
Frequently asked questions by institutions

Aim of the Personal Data Protection and Privacy Law

To strengthen the control and personal autonomy of data subjects over their personal data, thereby contributing to respect for their human rights and fundamental freedoms. This particularly relates to their right to privacy, which is in line with international data protection standards and is vital for a modern digital economy, facilitating services such as e-commerce, international financial transactions, and various online services.

The primary goals of this law are to:

  • Empower citizens with agency over their personal data

  • Enable trusted and secure data flows, domestically and internationally

  • Provide regulatory certainty for existing businesses and prospective investors, and an enabling environment for SME growth

  • Accelerate Rwanda’s ambitions towards a technology-enabled and data-driven economy

Who does this law apply to?

  • Individuals and institutions established or residing in Rwanda, that process the personal data of individuals in Rwanda (not just citizens).

  • Individuals and institutions established or residing outside of Rwanda, that process the personal data of individuals in Rwanda

Who is a Data Subject?

A data subject is an identified or identifiable individual, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

What does Personal Data mean?

Personal data means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

What does privacy mean?

Privacy is a fundamental right of a person to decide who can access his or her personal data, and when, where, why and how his or her personal data can be accessed.

What does sensitive Personal Data mean?

Sensitive personal data means any information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.

What is Genetic information?

Genetic data means personal data relating to the general characteristics of an individual which are inherited or acquired and which provide unique information about the physiology or health of the individual and which result, in particular, from an analysis of a biological sample from the individual in question.

What is Biometric Information?

Biometric data means any personal data relating to the physical, physiological or behavioral characteristics of an individual which allow his unique identification, including fingerprint mapping, facial recognition, and retina.

What are special categories of Personal Data?

Special categories of personal data mean personal data pertaining to:

  • Person’s race

  • Religious or philosophical beliefs

  • Social origin

  • Health status

  • Sexual life or family details

  • Genetic or biometric information

  • Criminal records

  • Medical records

What does Processing mean?

It is an operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as access to, obtaining, collection, recording, structuring, storage, adaptation or alteration, retrieval, reconstruction, concealment, consultation, use, disclosure by transmission, sharing, transfer, or otherwise making available, sale, restriction, erasure or destruction.

Who is a Data Controller?

The person who or the public or private body or legal entity which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.

Who is a Data Processor?

It is a person, public or private corporate body or legal entity, which is authorized to process personal data on behalf of the data controller.

How do you determine whether you are a Data Controller or a Data Processor?

It is important to remember that an organization is not by its nature either a controller or a processor. Instead, you need to consider the personal data and the processing activity that is taking place, and consider who is determining the purposes and the manner of that specific processing.

You need to ask yourself: do I decide

  • to collect personal data in the first place

  • the lawful basis for doing so

  • what types of personal data to collect

  • the purpose or purposes the data are to be used for

  • which individuals to collect data about

  • whether to disclose the data, and if so, to whom

  • what to tell individuals about the processing

  • how to respond to requests made in line with individuals’ rights

  • how long to retain the data or whether to make non-routine amendments to the data

These are all decisions that can only be taken by the controller as part of its overall control of the data processing operation. If you make any of these decisions determining the purposes and means of the processing, you are a controller.

If you find yourself following instructions from someone else regarding the processing of personal data, being given the personal data by a customer or similar third party, being told what data to collect, or not deciding to collect personal data from individuals or what personal data should be collected from individuals, you are a processor.

Is it possible to be both a Data Controller and a Data Processor?

 

Yes. In contexts where the data processor has the authority to process personal data for a separate purpose from that originally given by the data controller, the data processor becomes a controller in his or her own right for that element of data processing.

Additionally, in situations where an institution both determines the means of processing and processes the data itself, this entity becomes both a data controller and data processor.

Any natural person, public or private corporate body or legal entity, can be both a controller and processor of personal data when they are carrying out the activities of both roles.

