(1) of the Regulations: A data collector, data processor or data controller shall not process or store personal data outside Uganda unless the data collector, processor, or controller demonstrates to the PDPO (a) the country outside Uganda where the personal data is to be processed or stored has adequate measures in place for the protection of the personal data at least equivalent to the protection provided for by the Act; or (b) the data subject has consented to the processing. (5) Where the data collector, processor, or controller wishes to process or store personal data in a country that does not appear on the list of countries deemed adequate by the PDPO, it is the responsibility of the collector, processor, or controller to prove that the country has adequate measures in place for the protection of personal data, at least equivalent to the protection provided by the Act.
Other mechanisms for data transfers
GDPR, Article 46(1): In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Other mechanisms for data transfers (cont'd)
GDPR (cont'd): (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Data localisation
GDPR: Not applicable.
The Act: Not applicable.
4.2. Data processing records

Fairly inconsistent

While the GDPR requires both data controllers and data processors to maintain data processing records, the Act does not specify equivalent obligations for either. However, the Act does set out general provisions for registering with the PDPO.

GDPR: Article 30(1): Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data; and

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The Act: The Act does not provide for a requirement to maintain data processing records. However, Section 29 provides: the PDPO shall keep and maintain a data protection register and an application by a data controller or other person to register shall be made in the prescribed manner.

Section 29(1) of the Act: The PDPO shall keep and maintain a data protection register.

(2) The PDPO shall register in the data protection register, every person, institution or public body collecting or processing personal data and the purpose for which the personal data is collected or processed.

(3) An application by a data controller or other person to register shall be made in the prescribed manner.

Article 30: The PDPO shall make the information contained in the Data Protection Register available for inspection by any person.

Section 14(1): The Regulations provide the register shall contain information relating to data collectors, data processors and data controllers including the purpose for which personal data is collected.

(2) The Register will contain the following information (a) the name of the person, institution, or body (b) the address of the person, institution or public body (c) the nature of the personal data being collected or processed by the person, institution or public body; and (e) the purpose for the collection or processing of personal data.

Data processor obligation

GDPR: Article 30(2): Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; and

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The Act: See Section 29 of the Act above.

Records format

GDPR: Article 30(3): The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

The Act: The Act does not provide for such requirements.

Required to make available

GDPR: Article 30(4): The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

The Act: The Act does not provide for such requirements.
Exemptions

GDPR: Article 30(5): The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

The Act: The Act does not provide for such requirements.

General Data Processing Notification ('DPN')

GDPR: Not applicable.

The Act: Section 15(1) of the Regulations: Subject to subregulation (2), every data collector, data processor or data controller shall register with the PDPO.

(2) The PDPO shall, in consultation with the Board, by notice in the Gazette, exempt certain data collectors, data processors or data controllers from the requirement to register with the PDPO.

4.3. Data protection impact assessment

Fairly consistent

Although the Act itself does not provide requirements on DPIAs, the Regulations, along with the GDPR, do provide for a requirement to carry out a DPIA prior to the processing of personal data, and outline the required contents of a DPIA.

When is a DPIA required

GDPR: Article 35(1): Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

[…] (3) A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

The Act: Section 12(1) of the Regulations: Where the collection or processing of personal data poses a high risk, data collectors, processors, and controllers must, prior to the collection or processing carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data.

GDPR: Article 35(7): The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

The Act: Section 12(2) of the Regulations: Every data protection impact assessment must include:

- a systematic description of the envisaged processing and the purposes of the processing;
- an assessment of the risks to personal data and the measures to address the risks; and
- any other matter the PDPO may require.

4.4. Data protection officer appointment

The Act provides for the requirement to appoint a DPO, while the Regulations provide further details and requirements regarding DPO tasks and relevant qualifications.

When is a DPO required

GDPR: Article 37(1): The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

The Act: Section 6: For purposes of this Act, and in so far as it applies to an institution, the head of the institution shall designate a person as the data protection officer responsible for ensuring compliance with this Act.
When is a DPO required (cont'd)

GDPR: (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

The Act: Section 47(2): The Regulations provide every person, institution or public body that processes or controls personal data shall designate a data protection officer where (a) the activities of the person, institution or public body consist of processing operations which by virtue of their nature, scope or purpose require regular and systematic monitoring of data subjects on a large scale; or (b) the core activities of the person, institution or public body consist of processing of special personal data in accordance with the Act.

