
Powers of the data subject: Right to access, object and restrict processing of personal data

Rwanda’s law relating to the protection of personal data and privacy (Law No 058/2021 of 13/10/2021) was officially gazetted on October 15, 2021, with a mandate to protect personal data and ensure the privacy of individual users.
 
Under the law on personal data protection and privacy, data subjects can exercise several rights in relation to their personal data. These powers include the right to access personal data (Art.18), the right to object to processing of personal data (Art.19) and the right to restrict the processing of personal data (Art.22), which all afford the data subject considerable influence in the lawful collection and processing of his or her personal data.
 
This article takes a specific look at three provisions which contribute significantly to this objective.

 

Right to personal data (Art.18)
The data subject may request information relating to the purposes of processing of personal data as well as a copy of his or her personal data, as long as this request is without prejudice to other relevant laws.
 
Should the data subject seek more information, they may request a description of the personal data that the data controller or the data processor holds, including data on the contact details of a third party or the categories of third parties who have or had access to personal data.
 
Additionally, the data subject may request to be informed of the source of the personal data in case his or her personal data have not been obtained from the data subject, as well as of any case where his or her personal data may have been transferred to a third country or to an international organisation.
 
However, this right is not exercised if:
  • It may adversely affect the rights and freedoms of other persons
  • Legal professional privilege or another legal obligation of confidentiality applies
  • The data relates to information management or information about the data subject or relates to ongoing negotiations with the data subject requester
  • The data relates to the data subject’s confidential references, examination scripts or examination marks
Significantly, a data subject who is not satisfied with the response of the data controller or data processor may appeal to the supervisory authority, the National Cyber Security Authority (NCSA), within thirty (30) days from the date of receipt of the response.

 

Right to object (Art.19)
The data subject may request at any time for the data controller or data processor to stop processing his or her personal data which causes or is likely to cause loss, sadness or anxiety to the data subject.
 
The data subject may also request the data controller or the data processor to stop processing personal data of the data subject if personal data are processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing.
 
However, this right does not apply if the data controller or the data processor demonstrates compelling legitimate grounds for the personal data processing, which override the interests, rights and freedoms of the data subject or for the establishment of the legal claim.
 
Similar to article 18, a data subject who is not satisfied with the response of the data controller or the data processor may appeal to the supervisory authority (NCSA) within thirty (30) days from the date of receipt of the response.

 

Right to restriction of processing of personal data (Art.22)
The data subject also has the right to restrict the data controller from processing personal data for a given period if the accuracy of the personal data is contested by the data subject and pending verification, or the processing is unlawful and the data subject requests the erasure of the personal data or the restriction of the use of some of them.
 
Additionally, the data subject has the right to restrict the data controller from processing personal data if the data subject has objected to the processing of personal data, pending the verification whether the legitimate grounds of the controller override those of the data subject.
 
This right is not exercised if:
  • The processing of personal data is necessary for protecting the rights of another person
  • The processing of personal data is necessary for reasons of public interest
 
Before lifting the restriction of processing of personal data for a given period, the data controller must inform the data subject in writing or electronically.

 

The law on personal data protection and privacy: 15.10.2021_Amakuru_bwite.pdf
 
 

10 January 2022

© 2024 National Cyber Security Authority