Rwanda recently enacted a new law, No. 058/2021, on protecting personal data and privacy, which was officially gazetted on October 15, 2021.
Among other things, the law aims to protect the personal data and privacy of individuals in Rwanda and at the same time, align the country with international data protection standards.
The law also seeks to enable trusted and secure data flow, domestically and internationally, and to provide regulatory certainty for existing businesses and prospective investors.
In Rwanda, the law applies to any processing of personal data by public or private entities, whether the processing is automated or not, and whether the data controller or processor is established in Rwanda or not, as long as the processing relates to data subjects who are in the country.
What is personal data?
The law defines personal data as any information relating to an identified or identifiable natural person, such as name, identification number, location data, online identifier, or physical, physiological, genetic, mental, economic, cultural, or social characteristics.
The law establishes several principles for the processing of personal data, such as lawfulness, fairness, transparency, purpose limitation, accuracy, storage limitation, integrity, and confidentiality.
The law also requires the clear and unambiguous consent of the data subject for the processing of personal data, unless the processing is necessary for the performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a task in the public interest, or legitimate interests of the data controller or a third party.
The law grants several rights to the data subjects, such as the right to access, rectify, erase, restrict, object to, and port their personal data.
The law also provides for the right to lodge a complaint with the supervisory authority, which is the Data Protection and Privacy Office (DPPO), and the right to seek judicial remedy for any violation of their rights.
The law also requires data controllers and processors to designate a data protection officer (DPO) responsible for informing and advising them on their obligations under the law, monitoring their compliance with the law, and cooperating with the DPPO.
The DPO must be easily accessible from each establishment of the data controller or processor.
The law sets out rules for sharing, transferring, storing, and retaining personal data. The law prohibits sharing or transferring personal data to third parties without the consent of the data subject or a legal basis.
The law also prohibits transferring personal data outside Rwanda unless the recipient country ensures an adequate level of protection for personal data or there are appropriate safeguards in place.
The law requires storing personal data in a secure manner that prevents unauthorized access, alteration, or destruction.
The law also requires retaining personal data only for as long as necessary for the purposes for which they were collected, and it provides for sanctions for any misconduct or offences relating to the processing of personal data.
What are the sanctions?
The sanctions include administrative fines ranging from one million Rwandan francs (RWF) (approximately USD 1,000) to fifty million RWF (approximately USD 50,000), depending on the nature and gravity of the violation.
The sanctions also include criminal penalties ranging from six months to two years imprisonment and/or a fine of five million RWF (approximately USD 5,000) to twenty million RWF (approximately USD 20,000), depending on the type and severity of the offence.
The law gives a transition period of two years from its publication date for all existing data controllers and processors to comply with its provisions.
This means that they have until 15th October 2023 to register with the DPPO and designate a DPO if required.
They also have to review their current policies and practices regarding personal data processing and ensure that they meet the requirements of the law.
The law is a significant step forward for Rwanda in terms of protecting personal data and the privacy rights of its citizens and residents.
It also creates an opportunity for Rwanda to become a regional hub for digital innovation and trade that respects human dignity and values. However, the law also poses some challenges and responsibilities for all stakeholders involved in personal data processing activities.
Therefore, it is essential for them to understand their obligations under the law and take appropriate measures to comply with it.
The author is responsible for Risk Advisory Services at BDO EA Rwanda, part of BDO Global, one of the largest global accounting networks.