The data controller or the data processor may share or transfer personal data to a third party outside Rwanda if:

1. he or she has obtained authorisation from the supervisory authority after providing proof of appropriate safeguards with respect to the protection of personal data;
2. the data subject has given his or her consent;
3. the transfer is necessary:
   1. for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject's request;
   2. for the performance of a contract concluded in the interest of the data subject between the data controller and a third party;
   3. for public interest grounds;
   4. for the establishment, exercise or defence of a legal claim;
   5. to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his or her consent;
   6. for the purposes of compelling legitimate interests pursued by the data controller or by the data processor, which are not overridden by the interests, rights and freedoms of the data subject, and when:
      1. the transfer is not repetitive and concerns only a limited number of data subjects;
      2. the data controller or the data processor has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data;
   7. for the performance of international instruments ratified by Rwanda.

The supervisory authority may put in place a regulation determining another reason of sharing or transferring personal data to a third party outside Rwanda.