Privacy Policy

  1. Introduction and scope 

1.1. gnuGrid CRB Limited (“gnuGrid CRB”, “we”, “us” or “our”) is a trusted  credit reference bureau and credit information services provider. As a leading credit information services company, we collect, protect and provide  quality consumer and business credit information, which means we look  after vast volumes of Personal Data. We are committed to using Personal  Data responsibly to make a positive difference to you, and society at large. We have provided this Privacy Notice to communicate the processing  activities which all data subjects can expect from us, how we secure your  Personal Data, your rights under applicable data privacy legislation, and  how you can exercise these privacy rights. This notice is applicable in all  instances where gnuGrid CRB determines the manner and purpose for  which information is processed. 

1.2. This notice applies to all Data Subjects which may include individuals,  consumers, and clients (“Data Subject”, “You” or “your”) whose Personal  Data is Processed by gnuGrid CRB and explains how we collect, use, and  process your data as dictated by the circumstances of your relationship 

with us. As a registered credit reference bureau, regulated by the Bank of Uganda, gnuGrid CRB’s clients are credit providing entities for the most  part, that provide gnuGrid CRB Personal Data, in line with CRB  regulations to perform regulated credit bureau services. 

1.3. Unless otherwise stated in a contract, this notice does not form part of  any contract you have concluded with us, although gnuGrid CRB may  refer to this privacy notice in your contract with gnuGrid CRB. We may  update this notice at any time but if we do so, we will make a copy of the  amended notice available to you as soon as reasonably practical. We may 

also notify you in other ways from time to time about the processing of  your Personal Data. 

1.4. We respect your right to privacy and are committed to being transparent  about how we collect and use your Personal Data. Should you have any

1 | P age 

queries on this privacy notice or your privacy rights in general, you may  contact our Data Privacy Office at simonodongoi@gnugridcrb.com. 

  1. Who is responsible for processing your Personal Data? 

The Data Controller is gnuGrid CRB Limited whose address is at Plot 77  Buganda Road Kimujo Building ground Floor. Kampala Uganda. For any  enquiries on this privacy notice, please contact our Data Privacy Office  via: simonodongoi@gnugridcrb.com. 

  1. Our Privacy Principles 

3.1. gnuGrid CRB strives to comply with all applicable Data Privacy legislation. To ensure we respect your right to Privacy, we endeavour to adhere to the  following principles when processing Personal Data. Personal Data that  we hold about you must be: 

3.1.1. used in a lawful, fair, and transparent manner; 

3.1.2. collected for lawful purposes and only used in processing activities that are compatible with the lawful purposes; 

3.1.3. limited to what is necessary for achieving lawful purposes; 3.1.4. accurate and up to date; 

3.1.5. only retained for the period prescribed by law; and 

3.1.6. protected from unauthorised access, use or disclosure. 

  1. Key Data Privacy Terms To Interpret This Notice 

4.1. “Consumer Credit Information” means information concerning— 

4.1.1. An individual’s credit history, including previous credit  applications, positive and negative information relating to credit agreements to which the person is or has been a party, pattern of  payment or default under any such credit agreements, debt re arrangement, financial malpractice and other matters within the scope of that person’s financial means, prospects, and obligations 

2 | P age 

in terms of Section 78 (2) of the Financial Institutions Act No.2 of  2004 (FIA), Section 46 of the Microfinance Deposit Taking  Institutions Act, 2003 (MDI Act) and Financial Institutions (Credit  Reference Bureau) Regulations No 106 of 2022 (CRB  Regulations), Credit Reference Bureau Operational Guidelines  and Data Submission Manual as amended from time to time,  incidence of enforcement actions with respect to any such credit  agreement, the circumstances of termination of any such credit  agreement, and related matters; 

4.2. “Information Incorporated in a consumer’s Credit Report” means all  information which is included in consumers credit report, including; 

4.2.1. Consumer Credit Information as defined in Section 4.1.1, including: 

  1. credit account history/repayment profile which is a record  of all your accounts with financial institutions and  microfinance deposit taking Institutions and a history of how you pay including all other credit facilities e.g. overdrafts, guarantees, and bonds. Showing active accounts, not fully paid off, fully paid loans and default data. 
  2. previous credit applications and rejection reasons where applicable 
  3. financial malpractice including data related to financial  malpractice or fraudulent activities 
  4. identifying information such as your first name, surname,  other names, identity number (s), physical and postal address,  contact numbers (primary and secondary), marital status, past  and current employer(s), and occupation; 
  5. previous enquiries on your credit report by any authorised users permitted in terms of the FIA and CRB Regulations to  use your credit report; 
  6. employment information relating to your previous and 

