The Data Protection and Privacy Law in Rwanda now brings the country in line with international data protection standards, vital for modern digital economies powered by e-commerce, international financial transactions, and various online services. Are you ready to comply?
Rwanda’s Data Protection and Privacy Law (Law No. 058/2021 of 13 October 2021) establishes a comprehensive legal framework regulating the collection, processing, transfer, and protection of personal data. One of the tenets of the Data Protection and Privacy Law in Rwanda is the requirement to obtain the clear and unambiguous consent of an individual to collect, store, and process their personal data, which is a fundamental right.
Businesses must undertake a number of processes to be compliant with the law in Rwanda. These include:
Register:
Registration with the NCSA as a data controller or processor within 30 working days
Appoint a DPO:
Appointing a Data Protection Officer (DPO) if processing is large-scale or involves sensitive data
Keep records:
Maintaining processing records, performing DPIAs for high-risk activities, and implementing security measures
Notify about breaches:
Notifying the NCSA of breaches within 48 hours, as well as affected individuals where there is a risk to their rights
Privacy notices:
Publishing privacy notices disclosing data use, retention, transfers abroad, subject rights
Obtaining consent, including for cookies, for non-essential processing
Evaluating cross-border data transfer
The law applies to:
All data controllers or processors in Rwanda (public or private)
Foreign entities processing personal data of Rwandan subjects or transferring data out of the country
This includes SMEs, NGOs, public bodies, tech startups, fintechs, ecommerce platforms—any organization handling personal data of Rwandans.
Rwanda’s DPPL gives residents a set of data privacy rights, including:
Request access to their personal information
Request to know how personal data is being collected and used
Request that inaccurate, incomplete or out-of-date information be corrected
Request the erasure of their personal information under certain circumstances
Request to opt out of processing of their data
Request data in a structured, commonly used format
Request that decisions not be made solely on automated processing
Organizations must obtain consumer consent before processing data
Although the law doesn’t mention cookies explicitly, cookie usage falls under processing of personal data (e.g. online identifiers, profiling). Consent must be:
Freely given, specific, informed, and explicit, covering distinct purposes (e.g. analytics vs advertising)
Able to be withdrawn at any time
Implementing cookie banners with granular controls (accept/decline categories) and a preferences centre, in line with EU-style consent principles, is considered best practice for businesses operating in Rwanda.
The law outlines administrative and criminal sanctions for non-compliance:
Administrative penalties (Article 53) include:
Fines between 2 million–5 million RWF (~$2 000–5 000 USD) or up to 1% of global annual turnover for corporations
Criminal offences (Articles 56–61) include:
Intentional data misuse, unauthorized reidentification, false information, and mishandling of sensitive data: 1–3 years imprisonment and fines from 7 million–10 million RWF (or 5% of global turnover for entities)
Courts may also impose business closures or revoke registration certificates.
DPPL compliance is within reach by implementing a number of data privacy best practices:
Conduct data and cookie audits:
Review current data practices to identify areas for aligning with the DPPL
Update privacy and cookie policies:
Revise privacy notices to clearly outline data practices, consumer rights, and how to exercise those rights
Implement consent management:
Manage cookie use and consent with a comprehensive consent management platform like CookieHub
Educate employees:
Give employees training on the importance of compliance with DPPL
Implement breach processes:
Ensure clear pathways for notifying consumers about data breaches
Assign a privacy officer:
Add a privacy officer to your organization to manage compliance
The Data Protection and Privacy Law (DPPL) in Rwanda governs the collection, processing, storage, and sharing of personal data. It applies to both public and private entities that handle personal data of individuals in Rwanda, as well as organizations outside Rwanda that process data of Rwandan residents. The law ensures that personal data is handled lawfully, fairly, and transparently.
Personal data is any information relating to an identified or identifiable natural person. This includes, but is not limited to, names, identification numbers, location data, online identifiers, or any data that can directly or indirectly identify an individual.
Sensitive data refers to a special category of personal data that requires enhanced protection. This includes information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, genetic or biometric data, sexual orientation, or trade union membership.
The regulatory authority responsible for overseeing the implementation and enforcement of the DPPL in Rwanda is the National Cyber Security Authority (NCSA), particularly through its Data Protection Office.
Exemptions to the DPPL may apply in certain cases, such as processing for personal or household activities, national security, law enforcement, public interest, or research and statistical purposes—provided appropriate safeguards are in place. Specific exemptions are defined in the law and relevant regulations.
You can access the full text of the DPPL and related guidelines through the National Cyber Security Authority (NCSA) website or consult legal professionals specializing in data protection in Rwanda.