National Bank of Rwanda Banki Nkuru y’u Rwanda

KN 6 Av.4/P.O. Box 531 Kigali-Rwanda Tel: (+250) 788199000 / Website: www.bnr.rw / E-mail: info@bnr.rw / Swiftcode: BNRWRWRW / Twitter: @CentralBankRw

The Governor

---

NATIONAL BANK OF RWANDA

PRIVACY POLICY

Reference number: 0210 /2023 - 07999/0010 BNR [601.2]

Initiator: Legal Counsel Department

Approved by: NBR Board of Directors

---

TABLE OF CONTENT

1. Introduction and purpose ........................................................................................................... 4
2. Interpretation of terms................................................................................................................ 4
3. Collection of personal data......................................................................................................... 5
4. Types of personal data to be processed..................................................................................... 5
5. Grounds for NBR to process personal data ............................................................................... 5
6. Sharing personal data.................................................................................................................. 6
7. Storage and retention of personal data...................................................................................... 6
8. Personal data safeguards............................................................................................................ 6
9. Individual data rights................................................................................................................... 7
10. Children’s data ........................................................................................................................... 7
11. Consent....................................................................................................................................... 7
12. Implementation and complaints desk........................................................................................ 7
13. Changes to this Policy ................................................................................................................ 8
14. Commencement.......................................................................................................................... 8

---

NBR Identity Statement

The National Bank of Rwanda strives to be a World class Central Bank contributing to economic growth & development, by using robust monetary policy tools to maintain stable market prices. The Bank ensures financial stability in a free-market economy as it embraces innovation, inclusiveness, and economic integration.

NBR Vision

To become a World Class Central Bank

NBR Mission

To ensure price stability and sound financial system

NBR Core Values

Integrity We uphold high moral, ethical and professional standards for our people, systems, and data.

Accountability We are result-focused, transparent, and reward according to performance.

Mutual respect and Teamwork We keep ourselves in high spirit committed to each other for success.

Excellence We passionately strive to deliver quality services in a timely and cost-effective manner. We continuously seek improvement by encouraging new ideas and welcoming feedback that adds value to customer services.

---

NATIONAL BANK OF RWANDA PRIVACY POLICY

1. Introduction and purpose

The National Bank of Rwanda abbreviated as NBR is the Central Bank of the Republic of Rwanda. The Bank mission is to ensure price stability and a sound financial system. NBR undertakes several activities to achieve its mission and throughout the process, the Bank may collect and hold personal data from different individuals and institutions with which NBR interacts in the course of performance of its functions. Those individuals and institutions include Bank employees and their beneficiaries, applicants for employment, contractors, individuals who are officials or customers of financial institutions, officials in the government, other regulatory or government agencies in the Republic of Rwanda or other countries, financial institutions, and global development institutions.

In doing so, the Bank is committed to protecting the privacy of individuals whose personal data is processed to meet NBR responsibilities. The provisions of this Policy are subject to applicable laws and its objective is to set out how personal data will be lawfully processed.

2. Interpretation of terms

In this policy, the National Bank of Rwanda is also referred to as” NBR”, “the Bank”, and the following terms will have the meanings as set out below:

i. Personal data: any data relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural, or social identity of that natural person.

ii. Data Subject: a natural person from whom or in respect of whom, personal data has been requested and processed.

iii. Privacy: a fundamental right of a person to decide who can access his or her personal data, when, where why and how his or her personal data can be accessed.

iv. Processing: any operation or set of operations, automated or not, which is performed on personal data, including but not limited to collection, storage, use, transmission, disclosure, or deletion.

v. Parental authority: rights and obligations that parents or any other legally recognized person have in relation to a minor and which they exercise in the minor’s interest.

---

3. Collection of personal data.

The Bank may among other channels, directly or indirectly collect;

• personal data from data subjects through applications, telephone, internet or in person;
• personal data from other institutions sometimes without direct involvement of a data subject;
• personal data from service providers, regulators or other third parties that may hold such personal data;
• website personal data using ‘cookies’ which allow the Bank to collect standard internet usage data;
• data using electronic equipment such as closed-circuit television on the Bank premises;

4. Types of personal data to be processed.

The Bank may process the following personal data:

• names, identification card numbers, e-mail address, physical address, telephone number, online identifiers or other particulars assigned to an individual;
• data relating to biometrics, gender, sex, marital status, nationality, sexual orientation, age, physical or mental health, disability, religion, culture, language, and birth;
• data relating to education, medical, financial, criminal or employment history of individuals;
• correspondence that is implicitly or explicitly of a private or confidential nature that would reveal the contents of the original correspondence;
• personal opinions, views, or preferences of an individual.

