Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 11

Safeguards to process sensitive personal data

When processing sensitive personal data, the data controller or the data processor must:

  1. comply with requirements for personal data protection or personal data monitoring as required by this Law;
  2. comply with applicable sensitive personal data retention periods established by this Law;
  3. put in place measures to strengthen capacities of staff involved in the processing of sensitive personal data;
  4. put in place measures to access sensitive personal data processed by the data controller or the data processor;
  5. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the data subject, including, where appropriate, storing sensitive personal data separately from other types of data, and applying measures such as tokenisation, pseudonymisation or encryption.