
A Quick-Start Guide to Zimbabwe’s Data Protection Regulations

By Savannah Robinson
Introduction
 
On the 13th of September, Zimbabwe launched new regulations under the Cyber and Data Protection Act [Chapter 12:07] (the “Act”). Known as the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (hereafter “SI 155”), these rules set clear standards for entities handling personal data, prioritizing accountability and safeguarding individuals' personal information.
 
Scope and Interpretation
 
SI 155 applies to any entity or person processing personal information. The law specifically defines biometric data as physiological characteristics including, but not limited to, fingerprints, palm veins, and facial recognition features, emphasizing their inclusion in personal data protections. Additionally, entities are required to designate a Data Protection Officer (“DPO”) to oversee compliance.
Key Provisions
 
1. Licensing of Data Controllers
A data controller is anyone who determines the purposes and means of processing personal data. To operate, data controllers must apply for a license using Form DP1, accompanied by the relevant fees. 
 
The Data Protection Authority, i.e. the Postal and Telecommunications Regulatory Authority of Zimbabwe (“POTRAZ”), has a 14-day window to approve or reject applications. Controllers operating prior to the regulation must obtain a license within six months of the law’s enactment.
 
According to Section 3 of SI 155, you must obtain a license from POTRAZ if you process personal data for any of the following purposes: 
• Determining the means, purpose, or outcome of data processing.
• Deciding what personal data to collect.
• Selecting the individuals from whom to collect data.
• Using personal data for commercial gain or other benefits.
 
Existing data controllers have a grace period of six months from the date these Regulations were enacted [i.e. until March 2025] to comply.
When applying for a license, you will need to provide details about the types of sensitive personal data you handle. You will also need to describe the safeguards you have implemented to protect the data and indicate whether the data is stored in Zimbabwe or in another country.
2. Licence Validity and Renewal
Licenses for data controllers are valid for 12 months, subject to renewal three months before expiration. Failure to renew a license may result in substantial penalties.
3. Licence Categories
Data controllers are categorized into four tiers based on the number of data subjects they manage, ranging from Tier 1 (50-1,000 data subjects) to Tier 4 (over 500,000 data subjects).
4. Exemptions
Some entities, such as those processing data for personal, family, household, law enforcement, or journalistic purposes, may be exempt from licensing. However, they must still adhere to data protection principles outlined in the Act.
5. Data Breach Notification
In the event of a data breach, SI 155 requires data controllers to report the incident to POTRAZ within 24 hours of becoming aware of it. If the breach is likely to pose a high risk to the rights and freedoms of individuals, those affected must also be informed within 72 hours. 
6. Obligations of Data Controllers
Data controllers are obligated to notify POTRAZ of all processing activities involving personal data. Controllers must ensure the security, integrity, and confidentiality of data and are responsible for the actions of their agents or representatives. When handling children's data, special care is required, including obtaining consent from parents or legal guardians and conducting regular privacy assessments.
Moreover, any decision-making based solely on automated processing, particularly where it affects individuals' rights, must be consented to by the data subject or allowed by law.
7. Appointment of Data Protection Officers
Every data controller is required to appoint a DPO within 90 days of the promulgation of SI 155 or when the role becomes vacant. The DPO must possess skills in data science, information security, or relevant fields and must undergo certification training. The DPO is tasked with monitoring compliance, managing internal data protection activities, and ensuring the protection of data subjects' rights.
SI 155 mandates that data controllers provide continuous professional development training to their DPO so that the DPO maintains their certification.
8. Secure Processing of Personal Data
SI 155 emphasises that all personal data must be processed securely, using appropriate technical and organizational measures, such as:
• Conducting regular risk assessments.
• Developing and implementing organizational policies for data protection.
• Putting in place robust physical and technical security measures for all stages of data handling.
• Regularly testing the effectiveness of security measures and implementing any necessary improvements.
 
Conclusion
 
As Zimbabwe endeavours to advance technologically, SI 155 represents a critical framework for safeguarding personal information. Businesses and organizations must take immediate action to comply with these regulations to avoid legal repercussions while ensuring that data protection standards are met.