5. Grounds for NBR to process personal data

NBR may among other purposes, process personal data;

• for regulatory purposes and as part of its functions and public interest. The bank regulates and supervises financial institutions which can involve processing personal data;
• for policy formulation and management, NBR gathers, analyses, and publishes data which are used to inform the Bank policy decisions and response to key economic events;
• as part of the recruitment process for its employees and consultants, NBR requires data relating to education, professional background and more.
• to perform different activities that improve public understanding of its functions, NBR may collect personal data through events and/or distributing materials;
• as part of the procurement process, NBR maintains records of individuals across industries. The type of personal data that are processed under this, is usually limited to data the Bank receives directly from individuals it engages with;

---

• to keep track of the number of visitors to its website and portals, NBR uses cookies to make websites work more efficiently as a way to understand how the website is used. It does not however make any attempts to identify individuals visiting the websites;
• as part of identification of visitors to NBR premises, the Bank may ask for identification from all visitors and video surveillance is also operated. This is essential to further the Bank legitimate interests in securing NBR premises, staff, and visitors.

6. Sharing personal data

In some circumstances, it may become necessary for NBR to share personal data with other institutions including other central banks, external auditors, past or future employers as part of reference checks, law enforcement agencies or courts of law. The Bank will only share personal data in compliance with the relevant laws, requests from law enforcement agencies or for any other legitimate reason. In that regard, the Bank requires the recipients of the personal data to appropriately safeguard the privacy and security of personal data they receive from NBR and in case of any breach, NBR will duly notify the National Cyber Security Authority (NCSA) after being aware of the incident.

When NCSA is of the opinion that sharing or transferring personal data may infringe the rights and privacy of individuals, inspections and assessments will be conducted against the measures put in place to prevent loss, damage, or destruction of personal data and determine sanctions if necessary.

7. Storage and retention of personal data

Personal data is stored on Bank servers and/or the servers of the cloud-based database management services NBR contracts and where possible, the Bank will seek to anonymise personal data so that it can no longer be associated with the individual. The Bank retains personal data for as long as it is required for the purposes for which it was collected for, and other purposes that are compatible with this. When determining retention periods, NBR refers to the Bank internal policies and/or national policy, statutory or audit commitments, contractual arrangements, or Bank engagements with the data subject.

8. Personal data safeguards

To protect the privacy of personal data processed by the Bank, NBR maintains technical and administrative safeguards and regularly updates and tests its security technologies. NBR also restricts access to personal data to employees who are authorized to know that data in order to provide services to a data subject. In addition, NBR trains its employees about the importance of privacy and security of personal data and it is committed to taking appropriate disciplinary measures to enforce employees’ privacy responsibilities.

If a data subject previously provided his/her personal data to NBR, he/she may make a request to receive data about the processing of his/her personal data, to access the personal data, and to correct any inaccurate or incomplete personal data. All requests and objections about processing of personal data should be made in writing.

---

9. Individual data rights

Under data protection and privacy laws, a data subject has rights in relation to data held about him/her which include but not limited to:

• to request a copy of the personal data the Bank holds about him/her;
• to request that any incomplete or inaccurate data NBR holds be corrected;
• to request to delete his/her personal data where there is no good reason to continue to process it;
• to object to processing his/her personal data;
• to request a restriction of processing of his/her personal data;
• to request the transfer of his/her personal data to another party.

The rights set out above are not absolute and therefore subject to important exemptions and limitations provided for by relevant laws for example reasons of public interest, establishment or defense of legal claims, necessity for protection of rights of another person, hence NBR will not always comply with requests as mentioned above.

10. Children’s data

The Bank website, services, and functions are primarily intended for adults hence NBR does not collect children’s personal data. However, for special cases, data regarding persons under the age of 16 will only be processed with the explicit consent of an adult holding parental authority over the concerned child. However, consent is not required to process the child’s personal data if it is necessary for protecting the vital interest of the child.

11. Consent

The Bank may process personal data without one’s consent while carrying out its legal obligations or exercising its functions as the Central Bank. However, in certain conditions, the Bank may approach an individual for a written consent to allow to process certain data. If the Bank does so, it will provide him/her with full details of the data that the Bank would like and the reason they are needed, so that a data subject can carefully consider whether he/she wishes to consent to the processing.

12. Implementation and complaints desk

The Bank established a Data Protection Office to act as the point of contact for individuals in relation to concerns around how personal data is processed. Should you have any queries or concerns regarding processing of your personal data, you should undertake to first attempt to resolve any with NBR in writing through email: dpo@bnr.rw, NBR will investigate and report to appropriate authorities, recover or correct the personal data and/or enhance controls. If you are not satisfied with the NBR response, you may appeal to the National Cyber Security Authority within thirty (30) days from the date of receipt of NBR response.

---

13. Changes to this Policy

The Bank reserves the right to update this Policy at any time, and when any substantial updates are made, the new Policy is made public. Any such amendment or update will come into effect and become part of any agreement a data subject has with NBR when a notice of change by publication on the Bank website is given. It is data subject’s responsibility to check the website on a regular basis.

14. Commencement

This Policy shall come into force on the date of its signature.

Done at Kigali, on 5th October 2023

[Signature] Digitally signed by NBR(Deputy Governor)

Soraya M. HAKUZIYAREMYE Deputy Governor and Acting Governor