Rwanda’s law on the protection of personal data and privacy (DPP Law)

The supervisory authority is the organ in charge of settlement of conflicts that may arise in relation to this Law.

However, a person who is not satisfied with the settlement of conflicts referred to in Paragraph one of this Article may file a case with the competent court.

A person who suffers serious damage due to acts of a data controller or a data processor in violation of this Law has the right to claim for compensation with a competent court.

However, the data controller or the data processor is exempt from liability if he or she proves that he or she was not responsible for the damage.

The competent authority may, in conjunction with the supervisory authority, put in place other sector-specific regulations governing the protection of personal data and privacy.

The regulations referred to in Paragraph One of this Article must comply with the provisions of this Law.

The data controller or the data processor who is already in operation has a period not exceeding two (2) years from the date of publication of this Law in the Official Gazette of the Republic of Rwanda to conform his or her operations to the provisions of this Law.

This Law was drafted in English, considered and adopted in Ikinyarwanda.

All prior legal provisions contrary to this Law are repealed.