- Introduction and scope
1.1. gnuGrid CRB Limited (“gnuGrid CRB”, “we”, “us” or “our”) is a trusted credit reference bureau and credit information services provider. As a leading credit information services company, we collect, protect and provide quality consumer and business credit information, which means we look after vast volumes of Personal Data. We are committed to using Personal Data responsibly to make a positive difference to you, and society at large. We have provided this Privacy Notice to communicate the processing activities which all data subjects can expect from us, how we secure your Personal Data, your rights under applicable data privacy legislation, and how you can exercise these privacy rights. This notice is applicable in all instances where gnuGrid CRB determines the manner and purpose for which information is processed.
1.2. This notice applies to all Data Subjects which may include individuals, consumers, and clients (“Data Subject”, “You” or “your”) whose Personal Data is Processed by gnuGrid CRB and explains how we collect, use, and process your data as dictated by the circumstances of your relationship with us. As a registered credit reference bureau, regulated by the Bank of Uganda, gnuGrid CRB’s clients are credit providing entities for the most part, that provide gnuGrid CRB Personal Data, in line with CRB regulations to perform regulated credit bureau services.
1.3. Unless otherwise stated in a contract, this notice does not form part of any contract you have concluded with us, although gnuGrid CRB may refer to this privacy notice in your contract with gnuGrid CRB. We may update this notice at any time but if we do so, we will make a copy of the amended notice available to you as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your Personal Data.
1.4. We respect your right to privacy and are committed to being transparent about how we collect and use your Personal Data. Should you have any queries on this privacy notice or your privacy rights in general, you may contact our Data Privacy Office at email@example.com.
- Who is responsible for processing your Personal Data?
The Data Controller is gnuGrid CRB Limited, whose address is Plot 77 Buganda Road, Kimujo Building, Ground Floor, Kampala, Uganda. For any enquiries on this privacy notice, please contact our Data Privacy Office via: firstname.lastname@example.org.
- Our Privacy Principles
3.1. gnuGrid CRB strives to comply with all applicable Data Privacy legislation. To ensure we respect your right to Privacy, we endeavour to adhere to the following principles when processing Personal Data. Personal Data that we hold about you must be:
3.1.1. used in a lawful, fair, and transparent manner;
3.1.2. collected for lawful purposes and only used in processing activities that are compatible with the lawful purposes;
3.1.3. limited to what is necessary for achieving lawful purposes;
3.1.4. accurate and up to date;
3.1.5. only retained for the period prescribed by law; and
3.1.6. protected from unauthorised access, use or disclosure.
- Key Data Privacy Terms To Interpret This Notice
4.1. “Consumer Credit Information” means information concerning—
4.1.1. An individual’s credit history, including previous credit applications, positive and negative information relating to credit agreements to which the person is or has been a party, pattern of payment or default under any such credit agreements, debt re-arrangement, financial malpractice and other matters within the scope of that person’s financial means, prospects, and obligations in terms of Section 78 (2) of the Financial Institutions Act No.2 of 2004 (FIA), Section 46 of the Microfinance Deposit Taking Institutions Act, 2003 (MDI Act) and Financial Institutions (Credit Reference Bureau) Regulations No 106 of 2022 (CRB Regulations), Credit Reference Bureau Operational Guidelines and Data Submission Manual as amended from time to time, incidence of enforcement actions with respect to any such credit agreement, the circumstances of termination of any such credit agreement, and related matters;
4.2. “Information Incorporated in a consumer’s Credit Report” means all information which is included in a consumer’s credit report, including:
4.2.1. Consumer Credit Information as defined in Section 4.1.1, including:
- credit account history/repayment profile, which is a record of all your accounts with financial institutions and microfinance deposit taking institutions and a history of how you pay, including all other credit facilities e.g. overdrafts, guarantees, and bonds, showing active accounts, not fully paid off, fully paid loans and default data.
