

Rwanda - Data Protection Overview

March 2021

INTRODUCTION

Rwanda is on the verge of passing its first single and comprehensive legal instrument regulating privacy and data protection. As of 27 October 2020, Rwanda's Cabinet approved the Rwanda Draft Data Protection Law 2020 ('the Draft Law') which was then sent to President Paul Kagame to sign into law. Whilst the Draft Law will regulate the obligations of data controllers and processors, as well as afford data subjects general rights that protect their personal information, it does not establish a national data protection authority.

However, there are other laws that deal directly or indirectly with data privacy and/or data protection as noted below.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

Article 23 of the Constitution of Rwanda ('the Constitution') guarantees the right to privacy as a fundamental right:

'The private life, family, home or correspondence of a person shall not be subjected to arbitrary interference; his or her honour and good reputation shall be respected. A person’s home is inviolable. No search of or entry into a home may be carried out without the consent of the owner, except in circumstances and in accordance with procedures determined by law. Confidentiality of correspondence and communication shall not be subject to waiver except in circumstances and in accordance with procedures determined by law.'

To give effect to the constitutional right to privacy under Article 23 of the Constitution, Rwanda has drafted and approved the Draft Law. Whilst the Office of the Prime Minister of the Republic of Rwanda has published a statement indicating the Cabinet has approved the Draft Law, the Draft Law has not been signed into law and is not active as of writing.

Notwithstanding the Draft Law, other laws and regulations contain ancillary provisions concerning the protection of personal data:

1.2. Guidelines

Rwanda has set out a Data Revolution Policy ('the Policy') that targets specific objectives including, but not limited to, establishing standards and principles for data management, defining the framework for data creation, anonymisation, and release, fostering data-enabled technology innovations, establishing a data institutional governance framework, and addressing concerns of security, privacy, and data sovereignty. The Policy requires that all current legislation and rules be reviewed and revised to ensure that the recommended implementation practices are followed and that data security and privacy concerns are legally addressed.

1.3. Case law

In light of the fact that the Draft Law has not been signed into law yet, there have been no cases based on it. Additionally, there have been no key data protection cases initiated on Article 23 of the Constitution.

2. SCOPE OF APPLICATION

2.1. Personal scope

The Draft Law applies to a natural person, a legal person (either public or private) or any other body which, alone or jointly with others, processes personal data ('processing' is widely defined under Article 3 of the Draft Law to include the: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, analysis, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data).

2.2. Territorial scope

Article 2 of the Draft Law indicates that it applies to any person who processes data whether:

  • established or ordinarily residing in Rwanda and processing data while in Rwanda;
  • not established or not ordinarily residing in Rwanda, but processing personal data of data subjects located in Rwanda; or
  • processing non-personal data that is provided as a service to users residing or having an establishment in Rwanda.

2.3. Material scope

All processing performed on personal data or on sets of personal data, whether or not by automated means, is covered by the Draft Law. Article 4 of the Draft Law distinguishes between the categories of data regulated by the Draft Law, including personal data and non-personal data, as well as sensitive and non-sensitive data.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

Currently, Rwanda has not established a data protection regulator. Whilst the Draft Law refers to 'the Authority in charge of data protection and privacy' throughout, it does not establish such authority.

Of note, Article 63 of the Draft Law makes reference to a 'supervising organ' that will process appeals made against a decision of the authority. However, there is no other mention of the supervising organ in the Draft Law, including its creation or further responsibilities.

3.2. Main powers, duties and responsibilities

Not applicable.

4. KEY DEFINITIONS

Article 3 of the Draft Law provides for the following key definitions:

Data controller: A natural person, a legal person (either public or private) or any other body which, alone or jointly with others, collects and/or determines the purposes and means of the processing of personal data.

Data processor: A natural person, a legal person, (either public or private) or any other body authorised by the data controller to process personal data.

Personal data: Any information relating to an identified or identifiable data subject.

Sensitive data: Any personal data revealing the natural person's race, traffic data, health status, criminal or medical records, social origin, religious or philosophical beliefs, political opinion, genetic data, biometric data, property or financial details, family details including names of the person's children, parents, spouse or spouses, sex, sexual life, or orientation of the data subject.

Health data: Health data is not defined in the Draft Law.

Biometric data: Whilst included under the definition of sensitive data, biometric data itself is not defined in the Draft Law.

Pseudonymisation: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable individual.