Group appointments

GDPR: Article 37(2): A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

The Act: The Act does not provide for requirements in relation to group appointments.

Notification of DPO

GDPR: Article 37(7): The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

The Act: The Act does not provide for notification requirements.

Qualifications

GDPR: Article 37(5): The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

The Act: Section 47(4): The regulations provide every person, institution or public body that designates a data protection officer shall provide such data protection officer with the relevant training to enable them to perform the duties of a data protection officer.

4.5. Data security and data breaches

Fairly consistent

The GDPR, the Act, and the Regulations establish similar general data security provisions and require that authorities should be notified of data breaches within a specific timeframe. However, unlike the GDPR, the Act does not provide for specific exceptions to data breach notification. Furthermore, the Act provides the PDPO with the power to require that data subjects are notified of breaches, including through public announcements.

Security measures defined

GDPR: Article 32(1): Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Act: Section 20(1): A data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organisational measures to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of the personal data.

(2) For the purposes of subsection (1), the data controller shall take measures to-

(a) identify reasonably foreseeable internal and external risks to personal data under that person's possession or control;

(b) establish and maintain appropriate safeguards against the identified risks;

(c) regularly verify that the safeguards are effectively implemented; and

(d) ensure that the safeguards are continually updated in response to new risks or deficiencies, necessary to protect the integrity of the personal data.

Section 31(1) of the Regulations: For the purposes of Section 20(3) of the Act, the Office shall publish, in the Gazette, the generally accepted information security practices and procedures and specific industry professional rules and regulations applicable to the security of personal data.

(2) Information security practices and procedures and specific industry professional rules and regulations applicable to the security of personal data referred to in subregulation (1) include:

- administrative measures, that is to say, measures aimed at creating efficient guidelines and security standards for dealing with personal data; and
- technical measures, that is to say, measures aimed at preventing overlap and restricting access to systems and personal data.

Section 32(1) of the Regulations: For the purposes of Section 21 of the Act, a data controller shall ensure that any data processor that processes personal data for the data controller develops and implements appropriate security measures to safeguard the personal data.

Data breach notification to authority

GDPR: Article 33(1): In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The Act: Section 23(1): Where a data collector, data processor or data controller, believes that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data collector, data processor or data controller, shall immediately notify PDPO in the prescribed manner, of the unauthorised access or acquisition and the remedial action taken.

Section 33(1) of the Regulations: The notification required under Section 23(1) [of the Act] shall be made immediately after the occurrence of the data breach.

Section 33(3) of the Regulations provides that the notification shall include (a) the nature of the personal data breach (b) the personal data which is the subject of the data breach (c) the categories and approximate number of data subjects affected by the personal data breach (d) the likely consequences of the personal data breach (e) the appropriate remedial measures taken or proposed to address the personal data breach, and (f) the name and contact details of the data protection officer or other point of contact.

GDPR: See Article 33(1) above.

The Act: See Section 23(1) of the Act and Section 33(1) of the Regulations above.

Notifying data subjects of data breach

GDPR: Article 34(1): When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The Act: Section 23(2): The PDPO shall determine and notify the data controller, data collector or data processor whether the data controller, data collector or data processor should notify the data subject of the breach.

(3) Where the PDPO determines that the data collector, data processor or data controller should notify the data subject, the notification shall be made by-

(a) registered mail to the data subject's last known residential or postal address;

(b) electronic mail to the data subject's last known electronic mail address;

(c) placement in a prominent position on the website of the responsible party; or

(d) publication in the mass media.

(4) A notification referred to in subsection (3) shall provide sufficient information relating to the breach to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data.

(5) Where the PDPO has grounds to believe that publicity would protect a data subject who is affected by the unauthorised access or acquisition of data, the PDPO shall direct the responsible party to publicise in the specified manner, the fact of the compromise to the integrity or confidentiality of the personal data.

