DATA PROTECTION POLICY

1. Introduction

Impact Hub Kigali (IHK) is committed to protecting the privacy and security of personal data. This policy outlines our responsibilities and practices in the collection, use, and protection of personal data, ensuring compliance with Rwanda’s data protection laws and regulations.

2. Scope

This Data Protection Policy governs the collection, processing, and storage of personal data by Impact Hub Kigali in accordance with Law No 058/2021 relating to the protection of personal data and privacy. Personal data is processed lawfully based on consent, contract, legal obligation, vital interests, public interest, or legitimate interests. Consent is obtained explicitly, and individuals may withdraw their consent at any time.

3. Definitions
  • Personal data: Information relating to an identified or identifiable individual.
  • Processing: Operations performed on personal data, such as collection, recording, organization, storage, etc.
  • Data controller: Entity determining the purposes and means of processing personal data.
  • Data processor: Entity processing personal data on behalf of the data controller.
  • Data subject: Individual whose personal data is being processed.
  • Consent: Clear and unambiguous indication of the data subject’s agreement to the processing of their personal data.
4. Roles and Responsibilities
  • Data Controller: Impact Hub Kigali is the data controller responsible for ensuring compliance with data protection regulations and organizational policies.
  • Data Processor: Any third-party entity processing personal data on behalf of Impact Hub Kigali must adhere to data protection standards.
  • Data Protection Officer: Impact Hub Kigali designates a Data Protection Officer responsible for overseeing compliance with data protection regulations, conducting impact assessments, and coordinating with relevant stakeholders.
5. Data protection Principles

IHK adheres to the following principles with respect to data protection:

  • Transparency: the data must be processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation: the data must be collected for explicit, specified, and legitimate purposes, and not further processed in a manner incompatible with those purposes.
  • Data minimization: the data must be related to the purposes for which its processing was requested.
  • Accuracy: the data must be accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay.
  • Storage limitation: the data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
  • Accountability: the data is processed in compliance with the rights of data subjects.
5. a. Processing data fairly and lawfully

When we receive personal data about a person directly from that individual, whichwe intend to keep, we need to provide that person with fair processing information. This means we need to inform them about:

  • The type of information we will be collecting (categories of personal data concerned)
  • Who will be holding their information, including contact details
  • Why we are collecting their information and what we intend to do with it, e.g. to evaluate our programs, write a case study or send updates on our activities
  • The legal basis for collecting their personal data – in our case, we always ask for their consent to process data
  • The period for which their personal data will be stored or, where that is not possible, the criteria that will be used to decide that period
  • Details of people or other organizations with whom we will be sharing their personal data
  • The existence of any automated decision-making including profiling to that personal data.
5. b. Processing data for the original purpose

The second data protection principle requires that personal data is only processed for the specific, explicit and legitimate purposes that the individual was told about when we first obtained their information. This means that we should not collect personal data for one purpose and then use it for another. If it becomes necessary to process a person’s information for a new purpose, the individual should be informed of the new purpose beforehand. For example, sharing an email address that the individual provided to us to keep up to date with our activities, cannot be used to share with other organizations for marketing purposes without the individual’s consent.

5. c. Personal data should be adequate and accurate

Data should be limited to what is necessary in relation to the purpose for which it is processed. Inaccurate or outdated information shall be corrected and/or destroyed securely.

5. d. Not retaining data longer than necessary

We will not keep personal data any longer than we need to for the purpose of what it is collected for. As soon as data is no longer needed, we shall erase it from our systems. Each department of Impact Hub will determine what kind of data will be retained for what amount of time according to the use needed.

6. Data Sharing and Disclosure

Personal data may be shared with third parties only when necessary for the fulfillment of the services provided by IHK, in compliance with the purposes stated, or as required by law. All third parties are vetted to ensure that they comply with this data protection policy and the relevant legal standards. 

7. Rights of Data Subjects

Individuals whose data is held by IHK have the right to:

  • Access their personal data.
  • To be informed on how their data will be processed. 
  • Request correction of incorrect data.
  • Request deletion of data where it is no longer necessary for the purposes for which it was collected.
  • Restrict processing.
  • Object to processing.
  • Request data portability.
8. Data Breach Notification Procedures

In the event of a data breach, Impact Hub Kigali follows procedures to:

  • Identify and contain the breach.
  • Assess risks and consequences.
  • Notify the supervisory authority and affected individuals within the required timeframe.
  • Implement measures to prevent future breaches.
9. Policy Updates

This policy may be updated periodically to reflect changes in legal requirements or our data processing practices. Any changes will be communicated to data subjects through our usual channels of communication.


Contact Information:

For inquiries or complaints regarding data protection, individuals can contact us: [email protected]