Organisations have until the 15 October 2023 to fully comply with the provisions of the Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy (the “Data Protection Law”). The key compliance requirements that organisations should be aware of include the following:
Registration with the NCSA:
There is an obligation to register with the supervisory authority as a data controller or data processor for organisations that intend to be data controllers or data processors. The supervisory authority is the National Cybersecurity Authority (NCSA).
The Data Protection Law applies to controllers and processors located in Rwanda, but also to controllers and processors with no local presence, provided that they process the data of individuals located in the country.
According to the Data Protection Law, the application for registration as a data controller or data processor must include:
- the identity and the single point of contact of the applicant;
- the identity and address of the applicant’s representative if it has nominated any, a description of personal data to be processed and the category of data subjects;
- whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it operates;
- the purposes of the processing of personal data, the categories of recipients to whom the data controller or the data processor intends to disclose the personal data;
- the country to which the applicant intends to directly or indirectly transfer the personal data; and
- the risks in the processing of personal data and measures to prevent such risks and protect personal data.
It is worth noting that the requirements set forth in the Data Protection Law are considered minimum requirements to be met by applicants for registration as a data controller or data processor. These may be supplemented by additional requirements that may be prescribed under regulations which may be put in place by the supervisory authority i.e., the National Cyber Security Authority, from time to time.
If the application meets the requirements, a certificate of registration will be issued by the supervisory authority to the applicant within 30 working days from the date of receipt of the application.
It should be noted that the Data Protection Law does not prescribe the validity period of the data controller or data processor registration certificate but has instead delegated such authority to the supervisory authority to prescribe the validity period by way of regulation, which is yet to be put in place.
Designation of a local representative:
There is an obligation to designate a representative in Rwanda for data controllers or the data processors who are neither established nor reside in Rwanda but process personal data of data subjects located in Rwanda.
As to the requirement regarding the obligation to designate a representative in Rwanda for data controllers or data processors who are neither established nor reside in Rwanda, but process personal data of data subjects located in Rwanda, the Data Protection Law provides that the supervisory authority must put in place a regulation governing the designation of such a representative, but such regulation is yet to be put in place.
Designation of a data protection officer:
There is an obligation to designate a personal data protection officer.
With regard to the designation of a personal data protection officer, the Data Protection Law requires data controllers or data processors to appoint a personal data protection officer in a situation where:
- the processing of personal data is carried out by public or private corporate body or a legal entity, except courts;
- the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data and personal data of a convict.
The data protection officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices and the ability to fulfil the tasks assigned to him or her and the said officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract.
Logging of data processing activities:
Under the Data Protection Law, controllers and processors must log their processing activities for the purpose of monitoring and auditing. The processing activities concerned are, at least the (i) collection, (ii) alteration, (iii) access, (iv) disclosure and transfer, (v) combination; and (vi) erasure of personal data.
The Data Protection Law includes a breach notification requirement, stricter than the GDPR obligation, according to which the controller and the processor have 48 hours from becoming aware of a data breach to disclose it respectively to the supervisory authority and the controller.
The controller is also required to disclose the breach to the data subjects unless the breach is unlikely to result in a high risk to their rights and freedoms. The controllers must inform the data subjects “after having become aware” of the breach. No notification timeframe is provided in terms of hours or days. However, a timeframe could later be defined by a regulation issued by the supervisory authority.
Sanctions for non-compliance:
Under the Data Protection Law, the maximum administrative fine amounts to 1% of the global turnover of the preceding financial year and the maximum criminal fine amounts to 5% of the annual turnover of the previous financial year. It is not specified whether the criminal fine is calculated on the turnover generated in Rwanda, or the global turnover, but this determination would be essential to multinational organisations.
Other sanctions include, amongst others, up to 10 years' imprisonment and cancellation of the registration certificate, which would in effect mean a prohibition on processing of personal data.
Although there is some ample time before the strict implementation of the Data Protection Law, it would be advisable to register with the NCSA before the deadline closes, considering the various challenges that may arise when the law comes into full implementation on 15 October 2023.
For more information and guidance on compliance with the Data Protection Law please do not hesitate to get in touch with us.