Intego ni ugukomeza kugenzura no guha ubwisanzure ba nyiri ubwite ku makuru yabo bwite, bityo bigafasha kubahiriza uburenganzira n’ubwisanzure bwabo bw’ibanze. Ibi by’umwihariko birebana n’uburenganzira ku mibereho bwite yabo, bujyanye n’amahame mpuzamahanga yo kurinda amakuru bwite, kandi ni ingenzi mu bukungu bwa none bushingiye ku ikoranabuhanga, bufasha serivisi nk’ubucuruzi bukorerwa kuri interineti, ihererekanya mpuzamahanga ry’amafaranga, ndetse n’izindi serivisi zitandukanye zikorerwa kuri interineti.

Intego nyamukuru z'iri Tegeko ni: 

• Guha abaturage ubushobozi bwo kugenzura no kwihitiramo uburyo amakuru yabo yihariye akoreshwa.

• Gushyiraho uburyo bwizewe kandi butekanye bwo guhererekanya amakuru, haba mu gihugu imbere cyangwa ku rwego mpuzamahanga.

• Gutanga icyizere gishingiye ku mategeko ku bigo bisanzwe bikora n’abashoramari bashya, no gushyiraho uburyo bukwiye bugamije gufasha ibigo bito n’ibiciriritse.

• Kongera umuvuduko ku cyerekezo cy’U Rwanda cyo kugera ku bukungu bushingiye ku ikoranabuhanga no ku makuru.

• Abantu ku giti cyabo n’ibigo bikorera mu Rwanda, bitunganya amakuru bwite y’abantu mu Rwanda (si ku benegihugu gusa).

• Abantu ku giti cyabo n’ibigo bikorera bikorera hanze y’U Rwanda, bitunganya amakuru bwite y’abantu mu Rwanda. 

Nyiri ubwite ni umuntu wamenyekanye cyangwa ushobora kumenyekana, cyane cyane hashingiwe ku kintu kimuranga nk’izina, nimero y’indangamuntu, amakuru y’aho aherereye, ikimuranga mu buryo koranabuhanga cyangwa hashingiwe ku kintu kimwe cyangwa byinshi byihariye biranga imiterere y'umubiri we, imitekerereze ye, inkomoko ye, ubuzima bwe bwo mu mutwe, ubukungu, umuco cyangwa imibereho ye.

Amakuru bwite ni amakuru ayo ari yo yose yerekeye umuntu ku giti cye uzwi cyangwa ushobora kumenyekana, mu buryo buziguye cyangwa butaziguye, by'umwihariko hashingiwe ku kimuranga nk'izina, nimero imuranga, aho aherereye, ikimuranga mu buryo koranabuhanga cyangwa hashingiwe ku kintu kimwe cyangwa byinshi byihariye biranga imiterere y'umubiri we, imitekerereze ye, inkomoko ye, ubuzima bwe bwo mu mutwe, ubukungu, umuco cyangwa imibereho y'uwo muntu ku giti cye.

Imibereho bwite y’umuntu ni uburenganzira bw’ibanze bw’umuntu bwo kwemeza undi muntu ushobora kubona amakuru bwite ye, igihe n’ahantu yayabonera, impamvu yayabona, uburyo akoresha ayabona n’uburyo bwakoreshwa kugira ngo agerweho

Amakuru bwite y’ibanga ni amakuru agaragaza isanomuzi y’umuntu, uko ubuzima bwe buhagaze, ko yafunzwe cyangwa atafunzwe, dosiye ye yo kwa muganga, inkomoko ye mu muryango, imyemerere ye ishingiye ku idini cyangwa ku mitekerereze, ibitekerezo bye bya politiki, amakuru ndangasano cyangwa ay’imiterere ye, ay’ubuzima bw’imibonano mpuzabitsina cyangwa umwirondoro w’umuryango.

Genetic data means personal data relating to the general characteristics of an individual which are inherited or acquired and which provide unique information about the physiology or health of the individual and which result, in particular, from an analysis of a biological sample from the individual in question.

Biometric data means any personal data relating to the physical, physiological or behavioral characteristics of an individual which allow his unique identification, including fingerprint mapping, facial recognition, and retina.

