August 2023

1. Governing Texts

Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy ('the Data Protection Law') was published in the Official Gazette on October 15, 2021. Prior to passing this law, there were other legal provisions in place that provided for data and privacy protection scattered in different laws, including the Constitution of the Republic of Rwanda of 4 June 2003 (as revised in 2015) ('the Constitution'), which under Article 23 guarantees protection of privacy for persons and family as a fundamental right.

The Data Protection Law gave a transition period of two years to data controllers and data processors who were already in operation to conform to the new law. However, some data controllers and data processors have started conforming whereby they have already registered with the regulatory authority, the National Cyber Security Authority ('NCSA').

1.1. Key acts, regulations, directives, bills

In Rwanda, the Data Protection Law was published on October 15, 2021, in the Official Gazette.

There are other laws in place that also provide for data and privacy protection so as long as they are not contrary to the data and privacy law, including:

• the Constitution;
• Law No. 60/2018 of 22 August 2018 on Prevention and Punishment of Cyber Crimes;
• Law No. 04/2013 of 8 February 2013 Relating to Access to Information;
• Law No. 60/2013 of 22 August 2013 Regulating the Interception of Communications;
• Law No. 16/2010 of 7 May 2010 Governing Credit Information System in Rwanda;
• Law No. 71/2018 of 31 August 2018 Relating to the Protection of the Child;
• Law No. 24/2016 of 18 June 2016 Governing Information and Communication Technologies; and
• Law No. 44bis/2017 of 6 September 2017 Relating to the Protection of Whistleblowers.

1.2. Guidelines

The NCSA is in charge of issuing data protection guidance. However, there are other key public institutions, such as the Ministry of Information Communication Technology and Innovation and the Rwanda Utilities Regulatory Authority ('RURA'), which might also be involved in issuing data protection guidance due to the mandate accorded to them by the laws establishing them.

1.3. Case law

There are no landmark cases regarding breach of data and privacy laws yet due to the fact that the Data Protection Law is still a new law and the majority of the population is not aware of its existence.

2. Scope of Application

2.1. Personal scope

The Data Protection Law applies to natural persons (alive or deceased), as well as private and public institutions.

2.2. Territorial scope

According to Article 2, the Data Protection Law applies to data controllers, processors, or third parties that are established or ordinarily residing in Rwanda and processing personal data while in Rwanda. It also applies to those that are not established or resided in Rwanda, but process the personal data of data subjects located in Rwanda.

2.3. Material scope

The Data Protection Law covers the processing of personal data by electronic or other means using personal data through an automated or non-automated platform.

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The NCSA is the authority in charge of issuing data protection guidance. The authority was established by Law No. 26/2017 of 31 May 2017 Establishing the National Cyber Security Authority and Determining its Mission, Organisation and Functioning.

3.2. Main powers, duties and responsibilities

The NCSA has the following duties:

• overseeing the implementation of the Data Protection Law;
• responding to every legitimate request for an opinion regarding personal data processing;
• informing the data subject, data controller, data processor, and a third party of their rights and obligations;
• putting in place a register of data controllers and data processors;
• investigating the subject matter of the complaint lodged by the data subject, the data controller, the data processor, or a third party relating to the processing of personal data and informing them of the outcome of the investigation within a reasonable period;
• receiving and considering the data subject's appeal;
• advising on matters relating to the protection of personal data and privacy; and
• cooperating with authorities, organizations, or entities operating within the country or abroad in the protection of personal data and privacy.

The NCSA has the power to:

• issue registration certificates as provided for by the Data Protection Law;
• ensure that the processing of personal data is consistent with the provisions of the Data Protection Law;
• ensure that information and communication technologies do not constitute a threat to public freedoms and the privacy of a person;
• put in place a regulation relating to the application of the Data Protection Law; and
• to impose administrative sanctions in accordance with the provisions of the Data Protection Law.

4. Key Definitions

Data controller: A natural person, public or private corporate body, or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing.