Section 33(4) of the Regulations: The PDPO shall, immediately after receiving a notification referred to in subregulation (1), provide the concerned data collector, data processor or data controller with appropriate guidance on how to deal with the data breach.

(5) The guidance referred to in subregulation (4) shall include:

(b) the manner of notification of the data subject affected by the data breach including requiring the data collector, data processor or data controller to provide the data subject with sufficient information relating to the data breach in order to allow the data subject to take protective measures against the consequences of the data breach; and
Notifying data subjects of data breach (cont'd)

The Act: (c) any measures to alert the general public on the nature of the data breach.

GDPR: Article 33(2): The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The Act: See Section 23(1) of the Act above.

Exceptions

GDPR: Article 34(3): The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects

The Act: The Act does not explicitly provide relevant exceptions.

4.6. Accountability

Fairly inconsistent

Both the GDPR and the Act provide for a principle of accountability; however, they do so in different forms, with the Act emphasising the capacity for data subjects to hold persons to account. Furthermore, the Act does not establish a distinction like the GDPR between processor and controller liabilities.

Principle of accountability

GDPR: Article 5(2): The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). [Paragraph 1 details principles of: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.]

The Act: Section 3(1): A data collector, data processor or data controller or any person who collects, processes, holds or uses personal data shall-

(a) be accountable to the data subject for data collected, processed, held or used.

Liability of data controllers and data processors

GDPR: Article 82(2): Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

The Act: In general terms, the Act does not differentiate liabilities between data controllers, collectors, or processors. 'Persons' may be held liable for offences under the Act.
GDPR: purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

The Act: (b) destroy or delete a record of personal data about the data subject held by the data controller which the controller no longer has the authority to retain.

Section 28(1): Where the PDPO is satisfied on a complaint of a data subject that personal data on that data subject is inaccurate, the PDPO may order the data controller to rectify, update, block, erase, or destroy the data.

(2) Subsection (1) applies whether the data is an accurate record of information received or obtained by the data controller from the data subject or a third party.

Schedule 1 Form 9 of the Regulations can be used when requesting erasure.

GDPR: 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Response timeframe

GDPR: Article 12(3): The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The

The Act: Section 16(2): On receipt of the request, a data controller shall comply with the request.

Section 39(2) of the Regulations: Where the data controller does not comply with a request within 30 days of receipt of the request, the data subject may make a complaint to the PDPO.
GDPR: Article 12(1): The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The Act: Section 16(3): Where the data controller is not able to comply with the request under subsection (1), the data controller shall inform the data subject of the rejection, and the reasons for the rejection in writing.

[…] (5) The data controller shall notify the data subject of the action taken as a result of the request.

GDPR: Article 17(2): Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data

The Act: Section 28(4): Where the data complained of has been rectified, blocked, updated, erased or destroyed, the data controller is required to notify third parties to whom the data has been previously disclosed of the rectification, blocking, updated, erasure or destruction.

Exceptions

GDPR: Article 17(3): Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

The Act: The Act does not explicitly outline exceptions. However, Section 29(4) of the Regulations provides that where a data controller cannot comply with the request for erasure of personal data, the data controller shall, in writing, inform the data subject of the rejection, and any action taken as a result of the request.

GDPR: (e) for the establishment, exercise or defence of legal claims.

GDPR: Article 12(5): Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
5.2. Right to be informed

The GDPR and the Act provide generally similar requirements for providing specific information to a data subject when collecting data. However, the Act is less explicit in terms of format and intelligibility requirements.

Informed prior to/ at collection

GDPR: Article 13(1): Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

The Act: Section 13 provides that information is to be given to the data subject before collection of data.

Informed prior to/ at collection (cont'd)

GDPR: (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;
GDPR: In addition to the information required under Article 13, Article 14(2) replaces the requirement that data subjects are provided with information on the legitimate interests pursued by the controller or by a third party, with an obligation to inform data subjects of the categories of personal data. Furthermore, paragraph (e) of Article 13(2) is replaced with a requirement to inform data subjects of the source from which the personal data originate, and if applicable, whether it came from publicly accessible sources.

