At Payroll Consults Africa Limited ("PCA," "we," "us," or "our"), we serve as an intermediary platform connecting financial institutions with government payroll systems to facilitate authorized payroll deductions. We are committed to protecting the privacy of all parties involved and handling personal data responsibly in compliance with the Data Protection and Privacy Act, 2019, and other applicable laws in Uganda.
This Privacy Statement applies to personal data we process in our capacity as both data controller and data processor, depending on the specific service and relationship. Our services involve multiple stakeholders, and this statement covers data processing for all parties involved in our ecosystem.
Questions? Contact our Data Protection Officer at info@pcuganda.com or call +256 414 532 287.
1. Who We Are and Our Role
Payroll Consults Africa Limited (PCA) operates as an authorized intermediary platform that facilitates payroll deduction services between multiple parties:
Our Ecosystem Participants:
- Financial Institutions & Lenders: Banks, SACCOs, microfinance institutions, and other licensed lenders
- Government Entities: Ministry of Public Service, employing ministries, departments, and agencies
- Civil Servants: Government employees accessing financial services through our platform
- System Users: Authorized personnel from financial institutions and government entities
- Service Providers: Third-party vendors supporting our platform operations
We are registered under relevant Ugandan laws and operate under authorization from the Ministry of Public Service. Depending on the specific data processing activity, we act as:
- Data Controller: When determining purposes and means of processing (e.g., platform operations, user management)
- Data Processor: When processing on behalf of financial institutions or government entities (e.g., deduction processing, reporting)
- Joint Controller: When sharing processing responsibilities with government entities for specific functions
2. Personal Data We Collect by Data Subject Category
The personal data we collect varies depending on your relationship with our platform:
A. Civil Servants & Government Employees
- Employment Data: Employee number, department, position, salary information, terms of employment
- Identity Information: Full name, National ID, date of birth, gender
- Contact Details: Phone number, email address (where provided)
- Financial Information: Bank details, existing deductions, affordability calculations
- Deduction Records: Loan amounts, installment schedules, payment history
B. Financial Institution Personnel
- Professional Data: Name, position, institution affiliation, contact information
- System Access: Username, login credentials, access permissions
- Activity Logs: System usage, transaction records, audit trails
- Communication Records: Platform messages, notifications, correspondence
C. Government Entity Personnel
- Official Data: Name, ministry/department, role, contact information
- Authorization Records: Approval permissions, validation credentials
- System Activity: Platform usage, validation actions, reporting activities
D. All Platform Users
- Technical Data: IP address, browser information, session data, platform analytics
- Security Data: Login attempts, access logs, security incident records
Data Minimization: We collect only data necessary for authorized deduction processing, regulatory compliance, and platform security.
3. How We Collect Data by Source
Government Sources
- Ministry of Public Service: Employee verification, payroll data, employment status
- Employing Entities: Departmental confirmations, salary information, authorization approvals
- Government Databases: Authenticated employee records, validation data
Financial Institution Sources
- Loan Applications: Customer data submitted for deduction requests
- Institution Systems: Lending decisions, repayment schedules, account information
- User Registrations: Platform access requests, authorization documents
Direct Collection
- Platform Interactions: User registrations, system usage, help desk contacts
- Document Uploads: Consent forms, loan agreements, supporting documentation
- Communication: Email correspondence, platform messages, phone interactions
Automated Collection
- System Logs: Platform usage analytics, security monitoring, performance data
- Integration APIs: Real-time data synchronization with authorized systems
All data collection occurs under proper legal authorization and with appropriate consent where required.
4. Purposes and Legal Basis for Multi-Party Processing
For Government & Civil Servants
- Employee Verification: Confirming employment status and salary information
  Legal basis: Legal obligation (Government authorization)
- Deduction Authorization: Processing approved payroll deductions
  Legal basis: Legal obligation & Consent
- Compliance Reporting: Providing required reports to government entities
  Legal basis: Legal obligation (DPPA Section 19(2)(b))
For Financial Institutions
- Loan Facilitation: Processing deduction requests and confirmations
  Legal basis: Contract performance (Service agreements)
- Risk Management: Affordability verification and fraud prevention
  Legal basis: Legitimate interests
- Regulatory Compliance: AML/KYC requirements, prudential reporting
  Legal basis: Legal obligation
Platform Operations
- System Security: Access control, audit trails, incident response
  Legal basis: Legitimate interests
- Service Delivery: Platform functionality, user support, system maintenance
  Legal basis: Contract performance
- Analytics: Platform improvement, usage optimization (anonymized data)
  Legal basis: Legitimate interests
We do not process sensitive personal data without explicit consent or clear legal requirement (DPPA Section 18).
