Article

Determining your role: Are you a data controller or data processor?

Why must I register?

As stated in Rwanda’s law relating to the protection of personal data and privacy (Law No 058/2021 of 13/10/2021) which was officially gazetted on October 15 2021, all organizations that process personal data of individuals who reside in Rwanda are required to register with the supervisory authority (NCSA) as data controllers or data processors.

What makes data controllers and data processors different?

The law on personal data protection and privacy states that these two roles differ in their mandate.

A data controller, as defined by the law relating to the protection of personal data and privacy, “is a natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing.”

A data processor meanwhile, as defined by the law relating to the protection of personal data and privacy, “is a natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller.”

How do I find out what role applies to me?

If you are aiming to find out which of these two roles applies to your organization, examine some of the signs outlined below that indicate whether you are a data controller or data processor.

You are a data controller if:

You decided to collect or process the personal data
You decided the purpose of outcome of the data processing
You decided what personal data should be collected
You decided which individuals to collect personal data about

You are a data processor if:

You are following instructions from a data controller or the supervisory authority regarding the processing of personal data
You were given the personal data by a customer or similar third party, or told what data to collect
You do not decide to collect personal data from individuals
You do not decide what personal data should be collected from individuals

It is important to note that in situations where an institution both determines the means of processing and processes the data itself, this entity becomes both a data controller and data processor.

Any natural person, public or private corporate body or legal entity, can be both a controller and processor of personal data when they are carrying out the activities of both roles.

The law on personal data protection and privacy: 15.10.2021_Amakuru_bwite.pdf

17 March 2022

More updates

03 October 2022

Menya uburenganzira ufite ku makuru yawe bwite igihe – igihe usabwe amakuru yawe bwite

Nyirubwite afite uburenganzira bwo guhitamo uko amakuru ye atunganywa cyangwa akusanywa.

03 October 2022

Know your rights to privacy – when you are requested for your personal data

Data subjects have the right to choose how and why their personal data is processed and collected.

31 August 2022

What should Data Subjects know about Privacy Policies?

How do privacy policies help protect my privacy?

10 August 2022

Personal Data Protection and Privacy: Your Right to Object

When can a data subject object to processing of personal data?

	info@ncsa.gov.rw
	9009 / 0781813310
	‎+250 791 445 224

Why must I register?

What makes data controllers and data processors different?

The law on personal data protection and privacy states that these two roles differ in their mandate.

A data controller, as defined by the law relating to the protection of personal data and privacy, “is a natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing.”

A data processor meanwhile, as defined by the law relating to the protection of personal data and privacy, “is a natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller.”

How do I find out what role applies to me?

If you are aiming to find out which of these two roles applies to your organization, examine some of the signs outlined below that indicate whether you are a data controller or data processor.

You are a data controller if:

You decided to collect or process the personal data

You decided the purpose of outcome of the data processing

You decided what personal data should be collected

You decided which individuals to collect personal data about

You are a data processor if:

You are following instructions from a data controller or the supervisory authority regarding the processing of personal data

You were given the personal data by a customer or similar third party, or told what data to collect

You do not decide to collect personal data from individuals

You do not decide what personal data should be collected from individuals

It is important to note that in situations where an institution both determines the means of processing and processes the data itself, this entity becomes both a data controller and data processor.

Any natural person, public or private corporate body or legal entity, can be both a controller and processor of personal data when they are carrying out the activities of both roles.

The law on personal data protection and privacy: 15.10.2021_Amakuru_bwite.pdf