Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 44

Report on personal data breach

The data controller draws up a report on personal data breach and submits it to the supervisory authority not later than seventytwo (72) hours, with all facts available.

The report describes at least:

  1. the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. the contact details of the personal data protection officer or other contact point where more information can be obtained;
  3. the measures taken to address the personal data breach, including measures to mitigate its possible adverse effects;
  4. the acts relating to personal data breaches, the consequences of the personal data breach and the measures taken to rectify such a breach;
  5. his or her proposal for communicating the personal data breach to affected data subjects and the timeline for such a communication, for approval by the supervisory authority.