Rwanda Law 058/2021

Law No. 058/2021 of 13/10/2021 Relating to the Protection of Personal Data and Privacy

Key Facts

Effective Date: October 15, 2023
Enacted: October 13, 2021
Enforcing Authority: National Cyber Security Authority (NCSA)
Consent Model: Opt-in
Applies To: All data controllers and processors within Rwanda; extraterritorial application to foreign entities processing data of Rwandan residents

Overview

Rwanda's Law 058/2021 is a GDPR-style data protection law with extraterritorial reach, enforced by the National Cyber Security Authority (NCSA). Effective October 15, 2023 after a 24-month transition period, it requires clear and unambiguous consent before data collection. The law imposes strict data localization requiring personal data storage within Rwanda and mandates 48-hour breach notification to the NCSA, which is faster than GDPR's 72-hour requirement.

What This Means for Your Website

If your website processes personal data of Rwandan residents, this law applies to you even if you operate outside Rwanda. You must obtain clear consent before collecting data, store personal data within Rwanda or obtain an NCSA certificate for overseas storage, and register as a data controller with the NCSA. Breach notification must happen within 48 hours.

Key Requirements

Controllers must register with the NCSA and obtain clear, unambiguous consent before processing. Personal data must be stored on servers within Rwanda unless an NCSA certificate permits otherwise. Breach notification must reach the NCSA within 48 hours. DPIAs are required for high-risk processing. Data subjects have comprehensive rights including access, rectification, erasure, and portability.

How ConsentStack Handles This

ConsentStack helps organizations comply with Rwanda's Law 058/2021 by providing a consent banner that collects clear and unambiguous consent. It maintains detailed consent records with timestamps for NCSA registration requirements, supports data subject rights workflows including portability requests, and provides audit trails to demonstrate compliance during NCSA investigations.

Penalties

Administrative: RWF 2,000,000-5,000,000 or 1% of global turnover. Criminal: 1-3 years imprisonment plus RWF 3,000,000+ for providing false information.

Maximum Fine: RWF 5,000,000 aggregate
Revenue-based: 1% of annual revenue

Key Requirements

  • Clear and unambiguous consent required before data collection and processing
  • Personal data must be stored within Rwanda (data localization) unless NCSA certificate obtained
  • Mandatory registration as data controller/processor with NCSA
  • 48-hour breach notification to NCSA
  • Data Protection Impact Assessments for high-risk processing
  • Data subjects have rights of access, rectification, erasure, and portability

Notable Provisions

  • Extraterritorial scope (GDPR-style) applies to foreign entities processing Rwandan data
  • Strict data localization — personal data must be stored in Rwanda
  • 48-hour breach notification is faster than GDPR's 72 hours
  • 1% global turnover penalty is lower than GDPR's but still significant

Other Sub-Saharan Africa Regulations

POPIA (South Africa)
Africa's most developed and actively enforced data protection law. POPIA establishes eight conditions for lawful processing and grants the Information Regulator broad enforcement powers including criminal sanctions. The inclusion of "online identifiers" in the definition of personal information means cookies are covered, and Section 69's direct marketing consent requirement is directly relevant to consent management.
NDPA (Nigeria)
One of Africa's most comprehensive data protection laws, with the GAID providing Africa's most detailed cookie consent framework. Essential cookies are exempt; non-essential cookies require conspicuous accept/reject banners. The NDPC enforces a two-tier penalty structure based on organizational significance.
Ghana Act 843 (Ghana)
Ghana's foundational data protection law requires mandatory registration with the DPC before processing begins, with renewal every 2 years. Criminal penalties include up to 10 years imprisonment for serious violations. A new comprehensive bill is under consultation as of late 2025.
Kenya DPA 2019 (Republic of Kenya)
Kenya's comprehensive data protection law establishes the ODPC as an independent enforcement authority. It uniquely calculates penalties using "whichever is lower" rather than the global norm of "whichever is higher." Mandatory registration of data controllers is required before processing, and consent serves as the primary legal basis for personal data collection.
Tanzania PDPA 2022 (United Republic of Tanzania)
Tanzania's first comprehensive data protection legislation establishes the Personal Data Protection Commission as the supervisory body. It mandates DPO appointment for all controllers and processors, a broader requirement than most jurisdictions. Personal data must be processed lawfully with consent, and criminal penalties of up to 10 years imprisonment apply for violations.
Ivory Coast Law 2013-450 (Ivory Coast)
Ivory Coast's data protection law features an escalating penalty structure with significant increases for repeat offenders — up to 5% of pre-tax sales or XOF 500 million. ARTCI has been active in issuing formal notices against online lending applications. Prior declaration or authorization from ARTCI is required.

Frequently Asked Questions

Does Rwanda's data protection law apply outside Rwanda?

Yes, Law 058/2021 has extraterritorial scope similar to GDPR, applying to foreign entities that process personal data of Rwandan residents.

What is the data localization requirement in Rwanda?

Personal data must be stored within Rwanda unless the data controller obtains a certificate from the NCSA permitting overseas storage.

How quickly must breaches be reported under Rwanda's law?

Data breaches must be reported to the NCSA within 48 hours, which is faster than GDPR's 72-hour requirement.

What are the penalties under Rwanda's Law 058/2021?

Administrative fines range from RWF 2-5 million or 1% of global turnover. Criminal penalties include 1-3 years imprisonment plus fines of RWF 3 million or more.