Ibyiciro by'amakuru bwite y'ibanga birimo:

• Isanomuzi y’umuntu

• Imyemerere ye ishingiye ku idini cyangwa ku mitekerereze

• Inkomoko ye mu muryango

• Uko ubuzima bwe buhagaze

• Ay’ubuzima bw’imibonano mpuzabitsina cyangwa umwirondoro w’umuryango

• Amakuru ndangasano cyangwa ay’imiterere ye

• Ko yafunzwe cyangwa atafunzwe

• Dosiye ye yo kwa muganga

Ni igikorwa kimwe cyangwa ibikorwa byinshi, bikozwe ku makuru bwite hakoreshejwe uburyo bw’ikoranabuhanga bwikoresha cyangwa butikoresha, harimo kugera, kubona, gukusanya, kwandika, kunoza, kubika, guhuza cyangwa guhindura, kugarura, gusubiza, guhisha, kwifashisha, gukoresha, kumenyesha amakuru yerekeye umuntu ku giti cye ahererekanijwe, kuyahanahana, kuyahererekanya cyangwa kuyatanga, kuyagurisha, kubuza imikoreshereze yayo, gusiba cyangwa gusenya.

Umuntu ku giti cye, ikigo cya Leta cyangwa icy’abikorera cyangwa urwego bifite ubuzimagatozi, habaho cyangwa hatabaho ubufatanye, bitunganya amakuru bwite kandi bikagena uburyo bwo kuyatunganya.

umuntu ku giti cye, ikigo cya Leta cyangwa icy’abikorera cyangwa urwego bifite ubuzimagatozi byemerewe gutunganya amakuru bwite mu izina ry’umugenzuzi w’amakuru.

Ni ngombwa kwibuka ko ikigo cyangwa umuntu ataba ari umugenzuzi w’amakuru cyangwa utunganya amakuru mu buryo bw’umwihariko. Ahubwo, ugomba kureba amakuru bwite ari gutunganywa n’ibikorwa byo kuyatunganya biri gukorwa, hanyuma ukareba ugena impamvu n’uburyo bw’iryo tunganywa ry’amakuru.

Ugomba kwibaza uti: Ese ni jye ugena:

• impamvu yo gukusanya amakuru bwite.

• uburyo bwemewe n’amategeko bwo gutunganya amakuru

• ubwoko bw'amakuru bwite akusanywa

• icyo amakuru bwite akoreshwa 

• abampa amakuru

• niba habaho itangazwa ry'amakuru bwite, mu gihe bibaye, kuri bande

• icyo kubwira abantu ku byerekeye itunganywa ry'amakuru

• uko ababaza iby'uburengazira bw'abantu basubizwa

• igihe amakuru amara abitswe cyangwa niba agomba guhindurwa mu buryo budasanzwe

Ibi ni ibyemezo bifatwa n’umugenzuzi w’amakuru gusa nka bumwe mu bubasha bwe bwo kugenzura ibikorwa by’itunganywa ry’amakuru. Niba ari wowe ugena impamvu n’uburyo amakuru atunganywa, uba uri umugenzuzi w’amakuru.

Niba wisanga ukurikiza amabwiriza y’undi muntu ku bijyanye no gutunganya amakuru bwite, ugahabwa amakuru bwite n’umukiriya cyangwa undi muntu, cyangwa ukabwirwa amakuru agomba gukusanywa, atari wowe ugena ikusanywa ry’amakuru y’abantu cyangwa amakuru agomba gukusanywa, icyo gihe uba uri utunganya amakuru.

Yego. Mu gihe utunganya amakuru ahawe ububasha bwo gutunganya amakuru bwite ku mpamvu zitandukanye n’izo umugenzi w’amakuru yari yatanze, utunganya amakuru ahita aba umugenzizi w’amakuru ku gice cy’iyo mirimo yo gutunganya amakuru.

Byongeye kandi, mu gihe ikigo ari cyo gishyiraho uburyo bwo gutunganya amakuru ndetse kikaba ari na cyo gitunganya ayo makuru ubwacyo, icyo kigo kiba ari umugenzuzi w’amakuru ndetse n’utunganya amakuru icyarimwe.