What is a supervisory authority?

The supervisory authority is a public authority that is charged with enforcement of this law relating to the protection of personal data and privacy. This law designates the National Cyber Security Authority (NCSA) as the supervisory authority.

What are the powers of a Supervisory Authority?

Article 28 of the law relating to the protection of personal data and privacy deals with the powers of the supervisory authority to carry out its functions under this law. These powers include, among others, issuing registration certificates and imposing administrative sanctions.

Should Data Controllers and Data Processors register with a Supervisory Authority?

Yes. Article 29 of the law relating to the protection of personal data and privacy deals with the registration of data controllers and data processors. Anyone who intends to be a data controller or a data processor must register with the supervisory authority.

The supervisory authority issues a registration certificate to an applicant for registration as a data controller or a data processor who meets the requirements for registration within thirty (30) working days from the date of reception of the registration application.

The data controller or the data processor who holds a registration certificate may apply for its renewal within forty-five (45) working days before the expiry date of the existing certificate.

What is Consent?

Consent of the data subject is freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

How do you ensure that consent meets the legal requirements?

  • Consent should be specific, informed and unambiguous, by setting out the purpose of the various phases of the processing.

  • Consent should be easy to withdraw without affecting the lawfulness of processing.

  • Consent should be made in oral, written or electronic form.

  • Consent should be in one of the official languages that is understandable to the data subject.

  • At the time of collection, data subjects should be informed about the right to withdraw consent at any time.

Does this law feature any special provisions for children?

Yes, it does. The law states, in its Article 9, that where the data controller, the data processor or a third party knows that personal data belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws.

Why does your institution need a Data Protection & Privacy Officer?

One of the provisions of the law on personal data protection and privacy indicates the need to designate a data protection officer (DPO) for any processing of personal data (Article 40).

Whether your institution acts as a data controller, data processor, or both of these roles, this law makes it mandatory to designate the DPO. Failure to designate a personal data protection officer is an administrative misconduct (Article 53).

What are the duties of a Data Protection & Privacy Officer?

The principal duties a data protection officer holds according to Article 40 are:

  • To inform and advise the data controller, the data processor and the employees who carry out personal data processing, of their obligations pursuant to this Law.

  • To monitor, in his or her area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in personal data processing operations, and the related audits.

  • To provide advice where requested as regards the data protection impact assessment and monitor its performance.

  • To cooperate with the supervisory authority and to act as its contact point on issues relating to processing of personal data, including the prior consultation with the supervisory authority, and to consult, where appropriate, with regard to any other matter.

How does this law cater for the rights of Data Subjects?

Chapter II of the law relating to the protection of personal data and privacy stipulates the rights of data subjects. The Act has enhanced the rights of data subjects by giving substantial rights including:

  1. Right of the data subject to withdraw the consent (Article 8)

  2. Right to personal data (Article 18)

  3. Right to object (Article 19)

  4. Right to data portability (Article 20)

  5. Right to not be subject to a decision based on automated data processing (Article 21)

  6. Right to restriction of processing of personal data (Article 22)

  7. Right to erasure of personal data (Article 23)

  8. Right to rectification (Article 24)

  9. Right to designate an heir to personal data (Article 25)

  10. Right to representation (Article 26)

Where the data controller or the data processor knows that personal data belong to a child under the age of sixteen (16) years, they must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws. Other exceptions are highlighted in Article 9.

What are the obligations of Data Controllers and Data Processors?

Chapter VI of the law relating to the protection of personal data and privacy relates to a number of obligations which have been imposed on data controllers and data processors to ensure that processing of personal data is done in a fair and lawful manner such as:

Principles relating to processing of personal data

Data controllers and data processors need to ensure that personal data are processed lawfully, fairly and transparently, are adequate, relevant, accurate, kept for as long as required and proportionate to the purposes for which they are being processed, and are processed in compliance with the rights of data subjects.