- previous credit applications and rejection reasons where applicable
- financial malpractice including data related to financial malpractice or fraudulent activities
- identifying information such as your first name, surname, other names, identity number(s), physical and postal address, contact numbers (primary and secondary), marital status, past and current employer(s), and occupation;
- previous enquiries on your credit report by any authorised users permitted in terms of the FIA and CRB Regulations to use your credit report;
- employment information relating to your previous and current employers, employee number, income bands, salary frequency and employment periods;
- information that is publicly available as permitted by law such as judgments, sequestrations, and rehabilitation;
- bounced cheques: any information relating to cheques you have issued but have bounced.
- collateral information relating to any material collateral that is held on a credit account / facility.
- collateral credit guarantor where you have guaranteed repayment of a loan as a guarantor to another credit account.
- borrower stakeholder indicating your managerial, shareholder or director role in a business entity with credit obligations.
4.2.2. “Data Controller” refers to the entity that determines the purposes and the manner for processing Personal Data i.e. determines how to collect, store, and use your Personal Data.
4.2.3. “Data Subject(s)” refers to any individual(s) from whom or in respect of whom Personal Data has been requested, collected, collated, processed or stored.
4.2.4. “Personal Data” refers to information about an identifiable person, that is recorded in any form and includes Consumer Credit Information.
4.2.5. “Processing”, means any operation which is performed upon collected data by automated means or otherwise including the collection, receipt, recording, organisation, collation, storage, updating, amendment, retrieval, reading, analysing, use and/or sharing of your Personal Data in the ways set out in this privacy notice. When we do one or more of these actions with your Personal Data, we are “Processing” your Personal Data.
4.2.6. “Special Personal Data” means categories of particularly sensitive Personal Data, such as your health or sexual life, religious or philosophical beliefs, political opinion, financial information and medical records. We minimise the processing of Special Personal Data to what is strictly necessary to achieve a lawful purpose. We will only process Special Personal Data in the exercise or performance of an obligation imposed on us by a specific law and where the information is given freely with your consent. gnuGrid CRB has put in place appropriate policies and safeguards to ensure we apply the strictest privacy standards when we process Special Personal Data.
- Collecting your Personal Data
5.1. When processing Personal Data of a consumer in terms of the CRB Regulations, gnuGrid CRB limits the collection of Personal Data to include only what is permitted in terms of the CRB Regulations (both from a data field and data source perspective) and which is necessary to our clients for credit application to enable them to make meaningful and accurate decisions. We also collect Personal Data of our customers and vendors to comply with contractual obligations, legal requirements or for operational business purposes. Furthermore, we ensure that our retention policies are compliant with applicable legal requirements. Our sources of Personal Data are:
5.1.1. The Data Subject to whom the Personal Data relates;
5.1.2. Financial institutions regulated by Bank of Uganda under the FIA and the MDI Act.
5.1.3. Public Sources, like courts of law;
5.1.4. Registered societies and accredited credit providers such as money lenders;
5.1.5. other registered credit bureaus.
- Categories of Personal Data we process, and the purpose(s) for our processing
We collect and process certain consumer Personal Data to conduct our pre-contract vetting processes, deliver the product(s) or service(s) requested and to facilitate the best possible experience when clients engage with us or use our products and services.
