The National Cyber Security Authority ('NCSA') announced on Twitter, on 5 April 2022, that it had published a guide on controller and processor registration. In particular, the guide notes that Article 29 of the Law No. 058/2021 of 13 October 2021 relating to the Protection of Personal Data and Privacy ('the Data Protection Law') makes it a mandatory requirement for any person who intends to be a controller or processor to register with the NCSA. In addition, the guide provides a step-by-step guide on how to fill the registration form, especially noting that all fields are mandatory, except 'website'.

Furthermore, the guide outlines that the controller and processor should provide basic contact information about the organisation and its data protection officer ('DPO'). Moreover, the guide notes that the NCSA issues a registration certificate to an applicant for registration as a controller or a processor who meets the requirements for registration within 30 working days from the date of receipt of the registration application. Lastly, the guide highlights that as with any other administrative misconducts in Article 53 of the Data Protection Law, a controller or a processor who operates without a registration certificate or uses a certificate whose term of validity has expired will have committed misconduct and will, on conviction, be liable to an administrative fine of not less than RWF 2 million (approx. €1,802) but not more than RWF 5 million (approx. €4,507) or 1% of the global turnover of the preceding financial year.

You can read the press release here, the guide here, and access the controller form here and the processor form here.