Duties of the data controller and the data processor

The data controller and data processor must ensure all personal data is processed in compliance with the law, and be able to demonstrate compliance through a series of measures including implementing appropriate technical and organizational measures, keeping a record of personal data processing operations, and designating a data protection officer amongst others.


Information to be provided during personal data collection

The data controller collects personal data for a lawful purpose connected to the activity of the data controller and when the data is necessary for that purpose. The information to be shared with the data subject during data collection is provided in Article 42.


Notification of personal data breach

As soon as the data controller becomes aware that a breach has occurred, the controller must notify the breach to the supervisory authority within forty-eight (48) hours after having become aware of it. Where the data processor becomes aware of a personal data breach, he or she notifies the data controller within forty-eight (48) hours after being aware of the incident.


Report on personal data breach

The data controller draws up a report on personal data breach and submits it to the supervisory authority not later than seventy-two (72) hours with all facts available. The report content format is described in Article 44.


Communication of a personal data breach to the data subject

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the data controller communicates the personal data breach to the data subject in writing or electronically, after having become aware of it. However, there are some exceptions highlighted in Article 45.


Lawful processing of personal data

The law lays down the conditions for the legal basis required for processing in Article 46.


Measures to ensure security of personal data

The data controller or the data processor must ensure security of the personal data in his or her possession by adopting appropriate, reasonable technical measures to prevent loss, damage or destruction of personal data. The measures to ensure security of personal data are described in Article 47.

What does the law say about storage, transfer and retention of Personal Data?

Chapter VII of the law relating to the protection of personal data and privacy deals with storage, transfer and retention of personal data.

Storage of personal data

The data controller or data processor stores personal data in Rwanda.

However, the storage of personal data outside Rwanda is only permitted if the data controller or the data processor holds a valid authorization which is issued by the supervisory authority.


Sharing and transfer of personal data outside Rwanda

The data controller or data processor may share or transfer personal data to a third party outside Rwanda if an authorization has been obtained from the supervisory authority. Other conditions are described in Articles 48 and 49.


Migration and management of personal data after change or closure of business

In case of change or closure of business of the data controller or data processor, the supervisory authority puts in place a regulation determining modalities for migration and management of personal data.


Retention of personal data

The data controller or data processor retains personal data until the purposes of the processing of personal data are fulfilled. However, there are some exceptions highlighted in Article 52.

Is it an offense not to comply with the Personal Data Protection and Privacy?

Yes. Offences, administrative misconducts and their respective penalties and sanctions are shown below:

Offences:
  • Accessing, collecting, using, offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law (Article 56)

  • Re-identification of de-identified personal data in a way that is contrary to this Law (Article 57)

  • Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this Law (Article 58)

  • Sale of personal data in a way that is contrary to this Law (Article 59)

  • Collecting or processing of sensitive personal data in a way that is contrary to this Law (Article 60)

  • Providing false information (Article 61)

Penalties:
  • A controller or processor that commits one of the offences referred to in above Articles 56, 57, 58, 59, 60 and 61 commits an offence. Upon conviction, it is liable to a fine of Rwandan francs amounting to five percent (5%) of its annual turnover of the previous financial year.

  • The court may also order permanent or temporary closure of the legal entity or body, or the premises in which any of the offences provided for under this Law was committed.

Administrative misconducts:
  • failure to maintain records of processed personal data

  • failure to carry out personal data logging

  • operating without a registration certificate

  • failure to report a change after receiving a registration certificate

  • using a certificate whose term of validity has expired

  • failure to designate a personal data protection officer

  • failure to notify a personal data breach

  • failure to make a report on personal data breach

  • failure to communicate a personal data breach to the data subject

Sanctions:
  • A data controller or data processor is liable to one percent (1%) of the global turnover of the preceding financial year.

  • The supervisory authority may put in place a regulation determining other administrative misconducts and sanctions that are not provided for in this Law.

What are the required documentations?