5. LEGAL BASES

The Draft Law sets out the following legal grounds that entitle data controllers and their processors to process certain personal data:

5.1. Consent

The consent of the data subject is required in order to process certain personal data unless it is legally permitted to do otherwise. Article 3 of the Draft Law provides that the consent has to be freely given, specific, and an informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Furthermore, as outlined below, the collection and processing of sensitive data (Article 11 of the Draft Law) and children's data (Article 10 of the Draft Law) is unlawful unless certain set out grounds are met.

5.2. Contract with the data subject

Article 43 of the Draft Law provides for various grounds for the lawful processing of personal data. Article 43(b)(i) of the Draft Law, in particular, provides a legal basis to process personal data if it is in the performance of a contractual obligation to which the data subject is a party.

In addition, the Draft Law regulates conditions of eligibility to access personal data and generally prohibits certain processing of personal data, such as the transfer of personal data outside Rwanda and automated individual decision-making (Articles 27(a), 51, and 54(c)(i) of the Draft Law). In these instances, the Draft Law provides an exception that entitles data controllers and their processors to process the personal data if necessary for entering into, or performing, a contract between the data subject and a data controller.

5.3. Legal obligations

Article 43(b)(ii) of the Draft Law, which determines lawful bases for processing, provides a legal basis to process personal data for compliance with any legal obligation to which the data controller is subject.

Additionally, Article 20(c) of the Draft Law states that the erasure of personal data shall not apply where the processing of the personal data is necessary for compliance with a legal obligation to process the personal data to which the data controller is subject.

5.4. Interests of the data subject

Whilst Article 43(b)(iii) of the Draft Law provides a legal basis to process personal data in order to protect the vital interests of the data subject, Article 11(b) of the Draft Law extends this same ground to sensitive personal data as well. Article 3 of the Draft Law clarifies what is regarded as 'vital interests' by defining them as interests linked to the life and/or death of data subjects.

In Article 54(v) of the Draft Law, the protection of vital interests of the data subject is further regarded as a satisfactory legal basis for the transfer or sharing of personal data outside Rwanda if the data subject is physically or legally incapable of giving consent.

5.5. Public interest

Article 43(b)(iv) of the Draft Law provides a legal basis to process personal data for the performance of a task carried out in the public interest. Article 21(a) of the Draft Law states that where the processing of personal data is restricted on the volition of the data controller or at the request of a data subject/competent authority, the data may still be processed for reasons of public interest. What constitutes 'public interest' is not defined in the Draft Law and may be up to the courts to interpret and apply. As highlighted above under section 1.3 of this guidance note, no court decisions have been handed down on the Draft Law as the Draft Law has not yet been signed into law.

The Draft Law also regulates the information to be given to a data subject before the collection of personal data, and generally prohibits certain processing of personal data, such as the processing of sensitive personal data and the transfer of personal data outside Rwanda (Articles 16, 11(d), and 54(c)(iii) of the Draft Law). In these instances, the respective articles in the Draft Law provide for an exception that entitles data controllers and their processors to process the data if necessary for reasons of public interest.

Additionally, Article 20 of the Draft Law states that requirements concerning the erasure of personal data shall not apply where the processing of personal data is necessary for reasons of public interest in public health, and compliance with a legal obligation (Article 20(a) and (c) of the Draft Law).

5.6. Legitimate interests of the data controller

Article 43(b)(vii) of the Draft Law provides a legal basis to process personal data 'for the legitimate interests pursued by the data controller or by a third party to whom the data are disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject'. However, what constitutes 'legitimate interest' is not defined in the Draft Law and may be up to the relevant authority and courts to interpret and apply - keeping in mind that guidance may be sought from international jurisdictions that have provided clarifications on legitimate interest tests for data controllers. As highlighted above under section 1.3 of this guidance note, no court decisions have been handed down on the Draft Law as the Draft Law has not yet been signed into law.

Furthermore, the Draft Law generally prohibits certain processing of personal data, such as the transfer of personal data outside Rwanda and automated individual decision-making (Articles 54(c)(i) and 27(b) of the Draft Law). In these instances, the respective sections in the Draft Law provide an exception that entitles data controllers and their processors to process the data for the purposes of compelling legitimate interests pursued by the data controller or the processor which are not overridden by the interests, rights and freedoms of the data subjects.

5.7. Legal bases in other instances

Not applicable.

6. PRINCIPLES

Article 5 of the Draft Law sets out the following mandatory data protection principles:

Lawfulness, fairness: Mandates that the processing of personal data must be undertaken lawfully, fairly, and non-fraudulently.

Openness: Mandates that individuals should be able to avail themselves of data collection and be able to contact the entity collecting this information.

