Toll-free: 9080

Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 1 - Purpose of this Law

Art. 2 - Scope of this Law

Art. 3 - Definitions

Art. 4 - Authorisation to process personal data

Art. 5 - Privacy of the data subject

Art. 6 - Consent of the data subject

Art. 7 - Indication of other matters in the declaration of consent

Art. 8 - Right of the data subject to withdraw his or her consent

Art. 9 - Processing a child’s personal data

Art. 10 - Grounds for processing sensitive personal data

Art. 11 - Safeguards to process sensitive personal data

Art. 12 - Processing personal data of a convict

Art. 13 - Processing of personal data which does not require data subject’s identification

Art. 14 - Source of personal data

Art. 15 - Quality of personal data

Art. 16 - Personal data logging

Art. 17 - Maintaining records of processed personal data

Art. 18 - Right to personal data

Art. 19 - Right to object

Art. 20 - Right to personal data portability

Art. 21 - Right not to be subject to a decision based on automated data processing

Art. 22 - Right to restriction of processing of personal data

Art. 23 - Right to erasure of personal data

Art. 24 - Right to rectification

Art. 25 - Right to designate an heir to personal data

Art. 26 - Right to representation

Art. 27 - Duties of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 28 - Powers of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 29 - Registration as a data controller or a data processor

Art. 30 - Requirements for registration as a data controller or a data processor

Art. 31 - Issuance of a registration certificate

Art. 32 - Reporting a change after receiving a registration certificate

Art. 33 - Renewal of a registration certificate

Art. 34 - Modification of a registration certificate

Art. 35 - Cancellation of a registration certificate

Art. 36 - Register of data controllers and data processors

Art. 37 - Principles relating to processing of personal data

Art. 38 - Duties of the data controller and the data processor

Art. 39 - Designation of a representative of the data controller or the data processor

Art. 40 - Designation of the personal data protection officer

Art. 41 - Duties of the personal data protection officer

Art. 42 - Information to be provided during personal data collection

Art. 43 - Notification of personal data breach

Art. 44 - Report on personal data breach

Art. 45 - Communication of a personal data breach to the data subject

Art. 46 - Lawful processing of personal data

Art. 47 - Measures to ensure security of personal data

Art. 48 - Sharing and transfer of personal data outside Rwanda

Art. 49 - Contract for transfer of personal data

Art. 50 - Storage of personal data

Art. 51 - Migration and management of personal data after change or closure of business

Art. 52 - Retention of personal data

Art. 53 - Administrative misconducts

Art. 54 - Filing an application to the court

Art. 55 - Place where the administrative fine is deposited

Art. 56 - Accessing, collecting, using,offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law

Art. 57 - Re-identification of de-identified personal data in a way that is contrary to this Law

Art. 58 - Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this La

Art. 59 - Sale of personal data in a way that is contrary to this Law

Art. 60 - Collecting or processing of sensitive personal data in a way that is contrary to this Law

Art. 61 - Providing false information

Art. 62 - Punishment of a corporate body or a legal entity

Art. 63 - Additional penalties

Art. 64 - Organ in charge of settlement of disputes

Art. 65 - Right to claim for compensation

Art. 66 - Power to put in place regulations

Art. 67 - Transitional period

Art. 68 - Drafting, consideration and adoption of this Law

Art. 69 - Repealing provision

Art. 70 - Commencement

Art. 11

Safeguards to process sensitive personal data

When processing sensitive personal data, the data controller or the data processor must:

comply with requirements for personal data protection or personal data monitoring as required by this Law;
comply with applicable sensitive personal data retention periods established by this Law;
put in place measures to strengthen capacities of staff involved in the processing of sensitive personal data;
put in place measures to access sensitive personal data processed by the data controller or the data processor;
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the data subject, including, where appropriate, storing sensitive personal data separately from other types of data, and applying measures such as tokenisation, pseudonymisation or encryption.