FAQ: Frequently asked Questions on Personal Data Protection and Privacy
Who does the law on personal data protection and privacy apply to?
The law applies to both;
Individuals and institutions established or residing in Rwanda, that process the personal data of individuals in Rwanda (not just citizens)
And Individuals and institutions established or residing outside of Rwanda, that process the personal data of individuals in Rwanda
What is processing of personal data?
An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as access to, obtaining, collection, recording, structuring, storage, adaptation or alteration, retrieval, reconstruction, concealment, consultation, use, disclosure by transmission, sharing, transfer, or otherwise making available, sale, restriction, erasure or destruction;
Does the law on personal data protection and privacy take immediate effect?
Yes, the law on personal data protection and privacy takes immediate effect. However, companies and individuals in Rwanda that are already in operation and process personal data of individuals have a transitional period up to 15th October 2023 to fully comply with the new law.
What kind of support will be afforded so that organization can assess their compliance?
In order to support organizations that process personal data of individuals who reside in Rwanda, National Cyber Security Authority (NCSA) and partners will provide a compliance guide during the 24-month compliance period that will help firms to assess their readiness and work towards compliance.
What is the difference between a data processor and a data controller?
A data controller is a natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing.
A data processor is a natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller.
Is it mandatory to register as a data controller or data processor?
Yes, it is mandatory to register as a data controller. All organizations that process personal data of individuals are required to register with the supervisory authority the National Cyber Security Authority (NCSA).
How do you register as a data controller or data processor?
Data controller and data processor applicants will send an application to the supervisory authority and upon compliance with the registration requirements as stipulated in Article 30 of the law, the supervisory authority will issue a registration certificate that permits the applicant to process personal data.
What is the difference between personal data and sensitive personal data?
Personal data is any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
Sensitive personal data is any information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.
What is Privacy?
Privacy is a fundamental right of a person to decide who can access his or her personal data, when, where, why and how his or her personal data can be accessed.
Does this law feature any special provisions for children?
Yes it does, the law states, in its Art. 9, that where the data controller, the data processor or a third party knows that personal data belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws.
What is a data subject?
A data subject is a natural person from whom or in respect of whom, personal data has been requested and processed.
What does consent mean in the law on personal data protection and privacy?
In the law on personal data protection and privacy, consent must be freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Where can I find more information and resources on the law on personal data protection and privacy?