Rwanda has made significant strides in data protection and privacy with the enactment of Law no. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy (Data Protection and Privacy Law), which came into force on 15 October 2021.

19 February 25

Key Features of the Data Protection and Privacy Law

  • Scope and Applicability
    The law has an extra-territorial scope and applies to data controllers and processors within Rwanda as well as those outside the country that process personal data of individuals located in Rwanda.
  • Legal Grounds for Data Processing
    Processing personal data is permissible based on several grounds, including explicit consent, contractual necessity, legal obligations, protection of vital interests, public interest tasks, official authority, legitimate interests of the data controller or third parties, and authorised research purposes.
  • Data Subject Rights
    Individuals are granted rights such as access to their data, rectification, erasure, objection to processing, restriction of processing and data portability. They also have the unique right to designate an heir for their personal data: this applies where the data subject has left a will providing his or her heir with full or restricted rights relating to the processing of personal data kept by the data controller or the data processor, if such personal data still need to be used.
  • Obligations for Controllers and Processors
    Requirements include maintaining records of processing activities, ensuring data security and confidentiality, conducting data protection impact assessments, appointing a data protection officer under certain conditions, notifying authorities of data breaches within 48 hours, and registering with the supervisory authority before commencing data processing activities.
  • Notification requirements
    The Law not only regulates how companies and organisations should protect personal data; it also stipulates what they should do in the event of a security breach that affects personal data. In case of a personal data breach, the data controller must communicate the breach to the NCSA within forty-eight (48) hours after becoming aware of the incident. Where the data processor becomes aware of a personal data breach, he or she notifies the data controller within forty-eight (48) hours after becoming aware of the incident.

We analyse key developments in Rwanda’s data protection and privacy regulatory landscape and their impact on businesses.
