
Data Protection in Zimbabwe
Data protection laws in Zimbabwe
Definitions in Zimbabwe
Definition of personal data
According to the Act, “personal information” means information relating to a data subject, and includes:
- the person’s name, address or telephone number;
- the person’s race, national or ethnic origin, colour, religious or political beliefs or associations;
- the person’s age, sex, sexual orientation, marital status or family status;
- an identifying number, symbol or other particulars assigned to that person;
- fingerprints, blood type or inheritable characteristics;
- information about a person’s health care history, including a physical or mental disability;
- information about educational, financial, criminal or employment history;
- opinions expressed about an identifiable person;
- the individual’s personal views or opinions, except if they are about someone else; and
- personal correspondence pertaining to home and family life.
Definition of sensitive personal data
According to the Act, “sensitive data” refers to:
- information or any opinion about an individual which reveals or contains the following—
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sex life;
- criminal, educational, financial or employment history;
- gender, age, marital status or family status;
- health information about an individual;
- genetic information about an individual; or
- any information which may be considered presenting a major risk to the rights of the data subject.
Definition of personal life data
There is no definition of “Personal Life Data” in the Act or the Regulations.
Definition of biometric personal data
According to section 2 of the Regulations, “biometric data” means physiological characteristics which are related to a data subject and include but are not limited to the following:
- Fingerprints;
- Palm veins;
- Face recognition.
Definition of publicly available personal data
There is no definition of "Publicly Available Personal Data" in the Act or in the Regulations.
National data protection authority in Zimbabwe
The Data Protection Authority (the “Authority”) is the Postal and Telecommunications Regulatory Authority of Zimbabwe. It was established by the Postal and Telecommunications Act [Chapter 12:05] and designated as the Data Protection Authority by the Act.
Registration in Zimbabwe
Section 3 of the Regulations states that anyone who processes personal information to decide the means, purpose, or outcome of processing, to decide what or whose data to collect, or to obtain commercial gain from processing data, must apply for a licence with the Data Protection Authority.
Data controllers who process personal data for the following purposes are exempt from licensing but must still register with the Authority:
- Law enforcement;
- Journalistic, historical, or archival purposes.
The Authority maintains a register of all licensed and registered data controllers.
Data protection officers in Zimbabwe
Data controllers are required to appoint a data protection officer ("DPO") and notify the Authority in writing using Form DP2. The Authority must also be notified of any changes to the DPO's contact information, dismissal, or resignation. DPOs must have the following qualifications:
- Skill, qualifications, or experience in data science, data analytics, information security systems, information systems audit, law, audit, or any other relevant qualification;
- Knowledge of national data protection laws and practices;
- Understanding of the data controller’s business operations and processing activities;
- Certification through a course approved by the Authority.
DPOs have the following duties:
- Monitoring compliance with the Act, the Regulations, and organizational data protection policies;
- Managing internal data protection activities;
- Raising awareness of data protection;
- Training staff on data protection;
- Conducting internal data protection compliance audits;
- Dealing with requests from the Authority and data subjects;
- Advising employees on their data protection obligations;
- Advising on and monitoring data protection impact assessments;
- Working with the Authority; and
- Acting as the contact point for data subjects.
Collection and processing in Zimbabwe
Characteristics for processing publicly available personal data
This is not addressed by the Act or the Regulations.
Characteristics for processing sensitive personal data
According to section 11 of the Act, written consent from the data subject is required to process sensitive data. This consent can be withdrawn at any time without explanation and free of charge.
The Minister responsible for the Cyber Security and Monitoring Centre may give directions on processing sensitive data related to national security or state interests.
Several exceptions to the written consent requirement are outlined in the Act, including:
- Processing necessary to carry out the controller's obligations and rights in employment law;
- Processing necessary to protect the vital interests of the data subject or another person when the data subject is incapable of giving consent;
- Processing carried out by a foundation, association, or other non-profit for political, philosophical, religious, health-insurance, or trade-union purposes, provided the processing relates only to members or those with regular contact and the data is not disclosed to third parties without consent;
- Processing necessary to comply with national security laws;
- Processing necessary for the establishment, exercise, or defence of legal claims;
- Processing of data made public by the data subject;
- Processing necessary for scientific research, with conditions specified by the Authority;
- Processing authorized by law for reasons of substantial public interest.
Characteristics for processing personal data of persons with incapacity or limited capacity and minors under the age of 16
The processing of children’s data is subject to the provisions of section 26 of the Act, which addresses the representation of data subjects who are children.
Where the data subject is a child, their rights may be exercised by their parents or legal guardian.