Purpose limitation: Mandates that personal data must only be collected for a specific, explicit and legitimate purpose.

Data minimisation: Mandates that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Data quality: Mandates that personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

Storage limitation: Mandates that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Confidentiality and integrity: Mandates that personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability: Mandates that the data controller shall be responsible for, and able to demonstrate compliance with, the above principles.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1. Data processing notification

The first requirement in this regard is set out in Article 30 of the Draft Law, which states that both data controllers and processors are required to register with the authority in charge of data protection and privacy. The authority is empowered to 'prescribe thresholds required for mandatory registration by considering the nature of the industry, volumes of data processed, whether it is sensitive personal data and any other criteria as the authority in charge of data protection and privacy under this Article may specify.'

Other notable provisions related to data processing notifications include:

  • Article 31 of the Draft Law, which sets out the requirements for registration applications;
  • Article 32 of the Draft Law, which provides for the issuance of registration certificates; and
  • Article 36 of the Draft Law, which establishes a 'data protection register', to be kept and maintained by the authority in charge of data protection and privacy.

7.2. Data transfers

Article 55 of the Draft Law requires '[a]ny data data controller and/or processor [to] host and/or store the data in Rwanda'. In addition, Article 52 of the Draft Law places a prohibition on remote access of personal data in another country, unless authorised by the authority in charge of data protection and privacy.

Article 54 of the Draft Law permits cross-border flows of personal data on various bases which include (but are not limited to) traditional grounds such as consent, the performance of a contract, exercise or defence of a legal claim, vital interests of the data subject, and legitimate interests of a data controller or processor. Article 54 of the Draft Law also empowers the authority in charge of data protection and privacy to 'request a person who transfers data to another country to demonstrate the effectiveness of the safeguards or the existence of compelling legitimate interests and may, in order to protect the rights and fundamental freedoms of data subjects, prohibit, suspend or subject the transfer to such conditions as it may determine'.

The Draft Law also explicitly prohibits the confinement of non-personal data, except where such confinement is justified on the basis of national security. A single point of contact is required to be appointed by 'each entity', who will be responsible for liaising with data protection officers ('DPOs') of other entities, and the authority in charge of data protection and privacy, concerning the application of Chapter VI of the Draft Law (free flows of non-personal data). This provision is ambiguous in that it is unclear whether 'each entity' refers to data controllers, processors, or both.

In addition to the Draft Law, the Policy states that one of its key principles is data sovereignty, indicating a policy stance in Rwanda that embraces the principle of national data sovereignty whereby Rwanda shall retain exclusive sovereign rights on her national data with control and power over her own data.

7.3. Data processing records

Article 22 of the Draft Law requires the data controller or processor to maintain a record of all processing operations under its responsibility. The provision further states that these records must be readily available in cases where a competent authority requests access to such records.

7.4. Data protection impact assessment

Article 38(c) of the Draft Law, which outlines the duties of data controllers, provides that conducting a Data Protection Impact Assessment ('DPIA') must be a mandatory measure implemented by every data controller. Article 54 (c)(iv)(B) of the Draft Law extends the requirement to conduct a DPIA where the data controller or data processor transfers personal data to another country on the legal ground of legitimate interests.

Additionally, Article 44 of the Draft Law sets out a reciprocal security obligation on both data controllers and their processors to secure data in their possession or control, by adopting appropriate, reasonable, technical, and organisational measures to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of data.

Data controller-specific obligations include obligations to (Article 44(a)-(d) of the Draft Law):

  • identify reasonably foreseeable internal and external risks to data under that person's possession or control;
  • establish and maintain appropriate safeguards against risks;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies.

Data controllers are also required to 'observe generally accepted information security frameworks, and specific industry or professional rules and regulations'.

Importantly, Article 45 of the Draft Law empowers the authority in charge of data protection and privacy to inspect and assess the security measures taken under Article 44 of the Draft Law prior to the beginning of the processing or transfer of personal data, where the authority is 'of the opinion that the processing or transfer of data by a data controller or processor may entail a specific risk to the privacy rights of data subjects'. Further inspections and assessments are also mandated by Article 45 of the Draft Law.

7.5. Data protection officer appointment

The Draft Law obligates every data controller to appoint a DPO (Article 38(e) of the Draft Law).

As highlighted above under section 7.2 of this guidance note, a single point of contact is required to be appointed by 'each entity', who will be responsible for liaising with DPOs of other entities, and the authority in charge of data protection and privacy, concerning the application of Chapter VI of the Draft Law (free flows of non-personal data). However, it is unclear from a reading of the Draft Law whether 'each entity' refers to data controllers, processors, or both.

