What are the key principles for processing personal data?

Rwanda’s law on the protection of personal data and privacy was officially gazetted on October 15, 2021, and applies to individuals and institutions established in and outside of Rwanda that process the personal data of individuals in Rwanda.

Among other objectives, two of the law's primary goals are:

  1. Empowering citizens with agency over their personal data
  2. Enabling trusted and secure data flows, domestically and internationally

To achieve these two objectives, the current law features 6 key principles that all data controllers and data processors must abide by when processing the personal data of individuals in Rwanda.

These key principles not only ensure the protection of personal data and guarantee the privacy of data subjects, but also ensure that all data controllers or data processors are obliged to comply with the law as intended, or risk committing an offence.

According to Rwanda’s law on the protection of personal data and privacy, the data controller and data processor must ensure that the data subject’s personal data are:

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes
  3. Related to the purposes for which their processing was requested
  4. Accurate and, where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  6. Processed in compliance with the rights of data subjects