What should Data Subjects know about Privacy Policies?

What is a Privacy Policy?

A privacy policy is a legal document that explains in simple language how an organization handles any customer, client or employee information gathered in its data processing activities. The presence of a privacy policy is a good indicator that an organization processes personal data safely and lawfully.

What kind of information should a Data Subject look for in a privacy policy?

Privacy policies seek to provide answers to Data Subjects on these key questions:

  • Why is your data used?
  • What data is collected?
  • How is your data collected?
  • How is your data stored and for how long?
  • How will your data be used in marketing?
  • What are your data protection rights?
  • How are cookies used?
  • How do you contact the data controller in the case of a data query?

Are Privacy Policies required for Data Controllers in Rwanda?

Privacy Policies are not stated as a mandatory requirement for data controllers processing personal data of individuals residing in Rwanda; however, they are observed as an appropriate technical and organizational measure for fair, lawful and transparent processing.

Article 37 of Rwanda’s law on personal data protection and privacy (Principles relating to processing of personal data) states that personal data must be processed lawfully, fairly and in a transparent manner.

Additionally, article 38 (Duties of the Data Controller and the Data Processor) states that appropriate technical and organizational measures must be put in place to comply with the principles of processing personal data.

Privacy policies provide transparency to data subjects through the full disclosure of all the ways a data controller or data processor gathers, uses, and manages personal data. This makes a privacy policy an adequate measure to be considered during the registration of a Data Controller.

How do privacy policies help protect my privacy?

Empowering citizens with agency over their personal data is one of the main objectives of Rwanda’s personal data protection and privacy law, as privacy is guaranteed when data subjects are aware of, and have given consent to, how their data is being used.

Achieving this depends on the active participation of Data Subjects through best practices such as reading privacy policies, so that Data Subjects are fully aware of the methods of processing, and the rights they can exercise in managing personal data.

For any further information, please contact the Data Protection & Privacy Office through toll-free number 9080, or through email at dpp@dpo.gov.rw.