Support Centre



Law: The Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy ('the Data Protection Law')

Regulator: The National Cyber Security Authority

Summary: The Data Protection Law was published, on 15 October 2021, in the Rwanda Official Gazette. The Data Protection Law introduces principles related to lawfulness, fairness and transparency, purpose limitation and accuracy, and obligations related to data subject rights, registration as a data controller or data processor, pseudonymisation, sensitive data, data transfers, designation of a data protection officer, Data Protection Impact Assessments, and data breach notifications. In addition, the Data Protection Law provides for administrative fines on data controllers, data processors and third parties who commit misconduct of not less than RWF 2 million (approx. €1,500) but not more than RWF 5 million (approx. €4,240) or 1% of the global turnover.


The anticipated data protection law in Rwanda, first of its kind, was adopted by the Chamber of Deputies in its sitting of 12 August 2021 and was published in the Official Gazette of the Republic of Rwanda on 15 October 2021 as Law No. 058/2021 of 13 October 2021 relating to the Protection of Personal Data and Privacy ('the Law')1. The Law entered into effect upon its publication in the Official Gazette, in accordance with Article 70 of the Law. The Law, however, provides for a transitional period not exceeding two years from the date of its publication in the Official Gazette for controllers and processors, who are already in operation, to conform their operations to the provisions of the Law, as per Article 67 of the Law. The purpose of this article is to summarise the key provisions of the Law.