Zimbabwe - Data Protection Overview

March 2022

1. Governing Texts

On 3 December 2021, Zimbabwe gazetted the much anticipated Data Protection Act [Chapter 11:12] ('the Act') into law. Originally referred to as the Cyber Security and Data Protection Bill, this new legal framework seeks to regulate a technology-driven business environment and to protect data subjects in cyberspace by ensuring the lawful use of technology.

1.1. Key acts, regulations, directives, bills

  • the Act

1.2. Guidelines

Not applicable.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

Section 4 of the Act does not detail or specify the relevant personal scope. However, it is clear from the interpretation of definitions and relevant sections that the Act is applicable to any person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, psychological, mental, economic, cultural, or social identity.

2.2. Territorial scope

The Act applies to the processing of data carried out in the context of the effective and actual activities of any data controller in Zimbabwe. It also applies to the processing and storage of data by a controller who is not permanently established in Zimbabwe, if the means used, whether electronic or otherwise, are located in Zimbabwe and such processing and storage is not for the purposes of the mere transit of data through Zimbabwe. In the latter case, the controller is obliged to designate a representative in Zimbabwe, without prejudice to legal proceedings that may be brought against the controller.

2.3. Material scope

In terms of Section 4(1) of the Act, the material scope of the Act includes matters relating to access to information, the protection of the privacy of information, and the processing and storage of data wholly or partly by automated means, and the Act shall be interpreted as being in addition to, and not in conflict or inconsistent with, the Act.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The designated data protection authority is the Postal and Telecommunications Regulatory Authority of Zimbabwe ('POTRAZ'), which is established in terms of the Postal and Telecommunications Act [Chapter 12:05].

3.2. Main powers, duties and responsibilities

In terms of Section 8 of the Act, the data protection authority is obliged to perform regulatory functions regarding the fair processing of data and the application of fundamental principles to protect privacy rights in line with international best practices. Other added functions include consulting and playing an advisory role to the Minister of Information, Publicity and Broadcasting Services (the 'Minister'). The data protection authority is given independence in Section 6(2) of the Act which states that in the lawful exercise of its functions, POTRAZ shall not be subject to the direction or control of any person or authority.

4. Key Definitions

Section 3 of the Act provides the following definitions:

Data controller: Any natural person or legal person who is licensable by POTRAZ, including public bodies and any other person who determines the purpose and means of processing data.

Data processor: A natural person or legal person, who processes data for and on behalf of the controller and under the controller's instruction, except for the persons who, under the direct employment or similar authority of the controller, are authorised to process the data.

Personal data: Information relating to a data subject, and includes:

  • the person's name, address or telephone number;
  • the person's race, national or ethnic origin, colour, religious or political beliefs or associations;
  • the person's age, sex, sexual orientation, marital status or family status;
  • an identifying number, symbol or other particulars assigned to that person;
  • fingerprints, blood type or inheritable characteristics;
  • information about a person's health care history, including a physical or mental disability;
  • information about educational, financial, criminal or employment history;
  • opinions expressed about an identifiable person;
  • the individual's personal views or opinions, except if they are about someone else; and
  • personal correspondence pertaining to home and family life.

Sensitive data: Information or any opinion about an individual which reveals or contains the following:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sex life;
  • criminal, educational, financial or employment history;
  • gender, age, marital status or family status;
  • health information about an individual;
  • genetic information about an individual; or
  • any information which may be considered as presenting a major risk to the rights of the data subject.

Health data: The Act contains no express definition; however, Section 12(4) states that health-related data may only be processed under the responsibility of a health-care professional (determined as such in terms of the Health Professions Act [Chapter 27:19]) unless the data subject gives written consent or the processing is necessary for the prevention of imminent danger or for the mitigation of a specific criminal offence. Further, where the data subject is incapable of providing the data, it may be collected from other sources.

Biometric data: The processing of biometric data is prohibited in terms of Section 12(1) of the Act unless the data subject has given consent in writing to the processing thereof.

Pseudonymisation: Not applicable.

5. Legal Bases

5.1. Consent

The processing of personal data or data relating to a data subject requires express consent. This refers to any manifestation of a specific, unequivocal, freely given, informed expression of will by which the data subject or their legal, judicial or legally appointed representative accepts that their data be processed. Where the information being processed is sensitive or concerns genetic, biometric or health data, Section 11 of the Act provides that the data subject must be informed of their right to withdraw consent at any time, without any explanation and free of charge.