Data processor: A natural person, public or private corporate body, or legal entity, which is authorized to process personal data on behalf of the data controller.

Personal data: Any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural, or social identity of that natural person.

Sensitive data: Information revealing a person's race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life, or family details.

Health data: The Data Protection Law does not provide a definition.

Biometric data: The Data Protection Law does not provide a definition.

Pseudonymization: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information kept separately.

Data subject: A natural person from whom, or in respect of whom, personal data has been requested and processed.

5. Legal Bases

5.1. Consent

According to Article 3(18) of the Data Protection Law, consent must be a freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by an oral, written, or electronic statement, or by clear affirmative action, signify agreement to the processing of personal data relating to them.

5.2. Contract with the data subject

Article 46(2) of the Data Protection Law stipulates one of the grounds for lawful processing of personal data if the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.

Article 48 of the Data Protection Law prohibits any transfer of personal data to third parties outside Rwanda. However, the transfer can be necessary under the following circumstances:

• for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject's request; and
• for the performance of a contract concluded in the interest of the data subject between the data controller and a third party.

5.3. Legal obligations

Article 10(2) of the Data Protection Law states that the data controller or data processor can process sensitive personal data only if the processing is necessary for the purposes of carrying out the obligations of the data controller or data processor or exercising specific rights of the data subject in accordance with relevant laws.

In addition, Article 46(3) of the Data Protection Law provides that the data controller or data processor can process personal data if the data controller executes a legal obligation to which they are subject.

5.4. Interests of the data subject

Article 10(3) of the Data Protection Law states that the data controller or data processor can process sensitive personal data only if the processing is necessary to protect the vital interests of the data subject or any other person.

Article 46 of the Data Protection Law provides that the data controller or data processor can lawfully process personal data if it is necessary for the protection of the vital interests of the data subject or any other person.

5.5. Public interest

Articles 10(4) and 10(5) of the Data Protection Law provide that the data controller or data processor can process sensitive personal data only if the processing is necessary for the purposes of preventive or occupational medicine and public health, such as protecting against serious cross-border threats to health and ensuring high standards of quality and safety of healthcare, medicinal products, or medical devices, or the processing is necessary for archiving purposes in the public interest.

In addition, Article 46(3) of the Data Protection Law provides that the data controller or data processor can process personal data if it is necessary for the performance of a duty carried out in the public interest or in the exercise of official authority vested in the data controller.

5.6. Legitimate interests of the data controller

Article 46(7) of the Data Protection Law provides that it is lawful to process data if it is intended for legitimate interests pursued by the data controller or a third party to whom the personal data is disclosed unless the processing of personal data is unwarranted in any particular case having regard to the prejudice to the rights and freedoms or legitimate interests pursued by the data subject.

5.7. Legal bases in other instances

Not applicable.

6. Principles

Article 37 of the Data Protection Law provides for the following principles related to the processing of personal data:

• transparency: the data must be processed lawfully, fairly, and in a transparent manner;
• purpose limitation: the data must be collected for explicit, specified, and legitimate purposes, and not further processed in a manner incompatible with those purposes;
• data minimization: the data must be related to the purposes for which its processing was requested;
• accuracy: the data must be accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;
• storage limitation: the data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
• accountability: the data is processed in compliance with the rights of data subjects.

7. Controller and Processor Obligations

7.1. Data processing notification

Article 29 of the Data Protection Law stipulates that a person who intends to be a data controller or data processor must register with the NCSA. According to Article 31, the NCSA issues a registration certificate to those who fulfill the registration requirements set out under Article 30 of the Data Protection Law, which include indicating the following:

• their identity and their designated single point of contact;
• the identity and address of their representative if they have nominated any;
• a description of the personal data to be processed and the category of data subjects;
• whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it operates;
• the purposes of the processing of personal data;
• the categories of recipients to whom the data controller or the data processor intends to disclose the personal data;
• the country to which the applicant intends to directly or indirectly transfer the personal data; and
• risks in the processing of personal data and measures to prevent such risks and protect personal data.

