Disclosure of Data From Ireland to Uganda - Relevant Legal Provisions

The disclosure of personal data from Ireland to Uganda is subject to the Data Protection and Privacy Act of 2019 and the Data Protection and Privacy Regulations of 2021 in Uganda, as well as the European Data Protection Regulation (GDPR): 

On March 1st, 2019, the Data Protection and Privacy Act, 2019 ('the Act') came into force in Uganda. The Act applies to various categories of persons who may be involved in the flow of data information, including the data subject, data collectors, data processors, and data controllers. It further provides for the rights of data subjects, a data protection register, and offences in the event of a breach of the statutory obligations. The Act further applies not only to such persons within Uganda, but also those outside the jurisdiction holding information relating to a Ugandan citizen. This means every company, organisation or institution, as long as it collects or processes any data, is subject to this Act.

A person should not collect or process personal data without the prior consent of the data subject except where the collection is; authorised by law, for performance of a public duty, for national security, for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law, for medical purposes and for compliance with a legal obligation to which the data controller is subject.

• Uganda

The Data Protection and Privacy Act of 2019 and the Data Protection and Privacy Regulations of 2021 apply to anyone who collects, processes, uses, or holds personal data in Uganda, or outside Uganda if it relates to Ugandan citizens. Regulation 30(2) of the Data Protection and Privacy Regulations prohibits transferring personal data processed outside Uganda to a third country without the data subject's consent. 

• GDPR

The GDPR requires that personal data can only be transferred outside the EEA if the conditions in Chapter V of the GDPR are met. The GDPR also contains concepts of controllers and processors, who have different obligations. 

Some other considerations for transferring personal data internationally include: 

• Adequate protection

The data must be transferred to a third country that provides an adequate level of protection. 

• Derogations

There are some exceptions to the general rule, such as for consent, contract performance, legal claims, or important public interest. 

• Compliance

The controller and processor must comply with the GDPR's rules and conditions.

Transfers of Personal Data to Third Countries or International Organisations

Flows of personal data to and from the European Union (the “EU”) are necessary for international trade and international co-operation. However, the transfer of such personal data from the EU to controllers and processors located outside the EU in third countries should not undermine the level of protection of the individuals concerned, with a third country being any country outside the European Economic Area (the “EEA”). Therefore, transfers to third countries or international organisations should be done in full compliance with Chapter V of the General Data Protection Regulation, the “GDPR”.

Article 45 – Transfers on the basis of an adequacy decision

The first thing to consider when transferring personal data to a third country is if there is an “adequacy decision”. An adequacy decision means that the European Commission has decided that a third country or an international organisation ensures an adequate level of data protection.

There is no "adequacy decision" in respect of Uganda.

Article 46 – Transfers subject to appropriate safeguards

In the absence of an adequacy decision, the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:

• Standard data protection clauses (SCCs): For the majority of organisations, the most relevant alternative legal basis to an adequacy decision is these clauses. They are model data protection clauses that have been approved by the European Commission. SCCs contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA. The clauses contain contractual obligations on the Data Exporter and the Data Importer, and rights for the individuals whose personal data is being transferred. Individuals can directly enforce those rights against the Data Importer and the Data Exporter.  The SCCs combine general clauses applicable in all cases along with four modules that are adapted to different transfer scenarios. The parties have to choose the module that corresponds to their situation, in particular in light of their different roles, i.e. whether they are controllers, processors or sub-processors.

Article 49 – Derogations for specific situations

Derogations under Article 49 are exemptions from the general principle that personal data may only be transferred to a third country if an adequate level of protection is provided for in that third country. A Data Exporter should first endeavour to frame transfers with one of the mechanisms guaranteeing adequate safeguards listed above, and only in their absence use the derogations provided in Article 49 (1). These derogations or exceptions allow transfers in specific situations, such as based on consent, for the performance or conclusion of a contract, for the exercise of legal claims, to protect the vital interests of the data subject where they cannot give consent or for important reasons of public interest. The EDPB guidance document on these derogations should always be consulted to ensure that they could be relied upon for the specific scenarios that organisations are dealing with.

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The GDPR contains a restriction on transborder dataflows. This restriction does not apply if the transfer is to a whitelisted country.

UGANDA is NOT a whitelisted country

Transfers can be made:

• pursuant to a set of Standard Contractual Clauses;

• pursuant to binding corporate rules;

• to an importer who has signed up to an approved code or obtained an approved certification; or

• where otherwise approved by the relevant supervisory authority. 

However, following the decision in Schrems II (C-311/18), any transfer made on this basis must be subject to a transfer impact assessment of the laws of the relevant third country and supplemented by supplementary protections where necessary.

The European Data Protection Board has issued Recommendation on European Essential Guarantees for surveillance measures (2/2020) and a Recommendation on measures that supplement transfer tools (1/2020) to help conduct this transfer impact assessment.

Transfers are also possible if an individual derogation applies. These derogations allow a transfer if it:

• is made with the data subject’s explicit consent;

• is necessary for the performance of a contract with, or in the interests of, the data subject;

• is necessary or legally required on important public interest grounds, or for legal claims;

• is necessary to protect the vital interests of the data subject;

• is made from a public register; or

• is made under the so-called minor transfer exemption. 

The European Data Protection Board has issued Guidelines on derogations applicable to international transfers (2/2018). Finally, the European Data Protection Board has issued Guidelines on the interplay between Article 3 and international transfers (2/2018) to help identify when a transfer takes place.