Umuntu ku giti cye, ikigo cya Leta cyangwa ikigo cy’abikorera, cyangwa indi sosiyete yemewe n’amategeko, ashobora kuba umugenzi w’amakuru ndetse n’utunganya amakuru icyarimwe igihe ari we ukora ibikorwa byerekeye inzingano za bombi.

The supervisory authority is a public authority that is charged with enforcement of this law relating to the protection of personal data and privacy. This law designates the National Cyber Security Authority (NCSA) as the supervisory authority.

Ingingo ya 28 y’ Itegeko ryerekeye kurinda amakuru bwite n’imibereho bwite by’umuntu ivuga ku bubasha urwego rubifitiye ububasha rufite mu gushyira mu bikorwa inshingano zarwo zikubiye muri iri tegeko. Ubu bubasha burimo gutanga ibyemezo by’iyandikwa no gutanga ibihano byo mu rwego rw’ubutegetsi, n’ibindi.

Yego. Ingingo ya 29 y’ Itegeko ryerekeye kurinda amakuru bwite n’imibereho bwite by’umuntu ivuga ku kwiyandikisha kw’abagenzuzi b’amakuru n’abatunganya amakuru. Umuntu wese ushaka kuba umugenzuzi w’amakuru cyangwa utunganya amakuru agomba kwiyandikisha mu rwego rugenzura.

Urwego rugenzura rutanga icyemezo cy’iyandikwa ku wasabye kwiyandikisha nk’umugenzuzi w’amakuru cyangwa utunganya amakuru wujuje ibisabwa, mu gihe kitarenze iminsi mirongo itatu (30) y’akazi uhereye ku munsi dosiye y’iyandikwa yakiriwe.

Umugenzuzi w’amakuru cyangwa utunganya amakuru ufite icyemezo cy’iyandikwa ashobora gusaba ko icyemezo cye cyongererwa igihe, mu gihe cy’iminsi mirongo ine n’itanu (45) y’akazi mbere y’uko icyemezo asanganywe kirangira.

Ukwemera kwa nyiri ubwite ni kugaragaza mu bwisanzure ibyifuzo bye nta gahato, bishingiye ku bisobanuro yahawe bitarimo urujijo, yumvikanisha akoresheje imvugo, uburyo bw’inyandiko cyangwa bw’ikoranabuhanga cyangwa igikorwa kigaragara kandi gisobanutse ko yemeye itunganywa ry’amakuru bwite ye.

• Kwemera kwa nyiri ubwite bigomba kuba biciye mu mucyo, bishingiye ku makuru yuzuye kandi bishidikanywho, binyuze mu kugaragaza intego z’icyiciro cyose cy’itunganywa ry’amakuru.

• Kwisubiraho ku kwemera bigomba kuba byoroshye igihe icyo ari cyo cyose, kandi ntibigire ingaruka ku buryo amategeko y’itunganywa ry’amakuru yubahirizwa.

• Kwemera bigomba gukorwa mu mvugo, uburyo bw’inyandiko cyangwa bw’ikoranabuhanga

• Kwemera kugomba gukorwa muri rumwe mu ndimi zemewe n’amategeko kandi rwumva na nyiri ubwite.

• Mu gihe cy’ikusanywa ry’amakuru, nyiri ubwite akwiye  kumenyeshwa ko afite uburenganzira bwo kwisubiraho igihe icyo ari cyo cyose.

Yego. Itegeko mu ngingo yaryo ya 9, rivuga ko iyo umugenzuzi w’amakuru, utunganya amakuru cyangwa undi muntu azi ko ari ay’umwana utarageza ku myaka cumi n’itandatu (16) y’amavuko, agomba kubyemererwa n’ufite ububasha bwa kibyeyi kuri uwo mwana hakurikijwe amategeko abigenga.

Imwe mu ngingo ziri mu Itegeko ryerekeye kurinda amakuru bwite n’imibereho bwite by’umuntu  igaragaza ko hakenewe gushyirwaho umukozi ushinzwe kurinda amakuru (DPO) mu gihe cyose hakorwa ibikorwa byo gutunganya amakuru bwite (Ingingo ya 40).

