Zimbabwe's Data Protection Act (DPA) formally came into effect on December 3, 2021. First presented as the Cybersecurity and Data Protection Bill in May 2020, the legislation went through multiple rounds of deliberations, modifications, and debates.
The DPA applies to all such processing and storage activities concerning personal data, where the means used, whether electronic or otherwise, are located in Zimbabwe, and such processing and storage is not for the purposes of mere transit of data through Zimbabwe.
The DPA designates the Postal and Telecommunications Regulatory Authority in Zimbabwe as the ‘Data Protection Authority’ under the Act, which is responsible for regulating the implementation of the DPA’s provisions.
The DPA places stringent obligations upon data controllers and processors to ensure the protection of the personal information of data subjects. The DPA, amongst other things, obligates data controllers and processors to adopt appropriate technical and organizational measures that are necessary to protect data from negligent or unauthorized destruction, negligent loss, unauthorized alteration or access, and any other unauthorized processing of the data.
In the event a data controller or their representative, agent, or assignee contravenes the DPA in respect of the processing of sensitive information, specified duties of the data controller, appropriate technical and organizational measures to be implemented, compliance with the principles and obligations set out in the DPA, or transfer of personal data outside Zimbabwe, they shall be liable to a fine not exceeding level 11 (ZWL$ 400,000) or imprisonment for a period not exceeding seven years or both.
