Toll-free: 9080

Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 1 - Purpose of this Law

Art. 2 - Scope of this Law

Art. 3 - Definitions

Art. 4 - Authorisation to process personal data

Art. 5 - Privacy of the data subject

Art. 6 - Consent of the data subject

Art. 7 - Indication of other matters in the declaration of consent

Art. 8 - Right of the data subject to withdraw his or her consent

Art. 9 - Processing a child’s personal data

Art. 10 - Grounds for processing sensitive personal data

Art. 11 - Safeguards to process sensitive personal data

Art. 12 - Processing personal data of a convict

Art. 13 - Processing of personal data which does not require data subject’s identification

Art. 14 - Source of personal data

Art. 15 - Quality of personal data

Art. 16 - Personal data logging

Art. 17 - Maintaining records of processed personal data

Art. 18 - Right to personal data

Art. 19 - Right to object

Art. 20 - Right to personal data portability

Art. 21 - Right not to be subject to a decision based on automated data processing

Art. 22 - Right to restriction of processing of personal data

Art. 23 - Right to erasure of personal data

Art. 24 - Right to rectification

Art. 25 - Right to designate an heir to personal data

Art. 26 - Right to representation

Art. 27 - Duties of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 28 - Powers of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 29 - Registration as a data controller or a data processor

Art. 30 - Requirements for registration as a data controller or a data processor

Art. 31 - Issuance of a registration certificate

Art. 32 - Reporting a change after receiving a registration certificate

Art. 33 - Renewal of a registration certificate

Art. 34 - Modification of a registration certificate

Art. 35 - Cancellation of a registration certificate

Art. 36 - Register of data controllers and data processors

Art. 37 - Principles relating to processing of personal data

Art. 38 - Duties of the data controller and the data processor

Art. 39 - Designation of a representative of the data controller or the data processor

Art. 40 - Designation of the personal data protection officer

Art. 41 - Duties of the personal data protection officer

Art. 42 - Information to be provided during personal data collection

Art. 43 - Notification of personal data breach

Art. 44 - Report on personal data breach

Art. 45 - Communication of a personal data breach to the data subject

Art. 46 - Lawful processing of personal data

Art. 47 - Measures to ensure security of personal data

Art. 48 - Sharing and transfer of personal data outside Rwanda

Art. 49 - Contract for transfer of personal data

Art. 50 - Storage of personal data

Art. 51 - Migration and management of personal data after change or closure of business

Art. 52 - Retention of personal data

Art. 53 - Administrative misconducts

Art. 54 - Filing an application to the court

Art. 55 - Place where the administrative fine is deposited

Art. 56 - Accessing, collecting, using,offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law

Art. 57 - Re-identification of de-identified personal data in a way that is contrary to this Law

Art. 58 - Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this La

Art. 59 - Sale of personal data in a way that is contrary to this Law

Art. 60 - Collecting or processing of sensitive personal data in a way that is contrary to this Law

Art. 61 - Providing false information

Art. 62 - Punishment of a corporate body or a legal entity

Art. 63 - Additional penalties

Art. 64 - Organ in charge of settlement of disputes

Art. 65 - Right to claim for compensation

Art. 66 - Power to put in place regulations

Art. 67 - Transitional period

Art. 68 - Drafting, consideration and adoption of this Law

Art. 69 - Repealing provision

Art. 70 - Commencement

Art. 38

Duties of the data controller and the data processor

In compliance with the principles of the processing of personal data, the data controller and the data processor discharge the following duties:

to implement appropriate technical and organisational measures;
to keep a record of personal data processing operations;
to carry out personal data protection impact assessments where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person;
to perform such other duty as may be assigned to him or her by the supervisory authority

The personal data protection impact assessment referred to in item 3o of Paragraph one of this Article is carried out in case of:

a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing of personal data, including profiling, and on which decisions that produce effects concerning such persons are based;
processing on a large scale of sensitive personal data;
a systematic monitoring of a publicly accessible area on a large scale;
processing of personal data identified by the supervisory authority as likely to result in a high risk to the rights and freedoms of natural persons;
new technologies used to process personal data.