Toll-free: 9080

Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 1 - Purpose of this Law

Art. 2 - Scope of this Law

Art. 3 - Definitions

Art. 4 - Authorisation to process personal data

Art. 5 - Privacy of the data subject

Art. 6 - Consent of the data subject

Art. 7 - Indication of other matters in the declaration of consent

Art. 8 - Right of the data subject to withdraw his or her consent

Art. 9 - Processing a child’s personal data

Art. 10 - Grounds for processing sensitive personal data

Art. 11 - Safeguards to process sensitive personal data

Art. 12 - Processing personal data of a convict

Art. 13 - Processing of personal data which does not require data subject’s identification

Art. 14 - Source of personal data

Art. 15 - Quality of personal data

Art. 16 - Personal data logging

Art. 17 - Maintaining records of processed personal data

Art. 18 - Right to personal data

Art. 19 - Right to object

Art. 20 - Right to personal data portability

Art. 21 - Right not to be subject to a decision based on automated data processing

Art. 22 - Right to restriction of processing of personal data

Art. 23 - Right to erasure of personal data

Art. 24 - Right to rectification

Art. 25 - Right to designate an heir to personal data

Art. 26 - Right to representation

Art. 27 - Duties of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 28 - Powers of the supervisory authority in matters relating to the protection of personal data and privacy

Art. 29 - Registration as a data controller or a data processor

Art. 30 - Requirements for registration as a data controller or a data processor

Art. 31 - Issuance of a registration certificate

Art. 32 - Reporting a change after receiving a registration certificate

Art. 33 - Renewal of a registration certificate

Art. 34 - Modification of a registration certificate

Art. 35 - Cancellation of a registration certificate

Art. 36 - Register of data controllers and data processors

Art. 37 - Principles relating to processing of personal data

Art. 38 - Duties of the data controller and the data processor

Art. 39 - Designation of a representative of the data controller or the data processor

Art. 40 - Designation of the personal data protection officer

Art. 41 - Duties of the personal data protection officer

Art. 42 - Information to be provided during personal data collection

Art. 43 - Notification of personal data breach

Art. 44 - Report on personal data breach

Art. 45 - Communication of a personal data breach to the data subject

Art. 46 - Lawful processing of personal data

Art. 47 - Measures to ensure security of personal data

Art. 48 - Sharing and transfer of personal data outside Rwanda

Art. 49 - Contract for transfer of personal data

Art. 50 - Storage of personal data

Art. 51 - Migration and management of personal data after change or closure of business

Art. 52 - Retention of personal data

Art. 53 - Administrative misconducts

Art. 54 - Filing an application to the court

Art. 55 - Place where the administrative fine is deposited

Art. 56 - Accessing, collecting, using,offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law

Art. 57 - Re-identification of de-identified personal data in a way that is contrary to this Law

Art. 58 - Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this La

Art. 59 - Sale of personal data in a way that is contrary to this Law

Art. 60 - Collecting or processing of sensitive personal data in a way that is contrary to this Law

Art. 61 - Providing false information

Art. 62 - Punishment of a corporate body or a legal entity

Art. 63 - Additional penalties

Art. 64 - Organ in charge of settlement of disputes

Art. 65 - Right to claim for compensation

Art. 66 - Power to put in place regulations

Art. 67 - Transitional period

Art. 68 - Drafting, consideration and adoption of this Law

Art. 69 - Repealing provision

Art. 70 - Commencement

Art. 45

Communication of a personal data breach to the data subject

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the data controller communicates the personal data breach to the data subject in writing or electronically, after having become aware of it.

However, the data controller is not required to communicate the personal data breach to the data subject if:

the data controller has implemented appropriate technical and organisational protection measures in relation to personal data breached such that the personal data breach is unlikely to result in a high risk to the rights and freedoms of the data subject;
the data controller has taken measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
the data controller communicated it to the public whereby the data subject is informed in an equally effective manner.

If the data controller has not communicated the personal data breach to the data subject, and the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the supervisory authority may request the data controller to communicate the personal data breach to the data subject in writing or electronically.