The Act: Section 13(2): Where the data is collected from a third party, the data subject shall be given the information specified in subsection (1) before the collection of the data or as soon as practicable after the collection of the data.

(3) Subsection (2), shall not apply-

(a) where it is necessary to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;

(b) information relating to national security;

(c) to information relating to the enforcement of a law which imposes a pecuniary penalty;

(d) to information relating to the enforcement of legislation which concerns public revenue collection;

(e) to information relating to the preparation or conduct of proceedings before a court or tribunal.

Intelligibility requirements

GDPR: Article 12(1): The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and

The Act: The Act does not explicitly refer to intelligibility requirements.

Format

GDPR: See Article 12(1) above.

The Act: The Act does not explicitly refer to format requirements.

GDPR: The requirements of Article 13 do not apply where the data subject already has the information.

The requirements of Article 14 do not apply where:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

The Act: The Act does not explicitly refer to particular exceptions where information is collected directly from data subjects.

In relation to data collected from third parties Section 13(3) stipulates: Subsection (2), shall not apply-

(a) where it is necessary to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;

(b) information relating to national security;

(c) to information relating to the enforcement of a law which imposes a pecuniary penalty;

(d) to information relating to the enforcement of legislation which concerns public revenue collection;

(e) to information relating to the preparation or conduct of proceedings before a court or tribunal.
5.3. Right to object

Fairly inconsistent

While both the GDPR and the Act provide for the right to object or to prevent processing, there are significant variations in when and how these rights apply. In particular, the Act limits the right to object to instances where 'unwarranted substantial damage or distress' is or is likely to be caused.

Grounds for right to object/ opt out

GDPR: Article 21(1): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The Act: Section 7(3): Except for data collected or processed under subsection (2), where a data subject objects to the collection or processing of personal data, the person who is collecting or processing the personal data shall stop the collection or processing of the personal data.

Section 25(1): A data subject shall at any time by notice in writing to a data controller or data processor, require the data controller or data processor to stop processing personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject.

Section 36(1) of the Regulations: A data subject may require the data controller to cease the processing of personal data where the processing is not compatible with the purpose for which the personal data was collected.

Restrict processing

GDPR: Article 18(1): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

The Act: The Act does not explicitly refer to a similar requirement to restrict processing.

Restrict processing (cont'd)

GDPR: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

The Act: (3) Subject to sub-section (1) a data subject may enter into agreement with a data controller for purposes of using or processing his or her personal data for pecuniary benefits.

(6) In this section 'direct marketing' includes the communication by whatever means of any advertising or marketing material which is directed at an individual.
GDPR The Act GDPR The Act
See Article 12(1) in section 5.1. above. In addition, The Act does not explicitly refer to a requirement to inform subject of his or her intention to continue processing
Article 21(4) provides: At the latest at the time of the first data subjects of their right to prevent processing. personal data for the purpose of direct marketing,
communication with the data subject, the right referred the data subject may within 14 days of receiving the
to in paragraphs 1 and 2 shall be explicitly brought to notice request the PDPO in writing to review the
the attention of the data subject and shall be presented decision of the data controller or data processor.
clearly and separately from any other information.
Fees (2) The PDPO shall review the decision of the data
controller or data processor within 14 days after
See Article 12(5) in section 5.1. above. Article 16(2): The personal data subject shall have the receiving the request of the data subject.
right to object at any time and free of charge.
Format of response
Response timeframe
See Article 12(1) in section 5.1. above. Schedule 1, Form 1, of the Regulations outlines a notice of
See Article 12(3) in section 5.1. above. Section 25(2): A data controller shall within fourteen days after
objection to the collection/processing of personal data.
receipt of a notice inform the data subject in writing that the
data controller has complied or intends to comply with the
Exceptions
notice of the data subject, or of the reasons for non-compliance.
See Article 12(5) in section 5.1. above. Section 25(5): This Section does not apply to data collected
(3) Where the data controller gives reasons for non-
or processed in accordance with section 4(2). [Section 4(2)
compliance, a copy of the notice required by subsection
refers to the establishment of the data protection office]
(2) shall be given to the PDPO within fourteen days.
(5) Where the PDPO does not agree with the reasons
(4) The burden to establish a legitimate interest lies with
for non-compliance, the PDPO shall direct the data
the data collector, data processor or data controller.
controller or data processor to comply with the
notice of the data subject, within seven days.
5.4. Right of access

