Privacy Notice

CREDITINFO CRB Uganda Limited is committed to protecting personal data in line with the Data Protection and Privacy Act ,2019 of Uganda. (hereinafter referred to as “DPPA”).
This Privacy Notice explains how CREDITINFO Uganda collects, processes, stores, and uses data that we collect from our customers when you use our bureau platform.
It also relates to all our services as provided to our customers from time to time.
In order to secure transparent processing and to comply with the duty to inform you about data processing, we have prepared this document to inform you about how Creditinfo Uganda uses your personal data, as well as about what rights you have under the Data Protection and Privacy Act ,2019

Who we are?

CREDITINFO Uganda CRB Ltd is a credit reference bureau licensed and regulated by Bank of Uganda under the Financial Institutions (Credit Reference Bureau) Regulations) SI No.106 of 2022 to carry on the business of collecting, compiling, disseminating, processing, storing, and updating credit information among financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers.
We also provide credit risk management services that help lenders make informed credit decisions.
In addition, Creditinfo is known for the generation and implementation of decision analytics such as scoring, credit policy rules and bench marking which have proved vital for lenders and creditors as they carry on business in the market.
We are located on the 3rd Floor, North Wing Soliz House, Plot 23, Lumumba Avenue, Nakasero, Kampala, Uganda.


What information do we collect?

At CREDITINFO Uganda, we collect;
  1. Negative or adverse information on the background and credit history relating to the nonperforming obligations and other accredited credit facilities classified as doubtful, substandard or loss of the customers of financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers.
  2. Information on customers of financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers involved in financial malpractices including bounced cheques due to lack of funds and fraud.
  3. Positive information regarding economic, financial, and commercial obligations of such customer of financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers or data subject that determines their overall debt exposure and capacity to repay.
  4. Personal identification data that our customers directly provide like Name, email address, phone number, postal address, function/position, organization, country of residence and other relevant information depending on the context.
CREDITINFO Uganda utilizes the information collected solely for the purposes set out in the law.

Name and address of the person responsible for the collection of the data.

  1. Name of the data controller. CREDITINFO Uganda CRB Limited is registered as a data collector, data controller and data processor under the Data Protection and Privacy Act,2019 under registration number PDPO-202111-0007.
  2. Contact details of the data protection officer.
    The data protection officer at Creditinfo Uganda is it’s Compliance Officer.
     Any questions, comments or requests you might have should be addressed to ug.dpo@creditinfo.com or in writing to the registered seat of Creditinfo addressed “attention DPO“.


Why do we collect personal data and legal basis?

The purpose of collection of data is to; Compile, disseminate, process, store, and update credit information among financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers for profiling, credit decisioning and credit risk management.

Creditinfo Uganda is required by law to process personal data.

Regulation 19 of the Financial Institutions (Credit Reference Bureau) Regulations) SI No.106 of 2022 requires Creditinfo to;
  • a. collect from financial institutions, microfinance deposit-taking institutions, registered societies and accredited credit providers, negative or adverse information on the background and credit history relating to the nonperforming obligations of the customers of such financial institutions, microfinance deposit-taking institutions, registered societies and accredited credit providers.
  • b. collect with the authorization of the data subject or customer of a financial institution, microfinance deposit-taking institution, registered society and accredited credit provider, compile positive information regarding economic, financial and commercial obligations of such customer or data subject in order to determine their overall debt exposure and capacity to repay.

Is the information collected required by law?

CREDITINFO Uganda is required by Regulation 19(1) of the Financial Institutions (Credit Reference Bureau) Regulations) SI No.106 of 2022, to collect negative or adverse information from financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers.
Regulation 19(2) also allows CREDITINFO Uganda with the authorization of the data subject or customer of a financial institution, microfinance deposit-taking institution, registered society and accredited credit provider, to compile positive information regarding economic, financial and commercial obligations of such customer or data subject in order to determine their overall debt exposure and capacity to repay.
Further to the above, Regulation 20 requires financial institutions, microfinance deposit-taking institutions, registered societies, and accredited credit providers without any requirement for consent from the customer; to submit to CREDITINFO Uganda
  1. all the details of non-performing loans and other accredited credit facilities classified as doubtful, substandard or loss,
  2. information on customers involved in financial malpractices including bounced cheques due to lack of funds and fraud.

Consequences on failure to submit information.

Where a financial institution, microfinance deposit-taking institution or registered society fails or neglects to submit to information that is required to be submitted under this regulation, the defaulting institution shall pay to Bank of Uganda a civil penalty of two hundred currency points, and, in the case of a continuing violation, an additional civil penalty not exceeding fifty currency points for each calendar day on which the violation continues.
A currency point is equivalent to twenty thousand Uganda shillings. (UGX 20,000/=).

Details of persons with whom personal data is shared.

CREDITINFO Uganda shares all the personal data collected with financial institutions, microfinance deposit-taking institutions, registered societies and accredited credit providers registered and operating within the Ugandan market.
The personal data and information is shared through a secure web platform.
CREDITINFO Uganda and its employees observe the perpetual duty of confidentiality with regard to all the data and information submitted or obtained under the provisions of these Regulations.

Data subject rights

Under the DPPA, CREDITINFO Uganda is mandated to respect the rights of data subjects while exercising its mandate as indicated in the Financial Institutions (Credit Reference Bureau) Regulations) SI No.106 of 2022.

