Rwanda’s law on the protection of personal data and privacy (DPP Law)

Art. 3


In this Law, the following terms have the following meanings:

  1. personal data: any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person;
  2. sensitive personal data: information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details;
  3. encryption: technical method used to render the content of data unreadable to any person who is not authorised to access it;
  4. processing of personal data: an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as access to, obtaining, collection, recording, structuring, storage, adaptation or alteration, retrieval, reconstruction, concealment, consultation, use, disclosure by transmission, sharing, transfer, or otherwise making available, sale, restriction, erasure or destruction;
  5. register of data controllers and data processors: a system of records physical or electronic of registered data controllers and data processors;
  6. privacy: a fundamental right of a person to decide who can access his or her personal data, when, where, why and how his or her personal data can be accessed;
  7. significant consequences: effects that are as similarly significant in their impact as legal effects and that adversely affect a data subject’s behaviour or choices;
  8. legal consequences: effects that adversely affect a person’s legal status or his/her legal rights;
  9. tokenisation: the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security;
  10. vital interests: interests linked to life or death of data subject;
  11. profiling: form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse and predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  12. personal data logging: the process of recording personal data processing activities over a period of time for the purpose of event monitoring and auditing in an automated processing system;
  13. personal data breach: a breach of personal data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  14. pseudonymisation: the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information kept separately;
  15. data subject: a natural person from whom or in respect of whom, personal data has been requested and processed;
  16. recipient: a natural person, a public or private corporate body or legal entity to which the personal data are disclosed;
  17. user: a natural person, a public or private corporate body or a legal entity, who uses or who requests personal data processing service;
  18. consent of the data subject: freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  19. data controller: natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing;
  20. person: natural person, corporate body or legal entity;
  21. third party: natural person, corporate body or legal entity other than the data subject, the data controller, the data processor and persons who, under the authority of the data controller, are authorised to process personal data;
  22. competent authority: sectoral authority responsible for overseeing sector-specific compliance in conjunction with the supervisory authority;
  23. supervisory authority: a public authority in charge of cyber security;
  24. data processor: public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller.