Data Protection under Rwandan law.
With the
rapid rise of AI-powered tools like ChatGPT and DeepSeek, concerns over data
privacy are becoming more critical than ever. These technologies often require
access to vast amounts of personal information, raising questions about how
such data is collected, stored, and protected. As Rwanda continues to position
itself as a technological hub in Africa, the government has taken significant
steps to address these concerns through its data protection framework. The
enactment of Law No 058/2021 of 13/10/2021 marks a pivotal moment in
safeguarding the privacy of Rwandan citizens. This article explores the key
provisions of the law, the roles of data controllers and processors, and why
data privacy matters in today's digital age. Amid rapid technological
development and the growing collection of our data, how does Rwandan law
protect us? Let’s find out.
On October 15th 2021, Law No 058/2021 of 13/10/2021 relating to the protection
of personal data and privacy was officially gazetted. The law protects personal
data and ensures the privacy of individual users.[1] This Law applies to the
processing of personal data by electronic or other means, through an automated
or non-automated platform. It covers the data controller, the data processor or
a third party who is established or resides in Rwanda and processes personal
data while in Rwanda, or who is neither established nor resides in Rwanda but
processes personal data of data subjects located in Rwanda.[2]
As AI software becomes more advanced and intertwined with our lives, the types
of personal data that these systems can collect are expanding rapidly. You
might not even realize just how much data AI systems are gathering about you as
you go about your day. For years now, we have supplied intelligent software
apps on our phones, computers, smart speakers, and virtual assistants with a
myriad of information, and the list keeps growing: our biometric data, such as
fingerprints and faces, and our internet browsing history. Our personal data,
comprising various sensitive types, collectively creates a comprehensive
profile of our identity and interests, which can be unsettling to some degree
as we entrust our information to unpredictable and unregulated entities.[3]
Where the processing of personal
data is based on the consent of the data subject, the data subject demonstrates
that he or she has consented to the processing of his or her personal data for
a specified purpose. The consent of the data subject is valid only when it is
based on the data subject’s free decision after being informed of the
consequences of his or her consent. The consent of the data subject may be made
in oral, written or electronic form.[4]
To understand more about this topic, there are key points to keep in mind:
data controllers, processors, and the consent requirement. These are
stipulated in Article 3 of the law. A Data Controller is the individual or
organization that decides how and why personal data is processed, either
independently or in collaboration with others. A Person can refer to an
individual, a company, or any legal entity. A Third Party is anyone who isn’t
the data subject, data controller, or data processor, and isn’t authorized by
the controller to process personal data. Finally, a Data Processor is any
individual or organization authorized by the data controller to handle personal
data on its behalf. The consent of the data subject is a freely given,
specific, informed and unambiguous indication of the data subject’s wishes by
which he or she, by an oral, written or electronic statement or by a clear
affirmative action, signifies agreement to the processing of personal data
relating to him or her.[5]
Article 29 of Rwanda’s Data
Protection and Privacy Law mandates that any individual, public, or private
organization intending to operate as a Data Controller or Data Processor must
register with the supervisory authority. This registration is managed by the
Data Protection and Privacy Office under the National Cyber Security Authority
(NCSA). A registration certificate is required to legally process data, and
failure to obtain one is considered administrative misconduct.[6]
The registration process is a
critical step toward compliance, promoting transparency and accountability in
Rwanda's data management ecosystem. The guide for registration clarifies
whether an entity qualifies as a Data Controller or Data Processor and offers
detailed instructions for the registration and certification process. However,
applicants must tailor their submissions to fit their specific operational
contexts.[7]
In addition, data controllers and
processors have obligations. Requirements include maintaining records of
processing activities, ensuring data security and confidentiality, conducting
data protection impact assessments, appointing a data protection officer under
certain conditions, notifying authorities of data breaches within 48 hours, and
registering with the supervisory authority before commencing data processing
activities.[8]
Imagine you run a business and
hire someone to manage customer data on your behalf. That person or
organization isn't deciding what the data is for; they're just handling it
based on your instructions. That’s what Rwanda’s Data Protection and Privacy
Law defines as a Data Processor. Take this example—a bank hires a researcher to
conduct a survey. Even though the researcher picks how to conduct the survey,
they’re using the bank’s data under its instructions. Similarly, if a hospital
hires an IT company to store patient records, the hospital controls the data's
purpose, making the IT firm just a processor. The law makes it clear: If you
don’t call the shots but process data for someone else, you’re a Data
Processor.[9]
Why Data Privacy Matters
Data
privacy has become an essential concern as personal information flows freely
through digital platforms and organizations. Rwanda's Law Nº 058/2021 of
13/10/2021 Relating to the Protection of Personal Data and Privacy was enacted
to address these challenges and safeguard individuals' personal information.
This legislation emphasizes building trust, preventing cyber threats, and
mitigating financial risks for organizations operating within the country.
First and foremost, the law helps
foster trust between individuals and organizations by establishing clear rules
for data collection and processing. Article 3 defines key roles such as the
Data Controller and Data Processor, outlining their responsibilities in
handling personal data lawfully, fairly, and transparently. When organizations
comply with these requirements, they demonstrate a commitment to respecting
user privacy. This builds confidence among individuals who are increasingly
aware of their right to privacy. On the other hand, mishandling personal data
can erode this trust, damaging the organization's reputation.
Preventing fraud and cybercrimes is another critical objective of the law. By requiring organizations to implement appropriate technical and organizational measures, it helps reduce risks such as unauthorized access, identity theft, and data breaches. For instance, Article 15[10].
Conclusion
Rwanda’s Data Protection and
Privacy Law (Law No 058/2021) plays a pivotal role in safeguarding individuals'
personal data amidst the growing presence of AI-powered tools and digital
platforms. It establishes comprehensive legal provisions to promote transparency,
trust, and accountability in data processing activities while combating risks
such as unauthorized access, data breaches, and identity theft. Through
requirements for consent, registration, and the definition of clear
responsibilities for data controllers and processors, this law ensures the
protection of personal data and strengthens Rwanda's position in global data
protection standards.
[2] Official Gazette n° Special of 15/10/2021, LAW Nº 058/2021 OF 13/10/2021 RELATING TO THE PROTECTION OF PERSONAL DATA AND PRIVACY, Article 2
[3] https://velaro.com/blog/the-privacy-paradox-of-ai-emerging-challenges-on-personal-data#:~:text=Inadequate%20Opt%2DIn%2FOpt%2D,of%20misuse%20or%20unauthorized%20access.
[4] Official Gazette n° Special of 15/10/2021, LAW Nº 058/2021 OF 13/10/2021 RELATING TO THE PROTECTION OF PERSONAL DATA AND PRIVACY, Article 6: Consent of the data subject
[5] Official Gazette n° Special of 15/10/2021, LAW Nº 058/2021 OF 13/10/2021 RELATING TO THE PROTECTION OF PERSONAL DATA AND PRIVACY, Article 3
[7] IDEM
[8] NOTABLE DEVELOPMENTS IN RWANDA'S DATA PROTECTION AND PRIVACY REGULATORY LANDSCAPE, JANUARY 2025. From K-Solutions & Partners | ALN Rwanda
[10] Article 15: Quality of personal data. The data controller or the data processor ensures that the personal data is complete, accurate, kept up to date and not misleading having regard to the purposes for which they are processed.