-
Population: 12,853,230
Capital: Kigali
President: Paul Kagame
2019 Freedom House Score: 23/100
Data protection law? Partial
-
Rwanda does not currently have a law focused on personal data protection, but the Information and Communication Technologies Law No. 24/2016 contains a few provisions related to personal data processing. However, it is reported that Rwanda is currently drafting a law for personal data protection, which is set to be submitted to the Rwandan Parliament for approval in 2020.
-
Personal data is any information relating to an identified or identifiable natural person by reference to any number of his, her or their identifications or to his, her or their physical, physiological, mental, economic, cultural or social identity.
Sensitive data is all personal data concerning a data subject’s philosophical opinions or religious activities, health, race, sexual life, political opinions, union membership, behaviours, judicial proceedings, or criminal or administrative sanctions.
-
Data controllers must:
- obtain written permission from the data subject or competent organs specifying the object for data collection, collation, processing and storage;
- disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, processed or stored;
- not use personal information for any other purpose other than the purpose for which it is intended, unless he, she or they are permitted by the data subject or the law to do so;
- not disclose the data without the data subject’s written consent, or unless he, she or they are permitted to do so by law;
- not use electronic means to request, collect, process, or store data relating to a subject which is not authorised by law or requested for research;
- keep a record of the personal information and the specific purpose for which it was collected for as long as the information is used;
- keep the personal information disclosed to a third party, the date, and reason for the disclosure secret for as long as the information is used and at least one year thereafter; and
- delete all data which has become obsolete.
-
The Regulatory Authority is given the power to conduct technical inspections and impose administrative sanctions on ICT operators. It may suspend access to electronic communications networks and services for certain operators, resolve disputes, and refer matters to courts.
-
There are no international data transfer provisions stipulated in Rwandan law.
-
Licensed electronic communications service providers must inform users about any security risks which may occur as a result of a breach of network security measures or protocols, and the necessary remedies available to address the breach of network security.
Rwanda
Home / Rwanda