Zimbabwe’s Cyber and Data Protection Act clearly sets out how organisations must collect, use, and protect personal information. Alongside the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, it forms a comprehensive legal framework that applies to anyone who processes personal data, whether as an individual, private or public body.
This guide explains who must comply, what the law requires, and what steps you need to take to meet the latest deadlines.
What you need to know about the Act
The Cyber and Data Protection Act, 2021, is Zimbabwe’s main data protection law. It applies to all public and private organisations, regardless of size. In September 2024, the government introduced the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, which strengthen enforcement by requiring registration of data controllers and processors and the appointment of a data protection officer.
The Act is enforced by the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ).
Who must comply?
The Cyber and Data Protection Act applies to anyone who processes or stores personal data wholly or partly by automated means (for example, computers or apps). This includes private and public bodies, as well as individuals who collect, use, or store personal information for purposes beyond purely personal or household use.
You must comply if you:
- are established in Zimbabwe and process personal data in the course of your activities;
- operate from outside Zimbabwe but use equipment, systems or services located in Zimbabwe to process or store data (this does not apply if the data merely passes through Zimbabwe); or
- collect or store personal data electronically, even if you are not permanently located in Zimbabwe.
If you fall into the last category and are not established in Zimbabwe, you must appoint a local representative in Zimbabwe to handle legal and regulatory matters on your behalf.
Key features
- Data subject rights: You must inform data subjects when you collect their personal data, whether directly or indirectly. You must explain who you are, why you are collecting the data, and how you will use it. If you collect data for direct marketing, you must also inform individuals of their right to object at any time.
- Security safeguards: Organisations must protect personal data from unauthorised access, loss, or alteration. They must use physical, technical, and policy measures that match the risks involved. These include doing risk assessments, creating security policies, and testing their systems regularly. Measures must also ensure systems stay secure, available, and can recover quickly after an incident.
- Breach notification: You must report data breaches to POTRAZ within 24 hours. If the breach poses a high risk to individuals, you must also notify affected people within 72 hours.
- Cross-border transfers: You must notify POTRAZ before transferring personal data outside Zimbabwe. You may only transfer personal data if the destination offers adequate protection or if specific conditions, such as consent or legal necessity, are met. The Act does not regulate the sale of personal data.
- Registration and licensing: Most data controllers must register with POTRAZ before starting processing activities. In addition to registering, many controllers must also apply for a licence, especially if they decide what data to collect, how to use it, or process data for commercial purposes. The licence application must include information about the controller, the type of data processed, and the safeguards in place. Registration fees vary depending on the number of people whose data is processed.
- Appointment of a DPO: All licensed data controllers must appoint a data protection officer (DPO). Data controllers that are only registered, but not licensed, do not need one. The deadline to appoint a DPO was 12 December 2024.
- Records of processing activities (ROPAs): The Act does not require data controllers to keep internal records of processing activities. Instead, POTRAZ must maintain a public register of automated data processing. Data controllers must notify POTRAZ about their processing activities.
- Data privacy impact assessments (DPIAs): Data controllers must conduct DPIAs when processing children’s data. The Regulations require these assessments to be carried out regularly, but do not specify how often. The Cyber and Data Protection Act does not prescribe what the DPIA must include, and there is no requirement to consult POTRAZ.
Data processing principles
Zimbabwe’s Cyber and Data Protection Act sets out specific principles that every data controller and processor must follow when handling personal information. These principles are designed to protect the privacy of individuals and ensure responsible data use. Key principles include:
- Lawfulness, fairness and transparency: You must process data lawfully, fairly, and transparently. You must also respect each data subject’s right to privacy.
- Purpose limitation: You must collect data for a specific, clear, and legitimate purpose. You may not use it for anything that is incompatible with that purpose.
- Data minimisation: Collect only data that is adequate, relevant, and necessary for your purpose.
- Personal data relating to family or private affairs: The data controller must provide a valid explanation for collecting it.
- Accuracy: Data must be accurate and kept up to date. Inaccurate data must be corrected or erased without delay.
- Storage limitation: Data must not be retained for longer than necessary to achieve the purpose for which it was collected.
- Integrity and confidentiality: Data controllers and processors must take appropriate technical and organisational measures to protect data against unauthorised access, loss, or misuse.
- Accountability: Data controllers are accountable for complying with these principles and must be able to demonstrate that they do.
The Act also requires data protection by design and by default when processing a minor’s data.
Special category personal data and children
The Act imposes stricter rules on processing sensitive personal data and the personal data of children. You generally need written consent, unless a specific exception applies.
Sensitive personal data
You may only process sensitive, genetic, biometric, or health data if the data subject gives written consent. You do not need consent if:
- a law on employment or national security requires the processing;
- the processing protects the data subject’s vital interests, public health, or legal rights;
- the processing supports research, medical treatment, or serves the public interest; or
- the data subject has made the information public.
The data subject must give explicit consent, which they may withdraw at any time. A data controller may only process health data under the supervision of a health professional, unless the data subject consents or there is an urgent risk of harm. The data controller must also issue a unique health ID when processing health data.
Children
The Act defines a child as anyone under 18. You may only process a child’s personal data with the consent of a parent or legal guardian. That parent or guardian may also exercise the child’s rights under the Act. Once the data subject gives consent, you must still comply with all other data protection requirements under the Act.
Timelines and next steps for compliance
The Regulations came into force on 12 September 2024. Organisations had to register with POTRAZ and, if required, apply for a licence before starting any data processing activities. Licensed data controllers also had until 12 December 2024 to appoint a data protection officer.
If you haven’t already taken steps to comply, now is the time. Start by identifying whether your organisation qualifies as a data controller or processor under the law. Then:
- Register or apply for a licence with POTRAZ, depending on your data processing activities and scale.
- Appoint a DPO if you are a licensed data controller.
- Map your data flows and assess your processing activities, especially those involving sensitive data or children.
- Review your contracts, consents, and notices to ensure they meet the legal requirements.
- Implement technical and organisational measures to protect personal data and respond to breaches within the required timeframes.
Building a data protection culture isn’t just about compliance—it builds trust with your customers, partners, and regulators.
Need help navigating Zimbabwe’s data protection laws?
Our legal experts can guide you through registration, licensing, and putting practical controls in place.
- Engage with us by booking a consultation with one of our data protection experts to understand how to comply with the data protection laws of Zimbabwe.
- Find out more about your obligations and responsibilities by reading the Cyber and Data Protection Act. You can also refer to the Regulations for more information on registration and DPO requirements.