Law: The Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy (the Data Protection Law)

Regulator: The National Cyber Security Authority

Summary: Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy (the Data Protection Law) was published on October 15, 2021, in the Rwanda Official Gazette. The Data Protection Law introduces principles related to lawfulness, fairness and transparency, and purpose limitation and accuracy, and obligations related to data subject rights, registration as a data controller or data processor, pseudonymisation, sensitive data, data transfers, designation of a data protection officer (DPO), Data Protection Impact Assessments, and data breach notifications.

The National Cyber Security Authority (NCSA), as the designated supervisory authority under the Data Protection Law, has been active in clarifying compliance with the Data Protection Law. This includes guides on the various data subject rights, principles of personal data processing, and DPO registration and appointment. In addition, the Data Protection Law provides for administrative fines on data controllers, data processors, and third parties who commit misconduct of not less than RWF 2 million (approx. $1,610) but not more than RWF 5 million (approx. $4,030) or 1% of the global turnover.

The Data Protection Law is accompanied by other legislation including Law No. 60/2018 of 22 August 2018 on Prevention and Punishment of Cyber Crimes and Law No. 24 of 18 June 2016 Governing Information and Communication Technologies.