3 | P age 

current employers, employee number, income bands, salary  frequency and employment periods; 

  1. information that is publicly available as permitted by law  such as judgments, sequestrations, and rehabilitation; h. bounced cheques any information relating to cheques you  have issued but have bounced. 
  2. collateral information relating to any material collateral that  is held on a credit account / facility. 
  3. collateral credit guarantor where you have guaranteed  repayment of a loan as a guarantor to another credit account. k. borrower stakeholder indicating your managerial,  shareholder or director role in a business entity with credit  obligations. 

4.2.2. “Data Controller” refers to the entity that determines the  purposes and the manner for processing Personal Data i.e. determines how to collect, store, and use your Personal Data. 

4.2.3. “Data Subject(s)” refers to any individual(s) from whom or in  respect of whom Personal Data has been requested, collected,  collated, processed or stored. 

4.2.4. “Personal Datarefers to information about an identifiable  person, that is recorded in any form and includes Consumer  Credit Information. 

4.2.5. “Processing”, means any operation which is performed upon  collected data by automated means or otherwise including the  collection, receipt, recording, organisation, collation, storage, updating, amendment, retrieval, reading, analysing, use and/or sharing of your Personal Data in the ways set out in this privacy notice. When we do one or more of these actions with your  Personal Data, we are “Processing” your Personal Data.

4 | P age 

4.2.6. “Special Personal Data” means categories of particularly  sensitive Personal Data, such as your health or sexual life,  religious or philosophical beliefs, political opinion, financial  information and medical records. We minimise the processing of  Special Personal Data to what is strictly necessary to achieve a  lawful purpose. We will only process Special Personal Data in the  exercise or performance of an obligation imposed on us by a  specific law and where the information is given freely with your  consent. gnuGrid CRB has put in place appropriate policies and safeguards to ensure we apply the strictest privacy standards  when we process Special Personal Data. 

  1. Collecting your Personal Data 

5.1. When processing Personal Data of a consumer in terms of the CRB Regulations, gnuGrid CRB limits the collection of Personal Data to include only what is permitted in terms of the CRB Regulations (both from a data  field and data source perspective) and which is necessary to our clients  for credit application to enable them to make meaningful and accurate  decisions. We also collect Personal Data of our customers and vendors to  comply with contractual obligations, legal requirements or for operational  business purposes. Furthermore, we ensure that our retention policies  are compliant with applicable legal requirements. Our sources of Personal  Data are: 

5.1.1. The Data subject to whom the Personal Data relates; 

5.1.2. Financial institutions regulated by Bank of Uganda under the FIA and the MDI Act. 

5.1.3. Public Sources, like courts of law; 

5.1.4. Registered societies and accredited credit providers such as money  lenders; 

5.1.5. other registered credit bureaus.

5 | P age 

  1. Categories of Personal Data we process, and the purpose(s) for our processing 

We to collect and process certain consumer Personal Data to conduct our pre-contract vetting processes, deliver the product(s) or service(s) requested and to facilitate the best possible experience when clients  engage with us or use our products and services.

Personal Data 

Purpose for processing

Consumer Credit Information relating to Data Subjects

Make, or assist in making or 

performing duties in terms 

of any agreement with clients,  performing our duties and 

responsibilities as a registered credit bureau, as well as complying with legal obligations relating to our  business.

Information Incorporated in a Consumer’s credit report**

To form a view of Data Subjects as  individuals and to identify, develop or  improve products in line with our  operations as a credit bureau, that  may be of interest to clients, by  assisting clients in making credit  decisions about consumers, carrying  out market research, business, and 

statistical analysis, performing  administrative functions, performing duties in terms of any agreement with  clients, operate and manage accounts  and manage any application,  agreement or correspondence data  subjects may have with GnuGrid CRB and complying with the GnuGrid 



6 | P age 

 

CRB’s regulatory 

and other legal obligations.

Payment details such as credit card or debit card details, and the value of the transaction

To facilitate payment for our  product(s) and services, where the  services you request carry a cost.

Vendor / Supplier information  including, name(s) and contact details, ID numbers, directors’ and senior managers’ 

information, banking details,  and other financial  

information.

