Data Protection and Privacy Law

On October 15th, 2021, Law No 058/2021 of 13/10/2021 relating to the protection of personal data and privacy was officially gazetted. The law protects personal data and ensures privacy of individual users.



Data Protection Officer

Article 41: Duties of the personal data protection officer

The personal data protection officer has the following duties:

1° to inform and advise the data controller, the data processor and the employees who carry out personal data processing, of their obligations pursuant to this Law;

2° to monitor, in his or her area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in personal data processing operations, and the related audits;

3° to provide advice where requested as regards the data protection impact assessment and monitor its performance;

4° to cooperate with the supervisory authority and to act as its contact point on issues relating to processing of personal data, including the prior consultation with the supervisory authority, and to consult, where appropriate, with regard to any other matter.

The personal data protection officer must in the performance of his or her tasks have due regard to the risk associated with personal data processing operations, considering the nature, scope, context and purpose of processing.

Article 40: Designation of the personal data protection officer

The data controller and the data processor designate a data protection officer where:

1° the processing of personal data is carried out by public or private corporate body or a legal entity, except courts;

2° the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;

3° the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data pursuant to Article 10 of this Law and personal data relating to criminal convictions referred to in Article 12 of this Law.

A group of undertakings may appoint a single personal data protection officer provided that the data protection officer is easily accessible from each establishment.

Where the data controller or the data processor is a public authority or body, a single personal data protection officer may be designated for several such authorities or bodies, taking account of their organizational structure and size.

In cases other than those referred to in Paragraph one of this Article, the data controller or the data processor or associations and other bodies representing categories of data controllers or data processors may designate a personal data protection officer in accordance with the provisions of this Law.

The data protection officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices and the ability to fulfil the tasks assigned to him or her.

The personal data protection officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract.

The data controller or the data processor must publish the contact details of the personal data protection officer and communicate them to the supervisory authority.

Article 38: Duties of the data controller and the data processor

In compliance with the principles of the processing of personal data, the data controller and the data processor discharge the following duties:

1° to implement appropriate technical and organizational measures;

2° to keep a record of personal data processing operations;

3° to carry out personal data protection impact assessments where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person;

4° to perform such other duty as may be assigned to him or her by the supervisory authority.

The personal data protection impact assessment referred to in item 3° of Paragraph one of this Article is carried out in case of:

1° a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing of personal data, including profiling, and on which decisions that produce effects concerning such persons are based;

2° processing on a large scale of sensitive personal data;

3° a systematic monitoring of a publicly accessible area on a large scale;

4° processing of personal data identified by the supervisory authority as likely to result in a high risk to the rights and freedoms of natural persons;

5° new technologies used to process personal data.

Article 53: Administrative misconducts

The data controller, the data processor or a third party who commits one of the following misconducts:

1° failure to maintain records of processed personal data;

2° failure to carry out personal data logging;

3° operating without a registration certificate;

4° failure to report a change after receiving a registration certificate;

5° using a certificate whose term of validity has expired;

6° failure to designate a personal data protection officer;

7° failure to notify a personal data breach;

8° failure to make a report on personal data breach;

9° failure to communicate a personal data breach to the data subject;

commits a misconduct.

He or she is liable to an administrative fine of not less than two million Rwandan francs (RWF 2,000,000) but not more than five million Rwandan francs (RWF 5,000,000) or one percent (1%) of the global turnover of the preceding financial year.

In the event of a corporate body or a legal entity, he or she is liable to one percent (1%) of the global turnover of the preceding financial year.

The supervisory authority may put in place a regulation determining other administrative misconducts and sanctions that are not provided for in this Law.