Population: 18,091,575

Capital: Lilongwe

President: Peter Mutharika

2019 Freedom House Score: 64/100

Malawi does not have a comprehensive data protection law, but the Electronic Transactions and Cybersecurity Act No. 33 of 2016 replicates some provisions seen in data protection laws.

Under Act No. 33 of 2016, individuals have the right to:

• obtain all of their personal data in an understandable form, as well as any available information as to the origin;
• oppose, for legitimate reasons, the processing of personal data concerning them;
• object to the processing of their personal data for prospecting purposes; and
• rectify or erase personal data concerning them where it is inaccurate, incomplete, equivocal, out of date, or if collection, use, communication or conservation is prohibited.

Personal data means any information relating to an individual who:

• may be directly identified; or
• if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social, or economic identity.

Personal data processing may only occur with consent from the data subject or if processing is necessary for:

• compliance with a legal obligation to which the controller is subject;
• the performance of a public interest mission or the exercise of public authority;
• the commencement or performance of a contract in the data subject’s interests or to which he, she or they are a party;
• safeguarding the interests or fundamental rights and freedoms of the data subject; or
• the pursuit of legitimate interests of the controller or third-party data processor, provided these interests preserve the fundamental rights and freedoms of the data subject.

Personal data must be:

• processed fairly and legally;
• collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
• adequate, relevant, and not excessive in relation to the purposes for which they are collected and processed;
• accurate and kept up to date, where necessary; and
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

There is no data protection regulator. The Malawi Communications Regulatory Authority is responsible for the implementation of Act No. 33 of 2016, and may impose administrative penalties of up to K5,000,000 for violations.

There are no data transfer restrictions in Malawi.

There is no data breach notification protocol stipulated in Malawian law.