 

| Documents | Relevant Article in the Law |
| --- | --- |
| Data Subject Consent Form | Articles 6 and 7 |
| Data Subject Consent Withdrawal Form | Article 8 |
| Parental Consent Form & Parental Consent Withdrawal Form | Articles 9 and 8 |
| Inventory of Processing Activities | Article 17 |
| Privacy Notice | Article 42 |
| Website Privacy Policy | Article 42 |
| Cookie Policy | Article 42 |
| Personal Data Protection Policy | Articles 42, 46 and 47 |
| Data Protection Impact Assessment Register | Article 38 |
| Data Retention Policy & Schedule | Article 52 |
| Supplier/Third Party Data Processing Agreement | Articles 4, 5, 48 and 49 |
| Data Breach Response and Notification Procedure | Articles 43, 44 and 45 |
| Data Breach Register | Article 44 |
| Data Breach Notification Form to the Data Subjects | Article 45 |
| Data Breach Notification Form to the Supervisory Authority | Articles 43 and 44 |

What are the implications of the law for different sectors?

  • On Already Acquired Data: The data controller and data processor have a transitional period of up to October 15, 2023, to comply with provisions of the law on the processing of personal data (Article 67).

  • On New Collected Data: The data controller is required to first register with the supervisory authority, whereas the data processor is required to get authorization from the data controller and register with the supervisory authority (Articles 4, 29 and 30).

  • Storage of personal data: The data controller and data processor store personal data in Rwanda. A valid registration certificate is required to authorize the storage of personal data outside Rwanda (Article 50).

  • Share/Transfer of personal data: A valid registration certificate is required to authorize the sharing and transfer of personal data outside Rwanda (Article 48).

  • Internal Processes of an Institution: Designation of a data protection officer and adoption of appropriate, reasonable technical measures to prevent loss, damage or destruction of personal data (Articles 40 and 47).

If you are a person, public or private corporate body or legal entity processing personal data for the following purposes, you need to register as a data controller or a data processor with the National Cyber Security Authority (NCSA):

  1. Charities and Religious entities

  2. Security companies (including operating security CCTV systems)

  3. Gambling

  4. Operating an educational institution

  5. Health administration and provision of patient care

  6. Hospitality industry firms, excluding tour guides

  7. Property management including the selling of land

  8. Provision of financial services

  9. Telecommunications network or service providers

  10. Businesses that are wholly or mainly in direct marketing

  11. Transport services firms (including online passenger hailing applications)

  12. Businesses that process genetic and/or biometric data

  13. Any business that deals with personal data

Does the law on personal data protection and privacy take immediate effect?

Yes, the law on personal data protection and privacy takes immediate effect. However, companies and individuals in Rwanda that are already in operation and process personal data of individuals have a transitional period up to 15th October 2023 to fully comply with the new law.

What does the consent mean in the law on personal data protection and privacy?

In the law on personal data protection and privacy, consent must be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Is the process to request authorization (as outlined in Articles 48 and 50 of the DPP Law) included in the registration process as a Data Controller, or is there a separate process to be followed?

There are two possible ways particularly on data processing and registration requirement for data transfer outside Rwanda:

  • Authorization provided for under Art. 48 (1) of the DPP law to transfer personal data outside Rwanda is done during registration to operate as a data controller or data processor. This complements Art. 30 (7) of the DPP law, which requires the applicant to indicate the country to which he/she intends to directly or indirectly transfer the personal data.

  • A request to transfer personal data outside Rwanda may also be submitted after registration for specific processing reasons of personal data outside Rwanda, as the need may arise depending on the changing nature of the business/operations and other reasons described in Art. 48 (2-3), and also in consideration of the required appropriate safeguards as provided for by the Law. Note: If the second scenario (2) comes in after registration, he/she will then be required to request a change on the registration certificate.

Who is supposed to register and does the size of the organization matter?

