Art. 37
Principles relating to processing of personal data
The data controller and the data processor ensure that the data subject’s personal data:
are processed lawfully, fairly and in a transparent manner;
are collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
are related to the purposes for which their processing was requested;
are accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay;
are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
are processed in compliance with the rights of data subjects.
Art. 38
Duties of the data controller and the data processor
In compliance with the principles of the processing of personal data, the data controller and the data processor discharge the following duties:
to implement appropriate technical and organisational measures;
to keep a record of personal data processing operations;
to carry out personal data protection impact assessments where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person;
to perform such other duty as may be assigned to him or her by the supervisory authority.
The personal data protection impact assessment referred to in item 3º of Paragraph one of this Article is carried out in case of:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing of personal data, including profiling, and on which decisions that produce effects concerning such persons are based;
processing on a large scale of sensitive personal data;
a systematic monitoring of a publicly accessible area on a large scale;
processing of personal data identified by the supervisory authority as likely to result in a high risk to the rights and freedoms of natural persons;
new technologies used to process personal data.
Art. 39
Designation of a representative of the data controller or data processor
The data controller or the data processor who is neither established nor resides in Rwanda, but processes personal data of data subjects located in Rwanda, designates in writing a representative in Rwanda to comply with his or her obligations under this Law.
The supervisory authority puts in place a regulation governing the designation of a representative of the data controller or data processor.
Art. 40
Designation of the personal data protection officer
The data controller and the data processor designate a data protection officer where:
the processing of personal data is carried out by a public or private corporate body or a legal entity, except courts;
the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data pursuant to Article 10 of this Law and personal data relating to criminal convictions referred to in Article 12 of this Law.
A group of undertakings may appoint a single personal data protection officer provided that the data protection officer is easily accessible from each establishment.
Where the data controller or the data processor is a public authority or body, a single personal data protection officer may be designated for several such authorities or bodies, taking account of their organizational structure and size.
In cases other than those referred to in Paragraph one of this Article, the data controller or the data processor or associations and other bodies representing categories of data controllers or data processors may designate a personal data protection officer in accordance with the provisions of this Law.
The data protection officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices and the ability to fulfil the tasks assigned to him or her.
The personal data protection officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract.
The data controller or the data processor must publish the contact details of the personal data protection officer and communicate them to the supervisory authority.
Art. 41
Duties of the personal data protection officer
The personal data protection officer has the following duties:
to inform and advise the data controller, the data processor and the employees who carry out personal data processing, of their obligations pursuant to this Law;
to monitor, in his or her area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in personal data processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance;
to cooperate with the supervisory authority and to act as its contact point on issues relating to processing of personal data, including the prior consultation with the supervisory authority, and to consult, where appropriate, with regard to any other matter.
The personal data protection officer must in the performance of his or her tasks have due regard to the risk associated with personal data processing operations, considering the nature, scope, context and purpose of processing.
Art. 42
Information to be provided during personal data collection
The data controller collects personal data for a lawful purpose connected to the activity of the data controller and when the data is necessary for that purpose.
The data controller who collects personal data informs the data subject of the following:
his or her identity and contact details;
the purposes for which personal data are collected;
recipients of such personal data;
whether the data subject has the right to provide personal data voluntarily or mandatorily;
the existence of the right to withdraw consent at any time and that such withdrawal does not affect the lawfulness of the processing of personal data based on consent before its withdrawal;
the existence of the right to request from the data controller access and rectification, restriction or erasure of personal data concerning the data subject or to object to the processing of the data;
the existence of automated decision making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing of personal data for the data subject;
the period for which personal data will be stored;
the right to appeal to the supervisory authority;
where applicable, that he or she can transfer personal data outside Rwanda and he or she assures him or her of their security;
any further information likely to guarantee fair processing of the personal data, having regard to the specific circumstances in which the data are collected.
However, the data controller is not required to comply with the provisions of Paragraph 2 of this Article if:
the data subject already has the information referred to in Paragraph One of this Article;
the provision of such information proves impossible or involves a disproportionate effort;
the recording or disclosure of the personal data is provided for by the Law.
Art. 43
Notification of personal data breach
In case of personal data breach, the data controller, within forty-eight (48) hours after being aware of the incident, must communicate the personal data breach to the supervisory authority.
Where the data processor becomes aware of personal data breach, he or she notifies the data controller within forty-eight (48) hours after being aware of the incident.
Art. 44
Report on personal data breach
The data controller draws up a report on personal data breach and submits it to the supervisory authority not later than seventy-two (72) hours, with all facts available.
The report describes at least:
the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
the contact details of the personal data protection officer or other contact point where more information can be obtained;
the measures taken to address the personal data breach, including measures to mitigate its possible adverse effects;
the acts relating to personal data breaches, the consequences of the personal data breach and the measures taken to rectify such a breach;
his or her proposal for communicating the personal data breach to affected data subjects and the timeline for such a communication, for approval by the supervisory authority.
Art. 45
Communication of a personal data breach to the data subject
Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the data controller communicates the personal data breach to the data subject in writing or electronically, after having become aware of it.
However, the data controller is not required to communicate the personal data breach to the data subject if:
the data controller has implemented appropriate technical and organisational protection measures in relation to personal data breached such that the personal data breach is unlikely to result in a high risk to the rights and freedoms of the data subject;
the data controller has taken measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
the data controller communicated it to the public whereby the data subject is informed in an equally effective manner.
If the data controller has not communicated the personal data breach to the data subject, and the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the supervisory authority may request the data controller to communicate the personal data breach to the data subject in writing or electronically.
Art. 46
Lawful processing of personal data
The data controller or the data processor lawfully processes personal data if:
the data subject has given consent to the processing of his or her personal data for purposes explained to him or her;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
the data controller executes a legal obligation to which he or she is a subject;
it is necessary for protection of vital interests of the data subject or any other person;
it is necessary for the performance of a duty carried out in the public interest or in the exercise of official authority vested in the data controller;
it is carried out for the performance of duties of a public entity;
it is intended for legitimate interests pursued by the data controller or by a third party to whom the personal data are disclosed, unless the processing of personal data is unwarranted in any particular case having regard to the prejudice to the rights and freedoms or legitimate interests pursued by the data subject;
it is carried out for research purposes upon authorisation by relevant institution.
Art. 47
Measures to ensure security of personal data
The data controller or the data processor must ensure security of the personal data in his or her possession by adopting appropriate, reasonable technical measures to prevent loss, damage or destruction of personal data.
For purposes of enforcing the provisions of Paragraph One of this Article, the data controller or the data processor takes the following measures to ensure security of personal data:
identify foreseeable risks to personal data under that person’s possession or control, establish and maintain appropriate safeguards against those risks;
regularly verify whether the personal data security safeguards are effectively implemented;
ensure that the personal data security safeguards are continually updated in response to new risks or any identified deficiencies.
When the supervisory authority is of the opinion that processing or transferring personal data may infringe the rights and privacy of the data subject, the supervisory authority conducts an inspection and assessment of the measures set out in this Article.