| Category of Personal Data | Purpose for processing |
| --- | --- |
| Consumer Credit Information relating to Data Subjects | Make, or assist in making or performing duties in terms of any agreement with clients, performing our duties and responsibilities as a registered credit bureau, as well as complying with legal obligations relating to our business. |
| Information Incorporated in a Consumer’s credit report | To form a view of Data Subjects as individuals and to identify, develop or improve products in line with our operations as a credit bureau, that may be of interest to clients, by assisting clients in making credit decisions about consumers, carrying out market research, business, and statistical analysis, performing administrative functions, performing duties in terms of any agreement with clients, operate and manage accounts and manage any application, agreement or correspondence data subjects may have with GnuGrid CRB and complying with the GnuGrid and other legal obligations. |
| Payment details such as credit card or debit card details, and the value of the transaction | To facilitate payment for our product(s) and services, where the services you request carry a cost. |
| Vendor / Supplier information including, name(s) and contact details, ID numbers, directors’ and senior managers’ information, banking details, and other financial | Purpose includes verifying information and performing necessary checks, performing obligations in agreement with the vendor or managing the business relationships between the parties, payment of invoices, and complying with the GnuGrid CRB’s regulatory and |
| name(s), contact numbers and/or e-mail address, directors and senior | Activities relating to the processing of a prospect’s information including verifying and updating information, pre-scoring / contractual pre contract |
| Security information may include security-related verification questions. | To facilitate secure use of our platforms, to answer any queries you may have, and effectively identify you when you contact us. |
We will only use your Personal Data for the purposes for which we collected it, or a purpose that is reasonably compatible with the original purposes for collection, as indicated above.
- What is our legal basis for processing Personal Data?
7.1. We will only process your Personal Data in accordance with applicable Data Privacy laws, which require that we must satisfy at least one prescribed legal basis for processing. Depending on the context of the processing activity, we rely on a number of different conditions for the activities we carry out. The legal bases we rely on include:
7.1.1. where we need to perform under an agreement that we have concluded with our client, or to take steps at the request of the data subject e.g. to meet our obligations in terms of a contract we have concluded;
7.1.2. where the law authorises or requires us to do so;
7.1.3. processing for compliance with a legal obligation to which the Data Subject is subject; or
7.1.4. where you have consented to such processing;
7.1.5. In rare cases, we may process your Personal Data where:
7.1.6. we need to process for medical purposes;
7.1.7. we need to do so in the public interest;
7.1.8. if it is necessary for national security; or
7.1.9. the information is necessary for prevention, detection, investigation, prosecution or punishment of an offence or breach of law.
7.2. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your Personal Data.
- Am I obliged to provide this Personal Data?
Below is an explanation of when the processing of your information is voluntary or mandatory, depending on the specific context.
8.1. As a registered and regulated Credit Bureau, GnuGrid CRB is required by law to collect and process your Consumer Credit Information (which qualifies as Personal Data) if you are a “consumer” under the CRB Regulations. In this instance you do not have to provide your Consumer Credit Information, as it will be collected directly from original sources of Consumer Credit Information. In such an instance, we are required to collect and process your Personal Data as provided for under the CRB regulations.
8.2. When you engage with our website, staff, products, or services:
8.2.1. Website: The collection of certain Personal Data via essential cookies is necessary for the effective functionality of our website. In these instances, we will communicate this to you when you first arrive at our website. We obtain your consent when we use non-essential cookies, or technology similar to cookies, and/or collect information about the device you use to access our website. Sometimes we work with third parties who carry out these activities on our behalf. You will be asked to consent to the use of non-essential cookies before using our website, but you are not obliged to provide such consent. The processing of information via non-essential cookies is voluntary i.e. based on your consent.
8.2.2. Engagement with our staff: When you contact gnuGrid CRB for assistance, we will ask you to provide some Personal Data such as a copy of your ID for verification purposes. The provision of this information is not mandatory but a failure to provide such information may negatively affect your ability to do business with GnuGrid CRB, and / or the quality of service you receive.
8.2.3. Products or services by gnuGrid CRB: When you enquire about or apply for gnuGrid CRB products or services, we will ask you to provide some Personal Data for us to enter into an agreement and provide the products and services accordingly. This information is necessary for us to manage our relationship and effectively meet our obligations. Failure to provide information needed may result in our inability to enter into an agreement and / or perform accordingly.
8.2.4. Unless required by law (such as the CRB regulations), for national security, medical purposes, or to enter into / perform according to an agreement, all provision of Personal Data to gnuGrid CRB is voluntary. In other instances, GnuGrid CRB will only process Personal Data with informed consent (usually captured and produced by the entity instructing GnuGrid CRB as a credit bureau). Consequences of not providing Personal Data or consent for certain types of processing include an inability to benefit from the proposed processing required by the relevant product or service. Where there may be any other consequences, those will be detailed in the specific request for consent.