Ikigo cyawe cyaba gikora nk’umugenzuzi w’amakuru, utunganya amakuru , cyangwa ukora byombi icyarimwe, iri tegeko ritegeka ko hagomba gushyirwaho umukozi ushinzwe kurinda amakuru. Kudashyiraho umukozi ushinzwe kurinda amakuru bwite bifatwa nk’ikosa ryo mu rwego rw’ubuyobozi (Ingingo ya 53).

Hakurikijwe Ingingo ya 40, inshingano z’ingenzi umukozi ushinzwe kurinda amakuru afite, ni:

• Kumenyesha no kugira inama umugenzuzi w’amakuru, utunganya amakuru, ndetse n’abakozi bose batunganya amakuru bwite ku nshingano zabo ziteganywa n’iri Tegeko.

• Kugenzura, aho akorera, iyubahirizwa ry’iri Tegeko n’amabwiriza y’umugenzuzi w’amakuru cyangwa utunganya amakuru ku bijyanye no kurinda amakuru bwite, harimo kugena inshingano, gukora ubukangurambaga, kongera ubumenyi, guhugura abakozi batunganya amakuru bwite, ndetse no gukora igenzura.

• Gutanga inama iyo zisabwe ku bijyanye n’isesengura ry’ingaruka zo kurinda amakuru (DPIA) no kugenzura ishyirwa mu bikorwa ryazo.

• Gukorana n’urwego rugenzura no kuba uwo bakorana mu gihe habayeho ibibazo bijyanye no gutunganya amakuru bwite, harimo kugisha inama urwego rugenzura ndetse no kugisha inama, aho bikenewe, ku bindi bibazo byose.

Chapter II of the law relating to the protection of personal data and privacy stipulates the rights of data subjects. The Act has enhanced the rights of data subjects by giving substantial rights including:

1. Right of the data subject to withdraw the consent (Article 8)

2. Right to personal data (Article 18)

3. Right to object (Article 19)

4. Right to data portability (Article 20)

5. Right to not be subject to a decision based on automated data processing (Article 21)

6. Right to restriction of processing of personal data (Article 22)

7. Right to erasure of personal data (Article 23)

8. Right to rectification (Article 24)

9. Right to designate an heir to personal data (Article 25)

10. Right to representation (Article 26)

Where the data controllers, the data processors know that personal data belong to a child under the age of sixteen (16) years they must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws. Other exceptions are highlighted in the article 9.

What are the obligations of Data Controllers and Data Processors?

Chapter VI of the law relating to the protection of personal data and privacy relates to a number of obligations which have been imposed on data controllers and data processors to ensure that processing of personal data is done in a fair and lawful manner such as:

Principles relating to processing of personal data

Data controllers and data processors need to ensure that processing of personal data is lawful, fair, transparent, adequate, relevant, accurate, kept for as long as required and proportionate to the purposes for which it is being processed, and are processed in compliance with the rights of data subjects.

Duties of the data controller and the data processor

The data controller and data processor must ensure all personal data is processed in compliance with the law, and be able to demonstrate compliance through a series of measures including implementing appropriate technical and organizational measures, keeping a record of personal data processing operations, and designating a data protection officer amongst others.

Information to be provided during personal data collection

The data controller collects personal data for a lawful purpose connected to the activity of the data controller and when the data is necessary for that purpose. The information to be shared with the data subject during data collection are provided in the article 42.

Notification of personal data breach

As soon as the data controller becomes aware that a breach has occurred, the controller must notify the breach to the supervisory authority within forty-eight (48) hours after having become aware of it. Where the data processor becomes aware of a personal data breach, he or she notifies the data controller within forty-eight (48) hours after being aware of the incident.

Report on personal data breach

The data controller draws up a report on personal data breach and submits it to the supervisory authority not later than seventy-two (72) hours with all facts available. The report content format is described in article 44.

