Navigating the Data Protection Act Requirements: Ensuring Compliance for Zimbabwean Data Controllers

14 Mar, 2025
This post was broadcast from MISA Zimbabwe.

Zimbabwe’s Cyber and Data Protection Act [Chapter 12:07] establishes a structured legal framework for the processing of personal data, ensuring both privacy and security for individuals.

 

Section 5 of this Act designates the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) as the Data Protection Authority. One of its responsibilities is to regulate how personal information may be processed by establishing conditions for the lawful processing of data.

 

Compliance

 

Organisations must be aware of POTRAZ’s requirements to ensure compliance. In accordance with the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations (Statutory Instrument 155 of 2024), promulgated in September 2024, all entities engaged in data processing are required to obtain a data controller’s licence from POTRAZ by 12 March 2025.

The licence is valid for 12 months, contingent upon adherence to prevailing legislation, and requires renewal applications to be submitted three months before its expiry.

 

Entities that manage the personal data of 50 or more individuals must register to comply.

 

This process requires transparency about data collection and usage, establishing robust technical and organisational safeguards, and appointing a Data Protection Officer (DPO) for ongoing compliance management. Data controllers processing personal data for personal, family, or household matters, law enforcement, journalistic, historical, or archival purposes are exempt from applying for a licence.

 

Data Controllers must appoint a DPO with specific qualifications (such as law, data science, information systems audit, or any relevant qualification) and inform the Authority using Form DP2 by 12 December 2024.

 

The deadline has passed and any entity that has not completed these steps is now in violation of the regulations.

A summary of the compliance processes:

1. Appoint a qualified Data Protection Officer (DPO), who must complete a certification course at Harare Institute of Technology (HIT), incurring application and tuition fees.

2. Notify POTRAZ of the DPO’s appointment and detail the collected data.

3. Apply for a Data Controller Licence via Form DP1 on the POTRAZ website.

4. Upon approval, pay the licence fee (US$50-US$2,000) and receive a 12-month licence.

5. Licence renewal is required three months before expiry; all data controllers must obtain a licence by 12 March 2025.

Who needs to register

i. Organisations (individual, NGO, company, or public entity) in or outside Zimbabwe processing data through systems located within the country.

ii. Organisations / entities collecting personal information (names, birthdates, addresses, IDs, phone numbers, IP addresses, online identifiers) from 50 or more individuals.

iii. Organisations / entities that process this data (organise, modify, retrieve, use, etc.) as part of their operations.

Enforcement and compliance

 

POTRAZ, as the Data Protection Authority, possesses the following enforcement powers: conducting audits and investigations to verify compliance; issuing warnings or mandating corrective measures for identified non-compliance; and imposing fines or legal sanctions for significant breaches of data protection regulations.

 

In terms of Section 4 (c) of the Regulations, any data controller who continues to process data without a licence after 12 March 2025 shall be guilty of an offence and liable to a fine not exceeding level 11 (USD1,000) or imprisonment for a period not exceeding seven (7) years, or to both such fine and imprisonment.

Conclusion

 

In summary, the Zimbabwean Cyber and Data Protection Act, enforced by POTRAZ, establishes a clear mandate for data controllers to prioritise data privacy and security.

 

Organisations must recognise that compliance is not merely a one-off event, but an ongoing commitment. The potential for considerable penalties, including hefty fines and imprisonment, underscores the gravity of non-compliance.

 

Beyond the legal ramifications, adherence to these regulations fosters trust with data subjects and reinforces ethical data-handling practices. By prioritising data privacy and security, organisations can demonstrate their commitment to ethical data handling and help create a secure digital environment in Zimbabwe.

 

 

About MISA

The Media Institute of Southern Africa (MISA) was founded in 1992. Its work focuses on promoting, and advocating for, the unhindered enjoyment of freedom of expression, access to information and a free, independent, diverse and pluralistic media.