Grounds for right of access
GDPR: Article 15(1): The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. […]
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
[…]
(g) where the personal data are not collected from the data subject, any available information as to their source; and
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Act: Section 24(1): A data subject who provides proof of identity may request a data controller to-
(a) confirm whether or not the data controller holds personal data about that data subject;
(b) give a description of the personal data which is held by the data controller;
(c) provide the identity of a third party or a category of a third party who has or has had access to information.

GDPR: Recital 64: The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
The Act: Section 13(3): A data controller shall not comply with a request under this section unless the data controller is given information that the data controller may reasonably require to identify the person making the request and to locate the data requested by that person.
Section 35(2) of the Regulations: A data subject satisfies the proof of identity where the data subject provides a national identification card or alien's identification card, a passport or any travel document, or a driver's license.

Response timeframe
GDPR: See Article 12(3) in section 5.1. above.
The Act: Section 13(9): Subject to subsection (4), a data controller shall comply with a request under this Section promptly and in any event within thirty days from the date of receipt of the request.
Section 35(3) of the Regulations provides that a data controller must inform data subjects of its decision within seven days of receipt of the request.

Format of response
GDPR: See Article 12(1) in section 5.1. above.
The Act: The Act does not explicitly refer to the format of response beyond the information in Section 24 (see above).

Exceptions
GDPR: See Article 12(5) in section 5.1. above.
The Act: Section 13(4): Where a data controller is unable to comply with the request without disclosing data related to another individual who may be identified from the information, the data controller shall not comply with the request unless- […]
(6) A data controller shall not use subsection (4) as an excuse for failing to communicate so much of the information sought that may be communicated without the disclosure of the identity of the individual concerned.
(7) The data controller may make the communication under subsection (6) by omitting or deleting the name or other identifying particulars of the other individual.
(8) For the purposes of subsection (4), to determine whether it is reasonable to comply with the request without the consent of the other individual concerned, the data controller shall take into account-
(a) any duty of confidentiality owed to the other individual;
(b) any steps taken by the data controller to seek the consent of that other individual; […]
5.5. Right not to be subject to discrimination
Consistent

Neither the GDPR nor the Act explicitly provides a definition for a general right to non-discrimination for the exercise of rights. Both pieces of legislation, however, establish rights for data subjects not to be subject to decisions made solely through automated processing.

Definition of right
GDPR: The GDPR only implies this right and does not provide an explicit definition for it.
The Act: The Act only implies this right and does not provide an explicit definition for it.

5.6. Right to data portability
Inconsistent

Unlike the GDPR, the Act does not explicitly refer to a right to data portability.

Grounds for portability
GDPR: Article 20(1): The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: […]
The Act: The Act does not explicitly refer to a right to data portability.

Fees
GDPR: See Article 12(5) in section 5.1. above.
The Act: The Act does not explicitly refer to a right to data portability.

Response timeframe
GDPR: See Article 12(3) in section 5.1. above.
The Act: The Act does not explicitly refer to a right to data portability.

Format
GDPR: See Article 20(1) above.
The Act: The Act does not explicitly refer to a right to data portability.

Controller to controller
GDPR: Article 20(2): In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The Act: The Act does not explicitly refer to a right to data portability.
Technically feasible
GDPR: See Article 20(2) above.
The Act: The Act does not explicitly refer to a right to data portability.

Exceptions
GDPR: See Article 12(5) in section 5.1. above.
The Act: The Act does not explicitly refer to a right to data portability.