The NCSA can put in place a regulation that provides additional requirements that must be met by an applicant who registers as a data controller or a data processor (Article 30 of the Data Protection Law). Provided that the applicant meets the requirements for registration as a data controller or a data processor, the NCSA will issue the registration certificate within 30 working days from the date of receiving the registration application (Article 31 of the Data Protection Law).

Reporting a change after receiving the registration certificate

After receiving the registration certificate, if there is a change in the grounds on which the registration certificate was issued, the data controller or the data processor who received it must notify the NCSA in writing or electronically within 15 working days from the date on which such a change occurred (Article 32 of the Data Protection Law). The NCSA updates the information, as soon as it is informed of the change, and approves it (Article 32 of the Data Protection Law).

Renewal of the registration certificate

The data controller or the data processor who holds a registration certificate may apply for its renewal within 45 working days before the expiry date of the existing certificate (Article 33 of the Data Protection Law). The NCSA responds in writing or electronically to the application for renewing the registration certificate, within 30 working days following receipt of the application (Article 33 of the Data Protection Law). The NCSA must put in place a regulation that determines the requirements for renewal of the registration certificate (Article 33 of the Data Protection Law).

Modification of the registration certificate

The NCSA may, on its own motion or at the request of the data controller or data processor, modify the registration certificate before its expiry, if it believes that modification is needed to respond to a change in applicable laws or a change in the information that the data controller or data processor provided that may affect the registration certificate (Article 34 of the Data Protection Law).

Cancellation of the registration certificate

The NCSA may cancel the registration certificate before its date of expiry if the data controller or data processor has submitted false or misleading information, or fails to comply with the requirements of the Law or terms and conditions specified in the certificate (Article 35 of the Data Protection Law). Before cancellation of the registration certificate, the NCSA must provide the data controller or data processor, who holds a registration certificate with 15 working days prior notice in writing or electronically, requesting for explanations on non-compliance with the provisions of paragraph 1 of this Article (Article 35 of the Data Protection Law).

Register of data controllers and data processors

The NCSA must put in place a register of data controllers and data processors and keep and manage it, as well as determine its form and the manner in which it is used (Article 36 of the Data Protection Law). The NCSA may, at the request of the data controller or the data processor who has an outdated entry in the register of data controllers and data processors, erase the entry from the register (Article 36 of the Data Protection Law).

7.2. Data transfers

Article 48 of the Data Protection Law prohibits the transfer of data to third parties without authorization from the NCSA. Article 50 of the Data Protection Law states that the data controller or data processor must store personal data in Rwanda. The provision further states that the storage of personal data outside Rwanda is only permitted if the data controller or data processor holds a valid registration certificate authorizing them to store personal data outside Rwanda, which is issued by the NCSA.

7.3. Data processing records

Article 17 of the Data Protection Law requires the data controller or data processor to maintain a record of all personal data processing activities under their responsibility and must submit the records of personal processing activities upon the request of the NCSA.

Furthermore, under Articles 17 and 38(2) of the Data Protection Law, the data controller or the data processor must keep a record of all personal data processing activities under its responsibility. In addition, Article 17 of the Law provides that the record must include the following information:

• the name and contact details of the data controller and, where applicable, the data processor, the controller's representative, or the data protection officer ('DPO');
• the purposes of the processing of personal data;
• a description of the categories of data subjects and of the categories of personal data;
• a full list of the recipients to whom personal data have been or will be disclosed, including those based in other countries;
• a description of transfers of personal data to any country outside Rwanda; and
• where possible, the envisaged data retention periods for the different categories of personal data.

7.4. Data protection impact assessment

Article 38(3) of the Data Protection Law sets out a duty for data controllers and data processors to carry out Data Protection Impact Assessments ('DPIAs') where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person.

