Toll-free: 9080

Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 1 - Purpose of this Law

Art. 2 - Scope of this Law

Art. 3 - Definitions

Art. 4 - Authorisation to process personal data

Art. 5 - Privacy of the data subject

Art. 6 - Consent of the data subject

Art. 7 - Indication of other matters in the declaration of consent

Art. 8 - Right of the data subject to withdraw his or her consent

Art. 9 - Processing a child’s personal data

Art. 10 - Grounds for processing sensitive personal data

Art. 11 - Safeguards to process sensitive personal data

Art. 12 - Processing personal data of a convict

Art. 13 - Processing of personal data which does not require data subject’s identification

Art. 14 - Source of personal data

Art. 15 - Quality of personal data

Art. 16 - Personal data logging

Art. 17 - Maintaining records of processed personal data

Art. 18 - Right to personal data

Art. 19 - Right to object

Art. 20 - Right to personal data portability

Art. 21 - Right not to be subject to a decision based on automated data processing

Art. 22 - Right to restriction of processing of personal data

Art. 23 - Right to erasure of personal data

Art. 24 - Right to rectification

Art. 25 - Right to designate an heir to personal data

Art. 26 - Right to representation

Art. 27 - Duties of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 28 - Powers of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 29 - Registration as a data controller or a data processor

Art. 30 - Requirements for registration as a data controller or a data processor

Art. 31 - Issuance of a registration certificate

Art. 32 - Reporting a change after receiving a registration certificate

Art. 33 - Renewal of a registration certificate

Art. 34 - Modification of a registration certificate

Art. 35 - Cancellation of a registration certificate

Art. 36 - Register of data controllers and data processors

Art. 37 - Principles relating to processing of personal data

Art. 38 - Duties of the data controller and the data processor

Art. 39 - Designation of a representative of the data controller or the data processor

Art. 40 - Designation of the personal data protection officer

Art. 41 - Duties of the personal data protection officer

Art. 42 - Information to be provided during personal data collection

Art. 43 - Notification of personal data breach

Art. 44 - Report on personal data breach

Art. 45 - Communication of a personal data breach to the data subject

Art. 46 - Lawful processing of personal data

Art. 47 - Measures to ensure security of personal data

Art. 48 - Sharing and transfer of personal data outside Rwanda

Art. 49 - Contract for transfer of personal data

Art. 50 - Storage of personal data

Art. 51 - Migration and management of personal data after change or closure of business

Art. 52 - Retention of personal data

Art. 53 - Administrative misconducts

Art. 54 - Filing an application to the court

Art. 55 - Place where the administrative fine is deposited

Art. 56 - Accessing, collecting, using,offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law

Art. 57 - Re-identification of de-identified personal data in a way that is contrary to this Law

Art. 58 - Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this La

Art. 59 - Sale of personal data in a way that is contrary to this Law

Art. 60 - Collecting or processing of sensitive personal data in a way that is contrary to this Law

Art. 61 - Providing false information

Art. 62 - Punishment of a corporate body or a legal entity

Art. 63 - Additional penalties

Art. 64 - Organ in charge of settlement of disputes

Art. 65 - Right to claim for compensation

Art. 66 - Power to put in place regulations

Art. 67 - Transitional period

Art. 68 - Drafting, consideration and adoption of this Law

Art. 69 - Repealing provision

Art. 70 - Commencement

Art. 44

Report on personal data breach

The data controller draws up a report on personal data breach and submits it to the supervisory authority not later than seventytwo (72) hours, with all facts available.

The report describes at least:

the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
the contact details of the personal data protection officer or other contact point where more information can be obtained;
the measures taken to address the personal data breach, including measures to mitigate its possible adverse effects;
the acts relating to personal data breaches, the consequences of the personal data breach and the measures taken to rectify such a breach;
his or her proposal for communicating the personal data breach to affected data subjects and the timeline for such a communication, for approval by the supervisory authority.