Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 52

Retention of personal data

The data controller or the data processor retains personal data until the purposes of the processing of personal data are fulfilled.

However, the data controller or the data processor may retain personal data for a longer period for the following grounds:

  1. if retention is authorised by Law;
  2. if retention is required by a contract concluded between the parties;
  3. if the personal data is related to a function or activity for which the personal data are collected or processed;
  4. preventing, detecting, investigating, prosecuting or punishing an offender;
  5. protecting national security;
  6. enforcing a court order;
  7. enforcing legislation relating to collection of public revenues;
  8. conducting proceedings before a court;
  9. carrying out research authorised by a relevant authority;
  10. if the data subject consents

The supervisory authority may put in place a regulation determining any other ground for retention of personal data for a longer period.

At the end of the personal data retention period, the data controller or the data processor must destroy the personal data in a manner that prevents its reconstruction in an intelligible form.