5.2. Contract with the data subject

The Act makes no provision for contractual requirements enabling the controller to process personal information of a data subject.

5.3. Legal obligations

Not applicable.

5.4. Interests of the data subject

In terms of Sections 10(3)(c) and 11(5)(b) of the Act, the data controller may process genetic, biometric, health, non-sensitive or sensitive data without consent where processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving their consent or is not represented by their legal, judicial or agreed representatives.

5.5. Public interest

Not applicable.

5.6. Legitimate interests of the data controller

The general rule highlighted in the Act is that personal information may only be processed when consented to. This rule is not absolute, and consent is not required in terms of Section 10(3) of the Act where non-sensitive data is processed for the purposes of promoting the legitimate interests of the controller or of a third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under the Act.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Act ensures that in the processing of data, certain fundamental principles are preserved at all stages. The openness or transparency clause in Section 23 of the Act obliges POTRAZ to keep a register of all automatic processing operations of data, which shall be available for inspection by members of the public. Section 24 of the Act provides for accountability on the part of the data controller by requiring necessary measures and internal mechanisms to be put in place to demonstrate compliance, both to the data subject and to POTRAZ in the exercise of its powers. The need to ensure the accuracy of data being processed is emphasised in Section 7 of the Act, and the data controller is required to ensure that the data is adequate, relevant and not excessive in relation to the purpose for which it is collected.

7. Controller and Processor Obligations

7.1. Data processing notification

In terms of Section 20 of the Act, data controllers have an obligation to notify POTRAZ of any wholly or partly automated operation or set of operations intended to serve a single purpose or several related purposes, prior to the commencement thereof. POTRAZ has discretionary powers to exempt certain categories of operations from such notification upon assessing the risk to data subjects' rights and freedoms and whether the data controller has appointed a data protection officer ('DPO'). The provision of guidelines for the qualifications and functions of a DPO is within the legislative purview of POTRAZ. However, these provisions do not apply to operations that keep registers intended to provide information to the public by virtue of the operation of law, to any person demonstrating a legitimate interest, or that are open to access by the general public.

In this regard, a notification to POTRAZ must state, at least (Section 21 of the Act):

  • the date of notification and the law or regulatory instrument permitting the automatic processing of data;
  • the surname, first names, and complete address, or the name and registered offices of the controller and of his or her representative, if any;
  • the denomination of the automatic processing;
  • the purpose or the set of related purposes of the automatic processing;
  • the categories of data being processed and a detailed description of the sensitive data being processed;
  • a description of the category or categories of the data subjects;
  • the safeguards that must be linked to the disclosure of the data to third parties;
  • the manner in which the data subjects are informed, the service providing for the exercise of the right to access and the measures taken to facilitate the exercise of that right;
  • the inter-related processing planned or any other form of linking with other processing;
  • the period of time after the expiration of which the data may no longer be stored, used, or disclosed;
  • a general description containing a preliminary assessment of whether the security measures provided for pursuant to Section 13 of the Act are adequate;
  • the recourse to a data processor, if any; and
  • the transfers of data to a third country as planned by the data controller.

Furthermore, POTRAZ may prescribe other information which must be mentioned in the notification, and any modifications to the information provided according to Section 16 of the Act must be notified to POTRAZ (Sections 20(2) and 21(1) of the Act).

7.2. Data transfers

Part VII of the Act regulates the trans-border flow of data. The transfer of personal information by a data controller to a third party in a foreign country is prohibited unless an adequate level of protection is ensured in the country of the recipient or international organisation and the data is transferred solely to allow tasks covered by the competence of the data controller to be carried out. What constitutes an adequate level of protection in terms of Section 28(2) depends on the circumstances surrounding a data transfer operation or set of operations, including the nature of the data and the purpose and duration of the proposed processing operation. However, the transfer of such information where an adequate level of protection is not assured is permissible in any of the following instances:

  • the data subject has unambiguously given their consent to the proposed transfer;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request;
  • the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between the controller and a third party in the interest of the data subject;
  • the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject; and
  • the transfer is made from a register which, according to acts or regulations, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the case at hand.

7.3. Data processing records

In terms of provisions applicable to the Cybersecurity Committee ('the Committee'), Section 8 of the Schedule (Section 4B(5)) of the Act which is an amendment to the Interception of Communications Act [Chapter 11:20] ('the Interception of Communications Act'), requires minutes of all proceedings and decisions taken at every meeting of the Committee to be entered in books kept in a confidential manner.