Purpose includes verifying information and performing  necessary checks, performing  obligations in agreement with the vendor or managing the business  relationships between the parties, payment of invoices, and complying with the GnuGrid CRB’s regulatory and 

other obligations.

Prospective client’s  

information including,  

name(s), contact numbers  and/or e-mail address, 

directors and senior 

managers 

Information

Activities relating to the processing  of a prospect’s information including  verifying and updating information, pre-scoring / contractual pre contract 

vetting.

Security information may include security-related  verification questions.

To facilitate secure use of our 

platforms, to answer any queries you may have, and effectively identify you 

when you contact us.



7 | P age

We will only use your Personal Data for the purposes for which we collected it,  or a purpose that is reasonably compatible with the original purposes for  collection, as indicated above. 

  1. What is our legal basis for processing Personal Data? 

7.1. We will only process your Personal Data in accordance with applicable Data Privacy laws, which require that we must satisfy at least one prescribed legal basis for processing. Depending on the context of the processing activity, we rely on a number of different conditions for the activities we carry out. The legal basis we rely on include: 

7.1.1. where we need to perform under an agreement that we have concluded with our client, or to take steps at the request of the  data subject e.g. to meet our obligations in terms of a contract we  have concluded; 

7.1.2. where the law authorises or requires us to do so; 

7.1.3. processing for compliance with a legal obligation which the Data Subject is subject; or 

7.1.4. where you have consented to such processing; 

7.1.5. In rare cases, we may process your Personal Data where: 7.1.6. we need to process for medical purposes 

7.1.7. we need to do so in the public interest; 

7.1.8. if it is necessary for national security; or 

7.1.9. the information is necessary for prevention, detection, investigation, prosecution or punishment of an offence or  

breach of law. 

7.2. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your Personal Data.

8 | P age 

  1. Am I obliged to provide this Personal Data? 

Below is an explanation of when the processing of your information is  voluntary or mandatory, depending on the specific context. 

8.1. As a registered and regulated Credit Bureau, GnuGrid CRB is required by  law to collect and process your Consumer Credit Information (which  qualifies as Personal Data) if you are a “consumer” under the CRB  Regulations. In this instance you do not have to provide your Consumer  Credit Information, as it will be collected directly from original sources of Consumer Credit Information. In such an instance, we are required to  collect and process your Personal Data as provided for under the CRB  regulations. 

8.2. When you engage with our website, staff, products, or services: 

8.2.1. Website: The collection of certain Personal Data via essential cookies is necessary for the effective functionality for our website. In these instances, we will communicate this to you when you first arrive at our website. We obtain your consent when we use non- essential cookies, or technology similar to cookies, and/or collect information about the device you use to access our website. Sometimes we work with third parties who carry out these  

activities on our behalf. You will be asked to consent to the use of  non- essential cookies before using our website, but you are not  obliged to provide such consent. The processing of information via non-essential cookies is voluntary i.e. based on your consent. 

8.2.2. Engagement with our staff: When you contact gnuGrid CRB for assistance, we will ask you to provide some Personal Data such as a copy of your ID for verification purposes. The provision of this  information is not mandatory but a failure to provide such  information may negatively affect your ability to do business with  GnuGrid CRB, and / or the quality of service you receive. 

8.2.3. Products or services by gnuGrid CRB: When you enquire about  or apply for gnuGrid CRB products or services, we will ask you to

9 | P age 

provide some Personal Data for us to enter into an agreement and  provide the products and services accordingly. This information  is necessary for us to manage our relationship and effectively  meet our obligations. Failure to provide information needed may  result in our inability to enter into an agreement and / or perform  accordingly. 

8.2.4. Unless required by law (such as the CRB regulations), for national  security, medical purposes, or to enter into / perform according to an agreement, all provision of Personal Data to gnuGrid CRB is  voluntary. In other instances, GnuGrid CRB will only process  Personal Data with informed consent (usually captured and  produced by the entity instructing GnuGrid CRB as a credit bureau). Consequences of not providing Personal Data or consent  for certain types of processing include an inability to benefit from  the proposed processing required by the relevant product or  service. Where they may be any other consequences, those will be  detailed in the specific request for consent. 

  1. The Security of your Personal Data 

9.1. We take the necessary technical and organisational measures to secure  the integrity of information we are responsible for, using accepted  technological standards to prevent unauthorised access to or disclosure  of your Personal Data. We take all reasonable measures to protect your  Personal Data from misuse, loss, alteration, or destruction. 