6. Enforcement

6.1. Monetary penalties
Fairly inconsistent

There are several similarities between the GDPR and the Act, including that both provide for monetary penalties, whether as fixed sums (up to EUR 20 million under the GDPR) or as percentages of annual turnover (up to 4% under the GDPR, up to 2% of a corporation's annual gross turnover under the Act). A key difference between the pieces of legislation, however, is that the Act provides for potential prison terms and that individuals may be held liable for offences.

GDPR: The GDPR provides for monetary penalties.
The Act: The Act provides for monetary penalties.

Issued by
GDPR: Article 58(2): Each supervisory authority shall have all of the following corrective powers: […] (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.
The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the personal data protection office shall- (a) oversee the implementation of and be responsible for the enforcement of this Act.

Fine maximum
GDPR: Article 83(5): infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: […]
(6) Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The Act: The maximum stated monetary penalty under the Act is equivalent to 245 currency points (Section 37(2) of the Act), which is UGX 4.9 million (approx. €1,240).

GDPR: Under Article 83(4), (5), and (6), fines may be issued that equate to 2% or 4% of the total worldwide annual turnover of the preceding financial year.
The Act: Section 38(1): Where an offence under Sections 31 and 32 is committed by a corporation, the corporation and every officer of the corporation who knowingly and willfully authorises or permits the contravention is liable to the offence.
[…] corporation, pay a fine not exceeding two percent of the corporation's annual gross turnover.

GDPR: Article 83(2): […]
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to […]
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the […]
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
[…] pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and […]
The Act: […] committed by a corporation, the corporation and every officer of the corporation who knowingly and willfully authorises or permits the contravention is liable to the offence.
6.2. Supervisory authority
Fairly consistent

The scope, general powers, and tasks assigned to data protection authorities under the GDPR, and the Act and Regulations are largely similar. There is, however, a significant difference in the level of detail provided to describe and regulate these powers, with the Act leaving more room for interpretation.

Provides for data protection authority
GDPR: Article 51(1): Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union ('supervisory authority').
The Act: Section 4(1): There is established a PDPO responsible for personal data protection under NITA-U which shall report directly to the Board.
Section 5(3): The office in performing its functions under this Act shall not be under the direction or control of any person or Authority.
Section 3(1) of the Regulations provides for the establishment of a PDPO in the NITA-U. (2) The PDPO shall be under the general supervision of the Board of Directors of the NITA-U.

Investigatory powers
GDPR: Article 58(1): Each supervisory authority shall have all of the following investigative powers:
(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications issued pursuant to Article 42(7);
(d) to notify the controller or the processor of an alleged infringement of this Regulation;
(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;
(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall-
[…] (c) monitor, investigate and report on the observance of the right to privacy and of personal data;
[…] (e) receive and investigate complaints relating to infringement of the rights of the data subject under this Act;
[…] (2) The office shall have all powers necessary for the performance of its functions under this Act.
Section 4 of the Regulations provides that, in addition to those functions specified in Section 5 of the Act, the PDPO shall […] (e) conduct audits to ensure compliance by data collectors, processors, controllers and data subjects with the Act and the Regulations and address potential issues proactively.

Corrective powers
GDPR: Article 58(2): Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.
The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall-
(a) oversee the implementation of and be responsible for the enforcement of this Act;
[…] (e) receive and investigate complaints relating to infringement of the rights of the data subject under this Act;
[…] (g) perform such other functions as may be prescribed by any other law or as the office considers necessary for the promotion, implementation and enforcement of this Act;
(2) The office shall have all powers necessary for the performance of its functions under this Act.
Section 4 of the Regulations provides that the PDPO shall:
[…] (b) coordinate, supervise and monitor data collectors, data processors, data controllers and data subjects on all matters relating to the Act; and
[…] (d) set, monitor and regulate standards for personal data protection and privacy.

