Privacy Policy

MIC Global Risks Insurance Brokers (Uganda) Limited – Data Protection Policy

Version 1.0 – Effective 09/07/2024

Protecting your personal data is our priority.

MIC Global Risks Insurance Brokers (Uganda) Limited is committed to safeguarding the privacy and security of all personal data we process. This Data Protection Policy sets out our responsibilities, principles, and procedures for collecting, using, storing, and sharing personal information in compliance with the Data Protection and Privacy Act 2019 (Uganda) and other applicable regulations.

This policy applies to the personal data of our clients, to all our staff, and to third parties who handle personal data on our behalf. It outlines the rights of data subjects, our lawful bases for processing, and the measures we take to ensure data integrity, confidentiality, and availability.

We encourage you to read this policy carefully. If you have any questions or wish to exercise your data protection rights, please contact our Data Protection Officer using the details provided in the relevant section below.

Purpose: To describe MIC Global Risks Insurance Brokers (Uganda) Ltd’s responsibilities regarding the protection of personal data.

Scope: This policy applies to:

  • All clients’ Personal Data.
  • All staff of MIC Global Risks Insurance Brokers (Uganda) Ltd.
  • All third parties contracted to collect, use, retain, transfer, disclose, store, or destroy customer and staff Personal Data.
  • All locations where Personal Data is processed in the context of business activities or service provision.

Principles of Processing of Personal Data

  • Right to privacy – Personal Data shall be processed in accordance with the right to privacy of the Data Subject.
  • Lawfulness, Fairness and Transparency – Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
  • Purpose Limitation – Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
  • Data Minimization – Personal Data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
  • Accuracy – Personal Data shall be accurate and kept up to date.
  • Storage Limitation – Personal Data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary.
  • Integrity and Confidentiality – Personal Data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  • Valid explanation – A valid explanation shall be provided to a Data Subject whenever information relating to family or private affairs is required.
  • Transfer out of Uganda – Personal Data shall only be transferred out of Uganda if adequate data protection safeguards are in place or the Data Subject has consented to the transfer.

Policy Dissemination and Enforcement

Senior management shall ensure all employees are aware of and comply with this policy. Third parties engaged to process Personal Data on our behalf must also comply, and written commitment shall be obtained prior to granting access to data.

Data Protection by Design

A Data Protection Impact Assessment (DPIA) shall be conducted proactively for all new or enhanced systems, processes, or products that involve processing of Personal Data, especially where high risks to data subjects’ rights are identified.

External Compliance Reviews

The Board may call for an external data protection compliance audit to verify adequacy of controls, training, records management, privacy by design, consent, breach management, and other aspects.

Independent Assurance: The Internal Audit department shall independently evaluate the adequacy of implementation of this policy.

Record Keeping

Personal Data shall only be retained for as long as it is reasonably necessary to satisfy the purpose for which it is processed, unless retention is any of the following:

  • Required or authorized by law;
  • Reasonably necessary for a lawful purpose; or
  • Authorized or consented to by the Data Subject.

Direct Marketing

MIC Global Risks Insurance Brokers (Uganda) Ltd shall not provide, use, obtain, or procure Personal Data for direct marketing without prior consent of the Data Subject. This includes profiling for that purpose. We shall provide easy opt-out means for clients (e.g., physical and electronic).

Data Subject Rights

Under the Data Protection and Privacy Act 2019 and applicable laws, Data Subjects have the following rights:

  • Right to be informed of the use to which their Personal Data is to be put.
  • Right to access their Personal Data in custody of Data Controller or Data Processor.
  • Right to object to the collection or processing of all or part of their Personal Data.
  • Right to correction and/or deletion of false or misleading data about them.
  • Right to portability.
  • Right to erasure.
  • Right to object to direct marketing.
  • Right to withdraw consent.

To exercise any of these rights, please contact our Data Protection Officer (see Contact the DPO below).

Lawful Basis for Processing

MIC Global Risks Insurance Brokers (Uganda) Ltd shall not process Personal Data unless one of the following applies:

  • Consent of the Data Subject for one or more specified purposes.
  • Necessary for the performance of a contract to which the Data Subject is party.
  • Compliance with a legal obligation.
  • To protect the vital interests of the Data Subject or another person.
  • Performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests pursued by MIC or a third party, except if processing is unwarranted having regard to the rights and freedoms of the Data Subject.

Additional safeguards:

  • We register as a Data Controller and Processor with the Personal Data Protection Office and maintain a registration certificate.
  • We maintain a register of systems (reviewed at least annually) detailing data types stored and how they are secured and processed.
  • We determine the lawful basis for collecting/processing data (Consent, Contract, Legal obligation, or Legitimate interests under regulatory approval).
  • Where consent is relied upon, evidence of opt-in consent is securely kept, and revocation mechanisms are clearly available.
  • All Personal Data is adequate, relevant, and limited to what is necessary.
  • Reasonable steps are taken to ensure accuracy and, where necessary, to keep data up to date.
  • Archiving guidelines are in place to determine retention periods and reasons.
  • Access to Personal Data is limited to personnel who need it, with appropriate security to avoid unauthorized sharing.
  • When deleted, Personal Data is made irrecoverable.

