Rwanda’s law on the protection of personal data and privacy (DPP Law)

DPP Law Table of contents

Art. 57

Re-identification of de-identified personal data in a way that is contrary to this Law

Any person who knowingly, intentionally or recklessly:

  1. re-identifies personal data which have been de-identified by a data controller or a data processor;
  2. re-identifies and processes personal data, without consent of the data controller;

commits an offence

Upon conviction, he or she is liable to an imprisonment of not less than one (1) year but not exceeding three (3) years and a fine of not less than seven million Rwandan francs (RWF 7,000,000) but not more than ten million Rwandan francs (RWF 10,000,000) or one of these penalties.