Authorisation/ advisory powers
GDPR: Article 58(3): Each supervisory authority shall have all of the following authorisation and advisory powers:
(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;
(c) to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;
(d) to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);
(e) to accredit certification bodies pursuant to Article 43;
(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);
(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);
(h) to authorise contractual clauses referred to in point (a) of Article 46(3);
(i) to authorise administrative arrangements referred to in point (b) of Article 46(3);
(j) to approve binding corporate rules pursuant to Article 47.
The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall-
[…] (b) promote the protection and observance of the right to the privacy of a person and of personal data;
[…] (d) formulate, implement and oversee programmes intended to raise public awareness about this Act;
[…] (f) establish and maintain a data protection and privacy register;
[…] (2) The office shall have all powers necessary for the performance of its functions under this Act.
Section 4 of the Regulations provides that the PDPO shall:
[…] (a) provide guidance to data collectors, processors, data controllers, and data subjects about their data protection and privacy rights, obligations and responsibilities under the Act;
[…] (f) provide guidance to Government on matters of data protection and privacy;
[…] (h) issue recommendations to institutions about the interpretation or application of data protection and privacy rules.

Tasks of authority
GDPR: Article 57(1): Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:
(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
(d) promote the awareness of controllers and processors of their obligations under this Regulation;
(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(g) cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;
(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;
(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
[…]
(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);
(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
[…]
(v) fulfil any other tasks related to the protection of personal data.
The Act: Section 5(1): For purposes of this Act and in addition to its functions under any other law, the PDPO shall-
(a) oversee the implementation of and be responsible for the enforcement of this Act;
(b) promote the protection and observance of the right to the privacy of a person and of personal data;
(c) monitor, investigate and report on the observance of the right to privacy and of personal data;
(d) formulate, implement and oversee programmes intended to raise public awareness about this Act;
(e) receive and investigate complaints relating to infringement of the rights of the data subject under this Act;
(f) establish and maintain a data protection and privacy register;
(g) perform such other functions as may be prescribed by any other law or as the PDPO considers necessary for the promotion, implementation and enforcement of this Act;
(2) The office shall have all powers necessary for the performance of its functions under this Act.
Section 4 of the Regulations: In addition to the functions specified in Section 5 of the Act, the PDPO shall:
- provide guidance to data collectors, data processors, data controllers, and data subjects about their data protection and privacy rights, obligations and responsibilities under the Act;
- coordinate, supervise and monitor data collectors, data processors, data controllers and data subjects on all matters relating to the Act;
- build capacity of management of the PDPO and staff on compliance requirements under the Act and these regulations;
- set, monitor and regulate standards for personal data protection and privacy;
- conduct audits to ensure compliance by data collectors, data processors, data controllers and data subjects with the Act and these regulations and address potential issues proactively;
Section 13(1) of the Regulations: The PDPO must keep and maintain the data protection and privacy register, provided under Section 29 of the Act, in electronic or manual form. (2) The PDPO must keep the Register up to date.
Section 42(1) of the Regulations provides that, where a complaint is made to the PDPO under Sections 39 and 40 of the Regulations, the PDPO must investigate the complaint within 21 days of receipt of the complaint.
6.3. Civil remedies for individuals
Fairly consistent

Both the GDPR and the Act provide for data subjects to seek compensation or judicial remedy if they have suffered material or non-material damage. Similarly, both legislative frameworks establish that data processors may be held liable under certain circumstances and do not specify an amount for damages. The GDPR and the Act differ, though, in relation to the capacity to mandate another body to act as representative for the data subject.

Provides for claims/ cause of action
GDPR: Article 79: Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
The Act: Section 33(1): Where a data subject suffers damage or distress through the contravention by a data controller, data processor or data collector of the requirements of this Act, that data subject is entitled to apply to a Court of competent jurisdiction for compensation from the data collector, data processor or data controller for the damage or distress.

GDPR: Article 80(1): The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
The Act: The Act does not explicitly refer to mandates for representation.

GDPR: Not applicable.
The Act: The Act does not explicitly refer to an amount for damages.

Processor liability
GDPR: Article 82(2): Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
The Act: In general terms, the Act does not differentiate liabilities between data controllers, collectors, or processors. 'Persons' may be held liable for offences under the Act.

Exceptions
GDPR: Article 82(3): A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
The Act: Section 33(2): In proceedings against a person under this section, it is a defence to prove that the person took reasonable care in all the circumstances to comply with the requirements of this Act.