Rwanda’s law on the protection of personal data and privacy (DPP Law)

A person who intends to be a data controller or a data processor must register with the supervisory authority.

An applicant for registration as a data controller or a data processor must indicate the following:

1. his or her identity and his or her designated single point of contact;

2. the identity and address of his or her representative if he or she has nominated any;

3. a description of personal data to be processed and the category of data subjects;

4. whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it operates;

5. the purposes of the processing of personal data;

6. the categories of recipients to whom the data controller or the data processor intends to disclose the personal data;

7. the country to which the applicant intends to directly or indirectly transfer the personal data;

8. risks in the processing of personal data and measures to prevent such risks and protect personal data.

The supervisory authority may put in place a regulation determining additional requirements to be met by an applicant for registration as a data controller or a data processor.

The supervisory authority issues a registration certificate to an applicant for registration as a data controller or a data processor who meets the requirements for registration within thirty (30) working days from the date of reception of the registration application

The supervisory authority puts in place a regulation determining the period of validity of the registration certificate

After receiving a registration certificate, if there is a change in the grounds on which a registration certificate was issued, the data controller or the data processor who received it notifies the supervisory authority in writing or electronically within fifteen (15) working days from the date on which such a change occurred.

The supervisory authority, as soon as it is informed of change referred to under Paragraph One of this Article and gives its satisfaction, updates the information.

The data controller or the data processor who holds a registration certificate may apply for its renewal within forty-five (45) working days before the expiry date of the existing certificate.

The supervisory authority responds in writing or electronically to the application referred to under Paragraph One of this Article, within thirty (30) working days following receipt of the application.

The supervisory authority puts in place a regulation determining requirements for renewal of the registration certificate.

The supervisory authority, on its own motion or on request by the registration certificate holder, may modify the registration certificate before its expiry, if the supervisory authority believes that modification is needed to respond on:

1. change that occurred on applicable laws;

2. a change in the information that he or she provided that may affect the registration certificate.

The supervisory authority may cancel the registration certificate before its date of expiry if the registration certificate holder:

1. has submitted false or misleading information;

2. fails to comply with requirements of this Law or terms and conditions specified in the certificate.

Before cancellation of the registration certificate, the supervisory authority provides the certificate holder with fifteen (15) working days prior notice in writing or electronically, requesting for explanations on noncompliance with the provisions of Paragraph One of this Article.