Anyone who is processing or intends to process personal data, that is, whoever is already engaged in personal data processing or wants to operate as a data controller or data processor.

What is de-identified data?

It is the removal of personally identifiable information for the purpose of safeguarding personal data.

Is de-identified data no longer considered personal?

It remains personal between the data subject and the data controllers or processors; that is to say, de-identification should be understood as a technique used to protect an individual’s privacy.

What is the procedure if personal data is not from a natural person and what is a natural person?

The Law applies to whoever processes personal data, whether a natural or moral person, and whether the data are directly received from the data subject by the data controller or indirectly received from the data controller by whoever processes data on his/her behalf. A natural person is a physical person as opposed to a moral person.

Frequently asked questions by individuals

Most of us give personal data to groups such as Government institutions, banks, insurance companies, hospitals, and telecommunication companies to use their services or meet certain conditions. They can also get information about us from other sources.

We refer to organizations or persons who control the contents and use of our personal data as 'data controllers'.

Under Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy, you have rights regarding the use of these personal data and data controllers have certain responsibilities in how they handle them.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

What is privacy?

Privacy is a fundamental right of a person to decide who can access his or her personal data, when, where, why and how his or her personal data can be accessed.

What is data protection?

When you give your personal data to an organization or person, they have a duty to keep these data private and safe. This process is known as data protection.

When should I contact the Data Protection & Privacy Office?

If you are not happy with how your personal data are being used, you should contact the organization or person in question. If you believe that the organization or person is still not respecting your data protection rights, you should contact the Data Protection & Privacy Office to ask for help.

What are my rights?

You have a range of rights when the organization or person takes and records your personal data.

Right to have your personal data used in line with the law

A data controller who holds information about you must:

  • get and use the information fairly;

  • keep it for only one or more clearly stated and lawful purposes;

  • use and make known this information only in ways that are in keeping with these purposes;

  • keep the information safe;

  • make sure that the information is factually correct, complete and up-to-date;

  • keep the information for no longer than is needed for the reason stated; and

  • give you a copy of your personal information when you ask for it.


Right to personal data

  1. Data controllers who obtain your personal data must give you:

    • the name of the organization or person collecting the information or for whom they are collecting the information;

    • the reason why they want your personal data; and

    • any other information that you may need to make sure that they are handling your details fairly – for example the details of other organizations or people to whom they may give your personal data.

    If an organization or person gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.

    This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence.

  2. Right to know if your personal details are being held:

    If you think that an organization or person may be holding some of your personal details, you can ask them to confirm. If they do have personal data about you, they must tell you which details they hold and the reason why they are holding this information and its source.

    You can ask for this information free of charge.

  3. Right to know whether your personal data have been transferred to a third country or to an international organization

    In all above cases, the data controller or the data processor has to respond to you within thirty (30) days from the date of receipt of the request.

    If you are not satisfied with the response of the data controller or the data processor you may appeal to the Data Protection & Privacy Office within thirty (30) days from the date of receipt of the response.


Right to rectification of your details

If you discover that a data controller has details about you that are not factually correct, you can ask them to correct them where necessary.

You can write to the organization or person, explaining your concerns or outlining which details are incorrect. Within 30 days, the organization must do as you ask or explain why they will not do so.


Right to object

A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you loss, sadness or anxiety, you may ask the data controller to stop using your personal data.

However, this right does not apply if the data controller or the data processor demonstrates compelling legitimate grounds for the personal data processing.

For example:

  • you have already agreed that the data controller can use your details;

  • a data controller needs your details under the terms of a contract to which you have agreed;

  • a data controller needs your details for legal reasons.

You have the right to ask a data controller or data processor to stop processing your personal data if they are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.

There is no charge for objecting.