Accordingly, data subjects have the following rights:

  1. Right of access to data collected wherein as a data subject, you are entitled to a free copy of a credit report at least twice every year. CREDITINFO Uganda is mandated to provide the data within 5 working days of receiving the request for data subject.
  2. Right to authorize a third party in writing to access a copy your credit report or in writing to request CREDITINFO Uganda to share a copy of your credit information with a third party.
  3. Right to request rectification of data collected where your credit information was obtained illegally, is inaccurate, erroneous or outdated.
  4. Right to lodge a complaint with regulator – Personal Data Protection Office.
  5. Right to prevent processing of personal data.
  6. Right to prevent processing of personal data for direct marketing.
  7. Right in relation to automated decision taking.
  8. Right to blocking, erasure and destruction of personal data.

Limitations to data subject rights

Any data subject’s request to delete data which shall be addressed in line with the Financial Institutions (Credit Reference Bureau) Regulations, 2022.

Data subjects and our customers can exercise their rights by doing the following.

  1. Making a formal request for their credit reports
  2. Dispute the information captured on your respective credit reports.

Data subject may exercise these rights through the following channels;

  1. Walk in and speak to our dedicated team of employees.
  2. Send an email to ug.disputes@creditinfo.com or ug.creditreports@creditinfo.com.
  3. Call us on +256200518600 or our Toll-Free Number +2560800333443.
  4. Visit our website ug.creditinfo.com to send in their requests.

How Creditinfo responds to data subject requests?

Upon receipt of a data subjects/customers request or dispute, CREDITINFO Uganda is mandated to rectify the record within 14 days from the date of receipt.

Data Right limitations.

CREDITINFO Uganda and its employees shall not;
  1. Release any information to any third party, other than the agent of a financial institution, microfinance deposit-taking institution, registered society or an accredited credit provider appointed for the purpose of providing external services to the financial institution or microfinance deposit-taking institution, registered society or accredited credit provider.
  2. Request, collect, disseminate or process information or data for any other purpose, other than in relation to its licensed business in Uganda.
  3. Sell, lease or transfer title, ownership, or possession of any data except as permitted by the Bank of Uganda.

How long personal data is retained?

CREDITINFO Uganda is required to retain all data for ten (10) years from the time it received or created the data.
Where such data relates to a debt obligation, CREDITINFO Uganda shall retain the data for ten (10) years after the debt is fully paid off or has been extinguished by any other procedure such as being written-off.

Notice of international data transfer and the safeguards in place.

CREDITINFO Uganda changed its main data hosting centre to CREDITINFO’s Regional Data Centre located in Kenya which qualifies as a personal data transfer under the DPPA.  
CREDITINFO Uganda assures all data subjects that it conducted an adequacy assessment on the Kenyan Data Protection and Privacy Law as required by Section 19(a) of the DPPA prior to the change and confirms that the Kenyan Law meets all the standards for data protection and privacy.
CREDITINFO Uganda has in place safeguards to ensure that there are no data breaches in the process of transferring personal data. These include;
  • i. Personal data and information is extracted and encrypted during transfer.
  • ii. The personal data and information is transferred through a secure encrypted connection (VPN)
  • iii. Access to personal data and information is restricted to CREDITINFO Uganda staff on a need-to-know only.
  • iv. The personal data and information is also segregated from other regional Creditinfo bureaus hosted in the same data centre.

Automated decision-making at CREDITINFO Uganda

CREDITINFO Uganda offers automated decision-making tools like the Creditinfo Instant Decisioning module (IDM) which is a platform for automated evaluation of credit reports that enable our customers digitize their credit applications as a value-add service. 



We also offer the Creditinfo Predictor Score which is a new scorecard and the Branch Transformation module (BTM) an application for data transformation to the required bureau format which is used to map data, transform it into valid xml file and dispatch to the Credit Bureau System.
Financial institutions, microfinance deposit-taking institutions, registered societies or accredited credit providers are advised not to solely rely on our automated decision during credit risk management. 


Our automated decision should be applied together with other internal considerations like credit policies of the institution.
The Automated decision may or may not significantly affect the data subject/ customer.
Where the decision based significantly affects the data subject, CREDITINFO Uganda is required to NOTIFY;
  1. It’s data subject/customer(s) as soon as is reasonably possible that the decision is based on automation.
  2. The data subject/customer of the right to request for a reconsideration of the decision.
  3. The data subject/customer that the decision shall be reconsidered within 21 days from the date of receipt of request by the data subject.

Security measures

CREDITINFO Uganda is committed to adopting appropriate, reasonable, technical, and organizational measures to ensure a level of security that are appropriate to the risks represented by the processing of data and the nature of the personal data to be protected.
Every employee receiving credit information is required to ensure and comply with the protection and security measures in place, confidentiality principles as well as the retention, and destruction policies as required by the DPPA, 2019.
We are also required to comply with the necessary security and control measures to avoid improper use of, access to and mismanagement of information in our possession as well as information to which we have access.
At CREDITINFO Uganda, we implement cyber security protocols to prevent unauthorized access to data subjects’ information both at rest and in transit. We also carry out data verification against external sources such as The National Identification and Registration Authority (NIRA), Uganda Registration Services Bureau (URSB), Courts of Judicature in a secure manner that enforces rigorous standards of security, reliability and efficiency and protects against any loss, unauthorized access, use and disclosure. We also ensure anonymity of data during decision analytics.

Some of the measures include;

  1. Transfer of Data through a secure encrypted connection
  2. Restricted staff access to data on a need-to-know basis only.
  3. Providing cyber security training to staff

CREDITINFO Uganda shall notify you on becoming aware of any Personal Information breach.

If you have any concerns or queries about this notice or require rectification of any personal information, please contact us by sending an email to ug.disputes@creditinfo.com.