On 15th October 2021, Rwanda’s Law Relating to the Protection of Personal Data and Privacy, the first single and comprehensive legal enactment on privacy and data protection in the country, was published in the Official Gazette. This publication brings the law into effect.
The Law is divided into 9 chapters covering general provisions; processing and quality of personal data; rights of the data subject; tasks and powers of the supervisory authority; registration of a data controller and a data processor; obligations of a data controller and a data processor; sharing, transfer, storage and retention of personal data; misconducts, offences, and sanctions; miscellaneous, transitional and final provisions.
What you should know
The data protection and privacy law applies to the data processing activities of a data controller, data processor, or third party who is established or resides in Rwanda and processes personal data while in Rwanda, or who is neither established nor resides in Rwanda but processes personal data of data subjects located in Rwanda. This extraterritorial provision on data processing activities aligns with the provisions of the General Data Protection Regulation (GDPR) 2018.
The Law also covers the processing of personal data by electronic or other means, using personal data through an automated or non-automated platform. It outlines several data subject rights, which include consent of the data subject and the right to withdraw consent, right to personal data, right to object, right to personal data portability, right not to be subject to a decision based on automated processing, right to restriction of processing of personal data, right to the erasure of personal data and right to rectification.
According to the Law, data controllers, data processors, or third parties who commit misconduct are liable to pay administrative fines of not less than RWF 2,000,000 (approx. $2,000) but not more than RWF 5,000,000 (approx. $5,000) or 1% of the global turnover of the preceding financial year, or in the event of a corporate body or a legal entity, it shall be liable to 1% of the preceding financial year. The Law also provides for a transition period of 2 years within which a data controller or data processor already in operation has to conform to the Law.
The law is indeed a laudable feat in Rwanda, as the increased processing of personal data resulting from an enhanced globally digitalized society, emerging technologies, inter-connectedness, etc. necessitates the regulation of data processing activities.