Data subjects who are physically, mentally, or legally incapable of exercising their rights may exercise them through a parent, guardian, or as provided by law or a court.
When processing children's information, data controllers must:
- Obtain consent from the child's parent or legal guardian;
- Make reasonable efforts to verify that consent is given or authorized by the parent or legal guardian;
- Adhere to all data processing principles;
- Conduct regular data protection impact assessments to identify and mitigate privacy risks to children;
- Ensure data protection by design and data protection by default;
- Avoid subjecting children’s data to automated decision making that affects their rights.
Characteristics for processing biometric personal data
According to section 12 of the Act, processing genetic, biometric, and health data is prohibited unless the data subject gives written consent.
The written consent requirement for genetic, biometric, and health data can be withdrawn at any time without explanation and free of charge.
Several exceptions to the written consent requirement for genetic, biometric, and health data are outlined in the Act, including:
- Processing necessary to carry out the controller's obligations and rights in employment law;
- Processing necessary to comply with national security laws;
- Processing necessary for the promotion and protection of public health;
- Processing required by law for reasons of substantial public interest;
- Processing necessary to protect the vital interests of the data subject or another person when the data subject is incapable of giving consent;
- Processing necessary for the prevention of imminent danger or the mitigation of a criminal offense;
- Processing of data made public by the data subject;
- Processing necessary for the establishment, exercise, or defence of legal rights;
- Processing required for scientific research;
- Processing necessary for preventative medicine, medical diagnosis, the provision of care or treatment, or the management of healthcare services.
In addition, health-related data may only be processed under the responsibility of a healthcare professional unless the data subject provides written consent or the processing is necessary for the prevention of imminent danger or the mitigation of a criminal offense.
Processing of personal data by an authorized person assigned by the processor of data
According to section 17 of the Act, only persons acting under the authority of the controller, or the processor itself, may process data, and only as instructed by the controller.
Blocking or destruction of personal data
This is not addressed by the Act or the Regulations.
Transfer in Zimbabwe
According to section 28 of the Act, data controllers may not transfer personal information to a third party in a foreign country unless an adequate level of protection is ensured. This adequacy is assessed based on the circumstances surrounding the transfer, including the nature of the data, the purpose and duration of processing, the recipient, the recipient country's data protection laws, and professional rules and security measures.
Data controllers must notify the Authority of any intention to transfer or share data outside of Zimbabwe.
Security in Zimbabwe
Section 13 of the Act states that data controllers are responsible for processing personal information lawfully, fairly, and transparently, and for taking all necessary measures to comply with the Act and the Regulations.
Data controllers must take appropriate technical and organizational measures to protect personal data from negligent or unauthorized destruction, loss, alteration, access, or processing.
Security measures must ensure an appropriate level of security considering technological development, implementation costs, the nature of the data, and potential risks to the data subject.
The Authority may issue information security standards for processing activities.
Data controllers must appoint data processors who provide sufficient guarantees regarding technical and organizational security measures and must enter into a written contract or legal instrument with the processor ensuring security measures are maintained.
Data controllers must take all appropriate technical and organizational measures to safeguard data security, integrity, and confidentiality, ensuring an appropriate level of security.
Technical and organizational security measures include:
- Conducting risk assessments;
- Developing and implementing organizational policies;
- Implementing appropriate physical and technical measures for all data phases.
Data controllers and processors may implement additional security measures depending on the circumstances and risks associated with the processing.
Breach notification in Zimbabwe
Data controllers must report data breaches to the Authority within 24 hours of becoming aware of a breach affecting the data they or their processor handles.
If a breach poses a high risk to individuals' rights and freedoms, the data controller must inform the affected data subjects within 72 hours.
Enforcement in Zimbabwe
The Data Protection Authority is responsible for enforcing the Act and Regulations. The Authority has the following functions:
- Regulating personal information processing by establishing conditions for lawful processing;
- Promoting and enforcing fair data processing;
- Issuing opinions on privacy protection matters;
- Submitting administrative acts that violate privacy protection principles to the courts;
- Advising the Minister on privacy and access to information;
- Conducting inquiries or investigations;
- Receiving and investigating complaints;
- Conducting research and advising the Minister on international best practices;
- Facilitating cross-border cooperation in privacy law enforcement.
Electronic marketing in Zimbabwe
This is not addressed by the Act or the Regulations. However, obtaining user consent through appropriate disclaimers is recommended.
The data protection laws referred to on this page are:
- Cyber and Data Protection Act [Chapter 12:07] (the “Act”); and
- Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (the “Regulations”).