That's right, we are 100% organic

  • KK 4 Ave , Gikondo
  • +250 795 455 440
Privacy & Security

Privacy Policy

1. Introduction

Rwanda Organic Agriculture Movement (ROAM) respects the privacy of individuals and is committed to protecting personal data in accordance with Law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy and its implementing regulations in Rwanda.

This Privacy Policy explains how ROAM collects, uses, stores, shares, and protects personal data in the course of carrying out its mandate as a non-governmental organization.

2. Data Controller

Rwanda Organic Agriculture Movement (ROAM), legally registered with the Rwanda Governance Board under Legal Personality No. 84/2014 and Tax Identification Number (TIN) 102425306, with its office located at KK 4 Avenue, Gikondo, Kigali, Rwanda, acts as the Data Controller for the personal data it processes.

ROAM determines the purposes and means of processing personal data in line with its statutory objectives and operational activities.

3. Scope of This Policy

This Policy applies to all personal data processed by ROAM, whether collected physically or electronically. It covers personal data relating to members, beneficiaries, project participants, donors, employees, job applicants, volunteers, consultants, suppliers, partners, and users of ROAM’s website or digital platforms.

4. Categories of Personal Data Collected

ROAM may collect and process the following categories of personal data:

  • Identification data, including full name, national ID or passport number, date of birth, gender, and TIN where applicable.
  • Contact information, including telephone number, email address, and physical address.
  • Professional and employment information, including CVs, qualifications, employment history, references, and contractual records.
  • Financial information, including bank account details for payments or reimbursements and donation records.
  • Technical data collected through digital platforms, including IP address, device information, and website usage data.
  • Special categories of personal data where necessary for specific programs and processed in compliance with applicable legal requirements and safeguards.

ROAM collects personal data directly from individuals or, where appropriate, from authorized third parties.

5. Purpose of Processing

ROAM processes personal data for legitimate and lawful purposes related to its activities, including:

  • Membership registration and administration.
  • Implementation and monitoring of projects and programs.
  • Donor management, reporting, and compliance with funding obligations.
  • Recruitment, employment administration, and staff management.
  • Financial management, payments, and accounting.
  • Communication, outreach, and awareness activities.
  • Compliance with legal and regulatory obligations.
  • Management and improvement of ROAM’s website and digital services.

Personal data is processed only to the extent necessary for these purposes.

6. Legal Basis for Processing

ROAM processes personal data based on one or more lawful grounds recognized under Rwandan data protection law, including:

  • Consent provided by the data subject.
  • Performance of a contract or steps taken at the request of the data subject prior to entering into a contract.
  • Compliance with legal obligations.
  • Performance of tasks carried out in the public interest or within ROAM’s mandate.
  • Legitimate interests pursued by ROAM, provided such interests do not override the rights and freedoms of the data subject.

7. Data Sharing and Disclosure

ROAM may share personal data where necessary with:

  • Government authorities and regulators where required by law.
  • Donors and funding partners for reporting and accountability purposes.
  • Partner organizations involved in joint programs.
  • Service providers, including IT providers, cloud hosting services, auditors, and professional advisers, who process data on behalf of ROAM.

ROAM ensures that appropriate contractual and organizational safeguards are in place when personal data is shared with third parties.

8. International Transfers of Personal Data

Where personal data is transferred outside Rwanda, including through the use of international service providers or cloud-based systems, ROAM ensures that adequate safeguards are implemented in accordance with Rwandan law. Such safeguards may include contractual protections and other approved mechanisms to ensure that personal data remains adequately protected.

9. Data Retention

ROAM retains personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal, contractual, and regulatory obligations. Retention periods are determined based on applicable laws, donor requirements, and operational needs.

Once personal data is no longer required, it is securely deleted, destroyed, or anonymized.

10. Data Security

ROAM implements appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction. These measures include access controls, secure storage systems, password protection, confidentiality obligations for staff, and periodic review of data protection practices.

11. Rights of Data Subjects

In accordance with Rwandan data protection law, individuals have the following rights:

  • The right to be informed about the processing of their personal data.
  • The right to access their personal data.
  • The right to request correction of inaccurate or incomplete data.
  • The right to request erasure where legally applicable.
  • The right to object to processing in certain circumstances.
  • The right to request restriction of processing.
  • The right to withdraw consent at any time where processing is based on consent.
  • The right to lodge a complaint with the competent supervisory authority.

Requests to exercise these rights may be submitted to ROAM through its official contact channels.

12. Personal Data Breaches

In the event of a personal data breach, ROAM will assess the nature and impact of the incident, take appropriate containment and mitigation measures, and notify the competent authority and affected individuals where required under applicable law.

13. Children’s Data

Where ROAM processes personal data relating to minors within its programs or activities, such processing will be carried out in compliance with applicable legal requirements and, where necessary, with parental or guardian consent.

14. Changes to This Policy

ROAM may update this Privacy Policy from time to time to reflect changes in legal requirements or operational practices. The updated version will be made available through ROAM’s official communication channels.

15. Contact Information

For any questions regarding this Privacy Policy or the processing of personal data, individuals may contact:

Rwanda Organic Agriculture Movement (ROAM)
KK 4 Avenue, Gikondo
Kigali, Rwanda
Email: info@roam.org.rw
Phone: +250 792 012 275

Information Security Policy

1. Purpose

This Information Security Policy establishes the principles and minimum requirements for protecting the information and information systems of Rwanda Organic Agriculture Movement (ROAM). The objective is to safeguard personal data, organizational records, and digital assets against unauthorized access, loss, alteration, disclosure, or destruction.

2. Scope

This Policy applies to all staff, volunteers, consultants, partners, and service providers who access or process ROAM information. It covers all information assets, whether stored electronically or in physical form.

3. Information Security Principles

  • Confidentiality: Information must be accessible only to authorized individuals.
  • Integrity: Information must be accurate, complete, and protected from unauthorized modification.
  • Availability: Information and systems must remain accessible when required for authorized business purposes.

4. Access Control

Access to systems and information is granted based on job responsibilities and the principle of least privilege. Users must use strong passwords and must not share login credentials. Access rights are reviewed periodically and revoked promptly when no longer required.

5. Data Protection and Handling

Personal data and sensitive organizational information must be processed in accordance with applicable data protection laws. Information must be stored securely, transmitted using secure methods where possible, and not shared without proper authorization.

6. Physical Security

Physical records and IT equipment must be stored in secure locations with controlled access. Devices containing sensitive information must be protected against theft, loss, or unauthorized access.

7. Incident Management

All suspected or actual security incidents, including data breaches, must be reported immediately to management. ROAM will assess incidents, take corrective action, and comply with any legal notification obligations.

8. Compliance

Failure to comply with this Policy may result in disciplinary action and, where applicable, legal consequences. This Policy will be reviewed periodically to ensure continued effectiveness and alignment with legal and operational requirements.