9.2. We have put in place appropriate security measures to protect your  Personal Data from accidental loss, unauthorised use, alteration, access,  or disclosure. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a  business need to access the information. They will only process your  Personal Data on our instructions and are subject to a duty of  confidentiality. 

9.3. We review our information collection, storage and processing practices,  including physical security measures from time to time, to keep up to date 

10 | P age 

with good industry practice and standards. GnuGrid CRB has implemented procedures to address any suspected data breaches and will notify any applicable regulator of a breach where GnuGrid CRB is legally required to do so within the period in which GnuGrid CRB is required to  

issue such a notification. You will also be notified of any breach where the Regulator has requested GnuGrid CRB to notify, in the manner directed by the Regulator. 

  1. Retention of Your Personal Data 

10.1. We will only retain your Personal Data for as long as necessary to achieve the purposes for which it was collected and processed and not beyond the  timelines set out by the law. Meaning we will keep your Personal Data for as long as we need it to provide the GnuGrid CRB products and services  requested by our client (or by the data subject in limited instances) and  no longer. We may also keep it to comply with our legal obligations, resolve  any disputes and enforce our rights. 

10.2. gnuGrid CRB retains your Personal Data in our credit information  database in accordance with the data retention periods prescribed by the CRB Regulations and the Data Privacy laws of Uganda. For examples, the  CRB Regulations require that we display and use various categories of  your information only for the maximum periods prescribed. 

10.3. We retain certain elements of your information as long as is necessary,  for the purpose of verifying the integrity of information that we may be  required to process in the future or for information quality purposes (i.e.  to prevent the re-loading of incorrect information). This information is  securely stored and not used for any other purpose than information  quality in support of our regulatory obligation to ensure the data we have 

is relevant and accurate and not duplicated. 

10.4. Our reasons for retention may vary from one record or piece of  information to the next and depends on the purposes for the storage and related operational business requirements and / or legal obligations,  therefore the amount of time we keep your Personal Data for may vary.

11 | P age 

10.5. In all cases, our need to use your Personal Data will be reassessed on a  regular basis, and information which is no longer required for any  purposes will be disposed of. 

  1. Sharing your Personal Data 

11.1. As a general rule, we will only share your Personal Data with those that  need access to the information for us to achieve the purpose for which we  have collected it, or to comply with an obligation imposed by law. Internally, we will only share your Personal Data on a “need-to-know”  basis, i.e. with Employees who need access to the information to perform  a task on our behalf. 

11.2. Internally, we will only share your Personal Data on a “need-to-know” basis, i.e. with parties who need access to the information to perform a  task on our behalf, which includes: 

11.2.1.honouring credit report requests by yourself or your authorised  agent or Bank of Uganda; 

11.2.2.investigating and resolving any disputed information on your credit report; 

11.2.3.data loading and management, to maintain the quality of our data 11.2.4.managing any legal and court claims; 

11.2.5.other divisions or companies within the group of companies to  which we belong so as to provide joint content and services like  registration, for transactions and customer support, to help detect and prevent potentially illegal acts and violations of our policies, and to guide decisions about our products, services, and  communications; 

11.2.6.an affiliate, in which case we will seek to require the affiliates to  honour our privacy policy; 

11.2.7.our service providers under contract who help supply certain  goods/services or help with parts of our business operations, 

12 | P age 

including fraud prevention, bill collection, marketing, technology  services (our contracts dictate that these goods suppliers or  service providers only use your information in connection with the goods they supply or services they perform for us and not for their  own benefit). 

  1. Transborder Flow of Information 

12.1. We store our Personal Data in Uganda. 

12.2. We may engage service providers to support our business and they may  be based or use data centres outside of Uganda. Whenever your Personal  Data is transferred cross border, it will be done in line with the requirements of and receive a similar level of protection as described in this notice and the Data Protection and Privacy Act. 

  1. Your rights 

This section is only to be used to exercise your privacy rights as provided  for in Privacy legislation. All credit bureau information is governed by the CRB Regulations, and any requests which relate to bureau  information should be dealt with using the CRB Regulations. 

13.1. You have rights under applicable Data Privacy laws in relation to your Personal Data, which you may exercise under certain circumstance. To exercise these rights, kindly select “click here” to access the prescribed form as provided for under each right below, fill it in its entirety and send  

to simonodongoi@gnugridcrb.com. For hard copy exercise of your rights,  you may also request the prescribed forms from the aforementioned email  address or GnuGrid CRB call centre (details found under the contact us  now section) or reception. For information on the categories of Personal  Data we process, please refer to paragraph 6 of this notice. 

