- August 13, 2023
- Posted by: admin
- Category: data protection
The Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023
By Sunday Ndamugoba and Lubaina Hassanali
Introduction
The Personal Data Collection and Processing Regulations, 2023 outline procedures related to the registration of data controllers and processors, enforcement of data subjects’ rights, and the transfer of personal data outside the country. The key components of the regulation are summarized below:
Application for registration
Individuals or companies collecting or processing personal data must register as data controllers or data processors with the Commission. The application is verified within seven days to ensure the information is valid and complete. Following verification, once the requirements are met and the application is successful, the Commission issues a registration certificate and registers the data controller or data processor. Alternatively, the Commission may reject the application and provide reasons for the rejection. The registration certificate is valid for five years and can be renewed by applying for renewal three months before the expiry date. The Commission may cancel the registration if false information is provided, terms and conditions are violated, offenses are repeated, or fines are not paid. An aggrieved data controller or data processor can appeal the Commission’s decision to the Minister within seven days, and the Minister’s decision is final.
Procedure for enforcing the rights of data subjects
Data subjects can apply to suspend or prevent the collection or processing of their personal data if it is likely to cause substantial damage. The data controller or processor receives the application, acknowledges receipt within seventy-two hours, and temporarily suspends the processing of the personal data. Within seven days, the data controller or data processor considers the application and may accept or reject it. If accepted, they suspend the processing, remove the personal data from the system, and inform third parties to stop using the data. If the application is rejected, the data subject is notified with the reasons provided. If dissatisfied with the rejection, the data subject can submit a complaint to the Commission within fourteen days. On the other hand, if no complaint is filed, the data controller/data processor can continue processing the personal data.
Erasure or destruction of personal data
Data subjects can also apply to the data controller/processor to erase or destroy their personal data. Within fourteen days, the data controller/processor considers the application and may accept or reject it. Nonetheless, the right to erase or destroy personal data cannot be exercised if processing is necessary for freedom of expression, fulfilling legal obligations, or the public interest. If the application is rejected, the data subject is notified with the reasons provided. In cases where decisions significantly affecting the data subject are based solely on automated processing, the data subject is notified in writing.
Procedure for transfer of personal data outside the country
A data controller or data processor intending to transfer personal data outside the country must apply for a permit from the Commission. The application is considered within fourteen days, and the Commission may accept or reject it. If accepted, the Commission issues a permit for the transfer of the personal data. If rejected, the applicant is notified with the reasons provided.
Obligations of Data Controllers and Data Processors
Data controllers and processors have obligations that must be met during the collection and processing of personal data. They are obligated to ensure that the personal data is:
- collected or processed lawfully, fairly, and transparently;
- collected for a legitimate and specified purpose;
- adequate and necessary for the purposes for which it is processed;
- accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;
- stored in a form which permits the identification of the data subject for no longer than is necessary for the purpose for which the personal data is processed;
- processed in accordance with the rights of the data subject;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against any loss, destruction or damage, using appropriate technical or organizational measures;
- not transferred abroad contrary to the provisions of the Act; and
- not applied in the existing circumstances without taking steps to ensure such data are complete, accurate, consistent with the content, and not misleading.
Moreover, when processing personal data, the data controller/processor is required to establish a personal data protection mechanism or design technical measures to safeguard and implement the principles of personal data protection. These principles are:
- principle of lawfulness
- principle of specific purpose
- principle of security of personal data during processing
- principles of proportionality and the necessity of personal data
- principle of accuracy
- principle of storage limitation
- principle of rights of the data subject
Download here: The Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (subsidiary legislation)