
Rwanda’s law on the protection of personal data and privacy (DPP Law)

Art. 4

Authorisation to process personal data

The processing of personal data carried out by the data processor is governed by a written contract between the data processor and the data controller.

The data processor processes personal data on behalf of the data controller subject to a written contract referred to in Paragraph One of this Article.

The data controller authorises the data processor who provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing meets the requirements of this Law.

Art. 5

Privacy of the data subject

The data controller, the data processor or a third party processes personal data in a manner which does not infringe on the privacy of the data subject.

Art. 6

Consent of the data subject

Where the processing of personal data is based on the consent of the data subject, the data subject demonstrates that he or she has consented to the processing of his or her personal data for a specified purpose.

The consent of the data subject is valid only when it is based on the data subject’s free decision after being informed of the consequences of his or her consent.

The consent of the data subject may be made in oral, written or electronic form.

Art. 7

Indication of other matters in the declaration of consent

The data subject’s declaration of consent that contains other matters must clearly indicate those other matters to which he or she consents in one of the official languages that is understandable to him or her.

Any part of the declaration referred to in Paragraph One of this Article which constitutes an infringement of the provisions of this Law cannot be binding.

Art. 8

Right of the data subject to withdraw his or her consent

The data subject has the right to withdraw his or her consent at any time.

The withdrawal of consent by the data subject does not affect the lawfulness of processing of personal data based on consent before its withdrawal.

The withdrawal of consent by the data subject is as easy as expressing it.

The withdrawal of consent by the data subject takes effect as of the date on which the data subject applied for it.

Art. 9

Processing a child’s personal data

Where the data controller, the data processor or a third party knows that personal data belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility over the child in accordance with relevant laws.

Subject to the provisions of other Laws, the consent obtained on behalf of the child is acceptable only if it is given in the interest of the child.

However, the consent is not required to process the child’s personal data if it is necessary for protecting the vital interest of the child.

Art. 10

Grounds for processing sensitive personal data

The data controller or the data processor processes sensitive personal data only if:

  1. the processing is based on the data subject’s consent;

  2. the processing is necessary for the purposes of carrying out the obligations of the data controller, of the data processor or exercising specific rights of the data subject in accordance with relevant Laws;

  3. the processing is necessary to protect the vital interests of the data subject or of any other person;

  4. the processing is necessary for the purposes of preventive or occupational medicine, public health such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;

  5. the processing is necessary for archiving purposes in the public interest or scientific and historical research purposes or statistical purposes.

Art. 11

Safeguards to process sensitive personal data

When processing sensitive personal data, the data controller or the data processor must:

  1. comply with requirements for personal data protection or personal data monitoring as required by this Law;

  2. comply with applicable sensitive personal data retention periods established by this Law;

  3. put in place measures to strengthen capacities of staff involved in the processing of sensitive personal data;

  4. put in place measures to access sensitive personal data processed by the data controller or the data processor;

  5. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the data subject, including, where appropriate, storing sensitive personal data separately from other types of data, and applying measures such as tokenisation, pseudonymisation or encryption.

Art. 12

Processing personal data of a convict

Processing personal data of a convict is carried out under the supervision of the supervisory authority in accordance with the provisions of this Law.

The data controller or the data processor puts in place appropriate safeguards to ensure the respect of rights and freedoms of the data subject.

Art. 13

Processing of personal data which does not require data subject’s identification

If the purposes for which the data controller or the data processor processes personal data do not or no longer require the identification of the data subject, the data controller or the data processor is not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Law.

In case the data controller or the data processor is unable to identify the data subject because of the alteration of his or her personal data, the data controller informs the data subject in writing or electronically, if necessary.

However, the data subject, with respect to his or her rights, provides additional information enabling his or her identification.

Art. 14

Source of personal data

The data controller or the data processor requests personal data directly from the data subject.

However, a person can collect personal data from another person, another source or a public institution if:

  1. the personal data is open to the public;

  2. the data subject has deliberately made the personal data public;

  3. the data subject has consented to the collection of personal data from another source;

  4. the collection of the personal data from another source complies with the provisions of this Law.

Art. 15

Quality of personal data

The data controller or the data processor ensures that the personal data is complete, accurate, kept up to date and not misleading having regard to the purposes for which they are processed.

Art. 16

Personal data logging

The data controller or the data processor ensures personal data logging at least on the following data operations:

  1. data collected

  2. data altered

  3. data accessed

  4. data disclosed including data sharing and transfer

  5. combined data

  6. erased data

Personal data logging must indicate justification, date and time of such operations and, where possible, the contact details of the person who accessed or disclosed the personal data, as well as the contact details of the recipients of the data.

The supervisory authority may require the data controller or the data processor to provide access to the personal data logging so as to verify the lawfulness of the personal data processing.

Art. 17

Maintaining records of processed personal data

The data controller or the data processor must maintain a record of all personal data processing activities under his or her responsibility that indicates:

  1. the name and contact details of the data controller and, where applicable, the data processor, the controller’s representative or the data protection officer;

  2. the purposes of the processing of personal data;

  3. a description of the categories of data subjects and of the categories of personal data;

  4. a full list of the recipients to whom personal data have been or will be disclosed, including those based in other countries;

  5. a description of transfers of personal data to any country outside Rwanda;

  6. where possible, the envisaged data retention periods for the different categories of personal data.

The data controller or the data processor submits the records of personal data processing activities to the supervisory authority on request.