Rwanda enacted a personal data protection and privacy law in 2021. The law aims to keep one’s personal information safe and determines how it can be used. Additionally, the law covers how personal information is handled, whether it’s done electronically or not, using a machine or not. It also applies to anyone in Rwanda who collects or uses personal information, like a company or person doing business in Rwanda, or even someone outside Rwanda who handles the personal info of people in Rwanda. ALSO READ: Parliament votes personal data protection, privacy law Below, we look at five pitfalls that can land you in trouble upon violating the law. 1. Controlling, processing personal data unauthorized could get you fined up to Rwf 5 million According to Article 53 of the law, the data controller, data processor, or a third party who operates without a registration certificate commits misconduct. They are liable to an administrative fine of not less than Rwf 2 million but not more than Rwf 5 million or one per cent of the global turnover of the preceding financial year. Therefore, it is mandatory for any natural person, public or private corporate body intending to be a data controller or a data processor to register with the Data Protection and Privacy Office under the National Cyber Security Authority (NCSA) and receive a registration certificate. ALSO READ: Rwanda moves to tighten data protection, privacy 2. Selling personal data illegally could lead to up to 7 years imprisonment A person who sells personal data in a way that is contrary to the law commits an offence. Upon conviction, they are liable to imprisonment of not less than five years but not more than seven years and a fine of not less than Rwf 12 million but not more than Rwf 15 million or one of the penalties. The law says that when someone handles your personal information, they have to follow rules. These rules are written down in a contract that both the person who has your data (the data controller) and the one who handles it (the data processor) agree to. 3. Collecting or processing sensitive personal data illegally can get you fined up to Rwf 25 million A person who collects or processes sensitive personal data in a way that is contrary to the law commits an offense. Upon conviction, they are liable to imprisonment of not less than seven years but not more than 10 years and a fine of not less than Rwf 20 million but not more than Rwf 25 million or one of the penalties. ALSO READ: Why ‘consent’ is central to personal data processing The law, in Article 42, explains that when a company or person gathers your personal information, they must have a good reason for doing so, and they should only collect the data that they really need for that reason. 4. Disclosing one’s personal data against the law could get you imprisoned for 3 years A person who accesses, collects, uses, offers, shares, transfers, or discloses personal data in a way that is contrary to the law commits an offence. Upon conviction, they are liable to imprisonment of not less than one year but not more than three years and a fine of not less than Rwf 7 million but not more than Rwf 10 million or one of the penalties. Article 50 of the law clarifies that one in charge of personal data in Rwanda should keep that data within the country. But there’s a rule that allows them to store this data outside Rwanda, but only if they have a special certificate from the supervisory authority (currently National Cyber Security Authority) that permits that. 5. Corporate bodies that commit offense could be fined up 5 per cent of their annual turnover According to Article 62 of the law, a corporate body or a legal entity that commits any offense, including operating without registration, commits misconduct. Upon conviction, they are liable to a fine of Rwandan francs amounting to five per cent of the annual turnover of the previous financial year.
