ZIMBABWE
DATA PROTECTION FACTSHEET
-
Population: 14,862,927
Capital: Harare
President: Emmerson Mnangagwa
2021 Freedom House Score: 28/100
Data protection law? Yes, with data protection authority appointed
-
Privacy enshrined in Constitution: Yes, Zimbabwe’s Constitution acknowledges the right to privacy in Article 57, including the privacy of communications
DPA legislation: The new Data Protection Act was gazetted on the 3rd of December 2021 and came into effect on the same day. The Act aims to realise the rights provided for under the Constitution and establishes a new Data Protection Authority to oversee the regulation of data protection, whose responsibilities will vest in the Postal and Telecommunications Regulatory Authority (POTRAZ). The Act also deals with various provisions related to cybercrimes and, in doing so, amends various provisions of existing legislation. In addition, it establishes the Cybersecurity and Monitoring of Interception of Communications Centre, housed within the Office of the President, which is responsible for authorising the interception of communications, advising the government on cybercrime and cybersecurity, and coordinating activities focused on improving cybersecurity.
The Act draws inspiration from the European Union’s General Data Protection Regulation and places the burden of compliance on data controllers to ensure that data processed is adequate, relevant, and not excessive in relation to the purposes for which it was collected. Section 14 of the Act gives data subjects the right to:
- be informed of the use to which their personal information is to be put;
- access their personal information in the custody of a data controller or data processor;
- object to the processing of all or part of their personal information;
- correct false or misleading personal information; and
- delete false or misleading data about them.
-
ICCPR: Acceded
Council of Europe Convention 108: No
Council of Europe Convention 185: No
Malabo Convention: No
ECOWAS Supplementary Act on Personal Data Protection: No
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
-
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: No
National security exclusion: Partial
Law enforcement exclusion: No
Cabinet or Executive Council exclusion: No
Judicial functions exclusion: No
Journalistic, literary or artistic purposes exclusion: No
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: Yes
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
-
Personal information is defined in the Act as information relating to an identifiable person and includes:
- name, address or telephone number;
- race, national or ethnic origin, colour, religious or political beliefs, or associations;
- age, sex, sexual orientation, marital status, or family status;
- identifying numbers, symbols, or other particulars assigned to that person;
- fingerprints, blood type, or inheritable characteristics;
- information about healthcare history, including a physical or mental disability;
- information about educational, financial, criminal, or employment history;
- opinions expressed about an identifiable person;
- an individual’s personal views or opinions (except if they are about someone else); or
- personal correspondence pertaining to home and family life.
-
The Act provides that all processing must be necessary, fair, and lawful, and that data must be collected for specific, explicit, and legitimate purposes. The Act requires consent to be obtained from the data subject for the processing of all personal information, or from a competent person if the data subject is a child. Consent may be implied where the data subject is an adult natural person or has full legal capacity.
The processing of sensitive information, defined as , requires consent in writing, and specific rules apply to the processing of personal data relating to:
- genetic data;
- biometric sensitive data; and
- health data.
The Act requires data controllers to inform the data subject of certain information when processing their data, and to obtain authorisation from the Data Protection Authority for the processing of certain categories of data which the Authority has determined represent specific risks to the fundamental rights of the data subject.
-
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: No
Timeframe for notification is specified: Yes
Exceptions exist to breach notifications: No
Requires a data processing register: Partial
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: Unclear
DPA report is made public: Unclear
-
Explicit provision for civil liability: No
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: Yes
Law provides for criminal penalties: Yes
Law provides for administrative penalties: Yes
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: No
Number of members in DPA: 5 to 7
Maximum term length for members of the DPA (years): 6
-
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: Yes
DPA is mandated to participate in policy formulation: Yes
-
The Act provides that data controllers may not transfer personal information to a foreign country unless an adequate level of protection is ensured within that country or within the recipient organisation and the transfer is solely to carry out tasks covered by the competence of the controller. The Act also provides that the Data Protection Authority may lay down categories of processing operations for which transfer is not allowed and sets out specific circumstances in which transfer may occur to a country that does not provide an adequate level of protection.
-
Provides a right not to be subject to automated decision-making: Yes
Page last updated: 27 June 2022