Data Protection Policy

1. Purpose of This Policy

This Data Protection Policy explains how Consumer Publications Uganda Limited manages and protects personal data collected through the Business Excellence Awards Online Survey Portal.

The purpose of this Policy is to ensure that all personal data collected through the Portal is handled lawfully, fairly, transparently, securely, and only for legitimate award-related purposes.

2. Scope of This Policy

This Policy applies to registered voters, website visitors, nominees, award participants, Portal administrators, technical support teams, service providers who support the Portal, and any other person whose personal data is collected or processed through the Portal.

3. Data Protection Principles

a) Lawful and Fair Collection

Personal data shall be collected only for lawful, clear, and legitimate purposes related to the Business Excellence Awards.

b) Transparency

Users shall be informed about the type of information collected, why it is collected, and how it will be used.

c) Purpose Limitation

Personal data shall only be used for purposes connected to voter registration, voting, nominee management, award administration, verification, reporting, communication, security, and compliance.

d) Data Minimisation

Only data that is necessary for the proper functioning of the Portal shall be collected.

e) Accuracy

Reasonable steps shall be taken to ensure that personal data is accurate, complete, and updated where necessary.

f) Security

Personal data shall be protected against unauthorised access, misuse, loss, alteration, destruction, or unlawful disclosure.

g) Accountability

Consumer Publications Uganda Limited, the Business Excellence Awards Secretariat, and authorised administrators shall be responsible for ensuring that data is handled in accordance with this Policy.

4. Categories of Data Processed

The Portal may process the following categories of data:

• Voter registration data
• Contact details
• Login and verification data
• Voting records
• Nominee information
• Technical logs
• Device and browser information
• Communication records
• Administrative audit records

5. Purpose of Data Processing

Data collected through the Portal may be processed for the following purposes:

• Registering voters
• Verifying voter accounts
• Enabling eligible users to vote
• Preventing duplicate or fraudulent voting
• Displaying nominees and award categories
• Managing the voting process
• Producing award-related reports
• Responding to user inquiries
• Maintaining Portal security
• Troubleshooting technical issues
• Complying with legal and regulatory obligations

6. Vote Integrity and Data Use

Voting data shall be used to support a fair, credible, and transparent awards process.

The Portal may use account details, voting timestamps, technical logs, IP addresses, and verification records to detect and prevent multiple voting where not permitted, bot activity, fake accounts, unauthorised access, manipulation of votes, and abuse of the voting system.

Voting reports may be generated for internal review, award verification, and final result management.

7. Access to Personal Data

Access to personal data shall be limited to authorised persons only, including designated Portal administrators, authorised award management personnel, technical support providers, and compliance or audit personnel where necessary.

All persons with access to personal data must handle it confidentially and only for authorised purposes.

8. Data Sharing and Disclosure

Personal data shall not be disclosed unnecessarily. Where disclosure is required, it shall only be done with the user’s consent, for legitimate award administration purposes, to authorised technical service providers, to comply with a legal obligation, to investigate misuse, fraud, or security incidents, or to protect the rights, safety, and integrity of the Portal and its users.

9. Data Storage and Retention

Personal data shall be stored securely and retained only for as long as necessary. Retention may be required for award verification, audit trail purposes, complaint handling, legal compliance, historical reporting, and protection against fraud or disputes.

Where data is no longer needed, it shall be securely deleted, anonymised, or archived.

10. Data Security Measures

The Portal shall apply reasonable security measures, which may include secure password storage, restricted administrator access, role-based access controls, secure hosting arrangements, monitoring of suspicious activity, regular backups, protection against unauthorised system access, and secure handling of verification codes and account credentials.

Users are responsible for keeping their passwords, OTP codes, and login details confidential.

11. Data Subject Rights

A person whose data is collected through the Portal may request to access their personal data, correct inaccurate information, update incomplete information, request deletion where legally permissible, object to unlawful or unnecessary processing, withdraw consent where applicable, and lodge a privacy-related complaint.

Requests shall be reviewed and handled within a reasonable period, subject to verification of the requester’s identity.

12. Handling Privacy Complaints

Any person who believes their personal data has been misused, mishandled, accessed without authority, or processed unfairly may submit a complaint to Consumer Publications Uganda Limited / Business Excellence Awards Secretariat.

Complaints should include full name, contact details, nature of the complaint, relevant account or voting details where applicable, and any supporting information. The Secretariat shall review the complaint and take appropriate action.

13. Data Breach Management

Where a data security incident occurs, the Portal administrators shall take reasonable steps to identify the nature and cause of the incident, contain the breach, assess the impact, notify affected persons where necessary, notify the relevant authority where legally required, and take corrective measures to prevent recurrence.

14. Third-Party Service Providers

The Portal may rely on third-party service providers for hosting, email delivery, technical maintenance, security, analytics, or related services. Such service providers shall only process data for authorised purposes and are expected to maintain appropriate confidentiality and security standards.

15. Staff and Administrator Responsibility

All authorised staff, administrators, contractors, and service providers who handle Portal data are expected to use data only for authorised purposes, keep data confidential, avoid unauthorised copying, sharing, or downloading of data, report suspected breaches or misuse immediately, and follow approved data protection procedures.

16. Review of This Policy

This Data Protection Policy may be reviewed and updated from time to time to reflect changes in the Portal, changes in the voting process, legal or regulatory updates, security improvements, and operational changes in the Business Excellence Awards. The latest version shall be published on the Portal.

17. Contact for Data Protection Matters