RWANDA
DATA PROTECTION FACTSHEET
-
Population: 12,952,209
Capital: Kigali
President: Paul Kagame
2021 Freedom House Score: 21/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, Article 23 of the Constitution protects the right to privacy.
DPA legislation: In October 2021, Rwanda’s first data protection legislation, Law No. 058/2021 Relating to the Protection of Personal Data and Privacy (the Law), was enacted and entered into force on 15 October 2021. The Law applies to individuals and institutions established or residing in Rwanda that process the personal data of individuals in Rwanda (not just citizens), as well as individuals and institutions established or residing outside of Rwanda that process the personal data of individuals in Rwanda. However, it institutes a 24-month period in which institutions and individuals can put in place the necessary processes to ensure compliance before enforcement begins. Individuals and institutions will therefore be required to be compliant starting from 15 October 2023.
The Law designates the National Cyber Security Authority (NCSA) as the supervisory authority charged with enforcement.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: No
National security exclusion: No
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): No
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: No
-
Personal data is defined to mean any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive personal data is defined to mean information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.
-
Data controllers or data processors must request personal data directly from the data subject, unless:
- the personal data is open to the public;
- the data subject has deliberately made the personal data public;
- the data subject has consented to the collection of personal data from another source;
- the collection of the personal data from another source complies with other provisions of the Law.
Data controllers must also ensure that the personal data they process is complete, accurate, kept up to date and not misleading, and that the sharing of data with data processors is governed by a contract protecting the rights of the data subject. The controller must also log its collection of personal data, including by indicating the justification, date and time of the processing and, where possible, the contact details of the person who accessed or disclosed the personal data, as well as the contact details of the recipients of the data.
The Law gives data subjects the following rights over their data:
- the right to access their personal data;
- the right to object to the processing of their data;
- the right to personal data portability;
- the right not to be subject to a decision based on automated data processing;
- the right to restriction of processing of personal data;
- the right to erasure of personal data;
- the right to rectification;
- the right to designate an heir to personal data; and
- the right to representation in certain cases.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Partial
Timeframe for notification is specified: Yes
Exceptions exist to breach notifications: Yes
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
-
Explicit provision for civil liability: Yes
Establishes/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Unclear
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: No
Number of members in DPA: Unclear
Maximum term length for members of the DPA (years): Unclear
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: No
-
The data controller may only transfer personal data to a third party outside Rwanda if they have obtained authorisation from the Supervisory Authority, the data subject has given their consent, the transfer is necessary for contractual performance, for the public interest, or for legal processes, to protect a data subject’s vital interests, for pursuing the controller or processor’s legitimate interests with certain restrictions, or for the performance of international instruments ratified by Rwanda. The Supervisory Authority may also put in place regulations permitting transfers outside the country for another reason.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 23 May 2022