Communication of a personal data breach to the data subject

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the data controller communicates the personal data breach to the data subject in writing or electronically, after having become aware of it. However, there are some exceptions highlighted in article 45

Lawful processing of personal data

The law lays down the conditions for legal basis required for processing in the article 46.

Measures to ensure security of personal data

The data controller or the data processor must ensure security of the personal data in his or her possession by, adopting appropriate, reasonable technical measures to prevent loss, damage or destruction of personal data. The measures to ensure security of personal data are described in article 47.

Chapter VII of the law relating to the protection of personal data and privacy deals with storage, transfer and retention of personal data.

Storage of personal data

The data controller or data processor stores personal data in Rwanda

However, the storage of personal data outside Rwanda is only permitted if the data controller or the data processor holds a valid authorization which is issued by the supervisory authority.

Sharing and transfer of personal data outside Rwanda

The data controller or data processor may share or transfer personal data to a third party outside Rwanda if an authorization has been obtained from the supervisory authority. Other conditions are described in article 48 and 49.

Migration and management of personal data after change or closure of business

In case of change or closure of business of the data controller or data processor, the supervisory authority puts in place a regulation determining modalities for migration and management of personal data.

Retention of personal data

The data controller or data processor retains personal data until the purposes of the processing of personal data are fulfilled. However, there are some exceptions highlighted in article 52.

Yes. Offences, administrative misconducts and their respect penalties and sanctions are shown below:

Offences:

• Accessing, collecting, using, offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law Re-identification of de-identified personal data in a way that is contrary to this Law Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this Law Sale of personal data in a way that is contrary to this Law Collecting or processing of sensitive personal data in a way that is contrary to this Law Providing false information (Article. 56)

• Re-identification of de-identified personal data in a way that is contrary to this Law (Article. 57)

• Accessing, collecting, using, offering, sharing, transfer or disclosing of personal data in a way that is contrary to this Law Re-identification of de-identified personal data in a way that is contrary to this Law Destruction, erasure, concealment or alteration of personal data in a way that is contrary to this Law Sale of personal data in a way that is contrary to this Law Collecting or processing of sensitive personal data in a way that is contrary to this Law Providing false information (Article. 58)

• Sale of personal data in a way that is contrary to this Law (Article. 59)

• Collecting or processing of sensitive personal data in a way that is contrary to this Law (Article. 60)

• Providing false information (Article. 61)

Penalties:

• A controller or processor that commits one of the offences referred to in above Articles 56, 57, 58, 59, 60 and 61 commits an offence. Upon conviction, it is liable to a fine of Rwandan francs amounting to five percent (5%) of its annual turnover of the previous financial year.

• The court may also order permanent or temporary closure of the legal entity or body, or the premises in which any of the offences provided for under this Law was committed.

Administrative misconducts:

• failure to maintain records of processed personal data

• failure to carry out personal data logging

• operating without a registration certificate

• failure to report a change after receiving a registration certificate

• using a certificate whose term of validity has expired

• failure to designate a personal data protection officer

• failure to notify a personal data breach

• failure to make a report on personal data breach

• failure to communicate a personal data breach to the data subject

Sanctions:

• A Data controller or data processor is liable to one percent (1%) of the global turnover of the preceding financial year.

• The supervisory authority may put in place a regulation determining other administrative misconducts and sanctions that are not provided for in this Law.

• On Already Acquired Data

• On New Collected Data

• Storage of personal data

• Share/Transfer of personal data

• Internal Processes of an Institution

  1. Charities and Religious entities

  2. Security companies (including operating security CCTV systems)

  3. Gambling

  4. Operating an educational institution

  5. Health administration and provision of patient care

  6. Hospitality industry firms but excludes tour guides

  7. Property management including the selling of land

  8. Provision of financial services

  9. Telecommunications network or service providers

  10. Businesses that are wholly or mainly in direct marketing

  11. Transport services firms (including online passenger hailing applications)

  12. Businesses that process genetic or/and biometric data

  13. Any businesses that deals with personal data

The data controller and data processor have a transitional period of up to October 15, 2023, to comply with provisions of the law on the processing of personal data (Article 67)

