Privacy notice template (Uganda)

Standard document Data & consumer Updated 9 June 2026 AI-generated

In brief

A precedent privacy notice for an organisation that collects personal data.

When to use this

When you collect personal data and must tell individuals how it is used.

When a bespoke document is needed instead: As a substitute for a full data-protection programme — it is one part of compliance.

The template

A precedent only. Replace every [PLACEHOLDER] with your own details; it contains no real party data. Have it reviewed before use.

Heading

[ORGANISATION NAME] — PRIVACY NOTICE

Last updated: [DATE]

1. Who we are

1.1 [ORGANISATION] (“we”), of [ADDRESS], is the data controller responsible for your personal data. Our data protection contact is [NAME / role], [EMAIL].

2. What we collect

2.1 We collect [categories — e.g. name, contact details, national ID/NIN, financial details, location, device data], directly from you and from [other sources].

3. Why we use it & our lawful basis

3.1 We use your data to [purposes — provide our services, process payments, comply with the law, communicate with you], relying on [your consent / performance of a contract / a legal obligation / our legitimate interests].

4. Who we share it with

4.1 We share your data only as needed with [service providers, regulators, banks], under appropriate safeguards, and we do not sell it.

5. Retention

5.1 We keep your data only as long as necessary for the purposes above or as the law requires, after which we securely delete or anonymise it.

6. Security

6.1 We protect your data with appropriate technical and organisational measures against loss, misuse and unauthorised access.

7. Your rights

7.1 You may ask to access, correct or update your data, object to or restrict certain processing, and withdraw consent. You may also complain to the Personal Data Protection Office.

8. Cross-border transfers

8.1 Where we transfer your data outside Uganda, we do so only with appropriate safeguards and as the law permits.

9. Contact

9.1 To exercise your rights or ask a question, contact [EMAIL / address]. We respond within [timeframe].

Drafting notes

Be specific: List the data you collect, the purposes and the lawful basis; vague notices do not meet the data-protection principles.
Legal basis: State the lawful basis for each main purpose (consent or otherwise) and offer a way to withdraw consent.
Rights & contact: Explain access/correction rights, the right to complain to the PDPO, and give a real contact.
Retention & security: State retention periods and that you protect the data with appropriate measures.

Execution requirements

Publish the notice where individuals can see it before or at collection.
Process data lawfully, fairly and for the stated purpose, and keep it secure (Data Protection and Privacy Act).
Register with the Personal Data Protection Office where required.

Governing law & citations

Governed by the Data Protection and Privacy Act, Cap. 97 (2023 Revision) and the Regulations, 2021.

Data Protection and Privacy Act, Cap. 97 (2023 Revision).

Standard document · Data & consumer. Actively maintained. Last reviewed 9 June 2026; next review due 9 June 2027. This resource is a practitioner orientation and general information, not legal advice, and does not create an advocate–client relationship. It is AI-generated. Ugandan law changes and chapter and section numbers were revised in the 2023 Laws of Uganda. Verify every statute, rule, form, fee and authority against the current primary source — and the specific facts of your matter — before relying on it.