Rwanda: Adopted DPO registration guide for Data Controllers and Data Processors including operational license requirements

On 29 June 2023, the Data Protection and Privacy Office (DPO) under the National Cyber Security Authority (NCSA) issued the registration guide for Data Controllers and Data Processors, mandated by the Personal Data Protection and Privacy Law. Entities established in Rwanda or processing data of Rwandan subjects must register with the DPO by completing an online application form. This form requires details about the entity, personal data processed, data processors involved, data transfer practices, and security measures. Registration is free, and a certificate is issued within 30 working days if the application is complete. The certificate remains valid until expiry or cancellation by the NCSA. Entities must notify the NCSA of any changes within 15 working days, and failure to register can result in administrative fines. The guide also covers handling rejections, modifications, renewals, and cancellations of the certificate, with contact information provided for further assistance.