The data controller is required to first register with the supervisory authority. Where the data processor is required to get authorization from the data controller and register with the supervisory authority. (Articles 4, 29 and 30)

The data controller and data processor stores personal data in Rwanda. A valid registration certificate is required to authorize the storage of personal data outside Rwanda (Article 50)

A valid registration certificate is required to authorize the sharing and transfer of personal data outside Rwanda. (Articles 48)

Designation of a data protection officer and adopting appropriate, reasonable technical measures to prevent loss, damage or destruction of personal data. (Articles 40 and 47)

If you are a person, public or private corporate body or legal processing personal data for the following purposes you need to register as a data controller or a data processor with the National Cyber Security Authority (NCSA).

Yes, the law on personal data protection and privacy takes immediate effect. However, companies and individuals in Rwanda that are already in operation and process personal data of individuals have a transitional period up to 15th October 2023 to fully comply with the new law.

In the law on personal data protection and privacy, consent must be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

There are two possible ways particularly on data processing and registration requirement for data transfer outside Rwanda:

• Authorization provided for under Art.48 (1) of DPP law to transfer personal data outside Rwanda is done during registration to operate as a data controller or data processor; This complements Art. 30 (7) DPP law requiring the applicant to indicate the country to which he/she intends to directly or indirectly transfer the personal data

• A request to transfer personal data outside Rwanda may also be submitted after registration for specific processing reasons of personal data outside Rwanda as the need may arise depending on the changing nature of the business/operations and other reasons described in Art. 48 (2-3) and also in consideration of the required appropriate safeguards as provided for by the Law. Note: If the second scenario (2) comes in after registration, he/she will then be required to request for a change on the registration certificate.

Anyone who is processing or who is willing to process personal data/whoever is already in personal data processing or wants to operate as a data controller or data processor.

It is the removal of personal identifiable information for the purpose of safeguarding personal data.

It remains personal between data subject and the data controllers or processors; that is to say, de-identification should be understood as a technique used to protect individual’s privacy.

The law applies to any natural or legal person who processes personal data, whether that data is received directly from the data subject by the data controller or indirectly from the data controller by a data processor. A natural person is a human being, as opposed to a legal person.

Most of us give personal data to groups such as Government institutions, banks, insurance companies, hospitals, and telecommunication companies to use their services or meet certain conditions. They can also get information about us from other sources.

We refer to organizations or persons who control the contents and use of our personal data as 'data controllers'.

Under the Law Nº 058/2021 of 13/10/2021 Law relating to the protection of personal data and privacy, you have rights regarding the use of these personal data and data controllers have certain responsibilities in how they handle them.

Personal data is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Privacy is a fundamental right of a person to decide who can access his or her personal data, when, where, why and how his or her personal data can be accessed.

When you give your personal data to an organization or person, they have a duty to keep these data private and safe. This process is known as data protection.

If you are not happy with how your personal data are being used, you should contact the organization or person in question. If you believe that the organization or person is still not respecting your data protection rights, you should contact the Data Protection & Privacy Office to ask for help.

You have a range of rights when the organization or person takes and records your personal data.

Right to have your personal data used in line with the law

A data controller who holds information about you must:

• get and use the information fairly;

• keep it for only one or more clearly stated and lawful purposes;

• use and make known this information only in ways that are in keeping with these purposes;

• keep the information safe;

• make sure that the information is factually correct, complete and up-to-date;

• keep the information for no longer than is needed for the reason stated; and

• give you a copy of your personal information when you ask for it.

Right to personal data

1. Data controllers who obtain your personal data must give you:

   • the name of the organization or person collecting the information or for whom they are collecting the information;

   • the reason why they want your personal data; and

   • any other information that you may need to make sure that they are handling your details fairly – for example the details of other organizations or people to whom they may give your personal data.

   If an organization or person gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.

   This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence

2. Right to know if your personal details are being held:

   If you think that an organization or person may be holding some of your personal details, you can ask them to confirm. If they do have personal data about you, they must tell you which details they hold and the reason why they are holding this information and its source.