7.4. Data protection impact assessment

Though the Act does not expressly mention any requirements for data controllers to carry out a Data Protection Impact Assessment ('DPIA'), a new development is noted in Section 37 of the Act which repeals the provisions of the Interception of Communications Act regarding a monitoring centre.

This centre is replaced by a Cyber Security and Monitoring of Interception of Communications Centre ('the Centre'), which is designated as the monitoring facility through which all call-related information of a particular interception target is forwarded to authorised persons. The Centre will be housed under the Office of the President and be manned, controlled and operated by technical experts. Its functions include, but are not limited to, advising on and implementing Government policy on cybercrime and cybersecurity, identifying areas of intervention to prevent cybercrime, providing guidelines to public and private sector interested parties on matters relating to awareness, training, enhancement, investigation, prosecution and combating cybercrime, and managing cybersecurity threats.

7.5. Data protection officer appointment

A DPO refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act. From the relevant provisions of the Act, it cannot be interpreted that the appointment of a DPO is compulsory. Instead, Section 20(4)(b) of this Act permits POTRAZ to exempt notification for certain categories provided that a data controller has appointed a DPO. Further, Section 20(6) of the Act empowers POTRAZ to provide guidelines that provide for the qualifications and functions of a DPO, which shall include:

  • ensuring compliance by the data controller with the provisions of the Act and regulations made thereunder;
  • dealing with requests made to the data controller pursuant to the Act; and
  • working with POTRAZ in relation to the performance of its functions in relation to the data controller.

Importantly, the appointment of a DPO must be duly notified to POTRAZ (Section 20(5) of the Act).

7.6. Data breach notification

It is peremptory for the data controller to notify POTRAZ, within 24 hours, of any security breach affecting data that it processes.

7.7. Data retention

The Act is silent on timeframes regarding data retention; however, the data subject has the right to the deletion of false or misleading data about them. The Act also provides for instances where the deletion of data may be ordered by a Court or by POTRAZ.

7.8. Children's data

A child is defined as any person under the age of 18 years. The rights of such a person pursuant to the provisions of this Act may only be exercised by their parents or legal guardian in terms of Section 26 of the Act. Section 164G of the Act, which is an amendment of the Criminal Law (Codification and Reform) Act [Chapter 9:23], limits the criminal liability of a child. It provides that special consideration shall be given where a child is found guilty of unlawfully and intentionally generating and sending, by means of information and communication technologies, any data message to another person which is considered an identity-related offence. Guidance is given as to the penalty in that no child shall be given a criminal record or imprisoned for such an offence.

7.9. Special categories of personal data

A criminal conviction falls under the definition of sensitive information, which is regulated under Section 11 of the Act. Written consent from the data subject is a prerequisite for the processing of sensitive data by a data controller. POTRAZ is empowered to determine the circumstances in which the prohibition on processing sensitive data cannot be lifted even with the data subject's consent. Further, the Minister responsible for the Centre, in consultation with the Minister responsible for information and communications technologies, may give directions on how to implement the processing of sensitive information affecting national security or the interests of the State.

7.10. Controller and processor contracts

In terms of Section 19(8) of the Act, a data controller must enter into a written contract or any other legal instrument with the data processor which ensures that the data processor maintains security measures on data. Therefore, the contractual relationship between the two extends the duties of the data controller to the data processor. Put differently, the data processor has the same responsibilities as the data controller, including safeguarding the security, integrity and confidentiality of the data.

8. Data Subject Rights

8.1. Right to be informed

Section 14 of the Act provides that a data subject has the right to:

  • be informed of the use to which their personal information is to be put;
  • access their personal information in custody of data controller or data processor;
  • object to the processing of all or part of their personal information;
  • correction of false or misleading personal information; and
  • deletion of false or misleading data about them.

Furthermore, Section 16 of the Act stipulates that where the data is not collected from the data subject, the controller or their representative must provide the data subject with at least the information set out below when recording the data or considering communication to a third party, unless it is established that the data subject has already received such information (Section 16(1) of the Act):

  • the name and address of the controller and of their representative, if any;
  • the purposes of the processing;
  • whether compliance with the request for information is compulsory or not, as well as what the consequences of the failure to comply are;
  • the existence of the right to object, by request and free of charge, to the intended processing of data relating to them, if it is obtained for the purposes of direct marketing; in which case, the data subject must be informed prior to the first disclosure of the data to a third party or prior to the first use of the data for the purposes of direct marketing on behalf of third parties;
  • taking into account the specific circumstances in which the data is collected, any supporting information, as necessary to ensure fair processing, such as:
    • the categories of data concerned;
    • the recipients or categories of recipients of the data; and
    • the existence of the right to access and rectify the data relating to them, unless such additional information, taking into account the specific circumstances in which the data is provided, is not necessary to guarantee fair processing with respect to the data subject; and
  • other information dependent on the specific nature of the processing, which is specified by the POTRAZ.

