1. Introduction
This summary details the principal legislative changes introduced by the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 contained in Statutory Instrument 155 of 2024 (the Regulations). The Regulations came into effect on 13 September 2024 and establish a registration requirement on the processing of personal information in Zimbabwe.
2. Notable changes introduced by the Regulations:
2.1. Registration
The new Regulations impose a registration requirement for the processing of personal information of data subjects in Zimbabwe.
In terms of Section 3(2) of the Regulations, the following activities are licensable: processing personal information with the intention to:
(a) decide the means, purpose or outcome of the processing;
(b) decide what personal data should be collected;
(c) decide which individuals to collect personal information from;
(d) obtain a commercial gain or other benefit from the processing of personal data.
The definition of “personal information” as set out in the Act is comprehensive and includes, but is not limited to, a person’s particulars, i.e. name, address, contact information, race, sex, age, identity number, fingerprints, any healthcare history, and information on educational, financial, criminal or employment history.
This places an obligation on every entity, corporation, company or association (to name a few) to obtain a data controller licence before collecting and processing any of the above information for the purposes outlined above.
This will involve a registration requirement for all institutions that are required to keep KYC (Know-Your-Client) forms for the collection of personal information.
2.2. Registration categories
The Regulations delineate various licenses that apply according to the scale of data processing activities.
The following is an outline of the relevant licenses:
(a) a tier 1 data controller license – for processing information for a minimum of 50 to a maximum of 1000 data subjects;
(b) a tier 2 data controller license – for processing information for a minimum of 1001 to a maximum of 100,000 data subjects;
(c) a tier 3 data controller license – for processing information for a minimum of 100,001 to a maximum of 500,000 data subjects;
(d) a tier 4 data controller license – for processing information of more than 500,000 data subjects.
The threshold for registration eligibility is currently pegged at a minimum of 50 data subjects.
The suitability of each license is contingent upon the scale of data processing associated with each operation.
2.3. Registration requirements
To obtain the required registration, a data controller must apply to the Data Protection Authority and pay the prescribed fee. Typically it will be the business entity that registers as a Data Controller.
The application may also be subject to any further requirements that the Data Protection Authority may impose or require.
2.4. Transfer of Personal Information outside Zimbabwe
A data controller intending to transfer or share the information of a data subject outside Zimbabwe is required to notify the Data Protection Authority before such transfer is made.
2.5. Appointment of a data protection officer
For existing institutes or companies whose operations include collection and processing of personal information, the registered data controller is required to appoint a data protection officer (“DPO”), and to notify the Data Protection Authority in writing within 90 days from the date of promulgation of the Regulations.
In the case of new data collection and processing activities, the data controller must designate an individual as a Data Protection Officer and inform the Data Protection Authority of this appointment upon registration.
The Regulations establish the necessary qualifications for an individual to be registered as a Data Protection Officer (DPO) and require the data controller to provide training so that the Data Protection Officer’s certification is maintained.
2.6. Processing of biometric data or systems
Any person collecting information for operating or using a biometric system and meeting the outlined registration criteria is, in terms of the Regulations, required to obtain a data controller licence and to notify the Data Protection Authority of any processing which involves biometric data of data subjects.
2.7. Breach and notification
A data controller is obligated to notify the Data Protection Authority of any breach of personal data within 24 hours of becoming aware of such breach.
Where the breach is likely to result in a high risk of adversely affecting an individual’s rights and freedoms, the data controller is required to inform the data subject within 72 hours of such breach.
2.8. Code of conduct
The data controller is required to submit a Code of Conduct for approval in terms of Section 30 of the Act.
The Data Protection Authority is empowered to make any such recommendations to the data controller as it considers appropriate in assessing the suitability of the Code of Conduct.
The implication of this provision is that any registered data-processing individual or entity is obligated to have a written internal policy on data protection which conforms to the existing data protection laws in Zimbabwe.
3. VALIDITY PERIOD
The data controller licence is only valid for 12 months and is renewable upon the expiration of the specified period.
4. PENALTIES
Failure to adhere to these provisions may result in a penalty, which could include a designated fine or imprisonment, depending on the nature of the violation.
L.T PHRI
GILL GODLONTON & GERRANS
7th Floor Beverly Court
100 Nelson Mandela Avenue
HARARE
Note:
This summary has been prepared for general information only. It does not provide a complete or detailed summary of all the provisions in the Bill referred to. Any client is advised to seek specific advice in respect of any particular provision which they may consider has an effect on their operations.