Frequently asked questions by individuals

Most of us give personal data to groups such as Government institutions, banks, insurance companies, hospitals, and telecommunication companies to use their services or meet certain conditions. They can also get information about us from other sources.

We refer to organizations or persons who control the contents and use of our personal data as 'data controllers'.

Under the Law Nº 058/2021 of 13/10/2021 Law relating to the protection of personal data and privacy, you have rights regarding the use of these personal data and data controllers have certain responsibilities in how they handle them.

Personal data is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Privacy is a fundamental right of a person to decide who can access his or her personal data, when, where, why and how his or her personal data can be accessed.

When you give your personal data to an organization or person, they have a duty to keep these data private and safe. This process is known as data protection.

If you are not happy with how your personal data are being used, you should contact the organization or person in question. If you believe that the organization or person is still not respecting your data protection rights, you should contact the Data Protection & Privacy Office to ask for help.

You have a range of rights when the organization or person takes and records your personal data.

Right to have your personal data used in line with the law

A data controller who holds information about you must:

  • get and use the information fairly;
  • keep it for only one or more clearly stated and lawful purposes;
  • use and make known this information only in ways that are in keeping with these purposes;
  • keep the information safe;
  • make sure that the information is factually correct, complete and up-to-date;
  • keep the information for no longer than is needed for the reason stated; and
  • give you a copy of your personal information when you ask for it.
Right to personal data
  1. Data controllers who obtain your personal data must give you:
    • the name of the organization or person collecting the information or for whom they are collecting the information;
    • the reason why they want your personal data; and
    • any other information that you may need to make sure that they are handling your details fairly – for example the details of other organizations or people to whom they may give your personal data.

    If an organization or person gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.

    This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence

  2. Right to know if your personal details are being held:

    If you think that an organization or person may be holding some of your personal details, you can ask them to confirm. If they do have personal data about you, they must tell you which details they hold and the reason why they are holding this information and its source.

    You can ask for this information free of charge

  3. Right to know whether your personal data have been transferred to a third country or to an international organization

    In all above cases, the data controller or the data processor has to respond to you within thirty (30) days from the date of receipt of the request.

    If you are not satisfied with the response of the data controller or the data processor you may appeal to the Data Protection & Privacy Office within thirty (30) days from the date of receipt of the response.

Right to rectification your details

If you discover that a data controller has details about you that are not factually correct, you can ask them to correct them where necessary.

You can write to the organization or person, explaining your concerns or outlining which details are incorrect. Within 30 days, the organization must do as you ask or explain why they will not do so.

Right to object

A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you loss, sadness or anxiety, you may ask the data controller not to stop using your personal data.

However, this right does not apply if the data controller or the data processor demonstrates compelling legitimate grounds for the personnel data processing.

For example

  • you have already agreed that the data controller can use your details;
  • a data controller needs your details under the terms of a contract to which you have agreed;
  • a data controller needs your details for legal reasons.

You have the right to ask a data controller or data processor to stop processing your personal data if are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.

There is no charge for objecting.

Right to restriction of processing of personal data

You have the right to restrict the data controller from processing your personal data for a given period if:

  • You contested the accuracy of your personal data
  • The processing is unlawful and you request the erasure
  • You object to the processing of personal data

The right is not exercised if the processing of personal data:

  • is necessary for the protection of the rights of another person
  • is necessary for reasons of public interest
Right to personal data portability

You have the right to request the data controller to resend the personal data concerning you as it was provided

You also have the right to request the data controller your personal data transmitted to another data controller, where technically feasible, without hindrance.

In all above cases, the data controller has to respond to you within thirty (30) days from the date of receipt of the request.

If you are not satisfied with the response of the data controller, you may appeal to the Data Protection & Privacy Office within thirty (30) days from the date of receipt of the response.

Right to erasure of personal data

You have the right to request the data controller for erasure of your personal data where:

  • Your personal data are no longer necessary in relation to the purposes for which they were collected;
  • You withdraw consent on which the personal data processing is based and where there is no other legal ground for the processing;
  • You object to the processing of personal data and there are no overriding legitimate grounds for the processing
  • Your personal data have been unlawfully processed

However, the right to request the erasure of personal data does not apply to the extent that processing is necessary described in this Law such as reasons of public interest.

Right to designate an heir to personal data

Your personal data are not primarily subject to succession but, where you had left a will, you provide your heir with full or restricted rights relating to the processing of your personal data kept by the data controller or the data processor, if such personal data still need to be used.

Right to representation

You have right to be represented when:

  • You are under sixteen (16) years of age
  • You have a physical impairment and unable to represent yourself
  • You are a medically determinable mental impairment and is unable to represent yourself
  • You have any other reason, in which case you are being represented by another person

In all above cases you need to provide an authorization of representation in accordance with relevant Laws.

Right not to be subject to a decision based on automated data processing

You have the right not to be subject to a decision based solely on automated personal data processing, including profiling, which may produce legal consequences or significant consequences to you.

For example, such decisions may be about your work performance

However, this right is not exercised when the processing:

  • is based on your explicit consent;
  • is necessary for entering into, or performance of, a contract between the you and the data controller;
  • is authorized by to other Laws

Data protection rights will help you to make sure that the information stored about you is:

  • factually correct;
  • only available to those who should have it; and
  • only used for stated purposes

You have the right to data protection when your details are:

  • held on a computer;
  • held on paper or other manual form as part of a filing system; and
  • made up of photographs or video recordings of your image or recordings of your voice

To request access to your details, send a letter or email to the organisation or person holding your personal details and ask them for a copy of this information. The details should be easy to understand.

In your request you should:

  • give any details that will help the person to identify you and find your data – for example a customer account number, any previous address or your date of birth; and
  • be clear about which details you are looking for if you only want certain information. This will help the organisation or person respond more quickly.

Some sample wording appears below as a guide.

                                        
Dear Data Protection & Privacy Officer,

Under the Law Nº 058/2021 of 13/10/2021
Law relating to the protection of personal data
and privacy, I wish to make an access request for a
copy of any information you keep about me, on computer
or in manual form.

[My customer account number is ...]
[My date of birth is...]
[My previous address was....]
Yours faithfully,

[Name]

The Data Protection & Privacy Office aims to make sure that your rights are being upheld and that data controllers and data processors respect data protection rules. If you think that an organization or person is breaking these rules, and you are not satisfied with their response to your concerns, you can complain to the Data Protection & Privacy Office.

If you need further information about your rights, you can contact our office by telephone or email.

Address:18KG Ave, A&P Building, Ground Floor, Kacyiru

Email:dpp@dpo.gov.rw

Toll-free:9080

Personal data is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data is any information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.

Yes it does, the law states, in its Art. 9, that where the data controller, the data processor or a third party knows that personal data belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws.

In the law on personal data protection and privacy, consent must be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.