Support Centre



Law: Data Protection Act ('the Act)

Regulator: Postal and Telecommunications Regulatory Authority of Zimbabwe ('POTRAZ')

Summary: The Act was enacted on 3 December 2021, although an official transition period or date for entry into force has not been announced. Initially established under the Postal and Telecommunications Act, POTRAZ has now been designated as the data protection authority responsible for enforcing the processing of personal data in accordance with the Act. In general terms, the Act focuses on breach and data processing notifications to POTRAZ, data security, online conduct, whistleblowers, data transfers, and limited data subject rights. Penalties for contraventions of the Act include a level seven fine of ZWD 120,000 (approx. €292.70) and imprisonment for a period not exceeding seven years. There has also been focus on the development of Zimbabwe's anti-money laundering framework in recent years.


The Minister of Information and Communications Technologies published a new Draft for the Cyber and Data Protection Regulations, 2022 ('the Draft') in November 2022. Melody Musoni, an independent privacy professional, provides an overview of the Draft, with a specific look at licensing and registration of data controllers and how organisations can prepare.