   You can ask for this information free of charge

3. Right to know whether your personal data have been transferred to a third country or to an international organization

   In all above cases, the data controller or the data processor has to respond to you within thirty (30) days from the date of receipt of the request.

   If you are not satisfied with the response of the data controller or the data processor you may appeal to the Data Protection & Privacy Office within thirty (30) days from the date of receipt of the response.

Right to rectification your details

If you discover that a data controller has details about you that are not factually correct, you can ask them to correct them where necessary.

You can write to the organization or person, explaining your concerns or outlining which details are incorrect. Within 30 days, the organization must do as you ask or explain why they will not do so.

Right to object

A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you loss, sadness or anxiety, you may ask the data controller not to stop using your personal data.

However, this right does not apply if the data controller or the data processor demonstrates compelling legitimate grounds for the personnel data processing.

For example

• you have already agreed that the data controller can use your details;

• a data controller needs your details under the terms of a contract to which you have agreed;

• a data controller needs your details for legal reasons.

You have the right to ask a data controller or data processor to stop processing your personal data if are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.

There is no charge for objecting.

Right to restriction of processing of personal data

You have the right to restrict the data controller from processing your personal data for a given period if:

• You contested the accuracy of your personal data

• The processing is unlawful and you request the erasure

• You object to the processing of personal data

The right is not exercised if the processing of personal data:

• is necessary for the protection of the rights of another person

• is necessary for reasons of public interest

Right to personal data portability

You have the right to request the data controller to resend the personal data concerning you as it was provided

You also have the right to request the data controller your personal data transmitted to another data controller, where technically feasible, without hindrance.

In all above cases, the data controller has to respond to you within thirty (30) days from the date of receipt of the request.

If you are not satisfied with the response of the data controller, you may appeal to the Data Protection & Privacy Office within thirty (30) days from the date of receipt of the response.

Right to erasure of personal data

You have the right to request the data controller for erasure of your personal data where:

• Your personal data are no longer necessary in relation to the purposes for which they were collected;

• You withdraw consent on which the personal data processing is based and where there is no other legal ground for the processing;

• You object to the processing of personal data and there are no overriding legitimate grounds for the processing

• Your personal data have been unlawfully processed

However, the right to request the erasure of personal data does not apply to the extent that processing is necessary described in this Law such as reasons of public interest.

Right to designate an heir to personal data

Your personal data are not primarily subject to succession but, where you had left a will, you provide your heir with full or restricted rights relating to the processing of your personal data kept by the data controller or the data processor, if such personal data still need to be used.

Right to representation

You have right to be represented when:

• You are under sixteen (16) years of age

• You have a physical impairment and unable to represent yourself

• You are a medically determinable mental impairment and is unable to represent yourself

• You have any other reason, in which case you are being represented by another person

In all above cases you need to provide an authorization of representation in accordance with relevant Laws.

Right not to be subject to a decision based on automated data processing

You have the right not to be subject to a decision based solely on automated personal data processing, including profiling, which may produce legal consequences or significant consequences to you.

For example, such decisions may be about your work performance

However, this right is not exercised when the processing:

• is based on your explicit consent;

• is necessary for entering into, or performance of, a contract between the you and the data controller;

• is authorized by to other Laws

Uburenganzira ku kurindwa kw'amakuru yawe bugufasha kwemeza ko amakuru yawe abitswe ari:

• ukuri;

• abonwa gusa n'ababyemerewe gusa; kandi

• akoreshwa ku mpamvu yavuzwe gusa

Ufite uburenganzira bwo kurindwa kw’amakuru yawe igihe:

• Abitswe muri mudasobwa; 

• Abitswe ku mpapuro cyangwa mu buryo bwanditse busanzwe

• Agizwe n’amafoto cyangwa amashusho agaragaza isura yawe, cyangwa ijwi ryawe ryafashwe. 

Niba uhaka kubona amakuru yawe, ohereza ibaruwa ku kigo cyangwa umuntu ufite amakuru yawe bwite, ubasabe kuguha kopi yayo. Ayo makuru agomba kuba yoroshye kumenya ayo ari yo.

