New Data Privacy and Economic Development in Rwanda

Rwanda’s Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy or ‘the Data Protection Law’ is a data protection law that was recently enacted in 2021. In terms of the purpose of the law, the Data Protection Law “aims at the protection of personal data and privacy and determines their processing.” The passing of this law is the latest step that the country of Rwanda has taken over the past twenty years of the purpose of achieving a knowledge-based economy. As the development of such an economy hinges on the protection of personal data, the Data Protection Law establishes the legal framework for which personal data may be collected, processed, used, and disclosed within the country.

How are data controllers and processors defined under the law?

Under Rwanda’s Data Protection Law, a data controller is defined as a “natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing.” Alternatively, the law defines a data processor as a “natural person, public or private corporate body or legal entity, which is authorized to process personal data on behalf of the data controller.” Furthermore, the law defines a data subject as “a natural person from whom or in respect of whom, personal data has been requested and processed”, while the law defines a user as a “natural person, a public or private corporate body or a legal entity, who uses or who requests personal data processing service.”

What are the requirements of data controllers and processors under Rwanda’s Data Protection Law?

Under Rwanda’s Data Protection Law data collectors and processors who both operate within the country and outside of the country, permitting said operations utilize the personal data of data subjects within Rwanda, must adhere to the following requirements:

• The processing of personal data carried out by data processors must be governed by a written contract between themselves and the applicable data controller.
• Any parties that process personal data must do so in a manner that does not infringe on the rights of the associated data subject.
• Parties that process the sensitive personal data of data subjects may only do so under certain circumstances, such as when such processing is based upon the prior consent of a data subject, or the processing is necessary with respect to the obligations of said parties, among various others.
• When collecting or processing personal data, data controllers and processors must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subject, including, where appropriate, storing sensitive personal data separately from other types of data, and applying measures such as tokenization, pseudonymization or encryption.”
• Data controllers and processors must collect personal data directly from data subjects, subject to certain exceptions.
• Data controllers and processors must ensure that all personal data they collect or process is “is complete, accurate, kept up to date and not misleading having regard to the purposes for which they are processed.”
• Data controllers and processors are responsible for logging the different data collection and processing operations they engage in, and said logging “must indicate justification, date and time of such operations and, where possible, the contact details of the person who accessed or disclosed the personal data, as well as the contact details of the recipients of the data.”

What are the rights of data subjects under Rwanda’s Data Protection Law?

Under Rwanda’s Data Protection Law, data subjects within the country have the following rights:

• The right to access.
• The right to object.
• The right to data portability.
• The right to erasure.
• The right rectification.
• The right not to be subject to decisions based on automated data processing.
• The right to restrict the processing of personal data.
• The right to designate an heir to personal data.
• The right to representation.

In terms of penalties with respect to non-compliance, Rwanda’s Data Protection Law is enforced by the Supervisory Authority, who have the power to impose the following sanctions and punishments against data controllers and processor who violate the law:

• An administrative fine of “of not less than two million Rwandan francs ($1,985) but not more than five million Rwandan francs ($4,962) or one percent (1%) of the global turnover of the preceding financial year.”
• “In the event of a corporate body or a legal entity, he or she is liable to one percent (1%) of the global turnover of the preceding financial year.”
• “The supervisory authority may put in place a regulation determining other administrative misconducts and sanctions that are not provided for in this Law.”

The passing of the Data Protection Law represents not only comprehensive data privacy protection for all citizens of the country, but also a step forward for Rwanda in terms of the achievement of their larger scale economic goals. As the protection of personal data is pivotal to the success of many economic endeavors, passing legislation that provides an enhanced level of data protection and privacy can only prove beneficial to the advancement of business and commerce. More importantly, however, Rwanda joins the list of many other African countries that have taken legislative steps to ensure the personal data protection of their respective citizens in recent years, such as Zambia’s Data Protection Act and Zimbabwe’s Cybersecurity and Data Protection Bill of 2019.