On 15 October 2021, Law No. 058/2021 relating to the protection of personal data and privacy came into effect in Rwanda. The Act is intended to empower data subjects by providing them with agency over their data, to create legal certainty, to enable the secure flow of data, and to facilitate Rwanda’s technology-driven economy.
The Act provides for:
- The application and registration of data controllers and data processors with the supervisory authority;
- Grounds for the processing of personal information, such as consent, legal obligation, the protection of the data subjects’ interests, and when it is in the public interest;
- The empowerment of data subjects with the right to access, erase, and rectify their data;
- The designation of the National Cyber Security Authority (NCSA) as the supervisory authority to issue regulations;
- Requirements for data controllers and processors to log their processing activities;
- Requirements for data controllers to provide notifications that there has been a breach of data subjects’ personal information.
A more established legal framework on data protection in Rwanda will enable the country to expand cross-border business and foreign investment. The Minister of Information and Communication Technologies and Innovation affirms this aspiration by saying that the Act “provides the necessary foundation to transform Rwanda into a data-empowered society.”
The Press release by the Ministry of ICT and Innovation can be accessed here.
The Data Protection Act can be accessed here.
Please note: The information contained in this note is for general guidance on matters of interest and does not constitute legal advice. For any enquiries, please contact us at [email protected].