How to complain about misuse of your personal data in Uganda
In brief
If your personal data is misused, you can complain to the data protection authority. Under the Data Protection and Privacy Act, Cap. 97, a data subject (or any person who believes a data collector, processor or controller is infringing their rights or breaching the Act) may complain, in the prescribed manner, to the Authority — the National Information Technology Authority - Uganda, operating through the Personal Data Protection Office (PDPO) (s.31). The Authority has power to investigate complaints (s.32). You can also exercise direct rights — to access your data (s.24) and to have inaccurate data corrected (s.16).
1. Governing law
Section 31 of the Data Protection and Privacy Act, Cap. 97 provides the complaint route: a data subject or any person who believes that a data collector, data processor or data controller is infringing or has infringed their rights, or is in violation of the Act, may make a complaint in the prescribed manner to the Authority. The Authority — the National Information Technology Authority - Uganda, which runs the Personal Data Protection Office (PDPO) — has power to investigate complaints (s.32) and may take enforcement steps for breaches. Before or instead of complaining, a data subject may exercise statutory rights directly against the data handler, including the right to access their personal data (s.24) and to require correction of inaccurate or misleading data (s.16). The Data Protection and Privacy Regulations, 2021 prescribe the form and process for complaints and for exercising these rights. Remedies for breach can include directions from the Authority and, in appropriate cases, compensation. Statutory text verified against the consolidated Laws of Uganda as at 31 December 2023. Sourced from the Uganda Legal Information Institute (ulii.org).
2. Key statutes & rules
- Data Protection and Privacy Act, Cap. 97 — s.31 (a data subject or any person who believes their rights are infringed or the Act is violated may complain in the prescribed manner to the Authority); s.32 (the Authority's power to investigate complaints); s.24 (right to access personal data); s.16 (correction of personal data). The Authority is NITA-U, acting through the Personal Data Protection Office (PDPO).
- Data Protection and Privacy Regulations, 2021 — prescribed form and process for complaints and data-subject requests.
3. Practical guidance
First, consider exercising your rights directly: ask the data handler to give you access (s.24) or to correct inaccurate data (s.16).
Gather evidence of the misuse — what data, by whom, and the harm or breach.
Lodge a complaint in the prescribed manner with the Authority (the PDPO under NITA-U) under s.31.
Cooperate with the Authority's investigation (s.32) and follow the process in the Data Protection and Privacy Regulations, 2021.
Where appropriate, pursue remedies — directions from the Authority and, in a proper case, compensation.
This note is a practitioner orientation, not legal advice, and does not create an advocate–client relationship. Ugandan law changes and chapter and section numbers were revised in the 2023 Laws of Uganda. Verify every statute, rule and authority against the current primary source — and the specific facts of your matter — before filing or relying on it.