Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 17

Maintaining records of processed personal data

The data controller or the data processor must maintain a record of all personal data processing activities under his or her responsibility that indicates:

  1. the name and contact details of the data controller and, where applicable, the data processor, the controller’s representative or the data protection officer
  2. the purposes of the processing of personal data
  3. a description of the categories of data subjects and of the categories of personal data
  4. a full list of the recipients to whom personal data have been or will be disclosed, including those based in other countries;
  5. a description of transfers of personal data to any country outside Rwanda.
  6. where possible, the envisaged data retention periods for the different categories of personal data.

The data controller or the data processor submitsthe records of personal data processing activities to the supervisory authority on request.