7.6. Data breach notification

Data controllers are responsible for reporting a personal data breach to the authority in charge of data protection and privacy, as well as data subjects. Processors are responsible for reporting breaches to data controllers. These reporting obligations are contained in Articles 40-41 of the Draft Law.

Article 40 of the Draft Law sets out specific notification requirements for data controllers and processors in the event of a personal data breach. These provide that:

  • data controllers must, within 24 hours, notify the authority in charge of data protection and privacy of a personal data breach, which notification must contain specifics listed under Article 40 (a)-(c) of the Draft Law. Article 40 of the Draft Law also requires the data controller to 'specify the facts relating to the personal data breach, its effects and the remedial action taken so as to enable the authority in charge of data protection and privacy to verify compliance with this art'; 
  • data controllers who do not notify the authority within 24 hours must provide reasoning. The data controller shall also specify 'the facts relating to the personal data breach, its effects and the remedial action taken so as to enable the authority in charge of data protection and privacy to verify compliance'; and
  • processors are required, within 24 hours after becoming aware of a personal data breach, to notify a data controller of a personal data breach.

Article 41 of the Draft Law sets out a notification requirement for data controllers, to data subjects. Thereunder, data controllers are required, after notification to the authority, to notify data subjects within 24 hours, 'without undue delay'. The notification shall describe in clear language, the nature of the personal data breach and set out the information and the recommendations provided for under Article 39 of the Draft Law.

Exceptions to notifications to data subjects include where (Article 41 of the Draft Law):

  • the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular, those that render the data unintelligible to any person who is not authorised to access it, such as encryption;
  • the data controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is no longer likely to materialise; or
  • the data controller has made a public communication or similar measure whereby [the] data subject is informed in an equally effective manner.

7.7. Data retention

Article 59 of the Draft Law states that in ascertaining retention periods, the point of departure should consider the purpose for which the data is processed and accordingly, what would be a reasonably necessary period to achieve it. The article adds exceptions to this presumption under Article 59(a)-(d) of the Draft Law.

Where there is no applicable law prescribing a retention period, two determinants should be considered (Article 59 of the Draft Law):

  • the personal data shall be retained for a period of ten years; or
  • the personal data shall only be retained for as long as may be reasonably necessary to satisfy the purpose for which it is processed.

Once this retention period has expired, the data controller must either destroy or de-identify the personal data in a 'manner that prevents its reconstruction in an intelligible form.' Additionally, Article 59 of the Draft Law sets out the exceptions to destroying personal data if retained for:

  • the prevention, detection, investigation, prosecution, or punishment of an offence or breach of law;
  • national security purposes;
  • the enforcement of a law that imposes a pecuniary penalty;
  • the enforcement of legislation relating to public revenue collection;
  • the conduct of proceedings before any court or tribunal;
  • historical, statistical, or research purposes; or
  • any other retention as may be determined by the authority in charge of data protection and privacy.

7.8. Children's data

Children's data is included as a form of sensitive personal data. The definition of sensitive personal data under Article 3 of the Draft Law includes the names of children. Thus, the lawful grounds for processing sensitive information under Article 11 of the Draft Law, if they involve names of children, will regulate how such data must be processed. Article 12 of the Draft Law sets out the required safeguards for the processing of sensitive personal data.

In addition, Article 10 of the Draft Law, which regulates the consent of children, provides that the minimum age for valid consent to the processing of personal data is 16 years. If the child is below the minimum age for consent, then either both parents or the legal guardian must consent on the child’s behalf.

7.9. Special categories of personal data

Article 13 of the Draft Law, which regulates personal data relating to criminal convictions, provides that this category of processing must take place under the control of the competent authority. However, where the processing is authorised by a law in force, the processor must provide appropriate safeguards for the rights and freedoms of the data subject.

Data involving criminal convictions is also considered a form of sensitive personal data under Article 3 of the Draft Law.

7.10. Controller and processor contracts

Whilst the Draft Law does not expressly require the data controller and processor to set out a contract, Article 38 of the Draft Law imposes a duty on a data controller to implement appropriate data security and organisational measures. In effect, this would require a data controller to ensure that its processor is subject to confidentiality and security requirements.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

Article 16 of the Draft Law provides for the right of the data subject to be given certain information before personal data can be collected including:

  • the nature and category of the data being collected;
  • the name and address of the person responsible for the collection and the purpose for which the data is required;
  • whether or not the supply of the data by the data subject is discretionary or mandatory;
  • the effects of not providing the data;
  • the authorisation or the requirement by law for the collection of data;
  • the recipients of the data;
  • the data subject's right to access and/or rectify the data collected where applicable; and
  • the period for which the data will be retained to achieve the purpose for which it is collected.

