Data Protection in Rwanda

Registration in Rwanda

A Data Controller is defined as a “natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines their means of their processing” (article 3, 19 °). 

A Data Processor is defined as a “natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller” (article 3, 24°). 

Data controllers (“DC”) and Data Processors (“DP”) are required to register with the NCSA. (article 29). 

The registration application must indicate the following (article 30): 

  • identity of the DC or DP and their designated single point of contact;
  • identity and address of their representative if they have nominated any;
  • description of personal data to be processed and the category of data subjects;
  • whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it operates;
  • purposes of the processing of personal data;
  • categories of recipients to whom the DC or DP intends to disclose the personal data;
  • country to which the applicant intends to directly or indirectly transfer the personal data; and
  • risks in the processing of personal data and measures to prevent such risks and protect personal data. 

The NCSA issues a DC or DP registration certificate within 30 days of the application. 

A regulation from the NCSA determining the validity period of the registration certificate is yet to be adopted (article 31).

Back to top