Toll-free: 9080

Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 1 - Purpose of this Law

Art. 2 - Scope of this Law

Art. 3 - Definitions

Art. 4 - Authorisation to process personal data

Art. 5 - Privacy of the data subject

Art. 6 - Consent of the data subject

Art. 7 - Indication of other matters in the declaration of consent

Art. 8 - Right of the data subject to withdraw his or her consent

Art. 9 - Processing a child’s personal data

Art. 10 - Grounds for processing sensitive personal data

Art. 11 - Safeguards to process sensitive personal data

Art. 12 - Processing personal data of a convict

Art. 13 - Processing of personal data which does not require data subject’s identification

Art. 14 - Source of personal data

Art. 15 - Quality of personal data

Art. 16 - Personal data logging

Art. 17 - Maintaining records of processed personal data

Art. 18 - Right to personal data

Art. 19 - Right to object

Art. 20 - Right to personal data portability

Art. 21 - Right not to be subject to a decision based on automated data processing

Art. 22 - Right to restriction of processing of personal data

Art. 23 - Right to erasure of personal data

Art. 24 - Right to rectification

Art. 25 - Right to designate an heir to personal data

Art. 26 - Right to representation

Art. 27 - Duties of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 28 - Powers of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 29 - Registration as a data controller or a data processor

Art. 30 - Requirements for registration as a data controller or a data processor

Art. 31 - Issuance of a registration certificate

Art. 32 - Reporting a change after receiving a registration certificate

Art. 33 - Renewal of a registration certificate

Art. 34 - Modification of a registration certificate

Art. 35 - Cancellation of a registration certificate

Art. 36 - Register of data controllers and data processors

Art. 37 - Principles relating to processing of personal data

Art. 38 - Duties of the data controller and the data processor

Art. 39 - Designation of a representative of the data controller or the data processor

Art. 40 - Designation of the personal data protection officer

Art. 41 - Duties of the personal data protection officer

Art. 42 - Information to be provided during personal data collection

Art. 43 - Notification of personal data breach

Art. 44 - Report on personal data breach

Art. 45 - Communication of a personal data breach to the data subject

Art. 46 - Lawful processing of personal data

Art. 47 - Measures to ensure security of personal data

Art. 48 - Sharing and transfer of personal data outside Rwanda

Art. 49 - Contract for transfer of personal data

Art. 50 - Storage of personal data

Art. 51 - Migration and management of personal data after change or closure of business

Art. 52 - Retention of personal data

Art. 53 - Administrative misconducts

Art. 54 - Filing an application to the court

Art. 55 - Place where the administrative fine is deposited

Art. 56 - Accessing, collecting, using,offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law

Art. 57 - Re-identification of de-identified personal data in a way that is contrary to this Law

Art. 58 - Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this La

Art. 59 - Sale of personal data in a way that is contrary to this Law

Art. 60 - Collecting or processing of sensitive personal data in a way that is contrary to this Law

Art. 61 - Providing false information

Art. 62 - Punishment of a corporate body or a legal entity

Art. 63 - Additional penalties

Art. 64 - Organ in charge of settlement of disputes

Art. 65 - Right to claim for compensation

Art. 66 - Power to put in place regulations

Art. 67 - Transitional period

Art. 68 - Drafting, consideration and adoption of this Law

Art. 69 - Repealing provision

Art. 70 - Commencement

Art. 41

Duties of the personal data protection officer

The personal data protection officer has the following duties:

to inform and advise the data controller, the data processor and the employees who carry out personal data processing, of their obligations pursuant to this Law;
to monitor, in his or her area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in personal data processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance;
to cooperate with the supervisory authority and to act as its contact point on issues relating to processing of personal data, including the prior consultation with the supervisory authority, and to consult, where appropriate, with regard to any other matter.

The personal data protection officer must in the performance of his or her tasks have due regard to the risk associated with personal data processing operations, considering the nature, scope, context and purpose of processing.