Skip to main navigation Skip to main content Skip to page footer
Data Protection Office

Rwanda’s law on the protection of personal data and privacy (DPP Law)

 

Art. 48

Sharing and transfer of personal data outside Rwanda

The data controller or the data processor may share or transfer personal data to a third party outside Rwanda if:

  1. he or she has obtained authorisation from the supervisory authority after providing proof of appropriate safeguards with respect to the protection of personal data;

  2. the data subject has given his or her consent;

  3. the transfer is necessary:

    1. for the performance of a contract between the data subject and the data controller or the implementation of precontractual measures taken in response to the data subject's request;

    2. for the performance of a contract concluded in the interest of the data subject between the data controller and a third party;
      for public interest grounds;

    3. for the establishment, exercise or defence of a legal claim;

    4. to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his or her consent;

    5. for the purposes of compelling legitimate interests pursued by the data controller or by the data processor, which are not overridden by the interests, rights and freedoms of the data subject, and when:

      1. the transfer is not repetitive and concerns only a limited number of data subjects;

      2. the data controller or the data processor has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data;

    6. for the performance of international instruments ratified by Rwanda.

The supervisory authority may put in place a regulation determining another reason of sharing or transferring personal data to a third party outside Rwanda.

Art. 49

Contract for transfer of personal data

The data controller or the data processor who authorises a person to access personal data, share or transfer them to a third party outside Rwanda, enters into a written contract with such a person setting out the respective roles and responsibilities of each party to ensure compliance with this Law.

The supervisory authority may, by a regulation, determine the form of the contract to be used for transfers of personal data outside Rwanda.

Provisions of Items 1° and 3° a), b) and d) of Article 48 of this Law do not apply to activities carried out by a public body in the exercise of its functions.

The supervisory authority may require the data controller or the data processor to demonstrate their compliance with the provisions of this Article, and in particular, with personal data security safeguards and interests referred to in Item 3° f) of Article 48 of this Law.

The supervisory authority, in order to protect the rights and freedoms of the data subject, may prohibit or suspend the transfer of personal data outside Rwanda.

Art. 50

Storage of personal data

The data controller or the data processor stores personal data in Rwanda.

However, the storage of personal data outside Rwanda is only permitted if the data controller or the data processor holds a valid registration certificate authorising him or her to store personal data outside Rwanda, which is issued by the supervisory authority.

 

Art. 51

Migration and management of personal data after change or closure of business

The supervisory authority puts in place a regulation determining modalities for migration and management of personal data in case of change or closure of business of the data controller or the data processor.

Art. 52

Retention of personal data

The data controller or the data processor retains personal data until the purposes of the processing of personal data are fulfilled.

However, the data controller or the data processor may retain personal data for a longer period for the following grounds:

  1. if retention is authorised by Law;
  2. if retention is required by a contract concluded between the parties;
  3. if the personal data is related to a function or activity for which the personal data are collected or processed;
  4. preventing, detecting, investigating, prosecuting or punishing an offender;
  5. protecting national security;
  6. enforcing a court order;
  7. enforcing legislation relating to collection of public revenues;
  8. conducting proceedings before a court;
  9. carrying out research authorised by a relevant authority;
  10. if the data subject consents

The supervisory authority may put in place a regulation determining any other ground for retention of personal data for a longer period.

At the end of the personal data retention period, the data controller or the data processor must destroy the personal data in a manner that prevents its reconstruction in an intelligible form.