Mu busabe bwawe, ugomba:

• Gutanga amakuru ashobora gufasha umuntu kukumenya no kubona amakuru yawe. Urugero, nka nimero ya konti yawe, aderesi wakoresheje mbere, cyangwa itariki y’amavuko.

• Gusobanura neza amakuru ushaka kubona niba hari ayo wifuza by’umwihariko. Ibi bizafasha ikigo cyangwa umuntu ubisabye kugusubiza vuba kandi neza.

Urugero rw’amagambo wakoresha usaba amakuru yawe:                     

Nyakubahwa Ushinzwe Kurinda Amakuru bwite,

Hashingiwe ku Itegeko N° 058/2021 ryo ku wa 13/10/2021 ryerekeye kurinda amakuru bwite n’imibereho bwite by’umuntu, ndifuza gusaba uburenganzira bwo kubona kopi y’amakuru yanjye yose mubitse, haba ari kuri mudasobwa cyangwa yanditse mu buryo busanzwe.

[Numero ya konti yanjye ni ...] 

[Itariki y’amavuko yanjye ni ...] 

[Ahahoze ari aderesi yanjye ni ...]

Mugire amahoro,

[Izina]

Abakozi b’Ibiro bishinzwe kurinda amakuru bwite bagamije gutuma uburenganzira bwawe bwubahirizwa no gutuma abagenzuzi b’amakuru n’abatunganya amakuru bashyira mu bikorwa amategeko. Niba hari ikigo cyangwa umuntu utubahirije amategeko, ukaba utanyuzwe n’ubusobanuro bwabo ku mpungenge zawe, ushobora gutanga ikirego mu Biro bishinzwe kurinda amakuru bwite.

Ni gute namenyesha Ibiro bishinzwe kurinda amakuru bwite?

Niba ucyeneye amakuru ku burenganzira bwawe, watumenyesha ukoresheje telefoni cyangwa emeyili. 

Aderesi: 18KG Ave, A&P Building, Ground Floor, Kacyiru

Emeyili: dpp@dpo.gov.rw

Umurongo utishyurwa: 9080

Amakuru bwite ni amakuru ayo ari yo yose yerekeye umuntu ku giti cye uzwi cyangwa ushobora kumenyekana, mu buryo buziguye cyangwa butaziguye, by'umwihariko hashingiwe ku kimuranga nk'izina, nimero imuranga, aho aherereye, ikimuranga mu buryo koranabuhanga cyangwa hashingiwe ku kintu kimwe cyangwa byinshi byihariye biranga imiterere y'umubiri we, imitekerereze ye, inkomoko ye, ubuzima bwe bwo mu mutwe, ubukungu, umuco cyangwa imibereho y'uwo muntu ku giti cye.

Amakuru bwite y’ibanga ni amakuru agaragaza isanomuzi y’umuntu, uko ubuzima bwe buhagaze, ko yafunzwe cyangwa atafunzwe, dosiye ye yo kwa muganga, inkomoko ye mu muryango, imyemerere ye ishingiye ku idini cyangwa ku mitekerereze, ibitekerezo bye bya politiki, amakuru ndangasano cyangwa ay’imiterere ye, ay’ubuzima bw’imibonano mpuzabitsina cyangwa umwirondoro w’umuryango.

Yego. Itegeko mu ngingo yaryo ya 9, rivuga ko iyo umugenzuzi w’amakuru, utunganya amakuru cyangwa undi muntu azi ko ari ay’umwana utarageza ku myaka cumi n’itandatu (16) y’amavuko, agomba kubyemererwa n’ufite ububasha bwa kibyeyi kuri uwo mwana hakurikijwe amategeko abigenga.

Mu Itegeko ryerekeye kurinda amakuru bwite n’imibereho bwite by’umuntu, ukwemera kwa nyiri ubwite kugomba kugaragaza mu bwisanzure ibyifuzo bya nyiri ubwite nta gahato bishingiye ku bisobanuro yahawe bitarimo urujijo, yumvikanisha akoresheje imvugo, uburyo bw’inyandiko cyangwa bw’ikoranabuhanga cyangwa igikorwa kigaragara kandi gisobanutse ko yemeye itunganywa ry’amakuru bwite