Data Protection in Rwanda

Breach notification in Rwanda

In case of personal data breach, the DC is required to communicate the personal data breach to the NCSA within 48h after being aware of the incident. The DP is required to notify the DC of any personal data breach within 48h after being aware of the incident (article 43). 

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the DC is also required to communicates the personal data breach to the data subject in writing or electronically, after having become aware of it (article 45). The Data Protection Law does not specify in which delay this communication must be done. 

This communication of personal data breach to the data subject is not required in the following cases: 

  • the DC has implemented appropriate technical and organisational protection measures in relation to personal data breached such that the personal data breach is unlikely to result in a high risk to the rights and freedoms of the data subject;
  • the DC has taken measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
  • the DC communicated it to the public whereby the data subject is informed in an equally effective manner. 

The NCSA can request the DC to make such communication if the DC has not done it yet in case the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject.

Continue reading

  • no results

Previous topic
Back to top