In particular, a DPIA must be conducted in the case of (Article 38(2) of the Data Protection Law):

• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing of personal data, including profiling, and on which decisions that produce effects concerning such persons are based;
• processing on a large scale of sensitive personal data;
• systematic monitoring of a publicly accessible area on a large scale;
• processing of personal data identified by the supervisory authority as likely to result in a high risk to the rights and freedoms of natural persons; and
• new technologies used to process personal data.

The DPO must provide advice where requested as regards the DPIA and monitor its performance (Article 41(3) of the Data Protection Law).

7.5. Data protection officer appointment

Article 40 of the Data Protection Law imposes the appointment of a DPO for private and public entities that process personal data, where:

• the processing of personal data is carried out by a public or private corporate body or a legal entity, except courts;
• the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope, or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data pursuant to Article 10 of the Data Protection Law and personal data relating to criminal convictions referred to in Article 12 of the Data Protection Law.

The provision further states that a single DPO may be appointed by a group of entities, they can also be an employee of a legal entity, or a person who fulfills the tasks on the basis of a service contract (Article 40 of the Data Protection Law).

The DPO is required to (Article 41 of the Data Protection Law):

• inform and advise the data controller, the data processor, and the employees who carry out personal data processing, of their obligations pursuant to this Law;
• monitor, in their area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in personal data processing operations, and the related audits;
• provide advice where requested as regards the DPIA and monitor its performance; and
• cooperate with the supervisory authority and act as its contact point on issues relating to the processing of personal data, including the prior consultation with the supervisory authority, and consult, where appropriate, with regard to any other matter.

The DPO is designated on the basis of professional qualities, expert knowledge of personal data protection practices, and the ability to fulfill the tasks assigned to them (Article 40 of the Data Protection Law). The data controller or the data processor must publish the contact details of the DPO and communicate them to the supervisory authority (Article 40 of the Data Protection Law).

7.6. Data breach notification

Article 43 of the Data Protection Law provides that, in case of personal data breaches, the data controller must, within 48 hours after being aware of the incident, communicate the personal data breach to the NCSA. The provision further states that, when the data processor becomes aware of the personal data breach, it must notify the data controller within 48 hours after being aware of the incident.

7.7. Data retention

Article 52 of the Data Protection Law provides for the retention of personal data. However, it does not specify retention periods. The provision further states that the NCSA may put in place a regulation determining any other ground for the retention of personal data for a longer period. The periods are expected to be put in place by the NCSA as stated in this provision. Article 52(4) of the Data Protection Law stipulates that the data controller or data processor must destroy the personal data at the end of the data retention period in a manner that prevents its reconstruction in an intelligible form.

7.8. Children's data

Article 9 of the Data Protection Law states that personal data that belongs to a child under 16 years of age, the data controller or data processor must obtain consent from a holder of parental responsibility over the child, meaning consent of a child starts at the age of 16. The provision further states that the consent obtained on behalf of the child can only be acceptable if it is given in the interest of the child. Furthermore, consent is not required if it is necessary for protecting the vital interest of the child.

7.9. Special categories of personal data

Under Article 3 of the Data Protection Law on the definition of sensitive data, personal data, including criminal records, counts as a form of sensitive data. Article 12 of the Data Protection Law provides that processing personal data of a convict is carried out under the supervision of the NCSA in accordance with the provisions of the Data Protection Law and that the data controller and data processor must ensure that the rights and freedoms of the data subject are protected.

7.10. Controller and processor contracts

Article 4 of the Data Protection Law provides that the processing of personal data carried out by the data processor is governed by a written contract between the data processor and the data controller. The Data Protection Law did not provide further details on the contract format.

8. Data Subject Rights

8.1. Right to be informed

Under, Article 3(18) of the Data Protection Law, in the definition of consent of the data subject, being informed is part of what constitutes consent. Article 6(3)(2) of the Data Protection Law requires the data controller and data processor to inform the data subject of the consequences of their consent without which the consent becomes null. Article 45 of the Data Protection Law requires the data controller to inform the data subject of the data breach; except if communicated to the public whereby the data subject is informed in an equally effective manner.

