Data Protection Compliance

At Boresha Credit Services Uganda Limited, we are fully committed to upholding the principles of data privacy, confidentiality, and integrity in accordance with the Data Protection and Privacy Act, 2019 (DPPA) of Uganda. As a BPO center handling sensitive client and customer information, we prioritize robust data protection measures across all levels of our operations.

1. Legal and Regulatory Compliance

We operate in strict alignment with:
• The Data Protection and Privacy Act, 2019
• The Constitution of the Republic of Uganda, 1995 (Article 27 on privacy rights)
• Regulations issued by the Personal Data Protection Office (PDPO) under the Ministry of ICT and National Guidance

Our practices are designed to comply with all legal requirements regarding the collection, processing, storage, and sharing of personal data.

2. Data Collection and Consent

• We obtain informed and voluntary consent from all data subjects before collecting personal information.
• Clients are fully briefed on the purpose, scope, and intended use of their data.
• We collect only the minimum necessary data required for service delivery.

3. Data Processing and Security

• Personal data is processed fairly, lawfully, and transparently.
• Our systems employ encryption, access controls, and secure authentication protocols to prevent unauthorized access or breaches.
• Role-based access ensures that data is only accessible to authorized staff on a need-to-know basis.

4. Data Storage and Retention

• All data is stored in secure, monitored environments, both physically and electronically.
• We retain data only for as long as necessary to fulfill contractual, legal, or operational requirements, in line with DPPA Section 18 on retention.
• Upon expiry of retention periods, data is disposed of using secure deletion or destruction methods.

5. Third-Party Data Handling

• When subcontracting or sharing data with third parties, we ensure that:
   ◦ Written Data Processing Agreements (DPAs) are in place.
   ◦ The third parties adhere to equivalent or stronger data protection standards.
   
• We do not transfer personal data outside Uganda without compliance with cross-border data transfer requirements under the DPPA. We ensure compliance with all relevant data protection obligations.

6. Data Subject Rights

We uphold the rights of data subjects as provided under Section 24 of the DPPA, including:
• Right to access their personal data
• Right to correction or deletion of inaccurate or misleading data
• Right to object to processing
• Right to data portability
Data subjects can easily exercise their rights through our dedicated Data Protection Office.

7. Staff Training and Awareness

• All employees undergo mandatory data protection training as part of their onboarding and continuous professional development.
• Regular refresher sessions and audits ensure staff remain up-to-date with data protection laws and best practices.

8. Data Breach Response

We have a documented Data Breach Response Plan, which includes:
   ◦ Immediate containment of the breach
   ◦ Notification to affected parties and the PDPO within the required timelines (as per Section 22 of the DPPA)
   ◦ Investigation and implementation of corrective measures

9. Appointment of Data Protection Officer (DPO)

In compliance with the law, we have appointed a Data Protection Officer responsible for:
   ◦ Monitoring compliance with data protection laws
   ◦ Advising on data protection impact assessments
   ◦ Acting as the contact point with the Personal Data Protection Office

About Us

BCSLU is a dynamic financial solutions provider which carries forward a legacy of excellence, offering tailored debt collection services and scalable business processing outsourcing solutions.