The Data Protection Law provides for the data subject right to object to the processing of his/her personal data for direct marketing purposes including profiling to the extent that it is related to such direct marketing (article 19). 

The ICT Law provides that a person who sends unsolicited commercial communications to a consumer, provides the consumer with the option to cancel the subscription to the mailing list of that person and identify particulars of the source from which that person obtained the consumer's personal information, upon the request of the consumer (article 168). 

The ICT Law also provides that a person is not allowed to transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail where (article 223): 

• the identity of the person who has sent the communication has been disguised or concealed;
• an address to which the recipient of the communication may send a request that such communication ceases has not been provided.

Sending unsolicited commercial communication to consumer is sanctioned by an administrative fine of between RWF 50,000 and RWF 500,000. 

The Cyber Crime Law establishes spamming as a criminal offence (article 37). The Cyber Crime Law defines spamming as any intentional and without authorisation from a competent organ sending of unsolicited messages repeatedly or to a large number of persons by use of a computer or a computer system. Spamming also include the use of a computer or a computer system, after receiving a message, to retransmit such a message to many persons or retransmit it several times to a person who doesn’t need it. 

The penalties for this offence are an imprisonment term of 3 months to 6 months and a fine of RWF 300,000 to RWF 500,000 (article 37). 

The prosecution of spamming offence is however instituted only upon complaint of the offended person (article 37).