Right to restriction of processing of personal data

You have the right to restrict the data controller from processing your personal data for a given period if:

  • You contested the accuracy of your personal data

  • The processing is unlawful and you request the erasure

  • You object to the processing of personal data

The right is not exercised if the processing of personal data:

  • is necessary for the protection of the rights of another person

  • is necessary for reasons of public interest


Right to personal data portability

You have the right to request the data controller to resend the personal data concerning you as it was provided.

You also have the right to request that the data controller transmit your personal data to another data controller, where technically feasible, without hindrance.

In all above cases, the data controller has to respond to you within thirty (30) days from the date of receipt of the request.

If you are not satisfied with the response of the data controller, you may appeal to the Data Protection & Privacy Office within thirty (30) days from the date of receipt of the response.


Right to erasure of personal data

You have the right to request the data controller for erasure of your personal data where:

  • Your personal data are no longer necessary in relation to the purposes for which they were collected;

  • You withdraw consent on which the personal data processing is based and where there is no other legal ground for the processing;

  • You object to the processing of personal data and there are no overriding legitimate grounds for the processing

  • Your personal data have been unlawfully processed

However, the right to request the erasure of personal data does not apply to the extent that processing is necessary for reasons described in this Law, such as reasons of public interest.


Right to designate an heir to personal data

Your personal data are not primarily subject to succession but, where you have left a will, you provide your heir with full or restricted rights relating to the processing of your personal data kept by the data controller or the data processor, if such personal data still need to be used.


Right to representation

You have the right to be represented when:

  • You are under sixteen (16) years of age

  • You have a physical impairment and are unable to represent yourself

  • You have a medically determinable mental impairment and are unable to represent yourself

  • You have any other reason, in which case you are represented by another person

In all the above cases you need to provide an authorization of representation in accordance with relevant Laws.


Right not to be subject to a decision based on automated data processing

You have the right not to be subject to a decision based solely on automated personal data processing, including profiling, which may produce legal consequences or significant consequences to you.

For example, such decisions may be about your work performance.

However, this right is not exercised when the processing:

  • is based on your explicit consent;

  • is necessary for entering into, or performance of, a contract between you and the data controller;

  • is authorized by other Laws

What is the aim of these rights?

Data protection rights will help you to make sure that the information stored about you is:

  • factually correct;

  • only available to those who should have it; and

  • only used for stated purposes

When do these rights apply?

You have the right to data protection when your details are:

  • held on a computer;

  • held on paper or other manual form as part of a filing system; and

  • made up of photographs or video recordings of your image or recordings of your voice

How do I request access to my details?

To request access to your details, send a letter or email to the organisation or person holding your personal details and ask them for a copy of this information. The details should be easy to understand.

In your request you should:

  • give any details that will help the person to identify you and find your data – for example a customer account number, any previous address or your date of birth; and

  • be clear about which details you are looking for if you only want certain information. This will help the organisation or person respond more quickly.

Some sample wording appears below as a guide.

Dear Data Protection & Privacy Officer,

Under the Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy, I wish to make an access request for a copy of any information you keep about me, on computer or in manual form.

[My customer account number is ...]

[My date of birth is...]

[My previous address was....]

Yours faithfully,

[Name]

What is the role of the Data Protection & Privacy Office?

The Data Protection & Privacy Office aims to make sure that your rights are being upheld and that data controllers and data processors respect data protection rules. If you think that an organization or person is breaking these rules, and you are not satisfied with their response to your concerns, you can complain to the Data Protection & Privacy Office.

How can I call the Data Protection & Privacy Office?

If you need further information about your rights, you can contact our office by telephone or email.

Address: 18KG Ave, A&P Building, Ground Floor, Kacyiru

Email: dpp@dpo.gov.rw

Toll-free: 9080

What is the difference between personal data and sensitive personal data?

Personal data is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive personal data is any information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.

Does this law feature any special provisions for children?

Yes, it does. The law states, in its Art. 9, that where the data controller, the data processor or a third party knows that personal data belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws.

What does Consent mean in the law on personal data and privacy?

In the law on personal data protection and privacy, consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.