8.2. Right to access

Article 18 of the Data Protection Law provides that without prejudice to other relevant laws, the data subject may, in writing or electronically, request from the data controller or data processor the following:

• to provide them with information relating to the purposes of the processing of personal data;
• to provide them with a copy of their personal data;
• to provide them with a description of personal data that the data controller or data processor holds, including data on the contact details of a third party or the categories of third parties who have or had access to personal data;
• to inform them of the source of the personal data in case their personal data has not been obtained from the data subject; and 
• to inform them in case their personal data has been transferred to a third country or to an international organization.

8.3. Right to rectification

Article 36 of the Data Protection Law provides that the NCSA may, at the request of the data controller or data processor who has an outdated entry in the register of data controllers and data processors, erase the entry from the register. Article 37 of the Data Protection Law provides that data controllers and data processors must ensure that the data recorded is accurate and, where the data is inaccurate, they have a duty to erase or rectify the personal data without delay.

8.4. Right to erasure

Please refer to the above section regarding the right to rectification.

8.5. Right to object/opt-out

Article 8 of the Data Protection Law provides that the data subject has the right to withdraw their consent at any time.

8.6. Right to data portability

Article 20 of the Data Protection Law provides that the data subject has the right to request from the data controller, in writing or electronically, to resend the personal data concerning them as it was provided to the data controller, in a structured and readable format.

8.7. Right not to be subject to automated decision-making

Article 21 of the Data Protection Law provides for the right not to be subject to a decision based on automated data processing and provides for an exception for when it becomes necessary for entering into, or for the performance of, a contract between the data subject and the data controller.

8.8. Other rights

Not applicable. 

9. Penalties

• Unlawful access, collection, use, share, transfer, or disclosure of personal data: Article 56 of the Data Protection Law provides for a sentence of not less than one to three years, and a fine not less than RWF 700,000 (approx. $590) to RWF 10 million (approx. $8,490) upon conviction.
• Unlawful re-identification of de-identified personal data: Article 57 of the Data Protection Law provides for a sentence of for a sentence of not less than three years to five years, and a fine not less than RWF 700,000 (approx. $590) to RWF 10 million (approx. $8,490) upon conviction.
• Unlawful destruction, erasure, conceal, or alteration of personal data: Article 58 of the Data Protection Law provides for a sentence of not less than one to three years, and a fine not less than RWF 700,000 (approx. $590) to RWF 10 million (approx. $8,490) upon conviction.
• Unlawful sale of personal data: Article 59 of the Data Protection Law provides for a sentence of not less than five years to seven years, and a fine not less than RWF 12 million (approx. $10,190) to RWF 15 million (approx. $12,740) upon conviction.
• Unlawful collection or processing of sensitive personal data: Article 60 of the Data Protection Law provides for a sentence of not less than seven to 10 years, and a fine not less than RWF 20 million (approx. $16,980) to RWF 25 million (approx. $21,230) upon conviction.
• Providing false information: Article 61 of the Data Protection Law provides for a sentence of not less than one to three years, and a fine not less than RWF 3 million (approx. $2,550) to RWF 5 million (approx. $4,250) upon conviction.
• Operating without a registration certificate: Article 53 of the Data Protection Law provides a fine of not less than RWF 2 million (approx. $1,700), but not more than RWF 5 million (approx. $4,250), or 1% of the global turnover of the preceding financial year; or in the event of a corporate body or a legal entity, it is liable to 1% of the global turnover of the preceding financial year.
• In the case of a corporate body: Article 62(2) of the Data Protection Law provides for a fine of 5% of its annual turnover of the previous financial year upon conviction of any of the above breaches of the law.

9.1 Enforcement decisions

There are no enforcement decisions as of yet.