The Cyber and Data Protection Act (Chapter 12:07) (No.5 of 2021) (hereinafter referred to as "the Act") was enacted in 2021.
Further, Statutory Instrument 155 of 2024, the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (hereinafter referred to as "the SI" or "the Regulations"), was promulgated on September 13, 2024.
Briefly about the Act
According to the Act, it is an Act to provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to establish a Cyber Security Centre and a Data Protection Authority and to provide for their functions; to create a technology-driven business environment and encourage technological development and the lawful use of technology; to amend sections 162 to 166 of the Criminal Code (Codification and Reform) Act [Chapter 9:23]; to provide for investigation and collection of evidence of cybercrime and unauthorised data collection and breaches, and to provide for admissibility of electronic evidence for such offences; and to provide for matters connected with or incidental to the foregoing.
The object of the Act is to increase data protection to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
The Regulations
The regulations were made by the Minister of Information Communications Technology, Postal and Courier Services in consultation with the authority (Postal and Telecommunication Regulatory Authority or POTRAZ), in terms of section 32 of the Cyber and Data Protection Act [Chapter 12:07]. These were gazetted on September 13, 2024.
Salient provisions of the Regulations
For purposes of this article, I list the following as the key or salient provisions in the regulations:
Processing of data (section 3)
Licensing of data controllers (section 4)
Obligations of data controllers (section 10)
Appointment of data protection officers (section 12)
Qualifications of data protection officers (section 13)
Functions of data protection officers (section 14)
Security of data (section 16)
Security breach notification (section 17)
Data processing
According to section 3 of the Regulations:
Subsection 1 -- No person shall process personal information for the purposes indicated in subsection (2) unless they are licensed with the authority.
Subsection 2 -- Subject to section 4, any person who processes personal information with the intention to--
(a) decide the means, purpose or outcome of the processing;
(b) decide what personal data should be collected;
(c) decide which individuals to collect personal data from;
(d) obtain a commercial gain or other benefit from the processing of personal data;
shall apply for a licence in terms of these regulations.
Subsection 3 -- Any person who processes personal information in terms of this section without a data controller licence within the stipulated time frames shall be guilty of an offence and liable to a fine not exceeding level 11 or to imprisonment for a period not exceeding seven years or to both such fine and such imprisonment.
According to section 4(1), any person, whether alone or jointly with others, who determines the purposes and means of the processing of personal data shall apply for a data controller licence.
Key definitions
According to the Act, "data" means any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data.
In terms of the Act, a "data controller" or "controller":
refers to any natural person or legal person who is licensable by the Authority
includes public bodies and any other person who determines the purpose and means of processing data.
According to the Act, "data protection officer" or "DPO" refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act. "Data subject" refers to an individual who is an identifiable person and the subject of data.
Deadline for the registration of data controllers
According to section 4(5) of the Regulations, a data controller was required to submit an application to POTRAZ by March 12, 2025, being 6 months after the promulgation of the Regulations on September 13, 2024.
Timeframe for the appointment of a data protection officer according to section 12:
A data controller is required to appoint a Data Protection Officer within 90 days from the date of promulgation of these regulations (from September 13, 2024) or the date of termination of the DPO contract.
A data controller who fails to appoint a data protection officer in terms of these regulations shall be guilty of an offence and liable to a fine not exceeding level 7 or to imprisonment not exceeding two years or to both such fine and such imprisonment.
Further articles
Space permitting, I promise to write more articles on the salient provisions listed above but not covered in this article.
Conclusion
The Act is relatively new. The regulations are recent. There are deadlines to be met. It is important to consult legal and IT professionals to be compliant. This area also presents career opportunities for IT professionals.
Disclaimer
This simplified article is for general information purposes only and does not constitute the writer's professional advice.
Godknows (GK) Hofisi, LLB (UNISA), B.Acc (UZ), Hons B.Compt (UNISA), CA(Z), ACCA (Business Valuations), MBA (EBS, Heriot-Watt, UK) is the Managing Partner of Hofisi & Partners Commercial Attorneys, chartered accountant, insolvency practitioner, commercial arbitrator, registered tax accountant and advises on deals and transactions.
He has extensive experience from industry and commerce and is a former World Bank staffer in the Resource/Management Unit. He sits on the Council of Estate Administrators in Zimbabwe and was recently appointed to the Board of an Engineering company. He writes in his personal capacity. He can be contacted on +263 772 246 900 or ghofisi@hofisilaw.com or gohofisi@gmail.com. Visit www.hofisilaw.com for more articles.