Art. 40 of the Law relating to the Protection of Personal Data and Privacy requires companies to appoint a Data Protection Officer (DPO). The data controller and the data processor are required to designate a data protection officer if the processing of personal data is carried out by a public or private corporate body or a legal entity. The core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale.
Additionally, under Art. 38 (3), the data controller and the data processor are to carry out personal Data Protection Impact Assessments (DPIA) in compliance with the principles of the processing of personal data. The DPIA is to be carried out in cases where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person.

Art. 3 of the Interception of Communications Law provides for unrestricted access to personal data if it is done in the interest of national security. Furthermore, the Interception of Communications Law provides that an interception warrant must be issued by a national prosecutor designated by the Minister of Justice. Under Art. 7, communications service providers are required to ensure that their systems have the technical capability to intercept communications on demand. Security officials also have the power to “intercept communications using equipment that is not facilitated by communication service providers”, which effectively allows the authorities to hack into a telecommunications network without a provider’s knowledge or assistance.

Under the Guidelines for Siting and Sharing of Telecommunication Base Station Infrastructure (2011) and Law No. 24/2016 of 18/06/2016 Governing Information and Communication Technologies, Rwanda has established a regulatory obligation for passive infrastructure sharing to support the delivery of telecommunications services to end users.
According to Section 4.2.4, when requested by another licensee, each operator or service provider must disclose complete information on the location and technical specifications of their towers within a maximum of 10 working days. Furthermore, within an additional 10 working days, the operator must grant escorted access to the site upon request by another licensee seeking to assess the feasibility of infrastructure sharing.
Furthermore, pursuant to Art. 71 of Law No. 24/2016 licensed network operators must share the use of their electronic communications infrastructures on agreed upon terms and conditions.

Art. 30 of Regulation No. 18/R/SM-ICT/RURA/2024, concerning access to operators’ databases by the regulatory authority, stipulates that the authority shall be granted access to the SIM card registration database without a court order. Licensees must also permit authorised officers to access their systems, premises, facilities, and all relevant records and data, to facilitate inspections and ensure compliance with the Regulation. Also in this case, the law does not require a court order. This Regulation repeals Regulation No. 004/ICT/RURA/2018, which contained a similar provision under Art. 25.

In 2013, the Rwandan government and Korean Telecom (KT) entered into a 25-year agreement to establish a 4G wholesale network in the country. As part of the partnership, the Rwandan government acquired a 49% stake in KT Rwanda networks Ltd (KTRN), with the remaining 51% owned by Korean Telecom.

Law No. 18/2010 establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 8, intermediaries and telecommunications network service providers are absolved of liability for the contents of documents or electronic messages transmitted through their networks by an individual. This liability applies to the creation, publication, and dissemination of electronic messages on the network and the use of such electronic messages in contravention of the law.
Furthermore, under Art. 10 of the same law, telecommunications operators and intermediaries are not liable for providing access to information, transmission or its retention as long as they do not initiate the transmission of the information or select the addressee and cannot modify the electronic communication. Under Art. 11, an intermediary or a certification authority shall not be liable for the automatic, intermediate, and temporary storage of that electronic record, in case the intention of such storage of electronic record is its onward transmission to other recipients who requested for it.
Additionally, under Art. 12, an intermediary that provides a service comprising the storage of electronic messages shall not be liable for damages arising from information stored if it is not aware that the information or the activity relating to the information infringes any person. Under Art. 13, an intermediary shall not be liable for damages incurred when it links its services with other websites containing electronic messages or activities that do not fulfil legal requirements. Arts. 188-192 of the Law Governing Information Communication and Technologies outlines the limits to liability to electronic service and network providers, limits of caching, hosting, and relating to information local tools.

It is reported that Rwanda does not mandate functional separation for operators with significant market power (SMP) in the telecom market. Yet, the country mandates accounting separation under Art. 103 of Law No. 24/2016 of 18/06/2016 Governing Information and Communication Technologies. This is also confirmed by Art. 18 and Section 15 of Annex II of Regulation No. 013/R/EC-ICT/RURA/2021 of 25/02/2021 Governing Licensing in Electronic Communication.

