Report Incident
× Home Cybertech Africa 2023 2 DPO Rw-CSIRT Website About Rw-CSIRT Alerts Advisories About NCSA Documentation News & Events Topics Contact us Opportunities Privacy Policy

Can you be both a data controller and data processor of personal data?

When analysing Rwanda’s law relating to the protection of personal data and privacy (Law No 058/2021 of 13/10/2021, officially gazetted on October 15 2021) one may easily characterize the roles of data controllers and data processors as respectively designated to a single entity, making it non-compliant for a single entity to carry out the duties of both.
 
While both of these roles are pre-defined by their mandate and differ in definition, within the law on personal data protection and privacy, it is entirely possible and lawful that an entity acts as both a controller and processor of personal data.
 
The law on personal data protection and privacy does state that these two roles differ in mandate.
 
A data controller is (Art.3) a natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing.
 
While a data processor is (Art.3) a natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller.
 
However, in contexts where the data processor has the authority to process personal data for a separate purpose from that originally given by the data controller, the data processor becomes a controller in his or her own right for that element of data processing.
 
Additionally, in situations where an institution both determines the means of processing and processes the data itself, this entity becomes both a data controller and data processor.
 
Any natural person, public or private corporate body or legal entity, can be both a controller and processor of personal data when they are carrying out the activities of both roles.
 
The law on personal data protection and privacy: 15.10.2021_Amakuru_bwite.pdf
 

27 January 2022

© 2024 National Cyber Security Authority