| Authority: | Personal Data Protection Office (PDPO) in Uganda. |
| Jurisdiction: | Uganda |
| Relevant law: | Legal provisions reviewed |
| Type: | Complaint |
| Outcome: | No Violation |
| Started: | 27 November 2024 |
| Decided: | 12 March 2025 |
| Published: | Yes |
| Fine: | N/A |
| Parties: | Phillip Simbwa vs. Chipper Technologies Uganda Limited |
| Case No.: | Complaint No. PDPO 061/2024 |
| Appeal: | N/A |
| Original Source: | PDPO |
| Original contributor: | MZIZI Africa |
Contents
- Summary
- Facts
- Holding
- Comment
- Further resources
- The Decision
Summary
Simbwa Phillip complained that Chipper Technologies Uganda Limited denied his data deletion request. Chipper retained KYC and transactional data because of anti-money laundering laws. The PDPO ruled that the retention was lawful but ordered Chipper to amend its Privacy Notice to require explicit consent for any data processing or sharing beyond statutory compliance, or face penalties.
Facts
The complaint was lodged by Simbwa Phillip against Chipper Technologies Uganda Limited. On 27th November 2024, the complainant alleged that Chipper Technologies Uganda Limited denied his request for deletion of personal data and infringed upon his rights under the Data Protection and Privacy Act, Cap. 97.
Specifically, the complainant sought to delete his Personally Identifiable Information (PII) and Know Your Customer (KYC) data. Dissatisfied with the respondent's initial reply, the complainant lodged a formal complaint, contending that the respondent failed to meet all conditions for data deletion and raised additional issues, including:
- The respondent's failure to acknowledge that it lacked the complainant's explicit consent to process, share, or use his data beyond the 10-year retention period.
- Failure to notify the complainant of any data breaches that might impact his data, even if he was no longer active on the platform, especially beyond the 10 years stipulated by Section 8(3) of the Anti-Money Laundering Act, Cap. 118.
- Failure to notify the complainant whenever the platform underwent an update that might result in the exposure of his data to a third party.
- Failure to provide the complainant with a copy of all data collected about him.
The Response by the Respondent:
- Regarding data deletion: The respondent initially required the complainant to cash out all funds from his account before deletion, committing to address the request within 12-24 working hours. Later, in an email dated 27th November 2024, the respondent stated that while the complainant's account and wallet were removed from the platform, KYC and transactional data could not be deleted due to statutory retention obligations under Section 8(3) of the Anti-Money Laundering Act, Cap. 118. The respondent did not provide proof of secure deletion after the mandatory retention period.
- Regarding explicit consent for data use beyond 10 years: The respondent's Privacy Notice, submitted to the PDPO on 13th January 2025, identified the statutory obligation to retain personal data for at least 10 years in compliance with Section 8(3) of the Anti-Money Laundering Act, Cap. 118. However, the Privacy Notice did not explicitly address whether the respondent intended to process or share this retained data beyond regulatory compliance, nor how explicit consent would be obtained for such additional processing.
- Regarding notification of data breaches: The respondent stated that, under Section 23 of the Act, Cap. 97, it would inform the PDPO of any data breaches. However, it did not explicitly address whether it would directly notify the complainant or agree to unconditional liability for unauthorised disclosure of his data.
- Regarding notification of subcontractors: The respondent's Privacy Notice sufficiently addressed the complainant's request by outlining general categories of subcontractors and third parties who may access personal data, ensuring the complainant is informed about the types of entities handling his data.