If Personal Data is collected from someone other than the Data Subject, we inform the Data Subject promptly (within one month unless otherwise required) unless an exemption applies.

Third-Party Management

Before entering into any third-party relationship, MIC Global Risks Insurance Brokers (Uganda) Ltd conducts a risk assessment covering compliance, reputational, strategic, operational, and transactional risks. Third parties with access to Personal Data or confidential information must demonstrate adequate security policies, processes, and procedures. At a minimum, they must meet the following requirements:

  • Organization of Information Security – Have documented policies and measures to prevent unauthorised access; comply with applicable Information Security best practices.
  • Compliance and Accreditation – Comply with all applicable laws and regulations; conduct regular audits or evaluations (e.g., a SOC 2 report) covering the control environment, risk assessment, security procedures, physical and logical security, and monitoring (vulnerability scanning, penetration testing).
  • Business Continuity Management and Disaster Recovery – Develop, operate, and revise BCP/DR plans with defined roles, recovery time objectives (RTO), recovery point objectives (RPO), daily backups, off-site storage, and contingency plans commensurate with MIC’s requirements.
  • Secure Backup and Recovery – Have documented procedures for secure backup and recovery of MIC’s Personal Data, including transport, storage, and disposal of backup copies; provide such procedures upon request.

Personal Data Breaches

In the event of a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, or where there is reasonable ground to believe Personal Data has been accessed or acquired by an unauthorized person, the breach shall be:

  • Investigated promptly.
  • Reported within the prescribed period to the Personal Data Protection Office.
  • Communicated to the Data Subject in the prescribed manner (unless the identity of the Data Subject cannot be established).

We maintain an incident management plan to ensure timely remediation, impact assessments, and appropriate notifications.

Data Protection Officer

The Data Protection Officer shall:

  • Ensure IT systems and records management comply with all relevant data privacy laws, regulations, and policies (including retention and destruction).
  • Collaborate with Information Security to maintain records of data assets and exports, and maintain a data security incident management plan.
  • Implement measures and the privacy policy to manage data use in compliance with local and international laws, including assisting in vendor management reviews.
  • Work with key internal stakeholders to review projects and related data for compliance, complete and advise on privacy impact assessments where necessary.
  • Serve as the primary point of contact and liaison for the Personal Data Protection Office on all data protection matters.
  • Review vendor contracts and consents in liaison with the legal department.
  • Monitor changes to local privacy laws and make recommendations to the Board when appropriate.
  • Coordinate and conduct data privacy audits.
  • Collaborate with Information Security to raise employee awareness and provide training on data privacy and security.

Contact the DPO: For any data protection queries or to exercise your rights, please reach out to our DPO via email at dpo@micglobalrisks.ug or by post to the physical address provided at the end of this page.

Related Policies & Legislation:

  • Data Protection and Privacy Act 2019 (Uganda)
  • General Data Protection Regulation (GDPR) where applicable
  • Information Technology Security Policy
  • Incident Management Policy

Enforcement

Failure to comply with the provisions of this policy shall be subject to HR disciplinary actions, including suspension, summary dismissal, and/or termination of employment or contract in accordance with HR procedures. Third parties found in breach shall be subject to penalties or contract termination as prescribed in their contracts.

Violations may also expose the parties involved to personal liability under relevant legislation.

Document Control

Document Name: Data Protection Policy

Version: 1.0

Effective Date: 09/07/2024

Owner: IT Department, MIC Global Risks Insurance Brokers (Uganda) Limited

Author: AKK

Changes: Original Data Protection Policy development and adoption

Approver: As per Section 7 (Senior Management / Board)

Revisions shall be initiated by business needs or regulatory changes, reviewed biennially by the Board, and approved by Senior Management. The IT Policy team shall ensure a continuous improvement cycle.

File Number: MICUG-DPP-Ver -1.0

Definitions

Personal Data – Any information relating to an identified or identifiable natural person.

Sensitive Personal Data – Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health or sex life.

Data Subject – Any living individual who is the subject of Personal Data held by an organization.

Data Controller – The natural or legal person who determines the purposes and means of processing Personal Data.

Data Processor – A natural or legal person who processes Personal Data on behalf of the Data Controller.

Data Protection and Privacy Act, 2019 – The Ugandan statute governing the protection of personal data and privacy.

Third Parties – Persons other than the Data Subject, controller, or processor, authorized to process Personal Data on behalf of MIC.

Vendor – A person that provides goods or services to MIC.

Direct Marketing – Communication of advertising or marketing material directed at individuals.

GDPR – General Data Protection Regulation (EU).

Processing – Any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, disclosure, etc.

Personal Data Breach – An event leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Data Subject Consent – Freely given, specific, informed, and unambiguous indication of the Data Subject's wishes.

Removable Media – Storage devices that can be removed from a computer (e.g., USB drives, CDs).

Filing System – Any structured set of Personal Data accessible according to specific criteria.

Downloads

MIC Global Risks – Data Protection Policy (PDF)

For any data protection inquiries or to exercise your rights, please contact our Data Protection Officer at:
Email: dpo@micglobalrisks.ug
Physical Address: 5th Floor, Unit 502, Redstone House, LRV 1835, Folio 10, Plot 7, Bandali Rise, Bugolobi, P.O. Box 35524, Kampala, Uganda.