13.2.You may have the right to: 

13.2.1.Request for confirmation of Personal Data we hold about you.  This right enables you to get confirmation on the categories of  Information we hold about you.

13 | P age 

We hold information on most consumers in Uganda. To confirm  what categories of information we hold on you, please contact info@gnugridcrd.com to access a copy of your credit report. 

13.2.2.Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy  of the Personal Data that GnuGrid CRB has about you. “Click  here” to request access the Personal Data we hold about you. 

Should you wish to access credit bureau information as regulated  by the CRB regulations, please contact info@gnugridcrb.com for  a copy of your credit report. 

13.2.3.Request correction of the Personal Data that we hold about you. This enables you to ensure that any incomplete or  inaccurate data that the gnuGrid CRB holds about is corrected.  Kindly contact info@gnugridcrb.com, to request correction of your  Personal Data. 

This excludes any request relating to credit bureau information as regulated by the CRB Regulations. To dispute credit bureau  information, please use info@gnugridcrb.com. 

13.2.4.Request erasure of your Personal Data. This enables you to  request that gnuGrid CRB delete or remove Personal Data where there is no lawful basis for us continuing to process it. You also  have the right to ask us to delete or remove your Personal Data  where you have successfully exercised your right to object to  processing (described below), or where we are required to erase or anonymise your Personal Data to comply with applicable law.  gnuGrid CRB may not always be able to comply with your request  of erasure for specific legal reasons which will be notified to you  (for example where the data is processed in terms of the CRB  Regulations), if applicable, at the time of your request. Please  contact info@gnugridcrb.com to request an erasure of your  Personal Data.

14 | P age 

13.2.5.Withdraw consent at any time where we are relying on  consent to process your Personal Data. However, this will not  affect the lawfulness of any processing carried out before you  withdraw your consent. If you withdraw your consent, we may not  be able to provide certain services that you subscribe to, to you. 

We will advise you if this is the case at the time you withdraw  your consent. Please note that we may continue to process your  Personal Data in certain instances where we are not relying on  your consent. Please contact our Data Privacy Office via contact 

details provided for below. 

If you want to exercise any of these rights, please contact the gnuGrid  CRB Data Privacy Office via simonodongoi@gnugridcrb.com. 

13.3. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to  exercise any of your other rights). This is another appropriate security  measure to ensure that Personal Data is not disclosed to any person who  has no right to receive it. 

13.4. Should your request or dispute relate specifically to credit bureau information, please refer to the Bureau dispute process. 

  1. Maintenance of your Personal Data 

14.1. We encourage you to assist us in maintaining the accuracy of Personal  Data by notifying us of any changes or by meeting your legal obligations  regarding disputes logged. 

14.2. Where Personal Data is submitted to GnuGrid CRB in terms of the CRB  Regulations we cannot alter the information reported by providers of Personal Data unless the information is confirmed to be wrong or  inaccurate by the provider of the Personal Data (this is because the CRB  Regulations has a clear procedure for managing disputes and the provider  of the Personal Data is the Data Controller, which includes responsible of  maintaining the accuracy of the Personal Data). 

14.3.

15 | P age 

14.4. Where GnuGrid CRB is the Data Controller, and you do not agree with the accuracy of your Personal Data which GnuGrid CRB has on file, we have procedures to ensure that such information is verified, and, where appropriate, amended or corrected. Please refer to our privacy rights section above. 

  1. Queries and Complaints 

15.1. If you have questions about our privacy notice or wish to contact us,  please contact our Information Officer at  

siomonodongoi@gnugridcrb.com. Our dedicated Data Privacy Office is  available to attend to any query you may have. 

15.2. Should your query not be resolved to your satisfaction, you may contact  the General Legal Counsel at siomonodongoi@gnugridcrb.com. 

15.3. As we are a member of the Credit Bureau Association, you can also  contact them. Their details are available online  

https://www.gnugridcrb.com 

15.4. Where the above channels have not addressed your query or complaint appropriately, you have the right to make a complaint at any time to the  government body / regulator responsible for enforcement of Privacy laws  (e.g. the information regulator in Uganda). Details of the relevant  regulator may be access at the Personal Data Protection Office of Uganda  via or requested via simonodongoi@gnugridcrb.com

16 | P age