Law No. 18/2010 establishes a safe harbour regime for intermediaries beyond copyright infringements. According to Art. 8 of the law, intermediaries and telecommunications network service providers are absolved of liability for the contents of documents or electronic messages transmitted through their networks by an individual. This liability applies to the creation, publication, and dissemination of electronic messages on the network and the use of such electronic messages in contravention of the law.
Furthermore, under Art. 10 of the same law, telecommunications operators and intermediaries are not liable for providing access to information, transmission or its retention as long as they do not initiate the transmission of the information or select the addressee and cannot modify the electronic communication. Under Art. 11, an intermediary or a certification authority shall not be liable for the automatic, intermediate, and temporary storage of that electronic record, in case the intention of such storage of electronic record is its onward transmission to other recipients who requested for it.
Additionally, under Art. 12, an intermediary that provides a service comprising the storage of electronic messages shall not be liable for damages arising from information stored if it is not aware that the information or the activity relating to the information infringes any person. Under Art. 13, an intermediary shall not be liable for damages incurred when it links its services with other different websites containing electronic messages or activities that do not fulfil legal requirements. Arts. 188-192 of the Law Governing Information Communication and Technologies outlines the limits to liability to electronic service and network providers, limits of caching, hosting, and relating to information local tools.

Rwanda is not a signatory of the 1996 World Trade Organization (WTO) Information Technology Agreement (ITA) nor the 2015 expansion (ITA II).

According to Art. 73 of Law No. 031/2022, the procuring entity, through competition, gives preference to:
- Supplies or goods produced or manufactured in Rwanda;
- Consultancy and non-consultancy service providers registered as a domestic legal entity when procuring consultancy and non-consultancy services;
- A legal entity registered in Rwanda as a domestic legal entity when procuring for works; and
- An individual consultant operating in consultancy services.
Ministerial Order No. 001/23/10/TC determines the modalities for applying these preferences. According to Art. 62 of the Order, through competition, all procuring entities shall give exclusive preference to:
(i) Goods or supplies manufactured in Rwanda, when procuring goods or supplies with a value not exceeding FRW 200,000,000 (approx. USD 160,000); and
(ii) Service providers registered in Rwanda as domestic companies, for at least six months, when procuring non-consultancy services and consultancy services with a value not exceeding FRW 100,000,000 (approx. USD 80,000).

According to Art. 73 of Law No. 031/2022, the procuring entity, through competition, gives preference to:
- Supplies or goods produced or manufactured in Rwanda;
- Consultancy and non-consultancy service providers registered as a domestic legal entity when procuring consultancy and non-consultancy services;
- A legal entity registered in Rwanda as a domestic legal entity when procuring for works; and
- An individual consultant operating in consultancy services.
Ministerial Order No. 001/23/10/TC determines the modalities for applying these preferences. According to Art. 63 of the Order, price preference is used during the financial evaluation stage of bids for international or national tenders, in accordance with the following rules:
(i) A 15% local preference is granted to locally manufactured goods or supplies. When a bid includes both locally manufactured and imported goods or supplies, the preference applies only to the locally manufactured portion.
(ii) A 15% local preference is granted to companies registered in Rwanda as domestic companies for at least six months, when procuring consultancy and non-consultancy services.
Additionally, local preference is granted to joint ventures between a domestic and a foreign company, provided the domestic company fulfils at least 30% of the technical and financial requirements. However, this preference does not apply to tenders for consultancy services.

Rwanda is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA), nor does it have observer status.

There is no restriction on foreign ownership. According to Art. 9 of the Investment Promotion and Facilitation Law, foreign investors are allowed to invest and purchase shares in an investment entity in Rwanda and receive the same treatment as Rwandan investors in terms of investment incentives and facilitation.
In this regard, Rwanda has neither statutory limits on foreign ownership or control nor any official economic or industrial strategy that discriminates against foreign investors. Local and foreign investors have the right to own and establish business enterprises in all forms of remunerative activity.

According to Art. 6 of Law No. 007/2021 of 05/02/2021 Governing Companies, a company must have at least one director who resides in Rwanda.

Under Art. 17 of the Law on Investment Promotion and Facilitation, commercial entities seeking to invest in Rwanda are required to submit an investment registry application to the Investment Board. The application must include several key documents, including a completed registration form, a certificate of incorporation, and a comprehensive business plan. The business plan must detail the project’s name, an action plan, the projected commencement date, the sourcing of raw materials, the financing or assets to be obtained from abroad, a market survey, plans for technology and knowledge transfer, and five-year income projections. Additionally, the application must include an environmental impact assessment certificate, projected employment numbers and categories, proof of payment of a non-refundable registration fee, and a license from the relevant business sector in which the investor intends to operate. The Investment Board reviews the application, and if any documents are missing, the application will be rejected, with written reasons for rejection provided within two working days. If the application is complete and meets the necessary requirements, the Board will issue an "investment certificate," which is valid for five years.