Data protection & privacy laws in Rwanda (2026)

Law No. 058/2021, officially published in the Official Gazette n° Special of 15/10/2021, is Rwanda's primary and comprehensive data protection statute. It covers all personal data processing by controllers and processors established in Rwanda or processing data of persons in Rwanda (extraterritorial reach).

The National Cyber Security Authority (NCSA) is the designated supervisory authority. It formally launched a dedicated Data Protection & Privacy Office (DPO) to handle registration of data controllers/processors, investigations, binding decisions, and enforcement. The DPO has been actively developing implementing regulations through multi-stakeholder consultations in 2023–2024.

Individuals hold rights to access, rectify, erase, and port their personal data, as well as the right to object to or restrict processing. Uniquely, the law also grants data subjects the right to designate an heir to their personal data.

All data controllers and processors must register with the NCSA and obtain a Data Protection and Privacy (DPP) certificate before commencing processing. Data controllers must notify the NCSA within 48 hours of becoming aware of a personal data breach.

Transfers of personal data outside Rwanda require prior NCSA authorisation and evidence of adequate safeguards in the recipient jurisdiction. Transfers may also proceed on grounds of data subject consent, contract necessity, vital interests, or Rwanda's ratified international instruments.

Administrative fines range from RWF 2,000,000 to RWF 5,000,000 (≈ USD 1,500–3,700) or up to 1% of global annual turnover for compliance failures. Criminal sanctions for intentional violations (e.g., unauthorised processing, re-identification) include imprisonment of 1–3 years and fines up to RWF 10,000,000 or 5% of global turnover for entities.