8.2. Right to access

Among the rights listed in Section 14 of the Act (set out in full under section 8.1 above), a data subject has the right to access their personal information in the custody of a data controller or data processor.

8.3. Right to rectification

Among the rights listed in Section 14 of the Act (set out in full under section 8.1 above), a data subject has the right to the correction of false or misleading personal information.

8.4. Right to erasure

Among the rights listed in Section 14 of the Act (set out in full under section 8.1 above), a data subject has the right to the deletion of false or misleading data about them.

8.5. Right to object/opt-out

Among the rights listed in Section 14 of the Act (set out in full under section 8.1 above), a data subject has the right to object to the processing of all or part of their personal information.

8.6. Right to data portability

The Act defines an 'electronic communication network' as any electronic communication infrastructure and facility used for the conveyance of data. Social networking sites have notably gained users among the Zimbabwean populace over the years. Before the Act, there was no legal framework for holding online intermediaries liable for any illegal content posted on their platforms. The Act has thus established a safe harbour for users, to some extent, against cyber bullying and harassment. Section 379C of the Act, which is an amendment to the Criminal Procedure and Evidence Act [Chapter 9:07], provides that an electronic communications network or access service provider shall not be criminally liable for providing access to or transmitting information through its system if the service provider has not:

  • initiated transmission;
  • selected the receiver of the transmission; or
  • selected or modified the information contained in the transmission.

Although an online intermediary may not be an access service provider, it potentially falls under the definition of 'electronic communication network' provided for in Section 3 because it uses electronic communications infrastructure and facilities (network, servers, etc.) to allow users to share information on its platform in Zimbabwe and beyond. Consequently, online intermediaries may be held liable if the above criteria are fulfilled. It must be understood that this does not entail strict liability, because the presence of intention on the part of the online intermediary is a requirement for liability to be placed. Section 379C of the Act further provides for remedies available to an aggrieved party in the case of illegal content being posted. The procedure to be followed is that the online intermediary must remove or disable the information upon the presentation of a court order or an order by any appropriate authority, which is POTRAZ in this case. Such an order requires compliance; upon failure to take down or block the unlawful information, the online intermediary risks criminal liability and penalties.

8.7. Right not to be subject to automated decision-making

Section 25 of the Act states that a data subject shall have the right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right may be limited where the decision based solely on automated processing is taken on the basis of the data subject having consented to such decision or is based on a provision established by law.

8.8. Other rights

The Act safeguards other fundamental rights enshrined in the Constitution of Zimbabwe; these include, but are not limited to, the right to privacy and the protection of recognised freedoms and interests.

9. Penalties

Section 33 of the Act on offences and penalties provides that:

  • any member of staff of POTRAZ or any expert, contractor or sub-contractor who violates the provisions of this Act shall be guilty of an offence and liable to a fine not exceeding level seven, ZWL 120,000 (approx. €300), or to imprisonment for a period not exceeding two years, or to both such fine and such imprisonment; and
  • any data controller, its representative, agent or assignee who contravenes certain provisions of the Act shall be guilty of an offence and liable to a fine not exceeding level eleven, ZWL 400,000 (approx. €1,000), or to imprisonment for a period not exceeding seven years, or to both such fine and such imprisonment.

Whilst Section 33 deals with the liability of POTRAZ staff and data controllers, the Act also criminalises cybercrimes and provides stiff penalties for individuals who infringe the protected rights and freedoms of users in cyberspace.

9.1. Enforcement decisions

The Act is a welcome development in Zimbabwe, as increased cyberspace relations demand legal frameworks that safeguard the collection, processing, transmission and storage of data. There are no notable enforcement decisions reported as yet, but the Act addresses and makes provision for some topical aspects that are key to data protection, cybersecurity, and privacy principles. Nonetheless, there are still concerns about whether its provisions offer adequate protection to data subjects and whether POTRAZ will be able to handle all of its duties. Overall, the Act is a progressive step towards recognising the rights and freedoms of data subjects in cyberspace, and it adds Zimbabwe to the list of African countries that now have a data protection law.