5. Data Sharing Within Our Authorized Ecosystem
Data sharing occurs only within our authorized network and as required for legitimate deduction processing:
Government Entity Sharing
- Ministry of Public Service: Employee verification, deduction confirmations, compliance reporting
- Employing Ministries/Departments: Deduction authorizations, payroll coordination
- Regulatory Bodies: Compliance reports, audit information (as legally required)
Financial Institution Sharing
- Authorized Lenders: Employee verification, affordability confirmations, deduction status
- Banking Partners: Payment processing, account verification (under strict agreements)
- Credit Reference: Deduction history (with consent and for credit assessment)
Service Provider Sharing
- IT Infrastructure: Cloud hosting, system maintenance (under DPPA-compliant contracts)
- Security Services: Cybersecurity monitoring, incident response
- Legal/Audit: Professional advisors bound by confidentiality
Cross-Border Transfers
- Limited Scope: Only for essential IT infrastructure (cloud services, security)
- Adequate Protection: Transfers only to jurisdictions with adequate data protection
- Contractual Safeguards: Binding agreements ensuring DPPA compliance (Section 30)
Important: We never sell personal data to third parties. All sharing is limited to authorized ecosystem participants under strict contractual and legal obligations.
6. Data Retention by Category and Purpose
Retention periods vary based on data type, legal requirements, and our role as controller or processor:
Government/Civil Servant Data
- Employment Records: Duration of deduction plus 7 years (regulatory requirement)
- Deduction History: 10 years post-completion (financial records law)
- Verification Data: 3 years post-last transaction (operational need)
- Audit Trails: 7 years (compliance requirement)
Financial Institution Data
- User Account Data: Duration of service agreement plus 3 years
- Transaction Records: 10 years (AML/CFT requirements)
- Communication Records: 5 years (business records)
- Contract Documents: 10 years post-termination
Platform Operations Data
- System Logs: 2 years (security and performance monitoring)
- Analytics Data: 18 months (anonymized operational insights)
- Security Incidents: 5 years (cybersecurity best practice)
- Support Records: 3 years (service quality)
After retention periods expire, we securely delete, anonymize, or return data to the relevant controller as required (DPPA Section 18(4)).
7. Your Rights as a Data Subject
Under the DPPA (Sections 24-28), you have the following rights:
- Access: Request confirmation and details of your data we process
- Rectification: Correct inaccurate or incomplete data
- Erasure: Delete data when no longer needed (subject to legal holds)
- Objection/Restriction: Object to processing (e.g., marketing) or restrict it
- Portability: Receive your data in a structured, machine-readable format
- Withdraw Consent: At any time, without affecting prior lawful processing
Making Requests: Contact our Data Protection Officer in writing. We respond within 30 days.
Complaints: Contact us first, or the PDPO at pdpo@pdpo.go.ug or +256 417 801 008.
8. Security Measures
We implement comprehensive security measures including:
- Technical: Encryption, firewalls, secure servers, access controls
- Organizational: Staff training, confidentiality agreements, regular security audits
- Physical: Secured offices, restricted access to data storage areas
In case of a data breach, we notify affected parties and the PDPO within 72 hours if required (Regulations 2021, Regulation 48).
9. Cookies and Tracking
Our website uses cookies for:
- Essential functionality (login sessions, security)
- Analytics and performance monitoring
- Marketing and personalization (with consent)
You can manage preferences via browser settings or our cookie banner. See our Cookie Policy for details.
10. Marketing Communications
We may send service updates and promotional content via email/SMS with clear opt-out options. All marketing communications require prior consent and include unsubscribe mechanisms.
11. Changes to This Statement
We may update this statement to reflect legal or operational changes. We will notify you via email or our website. The latest version is always available at www.pcuganda.com/privacy.
12. Contact Information for All Stakeholders
PCA Data Protection Office
Data Protection Officer: Ntale Ian
Email: admin@pcuganda.com
Phone: +256 414 532 287
Address: 3-4 New Port Bell Road, Kampala, Uganda
Regulatory Complaints:
Personal Data Protection Office (PDPO)
7th Floor Padre Pio House, Plot 32 Lumumba Ave, Kampala
Website: www.pdpo.go.ug
Email: pdpo@pdpo.go.ug
Phone: +256 200 707 100
Acknowledgment by Stakeholder Category
Civil Servants: By participating in payroll deductions through our platform, you acknowledge this privacy statement.
Financial Institutions: By using our platform services, you confirm compliance with this privacy framework.
Government Entities: By authorizing our services, you acknowledge our data processing practices as outlined.
All Users: Continued use of our platform constitutes acceptance of this Privacy Statement.