Rwanda

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

Download the Act

Fast Facts
Domestic Law

Privacy enshrined in Constitution: Yes, Article 23 of the Constitution protects the right to privacy.

DPA legislation: In October 2021, Rwanda’s first data protection legislation, Law No. 058/2021 Relating to the Protection of Personal Data and Privacy (the Law) was enacted, and entered into force on 15 October 2021. The Law applies to individuals and institutions established or residing in Rwanda, that process the personal data of individuals in Rwanda (not just citizens), as well as individuals and institutions established or residing outside of Rwanda, that process the personal data of individuals in Rwanda. It institutes, however, a 24-month period in which institutions and individuals are enabled to put in place the necessary processes to ensure compliance before enforcement begins. Individuals and institutions will therefore be required to be compliant starting from 15 October 2023.

The Law designates the National Cyber Security Authority (NCSA) as the supervisory authority charged with enforcement.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: No

National security exclusion: No

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): No

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: No
Personal Data

Personal data is defined to mean any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person/

Sensitive personal data is defined to mean information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.
Collection and Processing
Data controllers or data processors must request personal data directly from the data subject, unless:
- the personal data is open to the public;
- the data subject has deliberately made the personal data public;
- the data subject has consented to the collection of personal data from another source;
- the collection of the personal data from another source complies with other provisions of the Law.
Data controllers must also ensure that personal data it processes is complete, accurate, kept up to date and misleading, and that the sharing of data with data processors is governed by a contract protecting the rights of the data subject. The controller must also log its collection of personal data, including by indicating the justification, date and time of the processing and, where possible, the contact details of the person who accessed or disclosed the personal data, as well as the contact details of the recipients of the data.

The Law gives data subjects the following rights over their data:
- the right to access their personal data;
- the right to object to the processing of their data;
- the right to personal data portability;
- the right not to be subject to a decision based on automated data processing;
- the right to restriction of processing of personal data;
- the right to erasure of personal data;
- the right to rectification;
- the right to designate an heir to personal data; and
- the right to representation in certain cases.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Partial

Timeframe for notification is specified: Yes

Exceptions exist to breach notifications: Yes

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: NA
Accountability

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Unclear

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: Unclear

Maximum term length for members of the DPA (years): Unclear
Participation
Cross-border Transfer

The data controller may only transfer personal data to a third party outside Rwanda if they have obtained authorisation from the Supervisory Authority, the data subject has given their consent, the transfer is necessary for contractual performance, for the public interest, or for legal processes, to protect a data subject’s vital interests, for pursuing the controller or processor’s legitimate interests with certain restrictions, or for the performance of international instruments ratified by Rwanda. The Supervisory Authority may also put in place regulations permitting transfers outside the country for another reason.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 23 May 2022