8.2. Right to access

Article 23 of the Draft Law provides that without prejudice to other relevant laws, a data subject may request a data controller or data processor to:

  • provide information relating to the purposes of the processing;
  • provide a copy of the data about the data subject;
  • provide a description of the personal data which is held by the data controller including data about the identity of a third party or a category of a third party who has or has had access to the information;
  • request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • be informed of the source of data where the personal data were not collected from the data subject; or
  • be informed in case personal data are transferred to a third country or to an international organisation.

The right further provides that the data controller or data processor shall provide the information to the data subject in a clear and concise manner.

8.3. Right to rectification

Article 25 of the Draft Law provides that the data subject may demand that the data controller rectify, complete, update, block or erase, as the case may be, the personal data concerning him/her where such data are inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure, or storage are prohibited.

8.4. Right to erasure

Please see section 8.3. above.

8.5. Right to object/opt-out

The Draft Law does not expressly refer to the right to opt-out. While the right to object may afford the right to opt-out, the two are not necessarily synonymous, as the right to object covers other scenarios.

Article 24 of the Draft Law provides that the data subject may at any time, by notice in writing to the data controller and/or data processor, require the data controller and/or data processor to stop processing personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject.

The right further provides that the data controller or data processor shall, within a period of 15 working days after receipt of the notice, inform the concerned data subject in writing about the compliance or the intention to comply with the notice, or of the reasons for non-compliance.

If the data subject is not satisfied by the response of the data controller and/or data processor, he/she may appeal to the authority in charge of data protection and privacy.

8.6. Right to data portability

Article 26 of the Draft Law provides that the data subject may request the transfer or sharing of his/her personal data from one data controller to another.

8.7. Right not to be subject to automated decision-making

Article 27 of the Draft Law provides that any data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or which significantly affects him/her.

However, this right shall not apply where the decision is:

  • necessary for entering into, or performing, a contract between the data subject and a data controller;
  • authorised by a law or a regulation in force, to which the data controller is subject and which lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or
  • based on the data subject's explicit consent.

The right further provides that any automated processing of personal data intended to evaluate certain personal aspects relating to an individual shall not be based on sensitive personal data.

8.8. Other rights

Not applicable.

9. PENALTIES

According to Article 64 of the Draft Law, the authority in charge of data protection and privacy is responsible for the enforcement of the Draft Law. Chapter IX of the Draft Law sets out the different offences and their penalties (which may change once Regulations are promulgated), including:

  • The unlawful obtaining, processing or disclosing of data offence under Article 65 of the Draft Law. Convicted persons are liable for a fine not less than RWF 5,000,000 (approx. €4,220) and not exceeding RWF 10,000,000 (approx. €8,430) or imprisonment not less than six months and not exceeding two years or both.
  • The re-identification and processing of de-identified personal data offences under Article 66 of the Draft Law. Convicted persons are liable for a fine not less than RWF 5,000,000 (approx. €4,220) and not exceeding RWF 10,000,000 (approx. €8,430) or imprisonment not less than two years and not exceeding five years or both.
  • The unlawful destruction, deletion, concealment or alteration of data offences under Article 67 of the Draft Law. Convicted persons are liable for a fine not less than RWF 5,000,000 (approx. €4,220) and not exceeding RWF 10,000,000 (approx. €8,430) or imprisonment not less than six months and not exceeding two years or both.
  • The unlawful sale of data offence under Article 68 of the Draft Law. Convicted persons are liable for a fine not less than RWF 5,000,000 (approx. €4,220) and not exceeding RWF 10,000,000 (approx. €8,430) or imprisonment not less than two years and not exceeding five years or both.
  • The unlawful collecting or processing of sensitive personal data offences under Article 69 of the Draft Law. Convicted persons are liable for a fine not less than RWF 5,000,000 (approx. €4,220) and not exceeding RWF 10,000,000 (approx. €8,430) or imprisonment not less than two years and not exceeding five years or both.
  • The provision of false information offences under Article 70 of the Draft Law. Convicted persons are liable for a fine not less than RWF 500,000 (approx. €420) and not exceeding RWF 1,000,000 (approx. €840) or imprisonment not less than one year and not exceeding three years or both.
  • Offences by corporations under Article 71 of the Draft Law. Convicted entities are liable for a fine of 5% of their annual turnover.

9.1. Enforcement decisions

Not applicable as of yet.