Zimbabwe Fact Sheet | Data Protection Africa

ZIMBABWE

DATA PROTECTION FACTSHEET

DATA PROTECTION LAW IN PLACE

DATA PROTECTION AUTHORITY APPOINTED

DOWNLOAD THE ACT

Fast Facts
Domestic Law
Privacy enshrined in Constitution: Yes, Zimbabwe’s Constitution acknowledges the right to privacy in Article 57, including the privacy of communications

DPA legislation: The new Data Protection Act was gazetted on the 3^rd of December 2021 and came into effect on the same day. The Act aims to realise the rights provided for under the Constitution and establishes a new Data Protection Authority to oversee the regulation of the data protection, whose responsibilities will vest in the Postal and Telecommunications Regulatory Authority (POTRAZ). It also deals with various provisions related to cybercrimes and in doing so amends various provisions of existing legislation. It also establishes the Cybersecurity and Monitoring of Interception of Communications Centre housed within the Office of the President which is responsible for authorising the interception of communications, advising the government on cybercrime and cybersecurity, and coordinating activities focused on improving cybersecurity.

The Act draws inspiration from the European Union’s General Data Protection Regulation and places the burden of compliance on data controllers to ensure that data processed is adequate, relevant, and not excessive in relation to the purposes for which it was collected. Section 14 of the Act gives data subjects the right to:
- be informed of the use to which their personal information is to be put;
- access their personal information in the custody of a data controller or data processor;
- object to the processing of all or part of their personal information;
- correct false or misleading personal information; and
- delete false or misleading data about them.
International Commitments
Scope of Application

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: No

National security exclusion: Partial

Law enforcement exclusion: No

Cabinet or Executive Council exclusion: No

Judicial functions exclusion: No

Journalistic, literary or artistic purposes exclusion: No

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: Yes

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes
Personal Data
Personal information is defined in the Act as information relating to an identifiable person and includes:
- name, address or telephone number;
- race, national or ethnic origin, colour, religious or political beliefs, or associations;
- age, sex, sexual orientation, marital status, or family status;
- identifying numbers, symbols, or other particulars assigned to that person;
- fingerprints, blood type, or inheritable characteristics;
- information about healthcare history, including a physical or mental disability;
- information about educational, financial, criminal, or employment history;
- opinions expressed about an identifiable person;
- an individual’s personal views or opinions (except if they are about someone else); or
- personal correspondence pertaining to home and family life.
Collection and Processing
The Act provides that all processing must be necessary, fair, and lawful, and that data must be collected for specific, explicit, and legitimate purposes. The Act requires consent to be obtained from the data subject for the processing of all personal information, or from a competent person if the data subject is a child. Consent may be implied where the data subject is an adult natural person or has full legal capacity.

The processing sensitive information, defined as , requires consent in writing, and specific rules apply to the processing of personal data relating to:
- genetic data;
- biometric sensitive data; and
- health data.
The Act requires data controllers to inform the data subject of certain information when processing their data, and to obtain authorisation from the Data Protection Authority for the processing of certain categories of data which the Authority has determined represent specific risks to the fundamental rights of the data subject.
Transparency

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: No

Timeframe for notification is specified: Yes

Exceptions exist to breach notifications: No

Requires a data processing register: Partial

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: Unclear

DPA report is made public: Unclear
Accountability

Explicit provision for civil liability: No

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: Yes

Law provides for criminal penalties: Yes

Law provides for administrative penalties: Yes

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: 5 to 7

Maximum term length for members of the DPA (years): 6
Participation
Cross-border Transfer

The Act provides that data controllers may not transfer personal information to a foreign country unless an adequate level of protection is ensured within that country or within the recipient organisation and the transfer is solely to carry out tasks covered by the competence of the controller. The Act also provides that the Data Protection Authority may lay down categories of processing operations for which transfer is not allowed and sets out specific circumstances in which transfer may occur to a country that does not provide an adequate level of protection.
Automated Processing

LEARN MORE ABOUT THE METHODOLOGY

Page last updated: 27 June 2022