Contents

1. Summary
   1. Facts
   2. Holding
2. Comment
3. Further resources
4. The Decision

Summary

The PDPO secured Uganda’s first criminal conviction under the Data Protection and Privacy Act against Ronald Mugulusi of Nano Loans for operating without registration and misusing client data. He pleaded guilty, was fined UGX 300,000, and reached reconciliation over a separate privacy breach involving online shaming.

Facts

Mr. Wonambwa lodged a complaint with the PDPO alleging that:

• His personal data (name, phone number, and photograph) was misused by Nano Loans Microfinance Ltd, a digital lender operated by Mr. Ronald Mugulusi.
• The data, originally provided for loan processing purposes, was repurposed without consent to shame him over non-repayment. Specifically, a video recording using his personal data was circulated via WhatsApp, accompanied by a threat to publish it on TikTok.
• This, the complainant alleged, constituted: A breach of the purpose limitation principle (data must only be used for the purpose for which it was collected). A violation of his privacy and dignity.

Mr. Mugulusi did not deny the allegations regarding unregistered data processing. He pleaded guilty to the first count, failure to register as a data controller with the PDPO.

For the second count involving the misuse of personal data, he entered into a court-sanctioned reconciliation with the complainant.

As part of that reconciliation: He offered compensation to Mr. Wonambwa.

The matter was resolved under Section 160 of the Magistrates Courts Act and the Judicature (Reconciliation) Rules, 2011.

The court stayed further proceedings on that charge.

Following investigation, PDPO found that:

• Mr. Mugulusi had failed to register Nano Loans Microfinance Ltd as a data controller, in breach of the mandatory registration requirement under the Data Protection and Privacy Act.