- The Security of your Personal Data
9.1. We take the necessary technical and organisational measures to secure the integrity of information we are responsible for, using accepted technological standards to prevent unauthorised access to or disclosure of your Personal Data. We take all reasonable measures to protect your Personal Data from misuse, loss, alteration, or destruction.
9.2. We have put in place appropriate security measures to protect your Personal Data from accidental loss, unauthorised use, alteration, access, or disclosure. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to access the information. They will only process your Personal Data on our instructions and are subject to a duty of confidentiality.
9.3. We review our information collection, storage and processing practices, including physical security measures from time to time, to keep up to date with good industry practice and standards. GnuGrid CRB has implemented procedures to address any suspected data breaches and will notify any applicable regulator of a breach where GnuGrid CRB is legally required to do so within the period in which GnuGrid CRB is required to issue such a notification. You will also be notified of any breach where the Regulator has requested GnuGrid CRB to notify, in the manner directed by the Regulator.
- Retention of Your Personal Data
10.1. We will only retain your Personal Data for as long as necessary to achieve the purposes for which it was collected and processed and not beyond the timelines set out by the law. This means we will keep your Personal Data for as long as we need it to provide the GnuGrid CRB products and services requested by our client (or by the data subject in limited instances) and no longer. We may also keep it to comply with our legal obligations, resolve any disputes and enforce our rights.
10.2. gnuGrid CRB retains your Personal Data in our credit information database in accordance with the data retention periods prescribed by the CRB Regulations and the Data Privacy laws of Uganda. For example, the CRB Regulations require that we display and use various categories of your information only for the maximum periods prescribed.
10.3. We retain certain elements of your information as long as is necessary, for the purpose of verifying the integrity of information that we may be required to process in the future or for information quality purposes (i.e. to prevent the re-loading of incorrect information). This information is securely stored and not used for any other purpose than information quality in support of our regulatory obligation to ensure the data we have is relevant and accurate and not duplicated.
10.4. Our reasons for retention may vary from one record or piece of information to the next and depend on the purposes for the storage and related operational business requirements and / or legal obligations; therefore the amount of time we keep your Personal Data for may vary.
10.5. In all cases, our need to use your Personal Data will be reassessed on a regular basis, and information which is no longer required for any purposes will be disposed of.
- Sharing your Personal Data
11.1. As a general rule, we will only share your Personal Data with those that need access to the information for us to achieve the purpose for which we have collected it, or to comply with an obligation imposed by law. Internally, we will only share your Personal Data on a “need-to-know” basis, i.e. with Employees who need access to the information to perform a task on our behalf.
11.2. Internally, we will only share your Personal Data on a “need-to-know” basis, i.e. with parties who need access to the information to perform a task on our behalf, which includes:
11.2.1. honouring credit report requests by yourself or your authorised agent or Bank of Uganda;
11.2.2. investigating and resolving any disputed information on your credit report;
11.2.3. data loading and management, to maintain the quality of our data;
11.2.4. managing any legal and court claims;
11.2.5. other divisions or companies within the group of companies to which we belong so as to provide joint content and services like registration, for transactions and customer support, to help detect and prevent potentially illegal acts and violations of our policies, and to guide decisions about our products, services, and communications;
11.2.7. our service providers under contract who help supply certain goods/services or help with parts of our business operations, including fraud prevention, bill collection, marketing, technology services (our contracts dictate that these goods suppliers or service providers only use your information in connection with the goods they supply or services they perform for us and not for their own benefit).
- Transborder Flow of Information
12.1. We store our Personal Data in Uganda.
12.2. We may engage service providers to support our business and they may be based or use data centres outside of Uganda. Whenever your Personal Data is transferred cross border, it will be done in line with the requirements of and receive a similar level of protection as described in this notice and the Data Protection and Privacy Act.
