DLA Piper Intelligence

Data Protection
Laws of the World

Law

Zambia

Zambia regulates data privacy and protection issues under the Electronic Communications and Transactions Act (ECTA).

Last modified 23 May 2019
Definitions

Definition of Personal Data

The ECTA defines personal information as information about an identifiable individual, including, but not limited to: 

  • information relating to the race, gender, pregnancy, marital status, nationality, ethnic or social origin, color, age, physical or mental health, well-being, disability, religion, belief, culture, language and birth
  • information relating to education, medical, financial transaction, criminal or employment history
  • any identifying number, symbol, or other identifier assigned to the individual
  • address, fingerprints or blood type
  • personal opinions, views or preferences of the individual, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual
  • correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence
  • views or opinions of others about the individual
  • views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name
  • an individual’s name, in combination with other personal data, or alone, if it could reasonably be linked to personal data (an exception applies for persons deceased for more than 20 years).

Definition of Sensitive Personal Data

The ECTA does not define sensitive personal information.

Authority

The Zambia Information and Communication Technology Authority is responsible for enforcing the provisions of the ECTA.

Registration

There are no registration requirements in Zambia.

Data Protection Officers

The ECTA does not require the appointment of a data protection officer.

Collection & Processing

Data controllers must adhere to the following principles in respect of collection and processing: 

  • obtain express written consent from the data subject to collect, collate, process or disclose any of the data subject’s personal information, unless otherwise permitted or required by law
  • only electronically request, collect, collate, process or store personal information on a data subject necessary for the lawful purpose for which the personal information is required
  • disclose, in writing, to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored
  • not use any personal information for any purpose other than the disclosed purpose, without express written permission from the data subject, unless permitted or required by law
  • for as long as any personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected
  • not disclose any personal information held by the data controller to a third party unless required or permitted by law or specifically authorized in writing by the data subject
  • for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which, and the purpose for which, it was disclosed
  • delete or destroy all personal information, except as otherwise provided under the ECTA or any other law, and
  • may use any personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.

Transfer

All transfers must be based on the consent of the person whose data is to be transferred, unless otherwise required by law.

Security

The ECTA provides for certain criteria for accreditation of authentication products and services.

Breach Notification

There is no breach notification requirement in Zambia.

Enforcement

General penalties under the ECTA include:

  • in the case of an individual, a penalty not to exceed five hundred thousand penalty units (approx. US$12,712) or imprisonment for a period not to exceed five years, or both
  • in the case of a corporation or an unincorporated body, a penalty not to exceed one million penalty units (approx. US$25,424).

Electronic Marketing

The ECTA includes provisions to regulate electronic transactions and requires that suppliers of goods provide certain information on their website. 

The ECTA further includes provisions to protect customers in electronic transactions and requires inter alia that a description of the main characteristics of goods or services offered by a supplier be provided to the consumer to enable the consumer to make an informed decision on the proposed electronic transaction. This description must include the full price of the goods or services, including transport costs, taxes and any other applicable fees or costs.

Online Privacy

The same principles as laid out above apply (see Electronic Marketing).

Contacts
Louise Chilepa
Senior Associate
Chibesakunda & Co
T +260 211 366400