- Your rights
This section is only to be used to exercise your privacy rights as provided for in Privacy legislation. All credit bureau information is governed by the CRB Regulations, and any requests which relate to bureau information should be dealt with using the CRB Regulations.
13.1. You have rights under applicable Data Privacy laws in relation to your Personal Data, which you may exercise under certain circumstances. To exercise these rights, kindly select “click here” to access the prescribed form as provided for under each right below, fill it in its entirety and send it to email@example.com. For hard copy exercise of your rights, you may also request the prescribed forms from the aforementioned email address or GnuGrid CRB call centre (details found under the contact us now section) or reception. For information on the categories of Personal Data we process, please refer to paragraph 6 of this notice.
13.2. You may have the right to:
13.2.1. Request for confirmation of Personal Data we hold about you. This right enables you to get confirmation on the categories of Information we hold about you.
We hold information on most consumers in Uganda. To confirm what categories of information we hold on you, please contact firstname.lastname@example.org to access a copy of your credit report.
13.2.2. Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data that GnuGrid CRB has about you. “Click here” to request access to the Personal Data we hold about you.
Should you wish to access credit bureau information as regulated by the CRB regulations, please contact email@example.com for a copy of your credit report.
13.2.3. Request correction of the Personal Data that we hold about you. This enables you to ensure that any incomplete or inaccurate data that gnuGrid CRB holds about you is corrected. Kindly contact firstname.lastname@example.org, to request correction of your Personal Data.
This excludes any request relating to credit bureau information as regulated by the CRB Regulations. To dispute credit bureau information, please use email@example.com.
13.2.4. Request erasure of your Personal Data. This enables you to request that gnuGrid CRB delete or remove Personal Data where there is no lawful basis for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (described below), or where we are required to erase or anonymise your Personal Data to comply with applicable law. gnuGrid CRB may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you (for example where the data is processed in terms of the CRB Regulations), if applicable, at the time of your request. Please contact firstname.lastname@example.org to request an erasure of your Personal Data.
13.2.5. Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide you with certain services to which you subscribe.
We will advise you if this is the case at the time you withdraw your consent. Please note that we may continue to process your Personal Data in certain instances where we are not relying on your consent. Please contact our Data Privacy Office via contact details provided for below.
If you want to exercise any of these rights, please contact the gnuGrid CRB Data Privacy Office via email@example.com.
13.3. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it.
13.4. Should your request or dispute relate specifically to credit bureau information, please refer to the Bureau dispute process.
- Maintenance of your Personal Data
14.1. We encourage you to assist us in maintaining the accuracy of Personal Data by notifying us of any changes or by meeting your legal obligations regarding disputes logged.
14.2. Where Personal Data is submitted to GnuGrid CRB in terms of the CRB Regulations we cannot alter the information reported by providers of Personal Data unless the information is confirmed to be wrong or inaccurate by the provider of the Personal Data (this is because the CRB Regulations have a clear procedure for managing disputes and the provider of the Personal Data is the Data Controller, which includes responsibility for maintaining the accuracy of the Personal Data).
14.4. Where GnuGrid CRB is the Data Controller, and you do not agree with the accuracy of your Personal Data which GnuGrid CRB has on file, we have procedures to ensure that such information is verified, and, where appropriate, amended or corrected. Please refer to our privacy rights section above.
- Queries and Complaints
15.1. If you have questions about our privacy notice or wish to contact us, please contact our Information Officer at firstname.lastname@example.org. Our dedicated Data Privacy Office is available to attend to any query you may have.
15.2. Should your query not be resolved to your satisfaction, you may contact the General Legal Counsel at email@example.com.
15.3. As we are a member of the Credit Bureau Association, you can also contact them. Their details are available online.
15.4. Where the above channels have not addressed your query or complaint appropriately, you have the right to make a complaint at any time to the government body / regulator responsible for enforcement of Privacy laws (e.g. the information regulator in Uganda). Details of the relevant regulator may be accessed at the Personal Data Protection Office of Uganda via or requested via firstname.lastname@example.org